China’s New Data Rules

Major takeaways impacting the entire automotive industry

International automotive original equipment manufacturers (OEMs) and suppliers have witnessed the rapid development of the People’s Republic of China (PRC) data protection regime, including the draft PRC Personal Information Protection Law. While existing rules generally address concerns relating to privacy protection and data export control, rules specific to the automobile industry have been lacking for a long time. This makes it difficult for enterprises to manage their data compliance. Such situation may soon change, as the Cyberspace Administration of China (CAC) presented its new draft Several Provisions on Car Data Security Administration (Draft Provisions) on 12th May 2021 to solicit comments. The Draft Provisions, if promulgated in their current form, would bring substantial clarification to the whole industry, though not making things easier. Michael-Florian Ranft, Michael Tan and Johnny Zhao of Taylor Wessing in this article offer some brief observations and thoughts on the regulation.

——————–

Wide coverage involving everyone and everything

By using the very broad term ‘operator’, the Draft Provisions would apply to almost all members of the automotive supply chain, including OEMs, components and software suppliers, dealers, repair shops, online car-hailing service providers and insurance companies.

As far as personal information or so-called “important data” are concerned, all data activities—such as collection, analysis, storage, transmission, searching, use, deletion and export—would be captured.

Notably the Draft Provisions expand the scope of personal information from “inside a car” (i.e., information of car owners, drivers, passengers) to include “outside a car” (i.e., information of pedestrians), as well as to other information that can identify an individual or that describes personal activities. The “important data” is further clarified by the Draft Provision and would include:

  • traffic data in important and sensitive areas (such as military zones and defence/science units that involve state secrets, governmental/party agencies above county level);
  • mapping and surveying data more precise than maps published by the State;
  • operational data of car charging station/networks;
  • data on vehicle types and flows on roads;
  • outside-a-car audio and video data that contain information on faces, voices or car plates, among others; and
  • other data that concern national security and public interest as classified by the CAC and other ministries.

Under the Draft Provisions, an operator will process the above data for purposes directly relating to the design, manufacturing and service of cars only, and is obliged to comply with cybersecurity requirements, including implementing the latest multiple-level protection scheme. Different to the European Union’s General Data Protection Regulation’s (GDPR’s) focus on protection of personal information, the emphasis on the “important data” (which will be associated with further legal obligations as outlined later) would create a unique challenge for global players in the Chinese automotive industry.

Data processing: in-car requirement by default

OEMs and data-rich suppliers should pay particular attention to the following data processing principles introduced by the Draft Provisions:

  • In-car processing: data shall be processed “in a car” instead of “out of a car” in principle;
  • Anonymised processing: if it is indeed necessary to provide data out of a car, such data shall be anonymised and desensitised;
  • Minimum retention period: this shall be determined according to the type of services/functions offered;
  • Precision as necessary: coverage and resolution of sensors like cameras and radars shall accord with the level demanded by the offered services; and
  • “Non-collection” by default: no data shall be collected by default, and a driver’s consent shall only apply to one single drive.

The Draft Provisions take a “processing in-car by default” approach, which weighs privacy over the commercial and operational features of a “connected car”.

Processing of sensitive personal data (such as vehicle location, audio/video of drivers and passengers, wrongful or illegal driving behaviour) out of a car shall be prohibited, unless

  • it is for the purpose of directly serving the driver or passengers, including enhancing driving safety, assisting driving, navigation and entertainment;
  • it defaults to “non-collection”, and consent from the driver is required for each drive, which will automatically become invalid upon end of a drive (i.e., when a driver leaves his/her seat);
  • the driver and passengers are informed, via in-car display panel or by voice, that (sensitive) personal information is being collected.

In addition, the driver may stop data collection at any time in a convenient way, and the car owner may review it in a convenient way or enquire what data was collected in a structured way. Moreover, the operator shall be obliged to delete data within two weeks upon request by the driver.

Data collection: transparency principle

The general transparency principle on data collection will also be substantiated under the Draft Provisions. An operator will be obliged to disclose a variety of information about the data collection (such as type of data collected, method of and purpose for collection, data storage location and retention period, as well as “right to be forgotten” obligations). The collection of biometric data would be allowed only for convenience or for security reasons.

Reporting obligations and data export

The Draft Provisions set extensive reporting requirements on operators that process “important data” or personal data of more than 100,000 individuals. In reality, this would be quite challenging: for example, an operator cannot prevent a driver from using a smart car in a sensitive area, and the threshold of 100,000 individuals may be easily reached if an operator engages in public transportation or has high sales of smart cars. The reporting requirements include the submission of names and contact details of data security officers and persons responsible for data issues to the CAC and (other) relevant authorities at the provincial level by 15th December every year. In addition, prior reporting of “important data” processing will be required, indicating the type, scale and scope of data, storage location, retention period, method of use and status of sharing with third parties.

The Draft Provisions further would require (car-related) personal data and “important data” to be stored within the PRC. Any data export (which will technically also include access to data from overseas), if indeed necessary, shall then:

  • undergo data export security assessment as organised by the CAC;
  • have effective measures in place to regulate export of data and to ensure data security;
  • oblige an operator to deal with data subjects’ complaints and assume legal liabilities for any damages suffered by the subjects or to the “public interest” due to data export; and
  • providing plaintext and readable access to allow the CAC (together with other authorities) to conduct audits.

The Draft Provisions specifically address the scenario where an operator’s overseas research and development or commercial partner needs to access its data stored onshore. In this case, effective measures shall be taken to ensure data security and prevent data breach, while access to “important data” and sensitive personal data shall be strictly restricted.

And more…

The Draft Provisions take a rather strict approach and regulate data topics in the automotive industry in a quite comprehensive and far-reaching sense. Certain provisions like reporting obligations and data onshore storage requirements will create challenges for internationally active OEMs and suppliers, who otherwise could benefit highly from aggregation of their global data and equal data requirements on a global scale.

Tesla’s recent announcement that it will set up a local data centre in China is surely one response of international OEMs to the intensified data compliance requirements, but most probably not the final and only answer to staying compliant. There are many other aspects to watch out for (such as pedestrian privacy protection, among others). Given the size of the Chinese auto market, all participants in the industry, whether production or service, should start to plan actions to accommodate the new compliance challenges that may be brought by these Draft Provisions and further rules likely to come in the near future.

———————-

Taylor Wessing LLP is a full-service international law firm with 28 offices internationally, including in Beijing and Shanghai. With more than 300 partners and over 1,000 lawyers based in 15 countries worldwide, the firm provides practical advice and commercial solutions in relation to all issues of international and national business law to clients across Europe, the Middle East and Asia.