New Legislative Trend of Tightening ICV Data Regulation in China
By:
Jihong CHEN,Peng CAI
Jiawei Wu,Yating Jiao
Jiabin Sun
Introduction
The development of intelligent connected vehicles (“ICV”) is of great strategic importance in China and by 2050 China will fully formulate its standard ICV system covering technology innovation, infrastructure, legislation, cybersecurity and etc.[1]China has accelerated its promulgation of laws, regulations and standards in relation to cybersecurity and data protection in ICV sector.[2] Merely within the last two months, three drafts of key regulation and standards, namely, the Rules on the Administration of Automobile Data Security (Draft for Public Comments), the Guideline for the Administration of the Admission of Intelligent Connected Vehicle Manufacturers and Products (for Trial Implementation) (Draft for Comments) and the Information Security Technology – Connected Vehicles – Security Requirements of Data (Draft), were released, unveiling an era of stringent ICV regulation in China. In close convergence with the Cybersecurity Law, the Personal Information Protection Law (2nd Draft) and the Data Security Law (2nd Draft), these ICV requirements further specify cybersecurity and data protection rules in response to challenges and needs raised by the development in automobile (ICV included) sector. Cybersecurity and data protection issue has always been the Achilles heel of ICV integrated with multiple sensors, electronics and computer systems, together with recent social events related to ICV companies and rising concerns of the public on ICV with regard to cybersecurity, personal information and privacy, product malfunction and quality and even national security. From the perspective of regulatory compliance, we will provide companies with commentary and practical guidance on main provisions of these ICV laws and help companies navigate the regulatory trend in China as well as dos and don’ts under supervision.
In a nutshell, we suggest companies responsively take the following measures:
Be aware of the increasingly stringent regulatory trend in ICV sector as well as the necessity of conducting compliance assessment in advance with respect to the new rules in cybersecurity and data protection
As regards the hot issue of data localization, companies, especially MNCs, should take well consideration in their IT infrastructure deployment to ensure the legality of their data processing activities and establish data localization and cross-border transfer mechanism in accordance with laws
Pay close attention to any legislative progress, keep positive communication with competent authorities and properly put forward legislative suggestions
1 . Rules on the Administration of Automobile Data Security (Draft for Public Comments)
On 12 May 2021, the Rules on the Administration of Automobile Data Security (Draft for Public Comments) (hereinafter as the “Draft rules”) were released by the State Cyberspace Administration of China (hereinafter as the “CAC”). The Draft rules aim to further enhance personal information and important data protection and regulate data processing activities in automobile (ICV included) sector in China. As the first ever binding law to be regarding data security in automobile sector, the Draft rules are of great significance and distinctive features, for example, the scope of important data under automobile scenarios is enumerated in a non-exhaustive manner and the long-lasting controversy of data localization and cross-border transfer requirements is answered as well. We envisage that, with reference to previous legislative moves of the CAC, the Draft rules will come into effect within this year.
Applicable Scope
The Draft rules apply to the processing of personal information and important data within the territory of the People’s Republic of China by operators during the process of design, manufacture, sale, operation and maintenance and management of automobiles.[3] For companies to determine whether they will be subject to the Draft rules, they shall first fully understand the three fundamental concepts of operators, personal information and important data as elaborated in article 3.[4]
The Draft rules greatly cover the whole circle processing activities and multi-participants in the automobile ecosystem such as manufacturer, hardware and software supplier, distributor, online car-hauling companies, maintenance agencies and insurance companies.
For the determination of personal information, the Draft rules adopt the “identifiable + linkage” criteria, that is, any information that can be used to identify or trace individuals as well as personal information of identified individuals such as automobile owners, drivers, passengers and pedestrians.
The Draft rules also for the first time set out the scope of important data in automobile sector in a non-exhaustive manner, including external environmental data such as car flow and people flow of sensitive military and governmental zones, mapping data beyond the precision of published maps and other data with potential impact on national security and public interests.
Basic Principles
The Draft rules entail seven principles relating to processing of personal information and important data.
Currently only the first two principles, that is, the principle of purpose limitation and implementation of Multi-Level Protection Scheme (“MLPS”) under the Cybersecurity Law are binding. The Draft rules stipulate that the purposes of processing shall be legitimate, specific, explicit and shall be directly relating to automobile design, manufacture and services.[5] We understand that the entire ICV industry and technologies such as autopilot driving are under rapid development and the purpose limitation principle may impose certain setbacks for business operation, we suggest automobile operators adopt the methodology of privacy by design within their business deployment.
