This article was written by Mark Schaub, Xue Han and Atticus Zhao
Autonomous vehicles on roads seems inevitable. However, a number of major breakthroughs will need to take place before fully autonomous vehicles will be driving in the streets. A key breakthrough will be the capability of the vehicle to be fully aware of the ever changing surrounding environment and being able to make decisions correspondingly on a virtually real-time basis.
In the development of autonomous driving technology, the capability of an autonomous vehicle to “see” and “understand” its surroundings is a prerequisite for the vehicle to making right decisions when driving. To achieve this level of awareness will require each autonomous vehicle to be outfitted with advanced sensors to collect information of the driving environment, including cameras, various radar and/or LiDAR.
Sensors are the eyes and ears of autonomous driving. Information collected by the sensors will need to be processed by software algorithm to enable the vehicle to understand the information and act accordingly e.g., decelerate or accelerate? Where to steer? When to brake?
Currently, many carmakers, auto suppliers and high tech companies are testing L3 or L4 autonomous vehicles. To achieve the required level of automation, large volumes of real-scene data will need to be collected by the sensors from the surroundings in order to train and improve the software algorithm. This will enable the algorithm to be effectively aware of the driving environment and decide upon specific actions to be taken based on the information gathered.
During the Data Collection, the sensors of the test vehicle generally will capture the images and information of other vehicles, pedestrians, cyclists as well as traffic signs, traffic lights, road edges, traffic lanes, other infrastructure and landscape.
Accordingly harvesting and analyzing data are key for many carmakers, auto suppliers and high tech companies. Moreover, international companies active in China will often intend to transfer all or part of such information collected in China to their headquarters or affiliates overseas for further processing, e.g., labelling, validation and function development, etc.
However, both driving a car on China’s public roads to collect data through sensors equipped on vehicles (“Data Collection”) and transferring such data abroad (“Data Transfer Abroad”) may give rise to legal risks under PRC law.
The legal risks inherent in the Data Collection and Data Transfer Abroad include:
Surveying and Mapping
In China, surveying and mapping activities are strictly regulated due to issues of national security, concerns over demarcation of borders and state secrets.
Surveying and mapping is defined broadly under PRC Surveying and Mapping Law. According to Article 2 of the PRC Surveying and Mapping Law, surveying and mapping refers to the surveying, collection and presentation of the shapes, sizes, spatial position and attributes etc. of the key elements of natural geography or man-made facilities on the surface, as well as the activities in processing and providing of the obtained data, information and results.
The PRC Surveying and Mapping Law requires that surveying and mapping in China be carried out exclusively by entities holding a license issued by the relevant governmental authority.
For the Data Collection, if only radar and cameras are used then the likelihood (in our opinion) that such activities will fall within the scope of surveying and mapping under PRC law may not be high. However, use of positioning units and/or LiDAR will likely lead to such data collection falling within the scope of surveying and mapping. The risk level will increase if the Data Collection is conducted by a foreign entity or a foreign invested enterprise (FIE).
Legal restrictions on foreign investment
Surveying and mapping in China has been restricted for foreign investment for years. Several types of surveying and mapping activities are prohibited to foreign investors such as land surveying and creating electronic navigation maps.
In the Catalogue of Industries for Guiding Foreign Investment (2017 Revision) (“2017 Foreign Investment Catalogue”), ground moving surveying (“Ground Moving Surveying”) has been added as an activity prohibited for foreign investment. This is also consistently reflected in the 2019 Special Management Measures for the Market Entry of Foreign Investment (“2019 Negative List”).
Ground Moving Surveying was defined in the Classification Standards on Surveying and Mapping Qualification (“2014 Classification Standards”) as a sub-category under the category of geographic information system engineering. 
Under the 2014 Classification Standards, Ground Moving Surveying refers to the activities of processing the real-view geospatial information and data collected in moving status utilizing various sensors integrated in moving vehicles on the ground. We believe the concept of Ground Moving Surveying covers both activities of collection and processing of real-view geospatial information.
As mentioned above, Ground Moving Surveying was prohibited for foreign invesment for the first time in the 2017 Foreign Investment Catalogue which took effect in July 2017. In late 2017, there have been reports of foreign automakers facing restrictions when driving around China and taking photos and recording GPS coordinates.  Some commentators have stated that the prohibition on foreign investment in Ground Moving Surveying activities was aimed at curbing growing activities of similar surveying and mapping activities by FIEs for autonomous cars.
