3 December 2025

Changing Lanes: The Evolving Legal And Regulatory Data Considerations For CAVs In Australia

Herbert Smith Freehills Kramer LLP


Connected and autonomous vehicles (CAVs) generate and transmit large volumes of data to interpret their surroundings and communicate with other vehicles and infrastructure.

While such interconnectivity promises greater mobility, including safer roads, optimised transport networks and personalised driver experiences, it also introduces a complex web of privacy, data and cyber security considerations and regulation.

This article explores the evolving legal and regulatory landscape for CAVs in Australia, with a focus on privacy, cyber security and the implications of forthcoming reforms such as the Automated Vehicle Safety Law (AVSL).

This article forms part of our global series on CAVs – explore our other articles here.

Key takeaways

  • CAVs collect vast amounts of data (potentially involving personal information). Manufacturers and distributors must embed robust privacy and cyber security controls into every stage of the CAV lifecycle, including design and third party data sharing arrangements.
  • Australia's Privacy Commissioner signalled a regulatory focus on the collection and use of personal information in the CAV context, noting concerns with existing data governance practices. CAV providers should carefully review their data governance processes and assess whether privacy compliance uplifts are required.
  • CAV providers should consider whether cyber security requirements under the Cyber Security (Security Standards for Smart Devices) Rules 2025 or the Road Vehicle Standards Act 2018 (Cth) apply.
  • Additional information management obligations may be introduced under the upcoming AVSL. However, no details on expected timing have been announced.

1. Personal information captured by CAVs and privacy implications

CAVs capture a wide range of data which, depending on the context of data collection (including whether an individual is identifiable in respect of the information), may include personal information. For example, this can arise in the context of:

  • location tracking data;
  • images and videos of individuals from internal and external cameras;
  • in-cabin audio recordings and other voice data; and
  • telematics data (such as driver behaviour patterns and other vehicle-related information).

This can raise questions under privacy laws, particularly where such data may be used to identify, profile or monitor individuals. This was highlighted at the 'UNSW Privacy & Security Regulation for Connected Cars Workshop' on 2 May 2025, where Australia's Privacy Commissioner signalled a regulatory focus on data collection / use practices in the CAV context. In particular, the Privacy Commissioner expressed concerns with lack of transparency and consumer awareness of CAV data collection practices and the resulting power asymmetry.

The Privacy Commissioner identified a number of key issues, including:

  • challenges in defining the scope of 'personal information', noting that while data collected by CAVs can be used (either alone or in combination with other data) to identify individuals, it is not always clear whether vehicle or driving data is about the driver or the vehicle itself.
    We note that elsewhere the Office of the Australian Information Commissioner (OAIC) – which includes the Privacy Commissioner – has said that 'Information that is about something other than an individual — a car, for example, or a piece of land — can still be about an individual as well.'1;
  • excessive collection of personal information, including whether it is necessary or fair for the data to be collected (for example, where car features collect information despite a user's opt out or where sensors collect data in a continuous and automatic way);
  • collection of data relating to vehicle passengers, including children or other vulnerable persons without the capacity to consent;
  • under the upcoming Children's Online Privacy Code, CAV providers may be exposed to heightened privacy requirements for online services accessed by children. The precise details of the Code are not yet known; and
  • use of collected data for secondary purposes, such as for assessment of insurance claims (see class action risks in this context below).

CAV providers should take stock of what (if any) personal information is collected, used or disclosed and ensure that appropriate notices, consents and other practices and procedures are in place to meet privacy law requirements. Similarly, CAV providers should consider if automated decision-making (ADM) involving personal information is used in their CAVs and, if so, determine if such use will be subject to the new ADM requirements under the Privacy Act 1988 (Cth) (Privacy Act) and in Western Australia, the Privacy and Responsible Information Sharing Act 2024 (WA)2. Breach of privacy laws can attract various consequences, including potentially significant penalties, injunctions and enforceable undertakings.

