Xiaomi founder Lei Jun shows off the colours of the SU7, a sporty four-door sedan, with matching Xiaomi smartphones in Beijing, Thursday, March 28, 2024.
5 min read

The data quagmire for German carmakers in China

The renewal of the Sino-German MoU on autonomous vehicles opens up questions around data privacy, security, and Germany’s industrial competitiveness, says Rebecca Arcesati.

One of the few outcomes of German Chancellor Olaf Scholz’s recent trip to China, where he met with President Xi Jinping and toured German companies’ plants, was the prospect of deepening cooperation in autonomous and connected vehicles (AVs). While a positive step toward joint standardization and technology development for safe and green mobility, the renewal of the Sino-German Memorandum of Understanding (MoU) on AVs also opens up deeper questions around data privacy, security, and Germany’s industrial competitiveness.

China’s data governance regime empowers state and Chinese Communist Party (CCP) organs while disempowering companies and individuals. This is a big reason the US Commerce Department launched an investigation into potential national security risks of AVs sold by firms headquartered in “countries of concern” – essentially, China. Aside from spying, an adversarial government might try to hack and remotely sabotage smart cars. China, too, has moved to ward off data-related risks in the auto sector. But while AVs everywhere hold cybersecurity vulnerabilities, Chinese companies like BYD or Huawei would likely have a hard time refusing a government request to share data or leave a backdoor for access.  
Against this backdrop and Beijing’s stated ambition to displace foreign competitors in data-driven industries like AVs, the German government’s intention to discuss “reciprocal data transfer” with China should raise some eyebrows in Europe.

Careful what you promise: The pitfalls of reciprocity 

Reciprocity sounds nice, but it can be a double-edged sword. As Chinese electric vehicle (EV) manufacturers start to localize R&D in Europe and their products become more competitive, they will naturally seek to transfer some data back to their headquarters. This raises thorny questions around privacy, data security, and the protection of critical infrastructure. Shouldn’t  European policymakers be thinking about viable solutions that maximize local storage of personal data, like they did with TikTok, owned by the Chinese company Bytedance? Should Chinese-built AVs have access to sensitive sites, and should public officials drive them? 

New technologies are reshaping the auto sector, and legacy companies are struggling to keep up while innovative (and heavily subsidized) Chinese firms are moving faster. Smart vehicles siphon and process huge volumes of data. New cars are already highly digitally networked, using advanced software, including artificial intelligence (AI), to enable limited autonomy. AI learns from driver and passenger behavior, while sensors ingest data on the surroundings, preparing for a day when AVs will assess road conditions and make decisions. All this requires seamless data sharing with manufacturers and software vendors.

Before offering data access for Chinese carmakers in the name of reciprocity and free trade, the German government might want to consider Germany’s national security interests. The EU’s General Data Protection Regulation (GDPR) was not designed to deal with the strategic dimension of data protection – for instance, the appropriation and exploitation of sensitive data by foreign states. Cybersecurity legislation, particularly the NIS 2 Directive, enables member states to assess supplier-level risks in digital supply chains, which the European Commission is nudging capitals to do. Unfortunately, Berlin’s foot-dragging on Chinese vendors’ role in fifth generation (5G) telecommunication networks suggests a fear that doing so would hurt German companies in China.

German carmakers, in the meantime, have been struggling with China’s strict data localization requirements. Chinese data export restrictions for the auto industry have been in place since October 2021, forcing foreign companies like BMW and Tesla to store a wide range of data locally. As Beijing’s treatment of Tesla and domestic ride hailing giant Didi has shown, Chinese policymakers regard AV manufacturers as operators of critical information infrastructure. Without needing to copy China’s approach, perhaps German policymakers too should take security more seriously.

Data for industrial policy – for whose industries?

Another reason reciprocity is the wrong approach to data issues is that Beijing does not seem interested unless it has something to lose. For starters, in response to fierce European industry lobbying, China’s cybersecurity regulator CAC significantly relaxed its data export rules in March. That did not assuage all concerns of German carmakers, but it showed that China’s leaders can be responsive when pushed. Faced with the lowest inbound foreign investment in decades, Xi’s security-obsessed bureaucrats had to give in. By contrast, the Sino-German MoU simply contains a vague commitment to dialogue on data restrictions, meaning Xi made no concessions to Scholz. 

The bottom line: the CCP regards data as a “factor of production” whose value should accrue first and foremost to domestic actors. This is about applying data in key industries China seeks to dominate. Any promises to level the playing field should be seen through the lens of Beijing’s non-negotiable national security and industrial policy priorities. When European companies complain they can’t access data pools in China, which they need for R&D and innovation, they are up against a government strategy to outcompete advanced economies in digital industries.

China has required mandatory government access to EV data since 2017 for domestic and international companies. They must transmit mechanical and navigation data to local government-run data centers, where it is then pooled into a central platform managed by the Ministry of Industry and Information Technology and the Beijing Institute of Technology. This is done not only to prevent fraud, reduce carbon emissions, improve public safety, and monitor fleet performance and security, but also to stimulate innovation among Chinese EV makers. But it is far from clear that German carmakers can benefit from those data pools to the same degree as their local competitors. 

A new world

While Scholz was in China, former European Central Bank president and Italian prime minister Mario Draghi said in a speech that Europe needs “radical change,” as both China and the United States break trade rules to strengthen their own manufacturing bases. He explicitly called China out for “attempting to capture and internalize all parts of the supply chain in green and advanced technologies.” 

Meanwhile Germany, whose car industry keeps deepening its reliance on China in defiance of both the EU’s “de-risking” plans and Beijing’s message that foreign companies shall eventually be replaced, does not seem ready for this new world. Cooperating with China can greatly benefit Germany. But sticking to the old rules of engagement, hoping China will change while ignoring its stated ambitions and signaling that data privacy and security may be negotiable, will hardly serve German interests.

This article was first published by The Diplomat on May 6, 2024.