By Mark Schaub, Atticus Zhao, Mark Fu

On 12 May 2021, the Cyberspace Administration of China (the “CAC”) issued the Provisions on Management of Automotive Data Security (Draft) (the “Draft“) for public comment.

The Draft is the first time a Chinese ministerial department has issued data security management rules for the automotive industry. The Draft is a regulatory response to growing concerns regarding data security as smart cars continue to evolve. As smart cars are still continuing to rapidly develop the Draft addresses both present and future issues.

The purpose of this article is to briefly analyse the key provisions of the Draft and their relevance to the various market players.

1. Scope of Application

The Draft applies to the collection, analysis, storage, check and cross-border transmission of personal information or important data that occurs during the course of designing, manufacturing, selling, operating, maintaining and managing automobiles within the PRC.

The Draft borrows a concept of network operators that is similar to that set out under the China Cybersecurity Law. The Draft broadly defines “operators” within the automotive industry as encompassing almost all entities that comprise the upstream and downstream of the auto industry. This includes automobile manufacturers, component suppliers, software providers, dealers, maintenance agencies, ride-hailing companies, insurance companies etc.

As the Draft’s definition of “operators” is not exhaustive it is possible that in addition to the entities listed above there is a possibility that the scope may be further expanded in the future. In short the Draft foresees a very broad scope of application.

2. Definition of personal information

A concept of “personal information” is outlined in the Civil Code of the PRC (the “Civil Code“), the China Cybersecurity Law, and the Law of the PRC on the Protection of Personal Information (Second Deliberation Draft) (the “Second Deliberation Draft of Personal Information Protection”).

It is important to note that the China Cybersecurity Law and Civil Code have a similar definition for personal information, namely information which can be used to identify a natural person, either on its own or in combination with other information. The Second Deliberation Draft of Personal Information Protection defines personal information as all kinds of information relating to an identified or identifiable natural person.

The Draft uses this concept of “personal information”, but goes further by defining personal information in respect of automobile data as “including personal information of vehicle owners, drivers, passengers, pedestrians, etc., as well as all kinds of information from which personal identity can be inferred and personal behavior can be described”.

The Draft has a wide application to all relevant human interacting with the automobile. In addition, the Draft adopts a bottom-up approach so as to include information from which “personal identity can be inferred and personal behavior can be described” into the scope of the personal information regulated by the Draft. [1]

3. Scope of Important Data

The term “important data” is mentioned in the China Cybersecurity Law, the Measures on Security Assessments for the Export of Personal Information and Important data (Draft for Comment) (the “2017 Measures for Assessment”), and the 2019 Measures for Data Security Management (Draft for Comment).

Despite being included in several pieces of legislation the term has not been explicitly defined.

Appendix A of the 2017 recommended national standard, Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Comment), provides a general description for the scope of important data in key industries.

The Second Deliberation Draft of the Data Security Law of the PRC (the “Second Deliberation Draft of the Data Security Law“) stipulates that all regions and departments shall, in accordance with the data classification and classification protection system, make a catalogue of important data for their own regions and departments as well as for relevant sectors of the economy.

The Draft builds on the provisions of the Second Deliberation Draft of the Data Security Law and fleshes out a definition for important data in the automotive industry as including:

  • Data on the flow of people and traffic in important and sensitive areas such as military districts, units involving state secrets such as science, technology and industry for national defence, party and government organs at or above the county level;
  • Surveying and mapping data with a level of precision that is higher than maps publicly disseminated by the State;
  • Data on the operation of vehicle charging networks;
  • Data on vehicle types and vehicle flows on roads;
  • Audio and video data outside the vehicle containing facial images, voices, license plates, etc.; and
  • Other data that may affect national security and public interest as specified by the CAC and relevant departments of the State Council.

The Draft marks the first time that the scope of important data for the automotive industry is defined.

This broad scope of important data means that the Draft will have a major impact upon the whole automotive industry.

