On the Regulatory Framework for Last-Mile Delivery Robots

Autonomously driving delivery robots are developed all around the world, and the first prototypes are tested already in last-mile deliveries of packages. Estonia plays a leading role in this field with its, start-up Starship Technologies, which operates not only in Estonia but also in foreign countries like Germany, Great Britain, and the United States of America (USA), where it seems to provide a promising solution of the last-mile problem. But the more and more frequent appearance of delivery robots in public traffic reveals shortcomings in the regulatory framework of the usage of these autonomous vehicles—despite the maturity of the underlying technology. The related regulatory questions are reaching from data protection over liability for torts performance to such mundane fields as traffic law, which a logistic service provider has to take into account. This paper analyses and further develops the regulatory framework of autonomous delivery robots for packages by highlighting legal implications. Since delivery robots can be understood as cyber-physical systems in the context of Industry 4.0, the research contributes to the related regulatory framework of Industry 4.0 in international terms. Finally, the paper discusses future perspectives and proposes specific modes of compliance.


Introduction
Within the last years, many initiatives towards smart manufacturing have been initiated in order to re-establish and regain a significant industrial share in the economy [1,2].A promising concept is the fusion of the virtual and the real worlds of manufacturing to realize concepts for smart manufacturing and logistics by using cyber-physical systems (CPS) and dynamic production networks in order to achieve flexible and open value chains in the manufacturing of complex mass customization products.The German concept of smart production and logistics, Industry 4.0, goes even beyond these objectives, as Industry 4.0 aims to comprise also energy and resource efficiency, increased productivity, shortening of innovation, and time-to-market cycles [3].Internet-based linked machine-to-machine (M2M) communication and interaction pave the way to cross-company production and logistics processes enabling the design and control of the entire supply chain of a product during its full life time, i.e., from product design to logistics, distribution, and post-production services [4,5].Consequently, Industry 4.0 leads to new supply chain paradigms on complex and intertwined manufacturing networks with a high degree of fragmentation and low entry barriers for small and medium enterprises (SME) as well as new R&D strategies, cross-national value chains, and new business models [2,[6][7][8].
Despite the importance of logistics and distribution for the Industry 4.0 concept, a concise literature revue reveals that the last-mile problem has not been discussed by scholars in the context of Industry 4.0 so far.Nevertheless, the last-mile problem has been subject to a large number of scholars in the context of retailing and e-commerce [9][10][11][12].Lee and Whang point out innovative e-fulfilment strategies for orders to contribute to solve the last-mile problem [13].Song et al. addressed the last-mile problem from the transport point of view (here transport impacts of collection and delivery points), whereas Boyer et al. conducted their research by utilizing a simulation on the base of vehicle routing software, investigating the relationship between customer density, delivery window length, and delivery efficiency [14,15].
Existing M2M concepts are mainly researched by technical scholars so far.Cha et al. discuss different use cases for M2M communication together with common security requirements to clarify the security requirements on M2M systems [16].Their business cases include logistics-related M2M applications and come to the conclusion that information security and trustworthiness of the operations involved grows from the predictability and observability of the behaviour of the devices.Wu et al. investigated M2M systems in the context of embedded internet and identified low cost/high performance devices, scalable connectivity, and cloud-based device management and services as vision for the Internet of Things [17].By considering M2M cases for mobility support, they investigated frame conditions for standards and M2M networks.Zhang et al. highlighted-besides security issues-self-organization and quality of service support as important factors for M2M-communication [18].Self-organization was stressed due to low human intervention as a major requirement for M2M systems, which for that aim ought to comprise self-configuration, self-management, and self-healing.The quality of service requirements was emphasized against the background of possible applications, which could become life critical (e.g., in medical contexts).This paper will focus on the niche of autonomous self-driving package delivery robots that are used for intra-supply chain transport in Industry 4.0 networks as well as for the delivery to the client on the last mile.The research concentrates on the regulatory framework for those autonomous delivery robots, as existing research rather addresses self-driving passenger vehicles [19].Since the research issue of this paper is placed in a global business sector of high dynamics and ongoing innovation activities, it is impossible to give a comprehensive insight in all facets and to discuss all topics in detail.Therefore, the authors study the case of one important player in the field of delivery robots, the Tallinn-based start-up Starship Technologies, which produces and develops delivery robots that can technically be considered as self-driving package box vehicles bridging the last mile.
The paper highlights the current status of autonomous delivery robots for distribution and investigates the related regulatory framework for the use of these self-driving vehicles.As the authors consider delivery robots as parts of M2M supply chains in the context of Industry 4.0, the starting point of the research is an overview on the existing regulatory framework for Industry 4.0.The research uses an empirical analysis based on semi-structured expert interviews, research group meetings, secondary data, and results from case studies that are gathered from Estonian start-up companies.Starship Technologies is placed in Tehnopol in Tallinn and maintains a close research cooperation with Tallinn University of Technology, which allows for an empirical validation of the research results.

Theoretical Background
The still growing e-commerce market volumes raise the question of efficient product delivery to the client.The last-mile delivery includes three stakeholders, namely the seller, an intermediary and the client.Punakivi et al. still discussed the last mile-issue in the traditional context of B2C and e-commerce; they proposed an unattended reception of goods which could reduce home delivery costs by up to 60% [10].The unattended delivery approach is based on two main concepts, being the reception box concept and the delivery box concept: The reception box is installed at the customer's garage or home yard, whereas the delivery box is an insulated secured box that is equipped with a docking mechanism.Based on simulation results, the authors came to the result that home delivery solutions enabling secure unattended reception are operationally the most cost-efficient model for last-mile distribution.They also confirmed that a secured delivery box solution potentially enables a faster growth rate and higher flexibility of the investments because of a smaller investment being required per customer.

