China’s Data and Privacy Regime for the Civil Aviation Sector is Under Design: An Initial Exploration of Regulatory Blueprint (Part I)

The Smart Civil Aviation Development Leadership Team of Civil Aviation Administration of China (CAAC) released the updated versions of Measures for the Management of Civil Aviation Data (Draft for Comments) and Management Measures for Civil Aviation Data Sharing (Draft for Comments) on 4 June 2024 (hereinafter referred to as Management Measures (Draft for Comments) and Sharing Measures (Draft for Comments)), and solicited public opinions again, after the first solicitation in mid-March 2024. These measures aim to enhance civil aviation data management by standardising processes, ensuring data security, and promoting interconnectivity and data sharing. As a result, the industry can unlock the full potential value of data and improve governance capacity and service levels. This represents significant progress in utilising data elements within China’s civil aviation sector.

This two-part articledelves into the background, key requirements, and potential impacts of these two documents for stakeholders across the civil aviation industry. The goal is to assist both domestic and international civil aviation enterprises in preparing for their data operations and compliance initiatives.

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].

 

1. History of Data Regulation in Civil Aviation

Recent policy documents trace the origins of the introduction of the Management Measures (Draft for Comments) and the Sharing Measures (Draft for Comments). As early as 2020, the CAAC issued the Implementation Opinions on Promoting the Construction of New Infrastructure for High-Quality Development of Civil Aviation, which proposed the standards for key data fields and a data catalogue, aiming to standardise data sources and quality requirements to ensure accurate and timely data. Additionally, the Implementation Opinions emphasised the importance of establishing a data-sharing mechanism to achieve data grading, classification, and open sharing.

Subsequently, the CAAC issued top-level design documents such as the 14^th Five-Year Plan for Civil Aviation Development and the Smart Civil Aviation Construction Roadmap in 2021 and 2022. These documents further clarified the objectives of the civil aviation big data governance mechanism. They emphasised the need to explore establishing a system aligned with data element characteristics, improve civil aviation data governance norms, and establish management measures and technical standards. The ultimate goal was to create an industry data resource catalogue, providing robust support for constructing the civil aviation big data system.

Following this, on 19 December 2022, the State Council issued the Opinions of the CPC Central Committee and the State Council on Building a Basic Data System to Better Play the Role of Data Elements (also known as the “Twenty Data Measures”), which provided precise guidance for the development of civil aviation big data. Building upon this, the CAAC outlined the framework and organisational system for civil aviation big data development in the Guidelines on Big Data Development in Civil Aviation and established the following “1+3+4+N” policy system framework in the Data Management Policy and Standards System for Smart Civil Aviation Construction.

Source: Page 4 of Data Management Policy and Standards System for Smart Civil Aviation Construction

Within the policy system framework, two key institutional documents stand out: the Management Measures (Draft for Comments) and the Sharing Measures (Draft for Comments). The Management Measures (Draft for Comments) provide comprehensive regulations for civil aviation data management, covering aspects such as overall requirements, management responsibilities, data aggregation, data sharing, and data security. Meanwhile, the Sharing Measures (Draft for Comments) govern civil aviation data resource sharing, addressing requirements, classification, catalogue compilation and management, provision, use, supervision and guarantees.

2. Data Management Rules and Core Requirements

I. Scope of Application

Regarding the scope of application, Article 3 of the Management Measures (Draft for Comments) stipulates: “These Measures shall apply to any institution or individual engaged in civil aviation data collection, storage, use, processing, transmission, provision, disclosure, destruction, and other data processing activities within the territory of the People’s Republic of China.” It is evident that the subject of the application of the Management Measures (Draft for Comments) is not limited to civil aviation enterprises (such as airlines and airports) but encompasses various entities engaged in civil aviation data processing activities within China (such as third-party agencies providing ticket booking services).

Specifically, for overseas civil aviation enterprises, the Management Measures (Draft for Comments) references the Personal Information Protection Law (hereinafter referred to as “PIPL”) with extraterritorial effect as its superior law. Furthermore, the expression of “any institution or individual within the territory of the People’s Republic of China” in the aforementioned Article 3 implies that the Management Measures (Draft for Comments) may apply to enterprises that have not established legal entities in China but engage in civil aviation data processing activities within China. For example, foreign airlines that collect and process passenger personal information and other civil aviation data based on their operation of civil aviation business within China’s territory– even without a formal legal presence - could fall within the scope of the Management Measures (Draft for Comments).