When used automated driving technology inevitably collects personal information and road environment information. This will include in-car audio and video information as well as information on personal driving habits.

Similarly, operational data from vehicle charging networks can be traced back to new energy vehicles, charging stations and other clean energy companies as well as upstream and downstream intelligent and connected devices.

In addition, “surveying and mapping data” and “vehicle flow” data will be handled by navigation and electronic map service providers. Automated driving technology requires precision maps which will have a significantly higher level of precision than publicly used ordinary maps or electronic maps currently available. As such, surveying and mapping data of all maps used in automated driving will highly likely fall within the scope of important data.

The Draft will subject all companies interacting and processing important data to far higher compliance requirements as well as hampering the flow of relevant data.

4. Data Processing: the principles of “default non-collection’ and “in-car processing”

The Draft enumerates five “advocative” principles for the processing of personal information and important data.

These principles are:

  • default setting is non-collection of data;
  • in-car processing (i.e. information should be primarily related to the environment within the car and not outside);
  • data anonymisation;
  • minimum retention period; and
  • applicable scope of precision.

The Draft advocates operators comply with the principle of default non-collection of user data, i.e. the default setting must be non-collection for each drive, and the driver’s consent authorisation will only be valid for a specific drive. This provision reflects the principle of “minimum necessity” when collecting personal information. However, in practice there will often be cases where the driver will only leave the driver’s seat briefly. As such, the feasibility of the provision in the Draft of “the driver’s consent shall be obtained each time and the authorisation shall automatically expire at the end of the drive (when the driver leaves the driver’s seat)”, may require further deliberation.

The Draft proposes the principles of “in-car processing” and “data anonymisation”, i.e. companies should not provide information outside the vehicle unless necessary. If outside information is necessary, then such information must be anonymised and desensitised to the greatest possible extent.

In April 2021, the National Information Security Standardization Technical Committee released the Information Security Technology – Requirements for Data Collection by Intelligent and Connected Vehicles (Draft) (the “NISSTC Data Collection Security Requirements Draft”), which stipulates that “connected vehicles shall not transmit data such as audio, video and image data collected or processed in the compartment of the vehicle to outside the vehicle through the network or physical interface”.

The NISSTC Data Collection Security Requirements Draft did not explicitly limit the storage of data related to the location and trajectory of the vehicle collected by a connected vehicle inside the vehicle. Rather, it stipulates that the storage in the in-car storage device or telematics platform cannot exceed 7 days.

In our opinion, the definition of “in-car” requires further clarification. In practice, many companies store car data on telematics platforms or in the cloud for processing. If the definition of “in-car” in the Draft only relates to in-car storage devices and not their connected telematics platforms then this will have a material impact on the current business model of many companies. Arguably there is a conflict in the underlying logic between in-car processing principles and the cooperative vehicle technology which is currently being advocated by the Chinese government.

The NISSTC Data Collection Security Requirements Draft stipulates that “without the separate consent of the person from whom it is collected, a connected vehicle shall not transmit data containing personal information outside the vehicle through the internet or physical interface. The exception is video and image data that is converted to less than 1.2 megapixels and has been erased of personally identifiable information such as faces and license plates”. This provision provides an exception for the transmission of data outside the vehicle. By way of contrast the Draft does not provide a similar exception.

It is also noteworthy, that the principle of “applicable scope of precision” requires operators to determine the coverage and resolution of cameras, radars, etc. based on the data accuracy requirements of functional services provided. This requirement may have an impact on future standards for the configuration of smart car sensors. This means sensors with a higher resolution or functional coverage than the functional services provided may be considered by the regulator to fall outside of the “applicable scope of precision” principle.

As the aforementioned 5 principles are “advocative” the legal consequences for a failure by companies to observe are unclear at present. The Chinese authorities will likely legislate more explicitly as the technology develops.

5. Data Collection: regulations that highlight the features of the auto industry

The Draft provides guidance as to how user authorisation for data collection is to be obtained in the automotive sector, such as operators informing users and obtaining appropriate authorisation through the user manual, in-car display panel or other appropriate means in processing information.

