
With Auto Data, China Buckles In for Security and Opens Up for Future Tech

Detailed new automotive Provisions could be a model for data classification in dozens of sectors
A long exposure captures car lights traveling under a Shanghai underpass. Unsplash photo by Denys Nevozhai.

As numerous industries across China transition to a data-driven and connected new era, regulatory developments in the digital realm have increasing reach. The Cyberspace Administration of China (CAC) recently published draft provisions on data security in automobiles that mark an important turning point for China’s connected auto industry. More broadly, however, the draft rules may also serve as a bellwether for how Chinese authorities are seeking to build out a comprehensive data regulatory system designed to support the digital economy.

The new "Several Provisions on the Management of Automobile Data Security (Draft for Comment)" (the "Provisions," translated by DigiChina here) outline which types of data collected by smart cars are designated as belonging to categories that are subject to increased security protections and stricter regulations. The draft Provisions lay out obligations for handling different types of data collected or generated by the vehicle—including about the surrounding environment, drivers and passengers, and infrastructure—which is of use for entities ranging from manufacturers to Internet platforms.

While the draft Provisions nominally address national security and privacy concerns around the data-intensive auto industry, they also signal the blossoming of a long-developing data governance regime that stands ready to categorize data and regulate its collection and use across dozens of sectors, with enormous implications for all companies operating in China, as well as for international data governance. They represent a new beginning for Chinese data governance in two major ways:

First, they signal that China is taking a sector-specific approach to data categorization and regulation. Since China’s Cybersecurity Law was finalized in 2016, the dual categories of "important data," related to national security, and "personal information," related to privacy in the digital economy, have shaped broad-strokes data security rules. However, the definitions of these concepts have generally been one-size-fits-all and often vague, and it has been unclear how exactly they apply to specific industries—such as the auto sector. Now, authorities are undertaking a sweeping effort to categorize data using a more granular, sub-sectoral approach, defining with greater specificity what the two categories mean in discrete contexts, thereby clarifying the scope of rules that apply to them. China’s moves toward more granular data classification align with similar initiatives at the Organisation for Economic Co-operation and Development (OECD) and in other jurisdictions, moving beyond the binary of personal and non-personal data to reflect different applications, business models, creators, etc.

If implemented, the Provisions would represent the most detailed binding definition of what constitutes "important data" in any sector since the government outlined 27 broad categories in 2017 in the "Cross-Border Data Transfer Security Assessment Guidelines," which significantly are still in nonbinding draft form. The way in which this sectoral regulation defines important data may offer a signpost for how the category will be defined in additional sectors and how the 2017 guidelines might be implemented, updated, or superseded. 

Second, and relatedly, the draft Provisions hint at a more granular approach to cross-border data transfer rules. These auto sector rules take a more nuanced approach to cross-border data flows than existing regulations have suggested. What data is listed as having limits or requiring procedures for cross-border transfer is just as significant as what goes unmentioned: Some kinds of connected car data deemed to hold economic potential and low national security risk could be more easily exported now that the categories subject to limits are clearly delineated. The restricted categories are many, and there is no guarantee that domestic and foreign firms will enjoy identical leeway in practice, but the Provisions suggest a future in which certain green-light areas are clearer.

Driving the details, a recognition that data use is an economic imperative

At the national policy level, China's government now regards data as a strategic economic resource. In April 2020, the State Council released the "Opinions on Improving the Mechanisms for Market-based Allocation of Production Factors," policy guidance that codified China's top-level strategic rationale on data economics. The Opinions suggest that data is critical to the creation of value in the digital economy, just as land and labor are key components to value creation in agricultural economies. Identifying data as an economic asset builds on earlier designations of data as a “national basic strategic resource” in the "Action Plan to Promote the Development of Big Data" and the "13th Five-Year Plan."

Viewed as a strategic resource, data is both to be protected when necessary and unleashed for circulation and application to produce value. To operationalize this strategic view, Chinese policymakers are working to distinguish between different classes of data—some to be guarded, and some to be developed or exploited like a natural resource—in all cases with attention to externalities in terms of national security or privacy harms. This has led to a sweeping effort to inventory and sort data, and to segment it into types based on risk, importance, and impact.

