Cooperative ITS Regulatory Policy Issues Discussion PaperBB07ED22-C3D7-3B62-8455-C… · National Transport Commission Cooperative ITS Regulatory Policy Issues: Discussion Paper Report

Cooperative ITS Regulatory Policy IssuesDiscussion Paper

November 2012

National Transport Commission

Cooperative ITS Regulatory Policy Issues: Discussion Paper

Report prepared by: Marcus Burke and James Williams

Cooperative Intelligent Transport Systems Regulatory policy issues November 2012

i

Report outline

Title: Cooperative ITS Regulatory Policy Issues

Type of report: Discussion paper

Purpose: Identification and discussion of regulatory issues impacting the deployment and support of Cooperative Intelligent Transport Systems (C-ITS) in Australia, for public consultation.

Abstract: The paper identifies and discusses regulatory options for the safe and effective deployment and support of Cooperative Intelligent Transport Systems in Australia. It outlines the nature of the technology, the risks and benefits of uptake and potential roles for government. Key regulatory issues the paper addresses are privacy, liability, driver distraction and compliance and enforcement threats and opportunities. The paper is based on stakeholder engagement with industry, jurisdictions and privacy commissioners, and desktop research.

Submission details: Submissions will be accepted until Thursday 31 January 2013. They can be submitted online at www.ntc.gov.au or by mail to:

Chief Executive Officer National Transport Commission L15/628 Bourke Street MELBOURNE VIC 3000

Key words: Cooperative Intelligent Transport Systems; privacy; liability; driver distraction; compliance and enforcement; technology; human risk factors; road safety.

Contact: Marcus Burke Senior Policy Manager (Compliance and Technology) National Transport Commission

E: [email protected] P: (03) 9236 5044


i

How to make a submission to the NTC

Who can make a submission? Any individual or organisation can make a submission to the National Transport Commission.

How to submit To make an online submission please visit the National Transport Commission homepage (www.ntc.gov.au) and select ‘Make a submission to the NTC’ from the News & Publication menu.

Alternatively, you can mail your comments to: Chief Executive Officer, National Transport Commission, Level 15/628 Bourke Street, MELBOURNE VIC 3000.

Where possible, you should provide evidence, such as data and documentation, to support your views.

Publication of submissions Unless submissions clearly request otherwise, all submissions will be published online. Submissions that contain defamatory or offensive content will not be published. The Freedom of Information Act 1982 (Cwlth) applies to the NTC.


iii

Table of contents Report outline i

Foreword iii

Executive summary 1

1. Introduction 4 1.1 What are cooperative intelligent transport systems? 4

1.1.1 Key elements of C-ITS 6 1.2 What are the potential benefits of C-ITS? 7 1.3 When are we likely to see this technology? 8 1.4 Aim of this paper 8

1.4.1 Role of government 9 1.4.2 Existing safety systems 10

1.5 Scope of issues 11 1.6 Key issues in C-ITS 12

1.6.1 Human Factors 12 1.6.2 Mixing old and new technology; mixing with other road users 13 1.6.3 Accuracy of data 13 1.6.4 Security and anonymity 14 1.6.5 Warning systems and interventions 14

1.7 The Australian context and existing ITS policy 15 1.8 Methodology for this paper 17

2. Privacy 18 2.1 What are the issues? 18

2.1.1 Examples of vehicle tracking 19 2.1.2 Anonymity 19 2.1.3 Deployment models 20

2.2 What is the current law? 21 2.2.1 Commonwealth privacy principles 21 2.2.2 Exceptions 22 2.2.3 Current reform 22 2.2.4 Applying the privacy principles 22 2.2.5 National Privacy Principles 23 2.2.6 Commonwealth Information Privacy Principles 24 2.2.7 State Information Privacy Principles 24 2.2.8 Common law 25

2.3 Privacy and C-ITS internationally 25 2.3.1 United States 25 2.3.2 Europe 26 2.3.3 International standards 26

2.4 Consumer expectations 27 2.5 Policy questions and approaches 27

2.5.1 Is regulation required? 27 2.5.2 Option 1: Continue current approach 28 2.5.3 Option 2: Privacy Code 28 2.5.4 Option 3: Provide guidance on best practice 28 2.5.5 Option 4: Legislate C-ITS governance arrangements and use of

information 28 2.5.6 Option 5: Legislate technical standards to protect privacy 28

iv Cooperative Intelligent Transport Systems Regulatory policy issues November 2012

2.6 Preliminary findings 29

3. Liability 31 3.1 What are the issues? 31

3.1.1 Effects of different types of C-ITS applications 32 3.1.2 Crash causation 33 3.1.3 Types of parties in C-ITS 33 3.1.4 Human factors 34 3.1.5 What is the standard expected? 35

3.2 Current law 35 3.2.1 The driver remains in charge 35 3.2.2 Tort 36 3.2.3 Contract law 37 3.2.4 Product liability 38 3.2.5 Compulsory third party systems 38

3.3 Overseas approaches 38 3.3.1 Europe 38 3.3.2 United States 39

3.4 Policy questions and options 40 3.4.1 Option 1: Continue current approach 40 3.4.2 Option 2: Enact specific C-ITS liability law to clarify issues 40 3.4.3 Option 3: Non-legislative approaches 40 3.4.4 Option 4: Information and education campaigns 40

3.5 Preliminary findings 41 3.5.1 C-ITS and manufacturers 41 3.5.2 C-ITS and road operators 42 3.5.3 C-ITS information service providers 42 3.5.4 C-ITS and drivers 42

4. Driver distraction and information display 44 4.1 What are the issues? 44 4.2 What is the current law? 45

4.2.1 Information display 45 4.2.2 In-vehicle technology and distraction 46

4.3 Overseas approaches 46 4.3.1 United States 46 4.3.2 Europe 47 4.3.3 International 49

4.4 Policy questions and options 49 4.4.1 Option 1: Continue current approach 49 4.4.2 Option 2: Amend current road rules 49 4.4.3 Option 3: Create guidelines or principles for manufacturers 49 4.4.4 Option 4: Examine technology options as they develop 50


5. Compliance and enforcement 52 5.1 What are the issues? 52

5.1.1 Surveillance devices 53 5.1.2 Comparative systems 54

5.2 Application to C-ITS 56 5.3 Overseas approaches 57

5.3.1 United States 57 5.3.2 Europe 57

5.4 Policy questions and options 57


v

5.4.1 Option 1: Continue current approach 57 5.4.2 Option 2: Specific protection of data from C-ITS applications 57 5.4.3 Option 3: Provide guidance on appropriate use of data 57 5.4.4 Option 4: Amendment to Surveillance Device legislation 57


6. Incentives for uptake 59

7. Other issues for consideration 60 7.1.1 Driver training and licensing 60 7.1.2 Roadworthiness 60 7.1.3 Security 60

8. Glossary 61

9. Appendix 1: US Privacy framework 63

10. Appendix 2: Product liability legislation 66

11. Appendix 3: Interference legislation 67

vi Cooperative Intelligent Transport Systems Regulatory policy issues November 2012

Foreword

Road trauma in Australia accounts for almost 1,300 deaths each year1 and costs the nation an estimated $27 billion per annum.2 Congestion on our roads has a major impact on productivity, air quality and carbon emissions. These impacts could be significantly reduced with the introduction of Cooperative Intelligent Transport Systems (C-ITS).

C-ITS represent an opportunity to considerably advance Australia’s road safety through vehicles and infrastructure sharing vital information, which could avoid collisions. The technology will also offer productivity and environmental advancements through improved traffic management and decision-making by drivers.

While we are excited about the opportunities presented with C-ITS, we also realise the implementation of such detailed technology could have policy implications. The National Transport Commission (NTC) is currently examining the policy implications of C-ITS while the technology continues to be developed in Australia and overseas.

This paper analyses the risks, barriers and potential regulatory reforms required to ensure a national, harmonised platform for the technologies. It aims to ensure that such systems can be rolled out successfully without adverse impacts, in particular those concerning privacy, liability, driver distraction and compliance and enforcement.

The NTC is seeking public comment on this discussion paper by Thursday 31 January 2013. Feedback will be used to prepare a final recommendation to the Standing Council on Transport and Infrastructure (SCOTI). I acknowledge the work of NTC staff in developing this report, in particular Marcus Burke and James Williams.

Greg Martin PSM

Chairman

1 Bureau of Infrastructure Transport and Economics, Road Deaths Australia Bulletin, 2012. 2 Department of Infrastructure and Transport, Road safety, 2012.

Cooperative Intelligent Transport Systems Regulatory policy issues November 2012 1

Executive summary

Cooperative Intelligent Transport Systems (C-ITS) are a group of technologies that allow different elements of the transport network, including vehicles and infrastructure, to exchange information. Effectively, these systems allow vehicles to ‘talk’ to each other and to the infrastructure. These systems have significant potential to improve the transport network in Australia, particularly in regards to safety, by providing information to support better decisions by drivers. Governments should, at a minimum, ensure that regulatory policy does not impede the uptake of C-ITS.

These systems also have a number of implications for regulatory policy that need to be considered, particularly in the areas of privacy, liability, driver distraction and compliance and enforcement. This paper discusses the impact of C-ITS in each of these areas.

In many of these areas there are already clear, well established principles. A key question will be whether C-ITS applications can be managed within the current legislative and policy frameworks, or whether this technology is sufficiently different that changes are required. Frameworks will also need to be sufficiently flexible to deal with subsequent technology developments and take into account what is unique about Australia and its transport system.

Australia will be largely dependent on technology developed and built overseas. The US Department of Transportation, for example, plans to make a regulatory decision on in-vehicle C-ITS technology for cars by 2013 and for trucks by 2014. It remains possible that vehicles could be imported with this technology switched off if the policy framework does not support it, with the result that Australia misses out on the benefits.

Key C-ITS issues affecting regulatory policy include:

human factors mix of old and new technology in the transport system and mixing different road users data accuracy security and anonymity whether C-ITS applications operate as warning systems or trigger automated interventions.

Each chapter outlines the key issues in relation to C-ITS and the current law in Australia, before presenting a range of approaches for further discussion and feedback, with a focus on the appropriate role for governments. Whilst privacy, liability, driver distraction and compliance and enforcement each have their own unique aspects, there are common approaches. The approaches we have examined include:

continuing current practices and processes in each of these areas, effectively treating C-ITS as another technology that can be managed through existing principles

creating specific legislation to manage C-ITS applications and their associated regulatory issues

exploring non-legislative approaches, such as creating codes of practice, in order to provide practical guidance to industry whilst maintaining flexibility

educational and information-based approaches.

For each area considered, there is currently no legislation specifically governing C-ITS applications, but these applications could in general be managed under existing principles. Privacy C-ITS applications generate significant volumes of data. This raises questions of whether such data could be linked to individuals and how C-ITS applications fit within current privacy regimes in Australia dealing with the collection, use and disposal of personal information. Key findings indicate:

The impact of C-ITS on privacy will depend on the extent to which the C-ITS application will collect and transmit personal information. Privacy is best protected through anonymous data collection or, if this is not possible, by restricting the collection and use of the personal information collected.

2 Cooperative Intelligent Transport Systems Regulatory policy issues November 2012

The current indications are that, due to the need to maintain appropriate security standards, C-ITS may not always produce anonymised data.

While consent to collect information is usually not required, C-ITS consumers must be made aware that data is being collected, who is collecting it and for what purpose, as well as their right to access and correct the information. Thought will need to be given as to how consumers should be informed of these matters.

Uptake of C-ITS technology is expected to be lower should consumers lack confidence in the appropriate handling and collection of their personal information. Unambiguous governance arrangements and clarity over who is collecting the information and under which privacy regime is a critical step towards reassuring consumers, along with ensuring secure data storage and transmission.

While there does not appear to be a pressing need for regulatory intervention at this stage, given the existing principles, governments will need to carefully follow the development of the technology.

Systems that can track location have been broadly accepted when there are clear advantages to using the system and when consumers trust service providers to handle their personal data securely and responsibly within a voluntary system. It is not enough that C-ITS applications in Australia are within the law. In the foreseeable future consumers will be making choices about purchasing C-ITS technology. If the safety benefits are to be realised, government and industry must ensure that consumers can be confident that their personal information is collected and used appropriately and only for proper purposes. Liability As transport technology advances, the issue of who is liable in the event of a crash will likely become more complex. The question of how liability would be resolved in the event of C-ITS system failure will be important in providing certainty to drivers, manufacturers, insurers and road managers. Key findings indicate:

Manufacturers and services providers of C-ITS technology will need to carefully consider the safety risks of their systems and the development and testing processes that they implement, along with consumer marketing and communications.

Liability concerns may mean C-ITS applications need to log actions in more detail in order to trace causation.

Taking human factors into consideration will be critical to the success of C-ITS, but these factors may require further testing in order to better understand and address them.

Information provided to drivers on system limitations and system status will be critical. Road managers will need to assess the risk implications of providing infrastructure-based

C-ITS solutions. Expectations of system performance and liability implications are likely to change as C-ITS

applications move from being advisory systems to overriding driver actions.

Clearly defined responsibilities for liability in a cooperative system is essential. Uncertainty around who is liable is likely to increase the risk of litigation and act as a deterrent to technology investment, particularly for manufacturers of C-ITS applications. Driver Distraction Existing rules govern the use of technology inside vehicles to reduce driver distraction. An assessment is required of how C-ITS applications fit within these existing rules and whether they raise additional risks. Key findings indicate:

Initial C-ITS applications are likely to require human recognition of the signals and timely and proportionate responses. This reliance on human factors could increase risks in certain circumstances.

C-ITS, including driver distraction and information display considerations, are not explicitly regulated in Australia.

Relevant terms such as ‘visual display unit’ and ‘driver’s aid’ are not precisely defined in the Australian Road Rules. However devices providing C-ITS applications would likely fall under the definition of ‘driver’s aid’ and be allowable under the road rules.

In addition to ensuring that C-ITS meets safety objectives, legislation may be required to ensure that legitimate C-ITS functions are legalised and that drivers’ using the technology


are not caught by laws prohibiting the use of mobile phones while driving. Any required changes to the law will be recommended to the NTC Review of the Australian Road Rules.

Guidelines relating to the safety and ergonomic functionality of in-vehicle electronic devices have been developed overseas to address this issue.

C-ITS will provide more information to drivers to empower them to make better driving decisions, at least in its early development when C-ITS is expected to be largely based on advisory systems that require human recognition of the signals. The challenge for designers is to achieve this without overloading the driver’s cognitive load. Messages must be prioritised in order to ensure that the driver receives critical information at the critical time. Drivers should be able to distinguish a critical message from a host of other in-vehicle systems competing for his or her attention. Compliance and Enforcement The role of C-ITS applications within existing road compliance and enforcement activities, in particular in relation to the purposes for which C-ITS information can be used, will be critical for providing certainty to drivers on how they will be treated. Key findings indicate:

Compliance and enforcement issues are linked to privacy issues in that both relate to the appropriate collection and use of data.

The current indications are that they may not be capable of being made completely anonymous, whilst maintaining appropriate security.

Some jurisdictions overseas are examining setting explicit limits on the collection and use of C-ITS data for compliance and enforcement purposes.

Use of C-ITS data for compliance and enforcement raises similar policy issues to those for Automatic Number Plate Recognition (ANPR) systems and may require similar controls to those put in place for these systems.

There may be scope to link the use of C-ITS to incentives and rewards around compliant behaviour for certain vehicles, such as trucks.3

Uncertainty in the treatment of C-ITS data for compliance and enforcement purposes may act as a disincentive to the take-up of technology and result in reduced safety and other benefits.

The utilisation of C-ITS for enforcement activities is, in a sense, the alternative perspective in the privacy debate. In Victoria, both the myki public transport ticketing system and Citylink tollway provide examples of how intelligent technology can be harnessed with clearly defined enforcement applications.

As the benefits of C-ITS applications may be limited until there is a significant population of equipped vehicles, incentives to encourage the uptake of this technology may be required. These could include incorporating C-ITS technology into star-rating systems, registration discounts, accreditation schemes, regulatory concessions, financial or tax incentives or operator ratings. Higher risk demographics or vehicles, or specific vehicle fleets such as trains, trams, fleet cars or oversize vehicles, could be the subject of incentive schemes.

The NTC is seeking submissions and feedback on this discussion paper by Thursday, 31 January 2013. We are particularly interested in your comments or feedback on the approaches described at the end of each section. The NTC will consider submissions when developing its final recommendations for the Standing Council on Transport and Infrastructure.

3 The place of incentive and reward in securing compliance is considered in the NTC’s forthcoming Strategy for Heavy Vehicle Compliance document.


1. Introduction

This chapter introduces the key elements of C-ITS and describes the potential benefits of the technology, timeframes, the role of government and the scope of the issues in the Australian context.

1.1 What are cooperative intelligent transport systems?

‘Cars talking to each other is the future of motor safety’ US Transportation Secretary Ray LaHood4

The number of road deaths in Australia, whilst falling, remains at almost 1,300 per year,5 with the annual economic cost of road crashes estimated at $27 billion per annum.6 C-ITS applications represent an opportunity to significantly reduce these figures.

‘Intelligent Transport Systems’ (ITS) is an umbrella term describing the use of information and communication technology in the transport network to improve transport outcomes. The term ‘Cooperative Intelligent Transport Systems’ refers to a particular subset of ITS in which the different elements of the transport network – vehicles, roads, infrastructure – share information with each other to improve these outcomes. In C-ITS applications, these components of the transport network effectively ‘talk’ to each other, providing valuable information, including facts on conditions, incidents and traffic, enabling the coordination of movements and the avoidance of collisions.

In Europe, C-ITS have been described as:

ITS systems based on vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I, I2V) and infrastructure-to-infrastructure (I2I) communications for the exchange of information … Co-operative ITS is a subset of the overall ITS that communicates and shares information between ITS stations to give advice or facilitate actions with the objective of improving safety, sustainability, efficiency and comfort beyond the scope of stand-alone systems.7

The concept is most easily illustrated with an example. One potential C-ITS application, illustrated at Figure 1, involves vehicles broadcasting a signal as they approach an intersection, giving their location, speed and direction. Other vehicles approaching the same intersection could receive these signals and hence be aware of the first vehicle’s approach, even if the driver’s view was obstructed. An in-vehicle warning could be provided to both drivers if their trajectories indicated an imminent collision.

Figure 1: An example of C-ITS: intersection collision avoidance application, image courtesy of Cohda Wireless.

4 B Vlasic ‘Smart cars get a connection test in Michigan’, New York Times, 21 August 2012. Quoted at the launch of the US connected vehicle trial in Ann Arbor, Michigan. http://www.nytimes.com/2012/08/22/business/a-test-of-smart-cars-gets-under-way.html (viewed on 18/10/2012). 5 Bureau of Infrastructure Transport and Economics, Road Deaths Australia Bulletin 2012 6 Bureau of Infrastructure Transport and Economics, ‘Road Safety’(2012). 7 European Committee for Standardisation and ETSI, ‘Joint CEN and ETSI Response to Mandate M/453’ p. 3.


This example is simply one application of many that could be developed. One of the significant, indeed defining, features of C-ITS is that it provides a new communications platform for a potentially vast range of applications improving safety, environmental and productivity outcomes. A selection of these applications is set out in Table 1. These applications could give advice or could actively intervene. However the advisory applications will almost certainly be the first to be developed.

Just as developers have taken advantage of the possibilities created by smartphone platforms to create a wide array of applications, so a future C-ITS platform will likely provide the basis for a range of applications that we cannot yet imagine, by utilising the communication between vehicles (and between vehicles and infrastructure) along with the vehicle’s ability to capture sensor data. One manufacturer has described the resulting system as the ‘first social network for automobiles’.8

Table 1: examples of C-ITS applications9

Application Description

Collision avoidance/warning Warns or intervenes if an imminent collision with a vehicle ahead is detected

Rapid braking warning Warning automatically sent to surrounding cars in the event of a rapid braking incident, in order to avoid rear-end collisions.

Intersection collision avoidance system

Detects and warns driver if there is a potential risk of a collision at upcoming intersection

Blind spot detection Provides information on presence of vehicles in an area not visible to driver

Road works warning Road works teams broadcast signals to surrounding traffic to warn on approach.

Rail crossing warning Train approaching an unprotected railway crossing broadcasts a warning to nearby traffic.

Traffic signal speed assist Traffic lights provide information directly to vehicles of an impending change of lights, in order for vehicle speed to be set appropriately.

C-ITS applications are often classified based on the types of interactions:

vehicle-to-vehicle (V2V) communication – where vehicles exchange information with each other, in particular for safety applications

vehicle-to-infrastructure (V2I) – where vehicles exchange information with the transport network infrastructure (roadways, intersections, etc.), of which electronic tolling is an example

vehicle-to-nomadic device (V2N) – where information is exchanged between vehicles and nomadic devices, such as mobile phones, tablets or navigation devices.

These classifications can be fluid: a police car sending out a signal to other vehicles on the road is V2V; that same vehicle stopped at an incident and broadcasting a roadside warning to approaching traffic effectively becomes part of the infrastructure and hence V2I. All points sending out and receiving signals can simply be described as ‘ITS stations’, and are effectively nodes within the network. Industry feedback has indicated that V2V applications are likely to be the first deployed, as these are already under development by many of the major automotive manufacturers.

8 Daimler, I spy with my little car…: The first ‘social network’ for automobiles’, media release 12 August 2012, 9 A number of these examples are taken from the Curtin-Monash University Accident Research Centre Fact Sheet No. 9 ‘In-Vehicle Intelligent Transport Systems’ http://c-marc.curtin.edu.au/local/docs/CMARC_Fact_Sheet_09_In_Vehicle_ITS.pdf (viewed on 18/10/2012). The European Standards body, ETSI, lists 32 basic C-ITS applications.


Widespread use of V2I applications may lag a number of years behind, due to the cost of rolling out significant infrastructure across the network, but could be implemented in key locations, such as collision black spots or unprotected rail crossings.

C-ITS applications will require the interaction of many elements, to the degree that some describe C-ITS not as a ‘cooperative system’, but as a ‘group of systems that cooperate’.10 The ability for vehicles to ‘talk’ to each other and to the infrastructure will provide much more information to the vehicle and the driver and effectively extend the range of sensors within the car.