Industry 4.0
Within the last years, many innovative manufacturing initiatives have been started all over the world, driving for re-establishing and regaining a significant industrial share in the economy.Many of them embrace the fusion of the virtual and the real world based on cyber-physical systems (CPS), leading to smart manufacturing and logistics networks towards flexible and open value chains to be able to meet the demands of mass customization products in series up to lot size 1 [3,4].In Germany, the most important industrial EU country, this approach has been called "Industry 4.0".A deeper analysis of the objectives of Industry 4.0 reveals that Industry 4.0 targets beyond the use of cyber-physical systems and dynamic supply chain networks also to energy and resource efficiency, shortening of innovation, and time-to-market cycles, as well as a rise in productivity through internet-linked machine-to-machine (M2M) communication and interaction [3][4][5].In this sense, Industry 4.0 represents nothing less than the fourth industrial revolution, comprising three-dimensional (3D) printing, big data, Internet of Things, and Internet of Services, i.e., all of the ingredients that are needed to facilitate smart manufacturing and logistics processes [3,4].
Meanwhile, new technological innovations implemented into new business models opened up new solutions to bridge the last-mile to the client by using drones and delivery robots, and food and grocery services gaining first experiences in the use of autonomous devices [20].By transferring the traditional delivery box concept of Punakivi et al. into an Industry 4.0 context, a corresponding approach should take account of the options of internet-linked manufacturing and logistics [10].Mainly technical scholar studied M2M systems and the realization of autonomous logistics agents in the context of Industry 4.0.Cha et al. studied business cases, including logistics-related M2M applications, and Wu et al. investigated M2M systems in the context of embedded internet and identified low cost/high performance devices, scalable connectivity, and cloud-based device management and services as vision for the Internet of Things [16,17].By considering M2M cases for mobility support, they investigated frame conditions for standards of M2M networks and Zhang et al. highlighted self-organization and self-management as important factors for success M2M systems due to low human intervention as a major requirement [18].Several scholars came to the same conclusion by stressing self-organisation and self-optimisation as success factors to cope with requirements of Industry 4.0 [2,8,21].Based on these principles-together with wireless internet technologies, artificial intelligence concepts and M2M technologies-some entrepreneurs founded start-ups to develop autonomous transport devices on the base of Industry 4.0 related concepts in order to serve the last-mile delivery more or less autonomously.
Parallel to technical and economic issues also the discussion of a regulatory framework for Industry 4.0 enjoyed high importance.Already Kagermann et al. dedicated a full chapter to the regulatory framework in their recommendations for implementing the strategic initiative Industry 4.0.They highlighted the requirement to reconcile regulation and technology, i.e., they postulated the formulation of criteria to ensure that the new technologies comply with the law and development of the regulatory framework in a way that facilitates innovation.Special emphasis was laid on the protecting of personal and corporate data, liability issues, and trade restrictions ( [3], pp.58-61).For the implementation of such a regulatory framework, they proposed a mix of instruments comprising regulatory, technical and policy elements, and they pointed out the special importance of the inclusion of SME sector.

Delivery Robots
After an initial hype about delivery with flying drones, in recent times land-based delivery robots are in the focus for the last-mile [20].Since these robots have to share their space with other transport devices or moving people, their preferred operation areas are suburbs and areas where the traffic is comparatively low.In these areas, autonomous delivery robots have a competitive advantage when compared to other delivery modes, and the underlying business model emphasizes the cost advantage for the last-mile delivery, which is estimated to be less than 1€ per unit/delivery, which is-depending on the salary level of the respective location-up to 15 times less than current costs [22].For the customer, additional convenience is gained by the aspect that robot delivery provides a 15-to-20 min delivery window as standard, which is a much more precise specification than for traditional delivery, which so far is only able to provide the a general date (calendar day) beforehand.
Today, the key players of last-mile delivery consists of established delivery companies, including traditional logistics service providers as DHL, UPS, and others, but also a range of new startups focusing on the development of delivery robots that grow all around the globe.The most important business areas of delivery robots are currently perishable goods as food and flowers, but also applications in retailing and warehousing sector are possible in the context of automated warehouses.A closer view into the main startup funding landscape reveals that about 50% of all investment sums are dedicated to enterprise robots, which comprise industrial automatization for manufacturing, heavy industry, as well as delivery robots [23].According to a study of International Data Corporation, the industry and the manufacturing sector will continue to be the largest purchaser of robots and related services, and the worldwide spending on robotics that reached the $100 billion level in 2017 is forecasted to be more than doubled until 2021 [24].Nevertheless, the robot sector today realized that deliveries to costumer sector are predicted to represent the fourth largest growth till 2021, with a compound annual growth rate of about 60%.A deeper insight into the scene of land-based delivery robots shows that start-ups as Marble, Teleretail, Dispatch, or Starship Technologies were able to attract funding in the range of several million Euro [24].
Concerning the regulatory framework for delivery robots, the discussion is still open.On one hand, it is possible to build on the steps towards a regulatory framework for Industry 4.0; on the other hand, it is also possible to follow the discussions that are taking place in the context of autonomous mobility.Scheurs and Stewer worked on a regulatory framework of autonomous driving and analyzed the political, legal, social, and sustainability dimensions of mobility.Their investigations highlighted competitiveness, innovation, safety, harmonization, and coordination ( [19], pp.151-173).Their research based on empiric results from development in several countries as well as on the United Nations (UN) convention on road traffic.Basu et al. have recently researched the legal framework for small autonomous agricultural robots [25], but as "agribots" roam usually only on private land, the unresolved traffic law dimension has not been covered by their paper.This paper continues the regulatory framework path of Industry 4.0 by perceiving delivery robots as part of Industry 4.0 environment.Consequently, the research concentrates on liability issues, data protection, privacy, and legal developments around delivery robots.

