A Legal Study: How Do China’s Top 10 Intelligent Connected Vehicle Companies Protect Consumer Rights?

Abstract

This paper presents a case study on intelligent connected vehicle data. Intelligent connected vehicles (ICVs) gather comprehensive road data throughout operation to facilitate vehicle automation and enhance user experiences. However, this technological innovation presents new concerns for data security and privacy. This study employs case study analysis to examine the data protection provisions of the top ten ICV companies in China and the governmental rules pertaining to data utilization. The findings indicate that these organizations do not completely adhere to the legal rights afforded to consumers, resulting in possible data security vulnerabilities. To improve this situation, the Chinese government ought to explicitly specify the regulatory responsibilities of the National Security Council (NSC) and the Ministry of Industry and Information Technology (MIIT) via regulations. Furthermore, the government should use media to educate the public about their data rights. These initiatives seek to aid the Chinese government in promptly updating legislation and efficiently controlling data breach threats as ICVs increase.

1. Introduction

The rapid advancement of ICVs, fueled by artificial intelligence and modern manufacturing, has outstripped the development of data security legislation [1]. ICVs depend significantly on comprehensive data that link persons, cars, highway information, and service providers. Throughout the data connection procedure, this information is sent to other organizations, resulting in vulnerabilities [2,3]. ICV companies’ data storage practices reveal significant flaws, including unclear ownership boundaries and weak protections for stakeholder rights. Additionally, there is a lack of sufficient regulatory oversight for cross-border data transfers [4,5,6].

At present, data governance of intelligent connected vehicles has become a global issue. The European Union has set strict standards for cross-border transmission of vehicle data and user privacy through the General Data Protection Regulation (GDPR), but its adaptability in dynamic data processing scenarios is still controversial [7]; although the California Consumer Privacy Act (CCPA) requires companies to actively compensate victims of data leaks, the implementation mechanism relies on corporate self-discipline and the effect is mixed [5]. On the technical level, if the real-time environmental perception and decision-making data relied on by autonomous driving systems are not fully encrypted or anonymized, they may be maliciously used to manipulate vehicle behavior or steal user trajectory information [3]. Although China promulgated the “Several Provisions on the Security Management of Automobile Data (Trial)” in 2021, proposing the principles of “in-vehicle processing” and “default non-collection”, the non-mandatory clauses have led to insufficient compliance willingness of companies [8]. Studies show that only 30% of users can accurately identify the core terms in the privacy policy. This cognitive gap has exacerbated the imbalance of rights and responsibilities between companies and users. Existing research focuses on a single dimension, such as technical protection solutions, legal framework improvement, or user behavior analysis, but there is insufficient cross-disciplinary integration and a lack of systematic empirical evaluation of China’s leading companies [9].

Despite the existence of several Chinese laws and regulations intended to govern ICV companies, the absence of comprehensive implementation guidelines diminishes their practical efficacy. Motivated by significant commercial interests, organizations often neglect to safeguard user data [10,11]. Some scholars suggest defining the responsibilities of all parties involved and establishing standards for vehicle network data security to protect user information [12]. Others advocate for the establishment of user rights and explicit criteria for assessing corporate reimbursement for damages to ensure data security [5]. However, current research lacks legal measures based on empirical studies. This study evaluates the data protection practices of China’s top ten ICV companies, identifying key barriers and deficiencies in enforcing existing regulations. By providing empirical evidence, it aims to refine policy and regulatory frameworks, enhancing ICV technology development and ensuring user data security.

2. Legal Challenges for Data Protection in China’s ICV Industry

ICVs integrate vehicle networking and smart vehicle technology, transforming the conventional interaction among cars, infrastructure, and people. By integrating advanced data communication technologies, ICVs can collect, analyze, and apply vast amounts of data in real time, making fully autonomous driving possible [13,14]. However, this technological shift also introduces new challenges, particularly in personal data protection.

China’s laws and regulations lack comprehensive monitoring for data processing operations in ICVs. The Cybersecurity Law of the People’s Republic of China (CSL) established a fundamental legal framework by delineating the primary entities accountable for network data regulation (Article 8). However, it offers little guidance on how regulators should enforce cybersecurity protections [15]. The Data Security Law of the People’s Republic of China (DSL) establishes a framework for surveillance and proactive alerts (Article 22). Nonetheless, it lacks explicit directives for the implementation of this method. The Regulations on Network Data Security Management delineate the conduct of data handlers and define their responsibilities (Article 21–28). In any case, they provide little information about the precise activities and duties of regulators.