1.1.1 Key elements of C-ITS

A critical component of C-ITS will be Dedicated Short Range Communication (DSRC), utilising the 5.9 GHz band of the spectrum. This will be the key medium for exchange of information in many applications. Due to its properties and availability, most major jurisdictions overseas plan to use the 5.9 GHz band for C-ITS applications.11 The low latency of this band is critical for collision avoidance, where fractions of a second can make the difference in avoiding a crash.12

In Australia, use of the 5.9 GHz band is currently embargoed and the Australian Communications and Media Authority (ACMA) has recognised its future potential use for C-ITS.13 However a final determination on the use of the spectrum and its licensing is yet to be made. While C-ITS applications are certain to utilise other communications media, such as the mobile phone network, DSRC will be indispensable for many applications, particularly safety applications, as the key medium by which information is shared.

Many C-ITS applications are premised on vehicles sending out a ‘heartbeat’ or more accurately a ‘Basic Safety Message;’ that is a signal broadcast ten times per second and up to one kilometre around the vehicle,14 to inform other vehicles of its basic information, such as where it is, where it is heading and how fast it is going. Standards are under development internationally, but the information broadcast by a C-ITS enabled vehicle will likely include:

a unique identification number for the station or device position – latitude, longitude, altitude and a measure of the accuracy of the information motion – speed, direction, steering angle and acceleration controls – such as brake status vehicle information – such as vehicle size and model.15

10 European Commission, Co-operative Vehicle Infrastructure Systems ‘Safe spot and CVIS Cooperative Applications and Related Legal Aspects’, http://www.cvisproject.org/download/qfree_CommCalmCvis_aalborgbrochure.pdf (viewed on 18/10/2012). 11 Except in Japan, which is utilising 5.8GHz band for C-ITS. A decision has already been made in the USA to use the 5.9GHz band for C-ITS. 12 In this context ‘low latency’ refers to the short delay (or alternatively the rapid response time) of signals transmitted, processed and output using this bandwidth. This feature is critical for road safety applications. 13 See for example ACMA, Five-year spectrum outlook 2011–2015: The ACMA’s spectrum demand analysis and indicative work programs for the next five years, March 2011 at p. 113: ‘The 5850–5925 MHz band is intended to support Intelligent Transport Systems.’ 14 Estimates vary in regard to this maximum range with some sources stating up to one kilometre http://www.standards.its.dot.gov/Documents/advisories/dsrc_advisory.htm (viewed on 18/10/2012) whilst others estimate 300-500 metres. The exact distance will also be dependent on topography and obstacles such as buildings. 15 The full set of information is outlined in SAE International, J2735 Dedicated Short Range Communication (DSRC) Data Message Set Dictionary Revised November 2009. See also SAE International, DSRC Implementation Guide: A guide to users of SAE J2735 message sets over DSRC.


Figure 2: Vehicles broadcasting C-ITS ‘heartbeat’ signal, image courtesy of Cohda Wireless

This information, visualised in Figure 2, would primarily be used by other vehicles to avoid collisions. Infrastructure could similarly broadcast information to nearby vehicles, including incident information or route guidance and receive signals from vehicles in order to monitor and manage traffic flows. Note that Global Navigation Satellite System technology (GNSS, more commonly known as Global Positioning System or GPS technology) is critical in providing the position information for these messages.

1.2 What are the potential benefits of C-ITS?

The safety, environmental and productivity benefits are potentially extremely significant. Research in the United States suggested that C-ITS safety systems have the potential to affect 80 per cent of road collisions involving unimpaired drivers.16 An Austroads and Monash University Accident Research Centre (MUARC) study in Australia concluded that C-ITS applications could provide a 25-35 per cent reduction in serious casualties from road collisions.17

Whilst the real figure cannot be estimated accurately until larger trials are conducted, the number of lives potentially saved is huge. As stated earlier, the number of road deaths in Australia remains at almost 1,300 per year18 whilst ‘the annual economic cost of road crashes in Australia is enormous—estimated at $27 billion per annum—and the social impacts are devastating’19. A 25 per cent reduction, if achieved, would represent a saving of over 300 lives each year, with additional savings of injuries and property damage. C-ITS has the potential to greatly increase road safety, significantly reducing the current scale of trauma, economic effects and community impacts felt in Australia.

16 US Department of Transportation, ‘Achieving the Vision: From VII to IntelliDrive’, White Paper, 2010. 17 Austroads, ‘Evaluation of the Potential Safety Benefits of Collision Avoidance Technologies Through Vehicle to Vehicle Dedicated Short Range Communications (DSRC) in Australia.’ Publication No. AP–R375/11, 2011, p.18 18 Bureau of Infrastructure Transport and Economics, Road Deaths Australia Bulletin, 2012. 19 Bureau of Infrastructure Transport and Economics, ‘Road Safety,’ 2012.


In addition to the safety benefits, significant environmental and productivity benefits may be possible as a result of this technology, with C-ITS applications able to improve driving efficiency, routing and congestion management. One example is a traffic signal speed assistance application (mentioned above) which is estimated to provide fuel savings of up to 15 per cent.20

Productivity benefits are difficult to estimate but may also be significant, particularly through management of movement around high traffic areas such as ports, airports and city centres. C-ITS technology can potentially provide a platform for innovative solutions to improve traffic flows, better information on trip times and improved travel planning. Improved performance and safety of vehicles can allow improved use of existing infrastructure. A recent study estimated that a combination of sensors and V2V communication in all vehicles could allow highway capacity to be increased by as much as 273 per cent.21

C-ITS also provides a platform for communication between different modes of transport, to enable outcomes such as collision avoidance and improve connections and interoperability.

1.3 When are we likely to see this technology?

Active trials are currently taking place around the world, particularly in the United States where a large-scale trial on public roads in Michigan should provide important data on the benefits of specific applications.22 In addition there have been various trials of V2V and V2I applications in Europe.23 In Australia, a recent trial has examined the use of C-ITS technology for rail crossings.24

Whilst estimates vary, it is likely that such systems will be introduced into new vehicles by manufacturers over the next three to five years, beginning with advisory systems in higher-end vehicles. It will then take many years for such technology to become common place throughout the vehicle fleet – the average age of a car on Australian roads is currently around ten years, with the average age of trucks older again.25 There is also potential for after-market devices to introduce this technology into older vehicles. By 2013 the US Department of Transportation plans to make a regulatory decision about whether in-vehicle C-ITS technology will be made mandatory in cars or be encouraged in other ways, for example through star ratings systems.26 This decision is likely to have a significant impact on the pace of change globally.

The introduction of this technology will be influenced by a range of other factors. A report by the US Department of Transportation’s Research and Innovative Technology Administration (RITA) found that the factors positively influencing the roll-out of ITS in general (rather than specifically C-ITS) include funding for state and local agencies, use of regional architectures, research producing evidence to support adoption and knowledge sharing among peers.27 Other important factors are likely to include changes in the economy and public acceptance of the technology.

1.4 Aim of this paper

C-ITS applications could potentially have a significant impact on our lives, however the roll out of these applications also raises a number of policy issues. Governments, industry and the community will need to think about how this new technology will fit within our current policy frameworks for transport and how applications should be managed. For example, if many (or most)

20 Siemens, Intellidrive, 2010, https://www1.vtrenz.net/imarkownerfiles/ownerassets/1111/siemens_ts_intellidrive.pdf (viewed at 18/10/2012). 21 P Tientrakool, Ya-Chi Ho and NF Maxemchuk, ‘Highway Capacity Benefits from Using Vehicle-to-Vehicle Communication and Sensors for Collision Avoidance’ Vehicular Technology Conference 2011, Institute of Electrical and Electronics Engineers, http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&arnumber=6093130 (viewed on 18/10/2012). 22 Michigan Department of Transportation, Southeast Michigan Transportation Operations Centre, http://www.michigan.gov/mdot/0,4616,7-151-9615_44489_44992-119729--,00.html (viewed on 18/10/2012). 23 For example, the Cooperative Vehicle Infrastructure Systems (CVIS) project (http://www.cvisproject.org/en/about_cvis/), the SAFESPOT project, which looked at using V@I safety systems (http://www.safespot-eu.org/objectives.html) and the Co-operative Systems for Intelligent Road Safety (COOPERS) project (http://www.coopers-ip.eu/index.php?id=project). 24 La Trobe University, Safety Measure for Rail Crossings, media release, 22 August 2012, http://www.latrobe.edu.au/news/articles/2012/article/next-generation-safety-measure-for-rail-crossings (viewed on 18/10/2012). 25 Australian Bureau of Statistics, Motor Vehicle Census, 31 March 2010, p.11, http://www.ausstats.abs.gov.au/ausstats/subscriber.nsf/0/03CFF66BA0471A68CA257829001168D6/$File/93090_31%20Mar%202010.pdf (viewed on 18/10/2012). 26 It is worth noting the US mandates the disclosure of safety ratings as part of new car sales. 15 USC chapter 28, Disclosure of Automobile Information: http://uscode.house.gov/download/pls/15C28.txt. 27 RITA, ‘An Analysis of the Factors Influencing ITS Technology Adoption and Deployment’, Final Report, 2011).


vehicles on the network are sending out signals, will this enable greater tracking of vehicles and hence impact on the privacy of drivers? Who will be held liable if C-ITS applications fail, resulting in a collision?

A key question will be whether C-ITS applications can be managed within the current legislative provisions and policy frameworks, or whether this technology is sufficiently different from existing systems that changes are required.

There also remains a risk that areas of regulatory policy could represent a barrier to the deployment of C-ITS. Australia will largely be dependent on technology developed and manufactured overseas. It remains possible that vehicles could be imported with this technology switched off if the policy framework does not support it, with the result that Australia completely misses out on the benefits.

There are a range of C-ITS projects in Australia, and the NTC is not seeking to tackle every issue raised by these applications, but is focusing on the key regulatory policy implications. In particular, the NTC is seeking to understand whether there are regulatory barriers that would prevent or delay the roll-out of these applications and, further, where government action can improve the uptake of C-ITS. Policy certainty is required in order to give confidence to consumers and to manufacturers to invest.

1.4.1 Role of government

The appropriate role of government is a key issue. If the evidence indicates that C-ITS applications offer significant net benefits in terms of safety, productivity and environmental outcomes, then there is a case that government should at minimum ensure that regulatory policy does not impede its uptake (whilst ensuring that other rights and benefits are not adversely affected).

Commonwealth, state and local governments will inevitably play a role in C-ITS as major infrastructure owners and managers. Beyond this, there is a question of how much more of a role governments should play and how much should be left to the private sector.

The role of government will be determined, in part, by the extent of any market failures requiring government action. Market failure is an economic term used when market forces are unable to deliver optimal outcomes for society. While it is quite possible that C-ITS can perform to its optimal potential in society and produce the benefits associated with the technology, relevant market failures may include:

asymmetric information, for example, where the safety benefits are not known or understood by consumers

externalities, where the societal safety benefits of C-ITS are not reflected in the market price, or the benefits and costs of C-ITS are misaligned or misallocated.

Fundamentally, government action must be in response to, and in proportion to, a policy problem. While it is too early to comprehensively identify market failures, this paper is an opportunity to reflect on what the policy problems may be, and what is required to achieve the policy objectives of improved road safety, productivity and environmental outcomes.

More regulation is not the only option. This paper discusses each policy question in the light of a range of alternative regulatory approaches, including:28

Self-regulation: characterised by industry-formulated rules and codes of conduct, with industry responsible for enforcement. This is a feasible option when there is no strong public interest concern, in particular no major public health and safety concerns, the problem is a low-risk event, of low impact or significance, and the problem can be fixed by the market itself. Self-regulation is not likely to be effective, however, if industry has an incentive not to comply with the rules.

Quasi-regulation: characterised by a wide range of rules or arrangements, where

governments influence businesses to comply, but without explicit government regulations,

28 Australian Government, Best Practice Regulation Handbook, 2010, pp 34-35.


such as industry codes of practice developed with government involvement, guidance notes, industry-government agreements and accreditation schemes.

Co-regulation: where industry develops and administers its own arrangements, but

government provides legislative backing to enable the arrangements to be enforced. Legislation may also provide for government-imposed rules in the event that industry does not meet its own responsibilities.

Explicit government regulation: characterised by direct regulation comprised of

primary and subordinate legislation. Explicit government regulations should be considered where:

o the problem is high-risk, of high impact or significance; for example, a major public health and safety issue

o the community requires the certainty provided by legal sanctions o universal application is required or judged necessary o there is a systemic compliance problem with a history of intractable

disputes. Self-regulation is the NTC’s preferred option, particularly in the initial, introductory phase of the technology. Alternative instruments to regulation include information and education campaigns, pre-market assessment schemes (such as certification), standards (including voluntary and regulatory, performance-based or prescriptive), and other mechanisms, such as public information registers, mandatory audits and quality assurance schemes. Finally, in some cases legislation may also need to be removed.

1.4.2 Existing safety systems

C-ITS will not be the only type of technology developed for safety, productivity and environmental benefits. It will operate in conjunction with existing safety systems in vehicles that utilise a range of in-vehicle sensors, including cameras, radar and lidar (‘Light Detection and Ranging’), location services via GNSS and information received via the mobile data network. There is overlap between C-ITS and Advanced Driver Assistance Systems (ADAS), a term used for a wider range of driver technology such as Advanced Cruise Control (ACC), which do not necessarily rely on a cooperative system of wireless signals from other vehicles and infrastructure. Some of the policy issues will be similar for both C-ITS and ADAS, particularly in the area of liability.


There has been significantly more research conducted on ITS generally and on ADAS, than specifically on C-ITS applications; this paper thus draws on some of this broader research but attempts to make clear distinctions between these different classifications of technology. An additional challenge for manufacturers will be to smoothly incorporate all of these systems and provide simple, intuitive messages for the driver.

As with many areas of technology, C-ITS is evolving rapidly; any policy solutions must seek to establish principles that will be durable even as the technology evolves.

1.5 Scope of issues

As mentioned above, C-ITS represent an entirely new communications platform for transport. Once vehicles are able to share information, there will be a large (indeed unknown) number of applications that may run on that platform. This represents a significant challenge given the unpredictable extent of its use. However this report is intended to look at the policy implications of the platform and the potential range of applications that may run on it. It will aim to avoid discussions of individual applications, except where this is required for purposes of illustration.

As an example of the range of applications, the US ITS discusses the following areas:

public-sector transportation public-sector commerce and toll collection public-sector regulation and commercial vehicle permitting law enforcement and investigation public security surveillance private sector commerce and transportation truck parking.

Each of these may raise different sets of issues, but there will be some common policy challenges. In this report the NTC considers the impact of C-ITS applications in four major areas of regulatory policy:

1. Privacy – C-ITS applications generate significant volumes of data. This raises questions around whether such data could be linked to individuals and how C-ITS applications fit within current privacy regimes in Australia dealing with the collection, use and disposal of personal information.

2. Liability – as transport technology advances, the issue of who is liable in the event of a crash will likely become more complex. The question of how liability would be resolved in the event of C-ITS system failure will be important in providing certainty to drivers, manufacturers and road managers.

3. Driver distraction – existing rules govern the use of technology designed to prevent the driver from being distracted from the driving task. An assessment is required of how C-ITS applications fit within these existing rules and whether they raise additional risks.

4. Compliance and enforcement – the role of C-ITS applications within existing road compliance and enforcement activities, in particular in relation to the purposes for which C-ITS information can be used, will be critical for providing certainty to drivers on how they will be treated.

While they are outside the scope of this paper, there are a range of further critical issues that need to be considered as part of introducing C-ITS in Australia, including:

management of the spectrum setting up the appropriate systems architecture governance and institutional arrangements.

These issues are being explored elsewhere in Australia, in particular by the Austroads Cooperative ITS project, which recently published a Cooperative ITS Strategic Plan.29

29 Austroads Project No: NT1632 is coordinating a number of streams of work in relation to C-ITS and is considering spectrum licensing and mapping requirements. Austroads Research Report AP-R413-12 Cooperative ITS Strategic Plan, 2012.


This paper will outline the four key issues (privacy, liability, driver distraction and compliance and enforcement) together with the current legislation, interaction with C-ITS applications and broad potential policy approaches for the future. This paper will not provide detailed solutions but is intended to generate discussion and feedback on whether action is required in each of these areas and, if so, what are the best policy options to pursue.

1.6 Key issues in C-ITS

There are a number of key C-ITS issues which affect several of the regulatory policy areas to be discussed. In particular:

human factors mix of old and new transport technology and mixing with other road users data accuracy security and anonymity whether C-ITS applications are warning systems or intervention systems.

1.6.1 Human Factors

Human factor considerations can have a significant impact on whether safety technology delivers on predicted benefits. Humans can often behave in complex and unpredictable ways, whereas technology behaves as programmed, so the interaction of the two can lead to unforeseen results. A study of recent crash avoidance technology, based on insurance claims data, concluded that:

An early crop of advanced crash avoidance technologies includes some clear success stories when it comes to preventing crashes... Forward collision avoidance systems, particularly those that can brake autonomously, along with adaptive headlights, which shift direction as the driver steers, show the biggest crash reductions. Lane departure warning appears to hurt, rather than help, though it's not clear why, and other systems, such as blind spot detection and park assist, aren't showing clear effects on crash patterns yet.30

In assessing safety and hence liability issues, it is vital to look at the technical and the human factors which may impact on safety. These factors, outlined below, range from over-reliance by drivers on the new technology to failure to use it.

Drivers’ over-reliance/ behavioural adaptation: with any new driving technology there is a risk of over-reliance by drivers: ‘avoiding false expectations will be important to ensure safety.’31 Drivers may adapt their behaviour based on safety systems, for example where the use of a reverse collision warning leads to drivers’ failing to look behind them when reversing. Systems always have limitations and this adaptation can lead to additional dangers, particularly in an environment where not all vehicles are connected.

Awareness of capabilities and limitations: a related issue is that if users are not aware of a system’s capabilities and limitations they can overestimate that capability. Risk compensation: a potential issue for any new safety system is risk compensation, that is the notion that drivers may drive in a more risky fashion due to a greater feeling of safety as a result of additional safety systems.

Distraction: driver distraction is an increasing concern as in-car systems and their interfaces become more complex. Designers will need to ensure warnings are not startling and that the design of information is ergonomically appropriate. Well-designed warnings ‘should be carefully calibrated in the sense of being decipherable, comprehensive, parsimonious, obvious and executable’.32

30 Insurance Institute for Highway Safety, Crash avoidance features reduce crashes, insurance claim study shows; autonomous braking and adaptive headlights yield biggest benefits, news release, 3 July 2012, http://www.iihs.org/news/rss/pr070312.html (viewed on 18/10/2012). 31 Rand Corporation, Liability and Regulation of Autonomous Vehicle Technologies, 2009. 32 K van Wees and K Brookhuis, Delft University of Technology, ‘Product liability for ADAS; legal and human factors perspectives,’ European Journal of Transport and Infrastructure Research, vol 5, no. 4, 2005, p.365, http://www.ejtir.tbm.tudelft.nl/issues/2005_04/pdf/2005_04_08.pdf (viewed on 18/10/2012).


Risk exposure change: technology can change people’s travel patterns, with a resultant change in their exposure to risk. An example is GPS navigation systems, which may have led more drivers to complete trips in unfamiliar locations; increasing their driving and changing their risks. Changes in driving as a result of C-ITS are at this stage difficult to predict. Skill loss: increasing driver aids may lead to a loss of driver skill, which can be critical when a driver aid fails and the driver no longer has the collision avoidance skills to deal with a critical situation. Airlines seek to avoid this with their pilots through flight simulator training. In comparing automatic cruise control and C-ITS applications, the European Commission’s Cooperative Vehicle-Infrastructure Systems project (CVIS) found that:

The overall probability of a simultaneous failure of an automated system and the driver, resulting in an accident, is the product of the probability of a system failure and the probability of a failure by the driver to respond if the system cannot. Clearly, the issue here is to ensure that the level of driver attention does not fall so low that the overall performance is worse than without the system. In fact, the result needs to be substantially better in order to justify the benefits.33

Driver acceptance: drivers may not accept and use the technology. A historical example is seat belts. Regulation was required to ensure that seat belts were fitted on all vehicles and to change the habits of the driving population. Regulatory policy issues can also have an effect on public perception and uptake – will the public perceive these systems as a benefit to themselves and their safety? Initial studies indicate strong public interest, with a recent on-road trial in the United States finding that ‘more than 90 per cent of the participants believed a number of specific features of the connected vehicle technology would improve driving in the real world, including features alerting drivers about cars approaching an intersection, warning of possible forward collisions, and notifying drivers of cars changing lanes or moving into the driver's blind spot’.34 The study did, however, also indicate a limit on what consumers are willing to pay, with drivers indicating that such systems would not be worth purchasing if they were over US$250. Regulatory policy issues – in particular privacy, compliance and enforcement issues – may also have a significant impact on acceptance.

1.6.2 Mixing old and new technology; mixing with other road users

A key limitation that C-ITS is the long (perhaps endless) period during which some, but not all, vehicles on the road will be C-ITS enabled – or when C-ITS systems become inoperable over time as they are replaced by more advanced C-ITS technologies. C-ITS enabled vehicles will only interact with a certain percentage of other vehicles on the road, initially a very low percentage but growing over time. Drivers will not be able to rely on all other cars sending signals for an indefinite period, which has a significant impact on how much they can rely on the warnings generated. Laws will also need to take account of both sets of vehicles and drivers. Similarly C-ITS enabled vehicles will need to be tolerant of other road users that may be not have C-ITS, in particular cyclists and pedestrians.

This could be an important issue for liability.

1.6.3 Accuracy of data

A further issue is the accuracy of data, particularly positioning data and mapping data, which will be critical to the effectiveness of particular applications. Current positioning technology (e.g. current GPS systems) may not have the accuracy required for certain applications. For example, in order to determine whether a vehicle’s trajectory indicates that a collision is likely, accurate position data

33 F Verweij, N Hoose, S Sondeijker, M Kuiken, J Pommer and W Savenije D.DEPN.7.1 Guidelines for policy makers: policy challenges on the way to deployment of CVIS, p. 28, 28 February 2010, http://www.cvisproject.org/download/Deliverables/DEL_DEPN_7.1_Guidelines%20for%20policy%20makers_Final%20version_v2.8.pdf (viewed on 18/10/2012). 34 US National Highway Traffic Safety Administration, New DOT research shows drivers support connected vehicle technology, appreciate potential safety benefit, media release, 22 May 2012, http://www.nhtsa.gov/About+NHTSA/Press+Releases/2012/New+DOT+Research+Shows+Drivers+Support+Connected+Vehicle+Technology,+Appreciate+Potential+Safety+Benefits (viewed on 18/10/2012).


for vehicles is critical. For applications such as intelligent speed assistance, accurate, up-to-date mapping of speed zones (along with accurate position information for the vehicle) is key.

This level of accuracy will be an important determinant of the reliability of the system and drivers will need to understand any deficiencies as a key limitation of the technology.

