Data Privacy Investigation: Chinese Electric Vehicle Exports

As sales of Chinese EVs rapidly increase around the world, we investigated the privacy implications of owning these high-tech internet-connected vehicles that require a mobile app to unlock all their features.

Our goal is to raise awareness about the personal data harvested by these ever more popular EVs and their associated mobile apps. We hope that highlighting the risks posed to consumer privacy by the growth of this internet-connected technology will lead to an improvement in data privacy protections for everyone.

Smart car data is extremely sensitive. It can be used to track individuals’ movements, which not only reveals where they live and work but also their hobbies, personal relationships, health and finances. This information is valuable not only for governments but also businesses such as insurance companies, whose actions can have a significant impact on our everyday lives.

Exports of Chinese EVs have surged by 851% over the last three years, with many of those vehicles heading to Europe.^[1] In 2023 alone, shipments to the European Union increased by 112% compared to 2022 and by 361% versus 2021.^[2]

While it’s clear that the appeal of these new EVs, which are typically priced 20% lower than competing brands’ vehicles, causes a headache for the automotive old guard, it could also represent a privacy timebomb for consumers.

There are also question marks over the closeness of the relationship between the EV industry and the government in China.

Smart cars in general already have a poor reputation for privacy even without adding in the spectre of mass data harvesting by the Chinese state.^[3]

The Chinese government pumped $57 billion in subsidies into its EV industry between 2016 and 2022. It remains unknown whether this generous funding came with any conditions relating to the goldmine of data generated by smart cars. However, it doesn’t seem unreasonable to suggest that any company that accepts substantial state handouts in an industry as competitive as the manufacture of EVs will be beholden to some degree to their benefactors.

Moreover, four leading EV exporters have clear ties to the state: MG parent company SAIC is wholly state-owned while Nio, HiPhi and Xpeng have all received significant government investment. The billionaire owner of Geely (the parent company of Zeekr, Volvo, and Polestar) is politically active and appears close to the government.^[4]

As the Chinese share of the European EV market has already grown to 8% this year and is set to reach 15% by 2025,^[5] the time felt ripe to investigate the privacy practices of the leading exporters.

We did a deep dive into the personal data collection, sharing, storage and transfer practices by these companies (jump straight to our GDPR compliance section for a quick overview of this). We also analyzed the accuracy of the app store labels for their mobile apps, along with identifying Android app permissions and any third-party software libraries that posed a privacy risk to users.

The ten companies we investigated were:

• Aiways
• BYD
• GWM (Great Wall Motors)
• HiPhi
• MG (SAIC)
• Nio
• Polestar (Geely)
• Volvo (Geely)
• Xpeng
• Zeekr (Geely)

Which brands pose the most risk to data privacy?

The EV brand with the highest data privacy risk was Polestar, which was primarily due to the lack of an appropriate privacy policy. However HiPhi and Aiways also performed poorly overall.

The best-performing companies on data privacy were MG and Volvo.

The following table summarises the overall performance of each manufacturer across each of the privacy categories that formed our analysis.

The companies are ordered from worst to best-performing in terms of data privacy.

* Aiways and GWM don’t claim to collect as much data as their rivals however there are significant gaps in their policies in this area.

** Volvo’s privacy labels were inaccurate for iOS app but accurate for the Android version.

The following table indicates the professionalism of each EV manufacturer’s privacy policy, the level of detail the policies contain and whether the policy documents are easy to access.

Companies are listed in alphabetical order. An orange tick indicates that while there were some issues with that aspect of the policy, it did not completely fail to meet expectations.

A dash “-” indicates that no policy info was available.

The only EV firm without a relevant privacy policy at all was Polestar, whose app store links pointed to a generic policy that only covered visitors to its website and made no mention of data collection by its app or in-vehicle systems, beyond a promise that such a policy was “coming soon”.

Screenshot from Polestar privacy policy.

The app store listings for the GWM mobile apps direct users to a blank page, however it was possible to navigate to a list of older versions of the privacy policy. The most recent was dated February 2022, which we used for the purposes of this research.

Three companies – Aiways, BYD and GWM – have privacy policies published in completely substandard fashion.

BYD directs its app users to a policy hosted at https://dilinkappoversea-eu.byd.auto:8666/#/text/fileNotice?agreementType=2&softType=0, which could lead users to doubt its veracity given that the URL looks like it could be a malicious address. This contrasts with the more straightfoward URLs making up the majority of BYD’s web properties and that are widely accepted to be better for users as they are less likely to break. BYD’s privacy policy is also poorly translated and sloppily formatted with mismatched text and colours.