Passive control based on companies reporting themselves is not enough to prevent all data risks. Existing legislation mostly mandates that data processors or service providers must proactively disclose data threats or breaches to authorities (CSL Article 22, 25, 42, 47; DSL Article 29, 30). This strategy significantly depends on their diligence and punctuality. If these companies neglect their reporting obligations, they are subject merely to corrective orders, warnings, and very little penalties (CSL Article 59). The light legal penalties are inadequate for compelling companies to swiftly disclose data concerns or breaches. This may result in the personal data of users of ICVs being compromised prior to the implementation of adequate protective measures.

The lack of awareness about their rights among users of ICVs permits companies to avoid responsibility. The existing laws confer upon persons several rights, including the right to be notified, access, consent, delete, rectify, and reject (Personal Information Protection Law of the People’s Republic of China, PIPL Article 44–50). The implementation of these rights mostly relies on users’ initiative. This approach guarantees personal control over information. Nevertheless, it could impede the effective realization of these rights if people are uninformed or unable to exercise them. The PIPL mandates that large companies regularly publish reports on how they protect personal information (Article 58). This requirement aims to increase transparency and build public trust. While these reports help improve corporate accountability and public oversight, they do not solve the core issue. Individuals still face significant challenges in understanding and exercising their privacy rights.

3. Data Privacy Practices: A Deep Dive into China’s Top Ten ICV Companies

The fast progression of technology has seen the protection of user data become a fundamental concern for regulators, enterprises, and consumers. This chapter will examine the present condition of user data security among the top ten ICV companies in China. This will examine how these companies confer rights to users within the current legal framework and meet their legal responsibilities.

3.1. User Rights: What Are Companies Offering?

By 2025, the size of China’s ICV market is anticipated to surpass CNY one trillion. The market is seeing tremendous expansion and is projected to maintain this trajectory in the next few years [16]. This article identifies the top ten ICV companies in China, selected based on their market share, to analyze the user rights delineated in their privacy policies available on official websites.

The analysis shows that these companies generally recognize and protect six basic rights of users. Specifically, the right to access, correct, delete, withdraw consent, cancel, and refuse. These rights are fundamental to the protection of user data, demonstrating the companies’ regard for personal privacy and their adherence to applicable laws and regulations [17]. The ICV enterprises just providing fundamental rights may be inadequate to address the increasing complexities of data security and the heightened desire for transparency from consumers.

To strengthen users’ sovereignty over their data, several companies have granted new rights. Baidu and BAIC provide its intelligent connected car users with the right to prior notification. Companies inform users of substantial changes to the services offered, including disruptions or discontinuations of service [18,19]. Several companies explicitly confer upon users the right to an explanation, guaranteeing timely notification of the processing of their personal information and the resultant effects [18,20,21,22]. Users possess the right to seek a suspension of data processing when they doubt the accuracy or fairness of their data handling until their concerns are resolved. This right permits them to temporarily halt the processing of their information. Furthermore, users may exercise data portability, allowing them to request the direct transfer of their personal data to another entity [18,23]. The implementation of data portability rights significantly increases users’ control over their data and safeguards them against the negative consequences of automated decision making.

Ultimately, several companies provide extensive safeguarding of consumer rights by explicitly stating in their privacy policies that consumers possess the right to file complaints [19,23,24]. If users are not satisfied after making a complaint, they can seek redress from judicial or government agencies, such as filing a lawsuit in court or lodging a complaint with a data protection authority. This not only offers users an expanded range of remedies but also reinforces the legal obligations companies have in managing user information (Table 1).

Table 1. Rights granted to users by China’s top ten ICV companies (Short Version).

Company	Right of Access	Right to Rectification	Right to Erasure	Right to Withdraw Consent	Right to Deregistration	Right to Object	Right to Copy	Right to Prior Information	Right to Explanation	Right to Restriction of Processing	Right to Lodge a Complaint	Right to Data Portability
Huawei (Shenzhen)	√	√	√	√	√	√	√		√
Baidu (Beijing)	√	√	√	√	√	√	√	√	√	√		√
BYD (Shenzhen)	√	√	√	√	√	√			√
CCAG (Beijing)	√	√	√	√	√	√	√			√	√	√
NIO (Shanghai)	√	√	√	√	√	√	√
LI (Beijing)	√	√	√	√	√	√	√
XPeng (Guangzhou)	√	√	√	√	√	√	√
BAIC (Beijing)	√	√	√	√	√	√	√	√			√
SAIC (Shanghai)	√	√	√	√	√	√	√		√	√
FAW (Changchun)	√	√	√	√	√	√		√			√

Source: According to the “China Intelligent Connected Vehicle (ICV) Industry Development Model and Investment Strategy Planning Analysis Report” by the Forward-looking Industry Research Institute and the 2023 Intelligent Connected Vehicle Patent Publication Ranking Data released by the China Automotive Intellectual Property Promotion Center. These rights are derived from the privacy policies on the official websites of ICV companies. For more information, see references [18,19,20,21,22,23,24,25,26,27].