1.6.4 Security and anonymity

Security will be an important feature of the platform – both security of the system (to ensure that false signals are not created, potentially creating traffic problems or collisions) and security of the data (to ensure that user’s data cannot be stolen). Verification of each user’s signal is important for security, in order to assure drivers that the signal coming from around the corner is a legitimate one. The technology will likely be based on security certificates (similar in concept to those used for secure websites), with a central authority able to issue these certificates. The system will then likely require some infrastructure at various intervals to check the credentials of vehicles as they pass and ensure that the data they are providing to the network is correct.35 This potentially adds further risks and hence liability issues in relation to the control and management of this system. It also raises the issue of whether the signals generated by vehicles can truly be anonymous, or whether there will be some method by which they can be linked back to a vehicle and its registered owner: a critical question for the analysis of privacy as well as compliance and enforcement. Even if there is not a direct relationship between the ID number provided in a C-ITS signal by a vehicle and the vehicle’s registered owner, ways may exist to determine this relationship if different data sets are linked together, for example through the certificate authority and licensing databases. If C-ITS signals cannot be genuinely anonymous, then questions of privacy and controls on the uses of C-ITS data become paramount. Finally, in the future applications could be created which require users to identify themselves, for example to use toll roads or to access secure facilities such as ports (although devices may simply use a different message function to the Basic Safety Message described above).

1.6.5 Warning systems and interventions

C-ITS in-vehicle applications, as with other vehicle systems, can be classified in a series of ways based on their interaction with the driver. A basic way of classifying these applications would be as:

information and warning systems non-overridable intervention systems (for example, causing a vehicle to brake

automatically when a collision is imminent) overridable intervention systems (triggering an intervention but allowing the driver to

override it), which represent a complex grey area between the other two.36

There is not always a clear distinction and these notions may be better conceptualised as a spectrum, visualised at Figure 3.

35 ‘Since the use of time-restricted certificates introduces the need for a greater number of certificates per vehicle, all certificates will be encrypted and loaded onto the vehicle at longer-term intervals, for example, annually. The certificates are stored in batches, or bundles, and cannot be unencrypted until a key is received from the CA. At full deployment, vehicles will request keys from the CA daily to unlock certificates. Vehicles will receive certificates, keys and CRLs through infrastructure nodes, most likely deployed as roadside units (RSEs).’ See RITA, An Approach to Communications Security for a Communications Data Delivery System for V2V/V2I Safety: Technical Description and Identification of Policy and Institutional Issues, White paper, November 2011, http://ntl.bts.gov/lib/43000/43500/43513/FHWA-JPO-11-130_FINAL_Comm_Security_Approach_11_07_11.pdf (viewed on 18/10/2012). There may be some difficulties in this approach in there is not a widespread roll out of roadside units. 36 P Elliott and E Stanley, ‘Liability issues with intelligent transport systems’ Traffic Engineering and Control, February 2010, http://www.twobirds.com/English/News/Articles/Pages/Liability_issues_with_intelligent_transport_systems_240210.Aspx (viewed on 18/10/2012).


Figure 3: spectrum of advanced driver assistance systems

37

Where each C-ITS application sits on this spectrum will be significant for areas such as compliance and enforcement, but particularly for liability. It is assumed, at this point, that initial C-ITS applications will be developed as information and warning systems. However they are likely to rapidly develop into more interventionist systems.

1.7 The Australian context and existing ITS policy

There has been significant work completed overseas on a number of the regulatory policy issues discussed in this paper, particularly in relation to privacy and driver distraction. The NTC is not seeking to replicate this research, however these issues do need to be examined in the Australian context, in particular with reference to our:

legal system, and the common law and legislative coverage of the issues being considered

federal structure and the division of responsibilities between state and territory governments and the Australian government

geography, in particular the large distances and remote locations involved in the transport task, with implications for prioritising applications and setting limits on the utility of some applications.

State governments play a significant role in land transport through their road and transport agencies. Local government also has an important role as a major asset owner. The recent Policy Framework for Intelligent Transport Systems in Australia38 sets out the policy context for ITS in Australia (and hence for C-ITS) and includes the following principles for ITS:

1. ITS development and implementation must deliver demonstrable benefits to individuals, the community and business ITS provides a suite of enabling technologies that permit the delivery of improved safety, productivity, environmental, urban amenity, and security outcomes. ITS planning and implementation will:

a) be outcomes focused – make a tangible contribution towards solving key transport challenges (e.g. reducing congestion and freight delays, lowering emissions, improving energy efficiency, attaining higher levels of safety and security including vulnerable road users) b) be consistent with broader transport network objectives c) build on existing infrastructure and networks – where it is cost effective to do so – including the National Broadband Network d) facilitate competition and consumer-driven outcomes – for establishment and development of innovative ITS applications and services wherever feasible and appropriate.

37 Rand Report, op. cit. 38 Standing Council on Transport and Infrastructure, Policy Framework for Intelligent Transport Systems in Australia, 2012, http://www.infrastructure.gov.au/transport/its/files/ITS_Framework.pdf.


2. The policy environment in which ITS are developed and implemented must be robust and dynamic The policy environment for ITS will provide for both regulatory and non-regulatory processes when market interventions are considered necessary. Non-regulatory approaches will rely on cooperative agreements between jurisdictions and/or business to adopt common standards, policies and guidelines to harmonise state, regional or sector based solutions. Under a regulatory framework the adoption of specifications, the issuing of mandates for national standards and the selection and deployment of ITS applications and services shall be based upon an evaluation of needs involving all relevant stakeholders, and an assessment of benefits and costs in accordance with best practice regulatory principles. These measures shall:

a) deliver interoperability – ensure that systems and the underlying business processes have the capacity to exchange data and to share information and knowledge to enable effective ITS service delivery b) be transparent – regulatory decisions will be evidence-based and follow established and explicit principles and rules c) be fit for purpose – including accreditation/certification and or audit requirements d) discourage inappropriate technologies that could restrict future development e) be proportionate – provide, where appropriate, for different levels of achievable service quality and deployment, taking into account the local, regional, national and international specificities f) support continuity of services – ensure seamless services when ITS services are deployed. Continuity of services should be ensured at a level adapted to the characteristics of the individual transport networks, and where appropriate, regions with regions and cities with rural areas g) encourage innovation – ensure that regulation is only introduced when there is a demonstrated need to do so, is closely targeted, and involves the minimum level of intervention required to deliver a regulatory objective h) support backward compatibility – ensure, where appropriate, the capability for ITS systems to work with existing systems that share a common purpose, without hindering the development of new technologies i) avoid favouring particular technologies or applications, to the maximum extent feasible j) facilitate multiple uses – where appropriate and feasible, enable ITS customer equipment to be used for multiple purposes, to reduce cost and maximise customer value k) promote equality of access – facilitate and encourage access to ITS applications and services for all users who may benefit from them including vulnerable users l) facilitate inter-modality – take into account the coordination of various modes of transport, where appropriate, when deploying ITS m) promote consistency with international standards – enabling Australian suppliers to compete in the world market and providing Australia access to global technology and supplier solutions n) promote consistency across modes and geography so that information is delivered to end users in a familiar way o) promote data sharing – to support the delivery of additional ITS solutions that benefit the wider community.

C-ITS policy issues will be explored in the context of these principles, to ensure that solutions are in keeping with the overall national approach to ITS. Research undertaken by the NTC for the National Heavy Vehicle Compliance Strategy suggests that platform interoperability between jurisdictions is sorely lacking in the heavy vehicle transport context. This paper will not deal with institutional arrangements for C-ITS, such as which body will manage the system and maintain the architecture and standards. However it is worth noting the importance of these decisions to a successful implementation of the technology. As the NTC noted in its submission to the Review of Transport Bodies:


Powerful advances in information technology and commitments to open data are opening up new opportunities to achieve transport and infrastructure policy objectives. The convergence of new technologies, performance management, open data, and analytics will be game-changing… National decisions by governments on how Intelligent Transport Systems (ITS) and data is deployed seamlessly across modes and/or borders are key to maximising this opportunity and avoiding ‘break of gauge’ issues… A national view on common standards and integration in the deployment of intelligent transport systems and data can avoid information-related ‘break-of-gauge’ issues across transport modes and networks. It is important that a policy led approach is adopted, with strong engagement mechanisms across modes and the private sector (e.g. ITS Australia).39

In 2011 the NTC released the ‘National in-vehicle telematics strategy: the road freight sector’40 which outlines a strategy for encouraging the uptake of telematics in order to improve transport outcomes. Whilst the strategy focused on road freight and specifically on telematics technology, the principles may be applicable to C-ITS, in particular outlining the role of government in transport technology:

1. The role of business is to develop innovative technological solutions – the private sector has the ability to drive the development of new technologies, and the incentive and resources to innovate in-vehicle telematics.

2. The role of governments is to provide policy certainty by setting the regulatory framework, creating an environment for business to invest with confidence.

3. Technology is a tool to enable policy; policy should not be designed to fit a technology.

4. Interoperability standards and platforms must be public, transparent and performance based. They should encourage innovation and facilitate multiple uses. Governments should provide standards and policy directions to help facilitate supply chain interoperability and in-vehicle telematics uptake.41

5. Telematics-based compliance monitoring should be voluntary wherever practical.

6. Uptake by industry should be encouraged rather than compelled.

7. Mandating in-vehicle telematics applications requires transparent and consistent evaluation, considering the needs of all relevant stakeholders in accordance with best practice regulatory principles. It should ensure any new technological requirements deliver demonstrable benefits to individuals and the community.

8. National approaches for telematics use – national consistency delivers economies of scale and drives greater uptake within industry.

1.8 Methodology for this paper This paper is based on extensive desktop research along with ongoing consultation with industry, government and other stakeholders, including automotive manufacturers, technology providers, road agencies and privacy experts. Prior to the development of this paper, an initial scoping paper was presented to the Austroads’ Cooperative ITS Steering Committee for feedback on the issues being covered.

39 National Transport Commission, NTC submission to the Review of NTC & Other Bodies – Analysis & Findings, 2012, http://www.ntc.gov.au/DocView.aspx?DocumentId=2313 (viewed on 18/10/2012). 40 National Transport Commission, National in-vehicle telematics strategy: the road freight sector, 2011, http://www.ntc.gov.au/viewpage.aspx?AreaId=35&DocumentId=2002 (viewed on 18/10/2012). 41 Note: there should be transparency of existing tamper-proof standards and data protection.


2. Privacy

This chapter analyses the privacy implications of C-ITS in the context of Australian privacy laws, and explores potential regulatory approaches to protect personal information.

2.1 What are the issues?

At base, C-ITS applications rely on vehicles broadcasting signals to indicate their location, signals which are intended to be received and understood by a range of other devices. This raises a significant privacy issue should C-ITS enable persons or organisations –– either governments or private-sector companies –– to locate and track specific vehicles. The risk for C-ITS consumers is that this information will be ‘personal information’ if their identity is apparent. This is feasible if those that have access to location data can link the unique vehicle identifier (or series of identifiers) of the C-ITS signal to a registered vehicle and, in turn, to an individual (a registered owner). This information could be in real time (where the vehicle is presently located) or historic (where the vehicle was at a certain time on a certain day).

While the opportunities for improved road safety, traffic management and law enforcement are considerable, many individuals would not expect the movement of their private vehicle, and by extension themselves, to be plotted across the network by a government or a third party. This is a valid and legitimate concern and will require both government and industry to practice in good faith the privacy principles enshrined in Australian law, particularly in respect to purpose of collection, data storage and disclosure.

The likelihood and significance of the privacy risk will depend on the extent to which the data is anonymised and the nature of the controls in place with respect to collecting the data and linking information to individuals. It will also depend on which bodies hold relevant data, such as certificate information.

‘Intelligent transport systems are intrinsically linked to the movement and exchange of data’42 and cooperation among the various entities acquiring the information is often expected. In this situation, responsibilities need to be assessed in terms of security risks and possible threats to privacy, as ‘some of the data will be purely situational or anonymous, while other data, either by itself or as part of multiple data sets, which independently can be purely situational or anonymous, taken together can provide personal information’.43

Location information can be a very personal matter worthy of privacy protection, even if the movements and activities of an individual are within the law. In a report regarding surveillance activities, the Victorian Law Reform Commission reflected on location information:

The need to retain privacy in public places is sometimes concerned with the desire to keep particular information private. This information may relate to a person’s political views, medical issues (such as attendance at an abortion clinic or a drug and alcohol treatment centre), and social matters (such as attendance at a gay bar). It is strongly arguable that people ought to be able to restrict access to information about themselves of this nature.44

Consumers make choices that impact upon their privacy in many ways. For example, most people accept that certain location information can already be tracked, particularly through their mobile phone and location-based applications. They do so because of the advantages that these applications afford them, and – implicitly – because they trust the service providers to handle their personal information securely and responsibly. However, the ability for individuals to make this choice is important.

These privacy issues mirror a bundle of technology innovations that pose comparable risks, from ANPR to facial recognition technology. Privacy issues are also becoming increasingly cross-border

42 ISO/TR 12859 Intelligent transport systems – System architecture – Privacy aspects in ITS standards and systems, 2009, p.v and 3. 43 Ibid. 44 Victorian Law Reform Commission, Surveillance in Public Places Report, 2010, p. 64.


in nature, due to the move towards cloud computing where personal information may be held anywhere in the world (or in multiple places).

2.1.1 Examples of vehicle tracking

Vehicle tracking technology is widely utilised in Australia today. Many telematics systems include a level of tracking, for example to provide emergency assistance or to track stolen vehicles. Vehicle tracking technology is also a common component of commercial freight management systems.

Telematics are increasingly used for insurance and crash-liability purposes. Systems may record information regarding driving style, including speeds, distances, time of day and harsh braking events. While offering safety benefits for drivers, telematics devices also capture driver behaviour and vehicle location information.

Infrastructure providers also utilise vehicle-tracking technology in a range of circumstances. Enforcement agencies may apply ANPR technology to track vehicles through point-to-point systems or mobile units, while tolling systems record certain vehicle information for the purposes of road user charging. Vehicle tracking technology is also required of certain types of commercial vehicles in return for network access and mass concessions under the Intelligent Access Program (IAP) regime. These systems typically have stringent controls in place to govern the collection, use, access and disposal of information.

Some stakeholders have suggested that, due to the significant vehicle tracking which already takes place, additional information collection through C-ITS is likely to have a minimal impact. However, all technologies that have an impact on privacy require a risk assessment and systems appraisal to ensure compliance with the privacy principles.

Before reviewing current privacy laws in Australia, we will discuss two key elements that will shape discussions regarding the privacy implications of C-ITS:

the extent to which C-ITS data will be anonymous the deployment model for C-ITS.

2.1.2 Anonymity

While this paper is intended to focus on the policy principles and not specific technologies, the privacy issues will be framed by the technology solutions implemented and in particular the extent to which C-ITS signals generated by vehicles can be anonymised. This is critical given that the surest way to protect privacy is not to gather the personal information in the first instance.

International standards for C-ITS are in development.45 A focus of these standards is that intelligent transport systems will be developed with a ‘privacy by design’ objective. There may, however, be limitations on whether true anonymity can be achieved. For security purposes, vehicles are likely to be required to have a form of security certificate (similar to those for secure websites) in order to ensure that signals are legitimate and prevent false signals being generated. While security certificates for drivers or vehicles are still under development, it is expected that these will need to be authenticated by a certification authority to ensure that false signals are not recognised within the system.

This means that, much like providing details to purchase a mobile phone, individuals – personally or through vehicle registration – will likely need to identify themselves in some way to gain access to the system. This creates a unique identifier, or collection of identifiers,46 that can potentially link a vehicle’s activity to a vehicle registration number or individual license number. Whilst the intention is to make the signals generated by vehicles anonymous,47 there may remain the ability to trace,

45 ISO Standards are being developed as part of the work of TC 204: ‘Intelligent Transport Systems’, http://www.iso.org/iso/home/standards_development/list_of_iso_technical_committees/iso_technical_committee.htm?commid=54706 (viewed on 18/10/2012). 46 It has also been mooted that vehicles rotate the identity numbers that they use to limit the ability to effectively track an individual signal. 47 US Department of Transport ‘The communication security system shall not allow for identification of a person through personally-identifiable information within messaging context.’ in An Approach to Communications Security for a Communications Data Delivery System for V2V/V2I Safety: Technical Description and Identification of Policy and Institutional Issues White Paper, November 2011, P.6.


via the certification authority, these identity numbers back to an individual. In fact there may be a need to do so, if individuals within the system need to be penalised for misuse of devices (for example hacking a device so that it broadcast an incorrect signal). These issues will also feed into decisions around governance, such as which body should act as the certification authority and whether this needs to be separated from road authorities.

In a submission regarding ANPR technology, the Australian Information Commissioner suggested that vehicle registration numbers, when collected by government authorities with the means to link those numbers to individuals’ names and addresses, are likely to be personal information.48 This principle extends to C-ITS. The question will be whether the broadcast identity number can be linked back to an individual, either directly or through a process or data mining or matching. At the same time, if a service provider collects a vehicle’s unique number but has no method to match that number to a vehicle registration or individual, then it is not the collection of personal information.

At issue is how easily, if at all, a C-ITS vehicle signal can be linked to a particular individual. In the event that genuine anonymity is not attainable, consideration should be given as to how privacy can be ensured.

2.1.3 Deployment models

The privacy impact of C-ITS applications will vary depending on the deployment model introduced for C-ITS. At a broad level, three options are available:

Opt-in model – where consumers must explicitly purchase C-ITS applications and, as part of this consumer choice, they accept the consequent privacy implications. While this approach may result in a lower take-up of C-ITS, and a smaller realisation of the safety benefits of the technology, the opt-in model is the most privacy-friendly option.

Opt-out model – where consumers purchase a vehicle and C-ITS would be operational by default, but with the ability to be switched off. Whilst this approach is likely to result in a higher uptake of C-ITS and consumers are still empowered to make decisions, they may not be as aware of their available choices and the resultant privacy implications.

Mandatory model – where all new vehicles in the future are built with C-ITS and, potentially, all older vehicles are required to be retrofitted with C-ITS. This approach would provide the greatest safety benefits, but the privacy implications of C-ITS would become of much greater significance for the community.

In the event that C-ITS safety applications are incorporated into the Australian Design Rules (ADR) they would effectively become mandatory as ADR safety features cannot generally be switched off or opted out of. While at this stage there is no suggestion that C-ITS technology become mandatory in Australia or that it be classified in the ADRs as a critical safety feature that cannot be turned off, these are certainly options that will arise for consideration in the future and that are being discussed and reviewed by the US Department of Transportation.49

Opt-in and opt-out models are premised on consumers being able to make informed choices, which may not always be the case. A recent survey50 in the US indicated that, while it did not stop them purchasing the technology, consumers are concerned about their location being tracked through their mobile phones, and that they do not feel they are given sufficient information about the use of this information. A separate report51 concluded that ‘privacy policies are hard to read, read infrequently, and do not support rational decision making.’ It found that, read in full, the number of online privacy policies that an average user encounters would require some 25 days a year to read.

48 Office of the Privacy Commissioner, Inquiry into Automatic Number Plate Recognition Technology submission: Issues Paper No.12, 2008, paragraph 20. 49 US Department of Transportation, Research and Innovation Technology Administration (RITA), Principles for a Connected Vehicle Environment, 2012, http://www.its.dot.gov/connected_vehicle/principles_connectedvehicle_environment.htm (viewed on 18/10/2012). 50 GPS Business News, 2012, http://www.gpsbusinessnews.com/Poll-Shows-U-S-Consumers-Have-Privacy-Concerns-with-LBS_a3571.html (viewed on 18/10/2012). 51 N Anderson, ‘Study: Reading online privacy policies could cost $365 billion a year’ Ars technica ( 2008, available at http://arstechnica.com/tech-policy/2008/10/study-reading-online-privacy-policies-could-cost-365-billion-a-year/ (viewed on 18/10/2012).


In the limited circumstances where consent may be required under either opt-in or opt-out methods (for example to disclose personal information for a secondary purpose), thought must be given to how a consumer will give their consent, which could be at the point of purchase (or sign-up) of either the C-ITS hardware or individual applications.

Subject to further consultation, technology and standards development, the opt-in model provides choice to the consumer and therefore is likely to be the most feasible approach to introducing C-ITS into the Australian market. This method will significantly help mitigate the privacy risks. However any changes to the adopted approach (such as a move towards mandating C-ITS) should include a re-evaluation of C-ITS compliance with the privacy principles.

2.2 What is the current law?

Privacy principles in Australia are governed by a mix of Commonwealth and state laws and regulations. While there are relevant differences across Commonwealth and state-based privacy principles that are explored below, the treatment of privacy is largely consistent across jurisdictions with a principles based approach adopted.In general:

Commonwealth agencies are subject to the Commonwealth Information Privacy Principles (IPPs)

most private sector organisations are subject to the National Privacy Principles (NPPs) under Commonwealth legislation

state agencies are subject to their respective state privacy regimes, generally contained in state-based IPPs.

The NPPs will be particularly relevant to C-ITS given that this is an industry-led development, but state-based privacy principles will apply to state road agencies.

2.2.1 Commonwealth privacy principles

The Privacy Act 1988 (Cwlth) regulates the collection, use, disclosure, security and access of personal information. An agency or organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way. The Privacy Act defines personal information as:

Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.52

Personal information is therefore broad in scope. Whilst the Privacy Act does not specify information regarding the geographic location of an individual, the definition is sufficiently broad to include location information if that information is about an individual whose identity is apparent or can be reasonably ascertained from that information. The Privacy Act will not apply, however, if the information does not identify an individual.

There are also certain types of personal information that are especially sensitive, such as a criminal record or medical information. This information is classed as 'sensitive information' and is to be managed with particular care. This does not usually include location information or driver behaviour, therefore sensitive information is unlikely to be relevant for C-ITS.

The Privacy Act offers guiding principles about the way in which personal information should be handled and each organisation must apply these principles to its own situation.

If an agency or organisation breaches the privacy principles, the Office of the Australian Information Commissioner may investigate the matter. Individuals can also make a privacy complaint to the Australian Information Commissioner about an agency or organisation if they think their information has been mishandled. An organisation may transfer personal information to a foreign country (or another jurisdiction under IPPs) only if the recipient of the information is subject to a law, binding scheme or contract which upholds privacy principles; or the individual consents, it

52 Section 6, Privacy Act 1988 (Cwlth).


is necessary as part of a contract with the individual, or it will benefit the individual and it is impractical to obtain their consent.