Methodology
This paper highlights the current status of autonomous self-driving package delivery robots that are used for intra-supply chain transport in Industry 4.0 networks, as well as for the delivery to the client on the last mile.The research is based on semi-structured expert interviews, desktop and secondary data analysis, and a case study of Tallinn based start-up Starship Technologies Ltd. representing an important player in the branch of self-driving package box vehicles bridging the mast mile.The empirical activities were executed between September 2017 and May 2018.
It is not the aim of this paper to give a comprehensive overview of the sector of autonomous delivery robots, which is impossible due to the large number of developments in this sector.Nevertheless, the paper highlights technical, legal, and regulatory issues that are evolving with the development of autonomous delivery robots.Autonomous delivery robots are placed in the context of Industry 4.0 and M2M systems so that exiting concepts are firstly applied to case of delivery robots.In the sequel, actual issues that are related to liability and data protection are discussed.
Finally, social-technical aspects and possible legal solutions are discussed and an outlook for tentative developments is discussed.Therefore, the research questions are: RQ 1: How do autonomous delivery robots work, and how are they defined in the context of liability?RQ 2: Which regulatory frameworks apply on delivery robots?RQ 3: Where does the current use of delivery robots conflict with these frameworks, and what shall users be advised to prevent violations?
Literature review reveals a research gap in the listed research questions.In addition, a case study of one of the most important start-ups for delivery robots is given to discuss and to empirically verify the research.For this purpose, the empirical evidence in this paper is based on the qualitative research style [26].Here, the complexity of the research question requires personal interviews and a qualitative approach.The willingness to answer questions in a greater depth and in an open discussion can only be achieved by personal and individual conversations with selected interview partners.Furthermore, the field of delivery robots addresses a quickly developing innovative sector, so that a large part of the information is confidential; the research has to balance between novelty of science and the business secrets of the investigated companies.
For this, surveys, interviews, and workshops that have been conducted by the authors during the European projects, together with experts from business, ICT, and law, as well as from the start-up sector.

Case Study: Starship Technologies Ltd
Starship Technologies Ltd. was founded in 2014 by Skype co-founders Janus Friis and Ahti Heinla in Tallinn with the aim to tackle the last-mile problem by developing autonomous delivery robots.Today, Starship Technologies is a European technology startup with subsidiaries in Estonia, the United Kingdom (UK), and USA, which has built the first commercially available autonomous delivery robots in order to "revolutionize the local delivery industry" [22].Starship claims to be environment-friendly as well, as Starship robots do not emit CO 2 (while-of course-the electric power plants do).It also claims that their robots contribute to reduce on-road traffic and thus congestions, and that Starship provides a solution for retailers and logistics firms to increase supply chain efficiencies and reduce costs.
Starship's small self-driving vehicles with a weight of less than 20 kg are electric-powered and are designed for driving on sidewalks with a speed of maximal 6 km/h, being capable to locally deliver their goods within 15-30 min and within a radius of up to 5 km for a price of under 1 Europer delivery.The robots are able to deliver freight of up to 10 kg for a shipment price which is up to 15 times lower than the normal price for last-mile deliveries in high-salary level economies, which makes the delivery robots interesting for e-commerce applications as well as for food deliveries or postal services.In practice, Starship delivery robots have been tested already by online food ordering service providers in Tallinn (Volt), as well as by Domino's pizza delivery services to use them as "personal delivery devices".
To safeguard safe circulation, the robots are equipped with a couple of sensors and tracking systems comprising nine cameras, GPS, and an inertial measurement unit (IMU) for special orientation.They are also equipped with microphones and speakers enabling them to communicate with humans.Even if the robots are called autonomous vehicles, they, at present, are only self-driving around 90% of the time; the remainder-mainly complex road crossings and the final meters to the receiver-the robot will be remote-controlled from a command centre, which is linked via Wi-Fi and telecommunication networks.While their entire journey, the robots are continuously supervised by a responsible, natural person, i.e., the contact with the command centre is not only established if the robot's autonomous operation fails.This remote-control means that the operation of a delivery robot implies a permanent exchange of data, including life-video transfer, between the robot and the control centre via public telecommunication networks.
The underlying cost engineering strategy at Starship Technologies focusses on the use of traditional hardware engineering in order to make sure that the robots are cheap to produce and that they require only basic maintenance.In terms of operational cost management, the company tries to generate cost advantages by targeting a hybrid autonomous robot to be operable in near future, which is able to drive entirely autonomously most of the time.In this fully-developed version, the remote-control supervisor in the command centre has only to be involved in teleoperations via live video link in a small percentage of time, which minimizes the operational costs of the robot.
In order to create a smart solution for bridging longer distances of delivery, the company started collaboration with Daimler in order to develop the "RoboVan", which forms a mobile robot hub on the base of a MB Sprinter mini truck and would considerably extend the range of the robots.This approach for delivery realizes a "hub and spoke" concept, which is a well-known standard model in logistics [27].A RoboVan-Mercedes-Benz Sprinter is to that aim equipped with a storage system for 54 delivery boxes and eight Starship robots.The Sprinter performs the long distance elements of transport as a mobile hub and it brings the robots together with the delivery boxes right into an area were a multitude of individual deliveries has to be performed.From this spot, the robots disembark from the RoboVan autonomously and cover the last-mile to the client in order to individually deliver the goods to the clients and return to the Sprinter afterwards.The approach realizes a "hub and spoke" concept with robot delivery for the last short distance.
Starship Technologies considers its delivery robots as a supplemental form of shipment, not as a replacement, i.e., the logistical models that can be used with robots are different than those models of traditional delivery methods.Ahti Heinla, the co-founder of Starship Technologies, illustrated in an interview the different areas of complementing delivery with bicycle couriers operating in very dense urban environments, since they are able to overcome gridlocks and traffic jams, whereas autonomous vehicle are predestinated for the delivery in suburbs with low traffic [28].Access to the cargo in the robots is arranged by a smartphone app, which enables the client to unlock the robot cover lid and retrieve the goods.If someone tries to steal the robot, the cameras will take a photograph of the thief, and alarm will sound.Additionally, multiple tracking devices can track the robot's location via GPS, and the remote operator is able to speak through two-way speakers with the thief; and, obviously, the robot will stop working and will not open the cargo unit unless re-programmed by Starship.In January 2017, Starship Technologies announced $17.2 million in seed funding for building autonomous robots that are designed to deliver goods locally.The funding round was led by Daimler AG and included a couple of other venture capital funds, among which were Shasta Ventures, Matrix Partners, ZX Ventures, Morpheus Ventures, Grishin Robotics, Playfair Capital, and others [22].This amount of seed funding makes Starship Technologies rank among the worldwide leading companies of delivery robots for the last-mile.