3.2. Companies’ Rights and Duties: What Are Companies Entitled and Obligated to Do?

In the context of ICV driving, users unavoidably provide personal information to companies. These data, including diverse information both inside and external to the vehicle, underpin ICV services [28]. Once these critical data are obtained, companies may provide personalized intelligent services designed to meet user requirements [29]. During this data exchange procedure, companies not only implement data processing rights according to the user’s expressed preferences but also assume legal duty for safeguarding user privacy and data security.

3.2.1. Companies’ Rights

The top ten ICV companies in China possess the rights to share, transfer, and disclose information. Nevertheless, they exhibit considerable variation in the implementation of these rights. Most companies must obtain express permission from data subjects prior to processing personal data. This strategy adheres to legal mandates for data security while still honoring user privacy. By obtaining users’ express consent about the use of their data, firms may foster trust and mitigate legal concerns associated with privacy.

In some instances, companies may handle data without obtaining user authorization. This includes legally compelled exceptions, including those for public interest, legal requirements, or contractual fulfillment. These exclusions provide essential flexibility, enabling companies to function efficiently and deliver services in the public interest while safeguarding user privacy. The variation in how companies implement these rights may arise from inequalities in their business strategies. For instance, companies with robust data processing capabilities and advanced privacy measures may prefer processing data with user consent to demonstrate their commitment to data protection [30]. Conversely, some may depend on legal exemptions to optimize procedures and save expenses.

Moreover, several companies possess the authority to delegate processing in response to business growth requirements. ICVs depend significantly on intricate data analysis and processing, including real-time navigation, driving behavior assessment, and vehicle repair forecasting. These activities often need specialist technological assistance, and not all automotive companies have this ability. Consequently, numerous companies delegate these responsibilities to external enterprises with the requisite expertise and equipment, thereby guaranteeing superior data processing and service innovation (Table 2).

Table 2. Rights granted to users by China’s top ten ICV companies.

Rights		Sharing	Transfer	Disclose Information	Delegate Processing
	Companies
Huawei		Without the Data Subject’s Consent	With the Data Subject’s Consent or as Otherwise Required by Law		Processing of User Information by the Entrusting Party as Requested by the Entrusted Party
Baidu		With the Data Subject’s Consent or Under Other Legal Provisions
BYD		With the Data Subject’s Consent or Under Other Legal Provisions
CCAG		With the Data Subject’s Consent or Under Other Legal Provisions
NIO		With the Data Subject’s Consent or Under Other Legal Provisions
LI		Without the Data Subject’s Consent		With the Data Subject’s Consent	The Entrusting Party Processes User Information at the Request of the Entrusted Party
XPeng		Without the Data Subject’s Consent or Under Other Legal Provisions	With the Data Subject’s Consent or Under Other Legal Provisions
BAIC		With the Data Subject’s Consent or Under Other Legal Provisions
SAIC		With the Data Subject’s Consent or Under Other Legal Provisions	Without the Data Subject’s Consent	With the Data Subject’s Consent or Under Other Legal Provisions	The Entrusting Party Processes User Information at the Request of the Entrusted Party
FAW		Without the Data Subject’s Consent	With the Data Subject’s Consent or Under Other Legal Provisions

Source: These rights are derived from the privacy policies on the official websites of ICV companies. For more information, see references [18,19,20,21,22,23,24,25,26,27].

3.2.2. Companies’ Obligations

The obligations of the top ten smart connected car companies are classified into three categories: preservation, protection, and notification obligations. Concerning preservation obligations, each company adheres to the principle of requirements, maintaining personal user information just for the legally permissible and required period for business purposes.

Protection obligations are crucial in the data management of smart connected car enterprises, including data acquisition, surveillance, and post-incident remediation. During the data collection phase, companies such as Huawei and Baidu follow the principle of minimal requirements, gathering just the necessary information required to provide services [18,20]. While other companies may not explicitly express the same goal, they are nevertheless required to adhere to applicable legal criteria to validate the validity of their data collecting practices. During the monitoring phase, all companies prioritize enhancing the selection and training of technical personnel, establishing specific access rights to guarantee workers manage data only within required and allowed limits.

Furthermore, to mitigate future data security events, every company has created comprehensive emergency plans, including prompt risk evaluations, swift reaction protocols, and post-incident remediation procedures. The creation and execution of these strategies guarantee that companies may promptly enact actions to safeguard user information to the maximum degree feasible in the case of data breaches or other security concerns.

