Europe needs swift action in regulating data-gathering smart cars

Chinese electric vehicles (EVs) are coming to Europe in large numbers. In 2024, a projected 25 per cent of battery cars sold in Europe will be made in China. While EU lawmakers are making moves to protect Europe’s car industry, which faces stiff competition from low-priced Chinese vehicles, there is another aspect that merits consideration — the data security concerns created by intelligent vehicles, loaded with cameras and sensors, and their potential vulnerability to being hacked.

Smart cars’ ability to gather information should draw parallels to smartphone apps such as TikTok. The Biden administration has announced an investigation into the data security concerns of foreign smart cars, clearly aimed at China. While European lawmakers may shy away from such a targeted approach, they should still establish frameworks to evaluate the data security and cybersecurity risks of smart cars. One place to start could be to leverage the new Digital Services Act, which is currently being used to regulate TikTok.

The strategic importance of data

China is seeking to boost its manufacturing sector by moving into higher value-added goods, and EVs are its star product. Chinese state media has celebrated the growth of exports in the “New Three” — EVs, solar cells, and lithium batteries. Aided by concerted efforts of state support including massive subsidies, preferential tax treatment and procurement contracts, Chinese EV companies have thrived. They have managed to produce vehicles loaded with advanced features, and at prices that are difficult to match by western carmakers. EV maker BYD surpassed Tesla in the last quarter of 2023 as the biggest seller of electric vehicles in the world.

To avoid a repeat of the 5G debacle with EVs, European lawmakers should get serious about creating a framework to evaluate their potential data security and cybersecurity risks, before foreign EVs hit the road in large numbers.

With the US largely excluding Chinese EVs through a high 27.5 per cent tariff, soon to be raised to a whopping 102.5 per cent, Chinese EV firms are looking to Europe for its growing export capacity. In 2023, Europe accounted for around 55 per cent of Chinese EV exports. BYD’s recent announcement to build its first European plant in Hungary shows their plans to expand European operations, in anticipation of tariffs.

Faced with the possibility of Chinese EVs flooding the market, the EU has launched an anti-subsidy probe into Chinese EVs. As this investigation draws towards its conclusion, the EU has started requiring import registration for Chinese EVs, to apply retroactive tariffs should they be decided on. But while the focus has largely been on the economic front, the data-gathering potential of smart cars also warrants our urgent attention.

Smart cars, by design, capture huge quantities of data — about the vehicle itself, its surroundings, and its driver. The real-time environmental data captured by its sensors and cameras enables smart functionality like automated driving. Intelligent vehicles are also highly connected – the data collected is constantly uploaded to common networks, for example, precise location data for real-time traffic analysis.

Additionally, by integrating with the driver’s personal devices such as smartphones, smart cars can access even more personal information. Tellingly, the Chinese government itself has taken action against US smart cars on the grounds of data security. Local governments and the Chinese military have forbidden Teslas from navigating near their buildings, for fear of potential data gathering. Whether this was out of legitimate concern or political theatre is hard to determine, but it does sharpen the point — no one trusts smart cars from the other side.

Where this trove of data is stored and who has access to it has become the crux of the issue on data security — for smartphone apps, and similarly for EVs. Beijing has made a concerted effort to solidify its control over the country’s data in the last few years. Laws like the National Intelligence Law could require tech companies to turn over data to the government when it concerns issues of national security. Companies have little recourse for rejecting such requests, and often fear government retaliation in addition.

Scrutiny over TikTok best illustrates the growing tension over user data. TikTok in its effort to assuage US concerns launched Project Texas, which purports to store American user data in locally hosted data centres. This effort largely failed to appease lawmakers, especially after it came to light that engineers in Beijing headquarters retained access to the data. Consequently, the US Congress has passed a bill to ban the app unless TikTok’s parent company, ByteDance, relinquishes ownership of its US business. The EU and many European countries have banned the use of TikTok by government officials on work devices. With the Digital Services Act coming into effect earlier this year, the European Commission has opened formal proceedings to assess whether TikTok has complied with its obligations. Data collected by smart cars could very much be subject to the same concerns.

Smart cars are data-gathering sources and hacking targets

Data in the digital age serves as a vital resource for developing data-hungry applications. Much like social media customising recommendation algorithms based on usage data, EVs require large amounts of gathered data to train their algorithms on self-driving and other developing functionality. This means that left unregulated, large amounts of European driver data could be used towards helping Chinese EVs become more competitive, further tilting the scale of competition against European carmakers.

The Chinese government for its part has recognised data as a “factor of production” and has legislated extensively to centralise its control and access. In particular, it has placed strict restrictions on foreign companies from transferring Chinese nationals’ data out of China, which limits foreign carmakers’ ability to develop smart driving technology for the Chinese market.

Smart cars are often dubbed as “smartphones on wheels”, but their potential vulnerability goes beyond that of smartphone apps. A smart car is a large collection of hardware and software parts that provide navigation, self-driving, entertainment, and more — and many of these parts come from third-party providers. This leaves them highly vulnerable to the potential threat of hacking.

There have already been reports of individuals successfully circumventing Tesla’s paywall to access features intended only for paying customers. While this may be an issue facing all carmakers regardless of country of origin, the Chinese government’s well-known support for hacker groups does provide an extra reason for pause. While most cyberattacks today target things like users’ financial details or the charging network, the potential for harm that could be caused by hacked vehicles to life and property, or for spying purposes, especially when EVs achieve self-driving abilities, could be vast.

Europe needs to move fast to avoid the 5G-Like debacle

Concerns over a potential scenario where Chinese EVs fill European roads should remind us of how a similar debate over 5G infrastructure unfolded across Europe. Chinese firms, particularly Huawei and ZTE, dominated the European markets with their 5G equipment. Assessment of possible security issues and hardware backdoors on these devices lagged their large-scale procurement and use in infrastructure throughout Europe, partly owing to differing views on the issue between countries. Rip-and-replace is expensive and complex — the German government is still working on legislation that could potentially order the removal of Huawei equipment from critical infrastructure.

A similarly uneven attitude on regulating EVs will guarantee to be more complex, as cars can cross country borders. Privately owned EVs will also be much harder to ban or recall after the fact, than ordering telecoms to replace critical infrastructure. The situation can become still more complex as self-driving cars become a reality.

To avoid a repeat of the 5G debacle with EVs, European lawmakers should get serious about creating a framework to evaluate their potential data security and cybersecurity risks, before foreign EVs hit the road in large numbers. Policymakers should establish guidelines for which data smart cars can collect, where it ought to be stored, and how it can be reviewed. The newly created Digital Services Act may be leveraged for this — for example, requiring large online platforms to provide data access to researchers for transparency and public scrutiny. Mechanisms for evaluating the security of smart car components should also be taken into consideration.

EVs are emblematic of a growing class of issues that Europe needs to deal with involving the data security and cybersecurity concerns of foreign technology — EU Competition Commissioner Margrethe Vestager’s proposal of “trustworthiness criteria” for clean technology includes these aspects. Establishing a framework to evaluate the trustworthiness of these and similar products is crucial. Without proper regulation of these aspects, the threat posed by Chinese EVs will be more than economic.

DISCLAIMER: All views expressed are those of the writer and do not necessarily represent that of the 9DASHLINE.com platform.

Author biography

Wendy Chang works on topics relating to the geopolitics of technology at MERICS. She has a background in software engineering and holds a Computer Science degree from MIT. Image credit: Wikimedia Commons/Alexander-93.