文丨天元律师事务所 朱宣烨 曾雯雯 王伟 王明志
In recent years, the smart car industry has continued to develop, subverting the traditional car industry through sensing technology, artificial intelligence, information fusion and other technologies, making it more convenient for people to travel and expanding the functions of cars. It is inevitable that important data and personal information will be collected and used as vehicles keep on getting smarter. On May 12, 2021, the State Cyberspace Administration of China issued "Provisions for the Management of Automotive Data Security (draft for comment)" (hereinafter referred to as "the Draft Regulation"). It refines the "Cyber Security Law", and also dovetails with the pending Data Security Law and the Personal Information Protection Law which have not yet been enacted. The Draft Regulation mainly reflects the following five aspects：
The scope of regulation involves the automotive industry related industrial chain and stipulates the scope of automotive-related personal information and important data
The Draft Regulation regulates a wide range of operators, covering the entire automotive and even travel, insurance and other related industrial chains. In addition to the traditional automotive industry, which generally involves enterprises or institutions such as automotive design, manufacturing, dealerships and maintenance, its related service enterprises are also regulated by the new rules, such as automotive software providers, online car-hailing service providers, insurance companies, etc. We believe that enterprises closely associated with automobiles will inevitably involve important data and personal information and fall within the scope of the new rules, while enterprises with a relatively low degree of association with automobiles, such as automotive financial service enterprises, are yet to be further clarified.
The Draft Regulation stipulates the specific objects of personal information protection in the automotive industry, involving vehicle owners, drivers, passengers, pedestrians, etc. It also enumerates important data, such as mapping data of high-value military surveying, data on the flow of people and traffic in important sensitive areas of military and defense, emphasizing the protection of national security and public interests. However, because the Draft Regulation is still seeking public feedback, the scope of personal information and important data in the Draft Regulation also needs to be further clarified.
The principles of processing personal information and important data by operators reflect the characteristics of automotive data management
The Draft Regulation proposes five major principles, including the principle of in-vehicle processing, the principle of anonymization, the principle of minimum retention period, the principle of precision range application, and the principle of default non-collection. Some of the principles reflect the characteristics of automotive data management, for example, the principle of in-vehicle processing requires that the in-vehicle and out-of-vehicle scenarios should be separated to ensure that personal information and important data are not provided outside the vehicle unless necessary. The principle of precision range application reflects the matching between the accuracy of data collected by sensors and their functions. The principle of default non-collection imposes restrictions on the drivers consent authorization, i.e., it is valid only for one-time driving.
The specific rules for operators to process personal information and important data are clarified, and the informed consent and control by drivers or vehicle owners in the in-vehicle processing scenario is emphasized
The Draft Regulation emphasizes the legitimacy basis for collecting personal information, puts forward the requirement on anonymization or desensitization for situations where it is difficult to obtain consent of cameras collecting information outside the vehicle, and provides for the method of deleting images containing natural person or partial contouring of human faces. The Draft Regulation refines the content of notification in the context of vehicle (through users manual, on-board display panel or other appropriate means). The content of notification includes the type, purpose, and use of the collected information, the conditions and methods of stopping the collection, the retention period, location or retention rules, the methods of requesting data deletion, and the effective contact information of the person responsible for handling the users rights and interests.
The Draft Regulation regulates the collection or provision of sensitive personal information outside the vehicle. The operators actions shall satisfy the requirements of service purpose, default non-collection, notification of ongoing collection, convenient termination of collection, and permission to view the collected information. The operator shall complete deletion within two weeks after drivers request for deletion. For highly sensitive data such as biometric features, the Draft Regulation limits the purpose of use by the operator and requires the provision of alternative means of biometric features.
Strict requirements on cross-border transfer of personal information and sensitive data
The Draft Regulation adopts the requirements of the "Cyber Security Law" for cross-border data transfer of critical information infrastructure, reflecting the states attitude of strict regulation on the cross-border transfer of automotive data, which requires that personal information and sensitive data being stored inside the country is a general principle, and cross-border data transfer shall pass the security assessment organized by the State Cyberspace Administration. The operators outbound activities should not exceed the scope of this assessment and effective measures should be taken to monitor the overseas recipient.
The Draft Regulation requires that operators shall take cautious attitude and effective measures towards their scientific and business partners’ queries to prevent the loss of domestic personal information and important data, and shall strictly limit the use of sensitive data.
In terms of supervision on cross-border data transfer, the Draft Regulation stipulates that the State Cyberspace administration shall, in conjunction with the relevant departments of the State Council, conduct spot check and inspection.
Data Security Law（Draft）also specifies that those who privately provides domestic data to judicial or law enforcement agencies overseas may face a fine of up to 1 million yuan ($155,000).
Detailed reporting obligations, which requires prior report and annual report
The Draft Regulation requires that operators shall fulfill their prior reporting obligations when processing data, and also provides for annual data security management reporting obligations (cross-border data transfer includes additional reporting items) for operators who process personal information involving more than 100,000 people (data subject) and important data operators, all of whom shall report to the cyberspace administrative department and relevant departments at provincial level.
Although the Draft Regulation is still seeking public comment before becoming official, it already reflects the countrys attitude of strict regulation of data in the automotive industry. Operators should make full use of the opportunity to provide timely feedback on the practical problems that may be encountered in the implementation of the new rules while at the same time be prepared to carry out self-examination as early as possible and adjust to meet the regulatory requirements under the guidance of external experts.