Legal Challenges
Despite the fact that delivery robots are called autonomous, they are-for the time being-only partly self-driving, i.e., they are remote-controlled from a control centre.This remote-control is maintained via a permanent exchange of data between the robot and the control centre, resulting in serious issues in terms of data protection-issues this paper intends to discuss.But initially, the fact that the delivery makes use of public traffic area designated to pedestrians shall be analyzed from a legal perspective -especially in terms of tort liability for eventual accidents.

Liability for Torts Inflicted by Traffic Accidents
General tort law in most legal systems provides a general claim for damages caused by any tortious action, i.e., a civil wrong resulting in loss or damage to another person, and based on these principles implemented into positive law in all national legal systems individually, the legal or natural person steering the delivery robot and being in charge also of its supervision (in our case study Starship Technologies) would be held liable for any tortious action the legal/natural person committed via its tools-here the delivery robot-itself.
In general, tortious liability is in many legal systems fault-based (see e.g., sec.823 I Bürgerliches Gesetzbuch, i.e., the German Civil Code, hereafter BGB) or subject to exculpation if the tort has not been committed directly by the tort-feasor, but a third person for whom the tort-feasor is responsible and who has been picked and supervised with due care (see sec.831 BGB).In our case study, this could be an employee of Starship working in the command centre.
In contrast to that, two constellations are generally marked by strict (i.e., non-fault-based) liability for damages-product liability and liability under traffic law.

Product Liability
For the context of delivery robots, it is important that also the manufacturer of a product that caused damage/personal injury to the user can be held liable for the tort of negligence in most Western legal systems.In the European Union (EU) legal space, it is the Directive 85/374/EEC (Product Liability Directive), which regulates liability for defective products, and which has been implemented, respectively, in all EU member states national legal systems.The directive defines, "product" as all movables-even if incorporated into another movable or an immovable (see art 2 of amendment to directive)-which are considered by design as a completed product and imposes strict liability for any damage that is caused by the defective product on the producer, "defective" being any product that "does not provide the safety which a person is entitled to expect, considering, all of the circumstances, including, the presentation of the product, such as adequacy of the warning, the use to which it could reasonably be expected that the product would be put, and the time when the product was put into circulation are factors" (art 6), making the standard thus objective.
As Product liability can arise from constructional defect, fabrication defects, user instruction defects and product supervision defects-i.e., all spheres under the complete control of the producer-a sound production and product specification, user instruction, and supervision by the producer can limit the risks of strict liability as producer.

Tortious Liability under Traffic Law
This is considerably less the case for traffic law, which in most legal systems extends this liability according to the special circumstances of public traffic.In that respect, traffic law does not only extend the circle of debtors-i.e., not only the owner of a vehicle can be held liable, but also the driver separately, but also imposes generally strict liability onto the vehicle owner, i.e., the owner will be held liable for any damages caused by his vehicle in public traffic even if he did not act with intent or negligence.
Any victims of accidents in which delivery robots were involved will thus try to apply traffic law liability than product liability (or standard tort liability, which is usually fault-based) in order to maximize liability, if they can.The question is thus whether delivery robots can be qualified as vehicles participating in public traffic in standard traffic laws.
Delivery robots are starting from existing definitions for motorized vehicles, which are (only) permitted to operate in pedestrian areas (pavements) due to their low speed and weight, a comparable vehicle would be motorized wheelchairs (part a).The difference between e.g., these motorized wheelchairs and delivery robots are identical to those between human-steered cars and automatic cars.As the second difference has already been subject to regulation in various legal regimes, it can serve as a model for a respective definition of transport robots as well (part b).

