Data security issues are increasingly becoming points of friction in the technology policies between major powers.
On September 23rd local time, the U.S. Department of Commerce announced a regulatory proposal. Citing national security concerns, it proposed a ban on the import and sale of smart connected vehicles equipped with software or hardware that uses Chinese technology.
In an interview with the media in March this year, the U.S. Secretary of Commerce likened smart connected vehicles to "Apple phones on wheels." This statement emphasized that the ban is primarily concerned about overseas entities gaining control of Americans' driving habit data through the internet or remotely controlling U.S. vehicles.
According to the U.S. Department of Commerce, the ban would cover all hardware and software that can be integrated into vehicle connectivity systems (VCS) or autonomous driving systems (ADS). Traditional automotive "passive" components, such as plastic covers and screws, are not within the scope of regulation. Vehicles not used on public roads, such as agricultural and mining vehicles, are also not within the scope of the ban.
The ban has undergone seven months of deliberation and is currently in a public comment period. After 30 days, the final rules will be drafted. If ultimately approved, the import ban on related software will take effect in 2027, and the ban on hardware products will take effect in 2030.
Where are the data sensitivity points for smart connected vehicles? What is the development status in this field domestically, and what regulatory constraints are already in place? Is the U.S.'s proposed ban really due to data security issues?
On September 25th, a spokesperson for China's Ministry of Commerce responded, stating that the U.S. approach is unfounded and violates the principles of market economy and fair competition, representing a typical act of protectionism.
Domestically, there are already many regulations promoting the compliance of smart connected vehicles.The data risks of connected vehicles are the focal point of attention for U.S. bans. Data security is the controversial shadow that haunts connected cars, involving complex issues.
McKinsey has divided the user experience of smart connected vehicles into five levels: the most basic L1 level can only monitor basic vehicle conditions, L2 means that the vehicle can provide digital services based on the driver's personal information, such as personalized control and access to information entertainment. When reaching the top level of the framework, L5, the system will become a "virtual driver" - that is, an AI that can automatically predict and make decisions.
In this process, vehicles with different "degrees of connectivity" can collect a large amount of data. The "Autonomous Driving Data Security White Paper" released by the National Industrial Information Security Development Research Center in 2020 shows that data such as road infrastructure, vehicle operation status, and owner's usage behavior need to be collected, with as many as 18 categories of detailed data. After collecting data, there are indeed data security risks in every link from transmission to application.
U.S. Commerce Secretary Gina Raimondo specifically mentioned the connected cameras, microphones, and GPS devices in cars when announcing the proposed ban. "Today's cars are equipped with cameras, microphones, GPS tracking, and other technologies connected to the Internet. It is not hard to imagine that foreign opponents mastering this information poses a serious threat to our national security and the privacy of American citizens."
The U.S. Department of Commerce believes that connected cars have inherited technologies such as Wi-Fi, Bluetooth, and satellite connections, making the security of vehicles more vulnerable. Malicious actors may exploit vulnerabilities in these systems to launch attacks, thus posing a risk to national security.
However, it is worth noting that Chinese car manufacturers first need to meet domestic compliance standards, and there are already many laws and regulations in China that directly constrain.
For example, Ning Xuanfeng and Wu Han, partners in charge of compliance business management at King & Wood Law Firm, pointed out in an analysis article that the "Several Provisions on Data Security Management of Automobiles (Trial)" in 2021 established the principle of "in-vehicle processing," meaning that car data should not be transmitted outside the vehicle by default. They believe that this principle should be able to alleviate the U.S. side's core concerns about data leakage.
Reporters from 21st Century Business Herald found that after 2021, China has intensively formulated a series of regulations or standards in the field of data security for smart connected vehicles, including the "Management Regulations for Road Testing and Demonstration Application of Intelligent Connected Vehicles (Trial)" and the "General Specifications for Digital Identity and Authentication of Intelligent Connected Vehicles." To ensure safety performance, the extremely important "Opinions of the Ministry of Industry and Information Technology on Strengthening the Access Management of Enterprises and Products of Intelligent Connected Vehicles" stipulates that data and network security management are the most basic and top-priority requirements for the access of connected vehicles, requiring enterprises to establish and improve automotive data security management systems and establish automotive network security management systems.
Now, many Internet giants and ICT companies have increased their investment in the software and hardware of smart connected vehicles. Typical representatives include Huawei, Tencent, and Baidu. Automobile manufacturers such as GAC, SAIC, and BYD have also laid out autonomous driving solutions. However, so far, almost all of these products are used in cars sold in the Chinese market.The "Preemptive Strike" U.S. Ban
In reality, although according to data from the China Association of Automobile Manufacturers, China surpassed Japan last year to become the world's largest exporter of automobiles, the total number of cars exported to the United States was minimal. Data from the Passenger Car Association shows that in 2023, China exported a total of 74,800 passenger cars to the U.S., accounting for only 1.4% of total exports; new energy passenger cars numbered 18,600, representing 0.4%.
Compared to worrying about current data security, the nature of this ban is more of a "preemptive strike." U.S. government officials admit that there are very few Chinese or Russian cars on American roads at present, and this regulation is aimed at eliminating potential national security threats they might pose in the future.
A lawyer engaged in data compliance business in Silicon Valley told a 21st-century journalist, "If you look at the work of the U.S. federal government in the field of data security, it can be seen that data security is not really what they care about." This is because, in most cases, data security mainly considers the privacy and security of ordinary consumers, but so far, the United States has not passed a federal-level data security law; there are only privacy bills issued by each state.
"Data circulation has no boundaries. Issues like privacy security are different in each state's regulations, and the actual cost of compliance is very high," the aforementioned lawyer believes. If the United States truly values data security issues, a better solution would be federal legislation.
On September 25, a spokesperson for China's Ministry of Commerce responded, stating that the U.S. approach is unfounded, violates the principles of market economy and fair competition, and is a typical act of protectionism. It severely affects normal cooperation between China and the U.S. in the field of connected vehicles, disrupts and distorts the global automotive industry chain and supply chain, and will also harm the interests of American consumers. The U.S. approach is also a non-market behavior that uses government power to interfere with corporate economic and commercial cooperation, constituting economic coercion.
The "preemptive strike" nature of technology policies is becoming more common. In 2022, the U.S. government banned some equipment from Huawei and ZTE on the grounds of national security concerns; this spring, President Biden signed a law that also forced ByteDance, the parent company of TikTok, to divest due to concerns about data引起的national security, or face a nationwide ban. The global head of automotive research at Bloomberg Intelligence said in a media interview that the logic behind this car ban is similar, a typical TikTok-style action. TikTok is currently suing the U.S. government in an attempt to overturn the ban against itself.