The Regulation, the draft of which was first introduced in May 2021 for public comment (see our earlier alert), is formulated based on the PRC Cybersecurity Law, the PRC Data Security Law, the newly passed Personal Information Protection Law (PIP Law) and other laws and regulations. It aims to strengthen protection of personal information and important data in automobile-related activities and to safeguard national security and the public interest. This alert summarizes key points under the Regulation.
Scope of Application
The Regulation governs the processing of personal information (Personal Information) and important data (Important Data) involved in automotive design, production, sales, use, operation and maintenance, etc. (collectively, Automobile Data) within the territory of the PRC. Automobile Data processors (Processors) covered by the Regulation include automakers, parts and software suppliers, distributors, maintenance organizations and mobility service companies (including ride-hailing platform operators).
The Regulation adopts the same approach in defining Personal Information and sensitive personal information (Sensitive Personal Information) as the newly passed PIP Law, with an application to the automobile industry.
“Personal Information” under the Regulation refers to all kinds of electronic or otherwise recorded information related to the identified or identifiable vehicle owners, drivers, passengers and persons outside vehicles, etc., not including information that has been anonymized.
The Regulation defines “Sensitive Personal Information” as personal information whose leakage or unlawful use may lead to discriminatory treatment or serious damage to the personal or property safety of vehicle owners, drivers, passengers and persons outside the vehicle, including vehicle location tracking, audio, video, image and biometric characteristics.
Another important definition under the Regulation is “Important Data”, which refers to data which may endanger national security, public interests or the legitimate rights and interests of individuals or organizations if it is tampered with, damaged, disclosed, illegally obtained or illegally used, including:
- Geographic information, passenger flow, vehicle flow and other data of important sensitive areas such as military administrative zones, entities of science, technology and industry for national defense, and Chinese Communist Party organizations and government agencies at or above the county level;
- Data reflecting economic operation such as vehicle flow, logistics, etc.;
- Operational data of the automobile charging network;
- Video and image data outside the vehicles that contain facial information, license plate information, etc.;
- Personal Information involving more than 100,000 personal information subjects;
- Other data that may affect national security, public interest and the legitimate rights and interests of individuals or organizations as specified by the State Cyberspace Administration and other relevant departments of the State Council.
Key Principles and Requirements of Automobile Data Processing
Processors are required to comply with the following key principles and requirements when processing Automobile Data:
Key Principles
- The principle of in-car processing: Automobile Data should be processed inside a car, unless it is absolutely necessary to provide the data outside the car;
- The principle of no collection by default: “No collection” shall be set as default for every drive, unless the driver independently sets it otherwise;
- The principle of proper precision: The coverage and resolution of cameras, radar, etc. shall be determined according to the data accuracy requirements of the functional services provided;
- The principle of desensitization: Anonymization and de-identification shall be conducted as much as possible.
Key Requirements
When processing Personal Information, Processors must inform individuals of the following items in an obvious way, such as through a user manual, onboard display panel, audio or vehicle use application:
- Type of data collected, including vehicle location tracking, driving habits, audio, video, images, and biological characteristics, etc.;
- Specific circumstances under which various personal information will be collected and the methods and approaches for stopping the collection;
- Purposes, use and methods of processing various personal information;
- Storage location and retention period of personal information, or rules for determining the storage location and retention period;
- Methods and approaches for making inquiries and copies of personal information, deleting personal information inside the vehicle and requesting the deletion of personal information that has been provided outside the vehicle;
- Name and contact information of the liaison for user rights affairs;
- Other items required by laws and administrative regulations.
When collecting Personal Information, Processors shall obtain the consent of the person whose Personal Information is being collected, except where the laws and administrative regulations do not require personal consent. If it is difficult to obtain the consent in reality and if it is indeed necessary to collect and provide such Personal Information apart from the purpose of driving safety, the information to be provided must be anonymized, including deleting images that can identify natural persons, or partly contouring human faces in these images, etc.
The Regulation sets out the following requirements for Processors to process Sensitive Personal Information:
- The processing activities shall be for the purpose of directly serving the individuals, including enhancing driving safety, intelligent driving and navigation, etc.;
- Individuals shall be informed of the necessity of the processing and its impact on them through a user manual, onboard display panel, voice, vehicle use application or other obvious means;
- Separate consent from an individual shall be obtained and the individual may set the time limit for consent independently;
- Under the premise of ensuring driving safety, the Processor shall remind the individuals of the collection status in a proper manner to allow individuals to terminate the collection conveniently;
- When an individual requests the Processor to delete his or her Sensitive Personal Information, the Processor must delete it within ten working days.
Processors can only collect biometric information such as fingerprints, voice prints, faces and heart rhythm where the purpose is to enhance driving safety and the collection is sufficiently necessary.
Processors conducting processing activities shall also establish channels for complaints and reports for their customers and handle the complaints and reports they receive in a timely manner.
Strict Restrictions and Requirements on Cross-Border Transfer
The Regulation requires that Important Data be stored in the PRC in accordance with the law. If there is a business need to transfer any Important Data overseas, a security assessment organized by the CAC and other governmental authorities must be conducted. Cross-border transfer of Personal Information that does not constitute Important Data shall be conducted in accordance with applicable laws and administrative regulations.
Processors shall not provide Important Data outside the territory of the PRC beyond the purpose, scope, method, data type and scale specified during the cross-border transfer security assessment.
Reporting Obligations
Processors dealing with Important Data are required to report the following information regarding data security management status to the provincial counterparts of the CAC and other relevant departments prior to December 15 each year:
- The name and contact information of (i) the personnel in charge of Automobile Data security management, and (ii) the contact person for matters concerning users’ rights and interests;
- The type, scale, purpose, and necessity of processing Automobile Data;
- The security protection and management measures of Automobile Data, including the storage location and retention period, etc.;
- Provision of Automobile Data to third parties in the PRC;
- Security incidents and the disposal status of the Automobile Data;
- Customer complaints related to the Automobile Data and the handling status;
- Other information specified by CAC and other relevant departments.
Our Observations
With the promulgation of the Cybersecurity Law, Data Security Law and PIP Law, the Chinese government has established a foundational legal framework for regulating cybersecurity, data security and personal information protection. This Regulation is one of the first industry-focused regulations on data security and personal information protection. Automobile companies with operations in China (including foreign-invested automobile manufacturers, distributors, and service providers) will be exposed to greater compliance risks in terms of data security and personal information protection.
We suggest that automobile-related production, distribution and service companies review and enhance their internal procedures and policies for the collection, processing, storage localization and transfer of Personal Information and Important Data related to automobiles and users, and closely monitor China’s cybersecurity developments.