Autonomous vehicle developments put focus on data compliance

China is set to become a significant AV market. Carol Wang and Elizabeth Shi of Rouse discuss the potential data compliance issues companies must consider

The rapid development of the ‘Internet of Vehicles’ means intelligent vehicles are the future of the automotive industry. China aims to have vehicles with partial autonomy account for 50% of new sales by 2025. On 10 March 2020, the country’s Ministry of Industry and Information Technology announced the recommended national standard for ‘Automotive Driving Automation Classification’, which will take effect from 1 January 2021. It classifies autonomous driving levels according to the degree of input required from the driver to control the vehicle.

Autonomous vehicles (AV) are dependent on large-scale data collection, including personal and technical information. In China, the lack of specific laws and regulations on data compliance raises a number of issues for AV developers moving forward.

Collection, use and protection of personal information

China does not have specific legislation on personal information. However, the Standing Committee of the National People’s Congress issued a draft law on personal information in October 2020, which will soon be finalised and promulgated. The laws, regulations and rules currently in force define ‘personal information’ differently. According to Article 76 of the Cybersecurity Law, it refers to information recorded electronically or otherwise which can identify a person, whether used independently or in combination with other information.

The definition used in ‘Information Security Technology – Personal Information Security Specification’ (published in March, henceforth the ‘Specification’) is similar to the one in Article 76, but is further categorised into biometric information and sensitive information. Whether the information can identify a person is the key to determining whether it falls within the scope of personal information.

According to the Cybersecurity Law and the Specification, the collection of personal information requires the authorisation and informed consent of the subject. It should not be collected through fraud, deception or manipulation, nor should functions that collect such information be hidden.

Express consent is required for the collection of sensitive information. To collect biometric information, however, the collector must also individually inform the subject of the purpose, method and scope of use of the information. According to the Specification, automotive service providers cannot store biometric information. If necessary, it should be obtained at the collection terminal. The automotive service provider shall gather the biometric information and delete it once the subject is identified.

Though automotive service providers can obtain express consent through prior authorisation, there is often no method to obtain authorisation for information acquired while the driver is operating the vehicle. Automotive service providers should avoid making blanket authorisation plans and instead specify what data is collected in various stages. They should provide drivers with accessible opt-out mechanisms, or provide options to change their privacy preferences.

AV technology often involves the use of collected information, such as the analysis of vehicle failures or accidents, to reduce driving risks. Because of this, it is necessary to cooperate with other companies. This can lead to data breaches. A key case is that of Canadian automation and robotics engineering company Level 1, which in 2018 leaked 157GB of data, including 47,000 documents of customer information, factory production details, and confidentiality agreements of many notable automotive companies.

When a data controller entrusts a third party to process personal information, both parties should enter into an agreement to determine responsibilities and obligations. The data controller shall conduct a security audit on the third party, accurately record and store personal information processed by the third party and establish standardised procedures within the company to implement authorisation, audit and remedial measures. In turn, the third party shall process the data in accordance with the scope of the agreement. In the event of a security incident or failure to perform the contract, the third party shall promptly notify the data controller and take remedial measures accordingly.

Privacy policy and user agreement

Interaction between the vehicle and the driver is often achieved through smart mobile devices in the driver’s possession, and apps have become the main channel for the collection and processing of users’ personal information. For example, the driver must download an app to perform a certain function in the vehicle.

Though China does not have specific legislation on data collection by apps, there was a nationwide campaign throughout 2019 to crack down on the illegal collection and use of personal information through apps. Automotive service providers should therefore pay attention to their privacy policies and fully disclose the security measures and opt-out mechanisms to data subjects in simple and understandable language. They should also comply with the above requirements when providing user agreements.

User profile compliance

User privacy is often involved when recommending user profiles and providing personalised products and services. In this regard, the Specification imposes many restrictions, including eliminating clear identity indicators and prohibiting the precise positioning of specific individuals. Personalised displays should be clearly distinguished from non-personalised displays, and independent control mechanisms should be established to ensure that users can control the degree of relevance on their displays. The Specification encourages automotive service providers to fully consider the privacy and autonomy of users when developing functions for products in the future.

Outbound data and cross-border transmissions

The development of autonomous driving technology may require cross-border collaborations. When developing such technology, multinational automotive companies may need to obtain information and collect data transmissions from local subsidiaries. China has restrictive regulations in relation to the transmission of personal information and important data.

According to the ‘Measures for Data Security Management (Draft for Comments)’, important data includes large-scale population data and geographical data that, if disclosed, may directly affect areas such as national security and public safety. It generally excludes information relating to the production and operation of an entity and personal information. Network operators should assess possible security risks before transferring important data outside China and report to the relevant industry regulatory authority for approval. If it is unclear which department is in charge, it should be approved by the provincial network information department.

The same document also states that before personal information is transferred overseas, the network operator should report a personal information exit security assessment to the relevant provincial network information department. If a data controller needs to transmit personal information overseas, it also needs to report to the relevant provincial network information department for a safety assessment.

Map surveying and mapping

According to the Surveying and Mapping Law, surveying and mapping refers to “activities conducted to determine, collect and formulate key geographical elements or man-made surface installations, as well as to process and provide data, information and results gained therefrom.” Article 22 says that the State shall apply a control system for entities engaged in these activities.

Geographic information in autonomous vehicles comes from the collection of real-time data visualised on electronic maps. If a company engaged in the development of autonomous driving technology decides to develop its own electronic map, it should obtain a qualification to engage in surveying and mapping activities. If an automotive service provider cooperates with a third-party mapping service provider for its services, it must ensure that the third-party has the relevant qualifications, otherwise risks will arise.

In addition, the ‘Notice on Strengthening the Production Test and Application Management of Autonomous Driving Maps’ states that mapping data used for autonomous driving technology tests shall be managed in accordance with confidential surveying and mapping results, and effective measures shall be taken to ensure data security. Without the approval of the relevant administrative department at or above the provincial level, no mapping data may be provided or shared to foreign organisations and individuals, including wholly foreign-owned enterprises, Sino-foreign joint ventures and cooperative enterprises registered in China. It is also not permitted for people outside the scope to access mapping data in relevant technical tests or road tests.

There are also obstacles for foreign investors trying to enter the autonomous driving industry. The 2019 Foreign Investment Negative List outlines industries prohibited from foreign investment, which include geodetic surveying, compilation of electronic maps for navigation purposes, and more.

In conclusion, there are great challenges ahead for automotive service providers as AV technology rapidly develops. At the same time, legal supervision lags behind. Automotive service providers should pay attention to updates in laws and regulations to meet compliance requirements, participate in the development of data standards, laws and regulations, and actively promote the healthy development of autonomous driving technology.

Carol Wang is Principal and Head of the Shanghai Litigation Group at Rouse. Elizabeth Shi is a Senior Consultant at Rouse