Additionally, the proposed Management Measures (Draft for Comments) state that “where laws and regulations have provisions on civil aviation data and related processing activities involving state secrets, or where laws and regulations have provisions on data management, such provisions shall prevail.” This serves as a reminder to relevant institutions and individuals that compliance with the Management Measures (Draft for Comments) must also align with the requirements from other laws and regulations related to state secrets. Examples include the Data Security Law (hereinafter referred to as “DSL”), the Cybersecurity Law, and the PIPL. This approach is consistent with the established practices in China’s legislative framework. For instance, the recently issued Administrative Measures for Data Security in the Field of Natural Resources by the Ministry of Natural Resources similarly emphasises compliance with relevant national and departmental confidentiality regulations for data processing activities involving state secrets or natural resource data integration.

II. Coordinating Management Departments and Penalties for Violations

Regarding separation of duties, the Management Measures (Draft for Comments) implements the functional divisions proposed in the Guidelines on Big Data Development in Civil Aviation. This establishes an organisational framework with an “internal-external division” to balance development and safety. Specifically, the Management Measures (Draft for Comments) delineate responsibilities as follows:

• Smart Civil Aviation Development Leadership Team is responsible for data sharing governance and promoting the external circulation of data elements.
• Civil Aviation Data Security Work Leading Group Office oversees internal data security regulations, including data classification and grading for internal data security management.

These two departments collectively form the “CAAC Data Coordinating Management Departments” as outlined in the Management Measures (Draft for Comments).

Regarding responsibilities, the Management Measures (Draft for Comments) mandate that the coordinating management department to collaborate with other departments to conduct supervision, inspection, and work evaluations. The results of these evaluation serve as a basis for assessing leaders' performance. Additionally, the coordinating management department possesses certain authorities, enabling it to issue corrective orders to civil aviation enterprises and institutions within specified timeframe. Failure to comply may prompt the coordinating management department to request the CAAC to issue a public reprimand.

III. Definition and Classification of “Civil Aviation Data”

The Management Measures (Draft for Comments) define civil aviation data as “original data and derived data generated electronically or in other ways in the process of industry development, regulatory enforcement, government administration, production and operation, service assurance, etc., or obtained through collection, monitoring and other means and used in civil aviation activities.”

Under the aforementioned definitions, the Management Measures (Draft for Comments) maintain the classification of civil aviation data into three types, as proposed in the Twenty Data Measures:

• Public Data: This category includes data collected and generated by various levels of civil aviation administrative organs, institutions authorised by laws and regulations to manage public affairs, and civil aviation public service operating institutions (such as air transport companies, airports, air traffic management agencies, and transport support enterprises). Public data is used for industry regulation, safety assurance, macro-control, market management, and operational monitoring.

• Enterprise data: This category includes data unrelated to personal information and public interest, and is collected and processed by various operating entities, educational and research institutions, social organisations, and enterprises engaged in civil aviation activities during their production and operation activities. Notably, enterprise data required by the government for lawful duties or public service purposes also falls under the category of public data for that specific use and must be used according to public data limitations.
• Personal Information Data: This type of civil aviation data contains personal information. The definition of personal information is consistent with that in PIPL.

The entities involved in civil aviation data include various operating entities engaged in civil aviation activities, educational and research institutions, social organisations, enterprises, and other legal entities, as well as civil aviation administrative organs at all levels, institutions authorised by laws and regulations to manage public affairs, and civil aviation public service operating institutions such as airlines, airports, air traffic management agencies, and transport support enterprises.

In terms of the scope of data, the definition of civil aviation data is relatively broad, covering not only data directly related to civil aviation activities but also data generated in the process of engaging in civil aviation activities. For instance, employee personal information and other original data, along with its derivatives that are used in civil aviation activities and obtained by non-civil aviation entities fall under the definition. Furthermore, in addition to weather data collected by airlines, airports, and air traffic management bureaus, other enterprises and institutions (such as the National Meteorological Centre) may also collect meteorological data and cooperate with the Civil Aviation Meteorological Centre and regional air traffic management bureaus to use the data for civil aviation.

