World Electric Vehicle Journal (WEVJ)
  • Article
  • Open Access

27 January 2026

Protection of Personal Information in the Era of Autonomous Vehicles: China’s Dilemma and Legal System Reactions

1 School of Law, Chongqing University, No. 174 Shazhengjie Road, Shapingba District, Chongqing 400044, China
2 School of Marxism, Chongqing University of Science and Technology, No. 20 Daxuecheng East Road, Shapingba District, Chongqing 401331, China
* Authors to whom correspondence should be addressed.
This article belongs to the Section Marketing, Promotion and Socio Economics

Abstract

Autonomous vehicles, often described as “computers on wheels,” must collect extensive data, including personal information, and employ data analysis to enhance their self-learning capabilities. In this process, users’ personal information is particularly vulnerable to excessive collection, leakage, and misuse. Accordingly, establishing a robust legal framework for the protection of personal information in the context of autonomous driving is of critical importance. China has not yet implemented an Autonomous Driving Law, and the related legal provisions on protecting personal information in the field of autonomous vehicles remain unclear. We conducted a comparative analysis of the policies and legislation on automated driving and personal information protection in various countries and regions. The results indicate that China could benefit from the EU’s approach to expanding protection. Considering the current state of China’s legal system and legislative trends, it is more suitable to guide the legal application of personal information protection for automated driving through legal interpretation, alongside the existing laws on personal information protection.

1. Introduction

Autonomous vehicles (AVs), also known as smart cars, connected vehicles, or self-driving cars in China [1], are powered by artificial intelligence and capable of operating safely on the road without human intervention [2]. The development of autonomous driving technology can be traced through two main logical trajectories that have led to the automation of vehicle operation. The first trajectory focuses on the autonomous driving control technology of a single vehicle, which employs intelligent algorithms to predict the behavior of other road users, determine the vehicle’s operational mode, and achieve human-like control through actuator manipulation. This system regulates the actuators to achieve the desired anthropomorphic control of the vehicle. The second trajectory is vehicle-to-everything (V2X), which places the autonomous vehicle within an interconnected environment. This system enables connections between the vehicle and other vehicles, pedestrians, roads, cloud systems, infrastructure, and other elements [3]. By synthesizing data from multiple sources, the system determines the vehicle’s operational routes and driving strategies [4].
To achieve these functions, AVs need to integrate environmental sensing, intelligent decision-making, control execution, and V2X technologies [5], while also collecting large amounts of data, including personal information. The collected personal information includes personal identification, contact information, vehicle trajectories, and sensitive biometric data, such as voices and fingerprints [6]. AVs result from the deep integration of the automotive, electronics, information technology, and transportation sectors. Their safe and reliable operation depends largely on data collection and processing, which has raised public concerns regarding data security, personal privacy, and data usage [7]. A global survey indicated a wide range of perceptions regarding automated vehicles [8], with primary worries about safety, legal challenges, and data privacy, revealing an intricate link between consumer confidence and technology [9]. As with any significant technological innovation, the societal risks associated with AVs often become evident only through real-world applications. Recent research suggests that the level of data privacy protection affects consumer acceptance and purchasing decisions regarding AVs [10]. In our social experiment, public survey results also revealed considerable concerns about privacy protection, concerns that may even shape policy development [11]. Therefore, addressing public anxieties about personal data security is essential during the commercialization of autonomous driving technology.
The problem addressed by current research stems from the absence of a regulatory system; it is urgent to establish a comprehensive legal framework for the protection of personal information in the context of AVs. Existing studies show that the international community has recognized the importance of protecting personal information in the context of AVs and has begun legislative exploration in this area. In contrast, research on the protection of personal information related to AVs in the Chinese domestic context remains limited. Current Chinese laws, such as the Personal Information Protection Law (PIPL), emphasize legality, informed user consent, and liability allocation. However, most provisions are overly abstract, which makes them difficult to implement in practice. Furthermore, rules concerning data ownership are unclear, and existing liability mechanisms are underdeveloped. As a result, the current legal framework struggles to keep pace with the rapid development of autonomous driving technologies. This article employs descriptive analysis, comparative analysis, and legal dogmatic methods. It examines existing policies, laws, and national standards in China to identify deficiencies in the current system. Drawing on legislative practices from foreign countries and regions, and taking China’s national conditions into account, the study addresses several issues that have recently attracted considerable attention. The aim is to provide a reference for the future development of autonomous vehicle legislation in China.

2. Personal Information Challenges in the Era of Autonomous Vehicles

The generation of data in AVs is complex, with diverse data types, frequent interactions, and extensive applications, which entail governance challenges more intricate than those associated with general data. The technical data risks associated with autonomous driving are increasingly evolving into legal risks, which are expected to emerge as one of the most critical challenges in the era of autonomous driving [12]. The following aspects can be used to analyze this challenge.

