Evaluating Data Security in Chinese Drones and Smart Vehicles

Digital technologies are profoundly transforming the way that consumers engage with products. On the one hand, they have drastically impacted the functioning of traditional goods. In cars, electronics have rapidly evolved from relatively simple applications in engine management and diagnostics to include infotainment and advanced driver aids such as adaptive cruise control, lane-keeping systems and parking assistance. A next generation of technologies, including vehicle-to-everything (V2X) communication and automated driving are gaining increasing adoption. On the other hand, they have enabled the emergence of new product categories. The market for consumer unmanned aerial vehicles (UAVs)  has rapidly expanded, as drones became cheaper and more advanced at the same time. The EU’s 2022 European Drone Strategy 2.0 estimates that the drone market could grow to 30 billion EUR in scale and create 154.000 jobs by the end of this decade . Their scope of application ranges from mundane individual hobbies to applications in mapping, surveying and pollution control. Pilot projects for drone-enabled logistics and deliveries are underway.

Key to the functioning of these digitized products is data and connectivity. Smart vehicles collect data related to the performance of hardware and software, as well as the individuals on board the routes they take and their surroundings. In some cases, that data is transferred out of the vehicle, for instance to manufacturers for the sake of later updates or training autonomous driving algorithms. Drones are primarily used to gather data one way or another through cameras and on-board sensors, and require continuous data connectivity with their operators for operations and safety purposes. This core function of data and connectivity is only likely to intensify, for instance as vehicles will communicate ever more with other vehicles and smart infrastructure, or as businesses create new data-enabled products and services around these products.

Yet this new centrality of data and connectivity raises questions concerning data and cyber security. Data can be valuable to malicious actors, whether criminals or spies, while the devices generating them may be vulnerable to sabotage or even hijacking. Particular unease is growing for geopolitical reasons, and more specifically the growing presence of Chinese manufacturers in the car industry, as well as their dominance of drone production. Echoing earlier distrust of Huawei and ZTE in the telecommunications sector, Western governments are ratcheting up scrutiny of Chinese data-enabled products on their markets, with Washington in the lead. In March, the US government started an investigation into the potential national security risks posed by Chinese vehicles , leading to the institution of  nationwide restrictions on the sale of Chinese connected passenger cars, as well as smart vehicle software and hardware . Since 2017, various US government bodies have alleged drones made by the Chinese company and market leader contain espionage and surveillance backdoors, culminating in a 2023 prohibition for all federal agencies to use Chinese drones. At the time of writing, the Countering CCP Drones Act has passed the House of Representatives, awaiting a vote in the Senate. This would, amongst others, ban new DJI UAVs from US communications networks . Sometimes, these concerns go far: in the Netherlands, a The Hague city councillor called for a “thorough investigation” about the espionage risks stemming from using BYD vehicles in a municipal service to transport disabled and elderly individuals .

In most of the policy processes and public debate surrounding these issues, it is often assumed that Chinese companies will find it difficult to resist pressure from the Chinese government, amongst others because of provisions in intelligence legislation stipulating that Chinese firms must collaborate with intelligence services when asked to do so . In addition to intelligence legislation, the Chinese government has also passed several pieces of general legislation, as well as sector-specific regulation, to manage the collection, storage, processing and use of data, including potential government access to data. It is certainly the case that Chinese intelligence services are building up their capabilities to obtain large-scale data about priority targets, of which the Netherlands is likely one. They also face far less constraints through oversight processes or judicial institutions. But the risk calculus of European governments cannot be black and white. The nature and impact of risk depends on which technologies, users and applications are involved. Risks can only be excluded by eliminating Chinese products, components and technologies from consumer markets, but that would carry potentially significant costs. Closing European markets to Chinese products might invite retaliation, deny high-quality, innovative products to EU consumers and users, affect partnerships between European and Chinese companies, or hinder Chinese investments into Europe-based business activities.

To assist this effort, this report will review whether China’s legal frameworks for data governance create or increase risks for Dutch and European companies, individuals, infrastructure and national security, whether the Chinese government can leverage this legislation to affect the confidentiality, integrity and availability of personal and corporate data of Dutch and European citizens, companies, organizations and government bodies. Its first section will focus on the legal and policy-strategic aspects of Chinese data regulation, exploring the extent to which Chinese law enables access to sensitive information. The second section specifically addresses the case studies of smart vehicles and drones, reviewing the technical aspects of related data flows and discussing the state of technical standardization. The third section summarizes the report’s findings, and offers policy recommendations. For the purposes of this report, the focus concerning smart connected vehicles is on battery electric consumer vehicles (instead of, for instance, buses and other public transport vehicles), and concerning UAVs is on commercial (not military use) drones.
 

About the authors

Rogier Creemers is a Lecturer in Modern Chinese Studies. With a background in Sinology and International Relations, and a PhD in Law, his research focuses on Chinese domestic digital technology policy, as well as China's growing importance in global digital affairs. He is the principal investigator of the NWO Vidi Project "The Smart State: Big Data, Artificial Intelligence and the Law in China". For the Leiden Asia Centre, he directs a project on China and global cybersecurity, funded by the Dutch Ministry of Foreign Affairs. He is also a co-founder of DigiChina, a joint initiative with Stanford University and New America.

John Lee is director of the consultancy East West Futures. He is also a researcher at the LeidenAsiaCentre, Co-lead on the EU China Semiconductor Observatory, and TOY Senior Fellow with Asia Society Switzerland and Fellow at the Asia Society Policy Institute's Center for China Analysis. John’s research focuses on China and digital technology, in particular China’s cyberspace governance regime, the semiconductor industry and future telecommunications networks. Previously he was a senior analyst at the Mercator Institute for China Studies and worked at the Australian Department of Foreign Affairs and Trade and the Department of Defence.
The authors would like to thank the researchers behind Project Lion Cage for their assistance.