The Spy Car Question: Why Every EV Is a Telematics Device — and Who Gets the Data

On 21 April 2026, as trade ministers in Ottawa reviewed a tariff framework that could admit 49,000 Chinese-built electric vehicles annually, a former Canadian diplomat published a stark warning. "Chinese EVs are true spy machines on wheels," wrote Charles Burton, who served in Beijing during the Hu Jintao era. "Their cameras, sensors, and integrated GPS systems can easily conceal sophisticated spyware and malware." The vehicles in question — largely BYD and Geely models — represent a fraction of the global EV market. But the volume, argued Burton, transforms a marginal security concern into a systemic one.

That framing has momentum. Conservative MP Raquel Dancho has tied BYD's reported European factory conditions into a national-security narrative, arguing that Ottawa's openness to Chinese EVs constitutes a failure of sovereign risk management rather than a routine trade-policy calculation. In Washington, analyst Isaac Stone Fish has framed the same issue through a war-scenario lens: Chinese EVs "soak up personal and geospatial data across the United States," he wrote on 19 April 2026, and "if tensions worsen into war, they would be a potent national security threat." The concern is real, specific, and backed by technical detail. It also, remarkably, applies to almost every connected vehicle on the road.

The telematics architecture that makes an EV a "spy machine" is not proprietary to Chinese manufacturers. It is the architecture of the modern connected car — and it is universal.

The Security Case, Made Properly

Burton's argument deserves to be stated in its strongest form before it is contextualised. A 2026 BYD Seal or Geely EX5 is not merely a vehicle. It carries forward-facing cameras, rear sensors, cabin microphones, cellular modems, and GPS receivers that together constitute a continuous data-collection apparatus. That apparatus transmits vehicle telemetry — location, speed, braking patterns, cabin audio when voice commands are activated — to the manufacturer's servers. Under the PRC Cybersecurity Law (2017) and Data Security Law (2021), Chinese authorities have broader legal grounds to access domestically stored data than their counterparts in liberal democracies. For a vehicle operating in Canada or the United States, this creates a theoretical access pathway: data collected on North American roads flows to Chinese servers, where it sits within a jurisdiction whose state-access provisions are more permissive than Western counterparts.

Stone Fish's war-scenario framing extends this logic. If China and the West entered active hostilities, the telematics data from a fleet of Chinese EVs operating in North America would constitute a precise real-time intelligence layer — vehicle locations, driver routines, facility access patterns. That is not speculation; it is the logical extrapolation of an architecture that already exists. MP Dancho's contribution adds the forced-labour dimension: supply-chain conditions at BYD's European operations, documented in media reports she has amplified, reinforce the case that engagement with Chinese industrial policy carries values costs alongside economic benefits.

These are not fringe concerns. They are held by a former diplomat with direct China experience, a sitting opposition MP, and analysts who study Chinese industrial policy professionally. The case for treating Chinese EV telematics as a genuine security question is coherent and evidenced.

It is also, crucially, a case that applies to the entire category.

Every Connected Car Phones Home

Ford Motor Company's privacy notice for its SYNC 4 and FordPass platforms, updated to reflect 2026 data practices, discloses continuous telemetry collection: GPS coordinates, driving behaviour, braking force, cabin microphone input when voice commands are invoked, and cellular-modem diagnostics. This data flows to Ford's US servers. US law enforcement can request access through standard legal channels — the same channels available to authorities in any jurisdiction where Ford operates. Third-party sharing agreements with insurance partners and roadside-assistance vendors extend the data surface beyond Ford's direct control.

Tesla's privacy disclosures are more extensive, partly by virtue of its sensor density. The company collects continuous vehicle sensor data, camera footage (including cabin-facing cameras on later Model 3 and Model Y builds), and driver behavioural data. A 2023 Reuters investigation surfaced that internal Tesla employees had circulated sensitive cabin footage among themselves — an internal governance failure Tesla said had been addressed. The Model 3 is manufactured in Shanghai for substantial shares of the European and Asia-Pacific markets. Even when those vehicles are destined for Western customers, their telemetry crosses Chinese jurisdiction during manufacturing burn-in processes that involve server connectivity and software initialisation.

BMW's ConnectedDrive platform stores telematics data in European data centres under GDPR supervision — a meaningfully higher regulatory bar than applies in the US. German and EU law-enforcement access to that data proceeds through the European Production Order framework, which requires judicial authorisation and proportionality assessments. Geolocation histories are accessible to BMW personnel under audit controls. The architecture is functionally equivalent to what Chinese OEMs' Western-market telematics proposals would deploy under the forthcoming EU Data Act: supervised data residency within the user's legal jurisdiction.

Volvo, now majority-owned by Chinese conglomerate Geely, routes its connected-vehicle data to Gothenburg — the same city, and by extension the same legal jurisdiction, that houses the parent company's European operations. The data flows to a jurisdiction that is, under the relevant statutes, as accessible to Chinese state authorities as EU data protections permit — which is considerably less accessible than PRC law permits within China itself, but meaningfully more accessible than Chinese critics of Geely-owned Volvo would prefer.