2.2.2 Exceptions

The Privacy Act provides a range of exceptions; in particular the Act does not apply to the following organisations or circumstances:

small businesses with an annual turnover of $3,000,000 or less53 – unless the small business collects or discloses personal information for a benefit, service or advantage54

state or territory authority, or organisations acting under state contract55 political acts and practices56 privacy codes (approved by the Australian Information Commissioner) may cover exempt

acts or practices57 disclosure is permitted if required under law, or consented to by the individual concerned,

or necessary to protect the health of that person, or others. Consent can be express or implied.

The Privacy Act also exempts certain acts by an organisation in relation to employee records.58 The Australian Law Reform Commission recently proposed modifying or removing a number of these exceptions, including the employee record exception, but these recommendations have not yet been actioned.59

2.2.3 Current reform

It should also be noted that the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cwlth),60 which at the time of writing was still making its way through federal parliament, seeks to make a range of changes to the current Commonwealth privacy regime. According to the Explanatory Memorandum, the Bill would amend the Privacy Act to (amongst other changes):

create the Australian Privacy Principles (APPs), a single set of privacy principles applying to both Commonwealth agencies and private sector organisations, which replace the IPPs and the NPPs

introduce new provisions on privacy codes, including powers for the Australian Information Commissioner to develop and register codes in the public interest that are binding on specified agencies and organisations

clarify the functions and powers of the Commissioner and ‘improve the Commissioner’s ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations.’61

The Bill would also make changes in a range of other areas, such as credit reporting. Should the Bill become law this would make significant changes to the structure of the law, although the actual principles will be largely consistent with the current regime.

2.2.4 Applying the privacy principles

As referred to above, the Privacy Act distinguishes between personal information collected by private sector organisations and personal information collected by public sector agencies. The NPPs apply to private sector organisations and the IPPs apply to public sector agencies and are

53 Paragraph 6(d), Privacy Act 1988 (Cwlth). 54 Paragraph 6(e), Privacy Act 1988 (Cwlth). 55 Subpara 7(c)(5), Privacy Act 1988 (Cwlth). 56 Paragraph 7(c), Privacy Act 1988 (Cwlth). 57 Section 18BAA, Privacy Act 1988 (Cwlth). 58 Subsection 7B, Privacy Act 1988 (Cwlth). 59 Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC Report 108, 2008, http://www.alrc.gov.au/publications/report-108 (viewed on 18/10/2012). 60 The Bill is currently the subject of an enquiry by the Standing Committee on Social Policy and Legal Affairs, with a report expected late in 2012. 61 Parliament of the Commonwealth of Australia, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 explanatory memorandum, http://parlinfo.aph.gov.au/parlInfo/download/legislation/ems/r4813_ems_00948d06-092b-447e-9191-5706fdfa0728/upload_pdf/368711.pdf;fileType=application%2Fpdf#search=%22legislation/ems/r4813_ems_00948d06-092b-447e-9191-5706fdfa0728%22 (viewed on 18/10/2012).


the federal equivalent of state-based IPPs. As a general rule, a Commonwealth or Australian Capital Territory (ACT) agency would apply the IPPs under the Privacy Act, while state-based public sector agencies would apply their own privacy legislation; private sector organisations – regardless of which Australian jurisdiction they operate in – would generally apply the NPPs.

A notable exception, however, is when a private sector organisation is undertaking the collection of personal information under contract, or on behalf of, a state-based public sector organisation. In this circumstance, the state-based IPP may apply rather than the NPPs. This will be relevant in a number of circumstances in the area of transport. Public-private partnerships for toll roads, for example, have raised challenging issues over whether privately operated roads are subject to Commonwealth or state jurisdiction.62

Importantly, if the collection of personal information by an agency or organisation is within the law and is necessary to undertake its functions, the privacy principles do not prevent that collection and use, but set out guiding principles in the way in which that personal information is collected and used.

2.2.5 National Privacy Principles

There are ten NPPs that regulate how private sector organisations manage personal information. 63 They cover the collection, use, disclosure and secure management of personal information. They also allow individuals to access that information and have it corrected if it is wrong.

An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.64 The privacy principles do not prescribe under what conditions or circumstances the collection of personal information is necessary. Therefore what can be collected, as opposed to how the information is collected or used, is very broad in scope given that private sector organisations self-assess what personal information is required to undertake any of its functions or activities.

At, or before, the information is collected, the organisation must take reasonable steps to ensure that the individual is made aware of:65

the identity of the organisation and how to contact it the fact that he or she is able to gain access to the information the purposes for which the information is collected the organisations (or the types of organisations) to which the organisation usually

discloses information of that kind any law that requires the particular information to be collected the main consequences (if any) for the individual if all or part of the information is not

provided. This is an essential privacy principle, for only by being aware that this information is being collected about him or her can an individual seek to access, correct or challenge the collection of that information. The organisation must collect the personal information directly from the individual or, if not, take reasonable steps to ensure that the individual is aware of the matters listed above. For C-ITS, point of purchase (or sign-up) is probably the most logical juncture for organisations collecting or accessing personal information to inform the individual that they are doing so. Consent by the individual of the collection of personal information for a primary purpose, whether express or implied, is not required by the NPPs. Where the personal information has already been collected for another reason (the primary purpose), a private sector organisation may nonetheless use or disclose personal information for certain secondary purposes. For example: if the secondary purpose is related to the primary purpose of collection, then the individual has consented, or if the personal information is used for direct marketing, public health or law enforcement.66

62 The Victorian Privacy Commissioner has advised in public documents that Citylink operates under the NPPs, whilst Eastlink is covered by the Victorian IPPs, because it operates under a Victorian government contract. 63 Located at Schedule 3 of the Privacy Act 1988 (Cwlth). 64 NPP 1.1. 65 NPP 1.3. 66 NPP 2.1


2.2.6 Commonwealth Information Privacy Principles Commonwealth IPPs67 are relevant to C-ITS should a Commonwealth agency collect or access the personal information. The collection or use of personal information by a Commonwealth or ACT public sector agency must not be unlawful or by unfair means. The collection and use must be relevant to the work of that agency and, if the information is used for a purpose other than it was collected for, the secondary purpose must be directly related, or there is consent, or it is necessary for public health, law enforcement or revenue protection. IPP collection must not intrude to an unreasonable extent upon the personal affairs of the individual concerned. When collection of personal information meets these principles, the IPPs do not require that the agency seek the individual’s consent, only that the individual concerned is informed and generally made aware that the collection has taken place. These elements are consistent with NPPs. Unlike the NPPs, the individual does not have to be made aware of the identity of the agency, or the fact that the individual can access the information, or the main consequences for the individual if all or part of the information is not provided.

2.2.7 State Information Privacy Principles

There are a range of state privacy regimes in place, also known as IPPs. While terminology and form may vary, particularly in South Australia, the general approach across jurisdictions is consistent. Namely, a public sector agency must not collect personal information unless the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and the collection of the information is reasonably necessary for that purpose.68 Some of the key differences include:

67 Section 14, Privacy Act 1988 (Cwlth). 68 Sec 8, Privacy and Personal Information Protection Act 1998 (NSW).


Western Australia does not have IPPs for its public sector agencies collection must be from the individual only in New South Wales consent (express or implied) is required in the Northern Territory circumstances for disclosure to a third party are broader in Queensland use and disclosure of personal information can occur for research purposes in

Queensland, Tasmania and Victoria the terminology and form of privacy regulation is different in South Australia, where the

privacy principles are contained in an executive order, but are broadly consistent with other IPPs.

The appropriate jurisdiction can be a complex matter, particularly in certain commercial circumstances where private companies are contracting with a state agency, and the relevant set of principles will usually depend on the detail of the contract in question.

2.2.8 Common law

A common law breach of privacy has been recognised in Queensland and Victorian courts,69 but neither case has reached the High Court of Australia for a determination. The defined scope of a privacy breach at common law remains uncertain and it is unlikely that the common law can be relied on by consumers for protection given this lack of clarity.

2.3 Privacy and C-ITS internationally

2.3.1 United States

The US Department of Transportation is conducting a C-ITS pilot with a view to assess regulatory options, including mandatory C-ITS in new vehicles, and the department has funded the RITA Connected Vehicle program.70 RITA has recommended nine privacy principles for connected vehicles, with a strong emphasis on anonymity ‘secured, in part, through technical methods designed and built into [the system].’71 These privacy principles, set out at APPENDIX 1, propose limitations on the use of information, which are relevant for discussions of compliance and enforcement issues and are generally similar to the privacy principles in Australia. The US also has existing legislation in the form of the Drivers Privacy Protection Act,72 which strictly governs the use and release of information by state motor vehicle authorities.73 Similar to Australia, consent is not a feature of the proposed US privacy principles. Earlier this year a proposed Mobile Device Privacy Bill was introduced in the US Congress, proposing that all mobile phone data collection require explicit user consent. The Bill has not, however, progressed at this stage.74

The US Congress is also currently considering legislation that would make Event Data Recorders (EDRs), the equivalent of black boxes in aircraft, mandatory in new vehicles from 2015. However outstanding questions regarding ownership of EDR data remain.75 There are privacy concerns over how data in such devices might be used and who would have access to it; currently the US sets minimum standards for EDRs and requires that manufacturers disclose to owners the existence of an EDR in the drivers’ manual.76 However, these devices typically only retain the last few minutes/seconds before an incident. Whilst these devices are not strictly part of C-ITS, they are likely to play a part in monitoring the performance of the technology. There is also a growing trend overseas to use similar devices, measuring driving style and performance, for insurance purposes.

69 Grosse v Purvis (2003) QDC 151; Jane Doe v Australian Broadcasting Corporation (2007) VCC 281. 70 L Jacobson, RITA, Intelligent Transportation Systems Joint Program Office, Vehicle Infrastructure Integration: Privacy Policies Framework, 16 February 2007, http://www.its.dot.gov/research_docs/61vii_privacy_framework.htm (viewed on 18/10/2012). 71 Ibid, at p. 1, http://financecommission.dot.gov/Documents/April2008Meetings_Hearings/VII_Privacy_Policies_Framework-Approved_by_ELT.pdf (viewed on 18/10/2012). 72 Drivers Privacy Protection Act, 18 U.S.C. § 2721. 73 Electronic Privacy Information Centre, http://epic.org/privacy/drivers/ (viewed on 18/10/2012). 74 J Brodkin, ‘ “Mobile Device Privacy Act" would prevent secret smartphone monitoring’, Ars Technica, 2012, http://arstechnica.com/tech-policy/2012/01/mobile-device-privacy-act-would-prevent-secret-smartphone-monitoring/ (viewed on 18/10/2012). The discussion draft of this United States Bill is available at http://markey.house.gov/sites/markey.house.gov/files/documents/Mobile%20Device%20Privacy%20Act%20--%20Rep.%20Markey%201-30-12_0.pdf (viewed on 18/10/2012). 75 D Newcomb, ‘As Congress mulls mandate on car black boxes, data ownership remains unclear’,2012, http://www.wired.com/autopia/2012/05/congress-black-box/ (viewed on 18/10/2012). 76 National Highway Traffic Safety Administration, Final Rule 49 CFR Part 563 2006 Event Data Recorders http://www.nhtsa.gov/DOT/NHTSA/Rulemaking/Rules/Associated%20Files/EDRFinalRule_Aug2006.pdf (viewed on 18/10/2012).


Earlier this year, the US Supreme Court found in United States v Jones77 that the surreptitious use of GPS trackers on vehicles without a warrant by enforcement agencies was unconstitutional, although the court was split on whether this was because the placement of the GPS tracker constituted a search, or because the action impinged on expectations of privacy. A subsequent case, however, found that tracking location via mobile phone records was constitutional as the subject ‘did not have a reasonable expectation of privacy in the data given off by his voluntarily procured pay-as-you-go cell phone.’78 This apparent inconsistency between vehicle tracking and mobile phone tracking has received some criticism.79

2.3.2 Europe

The privacy implications of ITS have been a strong focus within the European Union. The Privacy Enabled Capability in Cooperative Systems and Safety Applications (PRECIOSA) project has developed guidelines aimed at ensuring that cooperative systems can comply with future privacy regulations and protect the location-related data of individuals.80

The European Union Directive81 setting out the framework for ITS deployment includes specific provisions for both privacy and liability. Article 10 concerns privacy and directs member states to ensure that personal data is protected against misuse, including unlawful access, alteration or loss. The use of anonymous data is encouraged, where appropriate, and personal data shall only be processed when it is necessary for the performance of ITS applications and services.82

The European Data Protection Supervisor issued an opinion on the EU draft directive83 which noted the importance of identifying who the data controllers will be to ensure that privacy and data protection considerations are implemented at all levels of the chain of processing. The opinion also stressed the importance of establishing principles of ‘privacy by design’ and data minimisation, ensuring that the personal data processed through interoperable systems are not used for further purposes that are incompatible with those for which they were collected.

Further, a new data protection study was launched in December 2011 aiming to assess the importance and impact of data protection and privacy aspects in the areas and actions of the ITS Action Plan and ITS Directive. The final report of the study is yet to be completed.

The direction of C-ITS and privacy in Europe, particularly the EU directives, are comparable to the NPPs and the regulatory and commercial environment in Australia. The PRECIOSA privacy guidelines provide a useful approach for thinking about what an Australian C-ITS guideline or privacy code may look like.

2.3.3 International standards

In 2009, the International Organization of Standardization (ISO) released Intelligent transport systems – system architecture – privacy aspects in ITS standards and systems,84 a technical report that proposes international privacy standards for the design of intelligent transport systems. While the standards are, in part, based on principles of freedom of movement, the design principles nonetheless strongly align with Australia’s NPPs and various IPPs, and recommends that intelligent transport systems include the following features:

77 United States v Jones (2012) USSC No.10–1259, http://www.supremecourt.gov/opinions/11pdf/10-1259.pdf (viewed on 18/10/2012). 78 United States v Skinner (2012) USCA 6th Circuit, http://www.ca6.uscourts.gov/opinions.pdf/12a0262p-06.pdf (viewed on 18/10/2012). 79 Editorial, New York Times, ‘When GPS Tracking Violates Privacy Rights’, 22 September 2012, http://www.nytimes.com/2012/09/23/opinion/sunday/when-gps-tracking-violates-privacy-rights.html (viewed on 18/10/2012). 80 PRECIOSA, http://www.preciosa-project.org (viewed on 18/10/2012). 81 European Parliament and Council, Directive 2010/40/EU, 2010 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:207:0001:0013:EN:PDF (viewed on 18/10/2012). 82 Directives 95/46/EC sets out provisions for the protection of individuals with regard to the processing of personal data and on the free movement of such data; Directive 2003/98/EC covers the re-use of public sector information. 83 European Data Protection Supervisor, ‘Opinion of the European Data Protection Supervisor on the Communication from the Commission on an Action Plan for the Deployment of Intelligent Transport Systems in Europe’, Official Journal of the European Union, 2010. 84 ISO/TR 12859, 2009.


avoid harm through the misuse of personal information obtain personal data fairly and lawfully collection should be specified, explicit and for a legitimate purpose (at the time of

collection) personal data should not be further processed in a way incompatible with the purpose of

original collection personal data should not be disclosed without the person’s consent personal data must be adequate, relevant and not excessive records of personal data are to be accurate and kept up to date identification of data should be kept for no longer that what is necessary for the data

collection access to personal data should be restricted to those with a demonstrable ‘need to know.’

It should be clear and accessible to the subject of the data and security safeguards should protect the personal data.

The ISO technical report is designed to make the implementation of ITS systems possible and to help create legal clarity in the economic arena in order to achieve the necessary and important developments towards intelligent infrastructure.85

2.4 Consumer expectations

In United States v Jones Justice Alito observed that ‘the availability and use of [location tracking] and other new devices will continue to shape the average person’s expectations about the privacy of his or her daily movements.’ He went on to state that ‘relatively short-term monitoring of a person’s movements on public streets accords with expectations of privacy that our society has recognized as reasonable… but the use of longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy.’86

These statements are likely to reflect consumer expectations in Australia. Systems that can track locations have been broadly accepted when there are clear advantages to using the systems or technology and when consumers can trust service providers to handle their personal data securely and responsibly. It is also important that most systems provide options for individuals to choose not to use them.

Mobile phones, road tolling and smartcard ticketing are examples of where this commercial/ privacy balance has been successful (illustrations of which are provided in chapter 5, pages 54-56). For example, there are commercial advantages in using a toll road (faster journey times) but it is also clear who collects the data and why, and an individual can choose not to use the toll road.

It is not enough that C-ITS applications in Australia are within the law. In the foreseeable future consumers will be making individual choices about purchasing and using C-ITS technology. If the safety benefits of C-ITS are to be realised, government and industry must ensure that consumers can be confident that their personal information is collected and used appropriately and only for its proper purposes.

2.5 Policy questions and approaches

2.5.1 Is regulation required?

A threshold question is whether any further regulation is required to protect personal information collected by C-ITS. Australia’s privacy principles would appear to sufficiently meet this objective in the first instance, although there may be some complexity in the implementation of C-ITS in particular circumstances. Other options could also be examined, including industry codes, guidelines or education campaigns.

It will be necessary to determine to what extent anonymity can be built into C-ITS applications, in particular the signals generated by private vehicles. This is both a technical and policy question: the breadth and limitations of the technology will shape and determine the appropriate policy response.

85 ISO/TR 12859, 2009, p.4. 86 United States v Jones (2012) USSC No.10–1259, http://www.supremecourt.gov/opinions/11pdf/10-1259.pdf (viewed on 18/10/2012).


The following options are proposed for discussion, with the NTC seeking submissions on the appropriate approach. It is noted that a combination of approaches may be recommended.

2.5.2 Option 1: Continue current approach

Existing privacy principles have been in place for a number of years and have already been applied to a wide range of technologies. Some stakeholders have suggested that these principles can readily be applied to C-ITS applications, and that industry and government can manage the impact on privacy of individual products and services that may be offered. However this may result in inconsistent implementation and potentially negative perceptions of C-ITS technology.

2.5.3 Option 2: Privacy code

Privacy codes – approved by a privacy commissioner – can be introduced across jurisdictions to amend the principles as they relate to a specific sector; creating an effective exemption without changes to privacy laws. The ALRC has recommended moving to using codes of practice in order to provide more flexible industry-specific options. The Office of the Australian Information Commissioner provides a register of approved codes of practice.87 However these have not always proven successful, and have a number of important limitations, for example state agencies would not be obligated to subscribe to them. Earlier this year, the Biometrics Institute Privacy Code was revoked by the Australian Information Commissioner at the request of the Biometrics Institute, in part due to a low level of subscription to the code.88

Further, until the system technology specification and governance arrangements are settled, it is not evident what a C-ITS Code would provide industry and consumers with a level of comfort that is not already provided by the existing privacy principles.

2.5.4 Option 3: Provide guidance on best practice

Working with privacy commissioners, C-ITS guidance material could be provided to governments and industry, including manufacturers, service providers, enforcement agencies and record keepers. This may also involve recommending that organisations conduct privacy impact assessments89 before implementing C-ITS applications. Utilising best practice from within the transport technology sector, such as road tolling, guidance material could assist industry to understand how to apply the privacy principles. Guidance could include establishing purpose, information use and disposal practices, security, disclosure to third parties and secondary uses. Guidance could also be provided on appropriate processes for gaining consent of individuals where required.

2.5.5 Option 4: Legislate C-ITS governance arrangements and use of information

To build confidence in the privacy and security of C-ITS, regulations could be introduced to fully separate collection and storage of vehicle activity (the C-ITS service provider) from the entity that holds information linking the unique identifier to a vehicle registration number. Such a governance arrangement would recognise that, for the most part, the identity of vehicles is not necessary for effective C-ITS and in circumstances where this information could assist with law enforcement activities a warrant would be required.

2.5.6 Option 5: Legislate technical standards to protect privacy

If ISO standards develop a ‘privacy by design’ approach that guarantees anonymity and is consistent with the Australian market, then these technical standards could be incorporated into relevant transport legislation in order to guarantee their adoption. Enforcing standards of anonymisation, if feasible, will likely offer the best solution for protecting privacy.

87 Office of the Australian Information Commissioner, http://www.privacy.gov.au/business/codes/register (viewed on 18/10/2012). 88 Office of the Australian Information Commissioner, ‘Revocation of the Biometrics Institute Privacy Code’, Explanatory Statement, 2012, http://www.comlaw.gov.au/Details/F2012L00869/Explanatory%20Statement/Text (viewed on 18/10/2012). 89 Office of the Australian Information Commissioner, Privacy Impact Assessment Guide, 2010, http://www.privacy.gov.au/materials/types/guidelines/view/6590 (viewed on 18/10/2012).


2.6 Preliminary findings

As stated earlier, the seriousness of the privacy risk will depend on the anonymity of C-ITS signals and how readily (if at all) the unique identity for a signal could be linked back to an individual. If, for example, a road agency were able to link a unique identity (or collection of identities), via the certificate authority, to registration information and signals were being tracked by that road agency across the network, then this would represent a significant privacy issue. However, the standards and processes that govern these signals are still evolving, thus only qualified answers can be suggested at this stage.

Industry- and consumer-focused education and guidance is perhaps the first important step towards protecting privacy and ensuring that uninformed privacy concerns do not become a principal reason for not using C-ITS applications (Option 3). Clarity on what data will be captured by whom and where consumers can go to make complaints could significantly alleviate privacy concerns. Whilst the technology is still under development, there is not currently a clear market failure in this area or a clear gap in existing regulation.

With the adoption of an opt-in model, there is not a pressing need to regulate C-ITS. It is arguable, however, that should C-ITS technology allow service providers to link vehicle activity to a vehicle registration number and an individual, greater regulation could be required. However again, there are existing principles that can be applied.

Should C-ITS become mandatory in the future, the privacy risks will become greater. It is recommended that governance arrangements concerning the collection of personal information under a mandatory system should be reviewed and assessed prior to implementation.

Questions for consideration

1) Should privacy protection for C-ITS be explicitly regulated? 2) If so, what limits should be placed on the collection, use and disclosure of personal

information generated by C-ITS? 3) Should other, non-regulatory, controls be pursued?


Key privacy findings

The privacy considerations of C-ITS are not explicitly regulated in Australia, however C-ITS are covered by the general privacy regimes.

The impact of C-ITS on privacy will depend on the extent to which the C-ITS application will collect and transmit personal information. Privacy is best protected through anonymous data collection or, if this is not possible, by restricting the collection and use of the personal information collected.

The current indications are that, due to the need to maintain appropriate security standards, C-ITS may not always produce anonymised data.

While consent to collect information is usually not required, C-ITS consumers must be made aware of the collection, by whom it is being collected and for what purpose, as well as their right to access and correct the information. Thought needs to be given about how consumers should be informed of this.

