New PRC data rules: Impacting all automotive industry

Auteurs

Michael-Florian Ranft

Associé

Munich

Wide coverage involving everyone and everything

By using the very broad term “operator”, the Draft Provisions would apply to almost all members of the automotive supply chain including OEMs, components and software suppliers, dealers, repair shops, online car-hailing service providers, and insurance companies. As far as personal information or so called “important data” are concerned, all data activities such as collection, analysis, storage, transmission, searching, use, deletion and export would be captured. Notably the Draft Provisions expand the scope of personal information from “inside a car” (i.e. information of car owners, drivers, passengers) to “outside a car” (i.e. information of pedestrians, etc.) as well as to other information that can be used to identify an individual or that describes personal activities. The “important data” is further clarified by the Draft Provision and would include:

traffic data in important and sensitive areas (e.g. military zones and defense/science units which involve state secrets, governmental/CPC agencies above county level);
mapping and surveying data more precise than maps published by the State;
operational data of car charging station/networks;
data on vehicle types and flows on roads;
outside-a-car audio and video data that contain information on e.g. faces, voices, car plates; and
other data that concern national security and public interest as classified by the CAC and other ministries.

Under the Draft Provisions, an operator shall process the above data for purposes directly relating to the design, manufacturing and service of cars only and shall comply with cyber security requirements, including to implement the latest multiple level protection scheme (MLPS). Different to GDPR’s focus on protection of personal information, the emphasis on the “important data” (which will be associated with further legal obligations, see below) would create a unique challenge for global players in the auto industry.

Data processing: in-car requirement by default

OEMs and data-rich suppliers would need to pay particular attention to the following data processing principles introduced by the Draft Provisions:

in-car processing data shall be processed “in a car” instead of “out of a car” in principle;

anonymized processing if it is indeed necessary to provide data out of a car, such data shall be anonymized and desensitized;

minimum retention period data retention period shall be determined according to the type of services/functions offered;

precision as necessary coverage and resolution of sensors like cameras and radars shall accord to the precision demanded by the offered services; and

“non-collection” by default by default, no data shall be collected for each drive, and a driver’s consent shall only apply to one single drive.

The Draft Provisions take a “processing in car by default” approach, which weighs privacy over the commercial and operational features of a “connected car”. Processing of sensitive personal data (e.g. vehicle location, audio/video of drivers and passengers, wrongful or illegal driving behavior, etc.) out of a car shall be prohibited, unless:

it is for the purpose of directly serving the driver or passengers, including enhancing driving safety, assisting driving, navigation and entertainment;
it defaults to “non-collection”, and consent from the driver is required for each drive which will automatically become invalid upon end of a drive (i.e. when a driver leaves his/her seat);
the driver and passengers are informed, via in-car display panel or by voice, that (sensitive) personal information is being collected;
the driver may stop data collection at any time in a convenient way;
car owner may review in a convenient way or enquire in a structured way the (sensitive) personal information collected; and
the operator shall be obliged to delete data within two weeks upon request by the driver.

Data collection: transparency principle

The general transparency principle on data collection will also be substantiated under the Draft Provisions. An operator would therefore be obliged to disclose a variety of information about the data collection (e.g. type of data collected, method of and purpose for collection, data storage location and retention period, as well as “right to be forgotten”). Collection of biometric data would be allowed only for purpose of convenient use or for security reasons.

Reporting obligations and data export

The Draft Provisions set extensive reporting requirements on operators that process “important data” or personal data of more than 100,000 individuals. In reality this would be quite challenging: for example, an operator can hardly prevent a driver from using a smart car in a sensitive area, and the threshold of 100,000 individuals may be easily triggered if an operator engages in public transportation or has high sales of smart cars. The reporting requirements would include that a report on the names and contact details of the data security officer and the person responsible for data issues shall be submitted to the CAC and (other) relevant authorities at the provincial level by December 15 of every year as well as that any processing of “important data” shall be reported beforehand, indicating the type, scale and scope of data, storage location, retention period, method of use, and status of sharing with third parties. The Draft Provisions further would require (car-related) personal data and “important data” to be stored within the PRC. Any data export (which will technically also include access to data from overseas), if indeed necessary, shall then:

undergo data export security assessment as organized by the CAC;
have effective measures in place to regulate export of data and to ensure data security;
oblige an operator to take care of data subjects’ complaints and assume legal liabilities for any damages suffered by the data subjects or damages to “public interest” due to data export; and
allow the CAC (together with other authorities) to conduct necessary audit by providing plaintext and readable access.

The Draft Provisions specifically address the scenario where an operator’s overseas R&D or commercial partner needs to access its data stored onshore. In this case, effective measures shall be taken to ensure data security and prevent data breach, while access to “important data” and sensitive personal data shall be strictly restricted.

And more

The Draft Provisions take a rather strict approach and regulate data topics in the automotive industry in a quite comprehensive and far reaching sense. Certain provisions like reporting obligations and data onshore storage requirement will create challenges for the most often internationally active OEMs and suppliers who certainly would highly benefit from aggregation of their global data and equal requirements on a global scale. Tesla’s recent announcement to set up its local data center in China is surely one response of international OEMs to the intensified data compliance requirements in China but most probably not the final and all answer how to stay compliant. There are many other aspects to watch out for (e.g. pedestrian privacy protection, etc.). Given the size of the Chinese auto market, all participants in the automotive industry, whether production or service should start to plan actions to accommodate the new compliance challenges that may be brought by these Draft Provisions and further rules most likely to come in the near future.