From May 12, 2021 to June 11, CAC called for public comments on the Regulations on Automobile Data Security Management (Draft for Comments).

The document aims to regulate automobile data processing activities and safeguard national security and public interests. Therefore, some relevant automobile data will be affected by this regulation, including:

  1. Data involving the flow of people and vehicles in military administrative zones, units involving state secrets such as science and industry for national defense, party and government offices above the county level and other important sensitive areas.
  2. Mapping data with a precision higher than the precision issued by the government.
  3. Operation data of automobile charging networks.
  4. Data covering types and flow of vehicles on road.
  5. Audio and visual non-vehicle data, including human face, voice, license plate, etc.

The Draft gives particular attention to the operators in China that collect, analyse, store, transmit, inquire, use, delete, or transfer abroad personal information or important data during their design, production, sales, operations and management processes. The Draft, therefore, involves institutions along the whole chain of the automobile market, with the aim of forming a closed-loop protection of automobile data.

The Draft also introduces detailed regulations on the whole process of automobile data, proposing that automobile data operators, when processing personal information and important data, should adhere to the principles of in-car processing, anonymous processing, minimum storage period, moderate precision, and default non-collection.

In terms of cross-border data transfers, the requirements for data exit are described in the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law (second draft). For instance, Article 38 of the Personal Information Protection Law (second draft) stipulates that there are three paths for the cross-border provision of personal information: (i) security assessment, (ii) personal information protection certification, (iii) standard contract. Still, Article 12 of the Draft indicates that only the security assessment path will be allowed for personal information and important data collected and generated in the process of motor traffic and transportation activities: “personal information or important data should be stored within China in accordance with the law, and if it is necessary to provide overseas, it should pass the data exit security assessment organized by the Cyberspace Administration of China”.

Related information:

In December 2020, the Chinese government issued the mandatory national standard Vehicle Incident Data Recording System, requiring all vehicles sold to be equipped with EDR recording equipment; however, the standard will not be formally implemented until January 1, 2022. Existing laws from China and abroad attribute the control of driving data to individuals. In practice, it is still the car companies that actually control this data. The ownership of driving data is relatively vague, and there are no comprehensive domestic laws and regulations on data retrieval. Previously, no domestic car enterprise granted data query authority to users, so car owners, lacking legal support, had significant difficulty obtaining driving data in case of disputes with the car company.

However, improvements at the regulatory level have recently accelerated. On April 28, TC260 released a call for comments on the draft standard Information Security – Connected Vehicles – Security Requirements for Data Collection. The draft aims to regulate data processing related activities of mass-production passenger cars with networking capabilities, putting forward security requirements for data transmission, storage and cross-border activities. Similar to the draft from CAC, the draft from TC260 explicitly states that:

  1. Vehicles are not allowed to transmit to the outside of the vehicle any data containing personal information, for instance through the network or physical interface, without the individual consent of the person whose personal information is being collected.
  2. The transmission of audio, video, image and other data collected in the cockpit of the vehicle is prohibited.
  3. Data on roads, buildings, terrain and traffic participants, as well as the position and trace collected outside the vehicle by sensors such as cameras and radars, is not allowed to be transferred outside China.