Screenshot of one example of the haphazard presentation found throughout the BYD privacy policy.

Similar issues affected the GWM and Aiways privacy policies. While the HiPhi privacy policy was on a user-unfriendly URL, it was otherwise presented professionally.

There was insufficient detail in three privacy policies. Aiways in particular had some glaring omissions compared to other companies, such as failing to disclose what vehicle data was collected and not providing specifics around data sharing. GWM‘s policy had similar deficiencies.

Aiways also failed to disclose whether the company transferred user data internationally, a critical privacy policy point for such a firm.

The Zeekr privacy policy was comprehensive but failed to provide clickable links to named sub-policies. While the Volvo policy was detailed, it couldn’t be described as comprehensive as it failed to disclose whether data was transferred to China or whether user data was ever deleted.

Inadequate privacy policies mean consumers have no way of knowing what data is collected, how it is stored and who it’s shared with.

The following table catalogues the personal datapoints collected by each auto maker. This data collection is categorised under the headings of personal information, vehicle information, vehicle status and device information. Click the button at the top right of the table to expand it to fullscreen view to see all companies’ data collection.

The number of datapoints collected by the companies ranges from 10 (Aiways) to 66 (Zeekr).

This should not be taken as an endorsement for Aiways‘ data privacy practices, however, as this low number is primarily a result of the company failing to disclose what data it collects from the in-vehicle systems. Screenshots from its iOS app suggest that the company does actually collect such data.

Screenshot of Aiways iOS mobile app showing remote vehicle control options.

GWM and Polestar also fail to disclose what data they collect from in-vehicle systems.

Conversely, while it’s certainly alarming that Zeekr, MG, HiPhi and Xpeng all collect more than 50 individual datapoints about their users, their vehicles and their devices, at least they are transparent about doing so. Potential customers who care about their data privacy can therefore make more informed decisions.

Zeekr collects intrusive amounts of data about its customers’ vehicles, notably:

• Vehicle usage behavior data
• Vehicle sensors data
• Vehicle insurance and accident information
• Maintenance/repair/rescue records
• Vehicle historical driving record
• Mileage

MG, Zeekr, Volvo, Nio, HiPhi and Xpeng all track the location of their vehicles.

It’s unclear whether Polestar, GWM and Aiways track vehicle location as they fail to specify any collection of in-vehicle system data whatsoever. BYD, on the other hand, does not appear to track vehicle location.

MG, Zeekr, Volvo and Nio also collect driving route information. All such vehicle location data is very sensitive and can be highly revealing about an individual’s relationships, health and interests.

HiPhi, Nio and Xpeng even collect data about how fast you are driving, which could have potential legal ramifications for anyone exceeding the speed limit.

In terms of device data, all the mobile apps we investigated harvest precise location data (we assumed Polestar to collect this based on its Android app permissions due to the absence of a privacy policy).

The BYD mobile app was the only one to credibly claim to not collect users’ IP addresses. Aiways makes no reference to IP addresses in its privacy policy, however detail was again suspiciously lacking in this area.

HiPhi, MG and Zeekr all collect users’ browsing history from their apps and in-vehicle systems. GWM and Nio harvest the contents of messages sent via their apps or in-vehicle systems.

The BYD, HiPhi and Zeekr mobile apps collect a device’s IMEI number, the unique number identifying every device on a mobile network. It’s likely that other apps also collect this identifier, as all the auto makers except MG stated they collected Device IDs but were not more specific than that.

HiPhi collected the most personal information about its customers, including gender, height, weight, profession, hobbies and driver’s license.

Zeekr, Nio and Xpeng also explicitly state that they collect driver’s license details. While it’s to be expected that buying a vehicle requires valid ID, there’s heightened risk about that data being potentially accessible to the Chinese state.

The following table summarizes the data storage, deletion, and international transfer policies of the EV firms in this report. It also highlights notable third-parties with whom the companies share their users’ data and any relevant policies relating to advertising.

A dash “-” indicates that no policy info was available. Click the button at the top right of the table to expand it to fullscreen view to see all the data.

All the EV firms we investigated have subsidiaries based in Europe. BYD and Xpeng for example are incorporated in the Netherlands, and GWM in Germany. Others like Volvo and MG may be familiar Western brand names with long histories in the countries where they were originally founded. However all the firms in this report are ultimately owned by companies with headquarters in mainland China, subject to local laws that require them to hand over their data should the government demand it.^[6]

It’s almost certain that all these companies routinely share data with their parent companies, however only five were transparent about this. GWM and Xpeng disclose that they transfer data outside the European Economic Area but provide no more detail than that. Aiways, Volvo and Polestar all failed to specify their policy in this area.

