3 June 20218 minute read

Episode 18: Increased scrutiny over connected car and automobile industry data from Chinese regulators, including push towards data localisation

The Chinese cybersecurity authorities have published new draft rules clarifying data and cyber compliance obligations for the automobile industry, including a push towards most personal information and important data being kept in China. China is a leading market for connected and autonomous vehicles, and use and analytics of connected vehicle data has been encouraged by Chinese Government support of big data and AI technology. This is a reminder for the automobile industry - and its supporting industries and insurers - to ensure a robust compliance framework to protect that data, and to reconsider processing of such data outside of China.

The draft “Several Provisions on the Safety Management of Automobile Data” (Draft Provisions), published last month by the Cyberspace Administration of China (CAC), clarifies the principles and rules that must be complied with when handling both “personal information” and “important data” generated by and in connection with the automobile industry. The Draft Provisions apply across the industry, not just to vehicle designers and manufacturers, but also parts and software providers, dealers, maintenance and repair agencies, online car hailing organisations and insurance companies.

The Draft Provisions largely align with the existing China data protection and cybersecurity frameworks, including the Cybersecurity Law (CSL), the Personal Information Security Specification (PIS Specification), the Draft Personal Information Protection Law (Draft PIPL), the Draft Data Security Law and online mapping regulations. The Draft Provisions are particularly helpful in highlighting data and infrastructure within the automobile industry that the lead regulators (notably the CAC, but others to be specified in due course) consider to be high risk, as well as guidance on tricky connected vehicle issues such as obtaining consent.

Key highlights of the Draft Provisions include:

  • Personal information: clarification that personal information (as protected under the CSL, PIS Specification and the Draft PIPL) includes note only information about vehicle owners, drivers and passengers, but also pedestrians (eg via online cameras and accident logs), as well as various information that can be used to infer personal identity or describe personal behaviour, etc.

    The Draft Provisions also clarify that sensitive personal information includes vehicle location; audio or video of drivers or passengers; and data that can be used to determine illegal driving; and biometric data (such as fingerprint, voiceprint, face and hear rate).

  • Processing of personal information: useful guidance is provided on tricky issues regarding collection – and notice/consent – from users and passengers of vehicles, including:
    1. that privacy notices must include:
      • details of each type of data to be collected;
      • the triggers for collecting each type of data, and how to stop the collection;
      • the purpose and use case for each type of data;
      • the location and duration of data retention, or the rules for determining the location and duration of data storage;
      • how to delete in-vehicle personal information or request deletion of personal information transferred outside of the vehicle; and
      • valid contact information for the person/role responsible for handling data subject rights;
    2. express consent must be obtained. Default or deemed consent is not sufficient;
    3. consent must be given by the driver, not the vehicle owner. It is unfortunately not clear whether separate consent would be required from passengers; and
    4. consent is specific to each journey.

    Additional obligations apply to processing of sensitive personal data and biometric data, including:

    1. notifying the drivers and passengers by voice or reminders on the operation panel that sensitive personal data is being collected; and
    2. deletion of sensitive personal information within two weeks when requested by the driver, etc.
    3. collection and use of biometric data can only be for the users’ convenience or to increase the security of the vehicle system, and the operator must provide less-privacy intrusive alternatives.
  • Important data: useful guidance is provided on the types of (personal and non-personal) data within the automobile industry that may comprise “important data” that must be protected (and in some cases kept in China) under the CSL, notably:
    • data on people and vehicle flows in areas involving state secrets (such as military administrative zones, national defense science and industry) or other sensitive areas (such as certain government departments);
    • surveying and mapping data that is more accurate than data in the maps publicly released by the State;
    • operational data of automobile charging networks;
    • the type or flow of vehicles on the road;
    • audio or video data containing faces, voices, license plates, etc. outside of the vehicle; and
    • other data that may affect national security and public interests.
  • Data localisation of personal information and important data: the regulators expect personal information and important data of the automobile industry to be processed and stored in Mainland China. That is, such data should not be transferred or accessed outside of Mainland China without having undertaken a security assessment in conjunction with the CAC. In addition, if approved, the CAC would expect the organisation to:
    • implement contractual and operational safeguards to ensure any overseas recipient of the data processes it in accordance with Chinese data and cyber laws (including the Draft Provisions);
    • ensure procedures are in place to deal with user complaints about handling of the data; and
    • report annually to the CAC with details of the overseas recipients and activities, location etc.
  • Online mapping/geolocation: use and collection of online mapping or geolocation data remain heavily regulated. Helpfully for the automobile industry, organisations within the automobile industry may now conduct mapping as long as they comply with a series of compliance obligations in relation to important data, which include reporting to the CAC.
  • Data/systems security: a reminder that automobile industry must implement the Multi-Level Protection Scheme for systems hosted in China. MLPS remains a high priority for the Chinese regulators, and it appears likely that the automobile industry will (like the hotel industry last year) be on the regulators’ radar. In any case, the regulators would now have the right to conduct discretionary data security assessments.
  • Annual regulator reporting: those that (1) process personal information of more than 100,000 data subjects, or (2) process important data, must submit an annual report to CAC’s local offices covering the following:
    • names and contact information of data security officers and officers in charge of handling users’ rights and interests;
    • type of processed data, and scale, purpose and necessity of data processing;
    • data security protection and management measures, including storage location and duration;
    • data shared with third parties;
    • data security incidents and handling;
    • user complaints related to personal information and data; and
    • other data security situations.

    These industry-specific reporting obligations are more onerous than those under the general data and cyber laws and, as such, the automobile industry will need to implement increased governance measures to support this reporting.

The Draft Provisions are available (in Chinese only) on the CAC website, and are open for public consultation until 11 June 2021.

The Draft Provisions will not prevent the automobile industry from processing and analysing personal and important data from vehicles and their users in China, including deploying AI, big data analytics and data lakes to do so for product improvement, personalised (connected) services and so on, but they reiterate the importance of a robust data compliance framework, and suggest an increased regulatory scrutiny around such activities.

Print