As with general personal information, collection of other type of data (including vehicle location, biometrics, driving habits, audio and video, etc.) should be informed to the user at the time of collection. Further, the user should be informed as to the trigger for collecting each type of data; how to stop collection; purpose and use of each type of data collected; location and duration of data retention, rules determining the location and duration of retention; and the method of deleting in-car personal information and requesting deletion of personal information that has already been provided outside the vehicle.

In addition, the Draft specifically lists sensitive personal information for the automotive industry, including vehicle location, driver or passenger audio and video, and data that can be used to determine driving violations, and sets higher requirements for the collection and provision of sensitive personal information outside the vehicle. With respect to the purpose of collection, sensitive personal information may only be collected for the purpose of directly serving the driver or occupant of the vehicle. Each collection and provision of sensitive personal information to the public requires the consent of the driver, and such authorisation will automatically expire at the end of the drive (i.e. when the driver leaves the driver’s seat).

In addition, if a driver requests deletion of sensitive personal data, the operator should do so within 2 weeks. As mentioned earlier, the NISSTC Data Collection Security Requirements Draft stipulates that data related to vehicle location and trajectory collected by a connected vehicle shall not be stored in the in-car storage device or telematics platform for more than 7 days.

In respect of sensitive personal information, the Draft also requires operators to “allow vehicle owners to easily view and structurally access sensitive personal information collected”. This is a response to a current concern as to how owners can gain access to their collected sensitive personal information.

Due to its nature the automotive industry will struggle to obtain consent of individuals outside the vehicle. However, such collection of audio and video information via cameras is necessary for ADAS or automated driving functions. The Draft takes this difficulty into account by providing that in cases where it is difficult to obtain consent from individuals then anonymisation or desensitisation of the collected information is sufficient. In particular, images that could identify a natural person should be deleted or faces blurred. This is also the usual method used by automotive companies in practice and appears to be tolerated by the authorities.

The Draft also sets out conditions for the collection of biometric sensitive data from drivers, namely “biometric data such as fingerprints, voice prints, faces and heart rhythms may only be collected for the convenience of the user and to increase the security of the vehicle’s electronic and information systems, and alternative means of biometric data should be provided at the same time”.  This means that the collection of biometric data must not be the only method, and that users must also be offered the option of an alternative non-biometric data solution.

6. Important data processing reporting requirements

The Draft specifies the requirement for operators to report to competent authorities in advance when handling important data, i.e. operators handling important data should report in advance to the provincial cyberspace administration and relevant departments on the type, size, scope, place and time limit of storage, the manner of use, and whether the data will be provided to third parties.

This provision of the Draft is more stringent than the Second Deliberation Draft of the Data Security Law. Article 29 of Second Deliberation Draft of the Data Security Law provides that “processors of important data shall conduct risk assessments of their data processing activities on a regular basis in accordance with the provisions and submit risk assessment reports to the relevant competent authorities. The risk assessment report shall include the type and quantity of important data processed, the state of data processing activities, the data security risks and the measures to address them, etc.”

7. Data localization and cross-border transmission requirements

China Cybersecurity Law explicitly requires that operators of critical information infrastructures store personal information and important data collected and generated in their operations within the PRC.

On 7 April 2021, the Ministry of Industry and Information Technology promulgated the Guide for the Administration of Access of Intelligent and Connected Vehicle Manufacturers and Products (for Trial Implementation) (the “Draft MIIT Access Guide”), which clearly requires self-driving car manufacturers to localize storage of personal information and important data collected and generated within the PRC territory. If it is necessary to export personal information and important data outside of China due to a business need then the manufacturers should report this to the competent industry authorities.

