On 26 May 2026, WeRide and Renault Group announced their return to Roland-Garros for a third consecutive year, running a driverless autonomous Robobus along a 2.8-kilometre public route on Avenue de la Porte d'Auteuil during the tournament (24 May–7 June). The 12-minute loop carried spectators between three stops, with daytime, evening and late-night service, and was operated on the ground by French mobility firm beti, with WeRide supplying the self-driving stack (WeRide/Renault press release).
This is not a closed test track. It is a high-density, mixed-traffic deployment in central Paris during one of France's largest annual sporting events. And it sits squarely inside one of Europe's most developed legal frameworks for autonomous-vehicle data — a framework worth examining precisely because the deployment worked.
What the law actually requires
France built its autonomous-driving regime in stages. Ordinance No. 2021-443 of 14 April 2021 established the criminal-liability rules for vehicles operating under "driving delegation," and its implementing Decree No. 2021-873 of 29 June 2021 mandates an onboard recorder — a dispositif d'enregistrement des données d'état de délégation de conduite — that logs the interactions between the human and the automated driving system, so authorities can later determine who or what was in control (Légifrance, Décret 2021-873). A separate track, Ordinance No. 2021-442 of 14 April 2021 on access to vehicle data, governs who may obtain that information and for what purpose (Légifrance, Ordonnance 2021-442).
The data-retention rule that gives the regime teeth predates full deployment: under the experimentation framework (Decree 2018-211, Article 12), the final five minutes of recorded data must be conserved for one year in the event of an accident (Connected Automated Driving — France). On top of this sits the data-protection layer: France's privacy regulator, the CNIL, published a connected-vehicle compliance pack that treats routes, driving style and vehicle identifiers as personal data, and explicitly urges operators to prefer "in-in" processing — keeping data inside the vehicle rather than streaming it out (CNIL connected-vehicles compliance pack). The European Data Protection Board's Guidelines 01/2020 reinforce the same data-minimisation logic across the EU (EDPB Guidelines 01/2020).
The case for the rules
The strongest argument for this architecture is hard to dismiss. A two-tonne driverless bus weaving through pedestrians is exactly the situation where black-box recording earns its keep: when something goes wrong, investigators, insurers and victims need a reliable account of whether the system or a human was driving, and the one-year retention window ensures that evidence survives long enough to matter. Mandatory event recording converts an opaque algorithm into something auditable. And the CNIL's insistence that location and behavioural data are personal data is a genuine safeguard: a shuttle that logs precisely who travelled where and when is a surveillance asset if left ungoverned.
That is the regulation working as intended: accountability without prohibition. France did not ban the Robobus pending perfect rules; it set conditions and let the vehicle run on a real Parisian avenue for three straight years.
Where proportionality must hold
The risk is not the existence of these rules but their drift. Three pressure points deserve scrutiny.
- Retention creep. One year for the last five minutes of crash-relevant data is defensible. The temptation — visible across European data policy — is to expand retention windows and data categories "just in case." The CNIL's own in-in default is the correct counterweight: record what is needed for liability, keep it local where possible, and resist building a permanent travel-history archive out of a safety mandate.
- Access scope. Ordinance 2021-442 sensibly separates what is recorded from who can access it. Keeping access gated to accident investigation, narrow safety purposes and properly anonymised traffic analytics is what prevents an event data recorder (EDR) regime from quietly becoming a law-enforcement telematics pipeline.
- Compliance overhead. Renault and WeRide cleared this bar because they are large, well-resourced firms. The same paperwork — type-approval, recorder certification, data-protection impact assessments, semi-annual reporting — can be a moat that smaller mobility startups cannot cross, entrenching incumbents under the banner of safety.
The takeaway
The Roland-Garros deployment is the best kind of evidence in a policy debate: a working example. France's framework is prescriptive, but it is also enabling — it produced clear liability rules, a defined evidentiary record, and privacy guardrails, and still allowed a genuinely driverless vehicle to operate in dense public space. That is the proportionate-regulation case made concrete.
The open question is whether the regime stays this calibrated. Black-box recording and one-year retention are justified by the specific, serious risk of a crash involving an automated system. They are not a licence to accumulate granular mobility data on every passenger, nor to load compliance costs so heavily that only national champions can deploy. France has shown the rules can coexist with innovation. The next test is keeping them aimed at the harm they were written to address — and no further.