China issues new rules on data protection in the auto industry
Published on 15th Sep 2021
New rules on automotive data security coming into force in October
In another step to tighten data rules in China, on 16 August 2021 the China Administration of Cyberspace (CAC), together with four other ministries, issued the Administrative Rules on Automotive Data Security. The new rules will enter into force on 1 October 2021 as implementation rules for data protection in the automobile industry, under the umbrella of the new Data Security Law (DSL) and the Personal Information Protection Law (PIPL).
The new automotive data rules aim to define a new supervisory landscape for data protection in the industry, and will have a huge impact on the sector.
“Automotive data” is broadly defined as the personal information and other important data involved in the design, manufacture, sale, use and maintenance of vehicles. An automotive data processor could include auto manufacturers, parts and software suppliers, distributors, dealers, repairers and transportation service providers, thus covering processors along the whole industry chain.
As with PIPL, the new rules also distinguish between normal personal information and sensitive personal information in the auto industry context, and the processing of sensitive personal information is subject to more onerous requirements (for example, a stand-alone consent, and the right to erasure within 10 working days if requested).
Principles for automotive data processing
According to the new rules, auto data processors (similar to data controllers under the EU's General Data Protection Regulation (GDPR)) must comply with the following principles in carrying out automobile data processing:
- “in-vehicle handling” unless necessary for “out of vehicle” processing;
- “non-collection by default” unless there has been an opt-in;
- “accuracy and scope proportional to the purpose”: the coverage range and resolution of cameras and radars should correspond to that necessary for the purpose or function of the service;
- “de-identified treatment”: data should be anonymised or de-identified where possible.
Auto data processors may therefore find it more challenging to legitimately collect and process auto data under the new rules. From a technical perspective, it may also mean that auto manufacturers need to deploy stronger in-vehicle data storage and handling capabilities to be compliant.
Localisation requirements on important automotive data
Under the new rules, "important automobile data" is defined as data that, once tampered with, damaged, disclosed, or unlawfully obtained or used, may cause harm to national security, the public interest or the legitimate rights and interests of individuals or organisations, including:
- geographical information, passenger flow and vehicle flow in military zones, national defence science and industry units, Communist Party and government organs at the county level or above, and other important sensitive areas;
- data on vehicle flow on roads and logistics, and other similar information reflecting economic performance;
- operational data of vehicle charging networks;
- external video and image data that contains facial information and licence plate information;
- personal information involving more than 100,000 data subjects; and
- other data determined by the CAC and other relevant PRC ministries and departments.
The new rules provide that "important automotive data" collected by the auto data processor must be stored within the territory of China.
Where a transfer of important data out of China is necessary for business reasons, it must pass a security review by the CAC together with other relevant ministries and departments. This would have a great impact on international auto manufacturers, especially autonomous car manufacturers, that store the personal information of their customers and/or other important data outside China, as they would have to consider relocating their data centres to China.
Although the details of the “mandatory security review” process remain to be clarified, it is likely that certain information will be considered too important to be transferred out of China, even if a general green light has been obtained after the review process.
The transfer of personal information (not being important auto data) out of China is subject to the requirements on the cross-border transfer of data under PIPL (for example, stand-alone consent, certification for data protection security or transfer under standard contractual clauses (SCCs)).
Compulsory multiple level protection systems
Multiple level protection systems (MLPS) are not new to network operators, as they are provided for under the PRC Cybersecurity Law. Operators of all types of networks, including computer networks and mobile networks, are required to implement MLPS. MLPS is a mechanism that protects networks and information systems according to their classified level of importance. Under MLPS, network systems are classified from Level 1 to Level 5; the higher the level of security protection, the stricter the requirements.
The new automotive data rules reiterate that MLPS applies to automotive data processors that carry out data processing through the internet or other information networks. This means that MLPS is expressly made a compulsory obligation for “digitalised” automotive data processors, if not for all automotive data processors.
Regular risk assessment
Under the new rules, auto data processors are obliged to conduct risk assessments in processing important auto data. The assessment reports must be submitted to the authorities.
In addition, auto data processors must submit an annual report detailing their management of data security for their businesses, including details of the data protection officer, security measures, location for storage, data incidents, customer complaints and their handling, and where there is a transfer out of China, a report on the transfer.
Risk assessments and reporting will become a regular part of the compliance process under the new rules. The National Information Security Standardisation Technical Committee is also formulating a standard, "Information Security Technology – Security Requirements of Vehicle Collected Data", to provide more practical guidance on auto data management, which, once in place, will hopefully provide more clarity for implementation. Businesses should keep watching for developments.