2.1. Risks to Personal Information Protection in Autonomous Driving

The rapid advancement of AVs has intensified security concerns, particularly regarding the extensive personal data collected by these vehicles [13], especially sensitive data. Beyond the purely technical parameters, the data collected and processed by these vehicles can potentially identify individuals [14]. However, current regulations do not clarify ownership of this data, nor do they define the scope of “personal information” or specify data types unique to AVs [15]. Additionally, vehicle communications often occur without user awareness, and the lack of a national regulatory framework on data collection frequently results in individuals being unknowingly subjected to excessive data gathering.
Secondly, there is a risk of stalking and other privacy breaches because of the potential for misuse of personal information, such as location information combined with other personal details. AVs hold extensive data encompassing details about familial relationships, occupations, beliefs, political affiliations, health status, and lifestyle habits [16]. During the use of AVs, such data may be shared with governments or third-party service providers (e.g., maintenance facilities and insurance companies) without the user’s consent, posing significant risks to personal information security [17]. Data-controlling enterprises, driven by profit, often integrate information and use unique user identifiers alongside algorithmic modeling to construct detailed user profiles. Such profiles aim to assess users’ shopping preferences, travel habits, online activities, and other behaviors, thereby improving business management and operations [18]. Even though these profiles may not directly identify an individual, companies in the autonomous driving industry and other commercial entities can exploit consumption patterns or draw unwarranted conclusions about users, often without their knowledge.
Thirdly, there is a risk of personal information leakage [19]. To ensure the system operates effectively, automated driving heavily relies on big data. However, throughout data processing and exchange, unstructured data often presents a risk of personal information leakage. This risk arises from inadequate fine-grained access control mechanisms. Additionally, internal privilege abuse and external cyberattacks can also contribute to the leakage. According to a report by the German news magazine Der Spiegel, the location data of approximately 800,000 electric Volkswagen vehicles was accessible online due to a data breach. In some cases, the breach also included the emails, addresses, and phone numbers of drivers [20]. Compared to typical data scenarios, the data in the context of automated driving systems is more diverse, larger in scale, and more sensitive. If compromised or exposed, personal information such as identity details, biometric data, and other sensitive information can be used to reconstruct a person’s true identity and reveal their real-world context [21], which increases the risk of privacy breaches and identity theft.

2.2. Characteristics of Personal Information Infringement in Autonomous Driving Scenarios

Compared to other data-driven industries, AVs have superior data collection capabilities, advanced data processing capacities, and more complex data flow procedures [22]. However, this also further expands the scope of risks to personal information protection, and infringement presents the following characteristics:
Firstly, numerous parties are involved in infringement. The autonomous vehicle industry chain is both broad and intricate. From an upstream perspective, autonomous driving depends on the seamless collaboration of the perception, decision-making, and execution layers, which are coordinated by various technology companies to achieve a complete autonomous driving system. The midstream of the industry chain primarily includes automobile manufacturers and autonomous driving solution providers, as well as vehicle testing and evaluation processes before the deployment of applications. The downstream involves specific application scenarios, such as mining, ports, waste management, logistics, and commercial transportation, covering a wide range of stakeholders, including government agencies, businesses, and individual users [23]. This complex multi-party data flow significantly complicates the already challenging issue of personal data protection.
Secondly, the range of impacted parties is vast. AVs are constantly evolving. In addition to collecting personal information from vehicle owners, users, passengers, and other occupants within the vehicle, there is also a risk that personal information from pedestrians, traffic enforcement officers, road workers, and other ‘unintended subjects’ may be collected and processed [24,25].
Thirdly, the infringement process is often concealed. Unlike tangible damages, which can usually be observed directly, personal data infringements are inherently hidden. Due to the multi-dimensional interactive environment of AVs, the high mobility of data resources, and the complex, opaque nature of algorithmic “black boxes,” as well as subjective factors such as limited individual knowledge and awareness, personal data infringements tend to remain obscure. Current technologies are often inadequate for uncovering and reconstructing the full causal chain [26]. Additionally, the involvement of human intervention, automated decision-making, and their interaction further weakens the causal connection between the infringement and the resulting harm. When it comes to post-incident accountability and evidence collection, vehicle users face significant challenges in proving the causal link between the harm they experience and the personal data breach caused by a specific service flaw.
Fourthly, the consequences of such infringements are severe. AVs store vast amounts of personal information, particularly sensitive data. If leaked, this data can be maliciously exploited for purposes such as fraud, phishing, and harassment, significantly infringing on the rights of vehicle occupants. Financial losses may also result, as sensitive details—such as bank card numbers, passwords, and purchase records—can be used by malicious actors to commit fraud or steal personal assets. Additionally, the leakage of information like driver’s license numbers, credit details, and insurance records could damage the vehicle owner’s credit history, disrupting their daily life and work. Furthermore, core operational data of AVs, which is often linked to user personal information and controlled via mobile terminals, poses an even greater risk. A successful cyberattack or data breach could result in vehicle theft or unauthorized control during operation, endangering user safety and potentially causing widespread public panic [27].

3. Legislative Practices of Personal Information Protection for Autonomous Driving in China

The swift advancement of autonomous driving technology requires a robust regulatory framework to guarantee safety and foster innovation within the sector [28]. Personal information protection is a critical security issue in autonomous driving. The Chinese government is actively working to address personal information risks associated with AVs through policies, regulations, and voluntary guidelines, reflecting a global trend in governmental responses to these challenges [29]. These norms largely unify the protection of personal information, due to the overlap between personal information protection, data security, and privacy safeguards.

3.1. National Policies

In terms of policy, the Chinese government has actively promoted the development and application of autonomous driving. This not only provides a clear and promising market outlook for the industry’s development but also establishes entry requirements, application scenarios, and safety standards for AVs in relation to product standards and safety. Additionally, specific guidelines and plans have been formulated for personal information protection and data security. To illustrate, this article summarizes key development policies on autonomous driving as of December 2025, as well as policies regarding personal information protection, data security, and cybersecurity, as shown in Table 1.
Table 1. The key policies on AVs in China.
Among the introduced policies, the DPNGAI addressed the legal regulation of AI as early as 2017, explicitly calling for the protection of “privacy and property rights” in relation to AI applications and for research on legal issues such as the safe use of information. The IDSIV emphasizes research on issues including the identification of “machine drivers” in intelligent vehicles, cybersecurity, data management, and other legal concerns, as well as ethical norms. To ensure the consistent quality and production of intelligent connected vehicles, the SAAICVMP require research into legal and ethical issues. The RARTDAICV specify the types of data that must be stored during road testing and demonstration applications, along with the required storage duration. The PAOTICV emphasizes the need to enhance the emergency response mechanism for network and data security incidents, as well as the implementation of primary responsibility for network and data security. Furthermore, the SNSDST and the GCIVNSDSSS, along with the COASUR and DGJPAHMINV, mark the formation of an initial standard system guiding network and data security in telematics.

