Connected Vehicles and Data Privacy & Sovereignty in the Global South

The rapid advancement of digital technology has revolutionized many industries, including the automobile sector. This surge in the production of connected vehicles, which are capable of collecting and generating vast amounts of data, raises significant concerns about privacy and digital sovereignty. Countries that import these vehicles, particularly those in the Global South, face additional challenges. This essay explores the issues of data privacy and sovereignty associated with connected vehicles and provides an overview of various legal frameworks governing data protection and localization.

Rise of Connected Vehicles

A “connected vehicle,” or “smart vehicle,” uses data and digital technology to provide a safer, more efficient, and more comfortable driving experience for drivers and passengers. These vehicles are equipped with data transmission nodes, similar to Internet of Things (IoT) devices. For example, just as you can use your smartphone to turn on the heat in your smart home before you arrive, you can also use it to warm up the windshield of your connected vehicle a few minutes ahead of your departure. In this context, connected vehicles use data transmission technologies to communicate with other devices, while autonomous vehicles, or self-driving cars, include connected vehicles and can make independent driving decisions. All autonomous vehicles are connected, but not all connected vehicles are autonomous.

While the debate over the superiority of internal combustion engines, electric vehicles, and hydrogen fuel cell vehicles continues, one undeniable fact is that our vehicles are becoming smarter. Currently, 97% of vehicles globally are equipped with smart screens, and by 2025, it is projected there will be over 400 million connected vehicles in operation. These screens display results from sensors and data processing, performing functions like collecting and analyzing road information, facilitating human-machine interaction, enabling autonomous driving, and controlling the vehicle’s computer system. While these features provide significant convenience, they involve the collection of personal information from drivers and passengers, as well as external environmental data, raising concerns about data privacy and security, respectively.

Implications for Privacy

The U.S. Commerce Secretary has emphasized privacy and security concerns by likening these vehicles to “smartphones on wheels,” noting that they collect vast amounts of sensitive data about the drivers, including personal and biometric information, as well as location data. Connected vehicles can also gather personal data and details from connected smartphones, such as contacts, call history, and media playlists. A recent Mozilla Study found that modern vehicles collect more data than many other personal devices.

Tesla, a leading electric vehicle manufacturer, states in its privacy policy that it collects a wide range of data from its vehicles, including charging information, diagnostic data, details from infotainment systems, data from connected apps, and information related to its autopilot features, such as video camera footage, location services data, and voice commands. The Mozilla Study also found that Nissan has a policy indicating that it may collect sensitive personal details such as driver’s license numbers, citizenship status, race, religious beliefs, sexual orientation, precise geolocation, health data, and genetic information.

This vast amount of data collected could also later be forwarded to other entities, often without the drivers’ knowledge or consent. For example, “driver scores”–which track behaviors such as hard braking, acceleration, and phone use–are sold to data brokers, who then provide this information to auto insurers. This extensive data collection also poses significant security risks, as breaching a personal device could expose information such as financial account details, communication channels, and location data and potentially allow harmful remote access to vehicle controls.

Implications for Data Sovereignty

In addition to data privacy, the rise of connected vehicles raises concerns about data sovereignty. Data sovereignty refers to the handling and control of data in line with a country's legal frameworks, practices, cultural norms, and laws, including those related to data protection, competition, and national security. It may involve ensuring that countries retain “control” over their residents’ and government data; consequently, relevant policies may include conditions on data transfers and restrictions on reliance on foreign technology that could lead to data being stored overseas.

The presence of foreign-connected vehicles roaming a country’s streets raises digital sovereignty concerns. Many experts and scholars push back on equating digital sovereignty with other threats to a nation’s sovereignty. For example, Chander and Sun argue that European concerns regarding the dominance of large platforms are “misplaced.” “It is like arguing that because people drive Toyota cars on U.S. roads, we no longer control our streets. As long as the cars are regulated by local law, the fact that they might be built abroad should not undermine sovereignty,” they contend.

However, with connected vehicles now widespread, has this dynamic shifted? The US now views connected vehicles, particularly those manufactured in China, as a national security threat due to the potential access of foreign governments. Consequently, the Biden administration ordered the Department of Commerce (DOC) to investigate the matter. The investigation is pursuant to the 2019 Executive Order (EO) 13873, “Securing the Information and Communications Technology and Services Supply Chain,” which has now been expanded by the 2024 EO 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.”

Similarly, China perceives American Teslas as a national security threat, leading to bans on their use in most government functions and restricted access in certain governmental areas. Only recently did a provincial government add Tesla to its purchase list, but only after negotiating and approving Tesla’s data security measures, including the requirement for domestic data storage in China. Ultimately, the government allows only China-made Teslas to drive in China.

Considerations for the Global South

Currently, the majority of connected vehicles are designed and exported from three primary regions: the US, the EU, and East Asia (Japan, South Korea, and China). These exporting regions are taking steps to have policies in place to address data privacy and sovereignty (whether through laws, frameworks, or government actions). In the US, despite the absence of federal data protection legislation, the government is seeking to address concerns regarding data collection from connected vehicles. The DOC is set to propose a ban on the import of smart autos that have Chinese or Russian technology, and a draft bill has been introduced to grant explicit legal authority to the DOC and other federal agencies on the matter. In the meantime, the Federal Trade Commission (FTC) is investigating data practices in the domestic auto industry.

