The automotive industry is highly globalized. Cross-border data transfers are crucial for the automotive industry – R&D projects run seamlessly across borders, intelligent connected vehicles ("ICVs")[1] need to transfer data overseas so as to allow for their smooth operation and sensors exchange information in real time to monitor performance.
China’s new rules on cross-border data transmissions are especially a challenge for multinational automotive companies.
The framework for cross-border transfers of China data is to be found in the below regulations:
1)Provisions on Standard Contract for Cross-border Transfer of Personal Information (Draft for Comments) ("Draft Provisions on Standard Contract") and its annex, the Standard Contract for Cross-border Transfer of Personal Information issued by the Cybersecurity Administration of China ("CAC") on June 30, 2022;
2)Measures for the Security Assessment of Cross-border Data Transfer ("Assessment Measures") issued by the CAC on July 7, 2022 and will become effective from September 1, 2022;
3)Practice Guidelines on Cyber Security Standards - Security Certification Specifications for Cross-border Processing of Personal Information ("Certification Specifications") issued by National Information Security Standardization Technical Committee on June 24, 2022.
Of these the Assessment Measures effectively establish the rules for cross-border transfers of data. The Assessment Measures set out what thresholds of data trigger a security assessment to be organized by the CAC ("Official Assessment"), as well as declaration requirements, focus of the assessment and the procedures.
Automotive companies will need to plan how to ensure their cross-border transfers of data activities are compliant with the above regulations.
The article aims to assist automotive companies to consider whether their cross-border data transfers are affected and if yes how best to prepare for compliance.
I. Determining the Cross-border Data Transfer Requirement
Based on the relevant provisions of the Cybersecurity Law, the Personal Information Protection Law and the Assessment Measures, there are three main paths that companies would need to follow if the cross-border data transfer triggers the relevant threshold:
1)Company needs to pass an Official Assessment by the CAC ("Official Assessment Path");
2)Company needs to be certified by a professional institution for the personal information protection ("Certification Path");
3)Company uses the standard contract ("Standard Contract") issued by the CAC when contracting with overseas recipients of data ("Standard Contract Path").
Companies may take following actions when determining the applicable path:
Step 1: Combing through cross-border data transfer activities
The first step is for the company to comb through and make an inventory of cross-border data transfer activities. The Assessment Measures provide that "cross-border data transfer activities carried out prior to the implementation of the Assessment Measures that do not comply with the provisions of the Assessment Measures shall be rectified within six months of the date on which the Assessment Measures takes effect[2]." Therefore, past cross-border data transfer activities need to be taken into consideration as well. When taking this Step 1, company may consider the following aspects:
(1)Whether data is transferred overseas
There are two common forms of cross-border data transfer:
1)sending data overseas – i.e. data processor actively transfers data it collects and generates in China to overseas recipients through networks or hardware carriers; or
2)providing access to overseas recipients – i.e. data processor grants rights to overseas recipients (including affiliates, such as foreign shareholders, global or regional headquarter, etc.) to access data stored in China[3].
(2)Details of cross-border data transfer
These include:
1)the background of the cross-border data transfer, such as the type of cooperation with the overseas recipients, the type of products or services provided by the overseas recipients, whether service agreements or other cooperation agreements that have been signed between the parties;
2)the type of overseas recipients, such as individuals, enterprises, public institutions and other organizations);
3)the country or region where the overseas recipient is located;
4)period, frequency and scale of data to be transferred; and
5)overseas recipient’s processing purpose, processing method, storage location and storage period, etc.
(3)Types of data transferred overseas
Automotive companies is strongly recommended to make an inventory of the types of data to be transferred overseas and establish a cross-border data transfer ledger, which would typically include:
1)customer data (for example, car owner's name, mobile phone number, ID number, driving license number);
2)vehicle data (for example, engine number, operating condition data, in-vehicle application service data);
3)business data (for example, sales data, maintenance data);
4)operation and management data (for example, personal information of employees), etc.
The data inventory work would be particularly helpful for automotive companies to identify and confirm whether the data to be transferred overseas constitutes important data and the number of personal information subjects involved.
(4)Personal information subjects involved
If the data to be transferred overseas includes personal information then it will be necessary to consider which personal information subjects are involved (for example, vehicle owner, driver, passenger, employee, contact person of customer or supplier, etc.).
