The development of new energy vehicles in China is booming, and many domestic car manufacturers are expanding globally. In 2023, China exported 4.91 million cars, surpassing Japan’s 4.42 million, becoming the world’s largest car exporter. As one of the major automotive markets globally, the EU has always been an important destination for Chinese automotive companies. Against the backdrop of complex global geopolitical situations, sluggish economic growth, and the decline of EU new energy subsidies, Chinese automotive companies face many complex challenges when entering Europe. The EU’s General Data Protection Regulation (GDPR) is the biggest data compliance challenge for Chinese automotive companies entering Europe.
The EU’s General Data Protection Regulation came into effect on May 25, 2018, and is known as the strictest personal data protection legislation in history. This regulation aims to protect personal data and privacy rights and stipulates how personal data is collected, used, processed, and stored. Fines can reach up to 4% of the company’s annual revenue or €20 million, whichever is higher.
As of August 14, 2023, there have been a total of 1,778 GDPR enforcement actions (an increase of 562 since the statistics on November 30 last year), with total fines exceeding €4 billion (an increase of approximately €2 billion), the largest fine being €1.2 billion imposed on an international internet giant in May 2023.
For Chinese automotive companies entering the market, especially in the context of rapidly developing intelligent connected vehicles and digital transformation, their products and operations face GDPR compliance challenges:
1. For their products, intelligent connected vehicles and associated mobile applications collect and generate vast amounts of data daily and frequently interact with public facilities, automotive companies, third-party service providers, and user smart terminals. Scenarios such as assisted driving, onboard cameras, high-precision sensors, in-car recording devices, map positioning, vehicle interaction, and remote control may collect and generate personal data within the context of GDPR. This data may remain in the vehicle, be collected into the information systems of automotive companies and their service providers, or circulate between user devices and vehicles.
2. For their operations, cooperation with dealers, marketing activities, customer data management, insurance, financial services, cooperation with cloud services and telecommunications operators, technical operations, and coordination with headquarters in China all involve the collection, processing, storage, and transmission of vast amounts of personal data.
Indeed, the complex scenarios and massive amounts of data pose significant GDPR compliance challenges for Chinese automotive companies entering Europe. However, the greater challenge for these companies may lie in how to avoid lag in data compliance actions. Faced with long product development cycles, high costs of violations, substantial overseas investments, and complex multinational governance structures, such lag can lead to higher costs, inefficient internal communication, and consequences that are harder to correct or remedy.
To address these challenges, we recommend that automotive companies entering the market adopt a “proactive and embedded” approach to privacy design. This means that from the very beginning of product, application, and business process design, privacy protection requirements should be proposed.
The concept of privacy by design was introduced by Dr. Ann Cavoukian, former Information and Privacy Commissioner of Ontario, Canada, in the 1970s and was incorporated into the EU Data Protection Directive (RL 95/46/EC) in the 1990s. Privacy by design advocates the proactive, comprehensive, and embedded integration of privacy protection into a company’s technology and business practices. Privacy protection requirements should be integrated from the outset of product or service design, so that privacy protection is present throughout the entire lifecycle of personal data processing activities, including collection, transmission, storage, processing, sharing, and destruction, rather than sought through remedial measures after the product or service has been developed.
Privacy by design has seven fundamental principles:
- Proactive, Not Reactive. Implement privacy protection controls proactively and continuously, rather than reactively compensating after incidents occur. Considering privacy protection-related compliance requirements and risk control measures from the very beginning of product and business design will help companies predict and prevent compliance risks before they occur.
- Default Privacy Protection. Privacy should be the default setting of the product, meaning that personal data processing should be automatically protected by default in products and operations. This proactive approach helps companies set privacy as the default setting of their products.
- Embedded Privacy Design. Privacy protection considerations should be comprehensively integrated into the design of products or services from the start, rather than added afterward. By embedding privacy into the design, privacy protection functions and features can be implemented, ensuring that personal data processing complies with legal regulations and user expectations.
- Positive-Sum, Not Zero-Sum. Good privacy design should complement product functionality, rather than hinder users’ access to basic functions and usability. Good privacy design contributes to brand enhancement and helps users accept the use of products, creating a win-win situation rather than a zero-sum game.
- End-to-End Security. Privacy design should span the entire lifecycle of data, ensuring that user data is protected from collection, transmission, storage, to use, sharing, and destruction.
- Visibility and Transparency. Companies should clearly state the purposes for which they process personal information and ensure that all relevant parties are aware of these purposes. Additionally, privacy design should ensure that relevant operations are independent and verifiable.
- Respect for User Privacy. Companies should be user-centered and respect user privacy, fostering a corresponding culture and philosophy. Only in this way can companies truly understand user needs regarding privacy and make better decisions when implementing privacy design.
In fact, the core principles of privacy by design are already reflected in the GDPR. Article 25 of the GDPR and the FTC privacy design framework explicitly mention the concepts of “privacy/data protection by design” and “privacy by default.” The European Data Protection Board (EDPB) published guidelines in November 2019 on “Data Protection by Design and by Default” (Guidelines 4/2019 on Article 25 Data Protection by Design and by Default), providing guidance on the theory of privacy design and its practice under GDPR.
Having understood the challenges posed by GDPR and the concept of privacy by design, in the second half of this special issue, we will provide recommendations for automotive companies entering the market to focus on four key aspects when implementing privacy by design: establishing “a set of processes,” forming “a stack of evidence,” producing “a big picture,” formulating “a set of systems,” and implementing “a group of platforms.” Stay tuned!
This article is published by the Shanghai International Trade Promotion Commission and may not be reproduced, reprinted, modified, excerpted, or used without authorization. This article is for general informational purposes only and should not be used as a substitute for professional advice.