Existing Definitions for Motorized Vehicles Operating on Pavements
If the usage of motorized wheelchairs is regulated-which is not always the case-most legal systems provide respective definitions in their street traffic and/or driving license acts.The German StVO (Straßenverkehrsordnung/street traffic act), for instance, already provides for a very detailed definition of motorized wheelchairs, which states in § 24 par 2 (special means of transportation), that "motorized wheelchairs or with wheelchairs other than those referred to in paragraph 1 may be used wherever pedestrian traffic is permissible, but only at walking speed" [29].
The motorized wheelchair itself, however is defined in the Fahrerlaubnisverordnung (driving licence act) in § 4 II 1 e, being a "one-seated electrically driven vehicle, which is designed for use by physically disabled persons, has a maximum mass of not more than 300 kg including batteries but without driver, a maximum permissible mass (including driver) not exceeding 500 kg, a maximum design speed of not more than 15 km/H and a total width of 110 cm" [30].
While many of these criteria can be applied in delivery robots just as well as on motorized wheelchairs, there are three criteria of the definition that would have, respectively, to be adapted, being

•
"autonomously or partially autonomously electrically driven motor vehicle (criteria 1), which is • designed for the transport of goods (criteria 2), and has a maximum mass of not more than (e.g., 10) kg including batteries bit without freight, a maximum permissible mass (including freight) not exceeding (e.g., 20) kg, a maximum design speed of not more than (e.g., 6 km/h) and a total height/width/length/ of xyz.
(criteria 3 = technical specifications)." While the term "motor vehicle" is already internationally defined in Art 1 p of the Road Traffic Convention of 1958" (further: The 1958 Convention) [31], being a "power-driven vehicle which is normally used for carrying persons or goods by road or for drawing, on the road, vehicles used for the carriage of persons or goods," the definition of autonomous or partially autonomous steering devices requires clarification.

Adapting Regulations for the Needs of Delivery Robots
An essential criteria permitting motorized wheelchairs to operate in public traffic (which includes pedestrian areas) is their conformity with the general principle "Every moving vehicle or combination of vehicles shall have a driver", as stated in art.8 par. 1 of the 1958 Convention; they do also comply with art.8 par 5 "Every driver shall at all times be able to control his vehicle or to guide his animals", and art 13 par 1 "Every driver of a vehicle shall in all circumstances have his vehicle under control so as to be able to exercise due and proper care and to be at all times in a position to perform all manoeuvres required of him".
As all autonomously driven vehicles-i.e., vehicles which are not constantly monitored by the driver-are thus inadmissible according to the provisions of the 1958 Convention, the Working Party on Road Traffic Safety (WP.1), which is responsible for the regulation of these issues for the United Nations Economic Commission for Europe, has decided [32] in their 68 meeting (24 to 26 March 2014) to propose to adapt the 1958 Convention to the needs of automated traffic by supplementing art 8 of the 1958 convention with an additional paragraph 5b is, which states that "Vehicle systems which influence the way vehicles are driven shall be deemed to be in conformity with paragraph 5 of this Article and with paragraph 1 of Article 13, when they are in conformity with the conditions of construction, fitting and utilization according to international legal instruments concerning wheeled vehicles, equipment and parts which can be fitted and/or be used on wheeled vehicles.Vehicle systems which influence the way vehicles are driven and are not in conformity with the aforementioned conditions of construction, fitting and utilization, shall be deemed to be in conformity with paragraph 5 of this Article and with paragraph 1 of Article 13, when such systems can be overridden or switched off by the driver." If transport robots are intended to operate in public traffic, then they would have to comply with these criteria as well.A definition of criterion 1 would thus have to either refer to 5 bis of the 1958 Convention or implement these definitions directly.
Against this background, delivery robots could be defined as follows: "A transport robot is an autonomously or partially autonomously electrically driven motor vehicle, which is designed for the transport of goods, and has a maximum mass of not more than (e.g., 10) kg including batteries bit without freight, a maximum permissible mass (including freight) not exceeding (e.g., 20) kg, a maximum design speed of not more than (e.g., 6 km/h) and a total height/width/length/ of xyz.A motor vehicle shall be seen as autonomously or partially autonomously operated, when its steering systems are in conformity with the conditions of construction, fitting and utilization according to international legal instruments concerning wheeled vehicles, equipment and parts which can be fitted and/or be used on wheeled vehicles.Vehicle systems which influence the way vehicles are driven and are not in conformity with the aforementioned conditions of construction, fitting and utilization, shall be deemed to be in conformity with this Article, when such systems can be overridden or switched off by the driver." At present, a respective adaption of national traffic laws has not taken place yet, but various States will implement the UN's Working Party on Road Traffic Safety's in near future, and they will define delivery robots in very similar (if not identical) terms, as proposed above, making delivery robots objects to public traffic laws as well.But even as by definition until then delivery robots will not be included in public traffic law, judges do have to the discretion-provided that their respectively applicable national traffic law provides for a sufficiently broad definition of vehicles-to include delivery robots onto the scope of liability of present-day public traffic law.
Transport companies or sellers directly delivering their goods themselves should thus be aware of an eventual strict liability under public traffic law applying on delivery robots already today and take measures by addressing local traffic authorities and asking them to clarify the "liability status" of delivery robots in the receptive jurisdiction.In the case of coverage of delivery robots by the respective traffic law, they should be aware of the risk of strict liability, and, if they do wish to take that risk, take preparative measures as e.g., insuring themselves for this liability.