3.2. Laws and Regulations

In terms of laws and regulations, China has yet to enact a unified law on AVs. However, building on the overarching legal framework provided by the Civil Code, Cybersecurity Law (CL), Data Security Law (DSL) and Personal Information Protection Law (PIPL), the automotive industry has progressively refined policies and regulations in the domain of intelligent connected vehicles. Consequently, China has gradually developed a legal framework for the protection of personal information, data, and cybersecurity in the field of intelligent connected vehicles. Among these, the PIPL, which took effect on 1 November 2021, addresses various aspects of the collection, storage, use, processing, transmission, and provision of personal information, establishing itself as a key legal foundation for the protection of personal data in AVs.
At the national level, the CL, DSL, and PIPL delineate the foundational scope of protection for personal information and data security. On 16 August 2021, the Internet Information Office of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security, and the Ministry of Transportation and Communications jointly issued the Several Provisions on the Management of Automobile Data Security (for Trial Implementation) (SPMADS), which applies the aforementioned laws to the automotive sector, marking China’s first sector-specific regulation on data security protection within the automotive industry. In July 2022, the State Internet Information Office issued the Measures for the Security Assessment of Outbound Data Transfer, which regulates two key categories: personal information and important data.
At the local level, most provinces have introduced road testing management regulations. As of December 2025, 26 provinces (including municipalities directly under the central government) and more than 40 cities in China have enacted administrative regulations or implementation rules for the testing of intelligent connected vehicles. These road testing regulations specify the types and retention periods of data that must be stored in smart connected vehicles, but they do not address personal information protection. In contrast to road test management regulations, autonomous driving legislation can safeguard public safety, promote technological innovation, regulate market order, and protect personal privacy. While China has yet to implement national legislation on autonomous driving, more than 10 cities have made significant progress in local legislative efforts. It is encouraging to note that most of these local laws recognize the importance of personal information protection in autonomous driving and have included provisions to address it, as shown in Table 2.
Table 2. Local AVs regulations with personal information protection provisions.
Among these laws and regulations, with the exception of the PIPL and the SPMADS, the rest are primarily general guidelines and do not contain specific provisions for the protection of personal information in the context of autonomous driving. Although the PIPL and the SPMADS establish specific compliance requirements for personal information protection, they do not adequately address the unique characteristics of autonomous driving scenarios, and their applicability remains limited.

3.3. Standardized Practices

The protection of personal information requires not only national policy support and legal regulation but also the harmonization of relevant standards. These standards specify technical requirements and operational guidelines for the collection, storage, transmission, and processing of personal information by vehicles. They can help guide the self-driving car industry in standardizing its development with regard to personal information and privacy protection.
Regarding telematics and intelligent connected vehicles, the MIIT issued the Guidelines for the Construction of Internet of Vehicles Network Security and Data Security Standard Systems and the GCNIVISS, both of which propose the introduction of personal information protection standards. In October 2022, the MIIT opened public consultation on the recommended national standard Intelligent and Connected Vehicles—General Requirement of Data, which establishes the general data requirements for intelligent and connected vehicles, including provisions for personal information protection, important data protection, and requirements for auditing and assessment. This standard has been incorporated into the Technical Requirements for Vehicle Cybersecurity, a national standard adopted by the MIIT. Prior to this, the industry standard Personal Information Protection Requirements for Internet of Vehicles Information Service Users (PIPRIVISU) and the Data Security Technical Requirements for Internet of Vehicles Information Services set forth specific guidelines for categorizing information content, sensitivity grading, and protective measures for personal information in the context of internet of vehicles and intelligent connected vehicles.
With regard to personal information protection, the national standard Information Security Technology Personal Information Security Specification (IST) has been in effect since 1 October 2020. Compared to the 2017 version, the 2020 edition is more aligned with industry practices, addressing a number of current issues and adjustments. The national standard Information Security Technology Guidance for Personal Information Security Impact Assessment, effective 1 June 2021, introduces several changes relative to its predecessor, Information Security Technology Personal Information Security Impact Assessment, providing a foundation for organizations to implement personal network and data security measures. Additionally, the national standard Information security technology-Implementation guidelines for notices and consent in personal information processing, effective 1 December 2023, offers concrete guidance for organizations to conduct personal cybersecurity and data security impact assessments. This standard also specifies the content and structure of notices for personal information processing in vehicle scenarios and outlines how to obtain consent from data subjects for the collection, use, and public provision of personal information.
China has recognized the importance of security standards for personal information in intelligent and connected vehicles. Standards committees and industry organizations, such as the China Communications Standards Association (CCSA), Telematics Industry Application Alliance (TIAA), and the China Industry Innovation Alliance for Intelligent and Connected Vehicles (CAICV), are working based on the GCNIVISS. These organizations are actively engaged in developing and researching personal information security standards for intelligent and connected vehicles. However, few standards related to personal information security have been issued, most of which were formulated prior to the enactment of the Personal Information Protection Law and have not been effectively aligned with the current regulatory framework. The challenge of incorporating methodological guidance on personal information and privacy protection throughout the entire life cycle of autonomous vehicle product development remains substantial.

3.4. Summary of Legislative Characteristics

Although China has made considerable progress in establishing a legal framework for protecting personal information in the context of autonomous driving, several challenges remain. In terms of legislative form, first, China follows a “pilot first” legislative strategy. Over the past decade, more than ten cities have made significant progress in developing local regulatory frameworks. However, the lack of interconnectivity and mutual recognition among municipal regulations continues to hinder effective personal information protection at the national level. Secondly, comprehensive legislation in the field of autonomous driving remains absent. China’s laws and regulations are not yet ready for the changes that AVs bring to personal information protection. As a result, lower-level regulations are often applied in ways that conflict with higher-level laws. Although earlier draft amendments to the Road Traffic Safety Law tried to bridge this institutional gap, the relevant provisions were ultimately removed from the final adopted version.
In terms of legal content, one of the major issues related to China’s autonomous driving regulation is the tendency to prioritize data security over personal information protection, a phenomenon also observed in other jurisdictions. Although the relationship among data, personal information, and privacy is undeniably complex, it cannot serve as a justification for vague or indeterminate legislation. Secondly, the existing legal framework for AVs has not achieved effective integration with China’s personal information protection legal framework. In contrast to the slow progress of autonomous driving legislation, China’s personal information protection regime has become increasingly mature following the implementation of the PIPL. However, the published autonomous vehicle regulations have little connection with this framework and focus more on technical standards or road testing, with little mention of personal information protection. Even where these issues are mentioned, the relevant provisions are largely declaratory in nature.

