China: Automotive data protection - key compliance requirements and challenges
Since 2021, in the wake of the Provisional Regulations on Data Security Management of the Automotive (the Automotive Data Regulations), and under the purview of China’s data protection legislation landmark legislations - the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), data protection and cybersecurity concerns have become increasingly prominent in the automotive industry. The strengthened rules in processing automotive data impose challenges for automotive companies, especially in the process of human-machine interaction, e.g., the function of 360° panoramic camera, interior remote monitoring, remote intelligent parking, etc. In this article, Sherry Gong and Tong Zhu, from Hogan Lovells, look at the key compliance requirements and challenges for automotive companies to consider when navigating data protection in China.
More detailed principles in processing automotive data
On the basis of the principles established by the PIPL, the Automotive Data Regulations advocate the principles of 'in-car processing' unless necessary for 'out-of-vehicle' processing, 'no collection by default' unless there has been an opt-in, 'proper precision' as well as 'desensitization,' including anonymization and deidentification in processing auto data. These principles have a profound impact on relevant vehicle functions, for example:
- In-car processing - given the 'in-car processing' principle and the restricted consent exemption of transferring the out-of-vehicle data (as set out in Section 2 below), several domestic automotive manufacturers have made announcements to optimize the functions related to exterior cameras and make sure images of the surrounding area can only be viewed on the in-car screen.
- No collection by default - in light of this principle, many automotive manufacturers have rectified to ensure that the relevant business functions (e.g. sentry mode) are activated by the vehicle owners, rather than by default.
Higher notification and consent requirements
The Automotive Data Regulations enhance the notification obligations and consent requirements as set forth under the PIPL, which underline that automotive data handlers should modify the relevant interface design and follow the Privacy by Design approach, for example:
- Notification can be provided through user manuals, onboard display panels, or other appropriate methods, including scenarios for the collection of personal information, the way to opt out, the purpose and usage for processing, storage location and retention periods, and the way to access, copy, and delete data stored in the car or provided outside the vehicle. Against this backdrop, the national standard, Information Security Technology-Security Requirements for Processing of Vehicle Data (the Vehicle Data Standards), set forth the enhanced notification requirements, for example, the retention period for each type of personal information should be specific and clear, e.g., 30 days or one year, and all of the storage locations be notified at the municipal level.
- In addition to the 'separate consent' for processing sensitive personal information as stipulated under the PIPL, the Automotive Data Regulations grant individuals the right to set a time limit for consent. On top of this, the Vehicle Data Standards reinforce that the consent period for sensitive personal information should not be 'always permitted' or 'permanent,' and when processing voice data for voice recognition functions, the options for consent periods should be provided to the individuals, such as single, seven days, three months, and one year. The only consent exemption, under the Automotive Data Regulations, is provided for the transmission of 'out-of-vehicle data' outside of the vehicle without the consent of the pedestrian, on the condition that the transmission is solely for driving safety and anonymization has been taken.
The broader impact of data localization and international data transfer restrictions
The Automotive Data Regulations track the data localization requirements for important data as set forth under the DSL and the Measures for Security Assessment of Data Exportation. In short, the security assessment led by the Cyberspace Administration of China (CAC) should be passed before exportation: (i) when transferring important data abroad; (ii) for international transfers of personal information undertaken by critical information infrastructure operators; (iii) for international transfers undertaken by data handlers processing the personal information of more than one million individuals; or (iv) when the data handlers who have cumulatively transferred abroad the personal information of more than 100,000 individuals or the sensitive personal information of more than 10,000 individuals since 1 January of the preceding year.
Even if the CAC security assessment would not be triggered, the following legislative developments should be noted:
- The final version of Measures on the Standard Contract for the Cross-border Transfer of Personal Information (SCC Measures), together with the template Standard Contractual Clauses (SCC), was issued on February 24, 2023, and became effective on June 1, 2023. Under the SCC Measures, the SCC should be concluded and record-filed with the CAC within 10 business days after the SCC becomes effective.
- In December 2022, version 2.0 of Guidance on Network Security Standardized Practice – Technical Specification for Certification of Personal Information Cross-Border Processing Activities was issued, and a qualified certification institution published an online channel to apply for personal information protection certification in January 2023.
In light of the current market practice, foreign-invested vehicle manufacturers have taken actions to mitigate the risk of data localization and international data transfer restrictions.
More defined range of important data and additional reporting obligation
Even though the general important data catalog is still in draft version, the Automotive Data Regulations, for the first time, clarify the scope of important data in the context of the automotive industry, including: (i) the geographical, passenger flow, and traffic flow information of sensitive areas, such as military zones, defense-related scientific and industrial institutions, or governmental organs of country-level; (ii) data such as vehicle flow and logistics that reflects economic operation; (iii) operational data of vehicle charging networks; (iv) out-of-vehicle audio and visual data, such as facial information and license plate information; (v) personal information involving more than 100,000 personal information subjects; and (vi) other data determined by relevant authorities.
To carry out any important data processing activities, in addition to the regular risk assessment obligation under the DSL, the automotive data handler (including automotive manufacturers, parts and software suppliers, dealers, maintenance organizations, mobility companies, etc.) shall formulate the annual automotive data security management information report to the local CAC, by December 15 of each year. Such annual report obligation must disclose various information to the authorities, including but not limited to, an overview of the scale, purpose, and necessity for each type of automotive data, the technical and management measures (e.g. the measures to implement 'anonymization of out-of-vehicle data'), storage location and retention period, information about cross-border data transmission, etc. At present, over 12 provinces in China have issued notices to implement the automotive data’s annual report requirement.
More intensive cybersecurity and data security requirements to be published
In addition to the above, attention should also be paid to cybersecurity and data security requirements in the context of intelligent connected vehicles. In 2021, the Ministry of Industry and Information Technology (MIIT) issued the Notice on Strengthening the Cybersecurity and Data Security of the Internet of Vehicles, which emphasizes the security protection of intelligent connected vehicles, the internet of vehicles, the concerned service platforms, and data security requirements. On this basis, the MIIT published the Guidelines for the Cybersecurity and Data Security Standards Mechanism for the Internet of Vehicles to shore up the cybersecurity and data security requirements that connected vehicles rely on. This guideline is accompanied by a list of 103 industry standards in total, of which 12 have already been finalized, 15 industry standards are being drafted, and the rest are yet to be formulated. When formally issued, these standards will provide vehicle manufacturers with more clarity on how to implement cybersecurity and data security rules.
In light of the above compliance requirements and challenges, as well as China's ambitions for the growth of the Internet of vehicles, we expect that automotive data protection will remain a hot topic in the future, and we suggest that automotive companies take the following actions:
- establish and maintain a data inventory through data mapping to understand categories and location of data, and identify important data, personal information, and sensitive personal information that the company is processing;
- assess digital functions to benchmark the principles and requirements in processing automotive data, and update the privacy policies and consent mechanisms;
- evaluate the impact of data localization and international data transfer restrictions;
- establish systematic data management policies, and undergo ongoing compliance obligations (e.g. annual report); and
- implement technical measures to safeguard data security and cybersecurity, and closely follow the cybersecurity and data security requirements.