To further enhance the transparency and credibility of data handling, BYD also regularly publishes personal information security impact assessment reports [21]. These reports detail the measures and their effectiveness in data processing and protection, allowing users and the public to clearly understand the company’s efforts and achievements in maintaining personal information security.

As for companies fulfilling their notification duties, there are significant differences in the conditions that trigger these obligations. Some companies notice modifications to services and policy revisions as the primary basis for satisfying their notice responsibilities [20,23,25]. This method guarantees that consumers are completely informed of any alterations that may impact the use of their personal data throughout the service. Other companies activate their notification responsibilities primarily in the occurrence of a personal information security breach [18,19,21,22,24,26,27]. In such instances, the company informs users only upon the occurrence of a data breach or other security problem. This approach fulfills the basic legal standards; nonetheless, it may restrict consumers’ comprehension of the utilization and processing of their data in the absence of a security event (Table 3).

Table 3. The obligations of China’s top ten ICV companies.

Obligations		Preservation	Protection	Notification
	Companies
Huawei		Retain users’ personal information based on the principle of necessity	Collect information in accordance with the principle of minimization; Technical control; Remedial measures; Staff training and service provider selection	Notify users when services change or policies are updated
Baidu			Collect information in accordance with the principle of minimization; Employee access control and training; Emergency response and remedial measures	Promptly inform users in the event of a personal information security incident
BYD			Encryption technology; Staff training; Remedial measures Regularly publish personal information security impact assessment reports;	Promptly inform users in the event of a personal information security incident
CCAG			Technical control; Regularly inspect and update mechanisms for protecting data security	Notify users when services change or policies are updated
NIO			Technical control; Employee access control and training; Emergency response and remedial measures	Promptly inform users in the event of a personal information security incident
LI			Technical control; Employee access control and training; Emergency response and remedial measures	Notify users when services change or policies are updated
XPeng			Technical control; Employee access control and training; Emergency response and remedial measures	Promptly inform users in the event of a personal information security incident
BAIC			Technical control; Employee access control and training; Emergency response and remedial measures	Promptly inform users in the event of a personal information security incident
SAIC			Technical control; Employee access control and training; Emergency response and remedial measures	Promptly inform users in the event of a personal information security incident
FAW			Technical control; Employee access control and training; Emergency response and remedial measures	Promptly inform users in the event of a personal information security incident

Source: These rights are derived from the privacy policies on the official websites of ICV companies. For more information, see references [18,19,20,21,22,23,24,25,26,27].

4. Legal Landscape: Navigating Compliance for ICV Companies

The Chinese government has established a comprehensive legislative framework for data security and personal information protection in the ICV industry via three laws and two regulations (Figure 1). Notwithstanding all of that, the existing legislative framework continues to exhibit shortcomings in regulatory enforcement mechanisms and the allocation of tasks among regulatory agencies.

Figure 1. China’s legal framework for ICV companies.

4.1. Regulating ICVs: Key Laws and Regulations

4.1.1. Legal Framework for ICVs

The CSL mandates that ICV companies provide a secure network environment to ensure the safe transmission of user data. Companies must fulfill a series of security obligations according to the cybersecurity registration and protection system. Under the cybersecurity protection level framework, companies must implement various security measures throughout the design and operational stages of their network systems (Article 21). This includes the implementation of internal security management systems and the deployment of antivirus and anti-intrusion technology. Regarding the handling of personal information, the law mandates that companies follow principles of legality, propriety, and necessity (Article 41). Specifically, companies must transparently inform users about the purposes, methods, and scope of data collection and ensure they obtain explicit consent before collecting and using data. Moreover, companies must have thorough emergency plans for cybersecurity events and react rapidly, instantly notifying appropriate authorities upon the occurrence of an issue (Article 25).

The DSL mainly addresses national administrative agencies and associated departments, providing a rough outline of obligations for data subjects (Article 3). It includes a wide array of data processing tasks, including information captured electronically or via other methods. The legislation requires data processors to manage data legally and appropriately. It necessitates the implementation of a comprehensive data security management system (Article 27). Moreover, data processors are required to conduct data security training and risk assessment. (Article 27, 30). However, in reality, these broad principles may still provide flexibility and ambiguity in execution. The precise technological methods used by automotive companies and the regularity of risk evaluations need greater elucidation.