4. EU Personal Information Protection in Autonomous Driving: Lessons for China

4.1. A Global Overview of Legislation on Autonomous Vehicles

As a prominent application of the current wave of artificial intelligence, the self-driving car industry is rapidly evolving into a multi-trillion-dollar sector and is set to become an unprecedented political force due to its significant economic impact [30]. In this context, traditional automotive powers, including the United States, Germany, the United Kingdom, Japan, South Korea, and others, are actively advancing legislation related to autonomous vehicles to secure a leadership position in the development and deployment of this emerging industry [31]. There are two main legislative approaches: one involves amending existing traffic regulations, while the other entails creating specific laws dedicated to autonomous vehicles.
In most of these countries, there is a recognition of the importance of strengthening data protection to promote the industrialization and commercialization of autonomous driving. In 2017, the U.S. House of Representatives passed the Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution Act, which improved safety standards in various areas, including critical components such as cybersecurity. Subsequently, a series of documents was released by the U.S. Department of Transportation, including Automated Driving Systems: A Vision for Safety, Preparing for the Future of Transportation: Automated Vehicle 3.0, and Ensuring American Leadership in Automated Vehicle Technologies: Automated Vehicles 4.0. These documents set forth the Ten Principles of Autonomous Driving and emphasize the significance of privacy and data protection. In the same year, Congress passed the SPY Car Act, focusing on privacy protection. The following year, California enacted the California Consumer Privacy Act (CCPA), one of the most stringent privacy laws in the U.S. In 2022, the U.S. also passed the Personal Data Protection Act—Uniform Law Commission, further broadening the scope and depth of personal information protection. Japan and South Korea followed suit by amending their respective road transport and autonomous vehicle laws, such as the Bill to Amend Part of the Road Transport Vehicle Act and the Law on Promoting and Supporting the Commercialization of Autonomous Vehicles. In addition, Germany issued the document “Data Protection in the Use of Connected and Non-Connected Vehicles” in 2016, which stipulates that “data generated during the use of a vehicle may be considered personal data under the Federal Data Protection Act (BDSG) if it is linked to the vehicle identification number or license plate.” These measures enhance the protection of data generated during vehicle use.
In 2017, the UK issued “The key principles of vehicle cyber security for connected and automated vehicles,” outlining eight principles and twenty-nine rules, including the protection of secure and controllable storage and transmission of data and the extension of cybersecurity responsibilities to all key stakeholders in the connected-vehicle industry. South Korea issued the “Cybersecurity Guidelines” in 2020, offering guidance on data protection and cybersecurity for self-driving cars.
Although these countries recognize the importance of data protection in the context of automated driving, most of their provisions are merely declarative, lacking specific regulations to guide the protection of personal data. Additionally, due to regional differences in the application of the law, these provisions are not universally applicable. In contrast, the relevant legislation and practical experience of EU countries are more directly applicable to China. There are three reasons for this. First, the EU is actively advancing personal data protection in the context of automated driving and has established a relatively mature legal framework that addresses both personal data protection and automated driving legislation. Second, China’s unified approach to personal data protection is largely influenced by EU law, particularly German law [32]. Both legal systems belong to the civil law tradition, and while there may be differences in their application, the principles they uphold and the insights they offer are universally applicable. Third, although China has yet to issue a comprehensive Autonomous Driving Law, it has already developed a relatively robust legal framework for personal data protection, largely due to the profound influence of EU personal data and privacy protection laws. Building on this foundation, a legal framework for personal data protection in autonomous driving can be developed within China’s national context.

