Over the last three years, France has actively started to develop a legal framework allowing for the testing and development of self-driving cars.
Car manufacturers have thus been able to start conducting experiments on French roads, though still on the basis of individual derogations.
In 2015 PSA was the first company to receive authorization to test self-driving vehicles on motorways in France. More recently, VALEO has also been testing cars, including in Paris. In November 2017, NAVYA, a French company specializing in self-driving cars, presented “Autonom Cab”, the first robot-cab in the world.
In the public transportation sector, KEOLIS (a subsidiary of France’s national railway SNCF) and ÎLE-DE-FRANCE MOBILITÉS have launched a temporary experiment with autonomous vehicles on the esplanade of La Défense (business center in Paris). The RATP (public company in charge of Parisian transport) is currently testing two vehicles with six seats in the bois de Vincennes.
Some legal gaps must still be addressed but President Emmanuel Macron announced on 29 March 2018 that France will have a legislative framework allowing experiments on autonomous vehicles of level 4 (near-total autonomy) in 2019.
In this context, car manufacturers have announced that they will be ready to commercialise autonomous vehicles as soon as 2022, by which time a legal framework authorising the circulation of autonomous vehicles is intended to be in place.
A. Automotive laws in France
(i) French legal framework
On this basis, the French Government issued an order on 3 August 2016. Its effective implementation has been limited, however, because the application process had yet to be approved.
In the meantime, ad hoc authorizations are issued under an “exceptional registration certificate” procedure provided by Article 8 IV of a decree dated 9 February 2009.
This procedure is not specifically targeted at autonomous vehicles, as it concerns the vehicle registration procedure in general, which at present limits the scope of tests: these are still strictly limited to certain highways and specific weather conditions.
As explained, however, the situation is expected to change soon.
In February 2017, a joint report produced by the IGA (an inter-ministerial body) and the General Council for environment and sustainable development (GCESD) evaluated the economic and legal challenges entailed by the development of autonomous vehicles. The report proposes a set of concrete administrative and regulatory measures to foster this technology. These would be overseen by a specifically appointed inter-ministerial director.
In November 2017, the French Senate issued a comprehensive report on the EU strategy for autonomous vehicles. The report identifies remaining “legal gaps” that are believed to be slowing down the development of autonomous vehicles in France and advocates for the adoption of a comprehensive regulatory framework to encourage more efficient adoption of this technology.
Concrete political and legal steps have been taken to foster the development of autonomous vehicles in France, and manufacturers have been able to initiate tests since 2015.
Although legal gaps must still be addressed, the Government is committed to providing a fully operational legal framework for experimentations as soon as 2019, and an operational legislative framework allowing for the circulation of autonomous vehicles by 2022.
(ii) Who or what is allowed to drive or operate a vehicle
Article R.412-6 of the French Highway Code requires that all moving vehicles must have a driver adequately controlling the vehicles at all times. Complete or partial delegation without the full control of a driver is incompatible with this article.
(iii) Safety of autonomous vehicles
The Government’s order of 3 August 2016 provides that the circulation for experimental purposes of a vehicle with partial or complete driving delegation on a road open to public traffic is subject to the issuance of an authorization to ensure the safety of the experimentation.
Although this new authorization system is not effective yet, an upcoming draft implementing decree indicates that the Ministry of Transport, on the advice of the Minister of the Interior, and the police and competent traffic authorities will supervise the use and testing of autonomous vehicles.
(iv) Requirements for autonomous vehicle manufacturers to provide consumer education
In the absence of a legal framework, there are currently no educational requirements in force for autonomous vehicle manufacturers.
(v) Use of the SAE nomenclature for autonomous vehicles
Pending further legislative amendments, there are currently no laws or regulations referring to the SAE nomenclature for autonomous vehicles.