The PIPL emphasizes the protection of individual privacy and personal data, applying it to all subjects who handle personal information. The legislation specifically indicates and grants upon people many rights to the processing of personal information for the first time, including the rights to be informed, to make choices, to access data, and to make changes (Article 44–50). These rights seek to empower people by guaranteeing openness and control over the management of their personal information. The legislation delineates the categorization of personal information into general personal information and sensitive personal information. For general personal information, ICV companies must re-obtain user consent for data processing activities that exceed the originally agreed scope and when changing data processors (Article 21). For sensitive personal information, individual consent is required, and it must be obtained in writing (Article 29). The law also sets strict requirements for the cross-border transfer of personal information. When the amount of processed personal information attains a certain level, it must be evaluated and sanctioned by the national cyber administration prior to any international transfer (Article 38–43).

4.1.2. Regulations for ICVs

In 2021, the growth of ICVs in China’s market heightened public apprehension around the security and privacy of data gathered, used, and disseminated by these vehicles [31]. The Chinese government promulgated the “Several Provisions on the Management of Automobile Data Security (Trial)” to oversee the management of automotive data and mitigate consumer apprehensions about the exploitation of their personal information. This regulation not only retains the fundamental obligations for data processors from present law but also incorporates many additional principles to augment the protection of user rights. Specifically, the regulation promotes processing data within the vehicle, restricting external data sharing unless absolutely necessary. Furthermore, it offers a default configuration that refrains from data collection unless specifically enabled by the driver (Article 6). However, these principles are recommended for ICV companies, which are not mandatory. The absence of compulsory enforcement may lead to some companies failing to completely comply with these principles or simply following them superficially.

The Regulations on Network Data Security Management reinforce the stipulations of three statutes, offering comprehensive guidelines for data security management in digital contexts. According to these regulations, ICV companies are required to provide openness and accessibility in their communication on the handling of personal information. Requirements include that the criteria for processing personal information must be presented in a “centrally displayed”, “easily accessible”, and “prominent” fashion, with material that is clear and explicit. Furthermore, organizations must enumerate all personal information to be gathered in a “checklist”, ensuring that the collection is strictly confined to what is essential for delivering goods or services. The regulations refine the notification methods for personal information processing rules and set higher standards for processing based on personal consent [32]. For instance, during the process of obtaining consent, companies are prohibited from using improper methods and must not repeatedly solicit consent from users (Article 22).

4.2. Assessing the Impact of Present Legal Frameworks

4.2.1. Data Security Incidents in China’s ICV Companies

Since 2020, approximately 2.8 million malicious data assaults have targeted Chinese ICV manufacturers. There have been more than 20 documented data breaches directly associated with automotive firms since 2023 [33]. These incidents, ranging from personal privacy information to vehicle operational data leaks, have highlighted serious flaws in data security management within the smart connected vehicle industry.

In 2021, XPeng Motors was criticized for excessively collecting facial information during its sales process, which was followed by a user data breach at NIO [34,35]. This incident exposed significant personal and vehicle information, violating user privacy and presenting safety issues. It elicited public apprehensions on the sufficiency of data security management in smart linked automobiles. Furthermore, before 2022, companies like XPeng, Changan, and BYD equipped their ICVs with remote monitoring functions activated by default at the factory, without adequately alerting consumers or securing their agreement [36]. These features, such as remote diagnostics and driving safety monitoring, were designed to enhance value. Nonetheless, their default activation without explicit user authorization raised privacy issues.

4.2.2. Assessing the Effectiveness of Legal Implementation

Before assessing the impact of legal implementation, it is essential to comprehend the data gathering methodologies from users and the transmission procedure. For example, privately owned vehicles use onboard sensors to gather real-time data on driving behavior and road conditions. These data improve autonomous driving capabilities and, after anonymization, are sent to partner manufacturers or third-party companies for technical advancement or market evaluation. Likewise, vehicles owned by legal companies, such as logistics fleets, collect data on temperature, humidity, and fuel usage to enhance operating efficiency. Concurrently, anonymized data are sent to manufacturers and technology companies to enhance product design and service options [37]. Regarding the aforementioned data collection and transmission processes, local authorities lack comprehensive directives to oversee the data handling operations conducted by ICV companies. Differential regulatory requirements across areas have resulted in unequal data protection measures, increasing the danger of data breaches. Local governments establish diverse regulations derived from the foundational framework of national legislation, resulting in discrepancies in legal enforcement across areas. For example, the Shanghai Data Regulations require real-time monitoring and periodic evaluations by the city’s Big Data Center (Article 35), whereas Chongqing, Guangzhou, and Wuhan have not delineated their regulatory strategies or frequencies. The Shenzhen Special Economic Zone Data Protection Regulations provide a novel and open regulatory approach to conversations, improving direct contact between regulators and data handlers. Nonetheless, these disparate standards hinder data protection initiatives and diminish the overall efficacy and preventive capabilities of legislation.