4.2. Legal Developments in the EU

The EU’s approach to personal information protection has evolved through four key phases. Initially, during the domestic legislative phase, countries including Sweden, the UK, and Germany established their own comprehensive personal data protection laws. The second phase, marked by the 1995 EU Directive, saw member states engaging in negotiations and compromises to standardize data protection practices. The third phase, defined by the 2009 EU Charter of Fundamental Rights, recognized personal data protection as a fundamental human right. The final phase is characterized by the harmonization of laws, with the EU General Data Protection Regulation (GDPR) being the most widely implemented framework. The GDPR’s broad definitions of “personal data” and “data processing” encompass all forms of personal information handling in autonomous driving. In addition to the GDPR, the Regulation on Privacy and Electronic Communications, adopted by the European Commission, sets specific standards for entities that handle information stored on end devices, including those related to internet-connected vehicles and their associated devices. Regarding national legislation, Germany incorporated the 1995 EU Directive into its national law through the BDSG, which was enacted in 2002 and amended in 2017, having a profound impact on the legislative practices of various countries.
The EU remains cautious about adopting unified legislation on autonomous driving, and no harmonized legal framework for AVs has been established. However, existing EU regulations are already largely applicable to the deployment of autonomous and connected vehicles. In 2010, the EU issued Directive 2010/40/EU, which proposed the deployment of Collaborative Intelligent Transportation Systems (C-ITS) across member states. Subsequently, the C-ITS and C-Roads platforms were established in 2014 and 2016, respectively. In 2018, the European Commission revised the vehicle-related management system and published The Road to Automated Mobility: An EU Strategy for Mobility of the Future, which supports the development of autonomous driving. In 2019, the C-ITS System Authorization Act was introduced to clarify technical details and set relevant standards. In 2020, the EU released the Sustainable and Smart Mobility Strategy, which further promotes the development of autonomous driving technology. At the legislative level, the UK government has remained focused on the Automated and Electric Vehicles Act 2018, which explores the regulation of autonomous driving in public service vehicles. France has yet to introduce comprehensive legislation on autonomous driving. Among EU member states, Germany has made significant progress in advancing autonomous driving legislation. Following the first amendment to the Road Traffic Act (Eighth Amendment) in 2017, Germany amended both the Road Traffic Act and the Compulsory Motor Vehicle Insurance Act in 2021 to address issues related to autonomous driving. The new law, known as the Autopilot Act, came into force on 28 July 2021.
In terms of comprehensive protective legislation, the EU has established a relatively mature legal framework. In 2016, the EU released the EU Strategy for Connected Vehicles, which emphasized the crucial role of personal data and privacy protection in the successful deployment of self-driving cars. The strategy asserts that all data generated by connected vehicles are considered personal data of the users [33]. In September 2017, the 39th International Conference of Data Protection and Privacy Commissioners (ICDPPC) adopted a resolution on Connected Vehicles. In January 2020, the European Data Protection Board (EDPB) issued a document titled Personal Data in the Context of Connected Vehicles and Mobility Related Applications (Personal Data in Connected Vehicles) [34]. In March 2021, the EDPB published version 2.0, which included some revisions and is currently the most informative regulatory document on personal data protection in the context of autonomous driving. This document will be discussed in more detail in Section 4.2. In February 2022, the EU published the Proposal For A Regulation Of The European Parliament And Of The Council On Harmonized Rules On Fair Access To And Use Of Data (Data Act), which regulates the ownership and sharing of data related to smart connected vehicles. In addition, a series of documents have been released by various EU member states. For instance, in 2017, the German Federal Ministry of Transport and Digital Infrastructure released the world’s first ethical and moral standard for autonomous driving, in which data security is a key element. The same year, the UK Department for Transport and the National Infrastructure Protection Center issued The Key Principles of Vehicle Cyber Security for Connected and Automated Vehicles, covering aspects such as personal data security. 
Additionally, in 2017, the French Data Protection Agency released the Connected Vehicle Data Compliance Program, which provides a detailed introduction to key concepts such as personal data, and the rules on information processing that stakeholders in the automotive industry must follow.

4.3. EDPB Guidelines on Personal Data in Autonomous Vehicles

China has not yet enacted a specific law on autonomous driving vehicles. The laws, regulations, administrative norms, industry standards, and guidelines issued so far primarily focus on the licensing of AVs and road testing. These regulations do not establish a comprehensive framework for the protection and use of personal information in autonomous driving. Personal Data in Connected Vehicles (PDCV) is the first guideline issued by the EDPB on handling personal information in smart connected vehicles. It explains how to comply with the GDPR in the context of AVs, making it an essential reference for personal data protection in China’s autonomous driving sector. It focuses on the following aspects:
First, the scope of personal information. The EDPB argues that as connected vehicles generate increasing amounts of data, most of it can be classified as personal information, as it is typically linked to the driver or passengers. Even if a connected vehicle cannot be directly associated with a specific individual, it can still be connected to a driver or passenger through the aggregation and analysis of technical data and vehicle characteristics. For example, data on driving habits, mileage, and vehicle component wear can be used. The sources of personal information include: (1) data processed within the vehicle itself, (2) data exchanged between the vehicle and external devices, and (3) data collected within the vehicle and transmitted to external entities for further processing [35]. In summary, any information generated by an internet-connected vehicle that can identify or be linked to an individual is considered personal information.
Second, the flexible application of consent rules. Traditional methods of obtaining consent are challenging to apply in vehicle contexts, particularly in cases involving used, rented, or loaned vehicles. In these situations, it is difficult for the user to be aware of the information processing activities occurring in the vehicle and to provide informed consent. As a result, the use of consent as a legal basis for information processing under the GDPR may be problematic.
Third, the core risks of personal information and corresponding strategies. The EDPB has identified the core risks associated with connected vehicle data and proposed a series of preventive measures. These measures include the following: (1) Making sure that all drivers fully understand how their data are processed and providing accessible control options for users. (2) Avoiding blanket consent by requiring specific and informed consent. (3) Limiting the data collection scope of sensors to what is strictly necessary. (4) Strengthening the encryption and vulnerability remediation functions within vehicle systems and enhancing protection against cyberattacks.
Fourth, data classification and the prioritized protection of special categories of data. Personal Data in Connected Vehicles identifies three categories of personal data that require particular attention from information processors: geolocation data, biometric data, and data revealing criminal behavior or traffic violations.
Fifth, the general principles of personal information processing. Under the GDPR, information processors are required to adhere to fundamental principles, particularly the principles of purpose limitation, data relevance, and data minimization.
Sixth, the rights of the data subject. To ensure that the data subject retains control over their data throughout the processing cycle, it is essential to provide effective mechanisms, such as a user profile management system, to facilitate the exercise of rights including access, rectification, deletion, restriction of processing, data portability, and the right to object.

