On 12 May 2021 the Cyberspace Administration of China (CAC) issued Several Provisions on the Safety Management of Automobile Data (Draft) to solicit public opinion. The draft provisions provide a series of stringent data protection and cybersecurity rules for the automobile sector which will affect almost all players in the automobile industry chain. This article summarises the noteworthy rules that the draft provisions propose.

Applicability

The draft provisions apply to all operators in the automobile industry and some related sectors. This covers all enterprises and institutions which design, manufacture and carry out other services relating to automobiles, including:

  • automobile manufacturers;
  • component and software providers;
  • dealers;
  • repair and maintenance service providers;
  • online car-hailing enterprises; and
  • insurance companies.

Personal information and important data

The types of data which are subject to the draft provisions include:

  • personal information, which includes:
    • the personal information of car owners, drivers, passengers and pedestrians; and
    • any information that can be used to identify a person or describe their behaviour; and
  • important data, which includes:
    • data on the flow of people and vehicles in military administrative zones, institutions which are involved in state secrets (eg, science institutions and the national defence industry), Communist Party and government agencies at or above county level and other important sensitive areas;
    • surveying and mapping data with a precision higher than that of maps publicly released by the state;
    • operation data regarding the automobile charging network;
    • data on information such as the types of vehicle on the road and vehicle flow;
    • audio and video data captured outside a vehicle (eg, human faces, voices and licence plates); and
    • other data identified by the CAC and relevant State Council government departments that may affect national security and public interests.

Refraining from excessive data processing

Excessive data processing activities are generally prohibited. Operators must comply with the following rules:

  • Operators should handle data inside the car and not provide data externally unless absolutely necessary.
  • If it is absolutely necessary to provide data externally, operators should adopt anonymisation and desensitisation measures as far as possible.
  • Operators should determine the storage period of data according to the type of function and service provided.
  • Operators should determine the coverage range and resolution of equipment (eg, cameras and radars) according to the data precision requirements of the functions and services provided.
  • By default, operators should not collect data about a driver's journey unless absolutely necessary. Where a driver consents to data collection, such consent is valid only for the journey specified.
  • Operators should refrain from processing sensitive personal information (eg, the location of the car, and audio and video data relating to the driver and passengers) by complying with the following rules:
    • such processing must be for the purpose of directly serving drivers or passengers (eg, to enhance driving safety or assist with driving, navigation or entertainment);
    • by default, operators should not collect data. Operators should obtain the driver's consent for each journey and such consent automatically expires after the driver leaves the driver's seat;
    • operators should inform drivers and passengers that sensitive personal information is being collected (eg, by means of in-car display panels or a voice in the car);
    • the driver must be able to stop the collection of data easily and at any time;
    • operators should enable car owners to access any sensitive personal information collected easily and such information should be presented in a structured manner; and
    • if a driver requests that the operator delete the data, the operator should do so within two weeks.
  • Operators should refrain from processing biometric data (eg, fingerprints, voice prints, human faces and heart rhythms). Biometric data can be collected only for the purposes of facilitating the use and enhancing the security of vehicles' electronic and information systems. Alternative methods should be provided.

Notification and consent

Operators must provide the following information through the user manual, on-board display panel or other appropriate means:

  • the effective contact information of the person responsible for handling the user's rights and interests;
  • the type of data collected (eg, vehicle location, biometric characteristics, driving habits and audio and video);
  • the triggering conditions for the collection of each type of data and the method for stopping such collection;
  • the purpose of collecting each type of data;
  • the place and time limit for the storage of the data or the rules for determining such place and time limit; and
  • how to delete personal information captured inside the vehicle and request the deletion of personal information transferred outside the vehicle.

Unless otherwise provided for by laws and regulations, operators must obtain personal data subjects' consent before processing their personal information. Where it is difficult to obtain such consent (eg, for the collection of audio and video information from outside the car through cameras), operators should carry out anonymisation or desensitisation processing (eg, deleting pictures in which natural people can be identified or contour-processing faces in such pictures).

Cybersecurity obligations

Operators must:

  • implement the Multi-Level Protection Scheme (MLPS)(1) for cybersecurity protection;
  • strengthen the protection of personal information and important data; and
  • fulfil their cybersecurity obligations according to the law.

Data localisation and cross-border data transfer restrictions

The draft provisions propose the following stringent rules for data localisation and cross-border transfer of personal information and important data:

  • Personal information and important data must be stored in Chinese territory.
  • Where absolutely necessary, cross-border transfers of such data must pass the CAC's cross-border data transfer security assessment.
  • Operators must not provide personal information or important data overseas beyond the purpose, scope, method, data type and scale specified in the cross-border data transfer security assessment.
  • The CAC and other relevant State Council government departments may jointly examine the type and scope of personal information or important data provided overseas. Operators must provide the requested information in a clear and readable manner.

Reporting to authorities

Where the processing of personal information involves more than 100,000 personal data subjects or where important data is processed, operators must report the following matters to the cyberspace administration at the provincial level and the relevant department on an annual basis:

  • the name and contact information of the people in charge of data security and dealing with users' rights and interests;
  • the type, scale, purpose and necessity of the data to be processed;
  • data security protection and management measures (eg, storage place and term);
  • sharing of data with third parties in China;
  • cross-border data transfer circumstances (eg, name and contact information of the overseas recipients, type, quantity and purpose of cross-border transfer, place of storage, scope and method of use of the data outside of China and users' complaint-handling circumstances);
  • data security accidents and handling circumstances;
  • user complaints in relation to cross-border data transfer and handling circumstances; and
  • other data security information required by the CAC.

Comment

The draft provisions propose stringent and challenging requirements for almost all players in the automobile industry chain and beyond (eg, insurance companies). The draft provisions appear to be implementation rules made for the automobile sector pursuant to the draft Data Security Law and the draft Personal Information Protection Law, both of which were issued in April 2021 to solicit a second round of public opinion. The draft provisions generally align with the provisions of these two draft laws. Therefore, it is believed that most of the rules of the draft provisions will likely remain in the final version. Companies affected by the draft provisions are advised to examine their data processing activities and monitor developments in this area closely.

Endnotes

(1) The MLPS is part of the current Chinese cybersecurity regulatory framework. It requires virtually all organisations in China to classify the security levels of their networks and systems and adopt a set of security measures to manage cyber risks. Failing to implement the MLPS may result in administrative penalties or criminal liabilities.