The absence of comprehensive regulatory rules complicates companies’ capacity to ascertain legal requirements for data management. The ambiguous nature of these recommendations may leave intelligent vehicle makers such as XPeng, Changan, and BYD uncertain about the precise legal obligations pertaining to data collection, storage, and processing. Furthermore, the lack of explicit enforcement criteria may hinder regulatory agencies in successfully overseeing the data processing operations of companies. The lack of defined inspection and assessment criteria limits regulators’ ability to accurately assess if a company’s data protection processes comply with legal mandates. This also impedes the prompt discovery and rectification of errors in data processing [38].

The reliance on companies’ self-regulation is another factor contributing to data breaches. The legislation mandates that ICV companies create independent entities to evaluate and report on personal information security to enhance efficiency (PIPL Article 58). However, this method has evident shortcomings in reality. The effectiveness of self-regulation significantly depends on the company’s initiative and ethical principles. In practice, when the expense of data protection clashes with financial objectives, corporations may choose to sacrifice data security for increased profits [39]. Furthermore, the legal requirement for companies to self-report data risks often fails to achieve its intended effect in practice (DSL Article 29). Companies may choose to disregard reporting regulations if they perceive that the economic advantages of concealing information surpass the legal and financial consequences. Companies may choose to obscure or postpone the disclosure of data breaches owing to concerns of reputational harm and possible financial repercussions. To sum up, the inadequate deterrence impact of existing legislation diminishes the efficacy of the overall data protection framework.

5. Legal Tactics: Advancing Regulatory Oversight of ICV Companies

As ICV technology advances and the market grows, it is essential for the legal framework to adapt accordingly to effectively tackle emerging challenges. This chapter will delve into strategies for fostering the sustainable growth of the smart connected vehicle industry and safeguarding user rights.

5.1. Crafting Comprehensive Regulatory Guidelines for ICVs

5.1.1. Refining China’s Legal Regulatory Framework

In comparison to the EU’s broad legislative framework for data subject protection, China’s structure seems less extensive. The EU employs a singular directive and seven regulations to regulate corporate data processing and safeguard the rights of data subjects. The General Data Protection Regulation (GDPR) is an essential component of EU data protection legislation, standardizing privacy rules throughout member states and providing enhanced protections and rights for data subjects [40]. The European Data Protection Board (EDPB) has established a set of recommendations for the implementation of personal data protection, delineating the specific obligations of all entities engaged in data processing (Figure 2). The rules thoroughly clarify the rights of data subjects to data portability and consent and specify requirements for privacy protection. They delineate the rights and obligations of regulatory organizations, data processors, and service providers, including the processes for reporting infractions.

Figure 2. The framework of the EU’s data protection.

China regulates corporate data processing with just three laws and two regulations (Figure 1). These legal measures provide a framework for data security management but may lack sufficient detail for implementation and operation. For instance, specifics on data classification and the measures for processing and protecting data by different parties are not thoroughly explained, making practical application challenging.

To improve the efficacy and comprehensiveness of data protection in the nation, China could contemplate using the EU’s expertise in optimizing legislative frameworks for data protection. The Chinese government needs to accelerate the formulation of more comprehensive subsidiary rules and implementation guidance. This would guarantee that privacy regulations are not just extensive in theory but actually effectively protect the rights of data subjects in reality, while harmonizing technological progress and economic development.

5.1.2. Defining the Enforcement Rights and Responsibilities of Regulatory Agencies

The legislation explicitly confers on the relevant agencies the right and obligation to implement rules, emphasizing the joint oversight of ICV companies by many bodies. China has established many regulatory agencies for the regulation of ICV data processing, including the Cyberspace Administration of China (CAC), the National Security Commission (NSC), and the Ministry of Industry and Information Technology (MIIT). These entities are responsible for guaranteeing the secure functioning of networks and information systems, as well as supervising business data processing. Each regional cyberspace office is tasked with supervising network data security within its jurisdiction, guaranteeing the safe functioning of all networks and information systems. Other departments are responsible for supervising the data processing operations of organizations [41].

5.1.3. Rights and Obligations of the NSC

The NSC must establish explicit criteria for using its investigative and intervention rights in relation to ICV companies. The exercise of these rights is aimed at fulfilling the NSC’s primary mission: the protection of national security [42].

The NSC is empowered to examine ICV companies upon reasonable suspicion of unlawful management or transfer of sensitive information. The investigations rely on the company’s self-reports and concerns uncovered during security assessments conducted by the MIIT. Through these inquiries, the NSC evaluates probable breaches of national security legislation, the characteristics of these breaches, and their possible significance. If the investigation confirms actions that directly threaten national security, the NSC should then exercise its intervention rights.