4.4. Legislative Content Differences in AVs Personal Information Protection: EU and China

As described previously, the EU and China have both introduced numerous policies, laws, and standards for AVs. In terms of personal information protection, the EU has established a fundamental legal framework, which is based on the GDPR. As a supplement, the Data Act defines rules for vehicle data access and sharing, and the PDCV provides practical guidance. China has also established a legal framework, which is based on the PIPL, the DSL, and the CL. Within this framework, the SPMADS has specified the classification, storage, and authorization requirements for automotive data. Further support is provided by local regulations, such as the Regulations on Autonomous Driving Vehicles in Beijing and the Regulations on Intelligent Connected Vehicles of the Shenzhen Special Economic Zone. These regulations form the core legal basis for protecting personal information in autonomous driving scenarios.
From a content perspective, both EU and Chinese legislation pay close attention to data ownership, the definition of personal information, data classification, transparency, risk assessment, informed consent, and liability for violations, as shown in Table 3. Chinese law mentions these aspects but provides little detail for AVs. Both EU and Chinese legislation are concerned with data ownership, but fundamental laws are still lacking. At the current stage, discussing data ownership in the context of AVs has limited practical significance. Both the EU and China use “identifiability” as the core criterion for personal information. According to this criterion, personal information includes an individual’s location, biometric identifiers, driving habits, and the like in autonomous vehicle scenarios. The EU provides a detailed list of personal information types specific to autonomous driving scenarios in PDCV. China mainly relies on PIPL. It only supplements and clarifies the scope of sensitive personal information in the SPMADS. However, its applicability to specific scenarios is limited. As for data classification and protection, the EU focuses on the specific characteristics of autonomous vehicle scenarios. It divides geographical location information, biometric data, and data related to crimes into three key protected categories. The EU implements differentiated regulatory measures for each type of data. In contrast, China adopts a “general classification + industry key data” model. This model places greater emphasis on the linkage with national security, incorporating high-precision maps, spatiotemporal data, and other relevant data into the management of important data. This shows that China’s legislation follows a general data classification logic, and lacks specific standards for autonomous vehicle scenarios. In terms of transparency, the EU emphasizes the use of contextual tools, such as layered notifications and standardized icon prompts.
By contrast, China follows the principles of “clarity, understandability, and definiteness,” lacking dedicated transparency norms for autonomous vehicle scenarios. In terms of risk assessment, the EU requires a DPIA through the GDPR, whenever data processing relates to high-risk scenarios, such as transmitting sensitive data outside the vehicle. The triggering conditions are clearly defined. Chinese rules are more principle-based in nature, such as requiring enterprises to conduct regular assessments and submit reports, when they handle important data or large amounts of personal information. In terms of consent rules, the EU has more detailed regulations on how consent is obtained and how easily it can be withdrawn. By contrast, China focuses on preventing implicit authorizations and needs to further develop operational norms for specific scenarios. In terms of liability, both the EU and China consider the data controller or processor as the primary responsible party. The GDPR stipulates fault-based liability for data controllers, liability for the faults of data processors, joint liability for co-conspirators, and recovery mechanisms, which are highly practical. In China, the PIPL and the Civil Code must be combined to allocate responsibilities according to the degree of fault. In both the EU and China, the allocation of responsibilities in autonomous driving scenarios, such as the boundaries between car manufacturers, third-party suppliers, and service providers, still requires further clarification. At a minimum, China’s personal information protection legislation must address these issues.
Table 3. Comparative analysis of legislative content.

6. Conclusions

Autonomous vehicle technology is developing rapidly, which raises some concerns about the privacy of personal information. As the commercialization of AVs accelerates, incidents of excessive collection, disclosure, and misuse of users’ personal information have become increasingly frequent, posing a serious threat to the protection of users’ information rights. China has not yet enacted an autonomous vehicles law. Most existing local regulations focus on road testing and quality standards, and include few rules on protecting personal information. Although the PIPL establishes a general legal framework for protecting personal information, it is not well suited to the context of AVs. Rigid application of existing legal provisions has made effective supervision of autonomous vehicle enterprises’ personal information processing difficult.
The current state of autonomous driving legislation in China suggests that it will take time to achieve comprehensive legal protection for AVs. In the absence of a unified Autonomous Driving Law, it is recommended to integrate autonomous driving within the existing legal framework for personal information protection through reasonable legal interpretation, aligning with relevant legislation and national standards. This approach can address the current legal challenges. Furthermore, the expanded-protection approach of Personal Data in Connected Vehicles and the GDPR can provide a fundamental interpretative stance for legal issues. Considering the actual situation in China, we propose the following recommendations: (1) Expand the scope of personal data protection in autonomous driving scenarios. If vehicle data can identify or be linked to a specific individual or vehicle, it should be classified as personal data. (2) Introduce a hierarchical classification system to ensure precise protection of personal information. To address the distinction between general and sensitive personal data, the concept of “important personal information” can be introduced as a buffer zone. In addition, special attention should be given to specific types of sensitive information, such as geographic location data, biometric information, data that may indicate criminal activities, and information about minors. Detailed guidelines should be provided on how to handle these types of personal data. (3) Given the unique characteristics of automated driving services and personal information handling, more flexible and diverse notification and consent methods should be provided for data subjects. (4) Actively conduct impact assessments on the security of personal information, including life safety and public interest as key assessment criteria. (5) Focus on the critical aspect of personal information collection practices, evaluate the networked status of AVs, and, based on this, clarify the responsible parties for personal information violations. Obviously, this requires the collaborative engagement of key stakeholders, including enterprises, governments, and consumers [46].
To strengthen the protection of personal information, we cannot rely solely on laws and regulations. Joint efforts from laws, regulations, enterprises, technology, users, and industry self-discipline are also required. Due to space limitations, our research only explores the current situation and optimization paths of personal information protection in the context of autonomous driving from legislative and institutional perspectives. It does not consider non-institutional factors such as technological feasibility, the stage of industry development, or enterprise compliance costs. Due to the limitations of this research perspective, the analytical findings may deviate from practical scenarios, and the proposed recommendations lack sufficient justification for practical applicability. Future research will further examine the impact of non-institutional factors, such as technological iteration, industry self-discipline, and enterprise compliance capacity, on personal information protection practices, and will construct a more comprehensive analytical framework based on multiple variable dimensions to provide a more valuable perspective for evaluating the actual effectiveness of personal information protection in autonomous driving scenarios.

