UPDATE: China’s Car Privacy and Security Regulation is Effective on October 1, 2021
The author thanks Hunter Dorwart for his contribution to this text.
On August 20, 2021, the Cyberspace Administration of China (CAC) released an updated regulation on car privacy and data security that comes into force on October 1, 2021. The CAC initially published a draft on May 12 this year. The regulation is called “Several Provisions on the Management of Automobile Data Security (for Trial Implementation),” hereinafter “enacted regulation”. A press release with answers to reporters’ questions was also published on the same date as the enacted regulation.
The purpose of the enacted regulation is to regulate automobile data processing activities, protect the legitimate rights and interests of individuals and organizations, safeguard national security and public interests, and promote the rational development and utilization of automobile data, in accordance with the “Network Security Law of the People’s Republic of China” and the “Data Security Law of the People’s Republic of China.”
The enacted regulation for car privacy and security is not the biggest news to come from China. On August 20, 2021, the National People’s Congress (NPC) of China adopted the first Chinese comprehensive data protection law, the Personal Information Protection Law (PIPL), less than a year after the first draft of the law was published. The PIPL will go into effect on November 1, 2021. For more about PIPL, see my colleague’s recent blog post.
The enacted regulation should be read in conjunction with other laws, regulations, and standards in China’s emerging data protection regime. In theory, laws passed by the National People’s Congress (NPC), such as the Personal Information Protection Law (PIPL), take priority over administrative regulations, such as the one detailed in this post and other regulations passed within China’s larger regulatory bureaucracy such as the recent market regulations for the ride-hailing industry. The CAC is technically not a government agency but rather a super-ministerial body directly under the State Council. It drafts regulations with the input and agreement of other agencies but operates largely independently of them.
This post is an update to a post from May 18, where I summarized the draft regulation (“Several Provisions on the Management of Automobile Data Security”). This post compares the draft regulation with the enacted regulation, highlights the changes between the two, and concludes with a summary of the notable differences.
Updated scope of covered entities: “Automobile data processors”
Automobile data processors are organizations that carry out automobile data processing activities, including automobile manufacturers, parts and software suppliers, dealers, maintenance organizations, and ride-hailing and -sharing companies (出行服务企业).
In contrast, the draft regulation applies to “operators”, which are defined as “automobile design, manufacturing, and service enterprises or institutions, including automobile manufacturers, component and software providers, dealers, maintenance organizations, online car-hailing companies, insurance companies, etc.”
Covered data: Distinction among “personal information,” “important data,” and “sensitive personal information,” plus a new data type “automobile data”
The enacted regulation adds a fourth type of data: “automobile data.” Automobile data covers personal information data and important data involved in the process of automobile design, production, sales, use, operation, and maintenance.
Automobile data processing includes the collection, storage, use, processing, transmission, provision, and disclosure of automobile data.
Personal information refers to information related to the identified or identifiable vehicle owner, driver, passenger, and people outside the vehicle that has been recorded electronically or by other means; it does not include anonymized information. This mirrors the definition of personal information in China’s Personal Information Protection Law but narrows the scope to information specific to the use of vehicles.
In contrast, the definition of “personal information” in the draft regulation includes “the personal information of car owners, drivers, passengers, pedestrians, etc., as well as various information that can infer personal identity and describe personal behavior.”
Sensitive personal information refers to personal information that, once leaked or illegally used, may cause discrimination against car owners, drivers, passengers, and people outside the car, or serious harm to personal and property safety, including vehicle location, audio, video, images, and biometric data.
The draft regulation’s definition of “sensitive personal information” (found in Article 8) includes “data that can be used to determine illegal driving.” The enacted regulation does not have this and instead includes “personal information that once leaked or illegally used, may cause discrimination against car owners, drivers, passengers, and people outside the car, or serious harm to personal and property safety.”
Important data refers to data that may endanger national security, public interests, or the legitimate rights and interests of individuals or organizations once it has been tampered with, destroyed, leaked, or illegally obtained or used, including:
(1) Geographical information, personnel flow, vehicle flow, and other data in important sensitive areas such as military management zones, national defense science and industry units, and party and government agencies at or above the county level;
(2) Data reflecting economic operation conditions such as vehicle flow and logistics;
(3) Operating data of the car charging network;
(4) Video and image data outside the car including face information, license plate information, etc.;
(5) Personal information involving more than 100,000 personal information subjects;
(6) Other data that may endanger national security, public interests, or the legitimate rights and interests of individuals and organizations as determined by the State Cyberspace Administration and the State Council’s development and reform, industry and information technology, public security, transportation, and other relevant departments.
