Autonomous Vehicles for Smart and Sustainable Cities: An In-Depth Exploration of Privacy and Cybersecurity Implications

Amidst rapid urban development, sustainable transportation solutions are required to meet the increasing demands for mobility whilst mitigating the potentially negative social, economic, and environmental impacts. This study analyses autonomous vehicles (AVs) as a potential transportation solution for smart and sustainable development. We identified privacy and cybersecurity risks of AVs as crucial to the development of smart and sustainable cities and examined the steps taken by governments around the world to address these risks. We highlight the literature that supports why AVs are essential for smart and sustainable development. We then identify the aspects of privacy and cybersecurity in AVs that are important for smart and sustainable development. Lastly, we review the efforts taken by federal governments in the US, the UK, China, Australia, Japan, Singapore, South Korea, Germany, France, and the EU, and by US state governments to address AV-related privacy and cybersecurity risks in-depth. Overall, the actions taken by governments to address privacy risks are mainly in the form of regulations or voluntary guidelines. To address cybersecurity risks, governments have mostly resorted to regulations that are not specific to AVs and are conducting research and fostering research collaborations with the private sector.

💡 Research Summary

The paper provides a comprehensive examination of autonomous vehicles (AVs) as a transformative technology for smart and sustainable cities, focusing specifically on the privacy and cybersecurity challenges that accompany their deployment. It begins by situating AVs within the broader context of rapid urbanization and the United Nations Sustainable Development Goals (SDGs), arguing that AVs can contribute to economic efficiency, reduced congestion, lower emissions, and greater accessibility for vulnerable populations such as the elderly and disabled. The authors detail how AVs achieve these benefits through high‑resolution sensors, artificial intelligence, and vehicle‑to‑vehicle (V2V) and vehicle‑to‑infrastructure (V2I) communications, which enable traffic flow optimization, platooning, and shared‑mobility services.

The core of the analysis centers on two interrelated risk domains. First, privacy risks arise because AVs continuously collect, store, and transmit massive amounts of data—including precise location traces, passenger behavior, and vehicle diagnostics—that can be linked to personally identifiable information (PII). The paper highlights regulatory gaps in existing data‑protection regimes such as the EU GDPR and California CCPA, noting ambiguities around data ownership, retention periods, consent mechanisms, and cross‑border data flows when AVs interact with smart‑city infrastructure.

Second, cybersecurity risks are explored through a taxonomy of attack vectors: (1) compromise of on‑board control systems (e.g., ADAS, LiDAR, radar), (2) infiltration of V2X communication protocols (including 5G‑based links), and (3) exploitation of cloud back‑ends and third‑party service platforms. The authors illustrate potential consequences—ranging from physical accidents and traffic disruption to large‑scale data breaches—and argue that these threats can cascade across the entire urban ecosystem, undermining public safety and eroding trust in autonomous mobility.

To assess how governments are responding, the paper surveys policy and regulatory initiatives in ten jurisdictions (United States, United Kingdom, China, Australia, Japan, Singapore, South Korea, Germany, France, and the European Union) as well as several U.S. states. The analysis finds that most responses rely on existing ICT or transportation regulations rather than AV‑specific rules. For example, the U.S. National Highway Traffic Safety Administration (NHTSA) has issued a Cybersecurity Best Practices Guidance, the UK’s Department for Transport collaborates with the National Cyber Security Centre on an automotive cybersecurity strategy, and the EU integrates GDPR with UNECE WP.29 vehicle cybersecurity standards. However, the authors note a pervasive lack of dedicated AV privacy statutes, limited enforcement mechanisms, and fragmented approaches to risk‑based certification.

Based on these findings, the authors propose a set of policy recommendations: (1) embed privacy‑by‑design and data‑minimization principles into AV architecture; (2) adopt a supply‑chain security model that secures not only the vehicle but also V2X infrastructure, cloud services, and smart‑city platforms, leveraging standards such as ISO/SAE 21434; (3) shift from technology‑neutral to risk‑based regulation, establishing tiered certification and continuous monitoring for different AV risk levels; (4) create public‑private‑academic testbeds and sandbox environments to evaluate emerging threats and mitigation techniques; and (5) foster international harmonization of standards and best practices through multilateral cooperation.

In conclusion, while autonomous vehicles hold significant promise for advancing the efficiency, equity, and environmental performance of future cities, their successful integration hinges on robust, forward‑looking governance of privacy and cybersecurity. Without such safeguards, the very technologies intended to make urban life smarter and more sustainable could become sources of new vulnerabilities and public mistrust. The paper calls for urgent development of AV‑specific regulatory frameworks and collaborative risk‑management ecosystems to ensure that autonomous mobility truly serves the goals of smart, sustainable urban development.