On 12 May 2021, the Rules on the Administration of Automobile Data Security (Draft for Public Comments) (hereinafter as the “Draft rules") were released by the State Cyberspace Administration of China (hereinafter as the “CAC"). The Draft rules aim to further enhance personal information and important data protection and regulate data processing activities in automobile (ICV included) sector in China. As the first ever binding law to be regarding data security in automobile sector, the Draft rules are of great significance and distinctive features, for example, the scope of important data under automobile scenarios is enumerated in a non-exhaustive manner and the long-lasting controversy of data localization and cross-border transfer requirements is answered as well. We envisage that, with reference to previous legislative moves of the CAC, the Draft rules will come into effect within this year.

The Draft rules apply to the processing of personal information and important data within the territory of the People’s Republic of China by operators during the process of design, manufacture, sale, operation and maintenance and management of automobiles.[3] For companies to determine whether they will be subject to the Draft rules, they shall first fully understand the three fundamental concepts of operators, personal information and important data as elaborated in article 3.[4]

The Draft rules greatly cover the whole circle processing activities and multi-participants in the automobile ecosystem such as manufacturer, hardware and software supplier, distributor, online car-hauling companies, maintenance agencies and insurance companies.

For the determination of personal information, the Draft rules adopt the “identifiable + linkage" criteria, that is, any information that can be used to identify or trace individuals as well as personal information of identified individuals such as automobile owners, drivers, passengers and pedestrians.

The Draft rules also for the first time set out the scope of important data in automobile sector in a non-exhaustive manner, including external environmental data such as car flow and people flow of sensitive military and governmental zones, mapping data beyond the precision of published maps and other data with potential impact on national security and public interests.

The Draft rules entail seven principles relating to processing of personal information and important data.

Currently only the first two principles, that is, the principle of purpose limitation and implementation of Multi-Level Protection Scheme (“MLPS") under the Cybersecurity Law are binding. The Draft rules stipulate that the purposes of processing shall be legitimate, specific, explicit and shall be directly relating to automobile design, manufacture and services.[5] We understand that the entire ICV industry and technologies such as autopilot driving are under rapid development and the purpose limitation principle may impose certain setbacks for business operation, we suggest automobile operators adopt the methodology of privacy by design within their business deployment.

The Draft rules, in close convergence with the Cybersecurity Law, also require that operators shall implement MLPS to enhance personal information and important data protection.[6] The Draft rules also recommend operators adhere to the principle of in-car processing, data anonymization, minimum data storage period, proportionality in data precision setting and opt-in data collection.[7] Though the above five principles are not strictly mandatory, we suggest companies include relevant requirements within their overall compliance management, conduct in-time gap analysis and correspondingly record the potential impact for further evaluation.

The Draft rules, in great convergence with the Personal Information Protection Law (2nd Draft), further specify personal information protection specific to automobile sector by distinguishing between in-car and external scenarios and etc. The Draft rules clarify when it is hard to obtain consent in practice on data such as audio and videos collected through cameras from external environments of automobiles and when it is truly necessary for processing of such data, then the data at issue shall be anonymized or desensitized, for example, deletion of images containing identifiable individuals or conducting partial blurring to faces in such images.[8]

The Draft rules place great emphasis on knowledge and control of personal information subjects to their personal information, for example, operators shall provide personal information subjects via user handbook or display panel with information such as the personnel responsible for user rights and interests and methods to delete in-car data and to request deletion of data provided away from cars.[9]

The Draft rules for the first time specify that automobile location, audio and video data of drivers and passengers and data for determination of driving violations belong to sensitive personal information and operators processing sensitive personal information shall meet the requirements for purpose limitation (directly serve for drivers and passengers such as ancillary driving and navigation), opt-in collection, obtainment of valid consent on processing under each driving, any-time termination of collection by drivers and etc.[10]

Operators processing biometric personal information shall also adhere to specific purpose limitations, that is, processing merely for the convenience of users, automobile information system safety and etc.[11]

