On 16 August 2021, the Cyberspace Administration of China (CAC), together with the National Development and Reform Commission (NDRC), the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security (MPS), and the Ministry of Transport (MOT), published the Provisions for the Administration of Automobile Data Security (Trial). The Provisions will formally come into effect from 1 October 2021.
All entities who may conduct automobile data processing activities will be subject to the Provisions, including automakers, parts and software suppliers, distributors, maintenance organisations and mobility service companies (including operators of ride-hailing platforms), etc.
The Provisions define ‘Sensitive Personal Information’ as personal information that, if leaked or used unlawfully, may lead to discriminatory treatment or serious damage to the personal or property safety of vehicle owners, drivers, passengers and people outside the vehicle. These include vehicle location tracking, audio, video, image and biometric characteristics.
Another important definition is that of ‘Important Data’. Compared with the original draft version (Call for Comments), the Provisions add two important data types to the category of ‘Important Data’, namely:
- Data reflecting economic operations such as vehicle flow, logistics, etc.;
- Personal Information involving more than 100,000 personal information subjects.
These important data must be stored in the territory of China. If, for business reasons, such important data is needed to be transferred overseas, a security assessment by CAC and other governmental authorities must be conducted. Data processors shall not provide important data outside the territory of China beyond the purposes, scope, methods, data type and scale specified during the security assessment. While the cross-border transfer of personal information that does not constitute important data, shall be conducted in accordance with applicable laws and administrative regulations.
The Provisions are among the industry-focused regulations on data security and personal information protection in China. Automobile companies having operations in China will be exposed to greater compliance risks in terms of data security and personal information protection. Automobile-related production, distribution and service companies should review and enhance internal procedures and policies of data processing related to automobiles and users, and closely monitor China’s cybersecurity developments.