China Publishes New Draft Regulations on Data Security Management of Automobile Operators to Protect Privacy

Scope and Target of the Draft Regulations

The Draft Regulations would apply to the entire life cycle of automobiles, including design, production, sales, operation, maintenance, and management of automobiles within the territory of the PRC. The relevant “operators” must collect, analyze, store, transmit, query, utilize, delete and provide/transfer personal information and important data in compliance with the requirements of the Draft Regulations.

“Operators” who are governed by the Draft Regulations refer to automobile design, manufacturing, and service companies, including automobile manufacturers, parts and software suppliers, car dealers, maintenance firms, online car ride-hailing companies, and insurance companies, etc.

Definitions for Personal Information, Sensitive Personal Information and Important Data

The Draft Regulations focus on the protection of both personal information and important data.

“Personal Information” refers to personal information of car owners, drivers, passengers, pedestrians, etc., and various information that can infer personal identity, describe personal behavior, etc. It is consistent with the definition under the recently released draft Personal Information Protection Law, in which, personal information is defined as various types of information recorded in electronic or other forms relating to an identified or identifiable natural person, excluding information after anonymization.   

“Sensitive Personal Information” is defined in the Draft Regulations to include vehicle location, audio and/or video of driver or passenger, etc., as well as data that can be used to determine whether the driving is in violation, etc.

The Draft Regulations are the first legislation that clarifies the scope of “important data” from an industry perspective after this concept was first referred to in the Draft Measures on Security Assessment of Cross-Border Transfer of Personal Information and Important Data issued by CAC for public comment on April 11, 2017. 

“Important Data” includes the following information under the Draft Regulations:

• Data on the flow of people and vehicles in important sensitive areas such as military management zones, national defense science and engineering units involving state secrets, and party and government agencies at or above the county level;
• Surveying and mapping data higher than the accuracy of publicly released maps of the state;
• Operating data of the car-charging network;
• Data such as vehicle types and vehicle flow on the road;
• External audio and video data including faces, voices, license plates, etc.;
• Other data that may affect national security and public interest as specified by the State Cyberspace Administration and relevant departments of the State Council.

Key Principles and Requirements for Handling Information

Operators are required to comply with the following key principles and requirements in the process of handling Personal Information and Important Data:

Key Principles

• The principle of handling in the car—unless it is absolutely necessary to provide the information outside the car;
• The principle of anonymization—if it is absolutely necessary to provide the information outside the vehicle, anonymization and desensitization shall be performed as much as possible;
• The principle of minimum retention period—the data retention period shall be determined according to the types of functional services provided;
• The principle of application with accurate range—the coverage area and the resolution ratio of camera, radar and etc. shall be determined according to requirements on the data accuracy of functional services provided;
• The principle of non-collection by default—unless it is absolutely necessary, “not to collect” shall be set as default for each time of driving, and the driver's consent and authorization are only valid for this driving.

Key Requirements

• When handling Personal Information, Operators must inform car users effective contact information of the person responsible for handling car users’ rights and the type of data collected (including vehicle location, biological characteristics, driving habits, audio and video, etc.) through the user manual, onboard display panel or other appropriate methods.
• When collecting Personal Information, Operators shall obtain the consent of the person whose Personal Information is being collected, except where the laws and regulations do not require personal consent. If it is difficult to obtain the consent in reality (such as collecting audio and video information outside the car through a camera) and if it is indeed necessary to collect and provide such Personal Information, the information to be provided must be anonymized or desensitized, including deleting images that can identify natural persons, or partly contouring human faces in these images, etc.
• Biometric data such as fingerprints, voiceprints, face, heart rhythm, etc. of drivers can only be collected for the convenience of car users and to increase the security of vehicle electronics and information systems. At the same time, alternative methods of biometrics should be provided.
• Collection of “Sensitive Personal Information” and transfer such sensitive information outside the vehicle Operators are subject to the following conditions:

- The collection and transfer (outside the vehicle) must be for the purpose of directly serving the driver or passenger, including enhancing driving safety, assisting driving, navigation, entertainment, etc.;

- The default must be set as “not to collect”, the Operator must obtain the driver's consent and authorization each time of the driving, and the authorization will automatically become invalid after the end of driving (i.e., when the driver leaves the driver's seat);

- The Operator must inform the driver and passenger for each time of collection that Sensitive Personal Information is being collected through the in-car display panel or voice;

- The driver can conveniently terminate the collection at any time;

- The Operator must allow vehicle owners to conveniently view and structure their collected sensitive personal information;

- When the driver requests the Operator to delete the information, the operator shall delete it within two weeks.

Strict Restrictions and Requirements on Cross Boarder Transfer

According to the Draft Regulations, Personal Information and Important Data must be stored in the PRC in accordance with the law, and if it is really necessary to provide it overseas, the transfer is subject to security assessment organized by the national cybersecurity and informatization department. Operators shall not provide Personal Information or Important Data outside the territory of the PRC beyond the purpose, scope, method, data type and scale specified during the cross-border transfer security assessment.

The CAC and relevant departments of the State Council have the right to conduct random checks to verify the type and scope of the cross-border transfer of Personal Information and Important Data, and the Operator must cooperate with such verification and show the transfer in a clear and readable manner.

Reporting Obligations on the Operators

Under the Draft Regulations, Operators who handle more than 100,000 individuals' personal information or who process Important Data are required to report their annual data security management status to the cyberspace administrations at the provincial level and relevant departments prior to December 15 each year. 

Our Observations

Automobile manufacturers have been equipping more and more vehicles with cameras and sensors to capture images of a car’s surroundings. Control of use, distribution and storage of these images is a fast-emerging challenge for the industry and regulators worldwide. The Draft Regulations come soon after China’s issuance of another draft rules in late April to ensure the security of data generated by connected vehicles due to concerns about privacy and national security. It shows Chinese government’s focus on protection of personal information, national security, and public interests.

We suggest automobile companies having operations in China (including foreign invested automobile manufacturers, distributors, and service providers) review and enhance internal procedures and policies of collection, processing, storage localization and transfer of Personal Information and Important Data related to the automobiles and users, and closely monitor China's cybersecurity developments.