B. Data protection and cybersecurity – France
The use of these “connected vehicles” in France raises significant privacy and data protection issues. It is therefore crucial to ensure the protection of personal data processed through such vehicles, as this processing could lead to the disclosure of specific information on data subjects’ behaviours (places they go, music they listen to, traffic violations, wear condition of the vehicle, etc.) and could even lead to the collection of special categories of data such as the sexual preferences or political or religious beliefs of the passengers.
In France, the government and the French data protection authority (the CNIL) have provided guidance to stakeholders on how to comply with the currently applicable French Data Protection Act and, starting from 25 May 2018, with the GDPR. These guidelines are likely to be adopted by the future European Data Protection Board to be applied consistently across the EU.
(i) Obligations and challenges
Autonomous vehicles’ primary functions directly result from information technologies. A single vehicle is connected through numerous technologies such as vehicle sensors, telematics boxes and mobile apps, which involves a wide range of stakeholders and multiplies the risks of data breaches and cyberattacks.
In order to minimize these risks, the CNIL and the government adopted several recommendations, in addition to the general obligations set out in the GDPR.
(1) Privacy by design, privacy by default, and minimization of data
According to these principles, privacy and data protection are key considerations that must be taken into account in any project and throughout its lifecycle. The data controller must implement appropriate technical and organisational measures and integrate the necessary safeguards into the car’s data processing. Privacy by design and by default also requires data minimization, i.e. only processing the data strictly necessary to meet the purpose of the processing.
The CNIL recommends the following:
- Default settings that protect privacy and personal data;
- Settings that allow easy enablement/disablement of the services;
- Scalable settings that can be adapted flexibly to the situation (e.g., the possibility to access a map without being GPS-located);
- Easy access, for data subjects, to their personal data.
The CNIL emphasizes that data minimization implies that processing location data on an on-going basis, and in a precise and detailed manner, cannot be considered lawful, as nothing justifies the need for such detailed and continuous data.
(2) Transparency, information and consent
Data subjects must be informed of any processing of their data, its purpose, which data are collected, by whom, and which rights they have. Where consent is the legal ground for the processing, it must also be collected in a fair and transparent manner.
When several companies are acting jointly as data controllers, they must inform the data subjects of their respective obligations and how data subjects can exercise their rights.
Data subjects should be informed through several means of communication: clear and detailed clauses in the vehicle sales or leasing agreement or the service agreement, separate documents such as the owner’s manual of the vehicle, the on-board vehicle, and standardized icons inside the vehicle.
(3) Local processing of data
The collected data can be processed inside or outside the vehicle. In its guidance, the CNIL identifies three different personal data flows that may occur:
- Model (IN→IN): the data collected remains within the vehicle (‘local processing’).
Ex: eco-driving solutions with real time advice on the car dashboard;
- Model (IN→OUT): the data is transferred to a service provider with the aim to provide a service to the data subject.
Ex: “Pay as you drive” contracts (insurance, car rental…); and
- Model (IN→OUT→IN): the data collected is transmitted to trigger an automated action.
Ex: real time route calculation based upon real time traffic.
The CNIL and the government encourage the car industry to favour vehicles involving local data processing (Scenario 1, the IN→IN model) with no data transmission to service providers. This option has the advantage of both safeguarding users’ privacy and simplifying the obligations of data controllers.
(4) Right to data portability
Article 20 of the GDPR states: “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller.”
The data collected via the vehicle navigation system or generated by the driver’s activity (journey history, driving habits/style) do fall within the scope of this right.
However, the data processed on the basis of the controller’s legitimate interest is excluded from the scope of this right. This includes:
- data collected for models, optimization or improvement;
- data contained in technical configurations that are not provided by the data subject; and
- data deduced by the controller on the basis of the data provided by the data subject (e.g., driving score).
In addition to this right, data subjects also benefit from the rights to obtain access, rectification, or erasure of their personal data, restriction of processing, and to object to the processing.
