The Trial Provisions on Administration of Automotive Data Security (“Automotive Data Regulation”) was promulgated on August 16, 2021 and became effective since October 1, 2021. The Automotive Data Regulation is the first sectoral data protection regulation under the Data Security Law and the Personal Information Protection Law. Companies in the automotive sector are familiarizing themselves with the data protection requirements under this legal regime.
This article aims to add one more important dimension in an overall compliance – export control of such automotive data. The data subject to China Export Control Law (“ECL”) normally may not include the key data and personal information as defined under the Automotive Data Regulations, unless export of such key data or personal information embodies the risks of endangering national security and interest or being used by terrorists or for proliferation purposes.
This article only focuses on the regulatory requirements under ECL for the export control of so-called automotive data. The automotive data protection relevant to cross-border transmission or providence under the Automotive Data Regulations will be a subject of a separate article.
I. Automotive Data under Export Control Law
Pursuant to Article 2 of ECL, the export of dual-use items, military items, nuclear items including goods, technologies, services, or other items that relate to maintenance of national security and interests, or fulfillment of nonproliferation or other international obligations (“Controlled Items”) is subject to control, and the Control Items also include data such as technical information and so forth that is related to the Controlled Items.
The literal meaning of the wording “and so forth” supports the understanding that besides technical information, other information if relevant to the Controlled Items also constitutes the data subject to export control.
The automotive data in this article refers to such data relevant to the Controlled Items of the automotive industry.
II. Automotive Data: Activities Subject to Export Control
The activity subject to ECL is limited to the export activities of the controlled automotive data, and the export activities can be manifested by the cross-border transmission, deemed export (e.g., releasing or otherwise transferring controlled automotive data to a foreign person in China), and re-export that occur outside of China.
(a) Cross-border Transmission
Cross-border transmission of the controlled automotive data can be accomplished by way of e-mail, telephone, fax, letter, or permitting foreign access to a server located in China. Although the party obliged to apply for an export license for controlled automotive data is confined to “exporting business operators” under ECL, it is very likely such exporting business operators would be interpreted as including any entity or person, who participates in such transmission of the controlled automotive data.
(b) Deemed Export
The oral communication or display of drawings or other data to a foreign national in China, or any other activity that enables such foreign nationals to access controlled automotive data, will require an export license before such deemed export is initiated. Such deemed export of automotive data will very likely occur within the R&D center in China where domestic and foreign employees are working closely together.
(c) Re-export
A foreign company in possession of the controlled automotive data, if any, must apply for a license by Ministry of Commerce (“MOFCOM”) if exporting the same data out of the given foreign country. For instance, if a subsidiary in China transmits the AI data to its parent company in Germany with a license, the transfer of such data from this parent company to another company in France would constitute a re-export and the parent company must obtain an export license from MOFCOM before re-export the same data.
III. Automotive Data Controlled under ECL
(a) Definition of Data
ECL only provides that the data subject to export control includes technical information and so forth related to the Controlled Items. The term “data”, as defined in the Data Security Law, means any record of information, electronic or otherwise. We thus understand from the data definition that the data means any information materialized or recorded outside the human brain, and any information materialized in any text, graphics, voice, code, and so forth. Accordingly, control of the export of any records of information is the core of the internal compliance program (“ICP”) for automotive data.
(b) Automotive Data Relevant to Control Lists
Automotive data is controlled under ECL if relevant to the dual-use items, military items, nuclear-related items, or corresponding technologies or services, as may be contained in the control lists. The determination of “relevance” is complex and technical. Automotive companies need to screen whether the data to be exported is related to items or technologies listed on the Export Control License Catalogue of Dual-Use Items and Technologies (“the Dual-Use Catalogue”), the Catalogue of Prohibitive and Restrictive Technology for Export (“the Technology Catalogue”), or the List of Military Items subject to Export Management (“the Military List”). Below shows an example of goods or technologies related to automobiles on the control lists:
Exhibit A – the Dual-Use Catalogue
Exhibit B – the Technology Catalogue (Adjusted on 8 August 2020)
As an instance of controlled items such as the frequency converter, the data related to the development, production, or maintenance of the same item will be also controlled. As far as restrictive control technology No. 056101X is concerned, since it is likely to be related to national security and interest, though the license concerned is not a dual-use export license but a normal license only, the exporting company nevertheless should treat such technology control as a matter of export control under ECL and incorporate the same technology into its ICP. Obviously, any data relevant to such restrictive technology must also be covered by the export control ICP.
IV. Export Control ICP
Given that violation of ECL may result in five to ten times the value of the illegal revenue under ECL, the automotive company in China must put ICP in place so as to prevent the risks of violation. Such ICP can be prepared in line with “Guidance of the Ministry of Commerce on the Establishment of Internal Compliance Mechanism of Dual-Use Item Exporting Business Operators” (MOFCOM Order No. 10, 2021, “ICP Guidance”).
As far as controlled data is concerned, automotive companies need first identify the controlled goods, technologies, and services covered by the Dual-Use Catalogue or the Military List, then decide whether certain data is relevant to such controlled items and thus has been properly controlled. The companies then need to identify whether a given technology is on the Technology Catalogue. If on the list, the data relevant to the technology is also controlled, and the ICP must address the controlling of these data relevant to the controlled items or prohibited or restricted technologies. Such data must be stored on a server in China, not accessible by foreign nationals or foreign companies. A technical control plan is also desirable to control and trace such data flow, internal or external.