Necessity and importance of research on data application compliance issues for intelligent vehicle networking platforms

2022 03/24

For automotive companies and professional Internet of Vehicles companies, in order to provide relevant Internet of Vehicles services, is it necessary to apply for a telecommunications license or purchase services from a service provider with a telecommunications license? The customer is a B2B automotive parts manufacturing enterprise that does not target individual consumers. Will customers fall into the category of network operators under the Cyber Security Act? In April 2021, a car owner failed to brake during driving, and the car company released the car owner's brake data to the media without permission in order to certify that the brakes were working well. Is this a violation of personal information security regulations?


The above scenario involves different suppliers in the intelligent connected vehicle industry chain, and has one common feature: constrained by insufficient law enforcement evidence and weak public opinion, privacy risk issues are ultimately "unresolved" or "unresolved". In addition, in addition to automakers, Internet companies are also seizing this huge opportunity to enter the automotive industry. In 2014, SAIC Motor and Alibaba jointly established a new brand Ebanma and developed the AliOS based Banma system, which is the first completely independent automotive operating system in China from Android. Tencent and Baidu have also proposed solutions for intelligent connected automotive systems, but they are not considered to be the basic operating systems for automobiles. Tencent's AI in cars is a solution based on the Android system, porting Tencent's powerful social application ecosystem to cars. The DuerOS launched by Baidu focuses on voice control and applies AI conversation functionality to car driving scenarios. Due to the budding and overlapping stage of the technology of intelligent networked vehicles, a unified industrial practice has not yet been formed in the industry. Relevant laws and regulations are still being introduced in succession, and specific implementation rules and interpretations need to be released and further improved. A wide range of fields such as personal and public sensitive information security, network security, data security, telecommunications services, positioning service supervision, etc. constitute an important component of the data application compliance work of the intelligent networked vehicle platform. In addition to this core component, compliance requirements in foreign trade include: for example, when exporting vehicle products for foreign use, attention must be paid to trade remedy investigations conducted by the countries (regions) involved in the business, including anti-dumping, countervailing, and safeguard measures investigations. Specific requirements for trade control, quality, safety, technical standards, and intellectual property protection should ensure the full process and full compliance of business activities, and comprehensively grasp the specific requirements for bid management, contract management, environmental protection, joint and several risk management, debt management, donation and sponsorship, anti-corruption, and anti bribery.


First, in terms of personal data security, the "Several Provisions on the Security Management of Automotive Data (Trial Implementation)" implemented on October 1, 2021 provides more specific provisions on "automotive data", including personal information data and important data involved in the process of vehicle design, production, sales, use, operation and maintenance.


Automobile data processing includes the collection, storage, use, processing, transmission, provision, and disclosure of automobile data.


Automotive data processors refer to organizations that carry out automotive data processing activities, including automotive manufacturers, parts and software suppliers, dealers, maintenance agencies, and travel service enterprises.


Personal information refers to various information recorded electronically or otherwise related to identified or identifiable vehicle owners, drivers, passengers, and people outside the vehicle, excluding information processed anonymously.


Sensitive personal information refers to personal information that, once leaked or illegally used, may result in discrimination against vehicle owners, drivers, passengers, and people outside the vehicle, or serious harm to personal and property safety, including information such as vehicle tracks, audio, video, images, and biometrics.
Important data refers to data that may endanger national security, public interests, or the legitimate rights and interests of individuals and organizations once tampered with, destroyed, leaked, or illegally obtained or utilized, including:


(1) Geographic information, personnel flow, vehicle flow, and other data of important and sensitive areas such as military management zones, national defense science and engineering units, and party and government organs at or above the county level;


(2) Data reflecting economic operation such as vehicle flow and logistics;


(3) Operation data of vehicle charging network;


(4) Video and image data outside the vehicle including face information, license plate information, etc;


(5) Personal information involving more than 100000 personal information subjects;


(6) Other data that may endanger national security, public interests, or the legitimate rights and interests of individuals and organizations as determined by the national network information department, the development and reform, industry and information technology, public security, transportation, and other relevant departments of the State Council.


It should be noted that both the Cyber Security Law and the Personal Information Protection Law stipulate that the broad concept of personal information outside the automotive industry refers to various types of information that can be recorded electronically or in combination with other information to identify a natural person's personal identity. Common personal information includes the name, date of birth, ID number, personal biometric information, address, phone number, and so on of a natural person.


There are no more detailed provisions in China's laws on what is meant by "various types of information that can identify a natural person's personal identity alone or in combination with other information.". Generally, it is understood that determining whether a certain item of information belongs to personal information should consider the following two paths: first, identification, that is, from information to individuals, identifying specific natural persons based on the specificity of the information itself, and personal information should help identify specific individuals. The second is association, that is, from individuals to information. If a specific natural person is known, the information generated by that specific natural person in their activities (such as personal location information, personal call records, personal browsing records, etc.) is personal information. Information that meets one of the above two circumstances should be determined as personal information. With the increase of Internet services in vehicles, consumers' concerns about personal privacy protection will become increasingly prominent in the future. Consumer awareness and attention is one of the key factors that trigger privacy disputes. Currently, compared to other industries such as healthcare and finance, consumers have a low degree of trust in privacy protection in the automotive industry. The privacy risk scenarios involved in intelligent connected vehicles are increasingly similar to those of the Internet, communications, and industries, especially for risks such as forcing user consent for bundled services, and excessive information collection and processing.


From the perspective of network security, some automotive companies operating in China have implemented data localization arrangements in China before the introduction of the Network Security Law, and some multinational automotive companies have stored the personal information of Chinese users on overseas servers. Due to the fact that the relevant provisions on data localization and data outbound under Chinese law are not yet fully clear, the attitudes of multinational car companies vary: some multinational car companies tend to believe that becoming a CIIO is a high probability event, so they have actively started deploying localized storage of data in China (some multinational car companies have completed data localization deployment); Although some automotive companies have not started localized deployment, they have conducted a comprehensive assessment to identify and sort out important inspection items such as system status, data storage locations, security measures, real-name system, and hierarchical protection, conduct gap analysis, and develop action plans; Some car companies are still on the sidelines.


In terms of data security, although more automotive companies tend to believe that the General Data Protection Regulation (GDPR) is not mandatory for their operations in China, they also tend to believe that the direction of data regulation represented by GDPR is a global trend, and its principles are basically consistent with the Network Security Law and the Data Security Law, Therefore, in practice, it will also rectify its operations in China in accordance with the general principles of GDPR. In summary, the intelligent vehicle networking platform faces many legal risks such as the recent implementation of relevant new laws, uncertain legal regulatory scenarios, and rapid updates of intelligent assisted driving and vehicle networking technology. The importance and necessity of studying data application compliance is self-evident. At the same time, this also requires that legal service providers must have rich legal experience in the automotive industry, have a sensitive ability to predict trends in network and information security, and have social resources that are forward-looking in meeting the rules and regulations of relevant government regulatory departments.