Clarify the principles of not collecting by default and applying accuracy range


  Car data has a "safety lock" (policy interpretation)

  "The car you just bought has features such as opening the doors by face scan. Will the facial information collected by the camera be abused?"

  "When data such as the trajectory, audio and video generated while the vehicle is being driven are collected and analyzed by the car company, is any desensitization, such as anonymization and de-identification, applied?"

  "If the vehicle is produced overseas, is the data collected each day stored in the country? If it needs to be provided overseas due to business needs, has it passed the safety assessment of the relevant authority?"

  …………

  In 2020, cumulative sales of China's intelligent networked vehicles reached 3.032 million, a year-on-year increase of 107%. However, some safety issues have also attracted widespread attention from users and the industry.

  The "Regulations on Automobile Data Security Management (Trial)" (hereinafter referred to as the "Regulations"), promulgated by five departments, namely the State Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the Ministry of Transport, came into effect on October 1.

What is car data?

What requirements should be met to carry out automobile data processing activities?

The reporter interviewed relevant persons in charge and relevant experts of the National Internet Information Office.

  Intelligent networked vehicles continue to grow rapidly, and it is urgent to strengthen data security management

  Triple-screen smart cockpits, cross-vision fusion automatic driving algorithms, 5G high-speed networks, complete vehicle intelligent ecological solutions... Walk into the car market and introductions of features like these are everywhere; intelligent networking has become a major selling point of new cars.

  What is the average amount of data collected by an intelligent connected car every day?

  Huang Peng, deputy chief engineer and director of the Information Policy Institute of the National Industrial Information Security Development Research Center, said that an intelligent connected car can generate terabytes of data every day, including not only the facial expressions, movements, eyes, and voice data of drivers and passengers, but also the geographic location of the vehicle, the environment inside and outside the vehicle, and the usage data of the Internet of Vehicles.

  "The automobile industry involves many fields such as national economy, equipment manufacturing, finance, transportation, production and life, and automobile data processing capabilities are increasing day by day, and the exposed automobile data security issues and hidden risks are also becoming increasingly prominent," the relevant person in charge of the National Internet Information Office said. According to the introduction, the problems are mainly focused on: the excessive collection of important data by car data processors beyond actual needs; the illegal handling of personal information, especially sensitive personal information, without the user's consent; and the illegal transfer of important data out of the country without a security assessment.

Therefore, it is urgent to strengthen the management of automobile data security, prevent and resolve the above-mentioned security problems and hidden risks, and promote the rational and effective use of automobile data in accordance with the law and the healthy and orderly development of the automobile industry.

  Huang Zihe, vice president of the China Electronics Information Industry Development Research Institute, said that the promulgation of the "Regulations" is conducive to speeding up the construction of the intelligent networked vehicle data security assurance system, improving data security assurance capabilities, and promoting the construction of a strong manufacturing country, a network power country, and a transportation power country.

  Clarify personal information, sensitive personal information, and important data in car data

  After each long holiday, some car brands will release data on the driving trajectory, the most popular scenic spots, and the best hit songs of their smart connected models.

Many consumers will ask, what data can cars collect from drivers and passengers?

If data collection and use lack effective management, and car companies arbitrarily collect information such as the voices and images of the drivers and passengers in the car, the location of the vehicle and the surrounding environment, will this cause personal information to be leaked or abused, or even endanger public and national security?

  The "Regulations" clearly define the meaning and types of personal information, sensitive personal information, and important data in automobile data.

  ——Personal information refers to various information related to the identified or identifiable vehicle owner, driver, passenger, and people outside the vehicle that have been recorded electronically or by other means, and does not include anonymized information.

  ——Sensitive personal information, which mainly includes information such as vehicle track, audio, video, image and biometric features.

  ——Important data, mainly including geographic information, personnel flow, vehicle flow and other data in important sensitive areas such as military management zones, national defense science and industry units, and party and government agencies at or above the county level; vehicle flow, logistics, and other data that reflect economic operations; operating data of the car charging network; video and image data outside the car including face information, license plate information, etc.

  The "Regulations" propose that car data processors should adhere to the principles of "in-car processing", "not collecting by default", "accuracy range application", and "desensitization processing" in carrying out car data processing activities, so as to reduce the disorderly collection of car data and its illegal use and abuse.

"In-vehicle processing means that data is not provided outside the vehicle unless it is absolutely necessary; not collecting by default means that, unless the driver sets it independently, the default setting each time you drive is not to collect; accuracy range application means that the coverage and resolution of cameras, radars, etc. are determined by the data accuracy required by the function or service provided; desensitization processing requires anonymization and de-identification to be performed as much as possible," the relevant person in charge of the National Internet Information Office said.

  Car data processors should better fulfill their personal information protection responsibilities

  "Intelligent connected cars collect data. Do drivers and passengers have the right to know? Do they have the right to veto?"

  "Can drivers and passengers turn off related data collection functions?"

  In the face of the above questions, the "Regulations" clarify the specific requirements for handling personal information and sensitive personal information.

  Regarding personal information, the first requirement is the obligation to inform, the second is the obligation to obtain consent, and the third is the requirement for anonymization.

For sensitive personal information, on top of fulfilling the obligations of notification and obtaining individual consent, the processor should also meet specific requirements such as limiting the processing purpose, prompting the collection status, and making it convenient for individuals to terminate the collection.

For personal biometric information, it can be collected only when it is clearly necessary to enhance driving safety.

  "Restricted processing purpose refers to the purpose of directly serving individuals, including enhancing driving safety, intelligent driving, navigation, etc.; prompting the collection status includes notifying, through user manuals, on-board display panels, voice, and car usage-related applications, etc., the necessity and the impact on individuals. In addition, individual consent should be obtained, and individuals can set the consent period on their own; if individuals request deletion, the car data processor should delete it within 10 working days." The relevant person in charge of the State Internet Information Office added that the car data processor must have the purpose of, and sufficient necessity for, enhancing driving safety before collecting fingerprints, voiceprints, faces, heart rhythms and other biometric information.

  Our reporter Wang Zheng