Changing lanes: The evolving legal and regulatory data considerations for CAVs in Australia

1. Personal information captured by CAVs and privacy implications

CAVs capture a wide range of data which, depending on the context of data collection (including whether an individual is identifiable in respect of the information), may include personal information. For example, this can arise in the context of:

• location tracking data;
• images and videos of individuals from internal and external cameras;
• in-cabin audio recordings and other voice data; and
• telematics data (such as driver behaviour patterns and other vehicle-related information).

This can raise questions under privacy laws, particularly where such data may be used to identify, profile or monitor individuals. This was highlighted at the ‘UNSW Privacy & Security Regulation for Connected Cars Workshop’ on 2 May 2025, where Australia’s Privacy Commissioner signalled a regulatory focus on data collection / use practices in the CAV context. In particular, the Privacy Commissioner expressed concerns with lack of transparency and consumer awareness of CAV data collection practices and the resulting power asymmetry. 

The Privacy Commissioner identified a number of key issues, including:

• challenges in defining the scope of ‘personal information’, noting that while data collected by CAVs can be used (either alone or in combination with other data) to identify individuals, it is not always clear whether vehicle or driving data is about the driver or the vehicle itself. 
  We note that elsewhere the Office of the Australian Information Commissioner (OAIC) – which includes the Privacy Commissioner – has said that ‘Information that is about something other than an individual — a car, for example, or a piece of land — can still be about an individual as well.’¹;
   
• excessive collection of personal information, including whether it is necessary or fair for the data to be collected (for example, where car features collect information despite a user’s opt out or where sensors collect data in a continuous and automatic way);
   
• collection of data relating to vehicle passengers, including children or other vulnerable persons without the capacity to consent;
   
• under the upcoming Children’s Online Privacy Code, CAV providers may be exposed to heightened privacy requirements for online services accessed by children. The precise details of the Code are not yet known; and 
   
• use of collected data for secondary purposes, such as for assessment of insurance claims (see class action risks in this context below). 
   

CAV providers should take stock of what (if any) personal information is collected, used or disclosed and ensure that appropriate notices, consents and other practices and procedures are in place to meet privacy law requirements. Similarly, CAV providers should consider if automated decision-making (ADM) involving personal information is used in their CAVs and, if so, determine if such use will be subject to the new ADM requirements under the Privacy Act 1988 (Cth) (Privacy Act) and in Western Australia, the Privacy and Responsible Information Sharing Act 2024 (WA)².  Breach of privacy laws can attract various consequences, including potentially significant penalties, injunctions and enforceable undertakings. 
 

Surveillance laws

In addition to the privacy risks outline above, there are various state-based laws regulating the use of surveillance devices in Australia, and what can be done with information gathered with those devices. The requirements (for example, notice and consent) vary across jurisdictions and may apply to location, video, audio and data surveillance.

In addition to these general surveillance device laws, ACT and NSW also specifically regulate surveillance in an employment context. With non-CAVs, these requirements have been particularly relevant to employers in the context of surveillance of their staff drivers. With CAVs, the impact of these laws will depend on the extent to which staff are (assisted) drivers, or passengers, of the vehicles.

CAV providers, as well as employers providing or requiring use of CAVs, should ensure they are across the relevant requirements in each state.  

Notifiable Data Breaches scheme

To the extent data breaches involve personal information, under the Privacy Act’s notifiable data breaches scheme, entities regulated by the Act are required to notify the OAIC (and affected individuals) in the event of an ‘eligible data breach’, defined to occur when:

• there is unauthorised access to, or unauthorised disclosure of, or loss of the information in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur;
• the entity holds (ie possesses or controls) the information and is required to keep it secure under the Privacy Act;
• a reasonable person would conclude that the access or disclosure, or loss would be likely to result in serious harm to any of the individuals to which the information relates; and 
• prevention of the risk of serious harm through remedial action has not been successful. 

Penalties for breach of the Privacy Act can be significant, with the maximum penalty for a serious or repeated interference with privacy being the greater of: 

• $50 million; 
• three times the benefit of the contravention; or 
• where the benefit cannot be determined, 30% of the ‘adjusted turnover’ of the Australian group during the ‘breach turnover period’.

On 8 October 2025, the Federal Court ordered the first civil penalty ($5.8 million) under the Privacy Act (refer to our article here for further details). This demonstrates the willingness of regulators to enforce penalties for significant interferences with privacy.

2. Cyber risk factors at play  

CAVs may become targets for cyberattacks, gven their increasingly central role in transport infrastructure and the amounts of valuable and sensitive data they handle.

The Cyber Security Act 2024 (Cth) and the Cyber Security (Security Standards for Smart Devices) Rules 2025 (Rules) set out core cyber security obligations applicable to manufacturers and suppliers of certain smart devices. While the Rules exclude road vehicles and road vehicle components as defined in the Road Vehicle Standards Act 2018 (Cth) (RVSA), there is some uncertainty regarding the application of these exclusions to CAVs. At present, connectivity features of CAVs do not fall within the definition of ‘road vehicle component’ for the purposes of exemption under the Rules.⁵ 

The Critical Infrastructure Security Centre has also signalled that new standards for cyber security of road vehicles could be introduced under the Cyber Security Act 2024 (Cth) where existing requirements under the RVSA are insufficient.⁶
 

3.  Telematics and data sharing arrangements

CAV providers may offer telematics solutions to consumers, collecting and interpreting vehicle data for various purposes (including for fleet management, predictive maintenance, insurance assessments, etc). Data from CAVs is also often shared between with manufacturers, service providers and other entities.

The telematics solution or aspects of data handling process may be outsourced to third party service providers. Where that is the case, CAV providers should ensure that robust contractual safeguards are in place in respect of the relevant data. The contractual regimes should cover regulatory and security requirements, as well as having broader regard to commercial considerations and scope of data use rights.

4.  Forthcoming Automated Vehicle Safety Law  

The National Transport Commission (NTC) and the Department of Infrastructure, Transport, Regional Development, Communications and the Arts have been working to create a set of rules for automated vehicle safety, following public consultation which ended in 2024. The NTC is currently analysing this feedback and, as at November 2025, no further update on the timeframe for the possible AVSL has been provided.

What’s covered?

The AVSL consultation paper highlighted the challenges and risks posed by remote operation of vehicles, particularly in the context of cyber security management and secure transmission of data. 
Amongst other things, the proposed rules (if adopted) would introduce information management obligations in respect of certain information, including details about modifications and data required to support incident investigations. Additionally, the proposed rules seek to establish a new in-service safety regulator to support and enforce the AVSL. 

5. Thinking ahead

As the legal and regulatory landscape for CAVs continues to evolve, CAV providers should take proactive steps to manage risk and ensure compliance across privacy, cyber security and data governance. In addition to monitoring regulatory reforms on the horizon (in particular, in respect of the Privacy Act and the AVSL), this should include:

• reviewing whether and how personal information is captured and handled by CAVs (including whether such information is used in CAV ADM systems) and the privacy notices, consents and other practices and procedures in place to do so; 
• assessing whether cyber security requirements under the Cyber Security (Security Standards for Smart Devices) Rules 2025 or Road Vehicle Standards Act 2018 (Cth) apply to relevant CAV systems and monitoring for relevant updates to this legislation; and
• ensuring that robust contractual privacy, cyber security and data use controls are in place with third party service providers or partners involved in telematics or data sharing arrangements.