Such data classification is not entirely new. Data in certain sectors or with particular privacy implications has been regulated for years. The Cybersecurity Law employed the distinction between "important data" and "personal information," and national and sectoral standards have set generally non-binding guideposts for making everyday data management decisions. (See Table 1).

Table 1: Select non-binding sectoral guidelines for data categorization

Date              | Authority                                       | Guideline                                                            | Summary
------------------|-------------------------------------------------|----------------------------------------------------------------------|--------------------------------------------------------------------------------------------
17 March 2018     | State Council                                   | Scientific Data Management Measures                                  | Recommends differentiating various scientific data prior to selective sharing with foreign partners
27 September 2018 | China Securities Regulatory Commission          | Guidelines for classification of data of the securities and futures industry | Sets forth a voluntary industry standard to catalogue data
27 February 2020  | Ministry of Industry and Information Technology | Guidelines for classification of industrial data (interim measures)  | Provides guidance in categorizing industrial data to mitigate potential damage caused by data breaches
23 September 2020 | People's Bank of China                          | Guidelines for financial data security classification                | Sets forth a voluntary industry standard to categorize data

The auto data Provisions have emerged at a point when two comprehensive draft laws—the Data Security Law, to take effect Sept. 1, 2021, and the Personal Information Protection Law, awaiting final passage—are poised to add new high-level legal frameworks for data governance. In subtly different ways, both of these laws include the concept of data protection or management separated by category (分类) of data. All signs point to a high likelihood that Chinese regulations will move to establish drastically more granular classification schemes for data across industries.

China is not unique in its push to classify data. Establishing classification schemes for data is a foundational component of data governance around the world. In March 2019, the OECD published "Data in the Digital Age," a report that called on governments to develop a more robust and nuanced understanding of data in order to better understand its economic and security impacts:

“[We must] recognise that … many different types of data are collected and used, and their purpose and value can differ widely. … [T]he best way to categorise [data] will likely depend on the application, policy issue, or business model at stake. For example, in some instances, it might be important to distinguish between public sector and private sector data; in others, whether the data is personal or non-personal. We therefore must not refer to data as a uniform entity, as this may lead to misunderstandings, oversimplifications, and less effective policy.”

Designating 'important data' and 'personal information' in the auto industry

It's no surprise that the auto industry is among the first sectors in China to be targeted for stricter data regulation. Today's cutting-edge cars are equipped with advanced driver assistance systems (ADAS), precursors to more fully autonomous vehicles (AVs), that rely on numerous sensors, including cameras, radar, and next-generation distance measurement technologies. Estimates of in-vehicle data generation run from 1–3 terabytes or more per day if the sensors are fully utilized. This data is crucial for the cars' operation, as well as for automakers' research and development.

This massive collection of automotive data creates potential security and privacy risks for both the state and its citizens. Some of the environmental or geographic data gathered, transmitted, or stored by vehicles could have national security implications if abused, or could be used to identify or document the behavior of drivers, passengers, and pedestrians.

From a national security perspective, the new draft Provisions define which types of automobile data would fall under the category of "important data." The definition covers data related to the vehicle itself, but also the infrastructure involved and its surrounding environment, as well as audiovisual data that can identify individuals outside the vehicle. From Article 3:

“Important data” in these Provisions includes:

  1. Data on the flow of people and traffic in military administrative areas, national defense science and industrial units or other units that involve state secrets, or sensitive, important areas of Party and government administrative units above the county level, etc.;
  2. Survey and map data that is more precise than maps publicly issued by the state;
  3. Data on the operation of automobile charging networks;
  4. Data on types and traffic volume, etc., of vehicles on the road;
  5. Audiovisual data of individuals’ faces, voices, and license plates, etc., outside the vehicle;
  6. Other data that might affect national security and the public interest, as specified by the state cybersecurity and informatization department and relevant departments of the State Council.