The Draft rules, in close convergence with the Cybersecurity Law, also require that operators shall implement MLPS to enhance personal information and important data protection.[6] The Draft rules also recommend operators adhere to the principle of in-car processing, data anonymization, minimum data storage period, proportionality in data precision setting and opt-in data collection.[7] Though the above five principles are not strictly mandatory, we suggest companies include relevant requirements within their overall compliance management, conduct in-time gap analysis and correspondingly record the potential impact for further evaluation.
Personal Information Protection
The Draft rules, in great convergence with the Personal Information Protection Law (2nd Draft), further specify personal information protection specific to automobile sector by distinguishing between in-car and external scenarios and etc. The Draft rules clarify when it is hard to obtain consent in practice on data such as audio and videos collected through cameras from external environments of automobiles and when it is truly necessary for processing of such data, then the data at issue shall be anonymized or desensitized, for example, deletion of images containing identifiable individuals or conducting partial blurring to faces in such images.[8]
The Draft rules place great emphasis on knowledge and control of personal information subjects to their personal information, for example, operators shall provide personal information subjects via user handbook or display panel with information such as the personnel responsible for user rights and interests and methods to delete in-car data and to request deletion of data provided away from cars.[9]
The Draft rules for the first time specify that automobile location, audio and video data of drivers and passengers and data for determination of driving violations belong to sensitive personal information and operators processing sensitive personal information shall meet the requirements for purpose limitation (directly serve for drivers and passengers such as ancillary driving and navigation), opt-in collection, obtainment of valid consent on processing under each driving, any-time termination of collection by drivers and etc.[10]
Operators processing biometric personal information shall also adhere to specific purpose limitations, that is, processing merely for the convenience of users, automobile information system safety and etc.[11]
Data Localization and Cross-border Transfer
One of the most distinctive features of the Draft rules lies in an explicit stipulation that personal information and important data in automobile sector as defined shall be stored within the territory of the People’s Republic of China, and if such data truly needs to be transferred outside the territory of the People’s Republic of China, operators shall pass the data cross-border security assessments organized by the State Cyberspace Administrative Departments.[12]
Companies especially MNCs in response to the localization requirement should reconsider their IT infrastructure such as server deployment to comply with the law. In addition, the Draft rules put forward several supplemental requirements to further ensure data security under cross-border transfer scenarios. Operators shall take effective measures to specify with and monitor overseas receivers with respect to data processing as agreed, we understand such measures may refer to standard contractual clauses (“SCCs”) and audit required in the Personal Information Protection Law (2nd Draft).[13] Operators shall handle user complaints in relation to cross-border data transfer and bear liabilities when detriment to public interests or legitimate rights and interests of users occurs.[14] Operators shall ensure the actual cross-border data transfer activities do not exceed as specified in the security assessments organized by the State Cyberspace Administrative Departments, and shall present relevant records in an explicit and readable manner under spot check by competent authorities on such matters.[15] Operators shall take effective measures to ensure data security under circumstances of access of data stored within the territory of the People’s Republic of China, especially by overseas parties and strictly restrict access to sensitive personal information.[16]
Data Security Obligations and Enforcement
Under the Draft rules, there are three must-dos in relation to data security administration for operators which deserve noticing.
Operators processing important data shall before any processing report to provincial cyberspace administration departments and other relevant departments on information such as data type, scale, scope, data storage location and period, use of data and third-party transmission.[17]
Operators processing important data or personal data over the scale of 100,000 personal information subjects shall, by 15 December of each year, report their annual data security management situations to provincial cyberspace administration departments and other relevant departments,[18] and when cross-border data transfer are involved, such operators shall in addition report information in relation to the receivers, type, volume and purposes of data transferred, user complaints and corresponding handling regarding the transfer and etc.[19]
Operators shall cooperate with data security assessments organized by the State Cyberspace Administrative Departments together with other relevant departments.[20]
2. Information Security Technology – Connected Vehicles – Security Requirements of Data (Draft)
On 28 April 2021, the Information Security Technology – Connected Vehicles – Security Requirements of Data (Draft) (hereinafter as the “TC260 ICV Security Draft”) was released by the National Information Security Standardization Technical Committee. Though the TC260 ICV Security Draft is in nature a non-binding national standard, it represents great industry practice and may be taken into consideration by competent authorities as reference during enforcements. We thus suggest companies include its requirements within their overall compliance mechanism.