The pattern is categorical: every connected vehicle sold by every major manufacturer ships the same class of data to its OEM's jurisdiction of registration. The question is not whether this happens. It demonstrably happens. The question is which jurisdiction receives it, and under what legal conditions that jurisdiction permits state access.

Three Regimes, Three Access Standards

The PRC Cybersecurity Law and Data Security Law together establish that "critical information infrastructure operators" — a category that includes large data processors and, by regulatory extension, major manufacturers — must store Chinese-user data within PRC territory and must undergo security review before any cross-border data transfer. For Chinese OEMs exporting vehicles to the EU or Canada, this creates a dual-residency architecture: Chinese-user data in China, EU-user data in EU, Canadian-user data in Canada under PIPEDA. The export vehicles themselves are, under this framework, treated as Canadian or European data processors, not Chinese ones.

This is where the asymmetry becomes precise rather than rhetorical. Under PRC law, state access to domestically stored data requires no individual judicial warrant in the same fashion as Western legal systems require. Chinese authorities can compel data production from domestic operators under broader national-security and public-security provisions. The access threshold is lower, the review process less transparent, and the effective appeal mechanisms weaker. This is not contested in the academic literature on Chinese cyberlaw; it is the operative feature of the regime.

The EU's GDPR sets a higher bar. Article 48 of the GDPR prohibits transfers of personal data to third countries except where the EU has issued an adequacy decision or where specific transfer mechanisms — standard contractual clauses, binding corporate rules — are in place. German law enforcement access to BMW's data proceeds through the European Production Order, which requires judicial oversight within Germany and proportionality assessment against the specific investigative need. The EU Data Act, expected to fully enter force by late 2026, will further codify connected-vehicle data sharing obligations, creating a third layer of consumer rights and processor obligations.

The United States sits in between — not geographically, but regulatorily. There is no federal data-privacy statute of general application. The California Consumer Privacy Act and Illinois Biometric Information Privacy Act set materially higher bars for data collection and law-enforcement access than federal baseline. Ford's telemetry flows to Michigan, where the applicable standard is the lesser of federal constitutional minima and any state-specific statute. A BYD vehicle in California is subject to CCPA; the same BYD vehicle in Alabama, which has no comprehensive privacy statute, is subject primarily to federal constitutional constraints. The regulatory patchwork means that the data-security floor for connected vehicles in the United States is set by the least protective jurisdiction that applies.

This is the structural comparison that the "spy car" debate obscures. The concern about Chinese EV telematics is legitimate. But the mechanism of that concern — data flowing to a jurisdiction with permissive state-access law — is not unique to Chinese OEMs. It is the category-wide architecture of the connected vehicle. The differential is the jurisdiction: Beijing's access provisions versus Berlin's versus the patchwork of US state laws.

What Policymakers Must Actually Decide

Canada's tariff review, currently before trade officials, confronts a choice that is genuinely complex. Opening the market to 49,000 Chinese EVs annually delivers lower vehicle costs to Canadian consumers and accelerates fleet electrification. It also introduces vehicles whose telemetry flows to a jurisdiction whose state-access laws are less constrained than Canada's own — or than the EU's. The MP Dancho framing frames this as a national-security failure; the trade-economics framing frames it as a market-access decision. Both framings are partial.

The stronger framing is structural: the regulatory asymmetry between China's data-access regime and those of Western democracies is real, and it creates asymmetric risk when Chinese-manufactured connected devices operate at scale in Western markets. That asymmetry justifies a higher standard for data-residency requirements — forcing Chinese OEMs, like all OEMs, to store Western-user data within Western jurisdictions under Western access law. It also justifies requiring that any connected vehicle sold in Canada, regardless of manufacturer origin, meet minimum data-residency and access-transparency standards.

The EU's Data Act points in this direction. The US state-by-state patchwork does not. The absence of a Canadian federal connected-vehicle data statute leaves Ottawa negotiating tariff rates while the underlying data-governance question remains unlegislated.

Burton's warning and Stone Fish's war-scenario analysis deserve to be taken seriously. They also deserve to be understood as the opening of a policy conversation rather than its conclusion. Every connected vehicle is, in the relevant technical sense, a telematics device. The question is not whether to restrict Chinese EVs specifically. The question is whether to regulate the category — all of it — to the standard the security community rightly demands.

The alternative — targeting Chinese OEMs while Ford, Tesla, and BMW operate the same architecture under looser or equally ambiguous legal conditions — is not a security policy. It is a trade posture dressed as one.

— Monexus Staff Writer

Wire provenance

This editorial synthesis draws on the following public wire/social posts:

• https://x.com/PilonEric2/status/2046562352162631761
• https://x.com/RaquelDancho/status/2041932248564260893
• https://x.com/isaacstonefish/status/2046574296332460293
• https://x.com/M_Johnston1/status/2020856437061103798
• https://www.ford.com/help/privacy/
• https://www.tesla.com/legal/privacy
• https://www.bmw.com/en/footer/metanavigation/privacy-policy.html
• https://en.wikipedia.org/wiki/Cybersecurity_Law_of_the_People%27s_Republic_of_China