New Rules on Automotive Data Security to be Effective on 1 Oct 2021
With the proliferation of "smart" vehicle design and the advocation of smart cities initiatives, China has rolled out many innovative phone apps (apps for personal transportation, apps for monitoring public bus waiting time, etc, apps to monitor vehicle performance status, etc), and intelligent city infrastructure (dynamic tuning of traffic light timing, intelligent road-sign, etc). The success and operation of these designs rely heavily on big data provided by vehicle operators and passengers. The security and privacy of using these "automotive data" has become a concern and demand regulation to ensure the fair and secure use of these data.
The Cyberspace Administration of China (CAC) has circulated the Provisions on the Management of Automotive Data Security (Trial) 2021 ("Provisions") since May 2021. The Administration has passed this Provisions on 5 July 2021 and will be put in effect on 1 Oct 2021. The final release version made several changes compared to the previously circulated consultation version. This article gives a brief introduction of this Provisions.
Definitions and Applicability
The automotive data mentioned in this Provisions cover the personal data and important data in relation to the design, production, sales, use, operation and maintenance of automobiles.
Automotive data processing refers to the collection, storage, use, processing, transfer, provision and disclosure of automotive data.
The automotive data processors refer to the organizations that process automotive data, covering automotive manufacturers, components and software suppliers, dealers, services providers, and pay-for-delivery service providers.
Personal data includes data related to the identified or identifiable data associate with the automotive owners,
Important data means data that may, if disclosed, or used improperly, may affect national security or public interest. They include data such as military and government vehicle movements, operational data of E-vehicle charging status, facial recognition and license plate captured by on-board devices, etc.
Principles for the Automotive Data Processors
- In-car processing. All data are to be retained in the vehicle unless it is absolutely necessary.
- No collection by default. No data is being collected unless the driver intentionally enables it.
- Appropriate precision. The coverage, resolution and precision are determined on a case-by-case basis, depending on the purpose of the collection.
- Anonymity. Data should be de-identified or anonymized as much as possible.
Obligations of Automotive Data Processors
(1) Automotive data processors shall inform the automotive users and passengers the following information regarding the processing of personal information in a clear and obvious manner such as in the automobile user manual, on-board display panels, voice, and phone apps：
- The type of personal information that is processed, including vehicle locations, driving patterns, audio, video, images, and biometrics, etc.
- Conditions of collection and criteria and method for stopping the collection.
- The purpose and method of collection.
- The location where personal information is to be kept, the period for which it will be kept, or the criteria of the retention.
- Access and obtain copy of the personal information collected, as well as the method of requesting removal of personal information in the vehicle.
- Name and contact details of the person regarding the users' and passengers' right.
(2) Users or passengers' consent shall be obtained prior to all collection and processing of personal data, or relevant laws and regulations allow it. If consent cannot be obtained due to safety or other reasons, then all data should be anonymized, including masking of faces.
(3) If requested, personal data shall be removed within 10 working days.
Cross-border Data Transfer
All Important Data shall be retained within China. If cross-border transfer is needed, a risk assessment shall be submitted to relevant authorities for evaluation. Data not categorized as Important Data will be managed according to relevant data protection laws.
The type, purpose, scope and quantity of data processed and retained outside of China shall not be longer than what was agreed in the submitted risk assessment. The authority has the right to inspect the data at any time.
The automotive data processors will need to submit annual report to the relevant authorities by 15 Dec of each year on the following:
- The name and contact information of the person in charge of automotive data security management and user rights.
- The type, size, purpose and variety of automotive data being processed.
- Safeguarding and managing automotive data including storage location, retention period, etc.
- whether automotive data are provided to parties outside of China.
- automotive data security incidents and their handling.
- User complaints related to automotive data and their handling.
The Provisions are a good start for an important issue. For sure the Provisions would evolve into more structured regulations but it is a good effort to demonstrate China's commitment to protect personal data and the effort to keep the balance for economic development.
Article provided by: Chris Yau (SGS, Hong Kong)
Dr. Tobias Höllwarth (Managing Director INPLP)