A Brief Analysis of Several Provisions on the Security Management for Automotive Data (Trial Implementation)
Connected vehicles capable of connecting to the internet and sharing data with external parties are experiencing exponential growth in China. Despite the apparent benefits of new technologies, they have also raised significant concerns over personal information protection, data protection and cybersecurity. As they are in many other countries, regulators in China are making tremendous efforts to catch up with these new technologies.
On August 16, 2021, China’s first regulation on automotive data security, Provisions on the Security Management for Automotive Data (Trial Implementation) (hereinafter referred to as the “Provisions”), was unveiled and goes into effect on October 1, 2021. The Provisions establish a preliminary compliance framework for automotive data security in China by defining automotive data and regulated entities, stipulating principles for data processing, specifying obligations of data processors, and setting forth rules for cross-border data transmission.
What is automotive data? – The applicable scope of data and regulated entities
The Provisions define automotive data as “personal information or critical data involved in the design, manufacturing, sales, use, operation and maintenance of automobiles.” Compared with the rather broad definition of “Data” in the Data Security Law, “any record of information in the electronic or non-electronic form”, it is more tailored to the automotive industry.
The Provisions set out both the regulated entities and the automotive data that falls within their scope.
First, the regulated entities are those carrying out automotive data processing activities, covering traditional automotive enterprises as well as internet enterprises associated with the automotive business. Article 3 of the Provisions provides that automotive data processors are those organizations carrying out automotive data processing activities, including automobile manufacturers, parts and software suppliers, dealers, maintenance providers and riding service providers, etc.
The definition is in line with the context that vehicles are fast becoming intelligent networks. The entities processing vehicle data are not limited to traditional vehicle enterprises, but also include internet enterprises operating around the “vehicle”, like on-board software suppliers and ridesharing service providers. The Provisions now bring all of these within the scope of regulated entities.
Second, the Provisions limit automotive data under protection to “personal information” and “critical data”, avoiding excessively expanding the regulated scope of automotive data.
Personal information
Similar to the Personal Information Protection Law, the Provisions classify personal information into two categories: data related to an individual and data that can identify an individual. However, the Provisions limit such individuals to vehicle-related persons, including drivers and other occupants in vehicles, vehicle owners and pedestrians outside vehicles. Article 3 provides that personal information means all kinds of information related to the identified or identifiable vehicle owners, drivers, passengers and individuals outside vehicles and recorded by electronic or other means, excluding the information that has been anonymized.
As to the personal information concerning personal and property safety, the Provisions regard it as sensitive personal information, which refers to “the personal information of which the disclosure or illegal use, may lead to discrimination or cause serious harm to personal and property safety of the owners, drivers, passengers and individuals outside the vehicles, including vehicle whereabouts and tracks, audio, video, images and biometric features, etc.”
Critical data
Another category of automotive data subject to regulation is critical data, which refers to the data that may endanger national security, public interests or the legitimate rights and interests of individuals or organizations once such data are tampered with, damaged, disclosed, illegally obtained or illegally used, including:
- Geographic information, passenger flow, vehicle flow and other data of important sensitive areas such as military administrative zones, entities of science, technology and industry for national defense, and party and government organs at the county level or above;
- Data reflecting economic operation such as vehicle flow, logistics, etc.;
- Operational data of the automobile charging network;
- Video and image data outside vehicles that contain face information, license plate information, etc.;
- Personal information involving more than 100,000 persons; and
- Other data that may endanger national security, public interests or the legitimate rights and interests of individuals or organizations as determined by the Cyberspace Administration of China (CAC) and the government agencies of development and reform, industry and information technology, public security and transport, etc.
How should automotive data be processed? – A processor’s data protection obligations
Automotive data processors shall comply with the general data protection obligations set out below, regardless of whether the data is personal information or critical data.
First, the data processing shall be for a limited purpose. The purpose of processing the automotive data should be lawful, specific, clear, and directly related to the design, manufacture, and service of the vehicle.
