Protection of personal information in the scenario of autonomous vehicles

Lettre d’information Publié le 20/05/2021

In the first half of 2021, China’s intensive legislation on autonomous vehicles, or called intelligent networked vehicles (“INV”) aims to take INV a big step further from the testing phase to commercial application. Firstly, Article 155 of the revised draft Road Traffic Safety Law (announced by the Ministry of Public Security in March) sets the tone for the testing, production, import, sale and road access of INV, and specifically provides for the allocation of responsibility for road safety for L3 level INV. Also, in March, the Standing Committee of the Shenzhen Municipal People’s Congress released the “Regulations on the Administration of Intelligent Networked Vehicles in the Shenzhen Special Economic Zone (Draft for Public Comments)” and invited public comments. In April, the Ministry of Industry and Information Technology (“MIIT”) issued its “Guidelines for the Admission of Intelligent Networked Vehicle Manufacturers and Products (for Trial Implementation)”, which is also an advancement of its “Norms for the Administration of Road Testing and Demonstration Applications of Intelligent Networked Vehicles (for Trial Implementation)” in January.

From a legal perspective, the most important legal issues related to INV include not only product safety, right of way, allocation of legal responsibility for traffic accidents etc., but also network security and data protection. The fact that many Chinese internet companies are competing in the INV industry is evidence of the central role that networks and data play in INV.

Against this background, this article aims to analyse the legal issues related to the protection of personal information in the context of INV under the existing legal framework (including reference to the many draft bills that have been published for consultation).

ILegal framework for the protection of personal information under Chinese law

The Civil Code of the People’s Republic of China, which has just entered into force in 2021, defines personal information as all kinds of information recorded electronically or by other means that can identify a specific natural person, either alone or in combination with other information, including a natural person’s name, date of birth, identity document number, biometric information, address, telephone number, e-mail address, health information, whereabouts information, etc[1]. The privacy provisions[2] are applicable to personal information that can be further defined as privacy.

In the draft Law on the Protection of Personal Information (Second Review Draft, April 2021) “personal information, which, if leaked or used illegally, may lead to discrimination against individuals or serious harm to personal or property safety, including information on race, ethnicity, religious beliefs, personal biometric characteristics, medical and health care, financial accounts, personal whereabouts, etc. ” is further defined as sensitive information[3].

The two aforementioned laws, as well as the Cyber Security Law, lay down the fundamental principles and rules for protection of personal information, while at a more practical level, the “Information Security Technology – Personal Information Security Norms” (GB/T 35273-2020, hereinafter referred to as the “Personal Information Security Norms”), which is a recommended national standard, provides more specific guidelines for the handling of personal information.

In general, personal information controllers should follow the principles of lawfulness, legitimacy and necessity in carrying out their personal information handling activities, which include:

  • Collection of personal information: the means and purposes of collection shall be lawful; the collection of information shall be limited to the minimum necessity; the right of the subject of personal information to make independent choices for a number of business functions shall be guaranteed; the consent of the subject of personal information shall be obtained at the time of collection (except for exceptions provided for by law), and in particular, express consent shall be obtained when sensitive information is collected, and when personal biometric information is collected, the subject of personal information shall be separately informed of the purpose, manner and scope of collection and use of personal information; when personal information is indirectly obtained, the personal information provider shall be required to explain the source of personal information and to confirm the legality of the source of their personal information, etc.[4]
  • Storage of personal information: personal information shall be stored for the minimum period of time necessary to achieve the purpose authorized; immediately after the collection of personal information, it is advisable for the controller of personal information to de-identify it and to take technical and administrative measures to store separately information that can be used to recover the identification of individuals and de-identified information; further measures shall be taken to encrypt and store separately sensitive personal information[5].
  • Use of personal information: access control measures shall be adopted for personal information, access rights shall be kept at the minimum level, internal access approval processes and separated control shall be established; when personal information is displayed, measures should be taken to de-identify personal information to be displayed; the use of user profiles shall avoid clear identity referencing except when necessary; in the use of automatic decision-making mechanisms in information systems, personal information subjects should be provided with a channel to complain about the results of the automatic decision-making process, and manual review of the results of the automatic decision-making process should be supported[6].