Uptake of C-ITS technology will be negatively impacted if consumers do not have confidence that their personal information is being collected and handled appropriately and within the law. Unambiguous governance arrangements and clarity over who is collecting the information and under which privacy regime is a critical step towards providing this consumer comfort, along with ensuring secure data storage and transmission.

While there does not appear to be a pressing need for regulatory intervention at this stage, given the existing principles, governments will need to carefully follow the development of the technology.


3. Liability

This chapter analyses the liability implications of C-ITS in the context of Australian law, and explores potential regulatory approaches to address liability concerns.


While C-ITS applications have significant potential to increase road safety, crashes will continue to occur and liability issues will arise. ITS applications in general raise some broad liability risks:

Any legislation or guidance that seeks to deal with the issues raised by ITS based solutions will have to interact with the current framework in a sufficiently clear and delineated manner and will have to deal with a wide range of causes of liability including: device or system failure, conflict between multiple ITS products, operator information overload, loss of operator attention, risk compensation, incorrect interpretation of information and liability arising as a result of the interaction of both enabled and conventional vehicles.90

C-ITS applications could potentially cause a collision, for example when such an application:

fails to provide an appropriate warning in the lead-up to a collision provides incorrect information (for example, in regard to the local speed zone) provides a misleading warning (for example, the direction of a potential collision is unclear) provides a warning which distracts the driver, leading to a crash overrides the driver’s action in a way that causes a collision (for example, a brake assist

application that causes a vehicle to brake suddenly in the middle of fast moving traffic).

Failure to provide appropriate warnings could result from a range of sources, including software problems (including those introduced as part of upgrades), limitations on sensors, signal interference, lack of accuracy in mapping or positioning information or other sources. The exact list will depend on the specific applications and whether they are merely advisory or more interventionist systems. Liability concerns have been raised as a potential disincentive for manufacturers to develop C-ITS applications and other safety systems: ‘these technologies pose challenges for manufacturers and may increase their liability risk in ways that discourage the efficient introduction of these technologies.’91

The introduction of airbags by the US National Highway Traffic Safety Administration (NHTSA) is a cautionary example, where even safety technology with significant benefits can have unintended consequences:

In 1977, NHTSA estimated that air bags would save on the order of 9,000 lives per year and based its regulations on these expectations. Today, by contrast, NHTSA calculates that air bags saved 8,369 lives in the 14 years between 1987 and 2001. Simultaneously, however, it has become evident that air bags pose a risk to many passengers, particularly smaller passengers, such as women of small stature, the elderly, and children. NHTSA determined that 291 deaths were caused by air bags between 1990 and July 2008, primarily due to the extreme force that is necessary to meet the performance standard of protecting the unbelted adult male passenger. Houston and Richardson describe the strong reaction to these losses and a backlash against air bags, despite their benefits.92

Similarly, C-ITS applications could potentially save many lives, but cause the loss of a small number of others; a net gain for society but an extremely difficult problem from a liability (and ethical) perspective. Liability risks could prevent the roll-out of C-ITS applications or severely reduce their scope of operations, as manufacturers could become excessively cautious. At the same time the threat of future litigation also acts as a safeguard, ensuring rigorous testing and research before any public release.

90 Elliott and Stanley, op. cit. 91 Rand Corporation Report, op. cit., p.21. 92 Rand Corporation Report, op. cit., pp. 38-39. A separate issue has been deaths caused by air bag fumes, http://www.news.com.au/world/british-driver-dies-after-breathing-in-airbag-fumes/story-e6frfkyi-1226373204448 (viewed on 18/10/2012).


Liability will also depend on any schemes for approving or accrediting systems. If systems are accredited, rather than left to manufacturers to develop, this may subtly shift the liability.

Finally there may be circumstances where collisions are caused as a result of deliberate abuse, including sending a false signal (through sensor or software manipulation) or a ‘denial of service’ attack which interferes with the system by sending a more powerful signal or flooding users with messages. However the risk of such attacks is considered to be low and, given the short range nature of the signals, would likely to have only a localised effect.93

3.1.1 Effects of different types of C-ITS applications

There are a variety of ways to classify C-ITS applications, for example those that:

provide for interventions (braking and/or steering) or for information/warning only provide for overridable interventions or for non-overridable interventions provide for interventions in time-critical situations or for a kind of continuous support provide for interventions in time-critical situations when a collision is unavoidable or for

interventions at an earlier stage.94

Each of these will have a separate set of risks:

Functions providing for mere information warnings can easily be overridden and hence be controlled by the driver. Functions providing for automated braking and/or steering interventions bring along an increased product liability risk since the driver has to do more than simply ignore a false-positive warning: he/she will have to counteract actively on a false positive intervention. Non-overrideability of automated braking and/or steering interventions increases the product liability risk since the driver cannot counteract a false-positive intervention in this case.95

In most applications currently being trialled, the C-ITS application effectively acts as a secondary safety system, providing an additional set of warnings to the existing safety systems and processes. However applications that actively intervene in the driving task have a different risk profile with regards to liability. For example in a number of cases overseas courts have found GPS navigation systems not to be liable for directions given, even where they have been incorrect, as these are primarily advisory systems.96

A US report concluded that ‘autonomous vehicle technologies are likely to reduce liability for drivers but increase liability for manufacturers as perceived responsibility for crashes shifts from drivers to the vehicle itself. This may impede development and use of these technologies.’97 While automated systems may become increasingly common in the longer term, vehicle technology such as C-ITS is not likely to become mandatory until:

1. the technology is mature enough that manufacturers are completely confident in their operation and reliability, unless incentives are provided to cover liability

2. safety effects are well understood, including understanding the performance of the technology in different conditions and with different users.98

Most advanced safety systems can also be understood as a series of typical functions: sensing, planning and acting. Each again comes with its own risks. Sensing involves taking in data from various sensors (which may have limitations) and aggregating that data. Planning involves predicting movements of other vehicles and formulating appropriate responses. Acting involves carrying out the appropriate response, which may be to provide a warning or to intervene in the driving task.99

93 US Department of Transport, An approach to communications security for a communications data delivery system for V2V/V2I safety: technical description and identification of policy and institutional issues, White paper 2011, pp.18-25. 94 InteractIVe Deliverable D7.3, Legal Aspects p. 57. 95 Ibid. 96 See, for example, C Dempsey ‘When directions are bad, who’s liable?’, GIS Lounge, 2010, http://gislounge.com/when-directions-go-bad-whos-liable/ (viewed on 18/10/2012). 97 Rand Corporation Report, op. cit. 98 Rand Corporation Report, op. cit., p.43. 99 Ibid.


3.1.2 Crash causation

In a cooperative environment, the threads of causation will potentially be much more complex and difficult to trace. Potential points of failure could include:

signals not being correctly sent or received signal interference failure to translate a signal into a warning for the driver failure by a driver to understand or react to a warning.

Understanding the warnings and signals that may or may not have been sent or received in the lead up to a collision will create challenges to crash investigators and may result in greater use of in-vehicle data logging, such as EDRs, by manufacturers. Reducing the number of components in a safety system is another common means in the industry of avoiding single points of failure. Even more complex scenarios can easily be imagined, such as those involving larger numbers of vehicles, different types or classes of vehicles (such as trucks or public transport), V2V and V2I applications (which potentially increase the risk of liability for road authorities). In addition to failures to prevent a collision, other failures could include generation of false positives or unwanted activations possibly causing a crash. Causation may be difficult to determine in these scenarios, although this can be the case in crashes today.

3.1.3 Types of parties in C-ITS

C-ITS applications draw together a range of parties typically involved in vehicle crashes today. These are likely to include:

vehicle manufacturers technology providers of in-vehicle systems, network technologies and roadside devices after-market device manufacturers road managers, both public and private C-ITS system managers information service providers drivers with C-ITS drivers without C-ITS.

There will be different liability concerns for different parties, in particular manufacturers, technology providers, C-ITS system managers and road managers.

Manufacturers and technology providers will be exposed to liability – the issue for both will be determining the limits of liability and the standards expected. In the absence of regulatory guidance or industry standards, this will be a matter for the courts to determine on a case by case basis.

C-ITS system managers will manage the spectrum use for C-ITS, access rules, architecture and other key elements. It is a role that is still to be defined in Australia but a system manager could by default become the point for claims where responsibility is difficult to establish:

Establishing liability against a public body for a failure of infrastructure is a comparatively hit and miss area and is comparatively rarely achieved. For example, authorities are not normally liable for damage caused by poor road surfacing even though this can result in serious accidents. However, methods of transport that rely more on complex systems maintained by public bodies generally tend to see a higher rate of successful litigation in the event of a failure (e.g. failure of rail or air-travel related infrastructure). It is arguable that complex ITS based solutions are closer to the latter approach and this could lead to a higher likelihood of public bodies being found liable where a system has failed.100

Road managers will potentially be exposed to liability as the provider of road-based V2I signals as crashes could be caused if incorrect information is sent out, such as incorrect speed limits. Such concerns may slow the roll-out of V2I systems. However the experience in similar areas of road management suggests that the liability risk can result in an improved system. Dynamic speed signs

100 Elliott and Stanley, op. cit.


that were subject to power or communication failures, for example, resulted in improved back-up systems, redundancy of connections and power supplies and other controls that significantly reduced the liability exposure of road managers.

3.1.4 Human factors

As discussed above, human factor considerations for C-ITS applications may suggest a greater duty on manufacturers to explain the use and limitations of such systems, including foreseeable misuse and for greater demonstration of how such applications would handle system failures:

In this case the policy issues are closely aligned with issues regarding liability and the responsibility of the driver to be aware of whether the system is operating correctly, and to know how to react if it isn’t. This has implications for the ability of the system to report faults, or drops in performance that might lead to failure, and how the current system status is reported to the driver. Therefore, there will have to be a policy on system safety to complement policies on highway and vehicle engineering safety.101

C-ITS applications may need to take into account different types of users in their design:

Recall that standards for air bags were set for only a limited section of the driver and passenger population – namely, average male adults. It became apparent only after widespread implementation that they put smaller passengers at risk of injury or death. Autonomous vehicle technologies, too, will affect different people differently. In the case of driver-warning systems, for example, users’ expectations of how and when the technology will work and their ability to understand the system’s directions and warnings will affect the effectiveness of the technology. Therefore, standards must be developed that take into account diverse populations.102

Image courtesy the City of Sydney

101 CVIS, Guidelines for policy makers: policy challenges on the way to deployment of CVIS (2010), p.28, http://www.cvisproject.org/download/Deliverables/DEL_DEPN_7.1_Guidelines%20for%20policy%20makers_Final%20version_v2.8.pdf (viewed on 18/10/2012). 102 Rand Corporation Report, op. cit., p.41. It is noted that the US experience of airbags will not apply to the same way in Australia where standards are set based on airbags being a supplementary restraint system.


3.1.5 What is the standard expected?

Taking these issues into account, what is the standard of safety expected of these systems? Some commentators have suggested that there is a split in approaches between those ‘based on consumer expectations’ and those which focus on a risk-benefit analysis.103 Coming to a single standard will, however, be difficult with either approach:

Despite the fact that some important factors can be identified that will be relevant for determining the potential defectiveness of an ADAS, it has been made clear in this contribution that no hard and fast rules can be given to answer the question what will be safe enough. This may certainly make manufacturers feel uncomfortable. However, one should not rush into categorical statements about product liability as a barrier for market introduction. On the one hand it is basically a valuable principle that judges take all the relevant circumstances into account. One of these circumstances, for instance, will be the possibilities for producers – also considering the burden in terms of costs, time and trouble – of taking precautionary measures against the inherent shortcomings and resulting dangers of ADAS. It forces manufacturers to carefully design, introduce and monitor their systems.104

There may be fundamental limitations on applications in some scenarios, for example in highly dense environments, such as the middle of a city, where urban canyons can interfere with signals or where large numbers of signals may create broadcast storms that interfere with each other or exceed the ability of the in-vehicle system to resolve them and calculate trajectories effectively.105

3.2 Current law

Liability is an area where there are very well-established principles, deriving from centuries of common law but also incorporating a series of more recent legislative amendments and extensions.

In transport crashes, liability encompasses three broad areas of law: tort, contract and product liability. Each of these will be discussed in turn, however an important initial concept is the driver control of the vehicle.

3.2.1 The driver remains in charge

Ultimately, the driver is considered to be in control of the vehicle and must drive safely for the conditions; this is the fall back if systems fail as in the example of a dynamic speed sign. The current liability regime remains premised on driver responsibility for the control of the vehicle. This is derived from the Vienna Convention on Road Traffic.106 The principle is replicated in the Australian Road Rules: ‘a driver must not drive a vehicle unless the driver has proper control of the vehicle.’107 This is an important assumption from a liability perspective but one that may be challenged with increasingly automated systems entering public roads.

This obligation has been found by the courts to operate in a variety of driving scenarios, for example when a driver approaches an intersection:

The common-law duty to act reasonably in all the circumstances is paramount. The failure to take reasonable care in given circumstances is not necessarily answered by reliance upon the expected performance by the driver of the give way vehicle of his obligations under the regulations; for there is no general rule that in all circumstances a driver can rely upon the performance by others of their duties, whether derived from statutory sources or from the common law. Whether or not in particular circumstances it is reasonable to act upon the assumption that another will act in some particular way, as for example by performing his duty under a regulation, must remain a question of fact to be judged in all the particular circumstances of the case.

103 Van Wees and Brookhuis, op. cit., p.368. 104 Ibid. 105 A Grant, P Alexander and D Haley, Technologies for Dedicated Short Range Communications, presentation, http://www.acma.gov.au/webwr/_assets/main/lib310814/tech_for_dedicated_short_range_comms-a_grant.pdf (viewed on 18/10/2012). 106 Vienna Convention on Road Traffic (1968), article 13, http://www.unece.org/fileadmin/DAM/trans/conventn/crt1968e.pdf (viewed on 18/10/2012). 107 Australian Road Rules, regulation 297.


The obligation of each driver of two vehicles approaching an intersection is to take reasonable care. What amounts to ‘reasonable care’ is, of course, a question of fact but to our mind, generally speaking, reasonable care requires each driver as he approaches the intersection to have his vehicle so far in hand that he can bring his vehicle to a halt or otherwise avoid an impact, should he find another vehicle approaching from his right or from his left in such a fashion that, if both vehicles continue, a collision may reasonably be expected.108

3.2.2 Tort

A party in a collision could take action against another party or parties under the common law action of tort. Such cases require the key elements of:

duty of care breach of duty (that is, standard of care) causation damages.

Whilst the duty of care on a public road (and any breach) will likely be straightforward, C-ITS may raise particular issues in relation to causation and the remoteness of the damage caused.

The common law is supplemented and amended by state legislation, in particular a series of civil liability acts. As a result of the recommendations of the Review of the Law of Negligence109 these now provide a largely consistent definition of causation (with minor textual variations), classifying causation into two elements – factual causation and scope of liability:

11 General principles

The Queensland Civil Liability Act 2003 states that:

(1) A decision that a breach of duty caused particular harm comprises the following elements – (a) the breach of duty was a necessary condition of the occurrence of the harm (factual causation); (b) it is appropriate for the scope of the liability of the person in breach to extend to the harm so caused (scope of liability).

(2) In deciding in an exceptional case, in accordance with established principles, whether a

breach of duty—being a breach of duty that is established but which cannot be established as satisfying subsection (1)(a)—should be accepted as satisfying subsection (1)(a), the court is to consider (among other relevant things) whether or not and why responsibility for the harm should be imposed on the party in breach.

…

(4) For the purpose of deciding the scope of liability, the court is to consider (among other relevant things) whether or not and why responsibility for the harm should be imposed on the party who was in breach of the duty.110

The court must consider why responsibility should be imposed on the party in breach and these provisions appear designed to bring out any policy issues and judgements in assessing liability. ‘Scope of liability’ covers issues, other than factual causation, referred to in terms such as ‘legal cause’, ‘real and effective cause’, ‘common sense causation’, ‘foreseeability’ and ‘remoteness of damage’’111 – however this does not necessarily clarify how the scope of liability would be assessed in C-ITS scenarios.

108 Sibley v Kais (1967) 118 CLR 424 at [5]-[6]. 109 Commonwealth of Australia, Review of the Law of Negligence, 2002, http://revofneg.treasury.gov.au/content/home.asp (viewed on 18/10/2012). 110 Civil Liability Act 2003 (Qld) http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/C/CivilLiabA03.pdf (viewed on 18/10/2012). Similar provisions exist in other states. 111 Commonwealth of Australia, Review of the Law of Negligence, 2002, http://revofneg.treasury.gov.au/content/Report2/PDF/Law_Neg_Final.pdf (viewed on 18/10/2012).


Causation is also not an ‘all-or-nothing’ scenario. Multiple factors may contribute to a crash in a cooperative environment and the Australian legal system allows for concepts of joint, several and contributory liability where a manufacturer or service provider could contribute in part to a collision (and be held liable for this contribution) even if they are not wholly responsible.

On the questions of burden of proof, these Acts similarly hold that ‘in deciding liability for breach of a duty, the plaintiff always bears the onus of proving, on the balance of probabilities, any fact relevant to the issue of causation.’112 Whilst this remains an important legal principle, due to the potential difficulties in demonstrating factual causation mentioned above, this may be a high barrier for many claimants to overcome.

It is also worth noting from a transport perspective that many states provide certain exemptions for road authorities, in particular in relation to the repair of roads. For example the NSW Civil Liability Act 2002 states:

45 Special non-feasance protection for roads authorities

(1) A public or other authority is not liable in any legal proceeding for any failure by the authority in relation to any function it has as a road authority –

(a) to repair a road or to keep a road in repair; or (b) to inspect a road for the purpose of deciding the need to repair the road or to keep the road in repair.

(2) Subsection (1) does not apply if at the time of the alleged failure the authority had actual knowledge of the particular risk the materialisation of which resulted in the harm. 46 Exercise of function or decision to exercise does not create duty

In proceedings to which this Part applies, the fact that a public or other authority exercises or decides to exercise a function does not of itself indicate that the authority is under a duty to exercise the function or that the function should be exercised in particular circumstances or in a particular way.113

The Civil Liability Act was in part a response to a series of cases which varied the traditional immunity of highway authorities in common law.114 Some jurisdictions also have specific limitations on liability written into their road law. For example, the Road Management Act 2004 (Vic) sets out limitations and a series of principles to be considered in assessing whether a road authority, infrastructure manager or works manager has a duty of care or has breached a duty of care.115 This raises the question of whether road authorities could require similar protection for their C-ITS infrastructure and services, in addition to the current protection for their road infrastructure.

3.2.3 Contract law

Parties in a cooperative system may be linked through a network of contracts (for example, a road operator who contracts for the provision of a V2I system with an equipment provider and an information provider). Questions about the allocation of risks and liabilities under a contract are largely left to the parties to the contract themselves to determine under the principle of freedom of contract, provided that the contract is not illegal. Contracts in this area will need to ensure that they cover details over uses and ownership of data, allocation of risks and costs and any caps on liability.

Two areas of contract law may be of particular relevance to C-ITS:

disclaimers under consumer contracts insurance contracts will be relevant for the allocation of risks and are governed by the

Insurance Contracts Act (Cwlth) 1984.

112 See e.g. section 12 of the Civil Liability Act 2003 (Qld). 113 Extract from Civil Liability Act 2002 No. 22 (NSW). 114 Brodie v Singleton Shire Council (2001) 206 CLR 512 115 Road Management Act 2004 (Vic), sections 101-102


3.2.4 Product liability

Product liability in Australia is governed by the Trade Practices Act (Cwlth) 1972, supplemented by a variety of state consumer protection laws. The Act includes general obligations that goods are of merchantable quality and that services supplied are fit for purpose, and it sets out obligations to comply with prescribed safety standards116 (see APPENDIX 2). Commentators have distinguished between manufacturing defects (which may be one-off) and design defects (affecting all products in the line) which may lead to different liability outcomes.117

The Australian Competition and Consumer Commission (ACCC) advises that suppliers may reduce exposure to product liability action by using responsible and sensible business practices, including:

conducting regular reviews of product designs and production implementing and reviewing quality assurance procedures testing products regularly to relevant standards, including batch testing conducting appropriate marketing providing clear and thorough user instructions where necessary, conducting a quick voluntary recall of any products that are defective or

unsafe.118

3.2.5 Compulsory third party systems

A number of states have compulsory third party personal injury schemes, funded through registration payments. 119 They provide compensation for personal injuries sustained in crashes on public roads. Some of these schemes are run on a no-fault basis, others are fault-based. There is a direct economic benefit to these schemes if the road toll is reduced and they are typically very involved in improving road safety.

Although no-fault schemes manage liability for most personal injury cases, liability may still be an issue in some cases, including those involving challenges to commission determinations and those involving exceptions within respective Acts (such as contributory negligence).120

Incidents involving a person in the course of their employment may also fall under the relevant workplace health and safety legislation, although most state and territory legislation sets out that employees involved in traffic incidents are captured by the motor vehicle legislation.

3.3 Overseas approaches

3.3.1 Europe

In Europe liability issues have been identified as a key question to be addressed for ITS generally:

Liability issues have notably hampered the market introduction of intelligent integrated safety systems, with legal questions regarding product/manufacturer liability and driver responsibility. For advanced driver assistance systems, for instance, the liability risks may be highly complex — the term ‘defective product’ is used in the EU product liability directive not only in a technical sense but is also linked to human factors including system requirements such as dependability, controllability, comprehensibility, predictability and misuse resistance, which in turn brings in human–machine-interaction safety issues.121

However, analysing liability in Europe in relation to ADAS, Van Wees concluded that:

116 Trade Practices Act 1972 (Cwlth), sections 62-63. 117 Rand Corporation Report, op. cit., p.28. 118 Australian Competition and Consumer Commission, Product Liability, 2012, http://www.productsafety.gov.au/content/index.phtml/itemId/971609 (viewed on 18/10/2012). 119 Transport Accident Commission (Vic), http://www.tac.vic.gov.au/jsp/corporate/homepage/home.jsp (viewed on 18/10/2012); Motor Accidents Authority (NSW), http://www.maa.nsw.gov.au/Index.aspx (viewed on 18/10/2012); Insurance Commission of Western Australia, http://www.icwa.wa.gov.au/ (viewed on 18/10/2012); Queensland Government, Motor Accident Insurance Commission, http://www.maic.qld.gov.au/ (viewed on 18/10/2012); and the Motor Accident Commission (SA), http://www.mac.sa.gov.au/ (viewed on 18/10/2012). 120 For example, Transport Accident Act 1986 (Vic), section 106, http://www.tac.vic.gov.au/upload/TAA1986.pdf (viewed on 18/10/2012). 121 European Commission Directorate-General for Mobility and Transport, Intelligent Transport Systems in Action, 2011, p. 26, http://www.polisnetwork.eu/uploads/Modules/PublicDocuments/intelligent-transport-systems-in-action_its-action-plan.pdf (viewed on 18/10/2012).