IV. Civil Aviation Data Resources Catalogue

A notable highlight of the Management Measures (Draft for Comments) is the introduction of the concept and associated mechanisms of the Civil Aviation Data Resources Catalogue (hereinafter referred to as the “Resources Catalogue”). The Management Measures (Draft for Comments) stipulate that the coordinating management department is responsible for formulating, compiling, and issuing the management system for the Resources Catalogue. Civil aviation enterprises and institutions must create their own data resources catalogues in accordance with management requirements and the principle of “comprehensive compilation”. These catalogues must be reported to the CAAC through a unified platform for registration and consolidation.

The Resources Catalogue encompasses nearly all critical information about data resources, including:

• Basic Information: data name, data content, data format, data provider, update frequency, etc.
• Attributes: public attributes, sharing type, security level, etc.
• Usability: requirements for use, conditions of use, scope of application, etc.

The Resources Catalogue also serves as the foundation for implementing data classification and protection within the civil aviation industry. In accordance with the DSL, relevant departments must follow the data classification and protection system, clarify and compile specific catalogues of important data within their departments and related industries or fields, and implement stringent protection measures for these data.

As one of the relevant departments for the civil aviation industry, the CAAC inherently needs to compile a catalogue of important data within its department and the broader civil aviation sector. Methodologically, identifying important data begins with a comprehensive review of the data resources under its control. Subsequently, this data undergoes classification, followed by grading to identify the important data. Practically, formulating the Resources Catalogue benefits both data processors and regulatory authorities. Data processors, having a concrete understanding of their own data resources and industry context, can effectively conduct data classification and grading by compiling their data resources catalogue. Meanwhile, industry regulatory authorities need to consider industry data circumstances comprehensively, and select and publish a list of important data when formulating the catalogue.

Enterprises should start by conducting an inventory on their data resources and making preliminary selections based on regulatory authorities’ requirements for identifying important data (such as the forthcoming Regulations on Data Classification and Grading in Civil Aviation). The regulatory authority will then consolidate these selections to form the industry’s important data catalogue, which is a more pragmatic approach. This requirement is also consistent with the recent provisions of the Provisions on Promoting and Regulating Cross-border Data Flow issued by the Cyberspace Administration of China, which mandates that data processors “shall identify and report important data per the applicable provisions.”

Additionally, the Management Measures (Draft for Comments) propose dividing data into sub-catalogues according to data attributes based on the Resources Catalogue, such as the Civil Aviation Shared Data Resources Catalogue and the Civil Aviation Public Data Resources Catalogue. The Civil Aviation Shared Data Resources Catalogue will also serve as the foundation for industry-level civil aviation data resource sharing under the Sharing Measures (Draft for Comments).

3. Roles and Responsibilities of Data Management

The civil aviation data processing entities are divided into four categories, aligning with recent local data transaction legislations issued by various provinces and autonomous regions:

• Data Provider: The department or institution that collects, stores, processes, and provides data;
• Data User: The individual, department, or institution that obtains and utilises data;
• Data Manager: The department or institution authorised by national laws, regulations and policy documents to guide, supervise and manage the civil aviation data within the industry, the field and the institution;
• Data Platform: The department, organisation, or institution responsible for the construction, management, and operation of various data sharing and service platforms at all levels.

The primary obligation of data users is to provide feedback on data quality to data providers, assisting in improving data quality. While data managers have broader responsibilities for overall management, most data collection-related obligations specified in the Management Measures (Draft for Comments) primarily fall on data providers, including:

The Management Measures (Draft for Comments) impose rigorous requirements on data providers, such as airlines and airports.

• Data Dispersal: Data resources are often scattered across different departments and systems within a company. To ensure comprehensive coverage in the resources catalogue, enterprises need to invest significant effort and coordinate among various departments, which could pose financial, human resources, and time-related challenges in practice.
• Adherence to Requirements: The Management Measures (Draft for Comments) stipulate that data collection activities must adhere to the update frequency and format requirements specified in the Resources Catalogue. However, given the complex and variable nature of real-world circumstances, institutions’ data activities may undergo significant changes, and their daily data resources may fluctuate, making full compliance challenging for enterprises.
• Post-Monitoring and Inspection: The Management Measures (Draft for Comments) also require data providers to conduct post-monitoring and inspection to ensure data’s standardisation, completeness, accuracy, consistency, timeliness, and accessibility. Due to the vast and frequently updated data volumes, more effective methods and motivation are needed to verify the quality of historical data.
• Financial Burdens: Implementing these measures may place additional financial burdens on enterprises. Consequently, the high standards set for data providers in the Management Measures (Draft for Comments) may require revision during practical implementation.