When it comes to "personal information" and privacy protection, Articles 6–10 set out both broad principles such as non-collection as a default and anonymization or desensitization of data that leaves the vehicle, as well as specific, stringent rules, including a requirement to seek consent every single drive when sending "sensitive personal data" outside the vehicle, and limitations on the use of biometrics.

Some of these requirements, if adopted in the final version, would impose legal obligations on data collectors—most prominently car manufacturers in this case—similar to those recommended in the European Union’s 2020 "Guidelines on Processing Personal Data in the Context of Connected Vehicles and Mobility-related Applications." Some would impose binding requirements even beyond the largely non-binding European guidance. For example, in contrast to the Chinese draft's requirement that consent be sought anew every single drive to transmit data on vehicle position or audiovisuals of drivers or passengers (Article 8), the EU guidelines only mandate manufacturers to inform drivers of such collection activities and minimize data gathering in principle.

The Provisions are not final, and it is likely that domestic Chinese automakers have pushed back against some of these proposed requirements during the comment period that ended June 10, as the most stringent rules could block some of the services offered by manufacturers and limit the amount of data that could be collected. This would reduce the availability of valuable data inputs that auto firms could leverage to improve their self-driving algorithms. It may also put Chinese auto companies at a technical disadvantage versus their U.S. competitors, who are not yet subject to specific federal laws or regulations on connected car data security in their home market, despite several proposed bills pertaining to connected driving. At the moment, U.S. AV companies such as Waymo and Tesla are among the most experienced self-driving companies, and they collect vast pools of real-world driving data.

In China, the Provisions come at a time when this data-intensive sector has been embroiled in public controversy related to its data security practices. Cars produced by U.S. electric vehicle giant Tesla, which rely on an array of sensors for functions including partially automated driving, have been reportedly banned from parking near military and sensitive government premises due to national security concerns. A high-profile customer protest also raised questions about Tesla’s user data protection practices. Additionally, domestic brands such as Xpeng, NIO, and Li Auto have claimed that data collection devices widely installed in their vehicles are not activated, but user manuals for these cars provide very limited descriptions of these sensors and their data collection functions. This lack of transparency has also elevated regulatory interest around the data handling practices of smart vehicle companies.  

The conundrums Chinese policymakers face in regulating increasingly data-hungry vehicles are emblematic of a fundamental dilemma at the heart of the data age: finding the appropriate balance between enabling companies to leverage data for economic benefit and enhancing data security. Put another way, how can policy unlock the innovative and productive potential of ballooning data resources, while at the same time protecting against national security and privacy harms if the data is abused? With the release of these draft Provisions, China’s answer to this question appears increasingly clear: Designate which data is sensitive within a given sector, and restrict its collection and transfer, thus freeing up the remaining data to circulate throughout the economy with less restriction.  

Beyond automobiles: Sector-specific data classification

China’s emerging approach to creating more finely tuned definitions of “important data” and “personal information” within the auto industry may serve as a demonstration of how data classification will play out in other sectors. Indeed, as an increasingly robust body of laws, regulations, standards, and industry-specific guidelines emerge that steer data organization and categorization practices in both the public and private sectors, it is increasingly evident that China is moving toward a sector-specific approach to data categorization and regulation, making concrete the broad rules in key laws such as the Cybersecurity Law, the Data Security Law, and the still-draft Personal Information Protection Law.

While the draft Provisions represent the most concrete categorizations of "important data" to date, some clues as to the future roll-out may be found in the 2017 draft Cross-Border Data Transfer Security Assessment Guidelines, a technical standard that outlines the scope and process for security assessments required for outbound transfer of certain data under the Cybersecurity Law. Those Guidelines included a crucial appendix, the "Guidelines on Identifying Important Data," which gave examples of “important data” across 27 categories, including electricity, communications, manufacturing, investment, chemicals, digital information, geographic information, non-ferrous metals, e-commerce, national defense, nuclear facilities, water, and transportation. Now, public records indicate Chinese standards-setting groups are at work on a standalone version of the "Guidelines on Identifying Important Data," suggesting renewed efforts to make data classification more concrete across key industries.

