On October 8, the National Information Security Standardization Technical Committee (hereinafter referred to as TC260) released the first technical document “Guidelines for the Safety of Data Processing for Automobiles”. For this document, we can understand it from two aspects: form and content.
First of all, in terms of form, technical documents are different from formal standards. In essence, a standard is “a uniform specification of repetitive objects and concepts. It is based on the combined results of science, technology and practical experience, is agreed upon by interested parties, approved by the competent body, and published in a specific form, as the norm and basis for common observance”. As the entire connected car industry is in a stage of rapid development, the protection, development and utilization of car data is a new issue. As far as car data is concerned, the privacy protection of private space, as well as different issues such as personal information, important data, network security, road traffic management, and the demand for continuous development and utilization of data in the auto industry ecology, are deeply intertwined. Therefore, the specification of automobile data involves balancing the interests of different aspects and is in a stage of continuous evolution. This is also the case. The “Several Provisions on the Management of Automobile Data Security (Trial)” formulated by the Central Cyberspace Administration of China and other five ministries and commissions has the attribute of “trial implementation” while being legally enforceable. Similarly, for the data collected by automobiles, TC260 proposes safety guidelines for its processing in the form of technical documents rather than standards, which itself is in the field of standardization of automobile data security, based on the “Several Regulations on Automobile Data Security Management (Trial Implementation)” )” means to further explore and try. This is different from another type of publication of TC260, “Network Security Practice Guide”, which is positioned to propose a landing plan for implementing regulatory requirements such as laws and regulations.
Secondly, in terms of content, this technical document is not applicable to vehicle data collection during emergency tasks and operations in closed places. In terms of the definition of the scope of application, the technical documents focus on the behavioral norms of the cars that people drive, ride and contact in their daily lives during and after data collection. Looking at the provisions of the technical documents, the following core ideas are highlighted: First, the interior of the cockpit is the private space for the driver and passengers, which is in line with the relevant provisions of the Civil Code on privacy. “The content of the content embodies the protection of privacy. The second is the key protection of off-vehicle information and the location and trajectory of the vehicle. Chapter VI “Storage Requirements” in the technical document incorporates the security protection requirements of the Personal Information Protection Law and the Data Security Law. Chapter 7 “Requirements for Data Export” in the technical document reiterates the requirements of my country’s data export security management framework, clarifying that cockpit data, off-vehicle data, and location trajectories should not be exported. Finally, Chapter 8 in the technical document emphasizes the main responsibility, requiring automakers to master and manage the data collection and transmission of each component.
Therefore, from the perspective of form and content, TC260 “Automotive Data Processing Safety Guide” faces the ever-evolving and iterative technologies, models and formats, and uses innovative methods to simultaneously safeguard personal, social and public interests and national security.