Specifically, actions that directly threaten national security include significant data breaches at ICV companies, transferring over 100,000 pieces of data abroad, or 10,000 pieces of sensitive personal information without proper data certification (Provisions on Promoting and Regulating Cross-border Data Flows, Article 8). Moreover, the NSC has the jurisdiction to mandate the prompt termination of unlawful activities, enforce supplementary security protocols, and suspend or limit the company’s operations.

5.1.4. Rights and Obligations of the MIIT

The MIIT must be specifically authorized to access and audit ICV companies. This encompasses access to the whole data processing infrastructure of a corporation, including data collection, processing, storage, and dissemination. During inspections, the MIIT has the authority to review the technical configurations and data flows to ensure compliance with legal standards.

The MIIT should possess the ability to require detailed reports and records about a company’s data management practices. Furthermore, it must have the capability to retrieve essential data and documents for inquiries into any infractions or data breaches. To guarantee the proper execution of these rights, comprehensive rules must delineate explicit responsibilities for the MIIT, including the performance of both regular and unscheduled inspections [43].

Additionally, the MIIT should provide technical and policy support to ICV companies to enhance their data protection standards, which includes arranging training sessions, providing guidance manuals, and disseminating best practice examples. The MIIT also must provide openness in the regulatory process by disseminating the results of oversight and notable data security events to enhance public confidence and comprehension of data protection initiatives (Figure 3).

Figure 3. Division of government functions in regulating ICV.

5.2. Boosting the Impact of External Regulation for ICV Companies

5.2.1. Tightening Control with Strict Reporting Deadlines

The government needs to set definitive reporting dates rather than commencing reports only in response to emerging dangers. The existing paradigm, which initiates reporting only upon the manifestation of a danger, often acts as a pretext for firms to shirk accountability and neglect reporting obligations [44]. Therefore, the government needs to enforce regular routine reporting on a monthly or quarterly schedule, along with immediate reporting during emergencies.

Under standard management settings, rules should require corporations to notify quickly upon identifying particular risks or security events. Furthermore, they are required to consistently produce reports about their data management and security procedures to guarantee ongoing scrutiny. These regular reports must include security audit results, discovered vulnerabilities, assessments of the efficacy of current security protocols, and any proposed improvements.

However, in emergency situations, such as data breaches or the exploitation of security vulnerabilities, organizations must disclose to the appropriate regulatory authorities within 24 h. This mandate would require that companies swiftly address critical security incidents and immediately tell authorities, therefore reducing the potential for information delays. Furthermore, definitive reporting timelines are created to mandate companies to disclose all data security vulnerabilities within a certain period.

5.2.2. Designing a Structured Penalty System for Enhanced Accountability

A structured system of penalties should be established to enhance penalties. Existing disciplinary measures, like rectification orders, warnings, and nominal penalties, have little deterrent influence on enterprises. The government needs to correlate penalty levels directly with a company’s annual revenue and modify them according to the extent, length, and particular harm resulting from the infraction. For example, data breaches involving substantial quantities of user information or national security may result in penalties of up to 5% of the company’s annual revenue. This multilayered penalty system more precisely represents the gravity and possible damage of the violation.

Moreover, the government might implement a graduated penalties system. Companies that consistently breach data protection standards should face escalating fines and penalties. This should include not just financial penalties but also the possible suspension or limitation of company activities until remedial actions are implemented. However, if a company fails to report a data security incident within the required timeframe, penalties should increase with the length of the delay. The severity of these penalties should be determined based on the type of report delayed and the duration of the delay (Table 4).

Table 4. The structured penalty system.

Report Type		Periodic Report	Interim Report
	Delay Time
Delay ≤ 30 days		0.1% of the total fine per day as a late penalty	0.2% of the total fine per day as a late penalty
30 days < Delay ≤ 90 days		0.2% of the total fine per day as a late penalty	0.4% of the total fine per day as a late penalty
Delay > 90 days		0.3% of the total fine per day as a late penalty	0.6% of the total fine per day as a late penalty

According to the California Consumer Privacy Act (CCPA, Article 1798.150), data processors must proactively compensate victims in the event of data breaches or violations of data subject rights. This differs from prevailing norms in China, where data subjects are required to pursue compensation independently via complaints, negotiations, or litigation. This procedure not only burdens the victims but also results in many breaches being unresolved. China should amend its existing laws to include an “automatic compensation mechanism for data violations” to enhance legal effectiveness and protect data subjects’ rights more effectively. This reform would streamline the process of securing reparations for data breaches, ensuring more reliable protection for individuals’ privacy.

