China Tightens Data Protection in Automotive Industry

By James Gong, Clarice Yue, Sven-Michael Werner, Sarah Zeng

09-2021

Multiple ministries jointly issued the Interim Provisions on Automotive Data Security Management (Auto Data Regulation) on 16 August, which is the first data protection regulation targeted at automotive industry and will come into effect on 1 October 2021. The regulation covers a wide range of players processing vehicle-related data and will have a far-reaching impact on the industry.

BACKGROUND

This year, the Ministry of Industry and Information Technology (MIIT), the sectoral regulator for the automotive industry, has taken a series of moves to regulate the intelligent and connected vehicles (ICVs). Cybersecurity and data protection have become a key component of the regulatory efforts against the backdrop of landmark legislations, such as the Data Security Law (DSL) and the Personal Information Protection Law (PIPL) (see our article on PIPL here).

The MIIT has made data protection and cybersecurity capability a key part of ICV market entry requirements. The draft guidance on ICV manufacturers and products market entry published in April lays down detailed requirements for the manufacturers to maintain cybersecurity of the vehicles. In July, the MIIT required vehicle manufacturers to strengthen their data security management and cybersecurity capability in an official opinion on ICV market entry.

The MIIT also intends to strengthen the current regulatory regime for cybersecurity of ICVs. In April, the MIIT further released a draft guidance on establishing a regime of cybersecurity standards for ICVs, which aims to formulate at least 100 sets of cybersecurity standards by 2025. A draft circular was released in June which requires the telecom carriers, vehicle-to-everything (V2X) service operators and ICV manufacturers to enhance cybersecurity protection.

The Auto Data Regulation was promulgated by multiple ministries to strike a balance between the privacy right of individuals on one hand and on the other the promotion of ICV technology in China in the wake of the importance imposed on personal data for the ICV development which has been making considerable progress in other countries. The cybersecurity review investigations on Didi and Manbang initiated in early July gave this project additional urgency.

KEY PROVISIONS

  1. Scope and key concepts

    The Auto Data Regulation regulates the processing of automotive data (Auto Data) in China, which includes personal information and important data throughout the automotive design, manufacturing, sales, use, and operation and maintenance process.

    As such, the regulation covers a variety of industries relevant to the vehicle, and the Auto Data processors will include automobile manufacturers, parts and software suppliers, dealers, repair shops, and ride-hailing and car-sharing companies. Notably, insurance companies have been removed from the final draft.

    The regulation defines the personal information in the context of vehicle eco system, which includes information relevant to the identified or identifiable owner, driver, passengers and people outside the vehicle. It also defines sensitive personal information generally in line with the PIPL and gives a few examples, including location and tracking data, audios and videos, images and biometric information. Like the PIPL, personal information excludes anonymized information.

    More Importantly, the Auto Data Regulation provides a rare guidance on what important data consists of, which the DSL fails to define and requires sectoral regulators to formulate a catalogue on. Under the regulation, important data includes

    1. The geographical and people and traffic flow information of sensitive areas, such as military zones, defense-related scientific and industrial units or party or governmental organs of country-level or above;

    2. Data reflecting economic status, such as traffic or logistics flow;

    3. Operational data of vehicle charging networks;

    4. Out-of-vehicle audio and visual data, such as facial information, vehicle registration information;

    5. Personal information concerning over 100,000 individuals; and

    6. Such other data specified by the authorities. 

    Compared to the drafts published previously, it is worth noting that the high-definition mapping data has been removed. These will be regulated by the relevant mapping regulations. On the other hand, economic status data has been newly added to the category of important data which seems to be subject to a wide discretional interpretation by the authority. Any processing of sensitive personal information and important data will be subject to special protective measures discussed below.

  2. General data protection principles and measures

    Processors of Auto Data are required to adhere to the following four principles when processing Auto Data:

    i. In-vehicle processing: data should be transferred out of vehicles only when necessary;

    ii. No-collection by default: functions should not collect personal information by default, unless otherwise set by the driver before each ride;

    iii. Appropriate precision/scope: the coverage and level of definition of vehicle cameras and radars should match the requirements of the relevant functions or services, i.e. excessively broad coverage or high definition of data should be avoided; and

    iv. Data desensitization: anonymization or de-identification should be implemented whenever possible

    The principles of two-week data storage period and the mandatory user consent on a single ride basis have been removed compared to earlier drafts. However, the current language still indicates that the driver opt-in is required for any collection of personal information during each ride.

    In addition, the regulation also set out the details that Auto Data processors must notify the users when processing personal information. They authorities may also initiate data security assessment on processors of Auto Data when they see fit. The multi-level protection scheme (MLPS) is also requisite for entities that process Auto Data online.

  3. Special measures for protecting important data and sensitive personal information

    The Auto Data Regulation lays down special protective measures for processing of important data. Processors of Auto Data must

    1. Conduct risk assessment and submit to provincial CAC office and other competent authorities a report that includes  type, quantity, scope, place and period of storage, and use of important data, data processing activities as well as any provision of important data to third-party, data security risks and measures adopted;

    2. Store data locally within China and go through security assessment if export of important data is necessary;

    3. File an annual report to provincial-level CAC office and other competent authorities on information relevant to data security management and any export of important data.

    The regulation also sets out certain requirements for processing sensitive personal information on processing purposes, notification, separate consent and exercise of personal rights. In particular, processors of Auto Data should collect biometric information, unless it enhances driving safety and is sufficiently necessary.

  4. Governing authorities

The Auto Data Regulation was issued by the Cyberspace Administration of China (CAC) jointly with the National Development and Reform Commission (NDRC), the MIIT, the Ministry of Public Security (MPS) and the Ministry of Transport (MOT), and indicates that all the aforementioned ministries will have powers to enforce the regulation in their respect purview.

However, the regulation does not provide any clarity as to how the ministries will exercise their powers when their joint action is required. For instance, it is required that the ministries will conduct data security assessment on data processing by Auto Data processors, but gives no details as to the assessment procedures or the role of each ministry in the process.

CONCLUSION

The Auto Data Regulation was promulgated in the context of intensive regulatory and enforcement actions aimed to tighten cybersecurity and data protection in the automotive industry. The regulation applies to an extensive variety of players in the industry and may reshape the product design as regards the underlying approach to Auto Data. The broad scope of important data will subject a substantial proportion of processors of Auto Data to special protection measures.

With the DSL and PIPL taking effect in September and November respectively, we expect more enforcement actions in the automotive industries, which will pose a compliance challenge for companies operating in the automotive and transport industries in China.