
The United States Must Move Towards Better Automotive Data Privacy

The U.S. Department of Commerce today proposed rules aimed at future-proofing the supply chain for next-generation automobiles against national security threats by significantly restricting the use of Chinese and Russian software and hardware in connected vehicles sold in the United States. Connected vehicles use computer systems to assist drivers, for example, by communicating with other vehicles to avoid collisions or by sensing a vehicle’s surroundings to enable autonomous driving. The notice of proposed rulemaking (NPRM) focuses on two key elements in connected vehicles: vehicle connectivity systems (VCS), which are software and hardware that enable vehicles to connect to cellular and other external networks, such as Bluetooth and Wi-Fi, and automated driving systems (ADS), which are software that enable driverless vehicle navigation. Under the NPRM, the Department of Commerce would tightly restrict the use of hardware or software that has “sufficient connectivity” to China and Russia and would prohibit domestic sales of connected vehicles manufactured in those countries.

U.S. authorities are considering the new restrictions out of worry that connected car technology could provide a trove of data to China and Russia. Data collected by vehicle computer systems could endanger individual drivers and passengers, while also sharing geographic details about critical U.S. infrastructure. In a worst-case scenario, Commerce Secretary Gina Raimondo said, an enemy could “simultaneously shut down or take control of all of its facilities operating within the United States.”

While the new rules could disrupt supply chains for the automotive industry, they are designed to facilitate this transformation with phased timelines, support for advisory opinions to clarify implementation and compliance requirements, and an exception to protect vehicle prototyping by entrepreneurs. By distinguishing between hardware supply chains and software supply chains, the rules recognize that hardware supply chains typically take longer to adjust. The NPRM provides automakers with a longer time horizon to phase out Chinese and Russian hardware; the hardware bans would go into effect on January 1, 2029 (or Model Year 2030), while the software bans would go into effect starting in Model Year 2027. The proposed approach to securing software supply chains is particularly notable; some software suppliers have a software bill of materials (SBOM), a machine-readable inventory of the components, dependencies, and relationships between components of a given piece of software.

Overall, the order appears to reflect lessons learned from U.S. government efforts to “rip and replace” Huawei equipment from telecommunications networks that began in 2019. That effort began after Chinese Huawei equipment was already widely used in the U.S. and was costing the U.S. government billions of dollars in refunds and direct replacement costs. Billions more dollars have been earmarked for future work.

The announcement comes at a time when increasing restrictions imposed by the U.S. on Chinese products – including a mandatory TikTok divestment, a 25% tariff on Chinese-made connected vehicles, and a 100% tariff on Chinese electric vehicles (EVs) – have raised concerns that national security claims are being used as an excuse to defend domestic markets and manufacturers. (Chinese automakers, backed by massive government subsidies, have rapidly expanded their footprints around the world in the past two years, and Chinese EV exports increased 1,016 percent between 2018 and 2023.) This NPRM was drafted with a degree of specificity that explicitly targets critical supply chain vulnerabilities: the restrictions target the hardware that supports connectivity, for example, but not the plastic body of the car. Moreover, the order seeks to mitigate supply chain threats before they grow so exponentially that they become nearly impossible to address.

These new restrictions are undoubtedly a step in the right direction for U.S. supply chain security and national security interests. Yet they also highlight persistent structural gaps in the U.S. government’s toolset for securing data. Connected vehicles pose more than just threats of espionage and disruption. Addressing data policy risks with tools designed for economic tradecraft or cybersecurity will always be an imperfect solution to the problem. These risks are well-documented, with leading automakers like General Motors, Honda, and Hyundai having repeatedly sold large datasets, including acceleration and braking data, to third-party data brokers. Restrictions on the types of software and hardware in cars would close a back door to data access, but the front door would remain wide open as long as Americans’ personal data is accessible to any actor or government willing to write a check. This NPRM will address how agencies are forced to use imperfect tools to address obvious and far-reaching risks. The longer the United States goes without stronger protections for the privacy of personal data, the longer a critical piece of U.S. national security will go unattended.