Step 2: Identifying the nature of data and identity of the processor
At this Step 2, automotive companies shall consider the following dimensions to determine the appropriate path for the cross-border data transfer:
(1)Nature of data: whether the data to be transferred overseas includes important data[4]
The scope of important data varies across industries and is determined by industrial/regional governments and departments in accordance with a data classification and hierarchical protection system[5].
The automotive industry is one of the first to define the scope of important data. In accordance with the Several Provisions on the Security Management of Automotive Data (for Trial Implementation) ("Provisions on Automotive Data"), Automotive data includes personal information and important data involved in the design, manufacturing, sales, use, operation and maintenance of automobiles[6], amongst of which, important data includes[7]:
1)geographic information, passenger flow, vehicle flow and other data of important sensitive areas such as military administrative zones, science and industry institutions for national defense, and Party and government organs at the county level or above;
2)data reflecting economic operation such as vehicle flow, logistics, etc.;
3)operational data of automotive charging network;
4)external video and image data containing facial information, license plate information, etc.;
5)personal information involving more than 100,000 personal information subjects;
6)other data that may endanger national security, public interests or the legitimate rights and interests of individuals and organizations as determined by the CAC and the authorities of development and reform, industry and information technology, public security and transport, etc., under the State Council.
Some data (surveying and mapping data for example) would further fall within the scope of data that is prohibited to be transferred outside China by industrial authorities. Therefore, automotive companies need to take industrial regulations and rules into consideration as well.
(2)Identity: whether a domestic data processor has a specific identity
An Official Assessment is required for a cross-border data transfer if the domestic data processor is a critical information infrastructure operator (CIIO) or processes personal information of more than one million individuals[8].
The CIIO identification system established by the Security Protection Regulations for Critical Information Infrastructure, places the onus of determining who is a CIIO to the authorities - so you will know if you are a CIIO. However, this is a work in progress so if you have not yet received an identification result notice, this does not necessarily mean you are not a CIIO – therefore it is wise to seek a preliminary assessment as to status if you have concerns[9].
The criteria as to "processing personal information of more than one million individuals" can be determined based on the results of Step 1. Generally speaking, B2C business operators (e.g. automotive manufacturers, dealers, maintenance/repair agencies, travel service companies) are likely to trigger this threshold given their wide exposure to individuals.
(3)Volume: whether the accumulated volume of transferred data reaches a certain level
According to the Assessment Measures, a data processor that has provided personal information of 100,000 individuals or sensitive personal information of 10,000 individuals cumulatively since January 1 of the previous year will need to undergo an Official Assessment before transferring personal information overseas[10].
As mentioned above, B2C companies often meet these thresholds. Moreover, B2B companies with many factory employees may also meet the volume threshold.
When calculating the volume of data, companies should bear in mind that whether data is identified as personal information will depend on specific circumstances. For example, VIN, being a unique code for each vehicle, is widely considered as personal information – but sometimes it is not. If a vehicle is sold to corporate customers (B2B), the VIN corresponds to corporate customers rather than specific individuals, so such information shall not be deemed to be personal information. Therefore, when identifying whether a certain type of data constitutes personal information, automotive companies need to make the determination based on the principles of identifiability and relevance[11], while taking into account the specifics of the data processing activities.
(4)Other circumstances
The Assessment Measures provide that additional scenarios may be forthcoming from the CAC that may trigger an Official Assessment[12].
Currently, it is not clear which scenarios will fall within the scope of "other circumstances". This will need to await further regulations to be issued by the CAC. However, according to the current wording of the Assessment Measures, if a data processor meets the conditions triggering the Official Assessment then it should "declare to the CAC"[13]. The CAC might not conduct an assessment on its own initiative.
Step 3: Determine the path for cross-border data transfer
On the basis of Step 1 and 2, automotive companies may determine the appropriate path for carrying out the cross-border data transfer:
1)If any of the criteria in Step 2 is met, then the Official Assessment Path will apply;
2)If none of the criteria in Step 2 is met, but the data to be transferred overseas contains personal information, then the Certification Path or the Standard Contract Path will apply;
It is noteworthy that the Certification Path is not available for all circumstances. According to the Certification Specifications, the Certification Path is only applicable to the following two scenarios[14]:
1)Cross-border processing of personal information between multinational corporations or subsidiaries or affiliated companies of the same economic or institutional entity; and
2)Personal information processing activities applicable under Article 3 (2) of the Personal Information Protection Law, that is, activities of processing the personal information of domestic natural persons outside the territory of China for the purpose of providing domestic natural persons with products or services or analyzing and evaluating the behavior of domestic natural persons[15] (in which case the overseas data processors shall apply for the certification of personal information protection through their specialized institutions or designated representatives in China, and shall bear the corresponding legal liability)[16].