II Personal information protection in the scenario of INV

1. Industry standards

Concretely in the INV field, the Technical Requirements for Data Security of Telematics Services (YDT3751-2020) classifies data into basic data (e.g. vehicle maker and model, logo, colour, etc.), vehicle working condition data (e.g. vehicle characteristics data under operating conditions, etc.), environment awareness data (e.g. data related to the environment, external devices, terminals and pedestrians, etc.), vehicle control data (e.g. vehicle remote control data), application service data and user personal data.

In the Requirements for the Protection of Personal Information of Users of Telematics Information Services (YDT3746-2020) (“Personal Information Protection Requirements” implemented on 2020.10.1), personal information is further defined as information that can be used to identify the user and related to the user’s personal privacy, either alone or in combination with other information, collected by automotive manufacturers, parts and components providers, software providers, data and content providers and service providers in the course of providing services.

The basic approach of the Personal Information Protection Requirements is to categorize and classify personal information horizontally and vertically, and set different security requirements on this basis. In terms of classification, personal information can be divided into three main categories and seven sub-categories, including A user identification information; B user data information on the content of Telematics services; and C user service-related information. The information is further divided into three levels according to its sensitivity, i.e. sensitive personal information, important personal information and general personal information. Sensitive personal information refers to the personal information which, once leaked, illegally provided or misused in the process of Telematics information services, will bring serious harm to the user’s person and property, and will most likely lead to damage to personal reputation, physical and mental health or discriminatory treatment, etc. Among the aforementioned information classified into seven sub-categories, A1-2 user identification, A-3 user biometric identification, and A2-2 information on the identification and authentication of information services for INV transactions are all classified into the sensitive personal information; while as far as personal general information is concerned, only C1-1 business subscription and subscriber relationship is classified into it. A large number of the remaining categories of information are classified as personally important information [7].

In the case of general personal information, information processors are required to implement basic technical and administrative measures to ensure the security of access control to personal information. In the case of important personal information, the necessary technical and administrative measures must be implemented to additionally guarantee the user’s right to information and choice, to protect the confidentiality and integrity of the information and to establish norms for the management of personal information security. Further, in the case of sensitive personal information, strict technical and management measures must be implemented to establish, on top of the aforementioned measures, strict security management practices and real-time data monitoring mechanisms and alerts.

Generally speaking, although the Personal Information Protection Requirements draw up a classification and categorization system for personal information, it does not elaborate more in details of requirements for specific measures compared to the Personal Information Security Code.

2. Relevant drafts under exploration

  • “Information Security Technology – INV Security Requirements for Collected Data (Draft)” (“Security Requirements for Collected Data”) (draft National Standard dated 28/04/2021)

Article 5.1 stipulates that data containing personal information shall not be transmitted outside the vehicle through the network or physical interface of the connected vehicle without the separate consent of the person from whom the information has been collected. The exception is video and image data that is converted to a resolution of less than 1.2 megapixels and that has been erased of personally identifiable information such as faces and license plates.

Article 5.2 stipulates that an INV shall not transmit audio, video, image and other data collected in the cabin of the vehicle, or data obtained through its processing, to outside the vehicle through the network or physical interface.

While the aforementioned restriction in Article 5.1 seems to address the handling of personal information of passers-by collected in the environmental data of an INV, Article 5.2 will more strongly protect the privacy of vehicle owners and occupants.

With regard to data storage, Article 6 stipulates that data related to the location and trajectory of the vehicle collected by the INV shall not be stored in the in-vehicle storage device or in the telematics service platform (TSP) for more than 7 days.

Further, in connection with the data transfer, Article 7.1 stipulates that Data collected by the INV from the environment outside the vehicle, such as road, building, terrain and traffic participants, as well as data related to the location and trajectory of the vehicle, through sensors such as cameras and radar, shall not be allowed to leave the country. If data such as the driving status parameters and abnormal alarm information of the INV need to be exported, they shall comply with the relevant national regulations on data export. The content of the first sentence of this Article 7.1 echoes the provisions of the Special Administrative Measures for Foreign Investment Access (Negative List) that have always prohibited foreign investors from investing and conducting mapping activities in China[8]. The export of personal information will be discussed in depth below.