Basic Principles
The TC260 ICV Security Draft applies to data processing activities of connected vehicles. It explicitly stipulates that data collected and processed by connected vehicles shall not be further processed for purposes other than vehicle management and driving safety.[21]
Data Storage
The TC260 ICV Security Draft requires that data collected by connected vehicles related to vehicle location and vehicle traces shall be stored within in-car memory devices and telematics service providers (TSP) no more than seven days.[22]
Data Transmission
The TC260 ICV Security Draft prohibits transfer of data such as audio, videos or images collected from car cabin or of processed data on such basis away from vehicles.[23] Data containing personal information shall not be transferred away from vehicles without consent of involved individuals, except for video and image data which has been converted under 1,200,000 pixels resolution and of which identifiable information such as faces and car license plates has been erased.[24]
Data Localization and Cross-border Transfer
With regard to data localization and cross-border transfer, the TC260 ICV Security Draft specifies certain data shall not be transferred outside the territory of the People’s Republic China, i.e., data such as roads, buildings, terrain and traffic participants collected from external environments by connected vehicle cameras, radars and other sensors as well as data related to vehicle location and traces, for data such as driving state parameters and abnormal warning information of connected vehicles, if truly needs to be transferred outside the territory of the People’s Republic China, it shall comply with related provisions on cross-border data transfer of the State.[25] In addition, the TC260 ICV Security Draft exerts obligations of provision of information such as data format and encryption method on connecting vehicle companies conducting encrypted cross-border transfer of data under circumstance of spot check and verification by regulatory authorities.[26]
3. Guideline for the Administration of the Admission of Intelligent Connected Vehicle Manufacturers and Products (for Trial Implementation) (Draft for Comments)
On 7 April 2021, the Guideline for the Administration of the Admission of Intelligent Connected Vehicle Manufacturers and Products (for Trial Implementation) (Draft for Comments) (hereinafter as the “the Draft guideline”) was released by the Ministry of Industry and Information Technology (“MIIT”). The Draft guideline applies to ICV manufacturers, which are equipped with conditional autonomous driving function or high-level autonomous driving function, and their products, specifying requirements for security assurance capabilities, necessary functions of products, and access test. The noteworthy aspects in terms of specific requirements are as follows.
Security Assurance Capability Requirements
The Draft guideline takes the Cybersecurity Law as the upper-level legislation. In order to solve the cyber security threats that ICV manufacturers may encounter, it links up with the Cybersecurity Law and puts forward a set of security requirements.[27] For example, the ICV manufacturers should abide by cyber security laws and regulations and establish a cyber security protection system that covers the entire life cycle of vehicles. Necessary technical measures should be adopted to effectively respond to cyber security incidents, thus protecting vehicles and their network facilities from attacks, intrusions, interference, and destruction. In addition, the systems and the mechanisms mentioned in the Appendix of the Draft guideline, including the cyber security responsibility system, cyber security protection system, cyber security monitoring and early warning mechanism, cyber security emergency response mechanism, data security management system, etc., are the implementation and refinement of the MLPS provided in the Art. 21 of the Cybersecurity Law.[28]
Personal Information Protection Obligations
The Draft guideline also relates to the highly debated the Personal Information Protection Law (2nd Draft) and the Data Security Law (2nd Draft). It provides relevant requirements for data localization and other issues related to personal information protection, which responds to the long-term public concerns about data privacy and security risks that may be involved in the ICVs. The Draft guideline stipulates that the ICV manufacturers shall collect, use, and protect personal information in accordance with the law, and implement data classification and categorization management.[29] According to Art. 8 of the Draft guideline, the data collected and recorded by the ICVs shall at least include the operating status of the driving automation system, status of the driver, driving environment information, vehicle control information, etc., which delineates a reasonable range of information collection and establishes the legal basis for ICV manufacturers.
