China's Autonomous Vehicles Enter European Markets: Navigating the Inevitable GSR and GDPR Data Compliance

06/17 2024

With the continuous advancement of technology, intelligent driving technology, as an important development direction in the automotive industry, is profoundly changing people's travel patterns and transportation ecosystem. As one of the largest automotive markets in the world, China is naturally actively exploring and promoting the development of intelligent driving technology. To further expand the market, more and more Chinese automakers are successively introducing new models into the European market.

However, Europe, with its strict regulations on personal and data privacy, has stringent regulatory requirements for models sold in the market. Two particularly notable regulations are:

The "General Safety Regulation" (GSR), a mandatory access regulation that all newly sold vehicles must meet after July 7, 2024.

In addition, the European data protection regulation, the "General Data Protection Regulation" (GDPR), imposes strict requirements on the collection, processing, and transmission of intelligent driving data.

This poses significant challenges for Chinese automotive companies developing intelligent driving functions in the European market. Therefore, this article will combine relevant information and industry experience to explore the following aspects:

What is GSR?

What is GDPR?

What are the challenges in collecting intelligent driving data in Europe?

Technical differences and procedural compliance regarding data desensitization definitions

What to do if data needs to be transferred abroad?

We will discuss how Chinese automakers ensure compliance with GSR and GDPR requirements when launching intelligent driving models in Europe, especially the challenges and solutions in data collection and cross-border transmission.

I. What is GSR?

GSR stands for The General Safety Regulation, a regulation setting minimum safety standards for motor vehicles and their trailers in the European Union. Adopted in November 2019, it applies to new models from July 6, 2022, and to all new vehicles from July 7, 2024. Its main purpose is to encourage the adoption of life-saving technologies, protect vehicle occupants, pedestrians, and cyclists, and reduce human error, which is the root cause of 90% of accidents on European roads.

GSR 2024 introduces several new safety requirements to improve the safety of vehicles on European roads. Here is an overview of some of these requirements:

Advanced Driver Assistance Systems (ADAS): GSR 2024 requires all new passenger cars and light commercial vehicles sold in the EU to be equipped with ADAS. These systems include technologies such as Automatic Emergency Braking (AEB), Lane Departure Warning (LDW), and Driver Monitoring System (DMS).

Pedestrian and cyclist protection: GSR 2024 requires new vehicles to be designed with improved safety features to protect pedestrians and cyclists in the event of a collision. These features include using advanced sensors and cameras to detect vulnerable road users and using automatic emergency braking systems to prevent collisions.

Improved crash test standards: GSR 2024 introduces new crash test standards to evaluate the safety performance of vehicles. These standards include using new crash test dummies to assess the impact of collisions on different parts of the body and using more comprehensive test procedures to evaluate the safety performance of vehicles.

Intelligent Speed Assistance (ISA): GSR 2024 requires all new vehicles to be equipped with ISA. ISA is a technology that uses GPS and map data to alert drivers when they exceed the speed limit and can even intervene to limit the vehicle's speed if necessary.

Data recording: GSR 2024 requires new vehicles to be equipped with data recorders to collect information about vehicle performance in the event of an accident. These data can be used to investigate accidents and identify ways to improve vehicle safety.

GSR mainly requires newly sold vehicles to have the above configurations, which are relatively straightforward. New vehicles to be launched in Europe must be equipped with relevant functions.

II. What is GDPR?

1. GDPR is known as the strictest data protection law in history

GDPR, the General Data Protection Regulation, officially came into effect on May 25, 2018, unifying the laws and regulations on data protection among EU member states. The GDPR is implemented uniformly in 28 EU member states. As a new regulation designed to protect the personal privacy and data of EU citizens, its enactment means that the EU's protection and regulation of personal information have reached unprecedented heights, making it the strictest data protection law in history.

2. What does GDPR protect?

GDPR aims to protect personal data, which refers to any information relating to an identified or identifiable natural person (data subject). The core objective of GDPR is to give data subjects more control, protect their privacy rights, and ensure that the collection, processing, and storage of personal data comply with specific legal requirements.

According to Article 4 of GDPR, personal data refers to any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to:

Direct identifiers: such as name, ID number, home address, phone number, email address, passport number, social security number (or equivalent), driver's license number, etc.

Indirect identifiers: such as location data, online identifiers (such as IP addresses), cookies, DNA samples, fingerprints, etc.

Other factors: specific factors related to the physical, physiological, genetic, psychological, economic, cultural, or social identity of the individual.

Data controllers must ensure that data processing activities comply with the basic principles of GDPR, including legality, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality. Why is purpose limitation specially emphasized here? Because GDPR requires that data collection have a clear purpose, and the data cannot be arbitrarily diverted to other uses.

3. If data has been desensitized, do you still need to comply with GDPR compliance requirements?

Data desensitization is part of GDPR compliance requirements, especially when data is transmitted and shared, as it helps reduce the risk of data breaches while allowing data to be used for other purposes such as testing, development, or analysis.

However, data desensitization itself does not exempt organizations from complying with other GDPR provisions. Organizations must also ensure:

Compliance with GDPR requirements regarding data subject consent, data protection impact assessments, and data breach notifications

Implementation of appropriate technical and organizational measures to protect data security

Compliance with cross-border data transfer rules

Even if data has been desensitized, it still needs to comply with GDPR compliance requirements.

4. What are the consequences of non-compliance with GDPR?

The consequences of non-compliance with GDPR are severe sanctions and significant fines.

GDPR provides for two levels of administrative fines: for general violations, the maximum fine is €10 million, or up to 2% of the total global annual revenue of the previous fiscal year (whichever is higher); for serious violations, the maximum fine is €20 million, or up to 4% of the total global annual revenue of the previous fiscal year (whichever is higher).

The severity of penalties is based on factors such as:

The nature, severity, and duration of the violation

Whether the violation was intentional or due to negligence

The level of responsibility and control over personal identity information

Whether the violation was a single event or a recurring event

The type and scope of the personal data affected

The degree of harm suffered by the data subject

Actions taken to mitigate the harm

Financial expectations or gains arising from the violation

III. Challenges in Collecting Intelligent Driving Data in Europe

Attention must be paid to GDPR regulations throughout the entire process of vehicle design to delivery, which can be organized into two chains:

The first chain: every step in the product chain from design, development, manufacturing, sales, to after-sales service;

The second chain: introducing GDPR compliance considerations into every step of data collection, storage, processing, transmission, and deletion.

Next, we will focus on the compliance challenges in the process of intelligent driving data collection.

The intelligent driving configurations of major models exported to Europe must meet the requirements of the General Safety Regulation (GSR). Newly registered vehicles must meet these regulations from July 2024 onwards. This is a mandatory access regulation. Some of the defined functions include:

Lane Keeping ELKS, LDWS; Blind Spot Monitoring BSIS, Reverse Monitoring, MOIS; Forward Collision Warning and Emergency Braking AEBS; Intelligent Speed Assistance (ISA).

Among them, the ISA function is required to undergo road testing in Europe for not less than 400km.

Although N-CAP is not an access regulation, it also imposes clear requirements on functions such as AEB, FCW, LDW, LKA, ELK, BSD, ISA for passenger cars, and it is authoritative. Therefore, it is usually considered during intelligent driving development.

During road testing, it is inevitable that road test vehicles collect personal data of natural persons in public areas to support the upgrading and optimization of functional performance. For example, facial information and license plate numbers captured by cameras. For this part of personal data, how to handle or reuse it in compliance with GDPR guidelines is a challenge that automotive companies conducting road tests need to address.

Based on the GDPR's definition of personal data, facial information and license plate numbers may be involved in the data collected during road testing.

IV. Technical Differences and Procedural Compliance Regarding Data Desensitization Definitions

GDPR regulations indeed emphasize the protection of personal data, including the desensitization of personal data in certain cases. Desensitization is a data processing technique that aims to reduce the risk of data breaches by removing or replacing direct or indirect identifying information in personal data, while allowing the data to be used for other purposes such as testing, development, or analysis.

Following this line of thinking, we need to address the desensitization of facial information and license plate numbers.

Regarding the desensitization of personal information, we will further explore what anonymization is. In fact, there are significant differences in the regulations here.

GDPR itself does not specify detailed technical standards for desensitization, but in practice, desensitization may involve various technical methods, including but not limited to:

Data substitution: Replacing real personal data with pseudonyms or synthetic data.

Data masking: Masking or removing sensitive information, such as credit card numbers, ID numbers, etc.

Data perturbation: Modifying data to make it unidentifiable while maintaining its statistical characteristics.

Encryption: Encrypting sensitive data using encryption algorithms.
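The substitution, masking, and perturbation methods listed above, applied to constructed road-test detection metadata of the kind discussed in Section III (license plates with capture locations). This is an added example, not code from the original article; the record fields, sample plates, key, and function names are assumptions, and encryption is left out to keep the example within the standard library.

```python
import hashlib
import hmac
import random

# Constructed sample: metadata a road-test logger might attach to camera frames.
SAMPLE_DETECTIONS = [
    {"frame": 1, "plate": "B-AB 1234", "lat": 52.520008, "lon": 13.404954},
    {"frame": 2, "plate": "M-XY 987", "lat": 48.137154, "lon": 11.576124},
    {"frame": 3, "plate": "B-AB 1234", "lat": 52.520100, "lon": 13.405100},
]

def substitute(plate: str, key: bytes) -> str:
    """Data substitution: replace the plate with a keyed pseudonym.
    The same plate always maps to the same token, so vehicle tracks stay
    linkable for analysis; without the key the token cannot be recomputed."""
    norm = "".join(ch for ch in plate.upper() if ch.isalnum())
    return "veh_" + hmac.new(key, norm.encode(), hashlib.sha256).hexdigest()[:16]

def mask(plate: str, keep: int = 1) -> str:
    """Data masking: keep the first `keep` alphanumerics, star out the rest.
    Separators are preserved so the plate layout stays readable."""
    out, seen = [], 0
    for ch in plate:
        if ch.isalnum():
            seen += 1
            out.append(ch if seen <= keep else "*")
        else:
            out.append(ch)
    return "".join(out)

def perturb(value: float, max_offset: float, rng: random.Random) -> float:
    """Data perturbation: add bounded uniform noise to a coordinate."""
    return round(value + rng.uniform(-max_offset, max_offset), 6)

def desensitize(records, key: bytes, rng: random.Random, max_offset=0.001):
    """Return records with the raw plate removed and the location blurred."""
    return [
        {
            "frame": r["frame"],
            "vehicle": substitute(r["plate"], key),
            "lat": perturb(r["lat"], max_offset, rng),
            "lon": perturb(r["lon"], max_offset, rng),
        }
        for r in records
    ]

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # assumption: a real key would be a random secret
    for row in desensitize(SAMPLE_DETECTIONS, demo_key, random.Random(7)):
        print(row)
    print(mask("B-AB 1234"))
```

Whoever holds the HMAC key can recompute tokens from known plates, so this output is pseudonymized rather than anonymized.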

GDPR does not specify how desensitization should be done to ensure data compliance. However, in actual project implementation, European regulations place more emphasis on compliance with judicial procedures.

In fact, the fastest, least risky, and most cost-effective way is for data controllers to choose data processing processes and software with compliance certifications during data processing. Consulting agencies authorized by the European Union Certification and Privacy Center (ECCP) provide guidance and support to applicants according to certification standards, thereby increasing compliance guarantees.

V. What to Do if Data Needs to be Transferred Abroad?

In practice, to avoid transmitting a large amount of personal information outside the EU, most Chinese automakers exporting overseas will store personal data of EU users in data centers located in a member state of the EU provided by external cloud service providers. Relying on local data centers, overseas automakers collect, store, and process personal information, especially sensitive types of personal information, within the EU to minimize the scale, scenarios, and sensitivity of cross-border data transfers, thereby controlling cross-border transfers within the necessary scope for providing services. This not only fully guarantees business needs but also reduces the compliance costs brought about by cross-border data transfers. This is also a task that most automakers are already planning, and major domestic cloud service companies also provide overseas cloud service support. However, there are still many obstacles from intention to implementation.

For example, since the R&D and operation and maintenance teams are mainly located domestically, establishing data centers overseas is not a quick process. To meet functional development needs, some data needs to be transmitted outside the EU. So what should be done in this case?

This obviously triggers risks related to cross-border data transfers under GDPR. So how can this risk be avoided?

Regarding this risk point, it is first necessary to identify whether the relevant data transfer constitutes a "cross-border transfer" under GDPR and whether the relevant compliance obligations are borne by the automaker. Secondly, it is necessary to select a GDPR-compliant cross-border transfer path based on the company's actual situation and compliance costs. In practice, most automakers will choose to sign SCCs, and the contracting parties are generally data controllers and data processors.

What is a "controller" of data? Under the GDPR framework, a "controller" refers to a natural or legal person, public authority, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data. In simple terms, the controller is the party responsible for determining why and how personal data is collected and used. The controller is different from the data processor, who does not make decisions about the purposes and means of data processing.

It is worth emphasizing that data controllers may not want to sign any form of data contract in an attempt to avoid GDPR's definition of a data controller. However, in practice, data definitions and uses are often clear, and such practices not only fail to avoid legal risks but can even be directly considered non-compliant and subject to fines.

The European Commission has a "whitelist of countries/regions" recognized for the level of protection of personal data. Currently, there are only 15 whitelist countries/regions, and China is not on the list. In such cases, GDPR stipulates that data can still be transferred to recipients outside whitelist countries or regions if the data transferor provides appropriate safeguards and grants data subjects enforceable data subject rights and effective legal remedies.

The main cross-border transfer methods under this path are: signing EU standard contractual clauses (Standard Contractual Clauses, referred to as SCCs), signing binding corporate rules (Binding Corporate Rules, referred to as BCRs) by multinational group entities, approved codes of conduct, approved certification mechanisms, etc. In practice, Chinese automakers commonly use standard contractual clauses (SCCs).

After signing SCCs, it is also necessary to conduct a "Data Transfer Impact Assessment" (TIA). The European Commission clearly stipulates that organizations transferring personal data outside the EU must conduct a transfer impact assessment to verify on a case-by-case basis whether the laws of the third country to which personal data is sent have any impact on the effectiveness of SCCs.

Signing SCCs alone does not mean that you have ensured "essentially equivalent" protection, enforceable rights, and legal remedies as guaranteed by GDPR. Only when the exporting organization conducts a case-by-case documented transfer impact assessment to ensure that personal data (and data subjects) remain protected to the standards required by GDPR can reliance be placed on transfers made using GDPR Article 46 tools, including SCCs.

TIA can be divided into three main parts in sequence:

Description of the cross-border transfer scenario;

Analysis of the legal regulations in the recipient country/region regarding rights protection and remedies provided to individuals, as well as the possibility of the recipient's local government agencies accessing relevant personal data;

Based on the analysis results of the second part, determine whether it is necessary to take corresponding technical, organizational, and contractual supplementary measures, and if necessary, what transmission safeguards should be taken for the cross-border transfer scenario to effectively reduce the potential "detriment" to rights.

Data controllers should document all steps followed and be prepared to provide these documents when requested by data protection authorities, who may request to see your documents and content that you consider part of the process. As TIA is a complex process, we need the professional help