If the 2017 version is a guide, sectoral definitions could be quite granular. Under "electrical," for instance, it listed 18 data categories, ranging from grid capacities to "other information that could support attacks on electrical infrastructure." This infrastructure-centric view of "important data" in the power industry parallels the way the draft auto Provisions designate "data on the operation of automobile charging networks" as "important." Similar comparisons can be made between how the auto Provisions treat mapping, military, and traffic data, and how geographic, military, and transportation data are categorized in the 2017 Guidelines.

It appears likely a combination of new binding rules such as the auto data Provisions and influential but nonbinding standards such as the pending important data guidelines will clarify ambiguities in how data is to be handled across numerous industries.

Implications for Cross-Border Data Transfer 

Just as significant as what is ultimately designated as "important data" or "personal information" is what data is not. That's because under the Cybersecurity Law, as echoed in the draft Provisions, inclusion in those categories is what triggers a need for an outbound transfer security assessment. 

Taking auto data as an example, the draft Provisions are quite broad in specifying what data would be subject to security reviews before transfer abroad. While it is possible automakers will find ways to satisfy regulators that data recipients abroad do not pose national security or privacy risks, foreign automakers would likely have more difficulty gaining approval for arrangements that allow them to gather data from cars on Chinese roads and incorporate it into R&D efforts conducted outside China. Indeed, two weeks after the auto data Provisions were released, Tesla announced that all data generated by vehicles sold in China would be stored locally.

Tesla's experience may be a test case. At the end of last year, Shanghai’s Lingang District, which hosts Tesla’s Gigafactory, launched a five-year development plan for the connected car sector. The plan envisions the establishment of a "smart and connected car cross-border data circulation service institution" to facilitate flows of technical data. In principle, that stream of auto data could include traffic scene library data, automatic driving algorithm outputs, automatic driving test data, over-the-air upgrade information for onboard software, remote malfunction analysis data, etc. This would seem to be in tension with the draft Provisions, and it is unclear whether the Shanghai authorities would push for revisions or reach arrangements with national authorities regarding the so-called Pilot Free Trade Zone of which Lingang is a part.

The road ahead

Synthesizing trends in the draft auto data Provisions, the Data Security Law, the Personal Information Protection Law, and other recent policy moves, the apparent motivations behind China's data classification push might be summarized as follows: (1) to centralize state control over data management; (2) to carve out space for data-fueled economic development subject to different regulatory obligations than data deemed vital to national security; (3) to better understand and sort data resources in order to leverage their economic value; (4) to address legitimate cybersecurity concerns; (5) to respond to public concerns about infringement of privacy rights; and (6) to improve the technical interoperability and standardization of datasets and enhance the efficiency of data sharing.

Whether these objectives are ultimately achieved will depend on several unknowns. Unlocking data's economic potential while attentive to national security and citizen privacy concerns across sectors will require a great deal of work in each sector, and the speed, reach, and subtlety of that effort is yet to be seen. Broad rules around "important data" have now been in question for nearly five years since the Cybersecurity Law was finalized, and the newly passed Data Security Law and pending Personal Information Protection Law also introduce concepts that call for more detailed regulations that will take time. Even assuming rapid, nuanced policymaking, enforcement is always a challenge for Chinese authorities; a profusion of new rulesets in data classification also creates more compliance to monitor, and data regulators' bureaucratic capacity is unlikely to grow apace with their responsibilities. Finally, China's high-level official push for self-reliance in science and technology and its high-stakes conflicts with the United States and others in technology fields introduce geopolitics into what could be a relatively sober sphere of data governance in less sensitive economic sectors.

Amidst this uncertainty, however, the Chinese government's forward lurch in granular data protection and cultivation will present immediate challenges and opportunities to businesses in China and around the world, as well as a series of early test cases as other governments confront the multiplying challenges of effective data governance.

Kendra Schaefer is a partner at Trivium China, leading the firm's tech advisory practice. Samm Sacks is a senior editor of DigiChina, a senior fellow at Yale Law School's Paul Tsai China Center, and a cybersecurity policy fellow at New America. Xiaomeng Lu is a senior analyst in the geo-technology practice at Eurasia Group.