Accordingly, if FIEs collect data only with cameras and radar, it is less likely that such activities will fall within the scope of Ground Moving Surveying. However, if positioning units and/or LiDAR are also used then the Data Collection is very likely to fall within the scope of Ground Moving Surveying.
Road Testing and Map Creating
If the Data Collection also includes testing autonomous driving function for example L3 or L4 function on highways then such activities must be conducted in designated road testing areas by licensed vehicles. Conversely, if the Data Collection is conducted by licensed vehicles on designated areas, the risk that the activities be deemed as surveying and mapping or Ground Moving Surveying will be lower.
In addition, if the Data Collection involves the creation of high definition maps then such activities will be prohibited unless the entity holds a mapping license.
Mitigating Measures - Cooperation with a licensed mapping firm
The Data Collection will likely fall within the scope of surveying and mapping if the categories and/or level of details of the data collected is equivalent or similar to data collection for mapping and surveying. This is particularly the case when GPS, INS or equivalent positioning unit and/or LiDAR are used.
For this reason international companies may need to team up with a licensed Chinese mapping firm.
In addition to the surveying and mapping issue, another concern is about privacy.
The Data Collection involves cameras constantly scanning and recording images of pedestrians, drivers of other vehicles and/or cyclists on the road or just the background. This naturally will result in privacy concerns.
Strictly speaking, express consent should be obtained from individuals concerned if facial features are captured. However, it is unrealistic to obtain the consent of each such individual for capturing his/her image by the cameras on the vehicles.
China’s efforts to protect privacy are accelerating. One example is that on 28 May 2019, the Cyberspace Administration of China (CAC) issued the Measures for the Administration of Data Security (Draft for Comments) (“Draft Data Security Measures”), pursuant to which network operators are required to file with the local branch of CAC if they collect important data and personal sensitive information for the purpose of business operation. Apparently, such collection will be subject to greater scrutiny in the future.
We recommend companies follow best practices in collecting and processing the images of pedestrians and other individuals involved, for example, face blurring software should be in place to the extent that no individual can be recognized from the image.
Please refer to our article Self-driving Cars - How to Balance Technology and Privacy for more analysis on privacy.
Data Transfer Abroad
The general legal requirements on transmission of data abroad is established under China Cybersecurity Law (CSL).
The CSL sets out different requirements for and restrictions on network operator and critical information infrastructure operator (critical information infrastructure as the “CII”; critical information infrastructure operator as the “CII Operator”), including some general duties and special requirements for transmission of data abroad.
Following the issuance of the CSL, the CAC published for public comment first draft of Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (the “Draft Assessment Measures”) on April 11, 2017, which further clarifies detailed definitions, scopes and steps for conducting security assessments of personal information and important data to be transmitted abroad as stipulated in the CSL. Subsequently, on July 10, 2017, the CAC published for public comment first draft of Regulations of Critical Information Infrastructure Security Protection (the “Draft Security Regulations”), which outlines the scope of CII.
Network operator and CII Operator
Under the CSL, “network operator” means the owners and administrators of the network as well as network service providers. And CII Operator refers to an operator that operates the networks used in public communications, information services, energy, transportation, water conservancy, finance and public services as well as those networks the failure of which may harm the national security, economy or public interest. The CSL requires CII Operators to retain, within China the personal information and important data collected and produced during operations in China. Although the scope of CII has been broadly outlined in both CSL and Draft Security Regulations, the definition of CII Operator has not been expressly provided.
Specific requirements on data localization
According to Article 37 of the CSL, personal information and important data collected and produced by CII Operators during their operations within the territory of the PRC shall be stored within the PRC. If it is indeed necessary to provide such information and data to overseas parties due to business requirements, mandatory security assessment shall be conducted accordingly. It is worth noting that the Draft Assessment Measures, though having not come into effect yet, significantly expand the scope of application of the data transmission restrictions from “CII Operators” to also include “network operators”.
If the Draft Assessment Measures and other relevant regulations and guidelines take effect in the future in their current drafts, personal information and important data collected and produced by a network operator during their operations within the territory of the PRC shall also be stored within the PRC.
Specific requirements on transmission of data abroad
According to the Draft Assessment Measures, a network operator will need to conduct a self-assessment to transfer personal information or important data outside the PRC unless the volume, size and nature of the data to be transferred reach certain threshold where a mandatory security assessment conducted by relevant regulatory authorities will be required.