Class actions relating to disclosure of driving data for insurance purposes

US regulators and plaintiffs have been increasingly active over alleged privacy and security breaches involving connected cars, in particular the onward disclosure of driving data to insurers:

  • General Motors and OnStar: Earlier this year, the US Federal Trade Commission (FTC) announced a proposed order that would ban General Motors and OnStar for five years from disclosing consumers' driving data to any consumer reporting agencies.3 The FTC alleges that the companies unlawfully collected, used and sold the private geolocation data and driving behaviour information from millions of vehicles without the consumers' knowledge or consent. This data was allegedly shared with consumer reporting agencies, potentially impacting insurance rates.
  • Kia and Hyundai: A class action lawsuit filed in 2024 claims that Kia and Hyundai shared vehicle data and driving behaviour, including braking events and trip reports, with insurance companies without consumer consent. The plaintiff alleges that the sharing of his driving data resulted in a $250 increase to his insurance premium.4

Surveillance laws

In addition to the privacy risks outlined above, there are various state-based laws regulating the use of surveillance devices in Australia, and what can be done with information gathered with those devices. The requirements (for example, notice and consent) vary across jurisdictions and may apply to location, video, audio and data surveillance.

In addition to these general surveillance device laws, ACT and NSW also specifically regulate surveillance in an employment context. With non-CAVs, these requirements have been particularly relevant to employers in the context of surveillance of their staff drivers. With CAVs, the impact of these laws will depend on the extent to which staff are (assisted) drivers, or passengers, of the vehicles.

CAV providers, as well as employers providing or requiring use of CAVs, should ensure they are across the relevant requirements in each state.

Notifiable Data Breaches scheme

To the extent data breaches involve personal information, under the Privacy Act's notifiable data breaches scheme, entities regulated by the Act are required to notify the OAIC (and affected individuals) in the event of an 'eligible data breach', defined to occur when:

  • there is unauthorised access to, or unauthorised disclosure of, the information, or the information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur;
  • the entity holds (ie possesses or controls) the information and is required to keep it secure under the Privacy Act;
  • a reasonable person would conclude that the access or disclosure, or loss would be likely to result in serious harm to any of the individuals to which the information relates; and
  • prevention of the risk of serious harm through remedial action has not been successful.

Penalties for breach of the Privacy Act can be significant, with the maximum penalty for a serious or repeated interference with privacy being the greater of:

  • $50 million;
  • three times the benefit of the contravention; or
  • where the benefit cannot be determined, 30% of the 'adjusted turnover' of the Australian group during the 'breach turnover period'.

On 8 October 2025, the Federal Court ordered the first civil penalty ($5.8 million) under the Privacy Act (refer to our article here for further details). This demonstrates the willingness of regulators to enforce penalties for significant interferences with privacy.

2. Cyber risk factors at play

CAVs may become targets for cyberattacks, given their increasingly central role in transport infrastructure and the volume of valuable and sensitive data they handle.

The Cyber Security Act 2024 (Cth) and the Cyber Security (Security Standards for Smart Devices) Rules 2025 (Rules) set out core cyber security obligations applicable to manufacturers and suppliers of certain smart devices. While the Rules exclude road vehicles and road vehicle components as defined in the Road Vehicle Standards Act 2018 (Cth) (RVSA), there is some uncertainty regarding how those exclusions apply to CAVs. At present, the connectivity features of CAVs do not fall within the definition of 'road vehicle component',5 so they may not benefit from the exemption and the Rules may apply to them.

The Cyber and Infrastructure Security Centre has also signalled that new standards for cyber security of road vehicles could be introduced under the Cyber Security Act 2024 (Cth) where existing requirements under the RVSA are insufficient.6

Jeep Cherokee hack

The Jeep Cherokee hacking incident was a widely publicised 2015 cyber security demonstration in which 'white hat' security researchers remotely accessed and took control of a Jeep Cherokee's critical functions, including steering, brakes and transmission, via its internet-connected infotainment system. The researchers exploited vulnerabilities in the vehicle's systems, allowing them to send commands over the internet, through the infotainment unit, onto the car's internal (CAN) network. This high-profile hack highlighted the real-world risks of connected vehicle technology, prompting industry-wide attention to automotive cyber security.

