Intelligent Connected Vehicle Industry Data Compliance Solution (Part 1)


Background

With the increasing maturity and commercialization of vehicle networking and artificial intelligence technology, intelligent connected vehicles (ICVs) have emerged. Intelligent connected vehicles combine the characteristics of intelligence and networking, and achieve mature interaction between vehicles, people, road traffic facilities, and the cloud through V2X (Vehicle-to-Everything) communication technology. Intelligent connected vehicles can not only exchange data and share information, optimize driving routes, and reduce the risk of traffic accidents, but also realize autonomous driving functions through sensor devices, provide personalized user experiences, and open up prospects for future ways of driving.

In recent years, the rapid development of automobile and internet companies has accelerated the upgrading and innovation of vehicle networking, autonomous driving, internet maps, and intelligent traffic technologies. Strong support from governments of countries and regions around the world and the shift in consumer demand for travel methods have promoted the research, development, production, and popularization of intelligent connected vehicles, and the number of commercial scenarios keeps increasing. To provide a better user experience, intelligent connected vehicles and their back-end support systems process massive amounts of data at all times, including vehicle operation data, road condition information, location information, and in-vehicle application operation information. Without strict data security and compliance control measures, handling this data is prone to cause security and compliance risks, which may affect national and public security, corporate operations, and personal privacy. Data security and compliance across the lifecycle of intelligent connected vehicles are therefore crucial, and have become an important foundation for the healthy development of the intelligent connected vehicle industry.


With supervisory authorities and consumers paying increasing attention to data security and privacy protection, countries and regions around the world have successively issued data security laws and regulations, and industry norms for intelligent connected vehicles are also gradually improving.

Laws, regulations, and industry norms by country

China has issued a range of laws, regulations, and standards, establishing a legal protection system for data security, and its industry norms for the data security of intelligent connected vehicles are constantly improving and deepening.

June 1, 2017: Cybersecurity Law (Effective)

October 1, 2020: YD/T3746-2020 Requirements for Protection of Personal Information of Users of Vehicle Network Information Service, YD/T3751-2020 Technical Requirements for Data Security Technology of Vehicle Network Information Service, YD/T3752-2020 Technical Requirements for Security Protection of Vehicle Network Information Service Platform (Effective)

It plays a leading role in the construction of the industrial ecological environment of intelligent connected vehicles, improves industry data security standards and specifications, and focuses on aspects such as confidentiality of data transmission, data encryption, data access rules, dynamic desensitization, and data destruction

It proposes to protect user data layer by layer, protect the rights of users to know and choose, and ensure that intelligent connected vehicles accelerate innovation and safe applications

August 24, 2021: General Requirements for Data of Intelligent Connected Vehicles (Draft for Comments) (Released)

September 1, 2021: Data Security Law (Effective)

October 1, 2021: Some Provisions on the Security Management of Vehicle Data (Trial) (Effective)

It proposes that data should be classified and graded for intelligent connected vehicle data, and it is necessary to distinguish between personal information, cabin data, external data, location track data, and other data types, and corresponding security protection measures should be configured accordingly

It proposes that annual risk assessments and regular reporting of data security management situations should be carried out to form a data security protection system

November 1, 2021: Personal Information Protection Law (Effective)

Established the 'inform-informed-consent' personal information processing rules

Requirements have been made for the processing of sensitive personal information

It emphasizes that after mastering a large amount of user data, the Internet

September 1, 2022: Guidelines for Outbound Data Transfer Security Assessment Declaration (First Edition) (Effective)

September 1, 2022: Measures for Outbound Data Transfer Security Assessment (Effective)

It is required that enterprises declare and pass the outbound data transfer security assessment before carrying out outbound data transfer activities

The circumstances for judging the volume of outbound data have been clearly defined

May 1, 2023: GB/T 41871-2022 'Information Security Technology - Security Requirements for Automotive Data Processing' (Effective)

Globally, to strengthen the data security of intelligent connected vehicles and to protect user privacy, countries and regions around the world are also continuously strengthening their laws, regulations, and industry norms for data security compliance management.

2013 (updated in 2022): ISO/IEC 27001 Information Security Management System was released

2014 (updated in 2019): ISO/IEC 27018 Public Cloud Personal Identifiable Information Protection Certification (Released)

August 6, 2017, United Kingdom: The 'Important Principles of Cybersecurity for Connected and Autonomous Vehicles' was released

Proposes eight principles, including ensuring the security and controllability of data storage and transmission

Emphasizes that data security issues should be incorporated into the vehicle lifecycle

September 7, 2017: The U.S. H.R.3388 Autonomous Vehicles Act was released

Proposes that manufacturers of autonomous vehicles establish cybersecurity policies, requiring vehicle manufacturers to establish monitoring, testing, and protection

May 23, 2018: The UK Data Protection Act 2018 was promulgated

Adopts many core concepts of GDPR

Proposes that the intentional or negligent identification of de-identified personal data may constitute a new criminal offense

