Expert Interpretation | Technical Document of “Safety Guidelines for Automobile Data Collection and Processing”

Cars have become an indispensable part of people’s lives, and the development and spread of smart car technology has brought them new functions that are already familiar to the public. However, services such as autonomous driving and intelligent navigation not only bring great convenience to people’s lives, but also raise widespread concerns about data security.

Services such as autonomous driving and intelligent navigation in smart cars all rely on large amounts of data obtained through car sensors. On the one hand, this data is necessary to provide the service; on the other hand, it contains a great deal of important data and personal information. Cars inevitably process a lot of private personal data when collecting in-vehicle information, which creates a need for personal information protection. Many people are skeptical about this, which exacerbates the conflict between manufacturers and individuals. Because there were previously no relevant norms with a clear scope and clear rights and responsibilities, it has been difficult for car manufacturers to have “laws to abide by and rules to follow”. This has led to confusion in how current technologies are implemented, hindered the promotion of business applications, and produced irregular implementations. The resulting security risks may also adversely affect the data security of nations and citizens.

On August 16, 2021, the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Transport and other departments jointly issued the “Several Regulations on the Management of Vehicle Data Security (Trial)” (hereinafter referred to as the “Several Regulations”). The “Several Regulations” clarify the scope, type, life cycle environment and processing principles of automobile data, put forward security requirements for personal information and important data, and provide a guiding-document basis for solving these problems.

On October 8, 2021, the National Information Security Standardization Technical Committee released the technical document “Guidelines for the Safety of Data Processing in Automobiles” (hereinafter referred to as the “Guidelines”). The Guidelines stipulate the security requirements for processing activities such as the transmission, storage and export of vehicle-collected data, and give standardized guidance for implementing the requirements in the “Several Regulations”. The author believes that the “Guidelines” are significant in the following respects:

1. Building on the “Several Regulations”, the “Guidelines” focus on automobile manufacturers, clarify the “Several Regulations” at a technical level, and further refine some requirements in light of the current state of technology. This technical document was drawn up by the standardization research institute together with a number of automobile research and evaluation institutes and automobile manufacturers, through full consultation, discussion and extensive solicitation of opinions. The technical requirements it puts forward are highly compliant, usable and forward-looking. Together with the “Several Regulations”, it forms a system of guidance documents and standardized documents, which provides a practical basis for solving the security problems of automobile data management.

2. Secondly, from the technical dimension, the “Guidelines” give a clear definition of four types of car data: external data, cockpit data, operation data and location trajectory data. They set different security requirements according to activities such as transmission, storage and export, including anonymization of personal information in external data, specified storage times for external data and location trajectory data, and export requirements for car-collected data. This gives car manufacturers specific, usable and effective guidance for clarifying their data classification and implementing the corresponding protection measures. The overall formulation of the document conforms to the principle of “classified and hierarchical protection of data” proposed in the “Data Security Law”. It is an excellent example of formulating standardized documents under the Data Security Law for a specific technical field and application scenario, and it provides a reference for the formulation of other standardized documents for data security specifications.

3. Finally, the “Guidelines” mark the first time that TC260 has published a standardized document in the form of a technical document. Technical documents are application-oriented and issued by the Standardization Technical Committee, which greatly improves the timeliness of the documents and helps to improve and accelerate the standardization document system. This form promotes standard implementation and verification work, collects opinions from all sides, and provides new ideas for technical fields that urgently need to implement relevant standardization requirements, so it plays a good demonstration role.