Product liability stresses the responsibility of the industry and is far more flexible than vehicle safety regulation. This being said, however, we could still agree that it would be undesirable if system developers and car manufacturers are discouraged to develop and market ADAS only because the (perceived) liability risks are too high. Product liability is often labelled as an important ‘show stopper’ for the market introduction. Certainly, more advanced ADAS such as anti-collision systems that intervene in critical situations, will because of the consequences potentially raise serious and difficult product liability questions which may need some legal intervention.

However, one should not put all the blame on liability. First of all, the threat of product liability will have a preventive effect, helping to keep immature or poorly designed technology off the market. Secondly, an important observation in this respect is that, although product liability is getting a lot of attention in the legal literature, case law on the subject, especially in relation to the automotive sector, is rather rare. Of course, this may certainly not be considered the only indication whether or not product liability must be regarded as a threat for the deployment of ADAS. For instance, most claims will probably not reach court, because manufacturers prefer settlement outside court. Collecting evidence about such settlements is almost an impossible task. It appears, however that in Europe (automotive) producers are, in contrast to the United States, until now not burdened with a great number of claims. Recent evaluations of the Product Liability Directive did not reveal any serious problems of the automotive industry with this Directive either. Furthermore, the introduction of other innovative automotive technologies, such as navigation systems, ABS, ESP or ACC, does not seem to be seriously limited by the impact of the product liability law.122

This last point is particularly worth noting in the context of considering whether legislative changes are required.

Europe has also developed a code of practice for the design and evaluation of ADAS, which ‘summarises best practices and proposes methods for risk assessment and controllability evaluation’.123 Recognising that ‘existing technical limits as well as liability issues are currently delaying the market introduction of Advanced Driver Assistance Systems’124 the code of practice is intended to allow manufacturers ‘to demonstrate that state-of-the-art procedures in ADAS development have been applied, including risk identification, risk assessment and evaluation methodology.’125

3.3.2 United States

As part of its Connected Vehicle Program, RITA has an ongoing Policy and Institutional Issues project, one of whose tasks is to look at liability issues, including:

developing a risk inventory developing a framework for addressing potential risks, including risk mitigation strategies conducting an industry impact analysis.126

As mentioned earlier, EDRs may play an important role in C-ITS systems in order to log events. In the US, such data has previously been used in order to prove criminal liability. As far back as 2002 a driver was convicted of manslaughter, in part based on evidence from an EDR.127 However this data has traditionally not been used by courts in Australia.128 These issues also arise in regard to compliance and enforcement, considered later in this paper. EDRs also play an important role in monitoring for defects, which can lead to recalls when required.

122 van Wees, op. cit. 123 PREVENT, Code of Practice for the Design and Evaluation of ADAS, 2006. 124 Ibid. 125 Ibid. 126 RITA, ITS JPO Policy and Institutional Issues, 2012, http://www.its.dot.gov/factsheets/policy_factsheet.htm (viewed on 18/10/2012). 127 Matos v. State of Florida, http://www.floridasupremecourt.org/clerk/briefs/2005/801-1000/05-887_JurisIni.pdf (viewed on 18/10/2012). 128 D Mccowen, ‘Crash blame: How your car could land you in jail’, The Age, 4 November 2011 http://theage.drive.com.au/motor-news/crash-blame-how-your-car-could-land-you-in-jail-20111103-1mw8n.html (viewed on 18/10/2012).


3.4 Policy questions and options

As with privacy, the liability issues rest on the question of how well the present laws apply to the new technology; is C-ITS so different from what has gone before that a change in approach is required? A series of broad options are set out below and the NTC is seeking feedback on the appropriate approach (or combination of approaches).


Given the established principles in this area and the lack of strong evidence that liability concerns are holding back the development of the technology, there is a legitimate argument that C-ITS applications can fit within the existing liability regimes. Liability issues could be dealt with by the courts under existing laws and parties in C-ITS could establish their own approaches to dealing with liability issues and mitigating their liability risks.

This approach may, however, impact on the roll-out of C-ITS, as there may be a lack of clarity of the risks.

3.4.2 Option 2: Enact specific C-ITS liability law to clarify issues

In order to clarify rights and responsibilities within a cooperative system, specific legislation could be developed, or amendments could be carved out from existing legislation. This might include certain exemptions for particular parties or providing guidance on where liability should fall in order to ensure a just outcome. The question is whether an approach of ‘Regulatory pre-emption’ should be taken or whether government should seek to track progress in technology and update legislation at a later stage. There is a risk with pre-emption, given the evolving nature of the technology, that such legislation could be redundant before it is enacted.

One approach might involve mandating relevant ISO standards, incorporating performance requirements and test procedures. This would provide greater certainty to providers and to consumers. However, ISO standards should not be implemented in such a way as to inhibit innovation in the industry. Regular reviews would also need to be conducted in order to ensure that rules keep up-to-date with technology.

3.4.3 Option 3: Non-legislative approaches

A variety of non-legislative approaches could be considered in order to provide guidance to operators or performance-based standards, whilst allowing the market to develop solutions. An example might be the European code of practice for the design and evaluation of ADAS. Such a document in Australia could set out general principles to be followed in the design and development of systems, but also include issues such as communicating system limitations to drivers and appropriate driver training. Australia could develop a code of practice for C-ITS (or more broadly for ADAS) similar to the European code of practice in order to guide developers of C-ITS applications.

A connected approach could also require that systems meet accepted international standards linked to accreditation schemes in order to ensure consistency of approach. This could lead to ‘design on a modular basis and pre-defined quality and safety standards and certification procedures [which] may help overcome liability concerns in this context.’129

3.4.4 Option 4: Information and education campaigns

Information and education campaigns could assist in raising the profile of these systems in order to better generate benefits, along with encouraging best practice and ensuring the public is informed of capabilities and limitations. This approach may assist in addressing some of the human factor issues, however would not guarantee consistency in the development of systems.

129 European Commission, Cooperative Vehicle-Infrastructure Systems, op. cit.



The European CVIS project found that:

The biggest problem is maybe not the liability itself, but the unclearness of the liability. If it would be clear who is responsible for what, probably a big part of the problems would be solved. A complicating factor in this, are the boundaries of the cooperative system. They cannot be well defined.130

The issue turns on specific scenarios: if a warning failed, how would this impact on driver responsibility? Is the driver essentially in the same situation which they are in today where they would need to apply their own judgement and skill in order to avoid a collision? Governments and courts will need to consider where liability falls in these cases.

Potential liability issues and the risk of litigation may act as a deterrent to technology investment, particularly manufacturers of C-ITS applications. The question arises whether the litigation risks to manufacturers will prevent the roll-out of beneficial technologies – either until they are made mandatory or until a shared liability scheme is developed. In Europe the CVIS Project concluded that that ‘an identifiable entity for people wanting to claim against the system is also needed.’131

However, because C-ITS applications are likely to begin as passive safety systems – providing warning to drivers- they are unlikely to have the same potential impact as the earlier example of airbags (at least initially). Some of the lessons of the deployment of airbags are instructive, however, in particular use of duplicate sensors, to ensure that airbags are only deployed when they are definitely required. Liability concerns may place more onus on providers to build redundancy into the network such as by planning for potential system failures (through providing redundant connections and power supplies) and to manage external disruptions (for example by clearly indicating to the driver whether the C-ITS device is correctly functioning or not). This approach is already being applied in C-ITS technology, for example by employing a second antenna in order to effectively capture the best possible signal and provide a fall back for equipment failure.

3.5.1 C-ITS and manufacturers

Liability will also put pressure on manufacturers and service providers to make clear any limitations of the system, for example signal disruption due to adverse weather conditions. It will be imperative that drivers are aware of limitations and take them into consideration in their driving, much as this information can be difficult to convey. A study on the legal impacts of the C-ITS Interactive project in Europe found that ‘a comprehensive and comprehensible instruction may well contribute to a reduction of the manufacturer’s product liability risk.’132

Mitigating measures for manufacturers and others may include (but not be limited to):

additional driver training information provision, both in-vehicle and in the owner’s handbook, communicating to the

driver their responsibilities, any system limitations and a warning that C-ITS applications should not be relied on in isolation

redundancy of sensors and communication systems to improve reliability additional logging of data for resolution of disputes and system diagnostics (for example,

through EDRs, with appropriate safeguard for data) fall back measures and warnings to the driver when systems are not functioning correctly

(fail-safe provisions) prudent advertising and marketing of systems to avoid over-reliance or false expectations appropriate insurance.

The onus will be on manufacturers to produce systems which can stand up to legal scrutiny. But many, if not all of these measures are already standard practice for major manufacturers as part of their development process and therefore may not require further regulation or other government action.

130 CVIS (2010), op. cit., p.57. 131 CVIS, Mobility 2.0 The New Cooperative Era, p. 26, http://www.cvisproject.org/download/ERT_CVIS_FinalProject_Bro_06_WEB.pdf (viewed on 18/10/2012). 132 InteractIVe, op. cit., p. 56.


3.5.2 C-ITS and road operators

Similar to manufacturers, road operators will need to be aware of their risks and how these change over time. Governments and road agencies will need to carefully track technological progress to ensure that policy keeps pace. Allocation of risks will need to be clear between different service providers and scenario analysis will need to be undertaken to search for potentially unforeseen consequences. Many of the controls mentioned above for manufacturers will also be relevant for road operators, including ensuring backup systems are in place and that appropriate information on any limitations is provided to consumers.

In particular operators will likely need to carefully examine:

the operation and reliability of any roadside units deployed the accuracy of information being relied upon (such as mapping and speed zone data) and

any limitation on information that is being provided how drivers are made aware of any system faults or limitations potential conflicts between different systems, such as visible traffic signals conflicting with

the C-ITS signal sent out at an intersection.

3.5.3 C-ITS information service providers

Again, in a similar way to manufacturers, C-ITS service providers will need to make clear any limitation on information being provided and may need to ensure that commercial features do not conflict with safety features.

3.5.4 C-ITS and drivers

C-ITS applications could in fact put more onus on the liability of the driver, by providing them with additional warnings that if ignored, put more responsibility on the driver for their actions. It may prove difficult to show definitively that a driver ignored a warning. A report into the potential liability issues of the CVIS project concluded that:

The system should be deployed in a way where the CVIS safety messages are considered as a bonus to something else. The driver remains responsible. All information provided is only additional assistance to the driver. One example for this principle is traffic management systems. If the system fails the traffic lights still work. Thus, safety is never compromised, only additional benefits such as green waves are lost.133

The first generation of C-ITS applications can be viewed similarly – these will provide additional warnings to drivers that they do not have today, whilst retaining all of the existing signals, signs and information that they have traditionally relied upon. However as vehicles evolve to have more active safety systems that reduce driver control, liability issues will become more complex and will need to be revisited by governments.


1) Are current laws around liability sufficient to manage the roll out of C-ITS applications? 2) Is further guidance required for industry or for road agencies on managing liability risks?

133 Verweij et al, 2010, op. cit., p.63.


Key liability findings

The liability aspects of C-ITS are not explicitly regulated in Australia, however C-ITS are captured by the general liability laws.

Manufacturers and service providers of C-ITS technology will need to carefully consider the safety risks of their systems and the development and testing processes that they implement, along with consumer marketing and communications.

Liability concerns may create a need for C-ITS applications to log actions in more detail so that causation can be traced. C-ITS applications should also minimise components, as much as possible, to reduce points of failure.

Human factor considerations will be critical to the success of C-ITS, but may require further testing in order to better understand and address them.

Information provided to drivers on system limitations and system status will be critical.

Road managers will need to assess the risk implications of providing infrastructure-based C-ITS solutions.

Expectations of system performance and liability implications are likely to change should C-ITS applications move from being advisory systems to overriding driver actions.


4. Driver distraction and information display

This chapter analyses the unintended safety risk of C-ITS, namely driver distraction due to in-vehicle information display, and discusses potential arrangements to reduce the risk of driver distraction.


Safety is a primary objective of C-ITS, but there is a risk that its introduction will inadvertently compromise safety in certain scenarios. The challenge for manufacturers and C-ITS service providers is to provide more in-vehicle information through new systems without unnecessarily distracting, overwhelming or confusing drivers.

The American Automobile Association Foundation for Traffic Safety defined driver distraction as occurring:

when a driver is delayed in the recognition of information needed to safely accomplish the driving task because some event, activity, object or person within or outside the vehicle compelled or tended to induce the driver’s shifting attention away from the driving task.

It has alternatively been defined as ‘the diversion of attention away from activities critical for safe driving toward a competing activity.’134 Distraction can be visual, auditory, biomechanical, physical or cognitive. Driver distraction can be caused by the actions of the driver, for example adjusting the radio, answering a phone or texting; or it may be caused by unexpected visual, auditory or haptic experiences that are outside the driver’s control, such as a distracting billboard image, or sudden in-vehicle high pitched tone or vibration. In-vehicle driver distraction outside the driver’s control is particularly relevant to C-ITS and is the focus of this chapter. At the same time, it should be borne in mind that C-ITS safety applications can also help protect against the results of distraction, by providing warnings of imminent collisions (such as rear-end collisions) that may be caused by distraction. Future technology could assist with managing distraction, for example by varying the options and functions presented to a driver based on the driver’s experience, vehicle speed, weather and current traffic conditions, in order to ‘lock down’ the technology in riskier situations.135 At issue is the loss of concentration that these acts may cause, and while driver distraction data is difficult to measure and not as consistently collected as speed or alcohol data, driver distraction is acknowledged as a common source of crashes. Given the newness of C-ITS there is even less empirical research about its impact on drivers than other forms of distraction. The scenario of most concern is nonetheless clear: where an in-vehicle C-ITS warning startles the driver and contributes to a collision. C-ITS does not function in isolation but requires human recognition of the signals and timely and proportionate responsiveness. This reliance on human factors could create risks. C-ITS applications providing traveller information to drivers could also prove a source of distraction. As in-vehicle technologies increase, C-ITS will emerge in the marketplace to compete with a host of other information-providing systems and technologies. In-vehicle technology may include systems built into the vehicle, personal navigation devices or smartphones (or a combination of these devices). This could result in drivers ignoring the warnings produced by C-ITS or becoming distracted by the warnings. Alternatively, the package of C-ITS technologies may result in a range of warnings and signals competing for the driver’s attention and could result in overwhelming the driver. Warnings need to be carefully timed and prioritised. In addition to ensuring that C-ITS is designed to meet safety objectives, legislation will need to confirm that C-ITS devices are legal and not caught in the net of laws prohibiting the use of mobile phones while driving. It also remains an ongoing challenge to keep the law up-to-date with

134 MA Regan, JD Lee and L Kristie. Young Driver Distraction: Theory, Effects and Mitigation,2009. 135 International Telecommunications Union, Decreasing Driver Distraction: ITU-T Technology Watch Report, August 2010, p 6. http://www.itu.int/dms_pub/itu-t/oth/23/01/T230100000F0002PDFE.pdf (viewed on 18/10/2012).


changing technology: ‘it is important that standards addressing driver distraction be valid and applicable independent of type of device, manufacturer and level of experience of driver/ user.’136 Any required changes to the law will be recommended to the NTC Review of Australian Road Rules.137

Potential risks, some of which were flagged earlier when discussing liability, include:

An increasing cognitive load on drivers: C-ITS will provide more information to drivers which should empower them to make better driving decisions. The risk is that they will be overloaded with information and decision-making will worsen in critical situations as a result.

Prioritising signals: with a greater volume of information and a range of signals competing for the driver’s attention, messages must be prioritised in order to ensure that the driver receives the critical information at the critical time – and be able to distinguish that message from the host of others.

Prioritising systems: a critical C-ITS warning to a driver, perhaps involving both an audio and a visual message, could be undermined if competing with other in-vehicle systems. For example, the audio message may not be clear when the navigation system is providing turn-by-turn directions and the mobile phone is notifying the driver of new text messages and music is playing. Compatibility between systems that enable prioritisation is possible when C-ITS is built into the vehicle, but prioritising systems is a much greater risk when C-ITS is based on after-market devices. The risk may also be higher in commercial vehicles that have additional in-vehicle systems. Significant work in this area has been done in the aviation industry, however this is a much more closely controlled environment.

4.2 What is the current law?

Regulations currently govern the use of phones and audiovisual devices within vehicles. These rules should not inadvertently prevent the use of C-ITS applications that increase safety, particularly when C-ITS technology is accessed through after-market devices. These laws may prevent, or be perceived to prevent, the uptake of technology. Discussing the future release of their telematics systems, Toyota Australia's product planning executive commented:

Some competitors have had to delay the introduction of telematics connectivity in their cars because of that [local regulations]… So we're working towards something that will comply with regulations for driving distractions in our standards and offering initially a small number of applications and then expanding those out as more and more become available and we should start doing that from early next year.138

4.2.1 Information display

ADRs139 detail the location and format of dashboard information display, including the placement of speedometers and odometers. The design rules do not prescribe the location and format of additional information, such as changes to the speed limit, real time traffic and roadwork advice or the location of approaching vehicles.

As C-ITS generated information becomes available to drivers, the current information display regulations may require updating, more so if C-ITS information display becomes mandatory. Australia’s policy is ‘to harmonise the national vehicle safety standards with international regulations where possible’,140 thus agreed international standards would likely flow through into the ADRs through the current updating process.

136 Ibid. 137 National Transport Commission, Review of the Australian Road Rules, 2011, http://www.ntc.gov.au/viewpage.aspx?documentid=2029 (viewed on 18/10/2012). 138 F Torr, ‘Toyota Telematics Coming Down Under’, CarPoint.com.au, 2012. 139 Australian Design Rules, Vehicle Standard (Australian Design Rule 18/00 - Instrumentation), 2006, which have been implemented by states and territories. http://www.comlaw.gov.au/Details/F2007C00025 (viewed on 18/10/2012). 140 Commonwealth Department of Infrastructure and Transport ‘Australian Design Rules’ http://www.infrastructure.gov.au/roads/motor/design/index.aspx (viewed on 18/10/12).


4.2.2 In-vehicle technology and distraction

Australian Road Rule 299 prescribes the use of in-vehicle televisions or visual display units. Generally, a driver cannot drive a vehicle that has a television receiver or visual display unit that is visible to the driver or could distract other drivers, unless the unit is part of a driver’s aid and is either an integrated part of the vehicle design or is secured in a mounting affixed to the vehicle while being used. Relevant examples of driver’s aids include:

closed-circuit television security cameras dispatch systems navigational or intelligent highway and vehicle system equipment rear-view screens vehicle monitoring devices.

Relevant terms such as ‘visual display unit’ and ‘driver’s aid’ are not specifically defined; but the nature of the examples provided, particularly reference to navigational or intelligent highway and vehicle system equipment, correspond sufficiently with C-ITS technology to suggest that it would be considered a driver’s aid for the purposes of Rule 299.

It is noted, however, that Rule 299 does not prescribe appropriate use of visual display units or driver’s aids, and does not regulate design interface or provide maximum time periods that a driver’s attention should be taken from the road.

Australian Road Rule 300 prohibits the use of mobile phones while driving. Generally, a driver must not make or receive a phone call while driving, unless the mobile phone is secured in a mounting affixed to the vehicle (in a manner intended by the manufacturer) or is not being held by the driver, and does not require the driver at any time while using it, to press or manipulate anything on the body of the phone.

Furthermore, a driver is not deemed to be using a mobile phone to receive a text message, video message, email or similar communication if the communication is received automatically by the phone; and the message is not automatically visible on the screen of the phone (except for an indication that the communication has been received). Relevant definitions include:

affixed to, in relation to a vehicle, includes forming part of the vehicle

held includes held by, or resting on, any part of the driver's body, but does not include held in a pocket of the driver's clothing or in a pouch worn by the driver

mobile phone does not include a CB radio or any other two-way radio

use, in relation to a mobile phone, includes any of the following actions by a driver:

o holding the body of the phone in her or his hand (whether or not engaged in a phone call), except while in the process of giving the body of the phone to a passenger in the vehicle

o entering or placing, other than by the use of voice, anything into the phone, or sending or looking at anything that is in the phone

o turning the phone on or off o operating any other function of the phone.

Rule 300 may not have kept pace with developing mobile phone functions and it may conflict with Rule 299 as a mobile phone could potentially be both a visual display unit and a driver’s aid. This provision, if read strictly, could restrict the use of a mobile phone that was being used to provide C-ITS information.


4.3.1 United States

Driver distraction rules in the United States are largely set by state jurisdictions, resulting in a wide range of different regulations. However driver distraction is also a particular concern of the US Department of Transportation and the NHTSA.


Working with industry, the NHTSA recently proposed performance-based distraction guidelines for in-vehicle electronic device manufacturers, with the aim to:

reduce complexity and task length required by the device limit device operation to one hand only (leaving the other hand to remain on the steering

wheel to control the vehicle) limit individual off-road glances required for device operation to no more than two seconds

in duration limit unnecessary visual information in the driver's field of view limit the amount of manual inputs required for device operation.

The guidelines distinguish between safety critical and other features of in-vehicle electronic devices, and recommend disabling the operational capability of the following devices while driving:

visual-manual text messaging visual-manual internet and social media browsing visual-manual navigation system destination entry by address visual-manual 10-digit phone dialling

displaying to the driver more than 30 characters of text unrelated to the driving task.141

There is an exception for devices intended for use by passengers and it cannot reasonably be accessed or seen by the driver, or unless the vehicle is stopped and the transmission shift lever is in park.

Whilst there has been some criticism of these guidelines, for example they do not consider auditory distraction, they are perhaps a sensible starting place when thinking about what guidelines or a code may look like in Australia. There has been generally strong support for this approach in the United States, particularly as the NHTSA engaged with industry to develop the guidelines. It should be noted, however, that a similar approach in Australia is likely to be easier to incorporate into in-vehicle devices than into after-market devices.

4.3.2 Europe

Within the European Union, distraction issues are generally governed at the member-state level. As a result there is a variety of regimes, for example in regard to nomadic devices, states generally have either a behavioural focus or technical standards focus (see Table 2).

Behavioural focus –

road traffic acts Technical focus –

vehicle licencing and regulations Bans or user restrictions:

Technical (e.g. hands-free) Situational (e.g. vehicle is moving) Functional (e.g. texting prohibited) Way of use (e.g. sound volume)

Bans or vehicle requirements:

Location of mounting position (e.g. position on windscreen of hands-free equipment)

Technical mounting (e.g. suction cup of hands-free equipment).