  • Provisions on the Management of Automotive Data Security (Draft for Comments) (“Provisions”) (State Internet Information Office, May 2021)

The Provisions define personal information as personal information of vehicle owners, drivers, passengers, pedestrians, etc., as well as various information that can be used to infer personal identity and describe personal behavior, and define sensitive personal information as including vehicle location, audio and video of drivers or passengers, and data that can be used to determine driving violations[9].

From the perspective of collecting, storing and transmitting personal information, the Provisions emphasize and refine the operator’s obligation to inform, including informing of the types of data collected, the trigger conditions for collecting each type of data and the method of stopping collection; the purpose and use of each type of data collected; the location and duration of data storage, or the rules for determining the location and duration of storage and the deletion of in-vehicle or out-of-vehicle personal information[10]. Furthermore, the operator shall obtain the consent of the person from whom the personal information is collected. Where it is difficult to do so in practice (e.g. collecting audio and video information from outside the vehicle via cameras) and where it is necessary to provide it, anonymisation or desensitisation shall be carried out, including the deletion of images containing natural persons who can be identified, or the partial profiling of faces etc. in these images[11].

For the collection and provision of sensitive personal information outside the vehicle, operators are required to comply with additional requirements including: (i) for the purpose of directly serving the driver or rider, including enhancing driving safety, driving assistance, navigation, entertainment, etc.; (ii) no collection by default, and the driver’s consent should be sought for authorization each time, and this authorization automatically expires at the end of the driving; (iii) the driver and rider shall be informed that sensitive personal information is being collected by means of an in-vehicle display panel or voice; (iv) the driver is able to terminate the collection at any time and at his or her convenience; (v) the owner of the vehicle is allowed to conveniently view and structurally inquire about the sensitive personal information being collected; (vi) if the driver requests the operator to delete it, the operator shall do so within 2 weeks[12].

In the case of driver or rider audio and video, which is sensitive personal information, it is possible for the operator to make it available outside the vehicle if the aforementioned requirements are met, however, it is prohibited in the Security Requirements for Collected Data. This conflict of norms may need to be further reconciled after considering various factors and practical needs (e.g. different business models, private purchase or shared use platforms, different needs for personal privacy and security of travel, etc.).

III- Cross-border transfer of personal information

The cross-border transfer of data has always been an issue of great importance to multinational enterprises operating in China. In the ” Law on Protection of Personal Information (Second Review Draft)” in April 2021, the draft has a special chapter stipulating that if a personal information processor has a genuine need to provide personal information outside the People’s Republic of China for business purposes, etc., it shall meet at least one of the following conditions: (i) pass a security assessment organised by the State Internet Information Department; (ii) be certified by a professional institution for personal information protection in accordance with the provisions of the State Internet Information Department (iii) conclude a contract with the overseas recipient in accordance with the standard contract established by the State Internet Information Department, agreeing on the rights and obligations of both parties, and supervise its personal information processing activities to meet the personal information protection standards stipulated in this Law; (iv) other conditions stipulated by laws, administrative regulations or the State Internet information department[13]. The “Provisions on the Management of Automotive Data Security (Draft for Public Comments)” further stipulate that personal information or important data shall be stored within the country in accordance with the law, and if it is necessary to provide it outside the country, it shall pass the security assessment organized by the State Internet Information Department[14]. This seems to restrict the export of personal information to the only way of security assessment.

According to the “Measures for Security Assessment of Personal Information Export (Draft for Comments)” (the “Assessment Measures”) issued by the State Internet Information Office in June 2019, any personal information leaving the country is required to be reported to the provincial Internet Information Department of the location for a security assessment. One of the focuses of the assessment is to review the content of the contract signed between the network operator and the recipient of personal information. The Assessment Measures are modelled on the Standard Contractual Clauses (SCC) approach adopted by the European Union, which provides comprehensive and detailed regulations on the content of contracts signed between network operators and recipients of personal information.