May 25, 2018: The EU General Data Protection Regulation (GDPR) came into effect

Defines personal data and special categories of personal data

Proposes principles to be followed in the processing of personal data, such as transparency, data minimization, integrity, and confidentiality

August 2019: ISO/IEC 27701 Privacy Information Management System was released

January 1, 2020: The California Consumer Privacy Act (CCPA) came into effect

Emphasizes the rights provided to California consumers regarding personal information, including access rights and deletion rights

January 12, 2021: The U.S. Cybersecurity Best Practices for Modern Vehicle Safety was released

Outlines 45 important principles from the perspective of the entire automotive industry

Provides solutions and practical guidelines for cybersecurity issues

March 9, 2021: The EU Guidelines on Personal Data Protection for Vehicle Connectivity v2.0 came into effect

Applies GDPR to scenarios involving the processing of personal data in connected vehicles

Established fundamental protection rules for connected vehicle data

Regulates data exportation

April 13, 2021, United Kingdom: The Automated and Electric Vehicles Act (Effective)

Clarified rules related to data transmission at charging points

June 28, 2021: The EU Cybersecurity Act came into effect

Regulates personal information protection requirements

August 31, 2021: ISO/SAE 21434:2021 'Road Vehicles - Information Security Engineering' was released

June 21, 2022: The U.S. Data Privacy and Protection Act was released

The privacy policy requires the disclosure of the types of data collected, the purposes of processing, and the sharing of data with third parties

July 6, 2022: The "Cybersecurity Management System" (UNR155) and the "Software Update Management System" (UNR156)

The first mandatory automotive information security regulation released by (WP.29)

R155 requires vehicle manufacturers to establish cybersecurity management processes at all stages of the vehicle lifecycle

R156 is a unified regulation on the management system for software updates and software upgrades for vehicle approval

In the revised bills submitted by the EU automotive group, UNR155 and UNR156 have become the technical regulations for protecting against vehicle network attacks

The California Privacy Rights Act (CPRA, CCPA revised version) came into effect on January 1, 2023

Around the world, requirements for the protection of data confidentiality, integrity, and availability of intelligent connected vehicle data, the protection of personal information, and obtaining consumer consent in appropriate cases have been proposed in the field of data security and compliance. However, there are differences in the specific content of requirements in different countries and regions.

Personal information classification:

The EU emphasizes the special category of personal data, which is clearly defined in the GDPR, while the definition of sensitive personal information in the US varies due to different laws and regulations.

Vehicle data security:

China has issued industry specifications, the UK and the US have proposed principles and best practices, the EU focuses on the protection of personal information in this scenario, and it is possible that the United Nations World Forum for Harmonization of Vehicle Regulations (WP.29) will continue to issue security and compliance requirements for different systems.

Intelligent connected vehicle ecosystem partners should comply with local relevant laws and regulations and industry specifications in addition to meeting industry common standards when operating in various regions.

Data classification and grading of intelligent connected vehicles

Data is an important asset driving the development of intelligent connected vehicles. Rational data classification and grading is the foundation for the proper management of data, as well as the foundation for the processing of massive data. In order to achieve the safe governance of intelligent connected vehicle data in the data lifecycle, relevant data should be classified and graded according to scientific, reasonable, objective, and clear principles. This white paper will analyze the security and compliance requirements of intelligent connected vehicle data from the perspectives of personal information and vehicle data, in accordance with the requirements of the industry specifications already issued.

Personal information:

  • Personal basic information
  • Personal biometric information
  • Personal virtual identity and authentication information
  • Personal location information
  • Traffic and travel information
  • Contact information of on-board applications
  • Information of personal commonly used devices
  • Ordering, registration, and cancellation information
  • Data of personal terminals and cloud storage materials

Vehicle data:

  • Basic attribute data of vehicles
  • Basic attribute data of vehicle network service platform
  • Vehicle static condition data
  • Vehicle operating condition data
  • Basic attribute data of mobile terminal application software for vehicle networking
  • Driver operation data
  • Remote monitoring and operation data
  • System decision-making data
  • Predictive planning data
  • Vehicle external environment perception data

The important data in the intelligent connected vehicle industry, as defined by relevant laws and regulations such as the "Cybersecurity Law", "Data Security Law", and "Provisional Regulations on the Management of Vehicle Data Security (Trial)", includes but is not limited to:

  • Data related to important sensitive areas
  • Automotive charging network operation data
  • Infrastructure data
  • Other important data
  • Data reflecting the economic operation situation
  • Face, license plate video image data
  • Export controlled data

Based on data classification, different data can be further divided into general level, sensitive level, important level, and core level according to the object and extent of the impact when data security incidents occur.

General level

  • Refers to the case where data would cause general harm to the legitimate rights and interests of users or enterprises after being leaked, tampered with, destroyed, or illegally obtained, used, or shared.

Sensitive level

  • Refers to the case where data would cause considerable harm to the legitimate rights and interests of users or enterprises after being leaked, tampered with, destroyed, or illegally obtained, used, or shared.