Table 2: Different approaches to driver distraction in the EU

141 National Highway Safety Transportation Agency, U.S. Department of Transportation proposes ‘distraction’ guidelines for automaker’, media release, 2012, http://www.nhtsa.gov/About+NHTSA/Press+Releases/2012/U.S.+Department+of+Transportation+Proposes+'Distraction'+Guidelines+for+Automakers (viewed on 18/10/2012).


The European Statement of Principles on Human Machine Interface for In-Vehicle Information and Communication was published by the European Commission (EC) in 1998142 and updated in 2006 with the Commission Recommendation on safe and efficient in-vehicle information and communication systems.143 The taskforce responsible for the statement was developed jointly with the automotive and vehicle technology sector and the principles provide guidance on the usability and safety aspects of the interface between in-vehicle information devices and the driver.

The statement included a range of principles over the following areas: overall design, installation, information presentation, interaction with displays and controls and system behaviour.

Again, as with the development of US guidelines, the EC principles take a pragmatic approach with the objective of safety and ergonomic suitability in mind and a number of the principles are particularly relevant to driver distraction issues in Australia. For example, the system should be designed:

to support the driver and should not present information that gives rise to potentially hazardous behaviour by the driver or other road users in such a way that the allocation of driver attention to the system displays remain compatible with the attention demand of the driving situation

so as not to distract or visually entertain the driver to be located and fitted in accordance with relevant regulations, standards and

manufacturer’s instructions for installing the system in vehicles so that information relevant to the driving task is timely and accurate so as not to produce uncontrollable sound levels liable to mask warnings from within the

vehicle or outside with provision for hands-free speaking and listening to enable the driver to control auditory information where there is a likelihood of distraction

or irritation to enable non-safety dynamic visual information to be capable of being switched off to display current status of the system, and any malfunction that is likely to have an impact

on safety so that in the event of a partial or total failure of the system, the vehicle should remain

controllable, or at least should be capable of being brought to a halt in a safe manner with instructions that clearly state which aspects of the system are intended for use by the

driver while driving and those aspects which are not intended to be used while driving to ensure that representations of system (e.g. descriptions, photographs and sketches)

should neither create unrealistic expectations on the part of potential users nor encourage unsafe or illegal use.

The EC is in the process of updating the Statement of Principles to make them more specific.144 The commission wants to define a procedure that should be followed by manufacturers and ITS service providers to ensure compliance with these principles, including a certification process through which products can be shown to have complied with these principles. In parallel to ISO/TC204 the EC is progressing European standards and technical specifications for Intelligent Transport Systems more generally. CEN/TC 278 Road transport and traffic telematics is responsible for the development of ITS standards to ensure inter-operability across countries and to harmonise technical solutions. Working groups include C-ITS, travel and traffic information, route guidance and navigation and electronic fee collection.

142 Updated in 2007: Official Journal of the European Union (2007/78/EC). 143 European Commission, ‘Commission recommendation of 22 December 2006 on safe and efficient in-vehicle information and communication systems: update of the European Statement of Principles on human machine interface’, EN, Official Journal of the European Union, 2007, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2007:032:0200:0241:EN:PDF (viewed on 18/10/2012). 144 European Commission, EC initiatives on e-safety, 2012, http://ec.europa.eu/transport/road_safety/specialist/knowledge/esave/ec_initiatives_on_esafety/index.htm (viewed on 18/10/2012).


4.3.3 International

The Vienna Convention on Road Traffic was amended in 2006 to provide that:

A driver of a vehicle shall at all times minimize any activity other than driving. Domestic legislation should lay down rules on the use of phones by drivers of vehicles. In any case, legislation shall prohibit the use by a driver of a motor vehicle or moped of a hand-held phone while the vehicle is in motion.145

The convention does not however specify uses of other technology.

In addition to the standards development mentioned above, the International Telecommunications Union has a Focus Group on Driver Distraction146 which seeks to provide reports and requirements on managing the distraction of information technology within vehicles. The group aims to complete its work by December 2012.


The following options are proposed for discussion, with the NTC seeking submissions on the appropriate approach. It notes that a combination of options may be recommended. Again, a key question is the role of government and regulation in this area and how far the market should be left to innovate its own solutions.


Enable self-regulation within the industry: manufactures and in-vehicle ITS service providers are generally aligned with government objectives to ensure that C-ITS applications minimise safety risks relating to driver distraction and market-led solutions may be largely accommodated within existing regulations.

4.4.2 Option 2: Amend current road rules

Update the Australian Road Rules to ensure that C-ITS applications are captured and set out in what circumstances, and how, C-ITS should be incorporated into vehicles.

Relevant terms contained in the Australian Road Rules 299 and 300, including ‘visual display unit’ and ‘driver’s aid’ should be technology neutral and defined so as to remove ambiguities and distinguish between safety critical and non-safety critical systems or functions. This may extend to permitting the use of a mobile phone as a driver’s aid when it is being used for that purpose. There are inherent challenges in enforcing provisions that allow particular devices to be used for one purpose and not another. An alternative may be to change the focus to the task demand on the driver rather than the technology, however again this approach is problematic for enforcement.

4.4.3 Option 3: Create guidelines or principles for manufacturers

As an alternative to regulation there may be an opportunity to work with manufacturers in order to define safe interfaces, in-vehicle systems and operations, as is being developed in the United States and Europe. In doing so, guidelines or a statement of principles should not restrict technology innovation and take into consideration the international connectivity of in-vehicle technology development and multinational nature of the auto-manufacturing sector that will favour in-vehicle information standards that are consistent across jurisdictions.

Guidelines or a statement of principles should also take into consideration the challenge of after-market C-ITS devices and seek to manage and provide advice on how these devices can minimise driver distraction when units may have multiple functions or be competing with a range of in-vehicle technologies, such as satellite navigation or phone communication. Separate guidelines may need to differentiate between technology built into the vehicle and after-market devices which may raise different risks.

145 Vienna Convention on Road Traffic, Art. 8.6. 146 International Telecommunication Union, Focus Group on Driver Distraction, http://www.itu.int/en/ITU-T/focusgroups/distraction/Pages/default.aspx (viewed on 18/10/2012).


It should also be noted that there is already a code of practice for the Conduct of an Automotive Safety Recall.147

4.4.4 Option 4: Examine technology options as they develop

There are already technology solutions emerging in the market that seek to minimise driver distraction. For example, in-vehicle cameras are being developed that track the driver’s eyes in order to ensure that they are not looking away from the road for longer than a designated period. This technology is still in development, however, and governments may have a role ensuring that as anti-distraction technologies are developed there are appropriate and agreed standards in place that are consistent with the ADRs and meet ergonomic and safety guidelines.


Regan et al. concluded that in relation to new technologies and distraction:

transport authorities, in conjunction with automotive manufacturers and providers of after-market products, need to develop verification processes for the installation of new technologies so that vehicle owners and potential purchasers can be assured that the installation satisfies the design rules that apply in that jurisdiction. There is also a need for the development of safety standards, ratings, and labels for aftermarket devices.148

Perhaps the first important step towards minimising driver distraction safety risks is reaching agreement with industry on guidelines that are broadly consistent with standards being developed overseas (Option 3). The auto-manufacturing and C-ITS service providers would most likely benefit from a uniform principle-based approach implemented across the sector. Furthermore, standardised formatting and prioritisation rules for information communication across all vehicle and C-ITS makes and models will accelerate consumer confidence in C-ITS and decrease the driver distraction risk.

As C-ITS are implemented across the vehicle fleet, in both new vehicles and after-market systems, and as the technology begins to blur information display with entertainment and/or critical safety features, the Australian Driving Rules are also likely to need review (Option 2). Regulations should ensure that the principles of reducing driver distraction extends to C-ITS and the interplay with other in-vehicle functions, ideally without being technology specific or limiting further intelligent transport innovation.

However, given that C-ITS applications will still only be one technology communication function amongst a range of different in-vehicle and after-market systems, it may be that a wider review of distraction is required, rather than focusing specifically on C-ITS and developing rules or guidance that may be incompatible with other technology.


1) To what extent should regulatory tools be used to set uniform standards to minimise the driver distraction risks of C-ITS applications?

2) Are there any other driver distraction and information display issues relevant to C-ITS that have a potential safety risk, but that have not been identified in this paper?

147 Federal Chamber of Automotive Industries, Code of Practice for the conduct of an automotive safety recall (20110, http://www.fcai.com.au/library/publication//fcai_recall_code_september_2011.pdf (viewed on 18/10/2012). 148 Regan, Driver Distraction Injury Prevention Countermeasures,2009, p. 546.


Key driver distraction and information display findings

Initial C-ITS applications are likely to require drivers to recognise the signals and respond in a timely and proportionate way. This reliance on human factors could increase risks in certain circumstances.

C-ITS, including driver distraction and information display considerations, are not explicitly regulated in Australia.

Relevant terms such as ‘visual display unit’ and ‘driver’s aid’ are not precisely defined in the Australian Road Rules, however devices providing C-ITS applications would likely fall under the definition of ‘driver’s aid’ and be allowable under the Road Rules.

In addition to ensuring that C-ITS meets safety objectives, legislation may be required to ensure that legitimate C-ITS functions are legal and not caught by laws prohibiting the use of mobile phones while driving. Any required changes to the law will be recommended to the NTC Review of Australian Road Rules.

Guidelines relating to the safety and ergonomic functionality of in-vehicle electronic devices have been developed overseas to address this issue.


5. Compliance and enforcement

This chapter analyses the role of C-ITS applications within existing road compliance and enforcement activities, in particular in relation to the purposes for which C-ITS information can be used.


The advent of C-ITS provides challenges but also opportunities for compliance and enforcement. If much greater information is generated by road users, part of this information could be used by road authorities for enforcement purposes. However, C-ITS also provides opportunities to assist drivers in achieving compliance with road laws, for example through intelligent speed assistance technology, which can assist drivers to keep to the speed limit.

C-ITS could also assist in creating opportunities for road agencies to change their compliance approach from primarily random or targeted roadside enforcement to back-office enforcement. This is already occurring in sections of the fleet which are utilising technology such as the IAP (and potentially in future electronic work diaries for truck drivers). The issue is important from a road user perspective but also has a potentially significant impact on road agencies’ structure and resourcing.

The issues and potential effects were summed up in the proposed US Privacy Policy Framework:

Were a National VII [Vehicle Infrastructure Integration] Program to be proposed that would use a VII System as a surveillance tool for law enforcement purposes, concerns with regard to privacy and civil liberties would be raised by the public and its representatives and advocates, which would threaten the implementation of such a Program. The primary purposes of VII are to enhance transportation safety and mobility through improving driver situational awareness, to help avoid and/or mitigate crashes and to use technology to optimize anonymous traffic monitoring and control strategies. The program is being developed, and policy-makers are making decisions, with these purposes in mind. To expand the program beyond these purposes to include punitive uses of the VII System for enforcing traffic or other laws would cast doubt regarding the true intent of the initiative. If a National VII Program were used to facilitate or automate enforcement, many would likely seek ways to disable the VII communications system on their vehicles, or to purchase or retain an older, non-VII-equipped vehicle. This would negatively impact not only their safety, but also the safety of other road users, because a VII-disabled or non-equipped vehicle would no longer be sending or receiving safety data.149

As discussed earlier, there will be a long period during which more technologically advanced cars share the road with those that do not have C-ITS devices. Does compliance and enforcement activity need to take a different approach to these different groups? Will more advanced cars be held to a higher standard (because their breaches could potentially be more easily detected) and will this discourage the take-up of advantageous technology? Some stakeholders report public concern that they could be fined for speeding based on roadside detection of C-ITS signals from the vehicle.

Similar to privacy issues, the issue of compliance and enforcement will depend to a certain degree on technical questions about how far a driver’s C-ITS signal can be made anonymous. If these signals cannot be made completely anonymous, there may be fears that C-ITS enabled cars could be subject to greater enforcement, creating a disincentive to implement the technology. As mentioned earlier, police in Washington have set up a ‘net’ of ANPR detectors, tracking movements around the city, which have apparently moved from initially capturing wanted criminals or unregistered vehicles to a range of other purposes:150

149 RITA, Vehicle Infrastructure Integration: Privacy Policies Framework, http://www.its.dot.gov/research_docs/61vii_privacy_framework.htm (viewed on 18/10/2012). 150 A Klein and J White, ‘License plate readers: A useful tool for police comes with privacy concerns’ Washington Post, 20 November 2011, http://www.washingtonpost.com/local/license-plate-readers-a-useful-tool-for-police-comes-with-privacy-concerns/2011/11/18/gIQAuEApcN_story.html (viewed on 18/10/2012).


Police also have begun using them as a tool to prevent crime. By positioning them in nightclub parking lots, for example, police can collect information about who is there. If members of rival gangs appear at a club, police can send patrol cars there to squelch any flare-ups before they turn violent. After a crime, police can gather a list of potential witnesses in seconds.

Beyond the technology’s ability to track suspects and non-criminals alike, it has expanded beyond police work. Tax collectors in Arlington bought their own units and use the readers to help collect money owed to the county. Chesterfield County, in Virginia, uses a reader it purchased to collect millions of dollars in delinquent car taxes each year, comparing the cars on the road against the tax rolls.

There have also been some examples in the US of private use, for example by banks searching for delinquent borrowers.151

Could compliance and enforcement create a disincentive to take-up of the technology? Do limits need to be placed on the use of data from safety systems in order not to penalise those who take them up? The Policy Framework for Intelligent Transport Systems in Australia152 mentioned above and the principles that it sets out are important to guide policy direction in this area. In particular the policy framework includes the principle that ITS policy should ‘be consistent with broader transport network objectives.’

Most concerns centre around keeping of information about members of the public who have not committed an offence. Many existing systems such as point-to-point are explicitly designed not to retain information if there is no suspected offence, in order to avoid this concern. Regimes are in place to limit the use of data from other systems, such as tolling. Surveillance device legislation in various states provides rules around the use of tracking devices, including for enforcement purposes.

In addition there is a question over how C-ITS data would be used in the aftermath of a crash. Data could be captured within the vehicle (e.g. as discussed earlier in an EDR) or elsewhere within the system (e.g. by a roadside unit). There may be value in making this data available in order to analyse crash causation, which could be extremely valuable in helping to set appropriate speed limits on particular stretches of road or improve road infrastructure. However, this data could also be used to convict a driver, for example of negligent driving. If historical data is retained then this could also be used (e.g. to show that a driver had a history of driving in a reckless manner).

There may be potential to counter-weight the increased surveillance made possible by C-ITS with incentives and rewards for its use where compliant behaviour is demonstrated. This is discussed in a forthcoming NTC strategy document on heavy vehicle compliance.

5.1.1 Surveillance devices

C-ITS may be impacted by surveillance device legislation in various jurisdictions. The Surveillance Devices Act 2004 (Cwlth) sets out conditions for law enforcement agencies to use surveillance devices to track locations and to listen to conversations. The Act does not affect any other Commonwealth or state laws that prohibit or regulate surveillance devices. Certain potential C-ITS applications (for example using C-ITS to measure individual vehicle trips in order to manage traffic flows) may inadvertently be captured by this legislation. This has reportedly been the reason that some Australian states have not used technology to track Media Access Control (MAC) addresses of bluetooth devices to measure trip times. Surveillance devices that track vehicle activities are also captured by state legislation and are broader than the Commonwealth Act – capturing any surveillance by any person. With some variances, particularly in relation to exemptions, surveillance device legislation across New South Wales, Victoria, Western Australia and the Northern Territory is largely consistent. For example, in New South Wales, a tracking device means any electronic device capable of being used to

151 GW Schulz, ‘DEA installs license-plate recognition devices near Southwest border’ Ars Technica, 2012, available at http://arstechnica.com/tech-policy/2012/07/dea-installs-license-plate-recognition-devices-near-southwest-border/ (viewed on 18/10/2012). 152 Standing Council on Infrastructure and Transport, Policy Framework for Intelligent Transport Systems in Australia, 2012, http://www.infrastructure.gov.au/transport/its/files/ITS_Framework.pdf (viewed on 18/10/2012).


determine or monitor the geographical location of a person or an object. This is sufficiently broad to include vehicle movements, and is likely to capture vehicle tracking by state or territory road managers for the purposes of managing traffic flows. If state-based surveillance laws apply, the person under surveillance, or person controlling the object being tracked, must provide their consent to that surveillance.153 Consent may be express or implied. For example, in Western Australia, the Surveillance Devices Act 1998 (WA) legislates that:

A person shall not attach, install, use, or maintain, or cause to be attached, installed, used, or maintained, a tracking device to determine the geographical location of a person or object without the express or implied consent of that person or, in the case of a device used or intended to be used to determine the location of an object, without the express or implied consent of the person in possession or having control of that object. 154

Point of purchase (or sign-up) is perhaps the appropriate time in which agencies obtain individuals’ consent to track their vehicles for traffic management purposes. However, as with privacy, individuals should be made aware of the implications of consent and arrangements should be in place to ensure that the tracking devices do in fact only track those vehicles where consent has been obtained. Further, the Telecommunications (Interception and Access) Act 1979 (Cwlth) prohibits the interception of, and other access to, telecommunications, except where authorised in special circumstances or for the purpose of tracing the location of callers in emergencies. The application of the Act is limited to communications as they travel across the network, and C-ITS vehicle-to-infrastructure signalling is perhaps unlikely to be captured, however this will be explored further as the technology specification of C-ITS becomes settled.

5.1.2 Comparative systems

Automatic Number Plate Recognition technology If signals from individual vehicles are able to be tracked, the system would have similarities to ANPR technology. A Queensland study into the use of ANPR recommended that safeguards and controls governing the use of automatic number plate recognition technology be clearly articulated in enabling legislation, and should prescribe that:

access to data collected by ANPR devices is restricted to authorised agencies and users the collection and retention of personal information is limited to that which is necessary to

achieve clearly articulated purposes

153 In New South Wales, for example, the prohibition on the installation, use and maintenance of a tracking device does not apply when the tracking device is for a lawful purpose: subsection 9(2) of the Surveillance Devices Act 2007 (NSW). 154 Section 7 of the Surveillance Devices Act 1998 (WA).


data relating to vehicles not found to be committing an offence shall be cleansed nightly from devices to minimise the possibility of security breaches

data shall be transported securely between devices and repositories and stored with high-security encryption and digital signatures

security systems shall be subject to regular audits to ensure they are adhered to should additional and compelling public interests be served in the future by new

applications of ANPR, these should only be pursued after public consultation and scrutiny by Parliament

the misuse of ANPR data attracts severe penalties affected individuals have access to a complaints scheme to seek redress if their rights are

abused.155

Similar recommendations may need to be examined in relation to C-ITS technology if detection devices are used for compliance purposes, in particular ensuring that data is used for stated purposes, is secured correctly and that there are appropriate offences for misuse. A national ANPR system was examined by Crimtrac, however at this stage such systems remain state-based.

Myki Public Transport Ticketing System

The myki ticketing system in Victoria records location information of public transport users, which may be linked to personal information for certain types of tickets. In regard to the disclosure of information, the Victorian Transport Ticketing Authority (TTA) states in its privacy policy:

6.10 Apart from disclosures connected with administration of the new ticketing system and Transport Act enforcement, TTA will only provide personal information about myki customers to other third parties, including law enforcement agencies, in the following circumstances:

where TTA is required to do so by law, e.g. in response to a warrant or subpoena where TTA reasonably believes that the disclosure is necessary to lessen or

prevent a serious threat to the life, health, safety or welfare of one or more people where disclosure is necessary for the purposes of complaint handling, such as

disclosure to the Public Transport Ombudsman or the Privacy Commissioner (see sections 12.1 and 13.2)

where the disclosure is requested in writing by the individual concerned where an authorised police officer certifies in writing that the disclosure is

reasonably necessary for the enforcement of the criminal law in connection with investigating or reporting suspected unlawful activity detected by

TTA or its contractors in exceptional circumstances - to intelligence agencies; the Australian Security

Intelligence Organisation (ASIO) or the Australian Secret Intelligence Service (ASIS).156

The TTA has also developed 'Guidelines for disclosure of personal information by the Transport Ticketing Authority' setting out criteria and procedures for disclosure of personal information.

CityLink

CityLink is a toll road which utilises ANPR technology and collects personal information from and about motorists. CityLink is governed by the Melbourne City Link Act.157 Under the Act, a motorist who drives on CityLink without a valid pass may receive an infringement notice and enforcement procedures remain in the hands of Victoria Police.

While CityLink is bound by the NPPs and has implemented a privacy code,158 additional legislative privacy protection has been created under the Melbourne City Link Act. The Act requires that information collected by CityLink, including the names, addresses, licence plate numbers, activities and infringements of motorists, remains confidential. Disclosure is only legal in defined

155 Parliamentary Travelsafe Committee, Report on the Enquiry into Automatic Number Plate Recognition Technology Report No. 51, 2008. 156 Transport Ticketing Authority, Privacy Policy (Revision 4), 24 January 2012, http://www.transport.vic.gov.au/__data/assets/pdf_file/0020/61526/Transport-Ticketing-Authroty-Privacy-Policy-Revision-4-24-January-2012.pdf (viewed on 18/10/20120. 157 Melbourne City Link Act 1995 (Vic). 158 CityLink, Privacy Code, http://www.citylink.com.au/Privacy_Code_C_0109.pdf (viewed on 18/10/2012).


circumstances, namely to relevant agencies such as police and road agencies for specific purposes, including infringement notices, criminal investigations and to enforce certain road safety laws. Penalty units apply – not only to CityLink for illegal disclosure, but to relevant agencies if the records are subsequently misused.159

This is an example of governments applying legislative instruments to restrict the use of personal information and to ensure against function creep in a commercial environment that coexists with genuine state requirements to access information for enforcement and road safety purposes. The intended outcome is that motorists will be confident that their personal information is secure and used only for the purposes intended by the Act. 5.2 Application to C-ITS One approach may be to separate collection and storage of vehicle activity from the entity that holds the information linking the unique identifier to a vehicle registration number. In circumstances where this information is required by law enforcement bodies, a warrant would be required. In this scenario, personal information would be tightly controlled around one entity that is not engaged in day-to-day C-ITS activities, thereby minimising the privacy risk exposure of C-ITS.

