Driving data management

The automotive industry is transitioning from traditional machine manufacturing to a high-tech, data-driven ecosystem. In the face of new challenges, Chery Jaguar Land Rover board secretary and chief legal officer Gordon Cheng steers automotive enterprises through the field of data compliance.

More than a mere means of transport, modern vehicles are mobile data centres that collect and process vast quantities of information. Such data includes not only the performance parameters of vehicles and operating habits of users, but also sensitive information such as passengers’ personal information and environmental information.

Without question, the extensive collection and application of data have provided both convenience and comfort for passengers and drivers alike, as well as unprecedented business opportunities for automotive enterprises. However, they also pose considerable new challenges in terms of risk control and management.

Data compliance involves not only the protection of user privacy, but also the enterprise’s reputation, and even national security or the public interest at large. The question of how to ensure data compliance is maintained has become one that automotive enterprises cannot afford to overlook.

Gordon Cheng

In the face of increasingly mature and complex legal requirements, what are the most pertinent issues that automotive enterprises must pay close attention to? How do we process and protect different types of automotive data? This article explores these issues in depth while offering practical recommendations and strategies.

Overview

In recent years, China has created a data protection regulatory regime based on laws such as the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law. With its extensive use of various cutting-edge data technologies, the automotive industry has naturally drawn the attention of regulators.

On 16 August 2021, the Cyberspace Administration of China, together with four other authorities, jointly issued the Several Regulations for the Administration of the Security of Automotive Data (for Trial Implementation) (the automotive data regulations), comprehensively setting out requirements in respect of automotive data processing activities and, for the first time, expressly specifying the scope of critical data in the automotive industry.

Subsequently, the Ministry of Industry and Information Technology successively issued a series of documents, including: the Opinions on Strengthening the Administration of the Access of Intelligent Connected Vehicle Producers and Products; the Notice on Conducting Self-Inspection of Automotive Data Security and Cybersecurity; and the Notice on Strengthening Cybersecurity and Data Security Work in the Internet of Vehicles, emphasising what data security requirements are incumbent on intelligent connected vehicle enterprises.

Also, standards such as the Information Security Technology – Security Requirements for Processing of Motor Vehicle Data (security requirements); the Security Guidelines for Processing Vehicle Collected Data; and the Practice Guidelines for Cybersecurity Standards – Verification of the Effects of Partial Obfuscation of Exterior Images of Vehicles have further developed the compliance obligations and offer specific guidelines for practice.

In view of the above-mentioned regulations, automotive enterprises first need to grasp the following basic principles for processing automotive data:

  • The in-vehicle processing principle. Data is not to be provided to devices or systems outside the vehicle unless absolutely necessary;
  • The principle of non-collection by default. Unless the driver sets it otherwise, the vehicle, when driven, does not in its default mode collect any data;
  • The principle of applying an appropriate precision range. The coverage and resolution of cameras, radar and other devices are based on the data precision requirements for the provided functional services; and
  • The principle of data masking. Anonymisation and de-identification to the extent possible. Where an automotive enterprise, for the purpose of ensuring driving safety, is unable to secure the consent of the individual for the collection of their personal information outside the vehicle and provide the same to devices or systems outside the vehicle, it is required to anonymise such information.

Running through the entire life cycle of data, from collection, storage, processing and transmission to destruction, these four principles are at the core of understanding automotive data processing requirements. Special data processing requirements may apply to special types of vehicles.

General compliance requirements

Pursuant to article 3 of the above-mentioned automotive data regulations, the term “automotive data” means data containing personal information and critical data involved in the process of vehicle design, production, sale, use, operation, maintenance, etc.

(1) Personal information

Personal information refers to various information, recorded electronically or otherwise, related to identified or identifiable natural persons. For automotive enterprises, this mainly involves the personal information of drivers, passengers, pedestrians and potential buyers. In particular, attention should be paid to notification and informed consent when personal information is collected.

However, while the law requires automotive data processors to notify the individual explicitly when securing his or her consent to personal information collection, it is difficult, in an in-vehicle scenario, to perform “notification consent” obligations by way of pop-ups or checkboxes as is done in a conventional app, due to the limited size of the onboard display and the interaction of special sensors.

To strike a balance between the two, automotive enterprises may opt for other options appropriate to the local conditions. Possible solutions include a separate chapter or provision of notification in the user manual, voice announcements, specific pop-ups on the onboard display panel, interaction with car-use apps, a separate chapter or provision of notification in the vehicle sales agreement or maintenance service agreement, interaction with mobility service apps, etc.

When sensitive personal information is continuously collected, the above-mentioned security requirements recommend that the processor indicate the collection status by using an onboard display icon or signal indicator light, either flashing or steady. Clear and distinguishable prompts should also be set to reflect different types of information collected.

For example: a flashing or steady icon of a camera may be used to indicate ongoing collection of in-vehicle video data; a flashing or steady microphone icon for in-vehicle audio data; and a flashing or steady upward-pointing triangle icon for positional location data.

During sales, automotive enterprises are advised to enhance dealer management to ensure the personal information of customers and potential customers provided by dealers is fully authorised and lawfully sourced. Direct collection of customers’ personal information in a store directly operated by the automotive enterprise should also be in strict compliance with personal information protection requirements.

An enterprise was once fined RMB100,000 (USD13,750) by the local market regulator for installing facial recognition cameras in a brick-and-mortar shop to collect facial information for statistical analysis without expressly informing consumers of the purpose or obtaining their consent for data collection and usage.

To ensure the processing of personal information in the course of sales is compliant, automotive enterprises may refer to the Compliance Guidelines of Shanghai Municipality for the Protection of Personal Information in the Vehicle Sale Industry, jointly issued by the Shanghai Consumer Rights Protection Committee and the Shanghai Automobile Sales Industry Association on 24 October 2023.

(2) Critical data

Critical data refers to data that, if altered, damaged, leaked, illegally obtained or illegally used, could jeopardise national security, the public interest, or the lawful rights and interests of individuals or organisations.

The above-mentioned automotive data regulations expressly specify that critical data in the automotive sector include the following six types: (1) geographic information, human traffic, vehicle traffic, and data of key sensitive areas such as military control zones, entities of science, technology and industry for national defence, and party and government bodies at the county level or above; (2) data reflecting economic activities such as vehicle traffic and logistics; (3) data on the operation of the vehicle charging network; (4) video and image data outside the vehicle that contains facial information, licence plate, etc.; (5) personal information involving more than 100,000 personal information subjects; and (6) other data that could jeopardise national security, the public interest or the lawful rights and interests of individuals or organisations as determined by the state cyberspace authority and such relevant authorities as the State Council’s development and reform authority, industry and information technology authority, public security authority, and transport authority.

Identifying the scope of critical data can effectively help an enterprise determine whether it is a critical data processor. A processor of critical automotive data is required to additionally bear the special compliance obligations set out below:

  • Annual report. It is required to submit information on its automotive data security management during the year to the cyberspace and other relevant authorities of the province, autonomous region or municipality directly under the central government by 15 December each year.
  • Risk assessment. It is required to conduct risk assessments and submit a risk assessment report to the local cyberspace authority. In practice, depending on the requirements of the local cyberspace authority, the report will be folded into the annual submission of information on the management of the security of automotive data.
  • Security assessment for cross-border transfer. An automotive data processor is required to store critical data within China. If it absolutely needs to provide such data to a foreign party for business purposes, it is required to file with the Cyberspace Administration of China for a cross-border data transfer security assessment.