In addition, personal information and important data collected and generated during operations within the territory of the People’s Republic of China shall be stored in the territory in accordance with relevant laws and regulations. If it is indeed necessary to provide it overseas, it should be reported to the competent industry authority.[30] This requirement puts the need for data protection and compliance work for ICV manufacturers on the agenda, yet the detailed requirements such as the reporting process have not been clarified.
Access Requirements
The Draft guideline stipulates that the ICV manufacturers and products can apply for the access process to the MIIT, and the MIIT will carry out access application acceptance, technical review, application evaluation, supervision and inspection in accordance with relevant regulations.[31] What needs special attention is that the access process for ICV manufacturers and products is similar to the UN regulations issued by the World Forum for Harmonization of Vehicle Regulations (“WP. 29 Forum”). In June 2020, The WP. 29 Forum passed two new regulations, R155 and R156, regarding Cyber Security Management System (CSMS) and Software Update Management System (SUMS). The R155 and R156 regulations have come into effect on January 22, 2021. However, compared with R155 and R156 regulations, the application process and the review standards in the Draft guideline are still waiting for further refinement.
Multiple Testing Requirements
Following the Good Practices for the Administration of Road Tests for Intelligent Connected Vehicles (for Trial Implementation) issued by the MIIT, the Ministry of Public Security, and the Ministry of Transport on April 12, 2018, provinces/cities including Beijing, Shanghai, Guangzhou, Chongqing, Jiangsu have successively introduced local regulations on-road tests for autonomous driving vehicles and road test licenses. The Draft guideline released this time stipulates multiple testing requirements from six aspects including simulation test, closed-field test, road test, vehicle cyber security test, software update test and data storage test. These requirements emphasize that ICVs shall not only meet the testing requirements of external physical interaction scenarios, but also those of virtual network, promoting the continuous progress of the industry development.
Summary and Advice As stated at the beginning of the Strategy for Innovative Development of Intelligent Connected Vehicles issued by 11 ministries and commissions including the National Development and Reform Commission on February 24, 2020, the world today is undergoing major changes unseen in a century. A new round of technological revolution and industrial transformation is in the ascendant, and the ICV has become the strategic direction of the development of the global automobile industry. In the current Chinese automobile market, the automobile factories of the new generation have been rapidly rising, and more and more Internet giants announced their entry into the market, hoping to genetically reorganize the traditional automobile industry. The entire industry is facing unprecedented challenges.
The level of detail and strictness of the new requirements has far exceeded all previous laws and regulations concerning automobile cybersecurity and data protection, which indicates the era of strong supervision of ICV data processing is coming. For example, the principles and requirements for the protection of personal information and important data are clearly clarified for the first time; the requirements on the data localization and cross-border transfer have been emphasized, specifying that certain data shall not be transferred outside the territory of the People’s Republic of China; and the requirements for security assurance capabilities, necessary functions of products, and access test have been proposed creatively. Certainly, the relevant rules and procedures will still be constantly adjusted with the progress of industry practice and technology. We will continue to pay close attention to the legislative developments and provide customized legal advice in line with corporate practice for automobile cybersecurity and data protection compliance.
[Note]
[1] The Strategy for Innovative Development of Intelligent Connected Vehicles published on 24 February 2021 by the National Development and Reform Committee (NDRC), the Ministry of Industry and Information Technology (MIIT) together with eight other national authorities. https://www.ndrc.gov.cn/xxgk/zcfb/tz/202002/P020200224573058971435.pdf, last visited at 2021.5.26.
[2] For example, the Road Traffic Safety Law (Amendments Draft) proposed by the Ministry of Public Security on 24 March 2021, the Guideline for the Administration of the Admission of Intelligent Connected Vehicle Manufacturers and Products (for Trial Implementation) (Draft for Comments) issued by the Ministry of Industry and Information Technology (“MIIT”) on 7 April 2021 and the Regulation of Shenzhen Special Economic Zone on the Administration of Intelligent and Connected Vehicles (Draft for Comments) issued by the Standing Committee of the Shenzhen Municipal People's Congress on 24 March 2021 and etc.