Whether location information can be linked back to an individual whose identity is apparent will become more important should C-ITS develop beyond speed and direction information. Advanced applications in the future could require much more information, conceivably including:

mass number and placement of occupants, to allow vehicles to minimise the impact on drivers

and passengers if collisions cannot be avoided license information, to determine whether the driver is subject to particular restrictions, for

example in relation to speed restrictions for learner drivers registration information, for compliance checks and tolling.

The application of privacy principles and surveillance laws to C-ITS is dependent on the extent to which the information collected is anonymous and whether the deployment model is opt-in, opt-out or mandatory. We have seen that absolute anonymity may not be attainable with the requirement of security certificates that link a unique identifier to a vehicle registration number and therefore an individual.

Identification of the correct jurisdiction under which the information collection will take place is essential. Both Commonwealth and state NPPs and IPPs are likely to apply, depending on the entity accessing the personal information. This could include:

private sector bodies, including car manufacturers, tolling agencies, technology providers and data providers, who are generally subject to NPPs

Commonwealth public sector agencies that are subject to the Commonwealth IPPs state government entities and private sector bodies working under a state government

contract, subject to the state IPPs Commonwealth and state enforcement agencies.

However restricted the collection of personal information is under C-ITS, and under either Commonwealth or state regimes, collection must be lawful and relevant to the entity’s tasks. While parliaments may choose to set out in legislation what information an entity can collect and who it can disclose it to (the CityLink model), ordinarily the collection does not of itself have to be authorised by a law.

159 Sections 90 – 93, Melbourne City Link Act 1995 (Vic).



5.3.1 United States

To provide assurance to the public about the uses of C-ITS information, the US Intellidrive project has proposed a set of limitations on the use of C-ITS information, including Limit 4, which states:

No specific information about an individual or vehicle shall be … used for law enforcement or investigation purposes without a valid warrant (or its equivalent). However, anonymous data may be collected and used by law enforcement to, for example, assist traditional law enforcement efforts or to analyze transportation problem locations. Specifically, the National VII Program shall not be used by law enforcement for:

recording real-time video or voice of vehicle occupants, or associating precise vehicle identification numbers (VIN) with times or locations, or, off-board control of vehicle driving or manoeuvring functions.

5.3.2 Europe

Compliance and enforcement was not specifically included in the EU’s ITS Action Plan and enforcement action is complicated by the nature of the EU, with enforcement agencies based in the different member states.160 Nonetheless the use of C-ITS information for enforcement has not been specifically excluded at this stage.


The use of C-ITS information for compliance and enforcement purposes is not currently explicitly regulated. However the use of this information for compliance and enforcement purposes (assuming it is technically possible to do so) may create a significant disincentive to consumers to use this technology. This would be an unfortunate outcome if it led to the loss of the benefits of C-ITS in Australia. Nonetheless there are legitimate scenarios where enforcement agencies may need to access data; the question becomes whether limits and controls need to be put around the use of this data.


Allow jurisdictions to develop their own procedures and processes. This will provide greater flexibility, but will likely lead to inconsistent approaches in different parts of the country. This will have particular implications for heavy vehicle fleets which, from 2013, will be administered under the Heavy Vehicle National Law and National Regulator with an explicit objective of national consistency.

5.4.2 Option 2: Specific protection of data from C-ITS applications

Provide specific protection for C-ITS based information from use for compliance and enforcement purposes (potentially through legislation or policy). This could provide guidance that such information should not be used as part of certain regular compliance and enforcement activities (e.g. generating infringements), but only as part of a court order or utilising a specific process.

5.4.3 Option 3: Provide guidance on appropriate use of data

Again linked to the privacy issues, guidance could be provided on the appropriate use and disposal of data to ensure against misuse. This would provide guidance on and encourage best practice, although it would not compel organisations to follow the same processes.

5.4.4 Option 4: Amendment to Surveillance Device legislation

Examine an amendment to the various state Surveillance Device Acts to ensure that beneficial C-ITS applications are not excluded, provided appropriate safeguards are in place.

160 C Wilson ‘Does enforcement merit a place in the EU's ITS action Plan?’ ITS International, 2012, http://www.itsinternational.com/categories/enforcement/features/does-enforcement-merit-a-place-in-the-eus-its-action-plan/ (viewed on 18/10/2012).



In a similar way to privacy, the issue of compliance and enforcement centres on how information is collected and for what purposes it is used. Ensuring that the system is sufficiently anonymised, and that data is not kept if it is not required, will assist in building the confidence of drivers.

Whilst it can be argued that ‘if people aren’t doing the wrong thing they have nothing to worry about,’ many members of the public would be concerned about enormous stores of information being created about their travel patterns and driving behaviour, with the potential for almost continuous monitoring: ‘It would be difficult to implement a system that gathered information about drivers who might be breaking the law and not be in a position to use that information for enforcement.’161

Ultimately any information once gathered can potentially be used in a court case; subpoenas can be used to access most forms of relevant information in the right circumstances (with rare exceptions such as client confidentiality for lawyers). However, there is a difference between information that could be gathered as part of a specific investigation and information that is constantly being monitored in order to issue infringements. It will be important as part of building trust in systems likely to be primarily used for safety purposes that compliance and enforcement does not become a disincentive to the uptake of systems.


1) Is there a need for clarification over how data from C-ITS systems (both from in-vehicle units and roadside units) will be used and for what purposes?

2) Do limits need to be placed on the use of data from C-ITS systems? 3) If so what limits are appropriate? For what purposes should C-ITS data be

available to be used? Should there be limits on how long data can be kept? 4) Should government, including police and road agencies, have restrictions placed

on the access and use of C-ITS personal information for law enforcement purposes? If so, how, if at all, should these restrictions vary between general law enforcement activities and the investigation of a criminal act?

161 CVIS, 2010, Op. cit., p. 25

Key compliance and enforcement findings

Compliance and enforcement issues are linked to privacy issues in that both relate to the appropriate collection and use of data.

The current indications are that C-ITS signals may not be capable of being made completely anonymous.

Some jurisdictions overseas are examining setting explicit limits on the collection and use of C-ITS data for compliance and enforcement purposes.

Uses of C-ITS data for compliance and enforcement raise similar policy issues to those for ANPR systems and may require similar controls to those put in place for these systems.

Uncertainty about the treatment of C-ITS data for compliance and enforcement purposes may act as a disincentive to the take-up of technology and result in reduced safety and other benefits.


6. Incentives for uptake

The preceding discussion of privacy, liability, driver distraction and compliance and enforcement issues reveals hurdles or disincentives that may affect the uptake of C-ITS. However, there is a counterweight of potential incentives that may encourage uptake and the faster realisation of the safety benefits of the technology.

Benefits of C-ITS applications may initially be quite limited until there is a significant population of vehicles fitted with the technology. This raises the question of whether specific incentives can be provided in order to encourage the uptake of this technology. Such incentives will of course depend on the successful trialling of the technology and clearly demonstrated safety benefits.

A US Department of Transportation study into ‘Incentives for deployment of Onboard Safety Systems’162 classified potential incentives (specifically for the heavy vehicle fleet) as:

federal tax expenditures public information federal loans insurance corrective tax project grants tort liability.163

Incentives that could be examined in Australia to encourage the uptake of C-ITS technology include:

incorporating C-ITS technology into star rating systems (e.g. ANCAP) registration discounts for enabled vehicles linking technology to entry into accreditation schemes regulatory concessions, such as for commercial vehicle access financial or tax incentives transport operator ratings to encourage the use of improved technology.

It would be valuable for governments to examine whether uptake could be encouraged in specific higher-risk vehicles or driver populations or in specific vehicle fleets, such as trains, trams, fleet cars or over-size, over-mass and over-dimension vehicles.

Again there is a question about the appropriate role of government; it could be argued that incentives be left to the market processes, from manufacturers marketing the added safety benefits of their C-ITS enabled vehicles to insurers providing discounts for drivers who utilise this technology.

The NTC is seeking feedback on whether incentives are required and if so, what are the appropriate incentives for examination.

162 US Department of Transportation Federal Motor Carrier Safety Administration Incentives for Deployment of Onboard Safety Systems Final Report, FMCSA RRT-07-031, December 2007. 163 Ibid., p. 1.


7. Other issues for consideration

A range of other policy issues will likely need to be considered for the future:

7.1.1 Driver training and licensing

As C-ITS applications become more common, and particularly if there is a move to make such systems mandatory, updates to driver training and licensing may be required.

7.1.2 Roadworthiness

If C-ITS applications are made mandatory, standards for C-ITS applications will also impact on roadworthiness standards.

7.1.3 Security

It is worth noting that there are existing offences for interference under the Telecommunications Act and transmission of false information. These are not particular to different parts of the general spectrum and there are specific offences for interference which may endanger safety. The relevant provisions are set out below in APPENDIX 3.

7.1.4 Eco-driving

Eco-driving is the handling of the vehicle in a way that maximises fuel efficiency and safety and reduces wear and tear on the vehicle, such as braking. Eco-driving has significant environmental, safety and economic benefits – for example, changing gears to reduce speed instead of relying on braking at the last minute when approaching an intersection. C-ITS may have a role assisting drivers to eco-drive, providing well timed advisory messages that are linked to the performance of the vehicle (an example of this function is Traffic Signal Speed Assist).

7.1.5 Heavy vehicles

There is scope for further exploration of the role of C-ITS in the heavy vehicle sector and its potential to increase the road safety of heavy vehicles, particularly in relation to fatigue. For example, providing truck drivers with current information about available truck parking facilities, opportunities to make it easier for operators and drivers to comply with heavy vehicle law and to streamline compliance and enforcement activities with minimal impact on supply chain efficiency.


8. Glossary

Abbreviation Full Name Description

ACMA Australian Communications and Media Authority

Commonwealth agency that plans and regulates the radiofrequency spectrum in Australia.

ADAS Advanced Driver Assistance Systems A broad category of vehicle technology that does not necessarily use C-ITS. ADAS includes Advanced Cruise Control.

ADR Australian Design Rules Performance-based national standards for vehicle safety, anti-theft and emissions.

ANPR Automatic Number Plate Recognition Optical character recognition software to convert images of vehicle registration numbers into data matching information used for law enforcement or other purposes, such as tollway operations.

C-ITS Cooperative Intelligent Transport Systems

A technology platform that enables components of the transport network to share real-time information to improve safety and traffic outcomes.

CVIS Cooperative Vehicle-Infrastructure Systems

European Commission research and development project to design, develop and test C-ITS technologies.

DSRC Dedicated Short Range Communication

A short to medium range communication service allocated for automotive and transport use. C-ITS are based on DSRC-technology.

EDR Event Data Recorders An in-vehicle device that records information relating to a vehicle crash or incident and is triggered by an engine fault or an abrupt change to speed.

GNSS Global Navigation Satellite System A satellite navigation system that provides geospatial positioning with global coverage, based on longitudinal, latitudinal and altitudinal data.

IAP Intelligent Access Program A voluntary program that uses GNSS technology to monitor a heavy vehicle’s road use, providing an operator with flexible access to the network to suit specific business and operational needs.

IPP Information Privacy Principles Commonwealth and state privacy principles introduced for the public sector.

Lidar Light Detection and Ranging Optical technology that uses light to detect the proximity of objects.

NHTSA National Highway Traffic Safety Administration

US agency that directs motor vehicle and highway safety and consumer programs.


NPP National Privacy Principles Commonwealth privacy principles introduced for the private sector.

NTC National Transport Commission The NTC develops national regulatory and operational reforms and implementation strategies for safer, more efficient and sustainable road, rail and intermodal transport across Australia.

RITA Research and Innovation Technology Administration

US agency that coordinates the Department of Transportation's research and education programs, including advanced transport technologies.

SCOTI Standing Committee on Transport and Infrastructure

Council of Australian Governments (COAG) standing council of Commonwealth and state transport and infrastructure ministers.

V2I Vehicle-to-Infrastructure Cooperative ITS information exchanged between vehicles and infrastructure, such as roadways or traffic lights.

V2N Vehicle-to-nomadic device Cooperative ITS information exchanged between a vehicle and a nomadic device, which may be located on a pedestrian, cyclist or inside another vehicle.

V2V Vehicle-to-Vehicle Cooperative ITS information exchanged between two or more vehicles


9. Appendix 1: US Privacy framework

The US Department of Transportation Vehicle Infrastructure Integration (VII) Privacy Policies Framework Principles164 are:

1. Principle of Respect for Privacy and Personal Information Commitment to respect for individual privacy in a National VII Program means that VII-derived personal information should be acquired, retained, disclosed, and used only in ways that protect the privacy of individuals. Personal information users should collect, retain and use only anonymous information whenever possible. Users of VII-derived personal information and VII System administrators are expected to be accountable with regard to the personal information they collect and/or use in a National VII Program.

2. Information Purposes Principle A personal information user should acquire, use, disclose and retain personal information only for valid purposes, consistent with the goals of a National VII Program, as described in the VII Privacy Limits, below. A personal information user should:

inform a personal information subject about the purposes for which personal information will be collected, used or disclosed before collecting personal information from that subject so that the personal information subject can decide whether or not to agree to use of their personal information for those purposes

use and/or disclose personal information to third parties, only for valid purposes about which the information subject has been informed

retain personal information for only as long as the information serves a valid purpose limit the storage of personal information to a specified duration that should reflect the

period of time necessary to fulfil the purpose for which personal information was collected. (See Information Protection and Retention Principle, below.)

3. Acquisition Principle In acquiring personal information, a personal information user should:

assess the potential impact on the privacy of personal information subjects collect only personal information that is reasonably expected to support current or planned

activities collect personal information consistently with valid purposes for information collection (See

Information Purposes Principle, above) and the notices that the personal information user has provided to personal information subjects. (See Notice Principle below.)

4. Notice Principle Before a personal information user collects personal information, the information user should provide effective advance notice to each information subject about:

what personal information is collected why the personal information is collected how the personal information will be used what steps will be taken to protect the confidentiality, integrity, and quality of the personal

information any opportunities to remain anonymous the consequences of providing or withholding personal information; how long the personal information will be retained rights of recourse and redress. (See Accountability Principle, below.)

5. Fair Information Use Principle A personal information user should use personal information about an information subject only in ways that are compatible both with the notice provided by the information user (See Notice

164 US Department of Transportation, Vehicle Infrastructure Integration, Privacy Policies Framework, 2007, http://www.its.dot.gov/research_docs/61vii_privacy_framework.htm (viewed on 18/10/2012).


Principle above) and with the information subject’s reasonable expectations regarding how the personal information will be used.

6. Information Protection and Retention Principle Within a National VII Program, the VII System’s technical architecture and structure should be designed to implement advanced security and other technologies to protect personal information against improper collection, disclosure or misuse in ways that may affect the privacy interests of personal information subjects.

Personal information users and information administrators should apply administrative, physical and technical controls appropriate to the protection of personal information derived from or obtained through the VII System. Particular attention should be given to:

maintaining the security of personal information protecting confidentiality of personal information against improper access assuring the quality and integrity of personal information collected or maintained.

Personal information users and information administrators should only retain personal information that is relevant to a valid purpose and only for as long as, and to the extent that, the information is protected against improper access, disclosure or use. Personal information users and information administrators should have data storage procedures that assure appropriate, secure disposal of personal information:

when there is no longer a valid purpose for retaining the personal information when a stated or required time limit on data retention has been reached when data transmission has been completed within the VII System.

Identifiers, such as data addresses (potentially identifying a data source) captured during transmission or transport of data within the VII System should not be retained longer than is necessary to accomplish the data transport or transmission.

7. Openness Principle Personal information users and information administrators:

should be informed about privacy issues and the best ways to protect personal information derived from the National VII Program

should inform prospective personal information subjects about personal information the personal information user collects through the National VII Program

should explain to personal information subjects protections for personal information derived from National VII Program, and the length of time personal information will be retained by the personal information user.

Personal information subjects should be able to rely on personal information users for adequate information about:

the nature and extent of personal information collected from them the purposes for which such personal information is collected the uses of personal information made by personal information users the opportunity not to provide personal information the protections for confidentiality, integrity, and quality of personal information the consequences of providing or withholding personal information opportunities to remain anonymous rights of recourse and redress for misuse of personal information. (See Accountability

Principle, below.)

8. Participation Principle In addition to receiving information regarding how personal information is collected and used in a National VII Program, each personal information subject should be expected to protect his or her own privacy. Personal information users should provide each personal information subject opportunities to:

access personal information about himself or herself correct any inaccurate personal information about the personal information subject


object to improper or unfair personal information use choose to remain anonymous, and not provide personal information.

9. Accountability Principle A personal information user should respond to inquiries and complaints about interference with privacy interests or misuse of personal information, including use of personal information in ways that are incompatible with notice provided to information subjects (see Notice Principle, above). If an information subject has a complaint that he or she has been harmed by improper collection, retention, disclosure or use of his or her personal information by a personal information user, the information subject should have appropriate means to raise and resolve the complaint.

Limits

Limit 1 For the public-sector transportation functions discussed above, public sector entities that are VII data users may collect and retain only anonymous safety- and traffic-related data derived from the National VII Program, and vehicle operator/owners shall not be required to provide personal information for such functions.

Limit 2 For public-sector commerce purposes, public sector entities that are personal information users may collect and use personal information derived from the National VII Program to the extent that personal information subjects have provided consent. Personal information held by public agencies shall be protected by agency privacy policies and present or future privacy protection laws.

Limit 3 For public-sector regulation and commercial vehicle permitting purposes, public sector entities that are personal information users may collect and use personal information derived from the National VII Program to the extent that a personal information subject has provided consent, unless the nature of the regulation (e.g., legal requirement) or permit requires uniquely-identifiable vehicle information for specific applications. In these exceptions, the personal information shall only be used for explicitly-stated purposes that are necessary for the required application. Personal information held by public agencies shall be protected by agency privacy policies and present or future privacy protection laws.

Limit 4 No specific information about an individual or vehicle shall be derived from the National VII Program to be used for law enforcement or investigation purposes without a valid warrant (or its equivalent). However, anonymous data may be collected and used by law enforcement to, for example, assist traditional law enforcement efforts or to analyze transportation problem locations. Specifically, the National VII Program shall not be used by law enforcement for:

recording real-time video or voice of vehicle occupants, or associating precise vehicle identification numbers (VIN) with times or locations, or, off-board control of vehicle driving or manoeuvring functions.

Limit 5 The National VII Program and VII System will not be designed to gather specific information about an individual driver, occupant, or vehicle for national security, homeland security or anti-terrorist surveillance purposes.

Limit 6 For private-sector commerce purposes, private sector entities that are personal information users may collect and use personal information derived from the National VII Program to the extent that personal information subjects have provided consent. Personal information held by private entities shall be protected by privacy policies and present or future privacy protection laws.

Limit 7 For the private-sector transportation functions, private sector entities that are VII data users may use only non-personal information derived from the National VII Program (e.g. impersonal vehicle data) and vehicle operator/owners shall not be required to provide personal information for such functions.


10. Appendix 2: Product liability legislation

Trade Practices Act 1975 Section 62 – product safety standards (1) A corporation shall not, in trade or commerce, supply goods that are intended to be used, or are of a kind likely to be used, by a consumer, being goods of a kind in respect of which a consumer product safety standard has been prescribed, if those goods do not comply with that standard. (2) The regulations may, in respect of goods of a particular kind, prescribe a consumer product safety standard consisting of such requirements as to

(a) performance, composition, contents, design, construction, finish or packaging of the goods; and (b) the form and content of markings, warnings or instructions to accompany the goods, as are reasonably necessary to prevent or reduce risk of injury to persons using the goods.

(3) Where

(a) the supplying of goods by a corporation constitutes a contravention of this section by reason that the goods do not comply with a prescribed consumer product safety standard; (b) a person suffers loss or damage by reason of a defect in the goods or by reason of his not having particular information in relation to the goods; and (c) the person would not have suffered the loss or damage if the goods had complied with that standard, the person shall be deemed for the purposes of this Act to have suffered the loss or damage by the supplying of the goods.

Section 63 – product information standards

(1) A corporation shall not, in trade or commerce, supply goods that are intended to be used, or are of a kind likely to be used, by a consumer, being goods of a kind in respect of which a consumer product information standard has been prescribed, unless the corporation has complied with that standard in relation to those goods. (2) The regulations may, in respect of goods of a particular kind, prescribe a consumer product information standard consisting of such requirements as to

(a) the disclosure of information relating to the performance, composition, contents, design, construction, finish or packaging of the goods; and (b) the form and manner in which that information is to be disclosed on or with the goods, as are reasonably necessary to give persons using the goods accurate information as to the quantity, quality, nature or value of the goods.

(3) Where

(a) the supplying of goods by a corporation constitutes a contravention of this section by reason that the corporation has not complied with a prescribed consumer product information standard in relation to the goods; (b) a person suffers loss or damage by reason of his not having particular information in relation to the goods; and (c) the person would not have suffered the loss or damage if the corporation had complied with that standard in relation to the goods, the person shall be deemed, for the purposes of this Act, to have suffered the loss or damage by the supplying of the goods.


11. Appendix 3: Interference legislation

Radiocommunications Act 1992

Section 194 – interference likely to endanger safety or cause loss or damage

Subject to section 196, a person must not do any act or thing that the person knows is likely to:

(a) interfere substantially with radiocommunications; or (b) otherwise substantially disrupt or disturb radiocommunications; if the interference, disruption or disturbance is likely to endanger the safety of another person or to cause another person to suffer or incur substantial loss or damage.

Section 197 – causing interference etc.

(1) A person is guilty of an offence if: (a) the person engages in conduct; and (b) the person is reckless as to whether the conduct will result in:

(i) substantial interference with radiocommunications; or (ii) substantial disruption or disturbance of radiocommunications.

(2) In this section: ‘engage in conduct’ means:

(a) do an act; or (b) omit to perform an act.

Section 198 – transmission of false information

A person must not, in a transmission made by a transmitter operated by the person, make a statement, or convey information, with intention of inducing a false belief that:

(a) the person or any other person is dying, has died, is being injured or has been injured; or (b) property is being, or has been, destroyed or damaged; or (c) there is a risk of the occurrence of an event referred to in paragraph (a) or (b); or (d) there has been, is or is to be a plan, proposal, attempt, conspiracy, threat to do, or omit to do, an act, being an act or omission that is likely to result in the occurrence of an event referred to in paragraph (a) or (b).

Imputed knowledge For the purposes of establishing a contravention of section 192, 193 or 194, paragraph 195(1)(b) or section 199, if, having regard to:

(a) a person's abilities, experience, qualifications and other attributes; and (b) all the circumstances surrounding the alleged contravention; the person ought reasonably to have known that using the transmitter in question, or doing the act or thing in question, was a contravention of that provision, the person is taken to have known that using the transmitter, or doing the act or thing, was such a contravention.