The Draft Data Security Measures issued on 28 May 2019 echoes the Draft Assessment Measures on the expansion of data transmission restrictions from “CII Operators” to include “network operators”. Furthermore, the Draft Data Security Measures provide that transmission of important data needs approval of competent authority or division of CAC at provincial level. If the Draft Data Security Measures take effect in the current form, it will likely mean all the transmission of important data abroad will need approval from authorities and self-assessment system established under the Draft Assessment Measures may not apply.
In addition, the General Administration of Quality Supervision, Inspection and Quarantine, together with the Standardization Administration of the PRC has published for public comment Information Security Technology - Guidelines for Security Assessment of Data Cross-Border Transfer (the “Draft Guidelines”) on August 25, 2017.
The Draft Guidelines sets out a long list of geographic information that will be treated as important data. It is also notable that the Draft Guidelines specifies that the following three circumstances constitute transmission of data abroad, including: (i) providing personal information and important data to entities which are located within the territory of China but not subject to the jurisdiction of China or not registered in China; (ii) the data is not transmitted to and stored in any places outside the territory of China, but can be accessed and viewed by foreign institutions, organizations and individuals (except for public information and webpage visits); or (iii) internal data is transmitted overseas within the network operator’ group.
Based on the Draft Guidelines, providing offshore entities or individuals with “read” access to the data located in China will also likely constitute transmission of data abroad.
In addition to CSL, there are also requirements under the China surveying and mapping laws on transmission of data abroad.
From the CSL, its implementing regulations and draft guidelines, China is in the process of establishing a comprehensive regulating system for data transfer abroad. While CII Operators will generally be subject to stricter assessment process than a network operator, China is likely to tighten its regulating on transmission of data abroad regardless of whether it is a CII Operator or network operator. Compounded with the legal requirements under the CSL, there are also surveying and mapping laws and State secret law that prohibit transferring or providing sensitive geographic information abroad without prior permission by government authorities.
As such, for the Data Transfer Abroad, it is not only subject to the restrictions under CSL, but also subject to the surveying and mapping laws and State secret law. We suggest any entity that intends to transfer data collected from the Data Collection consider the following:
Self-evaluating whether itself is a network operator or CII Operator;
Setting up internal security system on the access of the data collected;
Conducting internal review on the data collected and remove any sensitive geographic information, personal information or any information that is likely to be deemed as State secrets for the data already collected;
For any data already transferred abroad, ensuring the offshore entities receiving the data to cease using, and remove any such data that may contain sensitive geographic information, personal information or any information that is likely to be deemed as State secrets; and
Considering the necessity of the Data Transfer Abroad and, if so, preparing for the security assessment particularly if the Draft Data Security Measures take effect in its current draft – but should bear in mind that the chance of obtaining approval will be remote.
In the development of autonomous driving technology, large volume of data needs to be collected by the sensors from the driving environment to improve the accuracy and efficiency of the sensors as well as to train and improve the algorithm to understand the data and take proper action.
However, collecting such data by driving a car on China’s public roads will have legal implications in respect of surveying and mapping, China’s restrictions on foreign investment and privacy. Entities that have such data collection plan in China should consider these potential legal risks and adopt mitigation measures to reduce the level of risk.
In addition, while there may be commercially valid reasons to transfer collected data abroad for technical development and cost reduction purposes, the data transfer restrictions established under the CSL coupled with the involvement of sensitive geographic information and State secrets means that entities planning to transfer such data abroad need to plan carefully.
Chinese government has been supporting the development of high technology such as AI and autonomous driving. For foreign investment, Chinese government has issued the 2019 Negative List and the list of restricted or prohibited areas has been greatly shortened. However, given the deep rooted national security concerns of the authorities, the restrictions on foreign investment in surveying and mapping may not be relaxed soon. In addition, China may also strengthen the requirements for the localization of important data. For many international companies the Chinese market will be too big to ignore or put in the too hard basket. Accordingly, it will be important to consider the planned activities carefully and adopt an approach that does not stray into sensitive PRC issues.
 There are different views whether a LIDAR is a must for an autonomous vehicle. For example, Elon Musk appears not a fan of LiDAR. See https://www.teamblind.com/article/Musk-thinks-lidar-not-needed-for-self-driving-a1bBe6G1
 Based on SAE levels of automation.
 In Chinese: 测绘资质分级标准
 In Chinese 地理信息系统工程
 数据安全管理办法（征求意见稿）in Chinese
 Article 76(3) of Cybersecurity Law of the PRC.
 Not including Hong Kong, Macau and Taiwan
 Article 2 of Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad.