It is predicted that the future of driving, and of transport infrastructure more generally, will be autonomous and interconnected. Numerous headlines in recent years have been dedicated to the rise and challenges of driverless technology. When and how the technology will be rolled out will depend, in no small part, on the creation of a legal and regulatory environment capable of supporting this new technology.

According to the National Transport Commission’s (NTC) Automated Vehicle Program report 2019, in 2017, transport ministers endorsed the development of an end-to-end regulatory framework by 2020, to support the deployment of automated vehicles through reform of Commonwealth, state and territory regulations relating to vehicles and drivers. Work is continuing towards this goal but, given the regulatory complexity, the timeline for delivery of the framework has been extended beyond 2020. Additionally, while the focus of the end-to-end framework will be on driving regulations, there are numerous other regulatory issues to consider before the deployment of automated vehicles.

This article touches on a few of the key regulatory issues associated with autonomous vehicles and cooperative intelligent transport systems (C-ITS) that will inevitably form part of Australia’s transport infrastructure in the near future and will play a key part in the ensuing debate about its adoption.

Autonomous vehicles and C-ITS

Autonomous vehicles or ‘driverless cars’ are vehicles operated by a sophisticated computer system programmed to perform tasks such as accelerating, braking, turning and changing lanes, in place of a human. Cars today have some autonomous features such as self-parking, but in coming years, the expectation is that cars will be increasingly automated until no or very minimal human control is necessary.

Many of the benefits of automated vehicles are dependent on the development of C-ITS. C-ITS is a system (still under development in Australia) that will allow vehicles to communicate with other vehicles and infrastructure (such as traffic signals) connected to the same system. According to the NSW Centre for Road Safety, the technology works by a C-ITS device sending and receiving information to and from other vehicles and infrastructure in real time, and using that information to assess risks on the road based on the location, direction and speed of the device and other vehicles.

Autonomous vehicles and C-ITS are set to revolutionise transport networks and deliver benefits such as greater traffic efficiency and productivity, safety improvements, reduced fuel consumption, less noise pollution and greater accessibility to transport for those who can’t drive. The technology allows for collision avoidance, hazard detection and warnings, improved emergency response times through post-crash notification systems and improved road safety for pedestrians and cyclists.

Data is key

Autonomous vehicles and C-ITS will constantly generate data that will have enormous value to key players in the transport infrastructure space. For example, data about traffic congestion and the road environment will be valuable to transport agencies, road operators and Government; driver preference data will be valuable to automated vehicle entities; and event data, such as data about crashes and technical faults, will be valuable to manufacturers, insurers, law enforcement and accident victims (see discussion here).

Despite the undeniable benefits, the adoption of autonomous vehicles and C-ITS presents complex legal and regulatory challenges for stakeholders and law-makers in Australia’s transport infrastructure space. Autonomous vehicles run counter to the current regulatory paradigm, under which a person has a central and clearly defined role in each stage of a car’s journey from manufacture to the road. The data-driven nature of autonomous vehicles also raises a new set of legal problems to be solved. A few of the key legal challenges are considered below, including privacy issues, cyber security threats and motor accident injury insurance reform. These are by no means exhaustive, but offer an insight into some of the complexities that will need to be resolved before automated vehicles are ready for wholesale rollout.


As autonomous vehicles and interconnected transport systems are increasingly adopted, a balance will need to be struck between protecting privacy and promoting public safety. In its Policy Paper released in 2019 on ‘Regulating government access to C-ITS and automated vehicle data’, the NTC concluded that a large amount of the data generated by autonomous vehicles and C-ITS will be classified as ‘personal information’ (e.g. location data), and in some cases as ‘sensitive information’ (e.g. data from health sensors that monitor driver alertness, facial recognition data used to verify car-owner identity etc.) under the Privacy Act 1988 (Cth) (Privacy Act). As described above, data from autonomous vehicles and C-ITS will be incredibly valuable to both the private and public sector and some of the benefits from automated vehicles (e.g. collision avoidance using location data) will not be available unless such data is shared in C-ITS.

However, current privacy protections contained in the Privacy Act may prohibit the use and disclosure of personal and/or sensitive information obtained from autonomous vehicles in certain circumstances. For example, under APP 3, sensitive information cannot be collected about an individual unless the individual consents and the information is reasonably necessary for one or more of an organisation’s (e.g. body corporate) functions or is directly related to and reasonably necessary for an agency’s (e.g. Department, Minister, law enforcement) functions. Additionally, under APP 5, an individual is required to be notified if an entity collects personal information about them.

