China Publishes Regulations on Management of Automobile Data Security

On 16 August 2021, Several Regulations on the Management of Automobile Data Security (for Trial Implementation) (汽车数据安全管理若干规定(试行), "Automobile Data Regulations") were jointly promulgated by five departments / ministries of China (including the Cyberspace Administration of China and the PRC Ministry of Industry and Information Technology). The Automobile Data Regulations took effect on 1 October 2021. We list down below the key highlights of the Automobile Data Regulations.

Key Features of the Automobile Data Regulations

Definition of Important Data

Article 3 of the Automobile Data Regulations provides for the definition of Personal Information, Sensitive Personal Information, and Important Data. It is notable that the Automobile Data Regulations explicitly define the scope of important data for the automotive industry ("Important Data") as the "data which once tampered with, damaged, leaked or illegally obtained or utilized, may endanger national security, public interests or the legitimate rights and interests of individuals and organizations". Important Data includes:

1. Data on the geographic information, flow of people and vehicles in important sensitive areas such as military management zones, national defence science and engineering units and governmental authorities at or above the county level;
2. Vehicle flow, logistics and other data reflecting economic operating status;
3. Operating data of vehicle-charging networks;
4. Audio and video data outside a vehicle, such as face information and licence plate information;
5. Personal information involving more than 100,000 individuals;
6. Other data that may endanger national security, public interests or the legitimate rights and interests of individuals or organisations as specified by the State Cyberspace Administration and relevant departments of the State Council, such as development and reform, industry and information technology, public security, and transportation.

Key Principles for Handling Information

Article 6 of the Automobile Data Regulations provides four key principles for handling personal information and Important Data, comprising the following:

1. the Principle of processing data inside vehicles (车内处理原则);
2. the Principle of non-collection by default (默认不收集原则);
3. the Principle of applying the appropriate range of accuracy (精度范围适用原则); and
4. the Principle of processing with de-sensitisation (脱敏处理原则).

Articles 7 through 10 of the Automobile Data Regulations further elaborate on different detailed requirements for handling Personal Information, Sensitive Personal Information, and Important Data.

Restrictions and Requirements on Cross-Border Transfer and Reporting Obligations on the Operators

According to Article 11, Important Data shall be stored within the territory of China in accordance with the law, and if it is necessary to transfer the Important Data to a country or place outside PRC due to business needs, such transfer will be subject to security assessment by relevant governmental authorities. The storage and cross-border transfer of Personal Information which is not Important Data shall be handled in accordance with relevant provisions of laws and administrative regulations. You may refer to our Legal Update on the PRC Personal Information Protection Law for more information here.

Article 12 further provides that automobile data processors shall not transfer the Important Data to a country or place outside the territory of the PRC beyond the purpose, scope, method, data type, and scale specified during the cross-border transfer security assessment.

According to Article 13, automobile data processors who process Important Data are required to report their annual data security management status to the relevant authorities prior to 15 December of each year. Article 14 further stipulates that automobile data processors who carry out cross-border transfers of Important Data shall report more information regarding such cross-border transfer.

What Businesses Need to Do

China has continuously strengthened the legislation and regulation of cybersecurity, data security and protection of personal information protection in recent years. The Automobile Data Regulations are the regulatory responses to the growing concerns regarding data security as smart cars continue to evolve and prosper in China. It is advisable for companies in the automotive industry to conduct a systematic review and assessment of the current status of their internal procedures and policies of collection, processing, localised storage, and cross-border transfer of Personal Information and Important Data.