Delivery Robots and EU Data Protection
The information that is collected by design by most delivery robots (Starship robots, for instance, are equipped with six cameras) for various purposes-eventual accident documentation, building up maps of efficient delivery trajectories and the like-is of considerable commercial value, not only to the user of delivery robots, but also to state authorities, competitors, or the producer of delivery robots seeking to improve their product development; data protection is thus one of the central legal issues for delivery robots.
In 2016, the European Commission, the European Parliament, and the Council of the European Union approved the General Data Protection Regulation [33], which entered into force on 25 May 2018 and replaces the Data Protection Directive of 1995 [34].The General Data Protection Regulation (GDPR) aims to strengthen and unify data protection for all individuals within the European Union and addresses especially the export of personal data to countries outside the EU.One important highlight of the GDPR is its endeavour to "return control" to citizens and residents over their personal data and to harmonize the regulatory framework for international business by unifying the regulation within the EU.As an EU regulation, the GDPR applies directly in all EU member States, i.e., it does not require national governments to pass any enabling legislation.
The key term of the GDPR is personal data that are considered to be "sensitive" under the condition that they revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data processed solely to identify a human being, health-related data, and data concerning a person's sex life or sexual orientation ( [33], p. 679, Article 4( 13)-(15); Article 9; Recitals (51)-( 56)).The GDPR defines 'personal data' as any information relating to an identified or identifiable natural person ('data subject').An identifiable natural person is any person who can be identified, directly or indirectly, in particular, by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors that are specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.In addition to that, a catalogue of examples for "personal data" provides examples of information relating to an individual, whether it relates to his or her private, professional or public life, e.g., name, home address, photographs, e-mail address, bank details, posts on social networking websites, medical information, or a computer's IP address [35].
This personal data must be processed fair, lawful and transparent, whereas consent of the data subject is the main (but not only) criteria for lawfulness and also the core principle of data processing in general: 'The controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data and the data subject shall have the right to withdraw his or her consent at any time" (Article 7), and the content has to have been provided explicitly, i.e., not inferred by mere implied behaviour.
Non-compliance with the strict data protection rules can cause severe penalties of up to 4% of the global turnover of a company or €20 Million ( [33], Article 83).Under GDPR, organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).This is the maximum fine that can be imposed for the most serious infringements e.g., not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.There is a tiered approach to fines e.g., a company can be fined 2% for not having their records in order ( [33], Article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment.Besides, also individuals may bring civil actions additional to measures taken by state authorities against violators.
The GDPR differentiate between the "data subject", the "controller", and the "processor".The EU resident who represents the client of the delivery takes the role of a "data subject".In order to clarify the data controller and data processor in the case of the delivery robot it is necessary to refer to Article 4 of the GDPR that defines a 'controller' as the "natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law"; whereas the 'processor' means a "natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller" ( [33], Article 4).
By applying Article 4 to the case of the delivery robot that distributes e.g., pizzas for Mario's Pizzeria, the client who ordered and receives the pizza represents the data subject, while Mario's Pizzeria that uses the delivery robot for distributing the pizza to the client represents the data processor.If it is now assumed that Mario's Pizzeria subcontracted for the delivery of their pizzas via delivery robots Starship Technologies, i.e., Starship Technologies owns and controls the delivery services, then Starship Technologies is the data controller in the sense of GDPR.This distinction is important for compliance considerations, as GDPR treats the data controller as the principal party for responsibilities, such as collecting consent, managing consent-revoking, enabling right to access, and other things.Thus, a data subject who wishes to revoke consent for his or her personal data will therefore contact the data controller to initiate the request, even if such data is stored on the servers of the data processor.In the case of such a request, the data controller has then to forward the request to the data processor in order to remove the revoked data from its server.In doing so, GDPR applies to all processes, irrespective of whether the organization is located inside or outside EU, and it introduces direct obligations for data processors as well as the situation to be subject to penalties and civil claims.This represents an important difference to the old Directive that only holds data controllers liable for data protection noncompliance.Thus, by recalling again Article 28(1), data controllers, i.e., customers of data processors, should only choose processors that comply with the GDPR in order to avoid penalties themselves.
Applying the GDPR on autonomous delivery robots, a first controversial issue arises in terms of the personal data collected and transmitted during the last-mile-delivery of such robots.As in any other delivery process as well, personal data of the client are necessary to fulfil the 6R of logistics, i.e., to bring the right product, at the right time, in the right quantity and quality, to the right destination with the right costs [27].The corresponding personal data include the address, financial, and biographical data plus personal consummation data that result from the business relationship with the client.Anyway, the sensitive data concerning the GDPR are less than those data that are needed and collected to steer the autonomous delivery robot from the starting point of the delivery to the final destination; simple address specifications are a precondition to contract performance, and its collection and storage does thus not violate the GDPR, as it is matches the purpose limitation.More problematic are pictures, sound recordings and films taken by delivery robots in order to provide evidence in case of eventual accidents in which the robots where inflicted-material that inevitably also contains visual and audio information on human individuals moving in the direct vicinity of the robots.These data are collected in public spaces, and these photos, sound recordings and video sequences of natural persons are considered as "personal data" by the GDPR.These data are exchanged via internet and telecommunication networks, before they are partly considered and analysed by control personal and their IT-systems.Later, the data is stored in databases of the delivery control centres of companies.
These robots could also violate Article 25 of the Regulation, which calls for the implementation of privacy by design or privacy by default (PbD).
Privacy by default means that data controllers have to implement appropriate and technical measures in order to ensure that, by default, only personal data necessary (and at the necessary amount, period of storage, and accessibility) for the respective specific purpose of processing are processed.Article 23 supplements this principle by the duty to ensure that, by default, this personal data is not accessible without individual intervention to an indefinite number of natural persons.Appropriate measures are mentioned in Article 28(1) to provide "sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the regulation and ensure the protection of the rights of the data subject".Article 32 continues demanding the "Security of processing" by "taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.These objectives shall be implemented by appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and, (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Unfortunately, Article 32 of the GDPR is not very clear by defining suitable technical and organizational measures that a company should adopt to comply with the regulation.But, in order to supervise the compliance within organizations a Data Protection Officer has to be appointed who shall be involved in all issues relating to the protection of personal data and who shall work independently, monitor the compliance with the GDPR, report to the highest management level, is reachable by data subjects, and cooperate with the supervisory authority ( [33], . Once data falls into the scope of application of the GDPR, the regulation provides strict instructions on how these data may be used.As the autonomous delivery robot itself as a device collects, processes and transfers user data article 25 of the GDPR concerning data protection by design and by default, i.e., the autonomous robot system has to take appropriate technical and organisational measures for "ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons" ( [33], Article 25, Recitals 78).Consequently, the producer of the delivery robot has to safeguard that data protection measures have been taken, e.g., pseudonymization of personal data by the controller in an early stage of data collection, and as the communication between the robot and the remote control centre is executed via wireless links, the personal data (including photos and video sequences) have to be encrypted.Secondly, the data collection of the robot must be limited to what is necessary and transparency has to be safeguarded "with regard to the functions and processing of personal data in order to enable the data subject to monitor the data processing and the controller to create and improve security features" ( [33], Recital 78).This requires that all obtained user data must be accessible and portable in order to enable any EU resident assuming that his personal data were collected by the robot (i.e., photos and videos) is provided with the possibility to request these data in a widely-compatible format, enabling him to verify which data exactly have been obtained.Thirdly, "the principles of data protection by design and by default should also be taken into consideration when developing, designing, selecting, and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations" ( [33], Recital 78).
But, it is not only the producer, processor, and the controller of the delivery robot who may by held liable for GDPR violations; also telecommunication service providers the processor and/or the controller may make use of in order to transmit data from the delivery robot via the telecommunication service provider's network has to comply with the GDPR, i.e., take respective technical protection measures and store this data only within the limits of Art 25 GDPR.
Starship's Regional Business Manager for Central Europe, Hendrik Albers, recently addressed the GDPR explicitly in the context of innovative disruptions [22].Albers warns to not over-regulate the European data protection regime and proposes to create a feasible balance between innovation and privacy for consumers.In the case of Starship, the company has according to Hendrik Albers developed very precise routines to ensure that this balance is kept.In Albers' opinion, most companies that collect customer data do so either way rather in order to benefit the customer than to market client data in order to generate profits.He thus emphasizes a privacy approach that leaves sufficiently large freedom to companies.In the case of delivery services he points out that there is an essential need to know where the customer is located in order to deliver the goods as close as possible to the customer.In addition to that, the delivery service also requires to be informed about several personal details in order to provide for an efficient organization of the delivery of items, as the customer would not be able to receive the freight if the regulation excessively prohibited the collection of one of these essential parameters.
While it may not be surprising that Albers takes a rather liberal approach on (not) subsuming Starship robots' activities under the GDPR, it has to be admitted that, indeed, in the case of delivery services, especially in the case of autonomous delivery robots that are partly remote-controlled via telecommunication networks, the main focus in area of privacy is still on the costumer data, which happens to be the least controversial aspect.The collected personal data that are collected by the sensors, microphones, and cameras, and which are transferred via telecom links are until now not on the top of the agenda-in spite of obvious violations of the GDPR by many default technical data collection settings.
The organization environment of the delivery robot control must be able to demonstrate compliance with the GDPR, i.e., the data controller should implement measures that meet the principles of data protection by design and data protection by default.Furthermore, the data controller is responsible to implement effective measures and it must be able to demonstrate the compliance of processing activities even if the processing is carried out by a data processor on behalf of the controller.
Article 25 states that Data Protection Impact Assessments have to be conducted when specific risks occur to the rights and freedoms of data subjects, and Articles 37-39 state that Data Protection Officers have to ensure compliance within organizations.In the case of non-compliance of these three main rules, strict penalties apply, starting with 20 Mio € and reaching up to 4% of the company's global turnover.In addition to that, one should keep in mind that there is no grace period, i.e., the GDPR is in full effect since 25 May 2018.

