Europe needs swift action in regulating data-gathering smart cars

European lawmakers should get serious about creating a framework to evaluate the potential data security and cybersecurity risks of foreign EVs, before they hit the road in large numbers, says Wendy Chang. 

Chinese electric vehicles (EVs) are coming to Europe in large numbers. In 2024, a projected 25 percent of battery cars sold in Europe will be made in China. While EU lawmakers are making moves to protect Europe’s car industry, which faces stiff competition from low-priced Chinese vehicles, there is another aspect that merits consideration — the data security concerns created by intelligent vehicles, loaded with cameras and sensors, and their potential vulnerability to being hacked.

Smart cars, by design, capture huge quantities of data — about the vehicle itself, its surroundings, and its driver. The real-time environmental data captured by its sensors and cameras enables smart functionality like automated driving. Intelligent vehicles are also highly connected – the data collected is constantly uploaded to common networks, for example, precise location data for real-time traffic analysis.

By integrating with the driver’s personal devices such as smartphones, smart cars can access even more personal information. Tellingly, local governments and the Chinese military have forbidden Teslas from navigating near their buildings. Whether this was out of legitimate concern or political theatre is hard to determine, but it does sharpen the point — no one trusts smart cars from the other side.

Where this trove of data is stored and who has access to it has become the crux of the issue on data security — for smartphone apps, and similarly for EVs. Beijing has made a concerted effort to solidify its control over the country’s data in the last few years. Laws like the National Intelligence Law could requirre tech companies to turn over data to the government when it concerns issues of national security. Companies have little recourse for rejecting such requests.

Scrutiny over TikTok best illustrates the growing tension over user data. TikTok in its effort to assuage US concerns launched Project Texas, which purports to store US user data in locally hosted data centers. This effort largely failed to appease lawmakers, especially after it came to light that engineers in Beijing headquarters retained access to the data. Consequently, the US Congress has passed a bill to ban the app unless TikTok’s parent company, ByteDance, relinquishes ownership of its US business. The EU and many European countries have banned the use of TikTok by government officials on work devices. With the Digital Services Act coming into effect earlier this year, the European Commission has opened formal proceedings to assess whether TikTok has complied with its obligations. Data collected by smart cars could very much be subject to the same concerns.

Smart cars are data-gathering sources and hacking targets

Data in the digital age serves as a vital resource for developing data-hungry applications. EVs require large amounts of gathered data to train their algorithms on self-driving and other developing functionality. Left unregulated, large amounts of European driver data could be used towards helping Chinese EVs become more competitive.

The Chinese government for its part has recognized data as a “factor of production” and has legislated extensively to centralize its control and access. In particular, it has placed strict restrictions on foreign companies from transferring Chinese nationals’ data out of China, which limits foreign carmakers’ ability to develop smart driving technology for the Chinese market.

Smart cars are often dubbed as “smartphones on wheels”, but their potential vulnerability goes beyond that. A smart car is a large collection of hardware and software parts that provide navigation, self-driving, entertainment, and more — and many of these parts come from third-party providers. This leaves them highly vulnerable to the potential threat of hacking.

There have already been reports of individuals successfully circumventing Tesla’s paywall to access features intended only for paying customers. While this may be an issue facing all carmakers regardless of country of origin, the Chinese government’s well-known support for hacker groups does provide an extra reason for pause. The potential for harm that could be caused by hacked vehicles to life and property, or for spying purposes, especially when EVs achieve self-driving abilities, could be vast.

Europe needs to move fast to avoid a 5G-like debacle

Concerns over a potential scenario where a EVs fill European roads should remind us of how a similar debate over 5G infrastructure unfolded across Europe. Chinese firms, particularly Huawei and ZTE, dominated the European markets with their 5G equipment. Assessment of possible security issues and hardware backdoors on these devices lagged their large-scale procurement and use in infrastructure throughout Europe, partly owing to differing views on the issue between countries. 

A similarly uneven attitude on regulating EVs will guarantee to be more complex, as cars can cross country borders. Privately owned EVs will also be much harder to ban or recall after the fact, than ordering telecoms to replace critical infrastructure. The situation can become still more complex as self-driving cars become a reality.

To avoid a repeat of the 5G debacle with EVs, European lawmakers should get serious about creating a framework to evaluate their potential data security and cybersecurity risks, before foreign EVs hit the road in large numbers. Policymakers should establish guidelines for which data smart cars can collect, where it ought to be stored, and how it can be reviewed. The newly created Digital Services Act may be leveraged for this — for example, requiring large online platforms to provide data access to researchers for transparency and public scrutiny. Mechanisms for evaluating the security of smart car components should also be taken into consideration.

EVs are emblematic of a growing class of issues that Europe needs to deal with involving the data security and cybersecurity concerns of foreign technology — EU Competition Commissioner Margrethe Vestager’s proposal of “trustworthiness criteria” for clean technology includes these aspects. Establishing a framework to evaluate the trustworthiness of these and similar products is crucial. Without proper regulation of these aspects, the threat posed by Chinese EVs will be more than economic.

This article was first published by 9Dashline on May 12, 2024.