The Assessment Measures also emphasize the legal legitimacy of the source of personal information and the protection of the rights and interests of the subject of personal information. The network operator shall inform the subject of personal information of the basic information of the network operator and the recipient, and the subject of personal information may request the network operator to provide a copy of the contract signed with the recipient, etc[15]. The subject of personal information has the right to request the correction or deletion of his or her personal information. He/she shall also have the right to claim compensation from the network operator or the recipient or both, and the network operator shall pay compensation first if the subject of personal information cannot obtain compensation from the recipient[16].

The Assessment Measures also strengthen the regulation of offshore recipients by requiring offshore network operators to fulfil the responsibilities and obligations of network operators through a legal representative or agency in the territory[17].

In addition, the ” Provisions on the Management of Automotive Data Security (Draft for Public Comments)” stipulate that if scientific research and business partners need to query the use of personal information stored in the territory, the operator shall take effective measures to ensure data security and prevent loss. The use of sensitive data such as vehicle location, biometric features, driver or passenger audio and video, and data that can be used to determine driving violations is strictly limited[18].

IV- Summary

Within the framework of today’s (in force or published for public comments but yet to be refined and approved) laws and regulations, we can sort out the issue of personal information protection for INV as follows.

Personal informationCollectionStorage, transmission and useCross-border transfer
General personal information (if leaked, illegally provided or misused, some but limited harm to the subject’s person and property could be caused)a) the operator has an obligation to inform (informing of the type of data collected, the trigger conditions, the purpose and use of the collection, the location where the data is kept, the duration, and the methods for deletion). b) Consent of the subject is required (or, if consent cannot be obtained for individuals outside the vehicle, desensitized is required)    a) Information processors are required to implement basic technical and administrative measures to ensure the security of access control to personal information. b) Data containing personal information shall not be transmitted outside of the vehicle via network or physical interface without the separate consent of the person from whom it is collected.Passing the security assessment organized by the State Internet Information Department
Important personal information (if leaked, illegally provided or misused, a significant risk to the subject’s person and property could be caused[19])Ibida) Information processors are required to implement necessary technical and management measures to additionally ensure the subject’s right to information and choice, to protect the confidentiality and integrity of information and to establish norms for the management of personal information security. b) IbidIbid
Sensitive personal information (if leaked, illegally provided or misused, a serious risk to the subject’s person and property could be caused)In addition: a) for special purposes only. b) each individual consent granted. c) must be informed on each occasion. d) Easy to terminate, view and delete at any time and limited within a short period of timea) Strict technical and management measures must be implemented, and on top of the aforementioned measures, strict norms for the management of subject’s personal information security and real-time data monitoring mechanisms and alerts must be established. b) INV shall not transmit audio, video, image and other data collected in the cabin of the vehicle and the data obtained through its processing to the outside of the vehicle via a network or physical interface. c) Vehicle location and trajectory related data collected by the INV shall not be stored in the in-vehicle storage device and telematics service platform (TSP) for more than 7 days.Ibid Strictly restrict the use of sensitive data such as vehicle location, biometrics, driver or passenger audio and video, and data that can be used to determine driving violations by foreign entities
Adaltys – 2021

[1] Article 1034 of the Civil Code

[2] Article 1032 of the Civil Code

[3] Article 29 of the Law on the Protection of Personal Information (Second Review Draft)

[4] Information Security Technology – Personal Information Security Norms Article 5

[5] Information Security Technology – Personal Information Security Norms Article 6

[6] Information Security Technology – Personal Information Security Norms Article 7

[7] Article 6, Article 7 of the Personal Information Protection Requirements

[8] Item 23 in Category 9 of the 2020 version of the Negative List

[9] Article 8 of the Provisions

[10] Article 7 of the Provisions

[11] Article 9 of the Provisions

[12] Article 8 of the Provisions

[13] Article 38 of the Law on the Protection of Personal Information (Second Review Draft)

[14] Article 12 of the Provisions

[15] Article 14 of the Assessment Measures

[16] Article 13 of the Assessment Measures

[17] Article 20 of the Assessment Measures

[18] Article 16 of the Provisions

[19] If in the future the approach of the ” Provisions on the Management of Automotive Data Security (Draft for Comments)” is followed, it will only be divided into general personal information and sensitive personal information.