Although delivery robots are called autonomous, they are, for the time being, only partly self-driving: they are remotely supervised and, where necessary, remotely controlled from a control centre. This remote control rests on a permanent exchange of data between the robot and the control centre, which raises serious data protection issues that this paper intends to discuss. Before turning to data protection, however, the fact that delivery takes place on public traffic areas designated for pedestrians is analysed from a legal perspective, especially in terms of tort liability for possible accidents.
5.1. Liability for Torts Inflicted by Traffic Accidents
General tort law in most legal systems provides a claim for damages caused by any tortious action, i.e., a civil wrong resulting in loss or damage to another person. On these principles, implemented into positive law by each national legal system individually, the legal or natural person steering the delivery robot and in charge of its supervision (in our case study Starship Technologies) would be held liable for any tortious action committed by that person through its tools, here the delivery robot.
Tortious liability is in many legal systems fault-based (see e.g. sec. 823 I of the Bürgerliches Gesetzbuch, the German Civil Code, hereafter BGB) or subject to exculpation if the tort was not committed directly by the tortfeasor but by a third person for whom the tortfeasor is responsible and who has been selected and supervised with due care (see sec. 831 BGB). In our case study, such a third person could be an employee of Starship working in the control centre.
In contrast, two situations are generally governed by strict (i.e., non-fault-based) liability for damages: product liability and liability under traffic law.
5.1.1. Product Liability
In the context of delivery robots, it is important that the manufacturer of a product that caused damage or personal injury to the user can also be held liable in most Western legal systems. In the legal space of the European Union (EU), Directive 85/374/EEC (Product Liability Directive) regulates liability for defective products and has been implemented in the national legal systems of all EU member states. The Directive defines “product” as all movables, even if incorporated into another movable or into an immovable (see art. 2 as amended by Directive 1999/34/EC), and imposes strict liability on the producer for any damage caused by a defective product. A product is “defective” when it “does not provide the safety which a person is entitled to expect, taking all circumstances into account, including: (a) the presentation of the product; (b) the use to which it could reasonably be expected that the product would be put; (c) the time when the product was put into circulation” (art. 6). The presentation of the product includes the adequacy of warnings and instructions. The standard is thus an objective one.
As product liability can arise from construction defects, manufacturing defects, instruction defects and product monitoring defects, i.e., from spheres entirely under the producer’s control, sound construction and manufacturing, clear user instructions, and continued monitoring of the product in the field can limit the producer’s exposure to strict liability.
5.1.2. Tortious Liability under Traffic Law
This is considerably less true of traffic law, which in most legal systems extends liability to fit the special circumstances of public traffic. Traffic law not only widens the circle of debtors (not only the owner of a vehicle can be held liable, but also, separately, the driver), it also generally imposes strict liability on the vehicle owner: the owner is liable for any damage caused by the vehicle in public traffic even without intent or negligence.
Victims of accidents in which delivery robots were involved will thus, if they can, rely on traffic law liability rather than product liability (or standard tort liability, which is usually fault-based) in order to maximize their claims. The question is therefore whether delivery robots qualify as vehicles participating in public traffic under standard traffic laws.
Starting from existing definitions, delivery robots are closest to motorized vehicles that are permitted to operate in pedestrian areas (pavements) because of their low speed and weight; the closest comparable vehicle is the motorized wheelchair (part a). The difference between such motorized wheelchairs and delivery robots is analogous to that between human-driven cars and automated cars. Since the latter difference has already been regulated in various legal regimes, it can serve as a model for a definition of transport robots as well (part b).
Adapting Regulations for the Needs of Delivery Robots
An essential criterion permitting motorized wheelchairs to operate in public traffic (which includes pedestrian areas) is their conformity with the general principle “Every moving vehicle or combination of vehicles shall have a driver”, as stated in art. 8 par. 1 of the 1968 Vienna Convention on Road Traffic (hereafter the Convention); they also comply with art. 8 par. 5, “Every driver shall at all times be able to control his vehicle or to guide his animals”, and art. 13 par. 1, “Every driver of a vehicle shall in all circumstances have his vehicle under control so as to be able to exercise due and proper care and to be at all times in a position to perform all manoeuvres required of him”.
As all autonomously driven vehicles, i.e., vehicles that are not constantly monitored by a driver, are thus inadmissible under these provisions of the Convention, the Working Party on Road Traffic Safety (WP.1), which is responsible for these matters within the United Nations Economic Commission for Europe, decided at its 68th session (24 to 26 March 2014) [32] to propose adapting the Convention to the needs of automated traffic by supplementing art. 8 with an additional paragraph 5bis, which states that
“Vehicle systems which influence the way vehicles are driven shall be deemed to be in conformity with paragraph 5 of this Article and with paragraph 1 of Article 13, when they are in conformity with the conditions of construction, fitting and utilization according to international legal instruments concerning wheeled vehicles, equipment and parts which can be fitted and/or be used on wheeled vehicles. Vehicle systems which influence the way vehicles are driven and are not in conformity with the aforementioned conditions of construction, fitting and utilization, shall be deemed to be in conformity with paragraph 5 of this Article and with paragraph 1 of Article 13, when such systems can be overridden or switched off by the driver.”
If transport robots are intended to operate in public traffic, they would have to comply with these criteria as well. A definition of transport robots would thus have to either refer to paragraph 5bis of the Convention or incorporate its conditions directly.
Against this background, delivery robots could be defined as follows:
“A transport robot is an autonomously or partially autonomously electrically driven motor vehicle, which is designed for the transport of goods, and has a maximum mass of not more than (e.g., 10) kg including batteries but without freight, a maximum permissible mass (including freight) not exceeding (e.g., 20) kg, a maximum design speed of not more than (e.g., 6 km/h) and a total height/width/length of xyz. A motor vehicle shall be regarded as autonomously or partially autonomously operated when its steering systems are in conformity with the conditions of construction, fitting and utilization according to international legal instruments concerning wheeled vehicles, equipment and parts which can be fitted and/or be used on wheeled vehicles. Vehicle systems which influence the way vehicles are driven and are not in conformity with the aforementioned conditions of construction, fitting and utilization, shall be deemed to be in conformity with this Article, when such systems can be overridden or switched off by the driver.”
At present, national traffic laws have not yet been adapted accordingly, but it is to be expected that various States will implement the WP.1 proposal in the near future and will define delivery robots in very similar, if not identical, terms to those proposed above, thereby bringing delivery robots within the scope of public traffic law. Even before that, judges have the discretion, provided that the applicable national traffic law uses a sufficiently broad definition of vehicles, to bring delivery robots within the liability regime of present-day public traffic law.
Transport companies and sellers delivering their goods themselves should thus be aware that strict liability under public traffic law may already apply to delivery robots today, and should approach the local traffic authorities to clarify the “liability status” of delivery robots in the respective jurisdiction. Where the respective traffic law covers delivery robots, they should be aware of the risk of strict liability and, if they wish to take that risk, take preparatory measures such as insuring themselves against this liability.
5.2. Delivery Robots and EU Data Protection
The information that most delivery robots collect by design (Starship robots, for instance, are equipped with six cameras) for various purposes, such as documenting accidents or building maps of efficient delivery trajectories, is of considerable commercial value, not only to the operator of the robots but also to state authorities, competitors, and the producer seeking to improve its product; data protection is thus one of the central legal issues for delivery robots.
In 2016, the European Parliament and the Council of the European Union, on a proposal by the European Commission, adopted the General Data Protection Regulation [33], which has applied since 25 May 2018 and replaces the Data Protection Directive of 1995 [34]. The General Data Protection Regulation (GDPR) aims to strengthen and unify data protection for all individuals within the European Union and also addresses the export of personal data to countries outside the EU. One important feature of the GDPR is its endeavour to “return control” over personal data to citizens and residents and to harmonize the regulatory framework for international business by unifying the rules within the EU. As an EU regulation, the GDPR applies directly in all EU member states, i.e., it does not require national governments to pass enabling legislation.
The key term of the GDPR is “personal data”, defined as any information relating to an identified or identifiable natural person (the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person ([33], Article 4(1)). A subset of personal data enjoys special protection: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, genetic data, biometric data processed solely to identify a human being, health-related data, and data concerning a person’s sex life or sexual orientation ([33], p. 679, Article 4(13)–(15); Article 9; Recitals (51)–(56)). In addition, a catalogue of examples of “personal data” lists information relating to an individual, whether it relates to his or her private, professional or public life, e.g., name, home address, photographs, e-mail address, bank details, posts on social networking websites, medical information, or a computer’s IP address [35].
Personal data must be processed lawfully, fairly and transparently (Article 5). Consent of the data subject is one of the lawful bases for processing (Article 6) and, for the scenario discussed here, the central one: “the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data” and “the data subject shall have the right to withdraw his or her consent at any time” (Article 7). Consent must be given by a clear affirmative act and cannot be inferred from silence or mere implied behaviour; for the special categories of data it must be explicit (Article 9).
Non-compliance with the data protection rules can lead to severe penalties. Organizations in breach of the GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater ([33], Article 83(5)). This maximum applies to the most serious infringements, e.g., processing without a valid lawful basis such as sufficient customer consent, or disregarding data subject rights. Fines are tiered: a lower tier of up to 2% of global turnover or €10 million, whichever is greater, applies e.g. to failures to keep records of processing, to implement data protection by design and by default, to notify the supervisory authority and the data subject of a breach, or to conduct a required impact assessment ([33], Article 83(4), covering among others Articles 25–39, including the processor obligations of Article 28). Besides, individuals may bring civil actions in addition to the measures taken by supervisory authorities against violators.
The GDPR differentiates between the “data subject”, the “controller”, and the “processor”. The EU resident who is the client of the delivery takes the role of the “data subject”. To identify the controller and the processor in the case of the delivery robot, it is necessary to refer to Article 4 of the GDPR, which defines a ‘controller’ as the “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”; whereas the ‘processor’ is a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” ([33], Article 4).
Applying Article 4 to a delivery robot that distributes, say, pizzas for Mario’s Pizzeria: the client who orders and receives the pizza is the data subject. Mario’s Pizzeria, which decides that the client’s address and order data are to be used to get the pizza to the client, determines the purposes and means of that processing and is therefore the controller. If Mario’s Pizzeria subcontracts the delivery to Starship Technologies, which processes the client’s address data on the pizzeria’s behalf, Starship is the processor for that data. For the data Starship collects for its own purposes, such as camera footage for accident documentation and sensor data for navigation and map building, Starship determines purposes and means itself and is the controller (possibly jointly with the pizzeria, Article 26). This distinction matters for compliance, since the GDPR treats the controller as the party principally responsible for obtaining consent, handling withdrawal of consent, enabling the right of access, and so on. A data subject who wishes to withdraw consent will therefore contact the controller, even if the data is stored on the processor’s servers, and the controller must then instruct the processor to delete the data from its systems. The GDPR applies to controllers and processors established in the EU and, irrespective of their location, to those offering goods or services to, or monitoring the behaviour of, data subjects in the EU (Article 3), and it introduces direct obligations for processors, who can themselves be subject to penalties and civil claims. This is an important difference from the old Directive, which held only controllers liable for non-compliance. Under Article 28(1), controllers, i.e., the customers of processors, should therefore only engage processors that provide sufficient guarantees of GDPR compliance, in order to avoid penalties themselves.
Applying the GDPR to autonomous delivery robots, a first controversial issue arises in terms of the personal data collected and transmitted during the last-mile delivery. As in any other delivery process, personal data of the client are necessary to fulfil the 6R of logistics, i.e., to bring the right product, at the right time, in the right quantity and quality, to the right destination at the right cost [27]. The corresponding personal data include address, financial, and biographical data plus consumption data that result from the business relationship with the client. These customer data, however, are less sensitive in GDPR terms than the data collected in order to steer the robot from the starting point of the delivery to its final destination: a simple address is a precondition for performing the contract, and its collection and storage therefore does not violate the GDPR, as it matches the purpose limitation. More problematic are the pictures, sound recordings and videos taken by delivery robots in order to provide evidence in case of accidents in which the robots are involved, material that inevitably also contains visual and audio information on individuals moving in the direct vicinity of the robot. These data are collected in public spaces, and such photos, sound recordings and video sequences of natural persons are “personal data” under the GDPR. They are transmitted over the internet and telecommunication networks, partly viewed and analysed by control personnel and their IT systems, and later stored in the databases of the companies’ delivery control centres.
These robots could also violate Article 25 of the Regulation, which requires data protection by design and by default.
Data protection by default means that controllers have to implement appropriate technical and organisational measures to ensure that, by default, only the personal data necessary for each specific purpose of the processing are processed, in terms of amount, extent of processing, period of storage, and accessibility. Article 25(2) adds the duty to ensure that, by default, such personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons. Article 28(1) requires processors to provide “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”. Article 32 (“Security of processing”) continues: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Unfortunately, Article 32 of the GDPR does not define precisely which technical and organisational measures a company should adopt in order to comply. Compliance within the organisation is, however, to be supervised by a Data Protection Officer, who must be appointed where, among other cases, the core activities consist of regular and systematic monitoring of data subjects on a large scale (Article 37(1)), as continuous camera recording in public space may well be. The Data Protection Officer shall be involved in all issues relating to the protection of personal data, work independently, monitor compliance with the GDPR, report to the highest management level, be reachable by data subjects, and cooperate with the supervisory authority ([33], Articles 37–39).
Once data fall within the scope of the GDPR, the Regulation gives strict instructions on how they may be used. As the delivery robot itself, as a device, collects, processes and transfers user data, Article 25 on data protection by design and by default applies: the robot system has to implement appropriate technical and organisational measures for “ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons” ([33], Article 25(2), Recital 78). Consequently, the producer of the delivery robot has to make sure that data protection measures are taken, e.g., pseudonymisation of personal data by the controller at an early stage of data collection, and, since the communication between the robot and the remote control centre runs over wireless links, the personal data (including photos and video sequences) have to be encrypted in transit. Secondly, the robot’s data collection must be limited to what is necessary, and transparency has to be ensured “with regard to the functions and processing of personal data in order to enable the data subject to monitor the data processing and the controller to create and improve security features” ([33], Recital 78). This requires that all collected user data are accessible (Article 15) and, where Article 20 applies, portable, so that any EU resident who assumes that his or her personal data (e.g., photos and videos) were collected by the robot can request these data in a widely compatible format and verify exactly which data have been obtained. Thirdly, “the principles of data protection by design and by default should also be taken into consideration when developing, designing, selecting, and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations” ([33], Recital 78).
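Articles 25 and 32 both call for “appropriate technical measures” without saying what they look like in practice. As an added illustration, which is not Starship’s code and not based on any described system, the following Python sketch applies three of the measures named above to a constructed robot telemetry record: per-purpose data minimisation, keyed pseudonymisation of the customer identifier, and enforcement of a retention period. The purposes, field names, retention periods, sample record and key are assumptions made for this example only. It also shows why an unkeyed hash of an e-mail address is not pseudonymisation in the sense of Article 4(5): a short dictionary of plausible addresses inverts it, whereas the HMAC-based pseudonym cannot be inverted without the key. Encryption of the radio link itself is a transport-layer matter (TLS) and is not shown.

```python
"""Added example (not Starship's code): data protection by default for a
delivery-robot telemetry record, following Articles 25 and 32 GDPR.
All purposes, field names, retention periods, the key and the sample
record are assumptions made for this illustration."""
import hashlib
import hmac
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Assumed purpose -> allowed fields (data protection by default, Art. 25(2)).
PURPOSE_FIELDS = {
    "delivery": {"order_id", "dropoff_address", "dropoff_window", "customer_ref"},
    "route_learning": {"robot_id", "timestamp", "gps", "speed_kmh"},
    "accident_evidence": {"robot_id", "timestamp", "gps", "speed_kmh", "frame_ids"},
}
# Assumed retention period per purpose (storage limitation, Art. 5(1)(e)).
RETENTION = {
    "delivery": timedelta(days=30),
    "route_learning": timedelta(days=7),
    "accident_evidence": timedelta(days=90),
}
# Constructed sample record, as a robot might report it to the control centre.
RAW_RECORD = {
    "robot_id": "SR-0042",
    "timestamp": "2018-06-01T12:00:00+00:00",
    "gps": [59.4370, 24.7536],
    "speed_kmh": 5.4,
    "frame_ids": ["cam1-000917", "cam4-000917"],
    "order_id": "ORD-7781",
    "customer_email": "Alice@example.com",
    "customer_phone": "+372 5555 0000",
    "dropoff_address": "Example Street 1, Tallinn",
    "dropoff_window": "12:15-12:30",
    "bystander_faces": 2,
}
# Example key only; a real deployment keeps this in a KMS/HSM, never in code.
EXAMPLE_KEY = b"example-only-pseudonymisation-key"


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of an identifier. This is NOT pseudonymisation:
    anyone with a list of plausible e-mail addresses can invert it."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: stable under the same key (records of one
    customer stay linkable) but not invertible without the key."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Attacker without the key: try to re-identify a token by hashing guesses."""
    for cand in candidates:
        if hmac.compare_digest(naive_hash(cand), token):
            return cand
    return None


def minimise(record: Dict, purpose: str, key: bytes) -> Dict:
    """Keep only the fields needed for `purpose`, replace the direct customer
    identifier by a keyed pseudonym, and stamp purpose and expiry so the
    record can be purged later. Purposes never specified are rejected."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"unknown purpose: {purpose}")
    allowed = PURPOSE_FIELDS[purpose]
    out = {k: v for k, v in record.items() if k in allowed}
    if "customer_ref" in allowed and "customer_email" in record:
        out["customer_ref"] = keyed_pseudonym(record["customer_email"], key)
    collected = datetime.fromisoformat(record["timestamp"])
    out["_purpose"] = purpose
    out["_expires"] = (collected + RETENTION[purpose]).isoformat()
    return out


def purge_expired(records: List[Dict], now_iso: str) -> List[Dict]:
    """Storage limitation: drop records whose retention deadline has passed."""
    now = datetime.fromisoformat(now_iso)
    return [r for r in records if datetime.fromisoformat(r["_expires"]) > now]


if __name__ == "__main__":
    for purpose in PURPOSE_FIELDS:
        print(purpose, minimise(RAW_RECORD, purpose, EXAMPLE_KEY))
    leaked = naive_hash(RAW_RECORD["customer_email"])
    print("naive hash re-identified as:",
          dictionary_attack(leaked, ["bob@example.com", "alice@example.com"]))
```

The point of `minimise` rejecting unknown purposes is that a new use of the footage (say, marketing analytics) cannot silently reuse data collected for accident evidence; it forces an explicit decision, which is what purpose limitation demands.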
It is not only the producer, the processor and the controller of the delivery robot who may be held liable for GDPR violations; telecommunication service providers whose networks the processor or controller uses to transmit data from the robot also have to comply with the GDPR to the extent that they process that data on the controller’s behalf, i.e., take the respective technical protection measures and store the data only within the limits of Article 25 GDPR.
Starship’s Regional Business Manager for Central Europe, Hendrik Albers, recently addressed the GDPR explicitly in the context of innovative disruptions [22]. Albers warns against over-regulating the European data protection regime and proposes a feasible balance between innovation and consumer privacy. In the case of Starship, the company has, according to Albers, developed very precise routines to ensure that this balance is kept. In Albers’ opinion, most companies that collect customer data do so in order to benefit the customer rather than to market client data for profit. He thus argues for a privacy approach that leaves companies sufficient freedom. In the case of delivery services, he points out that it is essential to know where the customer is located in order to deliver the goods as close to the customer as possible. In addition, the delivery service needs several personal details in order to organize the delivery efficiently, and the customer would not be able to receive the shipment if the regulation prohibited the collection of one of these essential parameters.
While it is not surprising that Albers takes a rather liberal approach on (not) subsuming Starship robots’ activities under the GDPR, it has to be conceded that, in the case of delivery services, and especially of autonomous delivery robots that are partly remote-controlled via telecommunication networks, the privacy debate still focuses on customer data, which happens to be the least controversial aspect. The personal data collected by the sensors, microphones, and cameras and transferred over telecom links are so far not at the top of the agenda, despite the evident conflict between many default technical data collection settings and the GDPR.
The organisation operating the delivery robot control must be able to demonstrate compliance with the GDPR, i.e., the controller should implement measures that meet the principles of data protection by design and by default. Furthermore, the controller is responsible for implementing effective measures and must be able to demonstrate the compliance of processing activities even where the processing is carried out by a processor on its behalf. Article 35 requires Data Protection Impact Assessments where processing is likely to result in a high risk to the rights and freedoms of data subjects, and Articles 37–39 task Data Protection Officers with monitoring compliance within organisations. Non-compliance with these three main rules attracts administrative fines under Article 83 of up to €10 million or 2% of global annual turnover for these obligations, and up to €20 million or 4% for the most serious infringements, whichever amount is higher. In addition, one should keep in mind that there is no grace period: the GDPR has been in full effect since 25 May 2018.