(By You Yunting)According to a media report, a woman recently claimed her rights at a car exhibition in Shanghai after Tesla disclosed part of driving data of her Tesla car, including time, VIN, speed, physical movement signal of the brake pedal and the pressure of master brake cylinder. The woman’s family claimed that Tesla infringed the car owner’s privacy and consumer rights and should cancel the data and apologize.
Let’s discuss whether it was illegal for Tesla to disclose the customer’s driving data to media. First, in my opinion, driving data are personal data of Tesla car drivers, so Tesla violated the Cyber Security Law when disclosing the driving data without the driver’s approval.
I. Are driving data disclosed by Tesla personal or private?
The car owner’s family said Tesla infringed the car owner’s privacy and consumer rights. I think they were half right. In this case, driving data were personal data related to consumer rights, not private ones. Disclosure of the data was an infringement of consumer rights, not privacy.
In Civil Code, privacy is peaceful private life of a natural person and private space, activities and data they don’t want to let others know and personal data is all kinds of data in electronic or other forms which could be used independently or with other information to identify a natural person, including their name, date of birth, identification card number, biological information, address, phone number, email address, health information and whereabouts.
In Civil Code, private and personal data have similar meanings in some way. Privacy includes private life and secrets, while personal data are more closely related to identity recognition. Privacy related provisions apply to private data contained in personal data. Without applicable privacy related provisions, personal data protection provisions would apply.
Driving data generated by driving a Tesla car are personal data in law which contained private data such as ones obtained from the camera monitoring the driver inside the car. Data disclosed to media by Tesla at that time were related to driving acts and should be seen as the customer’s personal data.
You may ask how data generated by driving a Tesla car could be related to identity recognition. Everyone has their own driving habits. All automatic driving researchers and developers are making big data analyses of driving acts. With full driving data, Tesla could recognize the identity of a car’s driver by using technology that enables walking movement recognition.
If Tesla disclosed driving data anonymously, it would not infringe personal data because the data were no longer sensitive. However, the identity of the driver which was open due to her claims could be recognized by using the driving data disclosed by Tesla, so in that case the driving data were personal data.
II. Who is owner of driving data of Tesla
A lot of journalists recently asked me who should own the data disclosed by Tesla. I replied that ownership of personal data was not clearly defined in Chinese law, but based on the Cyber Security Law, as an internet operator, Tesla was seriously illegal to disclose driving data without the customer’s approval.
From legal aspects, the driving data disclosed by Tesla were:
- personal data owned and created by the driver;
- controlled and processed by Tesla as network operator;
- were in a confidential state before their disclosure; and
- could be known as related to the driver whose identity became known with claims against Tesla.
Article 42 of the Cyber Security Law provides that network operators shall not disclose, alter or damage personal data they gathered and not provide other person with such data without approval of the person from whom such data were collected, not including data that are processed for unrecoverable removal of data needed to recognize a particular person. As an internet operator, Tesla disclosed driving data without the customer’s approval, which were treated on a confidential basis and could be used for identity recognition, and therefore should be deemed as acts of using personal data by violating the Cyber Security Law.
Finally, this article gives an analysis of the issue in question based on Civil Code and the Cyber Security Law. The Standing Committee of the National Congress is deliberating on the Personal Data Protection Law to create and improve provisions about personal data protection. After this law takes effect, we could decide on matters discussed in this article more easily.