If the overseas entity directly collects data in China, although the data is "cross-border" in nature, the data is not "transferred" (i.e. one party provides the data to the other party), it is therefore unclear whether this scenario is subject to cross-border data transfer rules. We are inclined to believe that in this scenario, the overseas entity will be subject to the extraterritorial effect of the Data Security Law and the Personal Information Protection Law, but time will tell.
II. How should automotive companies prepare for data compliance?
The detailed implementation rules for the Certification Path have not been issued but the other two paths for transferring data overseas (i.e. the Official Assessment Path and the Standard Contract Path) require the following documentation for the declaration:
(1)Legal documents signed with the overseas recipients
Under the Official Assessment Path, there are differences between legal documents signed with the overseas recipients and the Standard Contract. The main difference is that the former may include the cross-border transfer of important data in addition to personal information, while the latter only includes the cross-border transfer of personal information.
Despite the above, to facilitate the Official Assessment process and reduce the procedural burden, we recommend preparing the legal documents based on the Standard Contract (if applicable). Specifically:
1)If the data to be transferred overseas only includes personal information but does not constitute important data[17], then the Standard Contract shall be referred to or directly adopted;
2)If the data to be transferred overseas includes important data as well as personal information, then these data sets should be handled separately in the legal documents: for the relevant clauses on personal information, the Standard Contract shall be referred to as far as possible, clauses on important data are recommended to be stipulated in a separate chapter in the document;
3)If the data to be transferred overseas only includes important data but not personal information, then companies can use their own templates for the legal documents signed with the overseas recipients.
In addition, under the Standard Contract Path, if there is an existing agreement signed with the overseas recipient covering the cross-border data transfer, the connection between the Standard Contract and the existing agreement shall also be considered:
First, signing the Standard Contract will not result in the termination or invalidity of the executed agreement. In case of any conflict between the Standard Contract and the existing agreement, the provisions in the Standard Contract will prevail[18].
In addition, since the filing of the Standard Contract has not started yet, the procedural details (for example, whether the CAC will conduct a substantive review of the contract submitted for filing) are not clear. It is doubtful whether the CAC will accept self-drafted contracts. Therefore, we recommend adopting the official Standard Contract template as far as possible. Otherwise, the filing progress might be affected (for example, additional explanations may be required by the CAC). Here are some practical suggestions:
1)If the existing agreement only covers the cross-border data transfer matter, it is suggested that the agreement is terminated, and the provisions thereof which exceed but do not conflict with the Standard Contract are stipulated in an annex (i.e. other provisions agreed upon by the parties) to the Standard Contract;
2)If the existing agreement also covers other matters (such as technical services, distribution arrangements), then it is recommended that the clauses relating to cross-border data transfer are carved out from the existing agreement and re-concluded in the formality of the Standard Contract.
(2)Assessment reports (Personal Information Protection Impact Assessment and/or Cross-border Data Transfer Risk Self-assessment)
The Personal Information Protection Law explicitly requires that the Personal Information Protection Impact Assessment (PIA) shall be taken when personal information is to be transferred overseas[19]. Cross-border Data Transfer Risk Self-assessment ("Risk Self-assessment") is derived from the provisions of the Assessment Measures and is a prerequisite for data processors to declare the Official Assessment.
The main differences between the two assessments are as follows:
Although PIA and Risk Self-assessment are two independent tasks, there is an element of overlap. In order to avoid repeated work, we suggest combining the two assessments. Specifically, if an automotive company has completed the PIA, it may directly conduct a supplementary assessment to the Risk Self-assessment focuses that are beyond the scope of the PIA (such as risk to national security or public interest caused by a cross-border transfer of important data). During the assessment process, automotive companies need to pay attention to keeping relevant assessment materials and supporting documents, and record the assessment process for future use.