(5) Data security and confidentiality
Data controllers must ensure the security and confidentiality of the data they process. For autonomous vehicles, this covers both the data processed inside the vehicle and the data transferred outside it.
Among the measures to be taken:
- Data encryption (e.g. through a Hardware Security Module);
- Management of access rights with the IT system processing the data;
- Secured and robust update processes;
- Intrusion detection systems and automatic implementation of a degraded mode.
Depending on the scenario (see Models above), security measures shall be adapted. In the case of local processing, the obligations can be alleviated as the risk is minimized. However, certain data are more sensitive than others (e.g., traffic violations) and must be processed with a high level of security, regardless of where the processing occurs.
Even with the implementation of appropriate measures, personal data processed through automated systems such as autonomous vehicles are constantly threatened by cyberattacks.
The French Criminal Code (sections 323-1 to 323-7) provides a set of provisions punishing the following offences:
- Fraudulent access to computer systems;
- Fraudulently remaining in computer systems;
- Hindering or damaging the working of computer systems; and
- Fraudulently introducing or modifying data in computer systems.
Committing such offences may lead to three- to five-year prison sentences and fines of €60,000 to €150,000.
More generally, the GDPR aims at protecting personal data from “data breaches”, i.e.: “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
If the data breach is likely to result in “high risks” to the rights and freedoms of data subjects, data controllers are required to notify the breach to the competent Supervisory Authority and to the data subjects, without undue delay after becoming aware of it.
Failure to comply with these provisions may result in penalties of up to 2% of the annual global turnover or €10 million, whichever is higher.
 French Public Authority regulating transport in France.
 See https://www.20minutes.fr/paris/2167031-20171113-paris-deux-vehicules-autonomes-vont-etre-mis-circulation-bois-vincennes.
 Law n°2015-992 dated 17 August 2015 relating to the energy transition for green growth.
 In France, when it has been ratified by the French Parliament, an order has the same authority as a law in the hierarchy of norms.
 Referred to as VDPTC in French. VDPTC stands for Véhicule à délégation totale ou partielle de conduite.
 This authorisation covers both private passenger cars and vehicles for transportation of goods or commercial passenger transport.
 Ordonnance n°2016-1057 dated 3 August 2016 relating to the experimentation of vehicles with drive delegation on public roads.
 Des enjeux juridiques pour les véhicules connectés et autonomes, Michèle Guilbot, Institut français des sciences et technologies des transports, de l’aménagement et des réseaux, IFSTTAR, 2017,
 Joint report of the GAI and the GCESD on automatisation of vehicles, dated 28 April 2017.
 French Senate’s report of 21 November 2017 on the EU strategy for autonomous vehicles written by René Danesi, Pascale Gruny, Gisèle Jourda and Pierre Médevielle.
 This article translates the former Article 8 of the Vienna Convention on road traffic of 1968 into French law. Article 8 of the Vienna Convention on road traffic of 1968 originally set out that “any moving vehicle or all together moving vehicles must have a driver” and “the driver must constantly have control of his vehicle.” On 23 March 2016, a new paragraph 5 bis included in Article 8 bis now provides that “systems having an impact on driving a vehicle (...) are regarded as compliant (...) as long as they can be neutralized or deactivated by the driver.” However, this amendment has yet to be translated into French law. See the United Nations Economic Commission for Europe (UNECE) press release dated 23 March 2016: UNECE paves the way for automated driving by updating UN international convention.
 Article 1 of Order n° 2016-1057 abovementioned.
 Article 2 of Order n° 2016-1057 abovementioned.
 Please note that the Senate’s report of November 2017 on the EU strategy for autonomous vehicles does refer to it in its appendix. As a result, we might expect that this nomenclature will be used to implement the future legal framework for autonomous vehicles.
 Ministry of Ecological Transition and Solidarity, Draft national strategy for the development of autonomous vehicles, 15 September 2017 and CNIL, “Compliance pack: Connected vehicles and personal data”, 17 October 2017.