The Cyberspace Administration of China (CAC) on May 12 issued the Draft Provisions on the Management of Automobile Data Security (Draft Provisions)[1] for public comment through June 11. The Draft Provisions aim to regulate the collection, analysis, storage, utilization, and export (cross-border transmission) of personal information[2] and important data[3] generated throughout the lifecycle of automobiles by Operators (defined below). This client alert focuses on the requirements stipulated in the Draft Provisions regarding cross-border transmission of automobile-related personal information and important data.
Data localization is a critical component of China’s cybersecurity with respect to personal information and important data, with cross-border data transmission as an exception to requirements for data localization. China’s Cybersecurity Law imposes data localization requirements on critical information infrastructure operators (CIIOs) to store personal information and important data within China. When there is a business need for the transmission of such information and data overseas, a prior security assessment is required pursuant to relevant regulations.
The fast-evolving cybersecurity legal regime imposes data localization obligations on parties other than CIIOs. The Draft Personal Information Protection Law and the Draft Data Security Law[4] as a general principle require data processors (which may or may not be CIIOs) who handle personal information and/or important data to store the same within China. If it is necessary to provide personal information and important data overseas, certain precautions need to be followed. For important data to be transferred out of China, including to Hong Kong and Macao, the data processor would first need to conduct a government-imposed data security assessment. For personal information to be so transferred, the data processor would need to (i) conduct a government-imposed security assessment; (ii) obtain a personal information protection certification from a qualified professional organization; or (iii) enter into a standardized agreement with the overseas receiver. The regulations and guidelines for cross-border data transmission are still evolving, especially rules governing specific industries. The Draft Provisions are among the industry-specific rules regulating automobile-related data security.
Article 12 of the Draft Provisions would provide that personal information and important data be stored within China, and where it is necessary to provide such information and data abroad, the Operator shall conduct a cross-border data transmission security assessment organized by the CAC. The key concepts are as follows:
Personal information refers to personal information of the vehicle owner, driver, passengers and pedestrians, as well as a broad array of information which can infer personal identity and/or describe individual behavior. This goes beyond personal information as defined in the Civil Code, Cybersecurity Law and Draft Personal Information Protection Law that adopt the “identifiable + identified” approach, i.e., stand-alone or combined information to identify a natural person or otherwise related to an identified or identifiable natural person. The Draft Provisions also stop short of expressly excluding anonymized data from personal information. By adopting an expansive definition of personal information, the regulator regulates not only personal information and behavior information attributable to identified or identifiable persons, but also information attributable to un-identified or un-identifiable persons, with or without anonymization and desensitization.
Important data includes (i) data on the flow of people and vehicles in important sensitive areas, such as military control areas, entities involving state secrets (including those concerning science/technology and industry for national defense), and Party and government organs at or above the county level; (ii) surveying and mapping data that is more accurate than such data made public by the State; (iii) operational data on vehicle charging grids; (iv) statistics on the types and flows of vehicles on the road; (v) audio and video data collected outside a vehicle, including human faces, voices, and license plates; and (vi) other data deemed to affect national security and public interest. In a nutshell, important data covers data which may have a bearing on national security and/or the public interest, both of which are expansively defined in China.
The obligors which bear the legal responsibilities to comply with the data security requirements under the Draft Provisions are Operators. Operators refer to automobile designers, producers and service providers, including automobile manufacturers, component and software providers, dealers, maintenance providers, car hailing companies and insurers. It is the intention of the legislator to regulate data security throughout the entire lifecycle of an automobile, ranging from R&D to manufacture to sales and maintenance. However, it is unclear whether multiple Operators concurrently bear the legal obligation for a single data transmission if they all have access to and process the same data.
When it comes to cross-border data transmission, the Draft Provisions provide that personal information and important data related to automobiles shall in principle be stored within China; this is the “data localization” principle. If there is a need to provide such data overseas, a cross-border data security assessment shall be conducted through the CAC (Art. 12). How such a government-led assessment is to be done remains to be clarified, as general measures and guidelines for cross-border data transmission have yet to be finalized.
Note also that heightened scrutiny and data security compliance obligations apply to the Operator if there is a need to transmit overseas personal information involving more than 100,000 people and/or important data. These include filing annual administrative reports to the relevant cybersecurity authority including information on the person in charge, information regarding the data itself and the purpose of its processing and transmission, measures regarding management of the data, and information on the overseas receivers (Arts. 17 & 18).
Separately, certain automobile-related data may not leave China under any circumstances, regardless of whether it constitutes important data or contains personal information. The Draft National Standard of Safety Requirements for Collecting Data of Connected Vehicles released on April 28 provides that data on roads, buildings, terrain, traffic participants and other data collected from connected vehicles’ external environment through cameras, radar or other sensors, as well as data related to vehicle location and trajectory, may not leave China. Precautionary measures must be taken before data related to connected vehicles’ driving status parameters and abnormal warning information may leave the country. This national standard is still in draft form, with the relevant implementation requirements yet to be specified.
If the Draft Provisions are issued in their current form, Operators throughout the entire lifecycle of an automobile will bear burdensome data security obligations when it comes to cross-border data transmission, i.e., before personal information and/or important data are provided overseas, the Operators need to conduct a CAC-led data security assessment. No specific details on the procedures or timeframe for the CAC-led data security assessment are specified in the Draft Provisions. In addition, it is not entirely clear who bears this obligation. For instance, in the R&D stage, the car manufacturer, designer and software provider may all have access to and process the same set of data. When certain data involving personal information and/or important data need to be transmitted to the overseas R&D center to train algorithms, who conducts the CAC-imposed data security assessment, who bears liability in the event of a breach, and to what degree? All of these questions remain unanswered. Perhaps most importantly, the requirements for data localization and restrictions on cross-border data transfers will likely impede multinationals’ ability to engage in R&D, testing and commercialization of autonomous vehicles using artificial intelligence technologies in China, because such work requires collecting, transmitting across borders, and analyzing on a real-time basis a large volume of important data, including mapping, traffic, location and other data.
Multinational companies involved in the automobile industry, ranging from designers to component suppliers, software providers and manufacturers, need to closely monitor the development of industry-specific data localization requirements in China and take precautions before conducting cross-border data transfers, including carefully identifying the types of data at issue, applying necessary anonymization and desensitization measures, conducting self-assessments and, where required, government-imposed data security assessments, and considering whether to localize certain data entirely.
[2] Personal Information is defined in Article 76(5) of the Cybersecurity Law as various information which is recorded in electronic or any other form and used alone or in combination with other information to recognize the identity of a natural person, including but not limited to name, date of birth, ID number, personal biological identification information, address and telephone number of the natural person.
[3] Important data is not defined in the Cybersecurity Law or Draft Data Security Law, but is defined in the Draft Data Security Management Measures as data which, if disclosed, may affect national security, economic security, social stability or public health and safety, such as undisclosed government information, information relating to large-scale population, population genetics and health, geography and mineral resources. Important data generally does not include information relating to the operation, production or internal management of enterprises, or personal information.
[4] The Data Security Law was enacted on June 11. A client alert on that statute will be published next week.