International automotive OEMs and suppliers have witnessed the rapid development of the PRC data protection regime, including the draft PRC Personal Information Protection Law, which just underwent its “second reading”. While existing rules only generally address concerns relating to privacy protection and data export control, rules specific to the automobile industry have long been absent. This makes it difficult for the automotive industry to manage its data compliance in China. This situation may soon change, as the Cyberspace Administration of China (CAC) presented to the public its new draft Several Provisions on Car Data Security Administration on May 12, 2021 (“Draft Provisions”) to solicit comments. The Draft Provisions, if promulgated in their current form, would bring substantial clarification to the whole industry, though they would not make things easier. Please find below brief observations and thoughts of our data protection and China experts.
By using the very broad term “operator”, the Draft Provisions would apply to almost all members of the automotive supply chain including OEMs, components and software suppliers, dealers, repair shops, online car-hailing service providers, and insurance companies.
As far as personal information or so called “important data” are concerned, all data activities such as collection, analysis, storage, transmission, searching, use, deletion and export would be captured.
Notably the Draft Provisions expand the scope of personal information from “inside a car” (i.e. information of car owners, drivers, passengers) to “outside a car” (i.e. information of pedestrians, etc.) as well as to other information that can be used to identify an individual or that describes personal activities. The “important data” is further clarified by the Draft Provision and would include:
Under the Draft Provisions, an operator shall process the above data only for purposes directly relating to the design, manufacturing and service of cars, and shall comply with cyber security requirements, including implementing the latest multi-level protection scheme (MLPS). Unlike the GDPR’s focus on protection of personal information, the emphasis on “important data” (which will be associated with further legal obligations, see below) would create a unique challenge for global players in the auto industry.
OEMs and data-rich suppliers would need to pay particular attention to the following data processing principles introduced by the Draft Provisions:
The Draft Provisions take a “processing in car by default” approach, which weighs privacy over the commercial and operational features of a “connected car”.
Processing of sensitive personal data (e.g. vehicle location, audio/video of drivers and passengers, wrongful or illegal driving behavior, etc.) outside a car shall be prohibited, unless
The general transparency principle on data collection will also be substantiated under the Draft Provisions. An operator would therefore be obliged to disclose a variety of information about the data collection (e.g. type of data collected, method of and purpose for collection, data storage location and retention period, as well as the “right to be forgotten”). Collection of biometric data would be allowed only for the purpose of convenient use or for security reasons.
The Draft Provisions set extensive reporting requirements on operators that process “important data” or personal data of more than 100,000 individuals. In reality this would be quite challenging: for example, an operator can hardly prevent a driver from using a smart car in a sensitive area, and the threshold of 100,000 individuals may be easily triggered if an operator engages in public transportation or has high sales of smart cars. The reporting requirements would include that a report on the names and contact details of the data security officer and the person responsible for data issues shall be submitted to the CAC and (other) relevant authorities at the provincial level by December 15 of every year, and that any processing of “important data” shall be reported beforehand, indicating the type, scale and scope of data, storage location, retention period, method of use, and status of sharing with third parties.
The Draft Provisions further would require (car-related) personal data and “important data” to be stored within the PRC. Any data export (which will technically also include access to data from overseas), if indeed necessary, shall then:
The Draft Provisions specifically address the scenario where an operator’s overseas R&D or commercial partner needs to access its data stored onshore. In this case, effective measures shall be taken to ensure data security and prevent data breach, while access to “important data” and sensitive personal data shall be strictly restricted.
The Draft Provisions take a rather strict approach and regulate data topics in the automotive industry in a quite comprehensive and far-reaching sense. Certain provisions, such as the reporting obligations and the onshore data storage requirement, will create challenges for the often internationally active OEMs and suppliers, who would certainly benefit greatly from aggregation of their global data and from equal requirements on a global scale. Tesla’s recent announcement that it will set up a local data center in China is surely one response of international OEMs to the intensified data compliance requirements in China, but most probably not the final and complete answer on how to stay compliant. There are many other aspects to watch out for (e.g. pedestrian privacy protection, etc.). Given the size of the Chinese auto market, all participants in the automotive industry, whether in production or service, should start to plan actions to accommodate the new compliance challenges that may be brought by these Draft Provisions and by further rules most likely to come in the near future.