Second, a cybersecurity classified protection system shall be implemented to protect the security of data.
Third, four recommended principles of data processing are to be followed:
- The principle of in-vehicle data processing (not providing data outside the vehicle unless it is necessary);
- The principle of default non-collection (setting non-collection as the default for every drive unless the driver changes the setting);
- The principle of applying the appropriate range of accuracy (determining the coverage and resolution of cameras, radars, etc. according to the data accuracy requirements of the services provided); and
- The principle of anonymization (anonymizing and desensitizing the data as much as possible).
Regarding the principle of the in-vehicle data processing, some special provisions for the connected vehicle are contained in the Information security technology — Connected vehicle — Security Requirements of Data (Draft):
- Without the consent of the individual whose information is to be collected, the connected vehicle shall not transmit data including personal information outside the vehicle through the network or physical interface, except for video and image data that are converted to data less than 1.2 megapixels in clarity and have erased any personally identifiable information such as face and license plate[1];
- The connected vehicle shall not transmit the audio, video, image and other data collected in the passenger compartment and the data obtained by its data processing to the outside of the vehicle through the network or physical interface[2].
In addition to the above general requirements, Articles 7 to 10 of the Provisions also set forth more stringent requirements for personal information, sensitive personal information and critical data, respectively, with which processors should comply.
How to transmit vehicle data overseas? – Requirements for cross-border data transmission
Articles 11 to 14 of the Provisions stipulate requirements for cross-border data transmission.
First, critical data should in principle be stored within the country, and transmitting such data out of the country should be an exception. Cross-border transmission of such data is allowed only when it is truly necessary to provide it to overseas parties due to business needs and the security assessment of the CAC and other relevant departments of the State Council has been passed.
Second, as to personal information data that does not fall into critical data, the safety management of cross-border transmission of such data is governed by relevant provisions of laws and administrative regulations.
It is worth noting that, despite setting out many requirements regarding cross-border data transmission, the Provisions do not clearly define “cross-border data transmission” or the criteria for “necessity of cross-border transmission,” for which reference must be made to other regulations or national standards.
“Cross-border data transmission,” under Article 3.7 of Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Comment), is a one-time or continuous activity in which a network operator provides personal information and critical data collected and generated in its operation in the People’s Republic of China directly by way of conducting business and providing services and products, etc., to institutions, organizations or individuals outside the country.
Cross-border data transmission includes the following scenarios:
- Providing personal information and critical data to an entity that is located in the territory of China, but is not under the jurisdiction of China or not registered in the territory of China;
- Data not transferred and stored outside China, but accessed and viewed by institutions, organizations, individuals outside China (except for public information and web access);
- Internal data of the network operator group transferred from inside China to outside China involving personal information and critical data collected and generated by the operator in the process of operation inside China.
For the necessity of the cross-border transfer, Article 5.1 of Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Comment) sets out the following “necessary” scenarios for cross-border data transmission:
- Necessary for the performance of contractual obligations;
- Necessary for the conduct of business within the same institution or organization;
- Necessary for departments of the Chinese government to perform official duties;
- Necessary for the implementation of treaties and agreements signed between the Chinese government and the governments of other countries and regions or international organizations;
- Necessary for maintaining the sovereignty of cyberspace and national security, economic development, social public interest, and protection of the legitimate interests of citizens.
Conclusion
With the connected car market booming, we recommend market participants implement programs to ensure compliance with the Provisions in order to minimize potential legal risks.
[1] 5.1 Without the separate consent of the person whose information is to be collected, the connected vehicle shall not transmit data including personal information outside the vehicle through the network or physical interface, except for video and image data that are converted to data less than 1.2 megapixels in clarity and have erased personally identifiable information such as face and license plate.
[2] 5.2 The connected vehicle shall not transmit to the outside of the vehicle, through the network or physical interface, the audio, video, image and other data collected in the cabin or the data obtained by processing such data.