China’s legal framework for data protection and data security is largely governed by three key pieces of legislation: the Cybersecurity Law, which came into effect in 2017, and the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), which came into force in 2021. Navigating the laws that operate in this space can be complex, and there is significant overlap. For example, the Cybersecurity Law covers both physical equipment and online tools, including internet technologies, and essentially anything that can affect cybersecurity. The DSL concerns online data but also offline data, whether in paper form or any other form, and is broadly defined to cover data processing activities such as collection and storage. The PIPL is primarily focused on personal data, which can also be in any form, physical or otherwise.
In addition, the automotive industry, like many sectors, is subject to its own specific directives, namely the Automotive Data Management Regulation. We look at some key points of recent legislation and actions automakers need to consider when mitigating risk and protecting data in China.
The DSL introduced the concept of data categorization, which establishes a hierarchical system based on the importance of data and its impact on national security, the public interest and the rights of individuals. The two critical categories are “important data” and “national basic data”. Important data refers to data related to national security, economic development and social public interests. It undergoes a mandatory risk assessment process and a government security assessment when exported out of China. National basic data refers to data related to national security, the lifeline of the national economy, important aspects of people’s livelihoods and major public interests. It is subject to a stricter management system, and severe legal penalties apply for mismanagement. The Automotive Data Management Regulation provides clear definitions of what constitutes important data and how to treat it.
The PIPL, often referred to as the Chinese version of the EU General Data Protection Regulation, provides definitions for personal information and sensitive personal information. Data captured by vehicles may constitute sensitive personal information, such as location tracking, video, audio, image capture and biometric credentials. The PIPL requires prior and separate consent from data subjects before their personal data can be collected and then transferred outside of China (which, for this purpose, does not include Hong Kong). Data controllers must carry out an internal risk assessment before any cross-border transfer of data and must keep a record of these transfers. Additionally, for personal data to be lawfully transferred outside of China, one of three requirements must be met: approval from the Cyberspace Administration of China (CAC), certification by a government-approved certification agency, or a transfer agreement entered into with the foreign recipient.
GENERAL PRINCIPLES OF PROTECTION OF AUTOMOTIVE DATA
The Automotive Data Management Regulation provides that automotive-related data covers personal information and important data throughout the industry cycle, including the automotive design, manufacturing, sales, usage, operation and maintenance processes. Automotive data processors include car manufacturers, parts and software suppliers, dealerships, repair shops and car-sharing companies.
Personal information should only be collected and processed where necessary and reasonable, and the minimum amount of data should be collected where possible. For the automotive industry, driver consent is required for any collection of personal information on every trip, and automotive data processors must notify users when processing their personal information.
DATA LOCATION REQUIREMENTS
A recent regulation published by MIIT imposes data localization requirements on manufacturers of smart cars and intelligent and connected vehicles (ICVs). It imposes a government-led security assessment requirement for the cross-border transfer of personal information collected by smart car manufacturers, which previously applied only to critical information infrastructure operators (CIIOs). The government has released a list of 28 industry sectors considered critical information infrastructure, including the transportation industry, banking, national security and defense, military and related industries. Smart car manufacturers can be considered on a par with CIIOs, although they are not specifically referred to as CIIOs.
For companies that are not certified as a CIIO and do not process automotive-related data as a smart car manufacturer, under the Cybersecurity Law and the DSL, their data localization and cross-border transfers are not subject to government approval unless they meet certain thresholds. The mandatory government-led security assessment is triggered if a company holds the personal information of more than one million users, or if it cumulatively transfers the personal information of more than 100,000 people or the sensitive personal information of more than 10,000 people.
If you are a CIIO or an ICV manufacturer, personal information and important data trigger the localization requirement. Data reflecting economic operations, such as vehicle flows, vehicle logistics, car charging network operational data, video and image data captured outside the vehicle that contains facial information, and information about license plates could all be considered important data and should go through the security assessment process.
MULTI-LEVEL PROTECTION SCHEME
China’s Multi-Level Protection Scheme (MLPS) has undergone a series of regulatory updates and changes in recent years. It is in place to identify the nature of the systems deployed and the data processed in China, and whether and to what extent these could raise cybersecurity concerns. For data, this may depend on the sensitivity of what it relates to, the volume of data being processed, or whether it is personal health data. The MLPS itself is a tiered certification process, which should begin with an internal investigation to determine whether the system falls within the scheme’s scope and, if so, at what level, followed by steps to file it with the local Public Security Bureau (PSB), leading to an official MLPS certificate.
In the automotive industry, if you use a network to process automotive data, you may be subject to MLPS requirements.
For operators in the automotive industry, it is important to determine quickly and efficiently whether you are subject to MLPS certification and, if so, to identify a reputable third-party expert to work with to manage the filing process.
COMPLIANCE RISK MITIGATION
With this myriad of considerations, here are some key actions to mitigate risk:
- Perform data mapping to understand categories and location of data and identify important data, personal information, and sensitive personal information that the business processes.
- Perform a gap analysis of current data policies, including the implementation and/or review of internal employee notices and external privacy notices and policies, to comply with informed consent requirements.
- Establish a risk assessment process for key data processing activities, covering the processing of important data, personal (including sensitive) information and cross-border data transfers, including internal assessment and government reporting obligations.
- Complete the MLPS filing and certification as soon as possible.
- Understand localization requirements and (if necessary) implement localized storage in China.
These questions and more were discussed in more detail in a recent webinar titled China’s New Privacy Law and Other Regulatory Developments Affecting the Automotive Industry.