
Europe’s vehicle-data gap: How under-regulation gives Chinese carmakers an edge


This analysis is part of the MERICS Europe-China Resilience Audit. For detailed country profiles and further analyses, visit the project's landing page.


The EU Data Act expands access to information from connected vehicles, but fragmented rules and weak oversight risk undermining its promise of innovation, says Wendy Chang. 

The number of foreign-made connected vehicles on European roads is growing rapidly, and the EU now faces a critical moment. The EU Data Act took effect in September, giving users more control over their vehicle data and the right to share it with third parties. Modern cars collect vast amounts of sensitive information — including about drivers and their environment — that can affect everything from individual privacy to public safety and national security.

While the Data Act promises innovation and new services through greater data accessibility and interoperability, it also raises urgent questions about how this data — personal or otherwise — can be safely gathered, processed, and shared across borders. Without clear rules and stronger oversight, Europe risks privacy violations, cybersecurity threats, and an uneven playing field that favors foreign players, particularly Chinese electric vehicle makers. 

Chinese car makers benefit from operating within one of the world’s most comprehensive frameworks for regulating data-collecting smart cars – one from which the EU could also draw insights. China’s data governance regime imposes stringent controls on the collection, storage, handling, and cross-border transfer of data. Core frameworks such as the Data Security Law, Cybersecurity Law (CSL) and Personal Information Protection Law (PIPL) form the general legal foundation, while the Several Provisions on the Management of Automobile Data Security extends these requirements specifically to connected vehicles.

Under these laws, “important data” is defined as information that may affect national security or public interests. For connected vehicles, this can include geographic and traffic data near sensitive areas, operational data from charging networks, and images containing identifiable faces or license plates. Personal information involving more than 100,000 individuals also falls under this category. All such data must be stored within China, and any transfers abroad must undergo rigorous security assessments. Car makers and service providers may also be deemed “critical information infrastructure operators” (CIIOs) who are responsible for the cybersecurity of their networks and subject to regular cybersecurity assessments.

China’s regulations safeguard domestic data and constrain foreign competitors

Tesla’s experience in China illustrates how these regulations safeguard domestic data and constrain foreign competitors. In 2021, Tesla vehicles were banned from certain government and military areas. The company later had to build a data center in Shanghai and comply with local data-handling rules before receiving a data security certification in 2024. Because map data and mapmaking activities in China are tightly controlled, Tesla is required to partner with Baidu instead of using its own electronic maps. Tesla is also unable to transfer Chinese road data abroad. With Washington barring Tesla from training AI in China, the company is therefore unable to train its autonomous driving AI on ample data — leaving Tesla’s Chinese offerings less capable and less attractive than those of local rivals.

By contrast, the EU’s approach to vehicle data regulation is fragmented. The General Data Protection Regulation (GDPR) remains the primary safeguard for personal data, requiring consent for collection and processing, and enforcing data minimization and transfer restrictions. But much of the data generated by vehicles — such as grid analytics, traffic flows, or aggregated technical metrics — can fall outside its definition of personal data.

The EU also lacks comprehensive frameworks for cross-border transfers of non-personal data. While the GDPR mandates safeguards for personal data sent to countries without an adequacy decision, industrial and operational data are not similarly covered. The new Cross-Border Data Flow Communication Mechanism between Europe and China, for instance, appears primarily aimed at helping European companies export data from China. This imbalance is concerning given Chinese companies’ legal obligation to provide data to the government under the National Intelligence Law and other legislation. 

EU must close gap in rules to verify the trustworthiness of suppliers

Cybersecurity is one area in which the EU has made commendable progress. Modern connected vehicles transmit and receive data over the internet, including software updates. This makes them vulnerable to cyberattacks, which can pose serious risks for both the driver and the public. UN Regulations No. 155 and 156 mandate cybersecurity management systems for new car types, addressing risks from both connected features and over-the-air updates. The associated international standard, ISO/SAE 21434, details engineering requirements for cybersecurity risk management. China’s 2024 cybersecurity standard, GB 44495, is in fact modeled after R155.

But there remains a gap in the EU for rules to verify the trustworthiness of suppliers for security-critical components. China’s Cybersecurity Review Measures require reviews of network products and services, while the US has gone further by banning Chinese-made components in two high-risk categories: Vehicle Connectivity Systems (VCS) and Automated Driving Systems (ADS). The EU’s Cyber Resilience Act will introduce cybersecurity requirements for digital components by late 2027, but rigorous enforcement will be key.

Under-regulating the collection and transfer of vehicle data and the cybersecurity of critical vehicle components will leave the EU exposed — to violations of privacy, threats to public safety, and even risks to national security. At the same time, the asymmetry between China’s restrictive approach to foreign access and Europe’s permissive stance towards Chinese automakers creates an uneven playing field for European manufacturers. Without stronger regulatory guardrails, Europe risks compromising not just data protection and cybersecurity — but the competitiveness and security of its entire car industry.



This analysis was made possible with support from the “Dealing with a Resurgent China” (DWARC) project, which has received funding from the European Union’s Horizon Europe research and innovation programme under grant agreement number 101061700. 

Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union. Neither the European Union nor the granting authority can be held responsible for them.