One of the most distinctive features of the Draft rules lies in an explicit stipulation that personal information and important data in automobile sector as defined shall be stored within the territory of the People’s Republic of China, and if such data truly needs to be transferred outside the territory of the People’s Republic of China, operators shall pass the data cross-border security assessments organized by the State Cyberspace Administrative Departments.[12]

Companies especially MNCs in response to the localization requirement should reconsider their IT infrastructure such as server deployment to comply with the law. In addition, the Draft rules put forward several supplemental requirements to further ensure data security under cross-border transfer scenarios. Operators shall take effective measures to specify with and monitor overseas receivers with respect to data processing as agreed, we understand such measures may refer to standard contractual clauses (“SCCs") and audit required in the Personal Information Protection Law (2nd Draft).[13] Operators shall handle user complaints in relation to cross-border data transfer and bear liabilities when detriment to public interests or legitimate rights and interests of users occurs.[14] Operators shall ensure the actual cross-border data transfer activities do not exceed as specified in the security assessments organized by the State Cyberspace Administrative Departments, and shall present relevant records in an explicit and readable manner under spot check by competent authorities on such matters.[15] Operators shall take effective measures to ensure data security under circumstances of access of data stored within the territory of the People’s Republic of China, especially by overseas parties and strictly restrict access to sensitive personal information.[16]

Under the Draft rules, there are three must-dos in relation to data security administration for operators which deserve noticing.

Operators processing important data shall before any processing report to provincial cyberspace administration departments and other relevant departments on information such as data type, scale, scope, data storage location and period, use of data and third-party transmission.[17]

Operators processing important data or personal data over the scale of 100,000 personal information subjects shall, by 15 December of each year, report their annual data security management situations to provincial cyberspace administration departments and other relevant departments,[18] and when cross-border data transfer are involved, such operators shall in addition report information in relation to the receivers, type, volume and purposes of data transferred, user complaints and corresponding handling regarding the transfer and etc.[19]

Operators shall cooperate with data security assessments organized by the State Cyberspace Administrative Departments together with other relevant departments.[20]

On 28 April 2021, the Information Security Technology – Connected Vehicles – Security Requirements of Data (Draft) (hereinafter as the “TC260 ICV Security Draft") was released by the National Information Security Standardization Technical Committee. Though the TC260 ICV Security Draft is in nature a non-binding national standard, it represents great industry practice and may be taken into consideration by competent authorities as reference during enforcements. We thus suggest companies include its requirements within their overall compliance mechanism.

The TC260 ICV Security Draft applies to data processing activities of connected vehicles. It explicitly stipulates that data collected and processed by connected vehicles shall not be further processed for purposes other than vehicle management and driving safety.[21]

The TC260 ICV Security Draft requires that data collected by connected vehicles related to vehicle location and vehicle traces shall be stored within in-car memory devices and telematics service providers (TSP) no more than seven days.[22]

The TC260 ICV Security Draft prohibits transfer of data such as audio, videos or images collected from car cabin or of processed data on such basis away from vehicles.[23] Data containing personal information shall not be transferred away from vehicles without consent of involved individuals, except for video and image data which has been converted under 1,200,000 pixels resolution and of which identifiable information such as faces and car license plates has been erased.[24]

With regard to data localization and cross-border transfer, the TC260 ICV Security Draft specifies certain data shall not be transferred outside the territory of the People’s Republic China, i.e., data such as roads, buildings, terrain and traffic participants collected from external environments by connected vehicle cameras, radars and other sensors as well as data related to vehicle location and traces, for data such as driving state parameters and abnormal warning information of connected vehicles, if truly needs to be transferred outside the territory of the People’s Republic China, it shall comply with related provisions on cross-border data transfer of the State.[25] In addition, the TC260 ICV Security Draft exerts obligations of provision of information such as data format and encryption method on connecting vehicle companies conducting encrypted cross-border transfer of data under circumstance of spot check and verification by regulatory authorities.[26]

