China issues interim measures to tighten security management of auto data processing

20 Aug 2021 10:37 am

China's cybersecurity laws

Chinese regulators unveiled interim regulations today to step up the supervision of auto data processing. The regulations are expected to come into effect in October.

The Interim Regulations on Auto Data Security Management were jointly issued by the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the National Development and Reform Commission, the Ministry of Public Security and the Ministry of Transport.

They spell out requirements for handling personal data, personal sensitive data, important data, data localization and data security for connected cars.

Building on the Cybersecurity Law and the Data Security Law that are already in place in China, the interim regulations set rules for auto data processing and will apply to industry players across the board, including auto manufacturers, auto parts makers, software players, wholesalers and maintenance institutes.

The regulations come in the wake of emerging auto data security issues and potential risks such as excessive collection of critical data, handling sensitive personal data without consent and the export of important data without conducting a security assessment, the regulators said. In April this year, Tesla became embroiled in a dispute about sharing data on a brake incident following a Chinese consumer’s complaint.

While handling personal information, auto data processors should brief consumers on the type of information they are collecting, scenarios for collecting information and means of stopping the collection of information, as well as seeking individuals’ consent, the regulations said.

For occasions when data is provided to external parties for the purpose of improving driving security without obtaining personal consent, the data should be anonymized.

The handling of sensitive personal information will be subject to stricter requirements. This will extend to limiting the purposes for collecting data and facilitating the suspension of data collection upon receiving a request from an individual. The collection of biometric data can only be carried out if it is necessary for reinforcing driving safety.

Companies that handle important data will also be subject to additional requirements such as risk-control measures; risk-control reporting to authorities about data type, scope, how it will be used and data-processing activities; annual reporting to regulators about auto data security management; and security assessment approval for cross-border data transfers.

The regulations define important data as data that covers geographic references, personnel and traffic volumes in military control areas, national defense departments and government departments above county-level, data reflecting economic performance, the operation of auto electricity charging networks, and video and image data containing facial recognition.

The regulations stipulate that important data should be stored domestically, while data exports will require security assessment approval from Chinese regulators and should comply with the requirements set in that approval on purpose, scope, the method of exporting, and the type and scale of the data.

The Chinese government will beef up the building of smart and connected auto network platforms and cooperate with auto data operators in strengthening the security of connected auto networks and auto data, the interim regulations said.

Violators of the regulations will be subject to relevant penalties in the Cybersecurity Law and Data Security Law.

- Analysis by Wang Juan and Xu Yuan