The definitions of “important data” in the draft and enacted regulation are similar, and both regulations contain specific provisions for automobile data processors processing and sharing this type of data (see below).
Obligations based on the Fair Information Practice Principles (or the Personal Information Protection Principles)
Article 4 requires that the processing of automobile data by auto processors be legal, proper, specific, and clear. Automobile data processing must be directly related to the design, production, sale, use, operation, and maintenance of the vehicle. This Article is similar to language in the draft regulation’s Article 4; however, the enacted regulation has broader language.
Article 5 in both the draft regulation and the enacted regulation is about security and data protection. Automobile data processors must implement network security grade protection, strengthen automobile data protection, and perform data security obligations in accordance with the law.
Article 6 in both the draft regulation and the enacted regulation lists several privacy best practices that automobile data processors are encouraged to follow when processing automobile data (note that this Article applies to “automobile data”). The enacted regulation has four, while the draft had five. In the enacted regulation, the principle of data retention has been moved from Article 6 to Article 7.
The principles in Article 6 are now:
- Process automobile data inside the vehicle unless it is necessary to send it outside the vehicle.
- Non-collection by default. Unless the driver chooses otherwise, the default is to not collect automobile data.
- A principle of precision is determined by the capacity of automobile data processors to meet accuracy standards for processing data regarding the range, the coverage, and resolution of cameras, radars, etc. (“Principle of accuracy range application.”)
- Desensitization treatment, or anonymization and de-identification treatments whenever possible.
Article 6(3) is notable because it appears to introduce a technical standard, which may be considered outside of the scope of a privacy (or data protection) regulation. However, the press release, which contains answers to reporters’ questions, notes that “[d]uring the formulation of the “Regulations,” both safety and development were emphasized…” and “driving safety” is mentioned throughout the enacted regulations. There may be more information provided through technical or industry standards about what exactly this means for manufacturers.
Article 7 in both the draft regulation and the enacted regulation applies to “personal information” (not the broader “automobile data”) and requires automobile data processors to notify individuals through manuals, on-board display panels, voice, and other vehicle-related applications.
The draft regulation lists four things the individual must be made aware of, while the enacted regulation lists seven. As noted above, retention has been moved to Article 7. The complete list of information that must be communicated to individuals is:
(1) The types of personal information processed, including vehicle location, driving habits, audio, video, images, and biometric features, etc.;
(2) The specific circumstances under which various types of personal information are collected and the ways and means to stop the collection;
(3) Purposes, uses, and methods of processing various types of personal information;
(4) Personal information storage location and retention period, or rules for determining the storage location and retention period;
(5) Ways and means of consulting and copying their personal information, deleting the information collected inside of the vehicle, and requesting to delete the personal information that has been provided outside the vehicle;
(6) The name and contact information of the contact person for exercising user rights;
(7) Other matters that should be notified as required by laws and administrative regulations.
While it is not clear from the text, it appears that Article 7 uses “individuals” in a slightly more narrow way than in the definition of “automobile data,” which includes people outside of the vehicle. In Article 7, it appears that “individuals” does not include people outside of the vehicle. This could be because there is a practical challenge of effectively communicating all of the above information to pedestrians, whose interactions with the vehicle may be fleeting. The provisions in Article 7 also appear to focus on types of data collected inside of a vehicle.
Articles 8 and 9 in the draft and enacted regulation have been switched.
Article 8 of the enacted regulation (draft regulation Article 9) is about consent to process personal information. When processing personal information, automobile data processors must obtain consent or comply with other requirements as stipulated by laws and administrative regulations.
Notably, the new Article 8 mentions safety. This sentence states that (paraphrased and translated):
Due to the need to ensure the safety of driving, automobile data processors that cannot obtain personal consent to collect personal information from outside the vehicle and that share personal information outside of the vehicle should anonymize the data, including deleting the images or videos that can identify natural persons, partial facial information, or contour processing (对画面中的人脸信息等进行局部轮廓化处理等, which appears to mean using the features of someone’s face to create larger outlines of the person).