Author Contributions

Conceptualization, Y.X. and Z.S.; methodology, Z.S.; software, J.C.; validation, Y.X., Z.S. and Y.D.; formal analysis, Y.X.; investigation, J.C. and X.D.; resources, X.D.; data curation, J.C.; writing—original draft preparation, Y.X. and Z.S.; writing—review and editing, Y.X., Y.D. and Z.S.; visualization, X.D.; supervision, J.C.; project administration, Z.S.; funding acquisition, Z.S. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the Chongqing Social Science Planning Key Project “Legalization Research on Resilience Construction of Megacities in Chongqing” (2024ZXZD31); Central University Basic Research Business Fund Project “Legalization Research on Resilience Governance of Megacities in the Era of Digital Intelligence” (2024CDJSKZK09); Chongqing Technology Innovation and Application Development Special Key Project “Social Experiment Research on Autonomous Driving in Mountain City Road Scenarios” (cstc2020jscx-dxwtBX0018).

Institutional Review Board Statement

The study was conducted in accordance with the Declaration of Helsinki, and approved by the Ethics Committee of the Law School of Chongqing University (protocol code 260122 and approval date 22 January 2026).

Data Availability Statement

The original contributions presented in the study are included in the article; further inquiries can be directed to the corresponding author.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. National Development and Reform Commission. Notice on the Issuance of Strategies for the Innovative Development of Intelligent Vehicles. 2020. Available online: https://www.ndrc.gov.cn/xxgk/zcfb/tz/202002/t20200224_1221077.html (accessed on 9 November 2024).
  2. Chen, Z.; Liu, S. China’s Self-Driving Car Legislation Study. Comput. Law Sec. Rev. 2021, 41, 105555.
  3. Khan, S.M.; Chowdhury, M.; Morris, E.A.; Deka, L. Synergizing roadway infrastructure investment with digital infrastructure for infrastructure-based connected vehicle applications: Review of current status and future directions. J. Infra. Syst. 2019, 25, 03119001.
  4. China Intelligent Transportation Systems Association and China Automotive Technology & Research Center Co., Ltd. Annual Report on the Development of Autonomous Driving Industry in China; Social Sciences Academic Press: Beijing, China, 2021; p. 29. Available online: https://www-pishu-com-cn-s.atrust.cqu.edu.cn/skwx_ps/bookDetail?SiteID=14&ID=13432859 (accessed on 9 November 2024).
  5. Van Brummelen, J.; O’brien, M.; Gruyer, D.; Najjaran, H. Autonomous Vehicle Perception: The Technology of Today and Tomorrow. Transp. Res. Part C 2018, 89, 384.
  6. Khan, S.K.; Shiwakoti, N.; Stasinopoulos, P.; Warren, M. Cybersecurity Regulatory Challenges for Connected and Automated Vehicles-State-of-the-Art and Future Directions. Transp. Policy 2023, 143, 58–59.
  7. Xu, Y.; Wei, J.; Mi, T.; Chen, Z. Data Security in Autonomous Driving: Multifaceted Challenges of Technology, Law, and Social Ethics. World Electr. Veh. J. 2025, 16, 6.
  8. Bloom, C.; Tan, J.; Ramjohn, J.; Bauer, L. Self-Driving Cars and Data Collection: Privacy Perceptions of Networked Autonomous Vehicles. In Proceedings of the 13th Symposium on Usable Privacy & Security (SOUPS 2017); Usenix Association: San Francisco, CA, USA, 2017; p. 357. Available online: https://webofscience.clarivate.cn/wos/woscc/full-record/WOS:000698688000023,2017 (accessed on 21 November 2024).
  9. Kyriakidis, M.; Happee, R.; de Winter, J.C.F. Public Opinion on Automated Driving: Results of an International Questionnaire among 5000 Respondents. Transp. Res. Part F Traffic Psychol. Behav. 2015, 32, 127.
  10. Huang, H.; Qian, L. Consumer preferences and willingness to pay for data privacy in automated vehicles. Transp. Res. Part A Policy Pract. 2025, 199, 104585.
  11. Yang, Y.; Song, Z. The public perception and adaptability of laws and regulations of autonomous driving vehicles. Humanit. Soc. Sci. Commun. 2025, 12, 1224.
  12. Glancy, D.J. Privacy in Autonomous Vehicles. Santa Clara Law Rev. 2012, 52, 1171–1172. Available online: https://digitalcommons.law.scu.edu/lawreview/vol52/iss4/3 (accessed on 24 January 2026).
  13. Yang, P.; Nan, Y.; Xue, L.; Zhang, Y.; Zhai, J.; Zheng, Z. Understanding Privacy Risks of Intelligent Connected Vehicles through Their Companion Mobile Apps. IEEE Internet Things J. 2024, 11, 33683.
  14. Carlton, J.; Malik, H. Safeguarding Personal Identifiable Information (PII) after Smartphone Pairing with a Connected Vehicle. J. Sens. Actuator Netw. 2024, 13, 63.
  15. Singh, J. The Ethics of Data Ownership in Autonomous Driving: Navigating Legal, Privacy, and Decision-Making Challenges in a Fully Automated Transport System. Aust. J. Mach. Learn. Res. Appl. 2022, 2, 333.
  16. Nguyen, T.-H.; Vu, T.G.; Tran, H.-L.; Wong, K.-S. Emerging privacy and trust issues for autonomous vehicle systems. In Proceedings of the 2022 International Conference on Information Networking (ICOIN); IEEE: New York, NY, USA, 2022; pp. 52–57.
  17. Yu, Z.; Cai, K. Perceived risks toward in-vehicle infotainment data services on intelligent connected vehicles. Systems 2022, 10, 162.
  18. Sim, K.; Heo, H.; Cho, H. Combating Web Tracking: Analyzing Web Tracking Technologies for User Privacy. Future Internet 2024, 16, 363.
  19. Hu, C. Protection of Personal Information in the Era of Big Data. Front. Hum. Soc. Sci. 2022, 2, 184.