The Draft is largely consistent with the principles of in-country storage as outlined in the Draft MIIT Access Guide, while clarifying that CAC will conduct data cross-border transmission security assessments. In addition, data cross-border transmission also requires appropriate authorisation from users, and the cross-border transmission data must strictly fall within the scope of authorisation. Operators shall bear corresponding liability for any damage to users’ legitimate rights and interests or public interests caused by data cross-border transmission. As such, given the legislation trend is largely clear on in-country storage requirements, it is recommended that automotive data collected by companies in China be stored locally to the greatest possible extent.

In addition, the Draft imposes clear restrictions on data sharing and commercial use. It is required that where scientific research and commercial partners need to inquire and use personal information and important data stored within the PRC, operators should take effective measures to ensure data security and prevent loss of data. Meanwhile, operators should strictly limit the use of important data as well as vehicle location, biometric characteristics, driver or passenger audio and video, and data that can be used to determine driving violations.

It should be noted that the Draft sets higher compliance requirements for cross-border data use in the automotive industry. In particular, access to and use of important data and sensitive data, whether for scientific research or commercial purposes, should be “strictly limited” – it is clear that even if not strictly prohibited, the subsequent commercial use of important data and sensitive data by the automotive industry will be heavily restricted in practice.

8. Data Security Management: “annual reporting system”

The Draft sets out a requirement for “annual reporting” in respect of personal information and important data processing. According to the Draft, operators that process personal information exceeding 100,000 personal information subjects or which processes important data shall report annually to the provincial cyberspace administration and relevant departments on data security management. The operators must report on: the person in charge of data security; the type, scale, purpose and necessity of data process; data security protection measures and the location and duration of storage. Those involving cross-border data transmission are additionally required to report the type, quantity and purpose of exported data, as well as the location, scope and manner of use of storage outside the country.

Moreover, in case of data transferred outside the country, the annual report will require, in addition to the aforementioned information, the name and contact details of the recipient; the type, quantity and purpose of the transferred data; the location, scope and manner of use of the data outside the country; and user complaints involving the provision of data outside the country and how they are handled.

9. Conclusion

China has continuously strengthened legislation and regulation on cybersecurity, data security and protection of personal information protection.

Automated driving and smart cars will be a major challenge to the Chinese regulators. Smart cars will be collecting, processing and transferring data at previously undreamt of levels. The authorities will need to balance the convenience of automated technology against cybersecurity and privacy concerns. China is accelerating its pace of promulgating laws, regulations, policies and standards to nurture the intelligent vehicle industry but at the same time have in place regulations to ensure such technologies are safe.

The Draft strengthens the protection of personal information and secures data in China’s automotive industry.

However, we believe that some provisions of the Draft require clarification and there is also room for improvement as to how the Draft fits in with other laws. Big data is an important basis for the rapid development of self-driving cars and China’s automotive industry but a balance must be struck between technological innovation and data security. [2]

The Draft will affect almost all players engaged in the automotive industry. Companies that will be affected should keep a close eye on the legislative process of the Draft and start making preparations now to minimize disruption to their operations. In particular:

  • Consider data security issues in the process of designing, producing, selling, operating, maintaining and managing cars, and reduce the amount of data collected and stored in car to the greatest possible extent.
  • While using big data for commercial operations, safeguard the users’ right to know and implement technical safeguards to desensitize and anonymise data, as well as preventing misuse or unauthorized third-party access.
  • Multinational companies or Chinese companies with R&D centres outside China should consider implementing localized storage as soon as possible by establishing data centres within China and enhancing local R&D capabilities in China.
  • Finally, companies would be well advised to conduct a systematic review and assessment of the current state of their data handling. Business operations that clearly do not comply with the requirements of the Draft should be adjusted in a timely manner. The companies should also consider formulating internal mechanisms and systems that comply with the Draft as soon as possible. Although the Draft has not come into force it is a clear indication of the Chinese authorities’ intent and clear direction as to where the policy is going.

[1] Reference in respect of definition of personal information can be made to Comments on China Draft Personal Information Protection Law by Susan Ning, Wu Han and Jiang Ke.