Expert Interpretation | “Guidelines for the Safety of Automobile Collection Data Processing”

The development of intelligent, connected automobiles has brought consumers a smarter and more convenient user experience, but it has also created a series of industry pain points, above all the issue of automobile data security. Because the composition, technical structure, and data sources of the automotive industry are complex and diverse, automotive data security faces new, multi-layered risks. Policies, regulations and standards are therefore urgently needed to respond effectively.

Recently, China has continued to build out its system of data security regulations and standards and has strengthened data protection. Regulations, policies and standards related to the data security of intelligent connected vehicles have been issued in quick succession, including the “Data Security Law of the People’s Republic of China”, the “Personal Information Protection Law of the People’s Republic of China”, the “Opinions on Strengthening the Access Management of Intelligent and Connected Vehicle Manufacturers and Products”, the “Several Provisions on Vehicle Data Security Management (Trial)”, and the “Notice on Strengthening the Network Security of the Internet of Vehicles (Intelligent Connected Vehicles) (Draft for Comment)”. These policy documents strengthen the management and control of the data life cycle, emphasize data classification and grading, and point out channels and directions for industrial and technological development.

On October 8, the National Information Security Standardization Technical Committee (hereinafter referred to as the “Information Security Standardization Committee”, TC260) issued the “Automotive Collection Data Processing Safety Guidelines” (hereinafter referred to as the “Guidelines”), which set out security requirements for car manufacturers’ processing of data collected from vehicles, covering activities such as transmission, storage, and export. The Guidelines give car manufacturers implementation specifications for data protection across the design, production, sales, use, operation and maintenance of automobiles, and give regulatory authorities, third-party evaluation agencies and others a basis for monitoring, managing and evaluating the processing of collected data.

1. Background of the preparation of the document “Guidelines for the Safety of Data Processing for Automobile Collection”

How to use data in the development of intelligent connected vehicles, how to ensure data security, and how to take into account the interests of the country, citizens and industry are important issues for future development. Vehicle data comes mainly from information collected from vehicle terminals and users. The driver’s identity information, vehicle information, driving behavior information, location information, and other personal parameter data may be collected by sensors such as the vehicle’s camera and uploaded to the cloud. Because of a lack of control and information asymmetry, vehicles may collect data without the knowledge of individuals and process the collected personal data, resulting in the leakage of personal information. In addition, the data collected by cars usually involves highly sensitive infrastructure data, geographic information data, traffic data, and a large amount of data on car owners’ identity and behavior, so data security issues may bear directly on national security and public interests. Under the general framework of higher-level laws such as the “Data Security Law” and the “Personal Information Protection Law”, the “Automotive Data Collection and Processing Safety Guidelines” aim to start from the actual development of the industry, address the shortcomings of data security, and propose scientific, reasonable and effective solutions, so as to play a fundamental, normative and leading role.

2. Interpretation of the key content of the “Guidelines for the Safety of Data Processing for Automobile Collection”

(1) The content of the data collected by the car

On the one hand, a car is a personal item and will inevitably collect and process a large amount of personal privacy data; on the other hand, to support safe driving, a car will also collect a large amount of environment, road condition, location and geographic information, which may involve sensitive data. If these data are processed only by the on-board computer in the car and do not interact with the outside world, data security and personal privacy protection issues can be considered not to arise. The Guidelines divide the data collected by the car into four categories: out-of-vehicle data, cockpit data, operation data and location trajectory data, and clarify the scope of each type of data and the personal information, sensitive personal information and important data that may be involved. For the data collected from different types of vehicles, the Guidelines set out targeted requirements for transmission, storage, and export, to ensure that all types of data are properly protected and that the relevant data processing activities remain safe and controllable.

(2) Comprehensive protection of car data security

At present, the performance of the on-board computer can already meet the requirements for the safe processing of the relevant data. A key part of the content is the processing of off-vehicle interaction data required for vehicle-road collaboration, including data from vehicle-to-vehicle interconnection, human-to-vehicle interconnection, and vehicle-to-roadside-infrastructure interconnection, as well as interaction data on cloud service platforms. This requires distinguishing between different situations so that out-of-vehicle interaction data is processed securely and security risks such as data leakage and privacy violations are prevented. The Guidelines clearly stipulate transmission requirements, storage requirements and data export requirements. The requirements are specific about data content and exceptions, avoiding a one-size-fits-all arrangement and giving enterprises a clear reference for implementing data protection measures. On car data export, an issue of particular concern to car manufacturers, the Guidelines clearly require that “out-of-vehicle data, cockpit data, and location trajectory data should not be exported; if operation data needs to be exported, it should pass the data export security assessment organized by the national network information department”. It is therefore believed that the three types of data should not, in principle, be exported. This suggests that all car brands with sales in China should establish a cloud service platform in China, and that the data should be stored, analyzed and utilized in China.