The EU, known for its robust digital regulatory initiatives, protects personal data against excessive personal data practices via its General Data Protection Regulation (GDPR). Since 2016, the “My Car My Data” campaign has raised awareness and voiced Europeans' concerns about personal data captured by connected cars. This prompted the European Data Protection Board to issue authoritative guidelines on the subject, with an emphasis that any transfer of personal data outside the EU must comply with the safeguards set by the GDPR. The 2023 Data Act proposal further establishes rules for data sharing, aiming at fostering competition and innovation while maintaining rights over personal data.

Japan and South Korea are also recognized for their strong data protection rules, being among the few jurisdictions “white-listed” by the EU for their adequate standards. China, with its state-focused digital policy, has implemented several regulations promoting data localization. The Cybersecurity Law 2017 mandates that data collected abroad by Chinese corporations be stored in China. The Personal Information Protection Law (PIPL) includes provisions limiting data exports, and the Automotive Data Management Regulations specifically regulating vehicle manufacturers and, to some extent, mandating data security.

On the other hand, many countries in the Global South lack the expertise and capacity to design and produce their own vehicles. Consequently, they import connected vehicles from foreign automakers and often have limited influence over the data policies associated with these machines. In response, these countries should carefully consider their position. This involves determining the extent to which data collection and transfer should be allowed, balancing data privacy and sovereignty protection against short-term economic benefits. They should also take appropriate regulatory actions, such as updating data localization regulations or prohibiting imports of smart vehicles from certain jurisdictions.

This challenge is particularly evident in the Southeast Asian market, where Chinese smart vehicles have achieved significant success. Thailand serves as a prime example, with sales in 2023 nearly eight times higher than the previous year. This rapid expansion raises concerns about large-scale data collection and overseas transfers, which pose risks to both data privacy and sovereignty. Despite having a comprehensive data protection regulation inspired by the GDPR, enforcement and investigative actions by the Thai regulator have been limited, partly due to constraints in personnel and budget.

In contrast to Thailand, Chinese smart vehicles appear less dominant in the Indian market. However, the potential influx of connected vehicles from other foreign sources can still present data privacy and sovereignty challenges. For example, the Tesla-Indian government deal possibly represents a notable increase in the presence of American smart vehicles in India. India’s data protection strategy focuses on individual control, emphasizing user ownership and consent. Alongside its GDPR-inspired data protection laws, the Indian government is advancing the "India Stack" initiative, which seeks to balance data localization with economic development. This initiative includes a data governance model designed to enhance user control over their data through a consent management system for data sharing.

Shifting the focus to Africa, many nations face significant challenges due to a lack of locally developed digital technologies, compounded by the dominance of foreign companies in the cloud computing market and the storage of data on servers outside the continent. To address these issues, the African Union (AU) has emphasized that Member States should implement policies ensuring data subjects have control over their personal data. Additionally, the AU is exploring new ownership frameworks, such as data trusts and stewardships, which offer alternatives to the traditional individual rights model.

Building on the data protection initiatives across Africa, Nigeria has taken significant steps with the implementation of the 2023 Nigeria Data Protection Act. This legislation ensures fair, lawful, and transparent data processing, with a strong focus on the rights of data subjects. In addition to this, Nigeria has reinforced its data localization laws through the legally binding guidelines for "Nigerian Content Development in Information & Communication Technology", which require that all government data be hosted within the country. Importantly, data ownership and rights remain with the customer, or data originator, regardless of where the data is physically stored.

Similarly, other African countries like Kenya and South Africa have implemented data protection laws that would apply to personal data collected by connected vehicles. Kenya’s Data Protection Act is GDPR-like and regulates the collection, use, storage and sharing of personal data of natural persons. The act applies to both domestic and foreign data processors and controllers when Kenyan data subjects are involved. In South Africa, the scope of coverage of the law is slightly broader as the Protection of Personal Information Act could apply to both natural and juristic persons.

Adopting a shared approach to data governance can help African countries maintain their data sovereignty while simultaneously benefiting from cross-border data sharing. African nations face common challenges, including a lack of infrastructure and access to resources that could be better addressed through a unified approach, potentially attracting more investment. If African nations unite on data protection strategies, they could create a distinctly African approach to digital sovereignty. This possibility is amplified by Africa’s vast untapped market and young population, positioning the continent to potentially become a key influencer in shaping global digital sovereignty principles.

Conclusion and Recommendations

The rapid advancement of the connected vehicles industry raises significant data privacy and sovereignty concerns. These data privacy and sovereignty issues should not be viewed solely through the lens of geo-political tensions, such as the US-China Trade War. Global South nations should proactively establish data policies for smart autos, focusing on key strategies such as enforcing compliance with domestic regulations. Key actions may include conducting audits to prevent unauthorized cross-border data transfers and prioritizing user agency by ensuring drivers receive clear privacy notifications and have the ability to retain legal rights over their data.

Additionally, importing countries can negotiate security terms with foreign automakers such as by deactivating sensors in sensitive areas and prohibiting cross-border transfers of certain sensitive data, with the possibility of establishing local data centers for data filtering and classification. Countries with limited negotiating power can also collaborate regionally to develop unified approaches. This way, Global South countries could assert more control over data privacy and sovereignty issues related to connected vehicles, ensuring alignment with their national interest and regulatory frameworks.