  20. Roth, E. Volkswagen Leak Exposed Location Data for 800,000 Electric Cars. 2024. Available online: https://www.theverge.com/2024/12/30/24332181/volkswagen-data-leak-exposed-location-evs (accessed on 5 January 2025).
  21. Cui, S.J.; Qi, P. The Legal Construction of Personal Information Protection and Privacy under the Chinese Civil Code. Comput. Law Sec. Rev. 2021, 41, 12.
  22. Zheng, Z.F. A Study of Private Law Challenges and Responses to Self-Driving Cars; China Legal Publishing House: Beijing, China, 2022; pp. 256–262.
  23. Che, C.; Geng, X.; Zheng, H.; Chen, Y.; Zhang, X. Optimization and Benefit Analysis of Intelligent Networked Vehicle Supply Chain Based on Stackelberg Algorithms. Sci. Program. 2022, 2022, 3946744.
  24. Khanh, N.Q.; Hoang, N.T.; Trung, N.H.; An, D.T.; Van Hien, D.; Uyen, V.N.B. The Ethics of Advanced Driver-Assistance System Based Computer Vision: Balancing Safety and Decision-Making. Ethics 2024, 11, 34.
  25. Salami, E. Autonomous transport vehicles versus the principles of data protection law: Is compatibility really an impossibility? Int. Data Priv. Law 2020, 10, 330.
  26. Li, J.; Li, H.; Liu, J.; Zou, Z.; Ye, X.; Wang, F.; Huang, J.; Wu, H.; Wang, H. Exploring the causality of end-to-end autonomous driving. arXiv 2024, arXiv:2407.06546.
  27. Łukasz, B. Data Privacy in Autonomous Vehicles. 2023. Available online: https://gallio.pro/blog/data-privacy-in-autonomous-vehicles// (accessed on 13 January 2025).
  28. Shaosyue, T. Autonomous Driving in the Digital Age and Legal Protection: Chinese Experience and Development Paths. Law J. High. Sch. Econ. 2023, 4, 357.
  29. Lim, H.S.M.; Taeihagh, A. Autonomous Vehicles for Smart and Sustainable Cities: An in-Depth Exploration of Privacy and Cybersecurity Implications. Energies 2018, 11, 1062.
  30. Schwartz, S.I. No One at the Wheel: Driverless Cars and the Road of the Future; PublicAffairs: New York, NY, USA, 2018; p. 5.
  31. Zheng, Z.F. Autonomous Vehicle Legislation: Global Practice and Local Landscape. Shanghai Leg. Stud. 2024, 11, 120–141.
  32. Qi, A.M. A Comparative Study of Personal Information Protection Laws in the Era of Big Data; Law Press China: Beijing, China, 2015; pp. 170–177.
  33. European Commission. Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions a European Strategy on Cooperative Intelligent Transport Systems, a Milestone towards Cooperative, Connected and Automated Mobility. 2016. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2016%3A766%3AFIN (accessed on 24 December 2024).
  34. European Data Protection Board. Guidelines 1/2020 on Processing Personal Data in the Context of Connected Vehicles and Mobility Related Applications. 2020. Available online: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012020-processing-personal-data-context_en (accessed on 10 November 2024).
  35. Arai, K.; Kapoor, S.; Bhatia, R. Proceedings of the Future Technologies Conference (FTC) 2020; Springer Nature: Berlin/Heidelberg, Germany, 2020; Volume 2, p. 597.
  36. Landini, S.; Noussia, K. Big data, privacy, and protection of the user of autonomous vehicles: Ethical issues, insurance aspects, and human rights. In Insurance and Human Rights; Lima Rego, M., Kuschke, B., Eds.; Springer International Publishing: Cham, Germany, 2022; pp. 158–159.
  37. Taiwan Legal Department. Legal Judgment No. 10403501110. 2015. Available online: https://laws.gov.taipei/Law/Interpretation/Content/FE275500 (accessed on 12 November 2024).
  38. Guangzhou Internet Court. Yu Mou v. Beijing Kuche Yimei Network Technology Co., Ltd, Privacy Dispute Case [2021]; 1134 Guangdong 0192 Republic of China No. 928; Guangzhou Internet Court: Guangzhou, China, 2021.
  39. Guo, L.S.; Qi, L.; Suo, J. Research on Data Classification of Intelligent Connected Vehicles Based on Scenarios. In Proceedings of the 2021 International Conference on E-Commerce and E-Management (ICECEM), Dalian, China, 24–26 September 2021; p. 157.
  40. Chen, S.S. Protection of the Personal Information Rights and Interests of “Unintentional Persons Caught in the Mirror”—From the Perspective of Personal Information Rights and Interests in Public Places. Law J. 2022, 43, 149.
  41. Tang, A. Privacy in Practice: Establish and Operationalize a Holistic Data Privacy Program, 1st ed.; CRC Press: Boca Raton, FL, USA, 2023; p. 13.
  42. Walters, R.; Novak, M. Cyber Security, Artificial Intelligence, Data Protection & the Law; Springer Nature: Singapore, 2021; p. 305.
  43. Andraško, J.; Hamul’ák, O.; Mesařcík, M.; Kerikmäe, T.; Kajander, A. Sustainable data governance for cooperative, connected and automated mobility in the European Union. Sustainability 2021, 13, 10610.
  44. Wang, Y.; Ji, R.; Peng, Y. Research on Legal Protection of Consumers’ Personal Information from the Perspective of Public Interest Litigation. Asian J. Soc. Sci. Stud. 2022, 7, 38.
  45. Hemesath, S.; Tepe, M. Multidimensional Preference for Technology Risk Regulation: The Role of Political Beliefs, Technology Attitudes, and National Innovation Cultures. Regul. Gov. 2024, 18, 1264.
  46. Lu, C.; Xin, X. Key Stakeholder Perceived Value’s Influence on Autonomous Vehicles’ Privacy and Security Governance—An Evolutionary Analysis Based on the Prospect Theory. Asia Pac. J. Innov. Entrep. 2024, 18, 131.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