(3)Other documents
The other document required for the Official Assessment is the declaration form. We expect that the CAC will issue a standard version in the future. In addition, other documents shall also include supporting documents for Risk Self-assessment, assessment process records, and supporting documents for the adoption of appropriate technical measures.
Under the Standard Contract Path, the documents required for filing with the CAC only include the Standard Contract and the PIA report, no other documents are currently required.
III. Other matters worth considering
1.Strategic plan on the volume of data to be transferred overseas
The volume threshold for triggering the Official Assessment is that "a data processor that has provided personal information of 100,000 individuals or sensitive personal information of 10,000 individuals cumulatively since January 1 of the previous year has provided personal information to overseas parties". If feasible, automotive companies may make appropriate annual (or biennial) planning as to the volume of data to be transferred overseas. For example, when the volume threshold is about to be reached, automotive companies may control the amount of personal information to be transferred overseas or even temporarily suspend the transfer so as to avoid triggering an Official Assessment.
In addition, we also recommend that automotive companies take this opportunity to comb through and make inventory of data assets, and timely delete or anonymize the data that is no longer of use, so as to avoid reaching the volume threshold of the Official Assessment.
2.Establishing the domestic data storage center
The Cybersecurity Law specifies that personal information and important data collected and generated by a CIIO during its operation in China must be stored within the territory of China[24].
Similarly, the Personal Information Protection Law provides that if the personal information collected and processed by a CIIO reaches the threshold specified by the CAC (i.e. one million individuals according to the Assessment Measures), then the personal information collected and generated in China shall be stored within the territory of China[25].
At the level of industrial regulations, the Provisions on Automotive Data provides that important data shall be stored within the territory of China[26]. The Opinions on Strengthening the Admission Administration of Intelligent Connected Vehicle Manufacturers and Products issued by the Ministry of Industry and Information Technology in 2021 also requires that personal information and important data collected and generated during the operation in China shall be stored within the territory of China[27].
In practice, some automotive companies store the data collected and generated in China overseas (for example, the data center of overseas headquarters or the server located on an overseas third-party cloud storage platform) due to the unified request of the headquarters or the failure to establish a data center in China for the time being. If the above requirements on localized storage are triggered, such automotive companies shall deploy the data localization as soon as possible considering that the establishment of a domestic data center is practically time-consuming and involves a large investment cost.
3.Restricting overseas remote access
Where automotive companies store the data collected and generated in China, but grant remote access to their overseas headquarters, affiliated parties, cooperative partners, etc. (or some of their personnel), it will still be deemed as transferring data overseas.
Therefore, we suggest that automotive companies adhere to the principle of prudence and endeavor reasonable effort for not to grant remote access to overseas organizations or individuals unless it is absolutely necessary. Even if the necessity is ascertained, automotive companies should also pay attention to restricting the types, scope and amount of data that can be accessed by overseas accounts.
4.Cross-border transfer of surveying and mapping data
As mentioned in Step 2 of Section I above, the Provisions on Automotive Data have specified five types of important data (excluding "other circumstances") for the automotive industry, at the same time, these important data (especially the geographic information, external video and image data of important sensitive areas such as military administrative zones and science and industry institutions for national defense) may, under certain circumstances, further constitute surveying and mapping data.
For example, if an autopilot technology research and development company uses GPS receivers, high-definition cameras, vehicle sensors, laser radars and other equipment to conduct road tests on open roads or collect images outside of the cars, it is likely to be deemed as surveying and mapping activities, and hence needs to comply with the specific industrial rules (e.g. Surveying and Mapping Law of the People’s Republic of China, Regulations on the Administration of Surveying and Mapping Results, Provisions on the Scope of State Secrets in the Administration of Surveying and Mapping Geo-information). For confidential surveying and mapping results and part of non-confidential surveying and mapping geo-information results, automotive companies would need to obtain the approval of relevant competent surveying and mapping geo-information authorities before providing such results overseas[28].
5.Notification and consent for cross-border transfer of personal information
It is notable that the Personal Information Protection Law provides additional requirements on the cross-border transfer of personal information. In particular, separate consent from the relevant individuals is required to be obtained.
