The rapid development of the ‘Internet of Vehicles’ means intelligent vehicles are the future of the automotive industry. China aims to have vehicles with partial autonomy account for 50% of new sales by 2025. On 10 March 2020, the country’s Ministry of Industry and Information Technology announced the recommended national standard for ‘Automotive Driving Automation Classification’, which will take effect from January 1 2021. It classifies autonomous driving levels according to the degree of input required from the driver to control the vehicle.
Fremont, CA:Autonomous vehicles (AV) are dependent on large-scale data collection, including personal and technical information. In China, the lack of specific laws and regulations on data compliance raises a number of issues for AV developers moving forward.
China has no specific legislation on personal information. However, the Standing Committee of the National People's Congress issued a draft law on personal information in October 2020, which will be finalized and promulgated soon. For general laws, regulations and rules, "personal information" has different definitions. According to Article 76 of the Cyber Security Law, it refers to information that is recorded electronically or in other ways that can identify individuals, whether used alone or in combination with other information.
The definition used in ‘Information Security Technology – Personal Information Security Specification’ (published in March, henceforth the ‘Specification’) is similar to the one in Article 76, but is further categorised into biometric information and sensitive information. Whether the information can identify a person is the key to determining whether it falls within the scope of personal information.
According to the Cybersecurity Law and the Specification, the collection of personal information requires the authorisation and informed consent of the subject. It should not be collected through fraud, deception or manipulation, nor should functions that collect such information be hidden.
Express consent is required for the collection of sensitive information. To collect biometric information, however, the collector must also individually inform the subject of the purpose, method and scope of use of the information. According to the Specification, automotive service providers cannot store biometric information. If necessary, it should be obtained at the collection terminal. The automotive service provider shall gather the biometric information and delete it once the subject is identified.
Although car service providers can obtain explicit consent through prior authorization, there is usually no way to obtain authorization for the information the driver obtains when operating the vehicle. Car service providers should avoid developing a comprehensive authorization plan and should specify what data to collect at various stages. They should provide drivers with an accessible exit mechanism or the option to change their privacy preferences.
AV technology often involves the use of collected information, such as the analysis of vehicle failures or accidents, to reduce driving risks. Because of this, it is necessary to cooperate with other companies. This can lead to data breaches. A key case is that of Canadian automation and robotics engineering company Level 1, which in 2018 leaked 157GB of data, including 47,000 documents of customer information, factory production details, and confidentiality agreements of many notable automotive companies.
When the data controller entrusts a third party to process personal information, both parties should enter into an agreement to determine responsibilities and obligations. Data controllers should conduct security audits of third parties, accurately record and store personal information processed by third parties, and establish standardized procedures within the company to implement authorization, audit and remedial measures. In turn, the third party should process the data in accordance with the scope of the agreement. In the event of a security incident or failure to perform the contract, the third party shall immediately notify the data controller and take corresponding remedial measures.