[3] Article 2, Rules on the Administration of Automobile Data Security (Draft for Public Comments)
[4] Article 3, Rules on the Administration of Automobile Data Security (Draft for Public Comments)
[5] Article 4, Rules on the Administration of Automobile Data Security (Draft for Public Comments)
[6] Article 5, Rules on the Administration of Automobile Data Security (Draft for Public Comments)
[7] Article 6, Rules on the Administration of Automobile Data Security (Draft for Public Comments)
[8] Article 9, Rules on the Administration of Automobile Data Security (Draft for Public Comments)
[9] Article 7, Rules on the Administration of Automobile Data Security (Draft for Public Comments)
[10] Article 8, Rules on the Administration of Automobile Data Security (Draft for Public Comments)
[11] Article 10, Rules on the Administration of Automobile Data Security (Draft for Public Comments)
[12] Article 12, Rules on the Administration of Automobile Data Security (Draft for Public Comments)
[13] Article 13, Rules on the Administration of Automobile Data Security (Draft for Public Comments)
[14] Article 14, Rules on the Administration of Automobile Data Security (Draft for Public Comments)
[15] Article 15, Rules on the Administration of Automobile Data Security (Draft for Public Comments)
[16] Article 16, Rules on the Administration of Automobile Data Security (Draft for Public Comments)
[17] Article 11, Rules on the Administration of Automobile Data Security (Draft for Public Comments)
[18] Article 17, Rules on the Administration of Automobile Data Security (Draft for Public Comments)
[19] Article 18, Rules on the Administration of Automobile Data Security (Draft for Public Comments)
[20] Article 19, Rules on the Administration of Automobile Data Security (Draft for Public Comments)
[21] Article 4.1, Information Security Technology-Connected Vehicles-Security Requirements of Data (Draft)
[22] Article 6, Information Security Technology-Connected Vehicles-Security Requirements of Data (Draft)
[23] Article 5.2, Information Security Technology-Connected Vehicles-Security Requirements of Data (Draft)
[24] Article 5.1, Information Security Technology-Connected Vehicles-Security Requirements of Data (Draft)
[25] Article 7.1, Information Security Technology-Connected Vehicles-Security Requirements of Data (Draft)
[26] Article 7.2, Information Security Technology-Connected Vehicles-Security Requirements of Data (Draft)
[27] Article 3, Guideline for the Administration of the Admission of Intelligent Connected Vehicle Manufacturers and Products (for Trial Implementation) (Draft for Comments)
[28] Article 21, Cybersecurity Law: The State implements the Multi-level Protection Scheme for cyber security. Network operators shall fulfill the following obligations of security protection according to the requirements of the Multi-level Protection Scheme for cyber security to ensure that the network is free from interference, damage or unauthorized access, and prevent network data from being divulged, stolen or falsified.
[29] Article 3, Guideline for the Administration of the Admission of Intelligent Connected Vehicle Manufacturers and Products (for Trial Implementation) (Draft for Comments)
[30] Article 3, Guideline for the Administration of the Admission of Intelligent Connected Vehicle Manufacturers and Products (for Trial Implementation) (Draft for Comments)
[31] Article 10, Guideline for the Administration of the Admission of Intelligent Connected Vehicle Manufacturers and Products (for Trial Implementation) (Draft for Comments)
The End
About the Author
Jihong CHEN
Beijing Office
Equity Partner
Practices:IP Licensing & Enforcement, Cybersecurity & Data Protection, Antitrust & Competition
Industry Sectors:Financial Services, Telecommunications and Technology
Peng CAI
Beijing Office
Equity Partner
Practices:Cybersecurity & Data Protection, IP Licensing & Enforcement, Compliance & Anti-corruption
Industry Sectors:Telecommunications and Technology, Healthcare and Life Sciences
Jiawei Wu
Associate
Beijing Office
Intellectual Property Department
Yating Jiao
Beijing Office
Intellectual Property Department
Jiabin Sun
Beijing Office
Intellectual Property Department
The author recommended articles in the past:
《Commentary on the New Draft Personal Information Protection Law》
《Annual Reviews on Cyber Security Law 2018》
特别声明:
以上所刊登的文章仅代表作者本人观点,不代表北京市中伦律师事务所或其律师出具的任何形式之法律意见或建议。
如需转载或引用该等文章的任何内容,请私信沟通授权事宜,并于转载时在文章开头处注明来源于公众号“中伦视界”及作者姓名。未经本所书面授权,不得转载或使用该等文章中的任何内容,含图片、影像等视听资料。如您有意就相关议题进一步交流或探讨,欢迎与本所联系。
点击“阅读原文”,可查阅该专业文章官网版。