The Smart Civil Aviation Development Leadership Team of Civil Aviation Administration of China (CAAC) released the updated versions of Measures for the Management of Civil Aviation Data (Draft for Comments) and Management Measures for Civil Aviation Data Sharing (Draft for Comments) on 4 June 2024 (hereinafter referred to as Management Measures (Draft for Comments) and Sharing Measures (Draft for Comments)), and solicited public opinions again, after the first solicitation in mid-March 2024. These measures aim to enhance civil aviation data management by standardising processes, ensuring data security, and promoting interconnectivity and data sharing. As a result, the industry can unlock the full potential value of data and improve governance capacity and service levels. This represents significant progress in utilising data elements within China’s civil aviation sector.
This two-part articledelves into the background, key requirements, and potential impacts of these two documents for stakeholders across the civil aviation industry. The goal is to assist both domestic and international civil aviation enterprises in preparing for their data operations and compliance initiatives.
If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].
Recent policy documents trace the origins of the introduction of the Management Measures (Draft for Comments) and the Sharing Measures (Draft for Comments). As early as 2020, the CAAC issued the Implementation Opinions on Promoting the Construction of New Infrastructure for High-Quality Development of Civil Aviation, which proposed the standards for key data fields and a data catalogue, aiming to standardise data sources and quality requirements to ensure accurate and timely data. Additionally, the Implementation Opinions emphasised the importance of establishing a data-sharing mechanism to achieve data grading, classification, and open sharing.
Subsequently, the CAAC issued top-level design documents such as the 14th Five-Year Plan for Civil Aviation Development and the Smart Civil Aviation Construction Roadmap in 2021 and 2022. These documents further clarified the objectives of the civil aviation big data governance mechanism. They emphasised the need to explore establishing a system aligned with data element characteristics, improve civil aviation data governance norms, and establish management measures and technical standards. The ultimate goal was to create an industry data resource catalogue, providing robust support for constructing the civil aviation big data system.
Following this, on 19 December 2022, the State Council issued the Opinions of the CPC Central Committee and the State Council on Building a Basic Data System to Better Play the Role of Data Elements (also known as the “Twenty Data Measures”), which provided precise guidance for the development of civil aviation big data. Building upon this, the CAAC outlined the framework and organisational system for civil aviation big data development in the Guidelines on Big Data Development in Civil Aviation and established the following “1+3+4+N” policy system framework in the Data Management Policy and Standards System for Smart Civil Aviation Construction.
Source: Page 4 of Data Management Policy and Standards System for Smart Civil Aviation Construction
Within the policy system framework, two key institutional documents stand out: the Management Measures (Draft for Comments) and the Sharing Measures (Draft for Comments). The Management Measures (Draft for Comments) provide comprehensive regulations for civil aviation data management, covering aspects such as overall requirements, management responsibilities, data aggregation, data sharing, and data security. Meanwhile, the Sharing Measures (Draft for Comments) govern civil aviation data resource sharing, addressing requirements, classification, catalogue compilation and management, provision, use, supervision and guarantees.
Regarding the scope of application, Article 3 of the Management Measures (Draft for Comments) stipulates: “These Measures shall apply to any institution or individual engaged in civil aviation data collection, storage, use, processing, transmission, provision, disclosure, destruction, and other data processing activities within the territory of the People’s Republic of China.” It is evident that the subject of the application of the Management Measures (Draft for Comments) is not limited to civil aviation enterprises (such as airlines and airports) but encompasses various entities engaged in civil aviation data processing activities within China (such as third-party agencies providing ticket booking services).
Specifically, for overseas civil aviation enterprises, the Management Measures (Draft for Comments) references the Personal Information Protection Law (hereinafter referred to as “PIPL”) with extraterritorial effect as its superior law. Furthermore, the expression of “any institution or individual within the territory of the People’s Republic of China” in the aforementioned Article 3 implies that the Management Measures (Draft for Comments) may apply to enterprises that have not established legal entities in China but engage in civil aviation data processing activities within China. For example, foreign airlines that collect and process passenger personal information and other civil aviation data based on their operation of civil aviation business within China’s territory– even without a formal legal presence - could fall within the scope of the Management Measures (Draft for Comments).
Additionally, the proposed Management Measures (Draft for Comments) state that “where laws and regulations have provisions on civil aviation data and related processing activities involving state secrets, or where laws and regulations have provisions on data management, such provisions shall prevail.” This serves as a reminder to relevant institutions and individuals that compliance with the Management Measures (Draft for Comments) must also align with the requirements from other laws and regulations related to state secrets. Examples include the Data Security Law (hereinafter referred to as “DSL”), the Cybersecurity Law, and the PIPL. This approach is consistent with the established practices in China’s legislative framework. For instance, the recently issued Administrative Measures for Data Security in the Field of Natural Resources by the Ministry of Natural Resources similarly emphasises compliance with relevant national and departmental confidentiality regulations for data processing activities involving state secrets or natural resource data integration.