Findings and Discussion
Delivery robots as part of the last-mile B2C-distribution raise currently considerable attention and represent a growing business sector that is driven by traditional logistics service providers, but also by a number of start-ups that are located all around the globe.The existing devices are still in the test phase, and the considered cases show that the main area of operation is in food, flower, and grocery business where the robots are charged and unloaded by humans.The case of Starship Technologies reveals that the delivery robots can be considered as cyber-physical systems (CPS), since they are self-organised, self-optimized, and internet-linked-but they are autonomous only up to 90%, i.e., full self-organization is still a future issue [3].
Other important features of Industry 4.0 publications are related to internet-based linked machine-to-machine-communication and interaction as well as the ability to get integrated into cross-company processes safeguarding the capability to operate in a networked manufacturing and logistics environment [3][4][5].Here, research shows that M2M-technologies are today only partly realized-e.g., in the RoboVan solution, where the van acts as a hub that communicates with the delivery robots as feeders.But, a self-guided and M2M-based organization of delivery robots that integrate themselves into the full supply chain and realize autonomously the last-mile of the delivery without media discontinuity, i.e., without intervening of human work-force, is still to come.A benchmark for such a system is the pilot project "AMATRAK" at ISL Bremen, which realized a self-guided container transportation system, where containers are able to choose and book suitable and optimal transportations means, according to their own needs [2].
The competitive advantage of autonomous delivery robots as compared to other delivery modes is the low cost of less than 1€ per unit and delivery, which makes them up to 15 times cheaper than traditional delivery services.Their limited delivery radius, together with the fact that land-based delivery robots have to share the sidewalk with pedestrians and other traffic, make their preferred area of operation suburbs and low-density traffic areas, which makes them a delivery service mainly supplementing the existing ones.
Another important aspect which has not been in the focus of discussion in robot-friendly circles is the question to which degree society would in fact be ready to accept an excessive use of delivery robots.The shared use of sidewalks between delivery robots and pedestrians cause already today considerable acceptance problems in some places, which are expressed in different legal frame conditions, depending on the location.Some of them can seriously endanger the business model of delivery robots: Whereas, e.g., Estonia already has adapted its traffic laws for the shared use of space for humans and robots (see reform act on Estonian traffic act from 14 June 2017 on amendments of Section 2 of the same act) [36], other countries are still hesitating.A closer look to the USA reveals that not all parts of society welcome sharing sidewalks with robots by nature.Currently, a number of United States (USA) States allow for robots to participate in the traffic and adapted accordingly their state traffic laws.At the same time, within some States certain cities or municipalities formulated their own traffic law concerning robots, which makes the USA a much diversified legal patchwork with changing and partly contradicting laws for robot operations in traffic.Recently, the case of San Francisco's anti-robot laws gained extensive media coverage when they banned autonomous delivery devices from most sidewalks entirely and permitted them only in low-foot traffic zones [37]: While in those places where few specimen roaming around on selected cities' walkways today are well respected and are observed with curiosity, the public perception is starting to deteriorate in some cities with a higher "population" of delivery robots-for instance, in San Francisco the local government passed in early December 2017 strict regulations on delivery robots, capping permissions for robots "at three per company, and nine total at any given time for the entire city.The robots will now only be allowed to operate within certain industrial neighbourhoods, on streets with 6 ft-wide sidewalks, and must be accompanied by a human chaperone at all times" [38].The city reacted this way to protests by a "coalition of residents, pedestrian advocates, and activists for seniors and people with disabilities", claiming that "sidewalks are not playgrounds for the new remote controlled toys of the clever to make money and eliminate jobs" [38].
Besides this ongoing regulatory discussion around the world, another important frame condition is dedicated to the allowed weight of delivery drones.Both US States Virginia and Idaho allow for robots to operate autonomously, but, in Virginia, the law allows for land-based robots to operate up to a weight of less than 50 pounds, in Idaho the legal weight limit is 80 pounds.These discussed examples point out that delivery robots face a scattered landscape of legal regulations even within individual nations, which makes their operation decisively more difficult.
Finally, the new EU data protection regulation formulates new challenges for the development and operation of delivery robots.The considered cases disclose that, until now, data protection issues are not ranging in the top of agenda of the delivery robot world.But, since the new European General Data Protection Regulation took effect on 25 May 2018, a huge set of data necessary to operate a delivery robot have to be considered as personal data that are not only locally processed in the robot, but are also transferred and stored via internet links.Consequently, the applicable new data protection rules have to be taken into account in the design of the robots.Although partly, there may be a legitimate interest of the user/controller for collecting and processing in order to prevent harm to bystanders and to maintain integrity of the robot, interviews with the management and developers [22] have shown that there is little to no awareness that any collection of personal data from any human individual in the vicinity of the moving robots beyond the absolute necessary (PbD) requires the explicit consent from the respective individual, which is practically impossible to obtain, meaning that the GDPR is generally violated by delivery robots that are collecting this information.
This research show that the new EU General Data Protection Regulation requires a higher level of attention in the whole sector of delivery robots.

