On April 28, the China Association of Automobile Manufacturers announced that in order to standardize automobile data processing activities and protect the legitimate rights and interests of users, head car manufacturers are encouraged to play a benchmarking role, to promote the formation of a good environment for the whole society to jointly maintain automobile data safety and promote the development of the automobile industry.
The China Automobile Industry Association and the National computer Network Emergency Technology processing Coordination Center are in accordance with the relevant regulations and standards such as several regulations on Automobile data Safety Management (trial), GB/T 41871-2022 “Information Security Technology Automobile data processing Security requirements”, and in accordance with the principle of voluntary inspection by enterprises.
Since November 2023, we will organize the safety and compliance of the data of the newly listed Intelligent Networked vehicles of the automobile manufacturers in 2022-2023 (anonymous processing such as face information outside the car, default not collecting cockpit data, in-car processing of cockpit data, processing significant personal information, etc.
) 4 compliance requirements) Among them, 76 models of BYD, ideal, Lutes, Hezhong New Energy, Tesla, Xilai and other 6 enterprises meet the four compliance requirements for automobile data safety.
The list of specific car models is as follows: .
As can be seen from the publicity form, BYD Hantang family, ideal L series, Lutes ELETRE (parameters | inquiry), Nezha GT, Nezhu S, Model 3, Model Y and the whole series of Weilai models are listed, all of which meet the four compliance requirements for automobile data safety.
The following are the testing standards and methods: according to the relevant requirements of “several provisions on Automobile data Safety Management (trial)”, according to GB/T 41871-2022 “Information Security Technology Automobile data processing Security requirements” and T/CAAMTB 77-2022 “Automobile Transmission Video and Image Desensitization Technical requirements and methods” relevant technical standards, and refer to the “Automotive data General requirements (application and approval draft)” appendix C organization and implementation.
As of November 15, 2023, according to the notice on carrying out Automobile data Safety and Compliance work (China Automobile Association letter [2023] No.
243), automobile manufacturers voluntarily submitted to the China Association of Automobile Manufacturers for inspection of the newly listed Intelligent Networked vehicles in 2022-2023.
Second, testing standards, testing using the same test requirements, test environment, technical standards and testing process, including anonymous processing of face information outside the car, default does not collect cockpit data, cockpit data in-car processing and processing of personal information significantly inform four requirements.
The testing criteria are as follows: 1.
Anonymous processing requirements such as out-of-car face information, a.
Out-of-car data should not be provided to the outside of the vehicle until anonymization has been completed.
The anonymization detection rate of the video, the face target in the image and the car license plate target should be greater than or equal to 90%. , 2. Do not collect cockpit data by default, a.
Unless the driver sets it independently, the car should be set to not collect cockpit data by default, and the collection can only be started after the driver actively chooses through physical buttons or touch buttons, and the car can be set according to the driver.
Maintain the state chosen by the driver or restore the default state. b. A convenient way to terminate the collection of cockpit data should be provided. c. Obtain the individual consent of the subject of personal information for each sensitive personal information. d. The consent period for processing sensitive personal information should not be set to “always allowed” or “permanent”. , 3. Cockpit data in-vehicle processing requirements, except for voice recognition, remote inspection of the situation inside the vehicle, cloud storage functions and the transmission of data to regulatory or law enforcement agencies in accordance with relevant regulations, the vehicle should not provide cockpit data outside the vehicle. 4. Significant notification requirements for dealing with personal information, automobile data processors should inform individuals of the following through user manuals, on-board display panels, voice, car usage-related applications and other significant ways: a.
The types of personal information processed. b. The specific situation of collecting all kinds of personal information and the ways and ways to stop collecting. c. The purpose, purpose and way of dealing with all kinds of personal information. d. The storage location and duration of personal information, or the rules for determining the location and duration of preservation. e. Ways and means to access and copy their personal information and delete inside the car and request the deletion of personal information that has been provided outside the car.
The name and contact information of the contact person for user rights and interests affairs.
Third, testing methods, according to the data processing functions of different models (distinguishing years), four compliance requirements are tested under the same standard, and different testing methods are adopted according to the technical characteristics of related functions.
It includes:, 1.
The detection method of anonymized processing such as out-of-car face information: the technicians sampled the data from the car side, and carried out anonymization effect analysis and data statistics.
The detection method that does not collect cockpit data by default: confirm the conformance of various cockpit data collection functions in the vehicle. 3. The detection method of cockpit data processing in the vehicle: grasping and analyzing the external communication data of the vehicle at the vehicle end. 4. The detection method of significant disclosure of personal information: confirm the compliance of the user Privacy Agreement on the official corporate website, in-car application or mobile communication terminal application.
(compiled / Auto House Zhang Xiaodan), return to the home page of the first electric network >.