Regarding separation of duties, the Management Measures (Draft for Comments) implements the functional divisions proposed in the Guidelines on Big Data Development in Civil Aviation. This establishes an organisational framework with an “internal-external division” to balance development and safety. Specifically, the Management Measures (Draft for Comments) delineate responsibilities as follows:
These two departments collectively form the “CAAC Data Coordinating Management Departments” as outlined in the Management Measures (Draft for Comments).
Regarding responsibilities, the Management Measures (Draft for Comments) mandate that the coordinating management department to collaborate with other departments to conduct supervision, inspection, and work evaluations. The results of these evaluation serve as a basis for assessing leaders' performance. Additionally, the coordinating management department possesses certain authorities, enabling it to issue corrective orders to civil aviation enterprises and institutions within specified timeframe. Failure to comply may prompt the coordinating management department to request the CAAC to issue a public reprimand.
The Management Measures (Draft for Comments) define civil aviation data as “original data and derived data generated electronically or in other ways in the process of industry development, regulatory enforcement, government administration, production and operation, service assurance, etc., or obtained through collection, monitoring and other means and used in civil aviation activities.”
Under the aforementioned definitions, the Management Measures (Draft for Comments) maintain the classification of civil aviation data into three types, as proposed in the Twenty Data Measures:
The entities involved in civil aviation data include various operating entities engaged in civil aviation activities, educational and research institutions, social organisations, enterprises, and other legal entities, as well as civil aviation administrative organs at all levels, institutions authorised by laws and regulations to manage public affairs, and civil aviation public service operating institutions such as airlines, airports, air traffic management agencies, and transport support enterprises.
In terms of the scope of data, the definition of civil aviation data is relatively broad, covering not only data directly related to civil aviation activities but also data generated in the process of engaging in civil aviation activities. For instance, employee personal information and other original data, along with its derivatives that are used in civil aviation activities and obtained by non-civil aviation entities fall under the definition. Furthermore, in addition to weather data collected by airlines, airports, and air traffic management bureaus, other enterprises and institutions (such as the National Meteorological Centre) may also collect meteorological data and cooperate with the Civil Aviation Meteorological Centre and regional air traffic management bureaus to use the data for civil aviation.
A notable highlight of the Management Measures (Draft for Comments) is the introduction of the concept and associated mechanisms of the Civil Aviation Data Resources Catalogue (hereinafter referred to as the “Resources Catalogue”). The Management Measures (Draft for Comments) stipulate that the coordinating management department is responsible for formulating, compiling, and issuing the management system for the Resources Catalogue. Civil aviation enterprises and institutions must create their own data resources catalogues in accordance with management requirements and the principle of “comprehensive compilation”. These catalogues must be reported to the CAAC through a unified platform for registration and consolidation.
The Resources Catalogue encompasses nearly all critical information about data resources, including:
The Resources Catalogue also serves as the foundation for implementing data classification and protection within the civil aviation industry. In accordance with the DSL, relevant departments must follow the data classification and protection system, clarify and compile specific catalogues of important data within their departments and related industries or fields, and implement stringent protection measures for these data.
As one of the relevant departments for the civil aviation industry, the CAAC inherently needs to compile a catalogue of important data within its department and the broader civil aviation sector. Methodologically, identifying important data begins with a comprehensive review of the data resources under its control. Subsequently, this data undergoes classification, followed by grading to identify the important data. Practically, formulating the Resources Catalogue benefits both data processors and regulatory authorities. Data processors, having a concrete understanding of their own data resources and industry context, can effectively conduct data classification and grading by compiling their data resources catalogue. Meanwhile, industry regulatory authorities need to consider industry data circumstances comprehensively, and select and publish a list of important data when formulating the catalogue.
Enterprises should start by conducting an inventory on their data resources and making preliminary selections based on regulatory authorities’ requirements for identifying important data (such as the forthcoming Regulations on Data Classification and Grading in Civil Aviation). The regulatory authority will then consolidate these selections to form the industry’s important data catalogue, which is a more pragmatic approach. This requirement is also consistent with the recent provisions of the Provisions on Promoting and Regulating Cross-border Data Flow issued by the Cyberspace Administration of China, which mandates that data processors “shall identify and report important data per the applicable provisions.”Additionally, the Management Measures (Draft for Comments) propose dividing data into sub-catalogues according to data attributes based on the Resources Catalogue, such as the Civil Aviation Shared Data Resources Catalogue and the Civil Aviation Public Data Resources Catalogue. The Civil Aviation Shared Data Resources Catalogue will also serve as the foundation for industry-level civil aviation data resource sharing under the Sharing Measures (Draft for Comments).
The civil aviation data processing entities are divided into four categories, aligning with recent local data transaction legislations issued by various provinces and autonomous regions:
The primary obligation of data users is to provide feedback on data quality to data providers, assisting in improving data quality. While data managers have broader responsibilities for overall management, most data collection-related obligations specified in the Management Measures (Draft for Comments) primarily fall on data providers, including:
The Management Measures (Draft for Comments) impose rigorous requirements on data providers, such as airlines and airports.