Important level

  • Refers to the case where data would cause serious harm to the legitimate rights and interests of users or enterprises after being leaked, tampered with, destroyed, or illegally obtained, used, or shared.

Core level

  • Refers to the case where data would cause serious harm to the legitimate rights and interests of users or enterprises after being leaked, tampered with, destroyed, or illegally obtained, used, or shared.

Data that would cause serious harm to public interests and general harm to national security.

The level of the same data may rise as data volume accumulates or as the usage scenario changes; combining, aggregating, and analyzing different types of data may also raise the data level. Therefore, data classification can be divided and adjusted according to actual conditions.

Compliance requirements for the lifecycle of intelligent connected vehicle data

To ensure the safety and compliance of data throughout its lifecycle, enterprises need to continuously improve their management methods and technical measures based on data classification and grading. In this process, ensure the confidentiality, integrity, and availability of data, meet security and compliance requirements, and pay special attention to the special requirements for the processing of different categories and levels of data, such as important data and personal privacy data.

Typical safety and compliance requirements for the lifecycle of intelligent connected vehicle data.

Data collection:

  • On the basis of legal collection, follow the principles of justice, reasonableness, and minimization.
  • Comply strictly with the established data security compliance classification and grading requirements for the processing of collected data.
  • Collect personal information on the basis of explicit consent, collecting only necessary precision data, and conducting appropriate risk assessment and management.

Data transmission:

Internal transmission: Based on the principle of internal processing, data should generally only be transmitted within the vehicle.

External transmission: External transmission should only be carried out under legal requirements or when it is necessary to fulfill the contract, and the following is required:

  • Obtain separate consent from the user.
  • Ensure that, after transmission, the data is used only for necessary functions.
  • Perform necessary de-sensitization and encryption before transmission.
  • Protect the transmission channel with technology.
  • Enforce strict data permission control.

Data storage:

Internal local storage: It should meet the requirements for accident risk investigation and accident data restoration.

External storage: Only necessary data is stored.

  • Data is encrypted or de-sensitized through reasonable technical means and stored securely to prevent tampering or malicious deletion.
  • Properly configure the storage cycle in accordance with the regulatory requirements for storage duration

Data Use:

  • It cannot affect the normal driving and driving safety of the vehicle
  • Authorize and verify the use of data based on the classification and grading standards of data
  • The use of important data, personal privacy data, and other sensitive information needs to be desensitized, such as using de-identification, anonymization, encryption processing and other methods
  • Audit the behavior of data use

Data Sharing:

  • Carry out data sharing based on a comprehensive and effective evaluation, including feasibility assessment, risk assessment, and network security capability assessment
  • Formulate data sharing risk control measures to ensure the security of data sharing
  • The recipient of the data also needs to fulfill the obligations of data protection

Data Destruction:

  • Establish data destruction strategies and approval mechanisms, clarify the objects and procedures of destruction, and ensure the safety and rationality of data during the destruction process
  • Ensure that all storage spaces where copies, file directories, database records, and other resources related to data to be destroyed are released or completely eliminated before they are redistributed to other users
  • Technical means should be adopted to prevent the recovery of data that is to be destroyed

Cross-border compliance issues of data in major regions

China

China attaches importance to the security of outbound data transfers, and continuously legislates to emphasize the protection principles. Enterprises need to conduct a self-assessment of the security of outbound data and, based on the results of the assessment, choose to take the following measures:

  • Apply to the cyber information department for a data security evaluation of outbound data
  • Adopt the standard contract provisions for outbound transfers of personal information
  • Implement personal information protection certification

EU

Provided that the protection measures in the counterparty country are equivalent to those of the EU, Europe allows cross-border data flows. Typically, enterprises need to take one of the following safeguard measures:

  • Apply for Binding Corporate Rules (BCR)
  • Sign standard contractual clauses (SCC)
  • Make a commitment to the Code of Conduct (CoC) and apply for approval from the European Commission
  • Apply for data protection certification (Certification) to the regulatory authorities of member states

US

The US advocates for the free flow of data globally and also strictly manages the cross-border transfer of sensitive corporate data, including:

  • If an enterprise is involved in the transaction of sensitive personal data, it needs to undergo a foreign investment security review
  • Assess the risk of the application to ensure that foreign entities cannot access sensitive personal data or confidential government and commercial information
  • Network service providers should disclose by default to the US government the communication content and other data they control

UK

The UK has proposed standard contractual requirements for cross-border transfers under the 'UK General Data Protection Regulation' formulated after Brexit. The standard data protection clauses (UK SCC) involve two documents, requiring enterprises to sign one of them:

  • International Data Transfer Agreement (IDTA)
  • International Data Transfer Agreement (IDTA) to the EU Commission Standard Contractual Clauses

This is some basic background and requirements for data compliance in the intelligent connected vehicle industry. In the next article, we will focus on the relevant solutions for data compliance in the intelligent connected vehicle industry.

