What are the legal aspects of blockchain-based solutions when it comes to autonomous vehicles, and what consequences might these have in terms of IT and cyber security? Blockchain-based solutions for autonomous vehicles which have caught the public imagination are the prospects of “self-owning” or “self-managing” cars that, for instance, autonomously plan and organize appointments at automobile repair shops, or which transport people when not used by the car owner in order to earn money and thus reduce the costs for the vehicle. It is envisaged that autonomous vehicles could fund and purchase themselves as well as manage themselves via an installed wallet, refuel themselves or recharge their battery autonomously, and independently pay their fees for insurance, loans, and required fuel or power.
No matter which of these solutions is in play: The great complexity of the technical processes used in connected cars leads to complex legal requirements. In addition to contract or liability issues, a major legal issue centers on IT, cyber, and data security. Since an autonomous vehicle has various systems that were developed by various companies and which are part of a larger unit which is permanently connected to the Internet and thus prone to attacks, it is essential to define the legal requirements of IT and cyber security. From a legal standpoint, it is also necessary to assess whether the data generated by the connected systems of the vehicle are tamper-proof and legally admissible.
Blockchain/DLT and Smart Contracts
The self-management of autonomous vehicles is based on smart contracts that are mainly approached as blockchain-based solutions.
Smart contracts are not contracts in a legal sense – although the name may suggest this – but are rather computer programs that store legal relations or agreed-upon services and automatically enforce their fulfilment. They have to be designed accurately and need to be programmed correctly, taking into account all contingencies that may occur. This results in a system that can considerably accelerate contract processing as well as conflict resolution, since the fulfilment of duties that need to be performed by the parties under the contract is monitored, contract processes are managed transparently, and appropriate consequences are enacted, e.g. when a duty was not fulfilled.
If a smart contract deals, for instance, with the purchase of a car where instalment payments are agreed upon, and the buyer is in default on a payment, the electronic car key might be influenced in a way which disables the key, so that the buyer will be unable to open the car until the outstanding instalment has been paid. If and to what extent such a form of “law enforcement” on a technical level is in line with the fundamental principles of law, and occurs instead of taking legal action as defined by law, needs to be checked for each individual case.
Thus, smart contracts enable devices controlled by software to have an efficient, pre-programmed self-management. If smart contracts are integrated into a blockchain, the blockchain technology provides a technically secure basis for protecting against misuse and later manipulation of smart contracts and the parameters processed. However, these concepts face limitations of a very real nature, e.g. in discretionary decisions that need to be weighed up thoroughly, or unforeseeable cases that are impossible to be considered when programming. For such cases, there might not be any technical solutions currently available on the market.
IT/Cyber Security of Autonomous Vehicles
Data documentation which is admissible as evidence and which is tamper-proof is of essential importance due to the numerous components installed in vehicles and produced by various producers. Since there are many technical systems built into a vehicle that also interact with each other, there is a high vulnerability to technical errors and manipulation. Questions also arise concerning which requirements are imposed by law with regard to fully digitized and autonomous systems and their IT/cyber security, and whether the data that have been generated by these vehicles, resulting from their interconnection of systems – data that may be used, for instance, for investigating an accident – are documented in a manner which is legally admissible and tamper-proof in a blockchain, or a decentralised distributed ledger, or even in a blackbox. In the case of an accident, the party responsible for the damage can only be identified if a technical failure can clearly be attributed to a particular component. The procedural advantage for data stemming from, for instance, a distributed ledger is that the factual basis can only be attacked if technical errors in generating data or manipulation were explicitly proven.
Rights to Data
Further, the question of who legally owns the right to the data becomes more and more important. In the case of an accident, many different people might have a considerable legal interest in gaining access to the computer-generated data, including not only the owner and driver or the victim of the accident, but also the insurer and the potentially liable producer of sensors or other components of the vehicle involved in the accident. So far, the legal attribution of produced data to a particular party has not been finally clarified. Thus, the question of who legally owns the data needs to be checked in each individual case and with considerable legal effort. For this reason, legal experts are currently engaged in discussions concerning the possibility of creating a property right to computer-generated data.
Implications for Liability
With regard to liability issues, there are also legal limitations for autonomous vehicles. Under current law, the producer, owner, and driver of a vehicle might be held liable for accident damages. Robots or autonomous systems or so-called intelligent systems cannot be held liable, given that, in the absence of a legal entity, they are not considered to be legal subjects. Furthermore, a system does not have liability assets. Thus, it is necessary to attribute the cause of the accident to a legal entity due to predictability and supervisory duties. Especially with regard to a probable exclusion of liability, another question arises: Could the action or non-action of the robot that caused the accident have been prevented by the liable person’s human intervention?
Outlook: Legislation on European Level
The European Parliament has passed a resolution on robotics/AI. The core of this resolution focuses on the legal problems in connection with intelligent, self-learning systems.
In particular, the question being weighed up is whether it is necessary to establish an electronic person in order to create self-liability for robots. Moreover, the Parliament is considering decreasing human responsibility depending on the degree of a system’s self-controlling capacity and the ability of robots to make their own decisions. Previous legislation will not be sufficient in cases where a self-controlled system – for instance, an autonomous vehicle – is powered more and more by what approaches human thinking. The Parliament is also considering establishing a system of registration for robots in the Union as well as compulsory insurance for them. These legal innovations might provide a binding framework of action for developers and thus might enhance further technical progress.
Klaus Brisch, LL.M. is a certified specialist lawyer for information technology law in Germany. He consults on complex IT projects in the areas of transactions, compliance, IT security, data protection, and data security, and advises companies in the entire field of Internet law and electronic commerce, as well as on hardware and software contracts. He also focuses on eGovernment.
Marco Müller-ter Jung, LL.M. is also a certified specialist lawyer for information technology law in Germany. His consulting practice specializes in the areas of information technology law, intellectual property rights, and copyright law. He advises in the entire field of Internet law, e-commerce law (e.g. e-business, contract law, law of general terms and conditions, consumer protection, data protection and privacy, etc.) and IT contract law.
Klaus Brisch and Marco Müller-ter Jung are focused on the legal issues and requirements related to future technologies like industrial-Internet, additive manufacturing, connected devices and cars, big data, and wearables, to name but a few.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.