In practice, if an automotive company (as a data processor) directly collects personal information, then the obligation to obtain a separate consent for the data to be transferred overseas shall, in principle, fall upon the automotive company itself. If an automotive company receives personal information from a third party, it should analyze and determine its role in the data processing (such as the recipient in the data providing relationship, or the entrusted party in the data process on behalf relationship), and determine in advance whether it is obliged to obtain separate consent.
Conclusion
As the automotive industry deals in large amounts of data (and varied data which may be important or sensitive data), it will be particularly affected by the new regulations in respect of new cross-border data transfer rules.
Given the diversity and complexity of the data involved in the automotive industry, we recommend automotive companies consider the type and volume of data being transferred overseas and consider whether any thresholds are triggered and if yes which path can be adopted to transfer the data overseas. As this may require substantial preparation work, it is wise to commence this as soon as possible given the obligations come into effect from September 1, 2022. If the company believes an Official Assessment will be required, actions need to be taken before the rectification deadline as specified in the Assessment Measures (i.e. March 1, 2023).
Article 37 of the Good Practices for the Administration of Road Testing and Demonstrative Application of Intelligent Connected Vehicles (for Trial Implementation) provides: "ICVs refer to the new generation of vehicles that are equipped with advanced in-vehicle sensors, controllers, actuators and other devices, integrate modern communications and network technologies to achieve intelligent information exchange and sharing between vehicles and X (people, vehicles, roads, clouds, etc.), and are capable of sensing complex environments, making decisions intelligently, and controlling in a coordinated manner, enable safe, efficient, comfortable, and energy-saving driving, and eventually replace human operations." ICVs are also referred to as smart vehicles, autopilot vehicles, etc."
Article 20 of the Measures for the Security Assessment of Cross-border Data Transfer
On July 7, 2022, the CAC answered journalists’ questions on the Measures for the Security Assessment of Cross-border Data Transfer.
Article 4 (1) of the Measures for the Security Assessment of Cross-border Data Transfer
Article 21 of the Data Security Law
Article 3 of the Several Provisions on the Security Management of Automotive Data (for Trial Implementation)
Article 3 of the Several Provisions on the Security Management of Automotive Data (for Trial Implementation)
Article 4 (2) of the Measures for the Security Assessment of Cross-border Data Transfer
Article 10 of the Security Protection Regulations for Critical Information Infrastructure
Article 4 (3) of the Measures for the Security Assessment of Cross-border Data Transfer
Annex A to the Information Security Technology - Personal Information Security Specification (GB/T 35273-2020)
Article 4 (4) of the Measures for the Security Assessment of Cross-border Data Transfer
Article 4 of the Measures for the Security Assessment of Cross-border Data Transfer
Article 1 of the Practice Guideline on Cyber Security Standards - Security Certification Specifications for Cross-border Processing of Personal Information
Article 3 of the Personal Information Protection Law
Article 2 of the Practice Guideline on Cyber Security Standards - Security Certification Specifications for Cross-border Processing of Personal Information
Article 3 of the Several Provisions on the Security Management of Automotive Data (for Trial Implementation) stipulates that "personal information involving more than 100,000 individuals" is important data; Article 26 of the Regulations on Network Data Security Management (Draft for Comments) stipulates that processing of personal information of more than one million individuals shall be deemed as processing of important data.
Article 9 of the Standard Contract for Cross-border Transfer of Personal Information, the Annex to the Provisions on Standard Contract for Cross-border Transfer of Personal Information (Draft for Comments)
Article 55 of the Personal Information Protection Law
Article 55 of the Personal Information Protection Law
Article 4 of the Measures for the Security Assessment of Cross-border Data Transfer
Article 5 of the Provisions on Standard Contract for Cross-border Transfer of Personal Information (Draft for Comments)
Article 5 of the Measures for the Security Assessment of Cross-border Data Transfer
Article 37 of the Cybersecurity Law
Article 40 of the Personal Information Protection Law
Article 11 of the Several Provisions on the Security Management of Automotive Data (for Trial Implementation)
Article 2 (1) of the Opinions on Strengthening the Admission Administration of Intelligent Connected Vehicle Manufacturers and Products
Article 2 of the Notice on Strengthening the Production, Testing and Application Management of Autopilot Maps, and Article 17 of the Administrative Measures of the National Administration of Surveying, Mapping and Geo-information for the Provision and Use of Non-confidential Surveying and Mapping Geo-information Results