Volvo, Aiways and MG had the most consumer-friendly policies around data storage and deletion. BYD, GWM, Nio, Xpeng and HiPhi had open-ended approaches to storage while Polestar did not offer a policy.

BYD, GWM, HiPhi and Zeekr‘s data deletion policies were ambiguous in that they promised only to “delete or anonymize” personal information. However this was better than Polestar, with no policy at all, and Nio, which failed to specify what happens to data once it’s no longer necessary to retain it.

The worst offenders for sharing data with third parties were HiPhi, whose mobile app contains 20 third-party software libraries developed by Chinese companies that each collect user data, and Nio. The latter shares user data with social media advertising agencies in order to allow them to target ads on Facebook and X (formerly Twitter).

BYD, Nio and Xpeng share user data with law enforcement, which should alarm Nio customers in particular given that the company logs route, speed and location data.

BYD and Zeekr share user data with other Chinese tech companies and while they appear benign, this is difficult to vet by Western customers.

Zeekr, Volvo, Nio and HiPhi all have policies that suggest they allow targeted advertising based on their users’ data. MG allows for advertising, however it wasn’t clear whether this is for targeted ads based on user data.

GDPR compliance

As to be expected from companies with a legal presence in Europe, overall there was substantial GDPR compliance across the board. The only exception was Polestar due to the lack of an appropriate and accessible privacy policy at the time of publication.

There were some recurring issues, however, where a lack of clarity or detail meant that it was impossible to determine whether the majority of EV companies in this report were fully GDPR compliant.

Only MG and Volvo had sufficiently detailed policies to avoid any uncertainty about full GDPR compliance.

The uncertainty surrounding the remaining EV makers could be found in three key areas of their policies.

Data retention periods: while most companies at least pay lip service to the GDPR principle of not retaining data longer than necessary, they would be more compliant if they provided specific retention periods for different types of data or a mechanism for users to inquire about these periods.

Automated decision-making: aside from MG and Volvo, no EV firm explicitly addressed whether or not they make use of automated processing. Companies are required by GDPR to clearly disclose this practice should it take place. In an EV, this could conceivably relate to the use of biometrics to authorize the vehicle for example.

Obligations to provide data: GDPR emphasizes the principle of data minimization and informed consent. For more unambiguous compliance, the EV makers should more clearly differentiate between mandatory and optional data provisions, ensuring users are aware of their choices and the implications of not providing certain data.

The following table shows how the privacy labels on the app store listing for each EV mobile app differ from its actual privacy policy.

Note: Zeekr and HiPhi don’t yet have Android apps on the Google Play app store, offering direct downloads instead.

Overall, the privacy labels on the EV brands’ mobile app store listings were disappointingly inaccurate, sometimes significantly so.

MG and Zeekr were the only EV brands to not have misleading labels on any listing. While the privacy labels on Volvo‘s Google Play listing were accurate, the company’s Apple App Store listing contradicted its privacy policy.

GWM and Nio were the most egregious offenders here as they each had a store listing that falsely claimed to collect no data at all, GWM on Google Play and Nio on the App Store. GWM‘s App Store listing was also inaccurate, as it failed to indicate that its mobile app collected a user’s name and phone number, along with the contents of email and text messages. Nio‘s Play Store listing was also missing labels disclosing collection of Device IDs and messages.

Alarmingly, Xpeng, Aiways, BYD and HiPh each had app store listings with privacy labels omitting that they collected location data.

As well as failing to disclose its location data collection on both app stores, Xpeng also falsely claimed to share no data on its Google Play listing.

The following table shows the number of potentially risky Android permissions present in each manufacturer’s Android app. A permission was deemed risky if it was on Android’s dangerous permissions list or if it had implications for privacy.

For a full list of risky permissions download the public datasheet

Zeekr‘s Android app requests 34 potentially risky permissions, significantly more than any other app. This included ACCESS_BACKGROUND_LOCATION which allows for continuous tracking of a user’s location even when the app is not in use. The HiPhi, Nio and Polestar apps also request this permission.

The Zeekr and HiPhi apps also request ACCESS_LOCATION_EXTRA_COMMANDS, a less-commonly used permission that provides additional control or commands to location providers (like GPS). This potentially allows the apps to track users more precisely.

The Zeekr app also requests the QUERY_ALL_PACKAGES permission, which allows an app to see all apps installed on the user’s device. Apps with this permission can see all the other apps a user has installed, which can reveal personal preferences, habits, or even sensitive information about the user.

