China has that Regulation on the security management of automotive data (for test implementation) (“Auto Data Regulation”), which will take place on October 1, 2021. The Auto Data Regulation is intended to change the supervisory landscape of the automotive industry with regard to the processing of automotive data. As a result, some industries like autonomous driving could be affected (if not paralyzed). Some multinational corporations whose operations include data transferred from China must consider relocating some of their data processing to China.
First, there will be significant hurdles to getting critical auto data out of the country.
Automotive data includes personal information data and critical data involved in the process of automotive design, production, sale, use, operation, and maintenance of automobiles. If it is important data, it will be stored in the territory of China, and if the data that needs to be disclosed to foreign parties for business purposes, it must go through the security assessment organized by the State Cyberspace Administration together with the relevant departments of the State Council.
Critical data is data that, once tampered with, corrupted or disclosed, or illegally obtained or used, may jeopardize national security or public interests or the legitimate rights and interests of individuals or organizations, including: (1) geographical information, passenger flows, Vehicle flow and other data in the military administrative zones, national defense science and industrial units, party and government organs at the county level or above, and other important sensitive areas; (2) data reflecting economic operations, such as vehicle flow and logistics; (3) vehicle charging network operational data; (4) video and image data outside the vehicle including face information and license plate information, etc.; (5) personal data involving more than 100,000 individuals as subjects of personal data; (6) other data determined by the state cyberspace administration and the relevant departments for development and reform, industry and information technology, public security, transport and other relevant departments of the State Council that affect national security or public interests or legitimate rights and may jeopardize the interests of individuals or organizations. This important data essentially corresponds to the operation of multinational companies, New Energy Vehicles, unmanned driving.
It certainly remains to be seen how the security assessment process for making the data available outside of China will go through. However, even though some important data can be transferred outside of China after the security assessment process, some data may be too important to transfer outside of China (e.g. for high resolution maps or internet maps). MNCs not only have to adapt to the effects of the car data regulation, but also the data protection act.
Second, classified protection becomes more than just a best practice.
Article 5 of the regulation points out: Anyone who processes vehicle data using the Internet or another information network must implement the systems for classified protection, strengthen the protection of vehicle data and meet the obligation of data security. In practice, data processing in the automotive sector always includes the Internet information network, which means that the automotive industry must implement a classified protection system for network information security.
What is Classified Protection? The classified protection is a compliance obligation (as well as a privilege) under the Chinese Cybersecurity Law (Article 21), the Data Protection Law (Article 27), and the Car Data Regulation (Article 5). With CP certification, a company would have prima facie evidence that its network system met some basic legal security requirements. The gaps that have ever been marked with red flags could then be closed. If the obligations are met, the company could fend off some possible investigation or punishment under the law (including criminal law).
How is classified protection carried out? Network systems from level 1 to level 5 are classified under classified protection. The higher the level, the more requirements must be met. The certification authorities (who need certification licenses) would run tests and decide what level a network system is at and advise where the vulnerabilities are. However, a certification body may not provide corrective services, just as a referee cannot be a player at the same time – the corrective services must be provided by corrective bodies in order to eliminate the weak points in IT, processes and control measures of the network system. Although a rectification agent does not need a license to perform its rectification services, the rectification agent must have both IT and risk management capabilities.
Why is classified protection important? Put simply, classified protection can help close gaps and remove weaknesses in network systems. We can learn the importance of classified protection from the following fault case.
In 2015, an automaker issued a safety recall affecting 1.4 million vehicles in the U.S. after security researchers revealed that one of its cars could be hacked. The hackers had taken control of one of his branded cars through his internet-connected entertainment system. As a result, the manufacturer called a voluntary recall to update the software in affected vehicles.
From the above cases, you may understand that classified protection or a similar risk management system is not just something beautiful. It’s an insurance policy or a golden shield to manage risk and ward off liabilities.
Is Classified Protection Mandatory? The answer is yes for every network operator – basically every business operator with a network is a network operator, regardless of whether he is a critical information infrastructure operator (“CIIO”) or not. The Cybersecurity Act provides for a mandatory review of the classified protection for a CIIO once a year.
The Cybersecurity Act defines CIIO as a network system in the sectors of public telecommunications and information services, energy, communications, water resources, finance, public service and electronic public service. Once sabotaged, the CIIO could cause great and irreparable damage to itself and surrounding units.
Classified protection is also mandatory for non-CIIOs. From level 3, the classified protection must be carried out at least once a year. Although many non-CIIOs have not yet implemented classified information despite the legal requirements of the Cybersecurity Act (as well as the Data Protection Act and the Auto Data Regulation), some companies have nonetheless resorted to classified information in order to obtain the privilege for additional protection of. get hacked and especially punished for those who rely on the internet to provide products and services. It could be foreseeable that law enforcement for non-CIIOs would be stepped up as law enforcement agencies have more experience with the enforcement rules, which are more sophisticated and practical.
Does a traditional manufacturer have to carry out classified protection? The answer is yes. The classified protection has evolved to version 2, which provides both general requirements and extended requirements for cloud computing systems, mobile connection systems, Internet of Things, big data and industrial controls. Since a traditional manufacturer has an industrial control system, the system must also be certified for classified protection.
Third, the difficulty of collecting automotive data has greatly increased.
According to the regulation, the vehicle data processor should observe the following when carrying out vehicle data processing activities: (1) “handling in vehicle” principle, unless provision outside the vehicle is really necessary; (2) Principle “no collection by default”, unless the driver agrees to this; (3) Principle of “accuracy within the application” – the detection range and resolution of cameras and radar devices are determined according to the data accuracy requirements of the functional services provided; (4) The principle of “desensitization treatment” is to be applied with priority to anonymization and decoding.
With the principles set and applied, it would be difficult for an automotive data processor to collect either personal data or important data.
Fourth, the risk assessment report has become an integral part of the compliance process.
The regulation requires an automotive data processor performing critical computing activities to conduct a risk assessment in accordance with the regulations and submit risk assessment reports to the government. The risk assessment report contains information on the type, amount and scope of important data to be processed, storage location and duration as well as type of use, data processing activities to be carried out and their transfer to third parties, data security risks and countermeasures for this and so on.
Any automotive data processor processing critical data must report the automotive data protection management information to the relevant government agency by December 15 of each year. Automobile data processors who provide important data to foreign parties are required to prepare supplementary reports on: (1) basic recipient information; (2) Type, scope, purpose and necessity of the outgoing vehicle data; (3) Location, duration, scope and type of storage of vehicle data abroad; (4) the automotive data security incidents and their handling; (5) other information that the State Cyberspace Administration and the relevant departments for industry and information technology, public safety, transport and other relevant departments of the State Council have expressly required to report.
In response to the Auto Data Regulation (as well as some other laws such as Personal data protection law and Data Protection Act), the National Technical Committee for Information Security Standardization of China adopts Standard Information Security Technology – Security Requirements for Data Collected from Vehicles. There will be practical guidance on security management of car data, covering aspects such as data transmission, data storage, cross-border data management and data from special vehicles. This document is a welcome undertaking for any single data processor involved in data processing in the automotive sector to manage risk.