On 7 April 2021, the Guideline for the Administration of the Admission of Intelligent Connected Vehicle Manufacturers and Products (for Trial Implementation) (Draft for Comments) (hereinafter as the “the Draft guideline") was released by the Ministry of Industry and Information Technology (“MIIT"). The Draft guideline applies to ICV manufacturers, which are equipped with conditional autonomous driving function or high-level autonomous driving function, and their products, specifying requirements for security assurance capabilities, necessary functions of products, and access test. The noteworthy aspects in terms of specific requirements are as follows.

The Draft guideline takes the Cybersecurity Law as the upper-level legislation. In order to solve the cyber security threats that ICV manufacturers may encounter, it links up with the Cybersecurity Law and puts forward a set of security requirements.[27] For example, the ICV manufacturers should abide by cyber security laws and regulations and establish a cyber security protection system that covers the entire life cycle of vehicles. Necessary technical measures should be adopted to effectively respond to cyber security incidents, thus protecting vehicles and their network facilities from attacks, intrusions, interference, and destruction. In addition, the systems and the mechanisms mentioned in the Appendix of the Draft guideline, including the cyber security responsibility system, cyber security protection system, cyber security monitoring and early warning mechanism, cyber security emergency response mechanism, data security management system, etc., are the implementation and refinement of the MLPS provided in the Art. 21 of the Cybersecurity Law.[28]

The Draft guideline also relates to the highly debated the Personal Information Protection Law (2nd Draft) and the Data Security Law (2nd Draft). It provides relevant requirements for data localization and other issues related to personal information protection, which responds to the long-term public concerns about data privacy and security risks that may be involved in the ICVs. The Draft guideline stipulates that the ICV manufacturers shall collect, use, and protect personal information in accordance with the law, and implement data classification and categorization management.[29] According to Art. 8 of the Draft guideline, the data collected and recorded by the ICVs shall at least include the operating status of the driving automation system, status of the driver, driving environment information, vehicle control information, etc., which delineates a reasonable range of information collection and establishes the legal basis for ICV manufacturers.

In addition, personal information and important data collected and generated during operations within the territory of the People’s Republic of China shall be stored in the territory in accordance with relevant laws and regulations. If it is indeed necessary to provide it overseas, it should be reported to the competent industry authority.[30] This requirement puts the need for data protection and compliance work for ICV manufacturers on the agenda, yet the detailed requirements such as the reporting process have not been clarified.

The Draft guideline stipulates that the ICV manufacturers and products can apply for the access process to the MIIT, and the MIIT will carry out access application acceptance, technical review, application evaluation, supervision and inspection in accordance with relevant regulations.[31] What needs special attention is that the access process for ICV manufacturers and products is similar to the UN regulations issued by the World Forum for Harmonization of Vehicle Regulations (“WP. 29 Forum"). In June 2020, The WP. 29 Forum passed two new regulations, R155 and R156, regarding Cyber Security Management System (CSMS) and Software Update Management System (SUMS). The R155 and R156 regulations have come into effect on January 22, 2021. However, compared with R155 and R156 regulations, the application process and the review standards in the Draft guideline are still waiting for further refinement.

Following the Good Practices for the Administration of Road Tests for Intelligent Connected Vehicles (for Trial Implementation) issued by the MIIT, the Ministry of Public Security, and the Ministry of Transport on April 12, 2018, provinces/cities including Beijing, Shanghai, Guangzhou, Chongqing, Jiangsu have successively introduced local regulations on-road tests for autonomous driving vehicles and road test licenses. The Draft guideline released this time stipulates multiple testing requirements from six aspects including simulation test, closed-field test, road test, vehicle cyber security test, software update test and data storage test. These requirements emphasize that ICVs shall not only meet the testing requirements of external physical interaction scenarios, but also those of virtual network, promoting the continuous progress of the industry development.