This permission allows a developer to build detailed profiles on users, understanding their interests, profession, hobbies, and more.

The Zeekr app was also one of four apps, along with Nio, GWM and Xpeng, that requested the READ_MEDIA_AUDIO, READ_MEDIA_IMAGES, READ_MEDIA_VIDEO permissions that allow the app to read all of a user’s media files.

The MG and Volvo apps both request the DOWNLOAD_WITHOUT_NOTIFICATION permission which allows for silent downloads, which comes with the potential security risk of malware downloads.

The HiPhi app requests the DISABLE_KEYGUARDpermission, which allows it to bypass the device’s lockscreen and expose sensitive information.

Six apps – Xpeng, Nio, Volvo, Polestar, GWM, Aiways and BYD – request the RECEIVE_BOOT_COMPLETED permission. This permission allows an app to be alerted once the device has completed its booting process. This poses a potential privacy risk because an app can then start itself or schedule tasks to run right after the device starts up. Apps that start automatically can begin collecting data or monitoring user behavior immediately after the device starts, even if the user hasn’t actively launched the app.

The GWM app requests the RECEIVE_USER_PRESENT permission, which allows an app to be alerted when a user is actively using the device. This can be used to infer user behavior or patterns, which poses a risk to user privacy.

The following table provides relevant corporate information about the EV manufacturers included in this study. It indicates whether they are privately-held, publicly-traded or state-owned, along with highlighting any links the firms may have with the state and any notable investors that may allow for government influence.

It’s clear that any MG customers’ personal data transferred to its state-owned parent company SAIC Motor would be easily accessible to the local authorities.

Other firms’ government links may not be quite as clear-cut as SAIC Motor’s but they remain significant enough to raise concerns around state access to sensitive international customer data.

HiPhi is a privately-held company, however there are reasons to question whether its relationship with the government.

HiPhi owner Ding Lei has been CEO or Vice President of several SOEs, including Shanghai General Motors and SAIC Motor.

Ding has also acted Party Secretary for several organizations and served as Deputy Mayor of Shanghai Pudong Municipality.^[7]

The state-controlled Bank of Communications is the sole investor in HiPhi, pumping $783 million into the company in 2021.^[8]

Xpeng also has a number of potential ties to the government. Founders Xia Heng and He Tao were executives at GAC Motor, a state-owned enterprise, prior to starting Xpeng. A major backer of the company is Alibaba, which has ties to the state due to mandatory “golden shares” held by the government.^[9] There have been several senior leaders from Alibaba in key positions at Xpeng, including chairman and CEO He Xiaopeng who previously headed key parts of the Alibaba empire before co-founding the EV firm.^[10] Alibaba Chairman Joseph Tsai was on the Xpeng board until 2019, when he was replaced by another Alibaba executive.^[11]

One early Xpeng investor was Xiaomi founder Lei Jun, who is also a deputy to the National People’s Congress.^[12]

Xpeng has also received significant state investment. The city government in Guangzhou, where Xpeng is headquartered and has a factory, pumped in $600 million while in Guangdong, the location of another Xpeng facility, the city injected $76 million.^[13][14]

Billionaire Li Shufu owns Geely, the massive privately-held multinational whose large stable of brands not only includes Volvo Cars, Polestar and Zeekr but also other household names such as Lotus.

Li was a member of major political advisory body the Chinese People’s Political Consultative Conference (CPPCC) and in March 2023 also a delegate to the Chinese parliament.^[4] At the very least, Li can be said to orbit in the same spheres as senior Chinese government officials.

On the verge of bankruptcy in 2020, Nio was saved by an injection of $787 million by the municipal government of Hefei, a city in eastern China, in return for 17% of the company. Following the investment, Nio moved key executives to the city and began producing more vehicles there.^[15]

The Hefei government may have since cashed out most of its shares but the relationship appears to remain strong between Nio and the municipality, thanks to a string of deals for factories, industrial parks and so-called Nio Houses that provide services to Nio customers.^[16]

Additionally, state-owned China Construction Bank led a consortium of banks in extending $1.6 billion in credit to Nio.^[17]

Publicly-traded Aiways was part owner of automotive joint venture Jiangling Holdings with Jiangling Motors Corporation and Changan Automobile (both SOEs) for two years until 2021.^[18]

Aiways has also received investment from tech giant Tencent (1.2 billion yuan) and the state-backed Mingchi fund (1 billion yuan).^[19][20] As with Alibaba, the Chinese government has special “golden shares” in Tencent.