China’s legal framework around data protection and security is governed broadly by three key pieces of legislation: the Cybersecurity Law, which came into effect in 2017, and the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), both of which came into effect in 2021. Navigating the laws that operate in this space can be complex and there is significant overlap. For example, the Cybersecurity Law covers both hardware equipment and online tools, including internet technologies, and essentially anything that can impact cybersecurity. The DSL is concerned with data that is online, but also other data that is offline in paper or hard copy or any other form. It is also broadly defined to cover data processing activities like collection and storage. The PIPL is principally focused on personal data that could also be in any form, whether physical or not.
In addition, the automotive industry, like many sectors, is subject to its own specific guidance, namely the Automotive Data Management Regulation. We take a look at some key takeaways from recent legislation and actions for automotive companies to consider when mitigating risk and navigating data protection in China.
The DSL introduced the concept of data categorization, which establishes a hierarchical system based on the importance of data and its impact to national security, public interest, and the rights of individuals. The two critical categories are “important data” and “national core data.” Important data refers to data related to national security, economic development, and social public interests. It is subject to a mandatory risk assessment process and a government security assessment when being exported out of China. National core data refers to data related to national security, the lifeline of the national economy, important aspects of people’s livelihoods, and major public interests. It is subject to a stricter management system and severe legal penalties would apply if mishandled. The Automotive Data Management Regulation provides clear definitions of what constitutes important data and how to handle it.
The PIPL, often referred to as China’s version of the EU General Data Protection Regulation, provides definitions for personal information and sensitive personal information. The data captured by vehicles may constitute sensitive personal information, such as location tracking, video, audio, image capture and biometric identification information. The PIPL requires prior separate consents from data subjects before their personal data can be collected and subsequently transferred outside of China, which does not include Hong Kong for this purpose. Data controllers must conduct an internal risk assessment before the cross-border transfer of data and must keep a record of such transfers. In addition, for personal data to be lawfully transferred outside of China, one of three requirements must be satisfied. Approval can be obtained from the Cyberspace Administration of China (CAC), a government-approved certification agency, or by entering into a transfer agreement with the overseas recipient.
The Automotive Data Management Regulation provides that automotive-related data covers personal information and important data throughout the industry cycle, including automotive design, manufacturing, sales, use, operation, and the maintenance process. Auto data processors include automotive manufacturers, parts and software suppliers, dealers, repair shops, and car sharing companies.
Personal information should only be collected and processed when it is necessary and reasonable, and the minimum level of data should be collected whenever possible. For the automotive industry, driver opt in is required for any collection of personal information during each ride, and auto data processors must notify users when processing their personal information.
A recent regulation issued by the MIIT imposes data localization requirements on smart car and intelligent and connected vehicle (ICV) manufacturers. It imposes a government-led security assessment requirement for the cross-border transfer of personal information collected by smart car manufacturers, which previously only applied to critical information infrastructure operators (CIIO). The government issued a list of 28 industry sectors that are considered critical information infrastructure, including the transportation industry, banking industry, and security and national defense, military, and related industries. Smart car manufacturers can be seen as on a par with CIIOs, despite not being specifically designated as a CIIO.
For companies that are not certified as a CIIO or not processing auto-related data as a smart car manufacturer, under the cybersecurity law and the DSL, their data is not subject to localization and cross-border transfer approval unless they meet certain threshold requirements. The mandatory government-led security assessment would be triggered if one possesses personal information of over 1 million users, or if one is accumulatively transferring cross border the personal information of 100,000 individuals or the sensitive personal information of over 10,000 individuals.
If you are a CIIO or ICV manufacturer, personal information and important data would trigger the localization requirement. Data reflecting economic operations, like vehicle flows, vehicle logistics, operational data of the automobile-charging network, video and image data outside the vehicle that contains facial information, and license plate information could all be deemed as important data and would need to go through the security assessment process.
China’s Multi-Level Protection Scheme (MLPS) has been subject to a series of regulatory updates and changes in recent years. It is in place to identify the nature of systems deployed and data handled in China, and whether and to what extent it could raise cybersecurity concerns. For data, this could depend on the sensitivity of what it relates to, such as the volume of data that is being handled or if the data is personal health data. The MLPS itself is a tiered certification process, which should start with an internal investigation to determine whether the scheme threshold applies and at what level it applies, followed by steps to file this with a local Public Security Bureau (PSB), leading to an official MLPS certificate.
In the auto industry, if you use a network to process auto data, it is possible that you will be subject to MLPS requirements.
For auto industry operators, it is important to quickly and efficiently determine whether you are subject to the MLPS certification and if so, identify a trustworthy third-party expert to work with in order to manage your data disclosure.
With this myriad of considerations, here are some key actions to mitigate risk:
If you are interested in China's New Privacy Law and Other Regulatory Developments Affecting the Automotive Industry, as part of our Morgan Lewis Automotive Hour Webinar Series, we invite you to subscribe to Morgan Lewis publications to receive updates on trends, legal developments, and other relevant areas.