In China, alongside the continuous promulgation of laws and regulations on personal information and data security, the government issued the Provisions on Management of Automotive Data Security (Trial) (“Management Provisions”) on August 16th, 2021, which will take effect on October 1st, 2021.
The Management Provisions set out detailed rules for the entire process of automobile data collection and use (including collection, storage, processing, transmission, outbound transfer, etc.), and impose strict compliance requirements on operators in the automobile field with respect to the protection of personal information and important data.
1. What is Automobile Data?
Automobile Data includes the personal information and important data involved in processes such as the design, manufacturing, sale, use, operation or maintenance of automobiles.
Personal Information refers to any type of information, electronically or otherwise recorded, that relates to an identified or identifiable automobile owner, driver or passenger, or any person outside the automobile, excluding information that has been anonymized. This definition does not differ materially from the corresponding provisions of the Personal Information Protection Law.
At the same time, the Management Provisions are the first regulation to specify which kinds of data count as important data, including:
1) Geographical information, flows of people or automobiles and other data in respect of any important sensitive area such as a military administrative zone, national defense science and technology development entity, or Party or government agency at or above the county level;
2) Traffic volume, logistics and other data that reflect the performance of the economy;
3) Operating data of the charging networks of automobiles;
4) Video or image data collected outside of an automobile including human facial information, license plate information, etc.;
5) Personal information involving more than 100,000 personal information subjects.
2. Who shall comply with the Management Provisions?
According to the Management Provisions, all processors of automobile data shall comply with the regulation, including but not limited to automobile manufacturers, parts and software suppliers, dealers, repair and maintenance providers, and car service companies.
3. Basic Principles of Data Processing
The Chinese government encourages the lawful, reasonable and effective use of automobile data. Automobile data processors shall comply with the following principles when processing automobile data:
1. The principle of in-automobile processing, unless it is necessary to provide data to a recipient outside of the automobile;
2. The principle of non-collection by default, meaning that the default setting is no collection of data unless the driver independently chooses otherwise;
3. The principle of appropriate accuracy and coverage, meaning that the coverage range and resolution of any camera, radar, etc. are determined by the data accuracy that the provided functions or services require; and
4. The principle of desensitization, meaning that data shall be anonymized or de-identified as far as possible.
The Data Security Law enters into force on September 1st, with the Management Provisions following suit on October 1st, and finally the Personal Information Protection Law effective from November 1st. It is clear that the compliance pressure faced by companies in the automotive industry has become more and more serious in a relatively short space of time.
If companies have already created data compliance processes and personal information protection systems in the past, they need to review and supplement the relevant contents again. If such systems have not yet been established, we suggest that the relevant companies start compliance projects immediately.