Subaru Starlink hack (2025)

Earlier this year, 'ethical' hacker Sam Curry detailed how he and a colleague discovered a vulnerability in the web portal used to administer Subaru's Starlink connected-vehicle service that could allow a third party to access customers' Starlink accounts. With this access, they were able to gather real-time data about a vehicle's location, operate door locks and start or stop the engine. They were also able to retrieve vehicle location history over the previous 12 months, physical addresses and the last four digits of credit cards used with the account. Subaru patched the vulnerability within 24 hours of the report. Nevertheless, the issue illustrates that back-end and account systems are as much a part of the CAV attack surface as the vehicle itself, and reinforces the need for CAV manufacturers to adopt security-by-design from the outset.

While CAV-specific cyber security standards may take some time to be developed, CAV providers should, at a minimum, benchmark their existing corporate and back-end cyber controls against the Australian Cyber Security Centre's 'Essential Eight' mitigation strategies, which are mandatory for Commonwealth entities and widely treated as a baseline by Australian organisations. The Essential Eight is aimed at enterprise IT environments rather than embedded vehicle systems; for the in-vehicle side, the international ISO/SAE 21434 standard and UN Regulation No. 155 on vehicle cyber security management are the references most manufacturers already work to.

3. Telematics and data sharing arrangements

CAV providers may offer telematics solutions to consumers, collecting and interpreting vehicle data for various purposes (including fleet management, predictive maintenance and insurance assessments). Data from CAVs is also often shared with manufacturers, service providers and other entities.

The telematics solution, or aspects of the data handling process, may be outsourced to third party service providers. Where that is the case, CAV providers should ensure that robust contractual safeguards are in place in respect of the relevant data. The contractual regime should cover regulatory and security requirements (including breach notification timeframes and the right to audit), as well as having broader regard to commercial considerations and the scope of data use rights.

4. Forthcoming Automated Vehicle Safety Law

The National Transport Commission (NTC) and the Department of Infrastructure, Transport, Regional Development, Communications and the Arts have been working to create a set of rules for automated vehicle safety, following public consultation which ended in 2024. The NTC is currently analysing this feedback and, as at November 2025, no further update on the timeframe for the possible AVSL has been provided.

What's covered?

The AVSL consultation paper highlighted the challenges and risks posed by remote operation of vehicles, particularly in the context of cyber security management and secure transmission of data.
Amongst other things, the proposed rules (if adopted) would introduce information management obligations in respect of certain information, including details about modifications and data required to support incident investigations. Additionally, the proposed rules seek to establish a new in-service safety regulator to support and enforce the AVSL.

5. Thinking ahead

As the legal and regulatory landscape for CAVs continues to evolve, CAV providers should take proactive steps to manage risk and ensure compliance across privacy, cyber security and data governance. In addition to monitoring regulatory reforms on the horizon (in particular, in respect of the Privacy Act and the AVSL), this should include:

  • reviewing whether and how personal information is captured and handled by CAVs (including whether such information is used in CAV ADM systems) and the privacy notices, consents and other practices and procedures in place to do so;
  • assessing whether cyber security requirements under the Cyber Security (Security Standards for Smart Devices) Rules 2025 or Road Vehicle Standards Act 2018 (Cth) apply to relevant CAV systems and monitoring for relevant updates to this legislation; and
  • ensuring that robust contractual privacy, cyber security and data use controls are in place with third party service providers or partners involved in telematics or data sharing arrangements.

Footnotes

1. OAIC, What is personal information?, 5 May 2017

2. For more information, see our previous articles on Tranche 1 reforms under the Privacy Act and the Privacy and Responsible Information Sharing Act 2024 (WA).

3. Decision and Order

4. Hyundai, Kia accused of selling owner data, leading to higher insurance premiums | The Canberra Times | Canberra, ACT

5. To meet the definition of 'road vehicle component', it must be of a type that is capable of being assessed against the Australian Design Rules (ADRs).

6. https://www.cisc.gov.au/resources-subsite/Documents/cyber-security-security-standards-for-smart-devices-explanatory-document.pdf

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
