Legal challenges for connected and autonomous vehicles

Science topics June 2017 InnovationTransportRoad safetyHuman behaviour

By Michèle Guilbot, Research director in Law and deputy director of the LMA (Laboratory of Accident Mechanisms) TS2 department

In 2016, the Commission for the enrichment of the French language defined the autonomous vehicle as “a connected vehicle which, once it has been programmed, travels on public thoroughfares automatically and without any intervention from its users»1. But full autonomy requires the presence of artificial intelligence capable of handling its interaction with the environment and taking action without automatically responding to a pre-programmed situation.2.
The French law proposes the notion of “partial or total driving delegation»3. This alternative helps better assessing the functional features that will lead to autonomy and is suitable to legal analysis as it identifies the delegated tasks: to whom (or what), at what time, under what circumstances.
Combined with the automation levels put forward by SAE4, this concept offers a reading grid for the analysis of new risks and responsibilities of the stakeholders in the design, manufacturing, maintenance and usage of the autonomous vehicle, its specific components and its environment (software, algorithms, mapping, digital platforms, road infrastructures, etc.).
Autonomous vehicles indeed raise new challenges to which the law must now bring adapted responses in view of the new risks and liabilites.


Legal tools for protection against new risks

The execution of tasks entrusted to the vehicle requires using a large amount of data, often shared with third parties. Law and technique must therefore concur to address the risks generated by the multiplication of connected objects. This is particularly true for the capturing and usage of personal data; violations of privacy and of the freedom to move anonymously;  Illustration Joël Yerpez Collection personnelle J. Yerpez - M. Guibotillegitimate, if not malicious, intrusions into the systems to alter their operation. To prevent such risks the law has two arrays of tools.
1. Regulations, including EC regulations. In 2018, the General Data Protection Regulation (GDPR) will strengthen the protection of users’ personal data across the territory of the European Union.5. Cybersecurity6 and the deployment of cooperative intelligent transport systems (STI-C)7 have also been placed under the scrutiny of the European regulator.
2. The “soft law” with standardisation (ISO8 et ETSI9), recommendations, charters and best practice guidelines (G2910 and CNIL11 for advice and recommendations concerning the protection of personal data, ENISA12 and ANSSI13 for cybersecurity.

* Call driving assistance to the box !

Credit : Joël Yerpez / Personal collection Yerpez - Guilbot


Human vs System as seen from the driving tasks and the liabilities

While the legal backdrop to public road experimentations is still under construction in France 14, work is currently undertaken towards the compatibility of international Conventions on road traffic (Vienna, 1968; Geneva, 1949)15, with automotive technical regulations and in-vehicle technological innovations.

The law will have to envisage a number of major issues: Who shall be regarded as the pilot of the autonomous vehicle? Who will be responsible for traffic violations? How to apportion the steering and control powers over driving tasks between the human driver and the system? What status should the human driver be assigned during phases of total automation?

Answers to these questions will affect the apportionment of accident liability in determining victims’ indemnification (third party or administrative liability) or who to sanction for offences, including cases of gross negligence on the part of professional parties (criminal liability). The burden of proof will be key to these cases. The Event Data Recorder (EDR) has often been referred to, but itself raises a number of questions: access right, availability, integrity, data interpretation; new debates are emerging between the legitimate interest of economic operators, prevention of road hazards and protection of users’ personal data; competition law versus business confidentiality.



Ifsttar contributes to the work on these legal aspects (Guilbot, Serre et Ledoux, 2016; Guilbot et Pflimlin, 2017; Hautière, Tattegrain et Guilbot, 2017) as part of a prospective, operational and cross-disciplinary approach. The aim is to take a pragmatic outlook on the evolution of law without unnecessary haste as indeed, the regulations currently in force cover most potential disputes, at least in the transition period. Some of them will need to be adapted gradually to cater for the presence on public roads of driverless vehicles steered by artificial intelligence.






1. Vocabulaire de l’automobile, JORF, 11 juin 2016, texte n°111.
2. Sur l’autonomie d’un robot, v. Résolution du 16 février 2017 of the European Parliament. Recommendations to the Commission concerning civil law rules on robotics (2015/2103(INL)).
3. Law 2015-992 dated 17 August 2015 pertaining to the energy transition towards green growth (art. 37-IV) and report to the President of the French Republic on Ordinance 2016-1057 dated 3 August 2016 pertaining to the experimentation of delegated driving vehicles on public thoroughfares.
4. SAE International is a worldwide association of over 128,000 engineers and technical experts working together with the aerospace, automotive and commercial vehicles industries.
5. Regulation 2016/679/UE dated 27 April 2016 pertaining to the protection of private persons against the processing of personal data and the free circulation of such data (repeals directive 95/46/CE of 24 October 1995).

6. Directive (EU) 2016/1148 du 6 of July 2016 on security of networks and essential information systems.

7. Directive (EU) 2010/40 of 7 July 2010 pertaining to the framework for deployment of intelligent transport systems in the area of road transport and of interfaces to other transportation modes.

8. International Standardisation Organisation:

9.ETSI is a private certification body specialising in the area of information security

10. The G29 or “Working Party on data protection and privacy” was established by article 29 of the 1995 directive. It brings together the representatives of every national independent data protection authority (CNIL for France) and one representative of the European Commission. A European data protection committee, having legal personality, will replace it in May 2018 with the enforcement of the European Regulation (art. 68 et seq. of the GDPR).

11. French national data protection commission: Commission Nationale de l’informatique et des libertés.

12. The European Union Agency for Network and Information Security (ENISA) is a centre of expertise for cyber security in Europe.

13. L'ANSSI is the French national authority for the security and protection of information systems

14. The ratification act of the above-mentioned ordinance has not been voted yet and the statutory instruments are still pending publication. Experimentations are currently authorised subject to a special registration certificate (regulation dated 9 February 2009, art. 8.IV).

15. Discussions taking place between WP1 (Working group on road traffic and safety) and WP29 (World Forum for Harmonisation of Vehicle Regulations) within the UN Economic Commission for Europe.