5.3. Empowering ICV Users: Spreading Awareness of Rights

Legal education is a fundamental technique for increasing awareness of ICV users’ rights. While legislation provides eight rights to ICV users (Table 5), the top ten ICV companies in China often provide just six. Consequently, the government needs to extensively disseminate these eight legislative rights via several methods.

Table 5. Rights granted to ICV users by law.

Laws and Regulations	Rights
Personal Information Protection Law	Right to access, right to copy, right to rectify, right to delete, right to request an explanation, right to restrict processing
Regulations on Network Data Security Management	Right to access, right to copy, right to rectify, right to delete, right to request an explanation, right to restrict processing, right to deregister, right to withdraw consent

5.3.1. Traditional Legal Education: Television and Community Engagement

Television, as a conventional media for legal instruction, has a distinct advantage owing to its extensive audience reach. The broadcasting authorities might effectively use this platform by including public service messages on people’s data rights during prime time, particularly inside popular television programs. These advertisements may be created as engaging mini dramas that illustrate real-life situations, emphasizing the significance and practical approaches to personal data security. This method allows audiences to obtain essential legal insights while engaging in their amusement [45].

Furthermore, television producers may partner with legal specialists to create a series focused on examining different facets of data security. These seminars may include dialogues with specialists from legal, technological, and social domains on the most recent data protection legislation and privacy technology. They would investigate the social implications of these technologies, improving public comprehension and proficiency in data security. These initiatives use case studies and expert dialogues to enhance public comprehension of data protection legislation. On top of that, the broadcasting authority should facilitate frequent public forums or live call-in programs, allowing viewers to pose direct inquiries to legal experts. This participatory method swiftly responds to public apprehensions, thus improving the efficacy and involvement of legal teaching.

5.3.2. Modernizing Legal Education: Internet and Social Media

New media is especially favored by youth as a novel approach to legal education due to its provision of quick, interactive, and visually engaging material [46]. New media platforms not only speed up and broaden the dissemination of legal information but also enhance interactivity.

Regulatory authorities are essential in safeguarding the rights of ICV users. Regulatory authorities should implement effective actions against companies that do not properly uphold statutory rights for their customers. These measures may include engaging in dialogues with the companies, issuing official admonitions, and disclosing the identities of non-compliant entities.

Furthermore, authorities must contemplate the imposition of significant fines and other administrative sanctions to ensure compliance. Regulators should mandate that companies submit comprehensive rectification plans and provide explicit timelines for their implementation when assessing penalties. New media presents unique instruments such as augmented reality (AR) and virtual reality (VR), which replicate legal circumstances, enabling users to study and engage with legal ideas immersively. This immersive learning substantially improves users’ comprehension and recall of legal material. Finally, the swift reactivity of new media promptly disseminates the newest advancements in law and technology to the public [47]. This feature is crucial for helping users quickly understand the current legal environment, which is essential for protecting their legal rights.

6. Conclusions

As ICV technology becomes more integrated and prevalent, the systematic collecting, processing, and transfer of extensive personal data directly affect user rights and data security. Nonetheless, existing data protection legislation, often formulated for conventional data processing methods, inadequately governs the data management practices of ICV companies.

A study evaluating the management of user rights and duties by China’s top ten ICV companies revealed that these companies often do not comply with regulations. The absence of compliance has raised public skepticism over the efficacy of their self-regulatory measures in data management; according to the “2022 China Consumers’ Intelligent Connected Vehicle Data Security and Personal Privacy Awareness and Concerns Survey” report released by the US market research organization J.D. Power, the overall confidence index of the consumers surveyed was only 45.7 points (out of 100 points). Therefore, the Chinese government must promptly enhance laws and explicitly delineate the regulatory functions and authorities of the CAC, the NSC, and the MIIT. Specifically, the CAC should assume the responsibility of coordinating and directing the regulatory functions of other agencies engaged in the oversight of ICV. Simultaneously, the NSC needs to be endowed with the authority to examine and act in issues that might jeopardize national security or public interest. The MIIT should be given access and auditing powers to meticulously oversee and evaluate the data processing procedures of ICV enterprises. This systematic method will guarantee that each regulatory entity can efficiently execute its assigned duties in overseeing the intricacies of ICV operations.

Moreover, to enhance regulatory effectiveness, China’s government should provide explicit reporting requirements for companies and enforce severe penalties. It should also enhance legal education about user rights to ensure users are well aware of their entitlements and the remedies accessible to them.

However, this article only discusses compliance with rights and obligations from a legal perspective, not considering the corporate culture and technical challenges. A following study will investigate these non-legal elements, including company culture, technical competencies, and internal management frameworks, and their influence on data security. This will provide a more thorough perspective on the performance of smart connected car firms in data processing.