In China, self-driving cars are also referred to as intelligent connected cars, and it is this “intelligence” and “connectedness” that permits such vehicles, through V2X technology, to achieve information exchange with all entities that can affect the vehicle. V2X includes numerous forms, such as V2V (vehicle to vehicle), V2I (vehicle to infrastructure), V2N (vehicle to network), V2P (vehicle to pedestrian), etc.

When a self-driving car engages in information exchange, it may need to collect such data as location information, health condition, personal particulars, etc. of the vehicle owner/driver/passengers. The formulation of a strict compliance system for the collection, use, sharing and storage of personal information by a controller of personal information relating to self-driving cars is an important step in establishing a relationship of trust between the public and automated driving technology.

Personal information protection legislation in China. At the moment, there is no legislation in China specifically addressing self-driving cars. As for the protection of personal information, it can be found scattered among such laws and regulations as the General Provisions of the Civil Code, the Cybersecurity Law, etc. and other standard documents. Article 111 of the General Provisions of the Civil Code approaches the protection of personal information from the perspective of the right to privacy, “the personal information of natural persons shall be subject to the protection of the law. Any organization or individual that wishes to obtain the personal information of other persons shall do so in accordance with the law, ensure the security thereof, may not unlawfully collect, use, process or transmit the same and may not unlawfully buy or sell, provide or disclose the same.”

Article 76 of the Cybersecurity Law defines the term “network” as a system comprised of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information in accordance with certain rules and procedures. It is certain that self-driving cars will fall under the regulation of the Cybersecurity Law. Given that the Cybersecurity Law makes use of the user real-name system as a prerequisite for an operator to provide services, with the gradual commercialization of self-driving cars in future, the collection and use of sensitive personal information will be unavoidable.

Protection of personal information in connection with automated driving abroad. Taking the United States as an example, the US House of Representatives unanimously passed the Self Drive Act (H.R. 3388) in September 2017, which prohibits manufacturers from selling, offering for sale or importing any highly automated vehicles in or to the US, unless such manufacturer formulates a privacy policy that includes the following: a written privacy plan with respect to the collection, use, sharing, and storage of information about vehicle owners or occupants collected by a highly automated vehicle. However, if information about an occupant is anonymized or de-identified, the manufacturer is not required to include the process or practices regarding that information in the privacy policy.

Preparing for the Future of Transportation: Automated Vehicles 3.0 (AV 3.0) issued by the US Department of Transportation in October 2018 also expresses concern for the issue of privacy protection. Given that all parties with an interest in automated driving regularly express concern about data privacy, the Department of Transportation will cooperate with the Federal Trade Commission in providing a privacy protection arrangement for consumers.

In contrast to the US’s principle-based legislation, Germany, when revising its Road Traffic Regulations in May 2017, required the installation of “black boxes” with data recording functions in self-driving cars, but, with respect to such data as personal information, etc. recorded by such “black boxes”, the regulations oblige vehicle owners to provide data only on the basis of the law enforcement activities of law enforcement authorities or the request of a party to a traffic accident. With respect to the period for which data is to be preserved, the bill of amendment specifies that the same are to be preserved for six months under normal circumstances, but when a traffic accident occurs, the same are to be preserved for three years.

The ethical rules for automated and connected vehicular traffic issued at the same time by the Ethics Commission of the Federal Ministry of Transport and Digital Infrastructure additionally propose for the first time the ethical rule that users are the persons with the rights in their data and it is they who ultimately make the decisions on their driving data.

Personal information compliance system relating to automated driving. At present, the excessive collection and abuse of personal information in the Internet sector has been roundly criticized by many, so the fostering of public confidence in automated driving, as an emerging industry, is of utmost importance, and within that, the disclosure of personal information is the topic of most concern to the public, other than security.

From the legislation of various countries that addresses personal information and self-driving cars, it can be seen that the provision of privacy protection for personal information is a pre-requisite for self-driving cars to become a reality. Accordingly, for manufacturers or operators of self-driving cars, the establishment of a personal information compliance system is imperative.

Taking into account the particularities of the automated driving sector, the following points should be taken into consideration when establishing a personal information compliance system:

(1) As the information collected by a self-driving car comes from numerous people, such as the vehicle owner, driver, passengers and even pedestrians, the collection of personal information should adhere to the principle of“minimum and necessary” and appropriate rules for the period of storage, the scope of use, etc. of the personal information of such different persons should be set forth;

(2) Considering that the EU’s General Data Protection Regulation (GDPR) has established extraterritorial jurisdiction, the compliance system additionally needs to effectively avoid foreign law compliance risks;

(3) Given that the legislative activities of various countries in respect of data sovereignty are increasingly robust, a compliance system needs to take account of the risks that could be faced when personal information exits in China, even if the rules for the administration of the exit of personal information from China have yet to be issued; as an avoidance measure, the de-identification and anonymization of personal information to the greatest extent possible may be an option for minimizing compliance risks.

Cheng Zhonghua is an associate at AllBright Law Offices