Conclusions
Delivery robots by design seem to provide the "missing link" between wholesale logistics and the consumer, and expectations that they will considerably contribute to solve the last-mile-problem in near future are well-founded.The current technical solutions are realizing only partly the Industry 4.0 concepts, but a closer view to funding and growth indicators reveal that the whole robot sector is highly dynamic and it represents a strongly growing market for the upcoming years, especially against the background of ecologically friendly logistics (e.g., via green transport corridors) and the combination of delivery robots and artificial intelligence [25,39,40].Anyway, excessive enthusiasm falsifies the perception of delivery robots when it comes to implementation of these technologies into existing legal frameworks.
This paper intended to shed some light on two aspects where major challenges will arise in future (and partly even today), being strict liability for accidents that are caused by delivery robots under traffic law and considerable penalties in case of violations of GDPR requirements by delivery robots' data collection and transmission mechanisms-risks an entrepreneur deciding in favour of making use of delivery robots may not have taken into account so far.
Another, less legal aspect that may impede the future success of delivery robots as business model is the question how much society-and municipal governments-will indeed welcome an excessive use of pedestrian walkways by delivery robots.The related legal framework which evolves around the sector of delivery robots represents a patchwork of different rules on national, regional and municipality level, making it complicated to realize the competitive advantage of the business model of the delivery robots for the last-mile.
While it has to be conceded that all great novel technologies have so far faced an initial hype together with massive initial protests before they were broadly accepted later, an interested entrepreneur has to be aware that some perseverance may be required once this business model is chosen, i.e., that legal restrictions in close future could rather hinder than facilitate the use of delivery robots.The research gives an empirically validated insight in the current developments in the sector of delivery robots, but by taking into account the high dynamic and innovative character of the whole sector, the picture can only give an actual snapshot of the evolution of delivery robots.