Supporting privacy protections and providing adequate privacy assurances will likely be critical for the uptake of automated vehicles and underpin public trust in the interconnected transport system of the future. However, navigating Australia’s privacy laws (including federal, state and territory regimes) will be a key challenge for those implementing autonomous vehicles and C-ITS on Australian roads. In the NTC’s Policy Paper mentioned above, the NTC recommended some broad design principles for managing government access to and addressing privacy challenges of C-ITS and automated vehicle data, which will guide further work in this space. The principles consider the need to balance the benefits of data access with privacy concerns, aligning regulation with existing concepts of personal information and specifying the data, purposes and parties covered.  

Cyber security

As autonomous vehicles depend on connection to networks, they will be vulnerable to cyber attacks. Additionally, as they will be connected to C-ITS, a cyber security breach could have catastrophic consequences for all interconnected transport infrastructure, not just driverless cars.

Cyber risk can arise in the manufacture of an autonomous vehicle, which depends on a range of third party vendors providing software and hardware components. It can also arise where the vehicle is being operated and a malicious actor takes control of the vehicle or surrounding infrastructure. Another risk is a hacker gaining unauthorised access to the data generated by automated vehicles themselves and by C-ITS. See also here and here.

Cybercrime is currently regulated under Australia’s Criminal Code Act 1995 (Cth) (Criminal Code), which contains cybercrime offences that criminalise activity such as unauthorised access to computer systems (s 478.1) and denial of service attacks (s 477.3). The scope of criminal offences and potential penalties may need to be revisited in an ever more connected world.

In recent years, Australia has also introduced legislation and guidance to address the security of critical infrastructure. The Security of Critical Infrastructure Act 2018 (Cth) (SCI Act) places an obligation on owners and operators of critical infrastructure assets (including certain electricity, gas, water and port assets) to provide certain details to the Secretary to the Department of Home Affairs. This enables the Critical Infrastructure Centre to obtain detailed information from owners and operators of critical infrastructure assets in particular circumstances and empowers the Minister to intervene where there are national security concerns.  

Last month, the Australian Government released its highly anticipated Cyber Security Strategy 2020 (Strategy) which is intended to create a ‘more secure online world for Australians, their businesses and the essential services upon which we all depend’. The Strategy proposes to reform the SCI Act to include a principles-based approach to cyber security to be applied separately to each sector, including the transport sector, recognising that each sector will require different approaches. The enhanced regulatory framework will impose stronger cyber security obligations on entities considered to be involved with critical infrastructure of national significance and place an enforceable positive security obligation on designated critical infrastructure entities. The Strategy also outlines new powers that will allow the Government to act against sophisticated cyber attacks. We have examined the Strategy in more detail here.

Furthermore, as the technology evolves it is predicted that autonomous vehicles will not only be connected to the infrastructure network but also to smart devices in homes such as TVs, garage doors and digital keys via the ‘Internet of Things’ or ‘IoT’. While this will undoubtedly offer benefits and convenience, it is also a significant cyber security risk, as a hacker gaining access to information from an autonomous vehicle could allow them to access a person’s home, and vice versa. Currently, the IoT is governed in Australia by a Voluntary Code, being the ‘Code of Practice – Securing the Internet of Things for Consumers’; however, it is likely that as IoT technology becomes more ubiquitous, a more stringent regime will be required. We have examined regulation of the IoT in more detail here.

Motor accident injury insurance

Although the expectation is that autonomous vehicles will be safer than vehicles controlled by humans, accidents will still happen. Currently, Australian state and territory laws require registered vehicles to have motor accident injury insurance (MAI Insurance), which provides compensation for injury and/or death from car accidents.

Under existing MAI Insurance schemes, an entitlement to compensation is typically dependent on determining fault in respect of the accident. If a computer is in charge of a vehicle, who is at fault? The current MAI Insurance scheme is built around the human driver paradigm.

As noted by the NTC in its Discussion Paper released in 2018 on ‘Motor Accident Injury Insurance and Automated Vehicles’, the current regulatory landscape needs to be altered or even redesigned to ensure that compensation is available for injuries and deaths from accidents involving automated vehicles.

Driving into the future

The future of Australia’s transport system is driverless and interconnected. Australia’s current regulatory frameworks and laws – particularly in relation to privacy, cyber security and motor accident injury insurance – will be tested by the new technology. Regulatory reform is likely to be necessary across the transport and infrastructure sectors to ensure that security and privacy concerns are addressed and to foster public trust in the system, especially given the vast amounts of valuable data that the system will generate.