Alert
09.02.21
The Regulation will come into effect on October 1, 2021. All automobile data processing activities conducted within the mainland People’s Republic of China (PRC or China) are subject to the Regulation. The Regulation aims to strengthen data protection in the automobile industry.
The Regulation, the draft of which was first introduced in May 2021 for public comment (see our earlier alert), is formulated based on the PRC Cybersecurity Law, the PRC Data Security Law, the newly passed Personal Information Protection Law (PIP Law) and other laws and regulations. It aims to strengthen protection of personal information and important data in automobile-related activities and to safeguard national security and the public interest. This alert summarizes key points under the Regulation.
Scope of Application
The Regulation governs the processing of personal information (Personal Information) and important data (Important Data) involved in automotive design, production, sales, use, operation and maintenance, etc. (collectively, Automobile Data) within the territory of the PRC. Automobile Data processors (Processors) covered by the Regulation include automakers, parts and software suppliers, distributors, maintenance organizations and mobility service companies (including ride-hailing platform operators).
The Regulation adopts the same approach to defining Personal Information and sensitive personal information (Sensitive Personal Information) as the newly passed PIP Law, applied to the automobile industry.
“Personal Information” under the Regulation refers to all kinds of electronic or otherwise recorded information related to the identified or identifiable vehicle owners, drivers, passengers and persons outside vehicles, etc., not including information that has been anonymized.
The Regulation defines “Sensitive Personal Information” as personal information whose leakage or unlawful use may lead to discriminatory treatment or serious damage to the personal or property safety of vehicle owners, drivers, passengers and persons outside the vehicle, including vehicle location tracking, audio, video, image and biometric characteristics.
Another important definition under the Regulation is “Important Data”, which refers to data which may endanger national security, public interests or the legitimate rights and interests of individuals or organizations if it is tampered with, damaged, disclosed, illegally obtained or illegally used, including:
Key Principles and Requirements of Automobile Data Processing
Processors are required to comply with the following key principles and requirements when processing Automobile Data:
Key Principles
Key Requirements
When processing Personal Information, Processors must inform individuals of the following items in an obvious way, such as through a user manual, onboard display panel, audio, or vehicle use application:
When collecting Personal Information, Processors shall obtain the consent of the person whose Personal Information is being collected, except where the laws and administrative regulations do not require personal consent. If it is difficult to obtain the consent in reality and if it is indeed necessary to collect and provide such Personal Information apart from the purpose of driving safety, the information to be provided must be anonymized, including deleting images that can identify natural persons, or partly contouring human faces in these images, etc.
The Regulation sets out the following requirements for Processors to process Sensitive Personal Information:
Processors can only collect biometric information such as fingerprints, voice prints, faces and heart rhythm where there is a purpose of, and sufficient necessity for, enhancing driving safety.
Processors conducting processing activities shall also establish channels for complaints and reports for their customers and handle the complaints and reports they receive in a timely manner.
Strict Restrictions and Requirements on Cross-Border Transfer
The Regulation requires that Important Data be stored in the PRC in accordance with the law. If there is a business need to transfer any Important Data overseas, a security assessment organized by the CAC and other governmental authorities must be conducted. Cross-border transfer of Personal Information that does not constitute Important Data shall be conducted in accordance with applicable laws and administrative regulations.
Processors shall not provide Important Data outside the territory of the PRC beyond the purpose, scope, method, data type and scale specified during the cross-border transfer security assessment.
Reporting Obligations
Processors dealing with Important Data are required to report the following information regarding data security management status to the provincial counterparts of the CAC and other relevant departments prior to December 15 each year:
Our Observations
With the promulgation of the Cybersecurity Law, Data Security Law and PIP Law, the Chinese government has established a foundational legal framework for regulating cybersecurity, data security and personal information protection. This Regulation is one of the first industry-focused regulations on data security and personal information protection. Automobile companies with operations in China (including foreign-invested automobile manufacturers, distributors, and service providers) will be exposed to greater compliance risks in terms of data security and personal information protection.
We suggest that automobile-related production, distribution and service companies review and enhance their internal procedures and policies for the collection, processing, storage localization and transfer of Personal Information and Important Data related to automobiles and users, and closely monitor China’s cybersecurity developments.