The draft regulation’s consent provision (Article 9) did not reference vehicle safety and instead recognized that it might be difficult in practice to obtain consent.
Article 9 of the enacted regulation (draft regulation Article 8) lists requirements for processing “sensitive personal information” and notes that automobile data processors must also meet requirements under other applicable laws, administrative regulations, and mandatory national standards.
Again, one notable difference between the two regulations is that in this particular Article about processing “sensitive personal information”, the draft regulation mentions “driving safety” once, while the enacted regulation mentions “driving safety” three times. This further illustrates a greater focus on the importance of balancing vehicle and driving safety with privacy and security.
The five requirements for processing “sensitive personal information” in Article 9 are:
(1) Having the purpose of directly serving individuals, including enhancing driving safety, intelligent driving, navigation, etc.;
(2) Notifying the necessity and impact on individuals through obvious means such as user manuals, on-board display panels, voice, and car use-related applications;
(3) Individual consent should be obtained, and the individual can independently set the time limit for consent;
(4) Under the premise of ensuring the safety of driving, prompt the collection of data in an appropriate manner to provide convenience for individuals to terminate the collection;
(5) If an individual requests deletion, the automobile data processor shall delete it within ten working days.
There are a few differences between the draft and enacted regulations that are worth noting here.
- The requirement in 9(1) is almost identical, except that the enacted regulation does not explicitly include the purpose of “entertainment” and instead of “assisting driving,” uses “intelligent driving”. This requirement includes “etc.”, so this is presumably not a closed list, and “entertainment” may still be read in.
- The requirement for notice in 9(2) is enhanced in the enacted regulation. The draft regulation (in 8(3)) requires that the individual be informed that sensitive personal information is collected. The enacted regulation requires that individuals be notified of the necessity and the impact on them.
- The draft regulation requires that individuals be able to terminate the collection of sensitive personal data at any time (8(4)). Being able to stop the collection of this data at any time could have raised safety concerns if, for example, the driver terminated the collection of this data while the car is in operation without understanding how that data was being used to operate the car. The enacted regulation has updated language, which may address this concern. Individual consent is required, and the individual can set the time limit for consent (9(3)).
- Related to 9(3), the enacted regulation states in 9(4) that “Under the premise of ensuring the safety of driving, prompt the collection status in an appropriate manner to provide convenience for individuals to terminate the collection.”
- The enacted regulation does not include Article 8(5), “Allow vehicle owners to conveniently view and make structured inquiries about the collected sensitive personal information.”
- The draft regulation requires that sensitive personal data be deleted within two weeks upon request by the “driver.” The enacted regulation requires automobile data processors to delete that data within ten working days if requested by an “individual.”
The enacted regulation also includes a purpose and necessity requirement for the collection of a particular type of sensitive personal information: biometric data (such as fingerprints, voiceprints, human faces, heart rhythms). This appears to replace the draft regulation’s Article 10, which focuses on biometric data. Note that the press release states that “[r]egarding personal biometric information, it is clear that the car data processor has the purpose of enhancing driving safety and is necessary to collect it,” underscoring the sensitivity of biometric data and the high bar required to process this type of data.
Article 10 of the enacted regulation adds a new requirement for automobile data processors who process “important data.” In this situation, automobile data processors must conduct risk assessments in accordance with regulations and submit risk assessment reports to the provincial, autonomous region, and municipal network information departments and relevant departments.
The risk assessment report shall include the type, quantity, scope, storage location and period, use of the important data processed, the status of data processing activities and whether it is provided to a third party, the data security risks faced, and countermeasures, etc.
This appears to replace Article 11 of the draft regulation, which requires operators to report to the provincial network information department and relevant departments similar information about important data, but does not use the term “risk assessment.”
Both the draft and enacted regulations contain several Articles pertaining to “important data” (Articles 11-17 in the draft regulation and Articles 10-14 in the enacted regulation).
As noted above, automobile data processors are required to conduct a risk assessment when processing important data (Article 10).
Article 11 requires important data to be stored in China unless it is necessary to provide it overseas for business purposes. In this situation, there must be a security assessment (“exit safety assessment”) conducted by the State Cyberspace Administration of China with the relevant departments of the State Council.
Automobile data processors should not exceed the purpose, scope, method, type, and scale of important data specified in the exit safety assessment when this data is shared overseas (Article 12). The national cybersecurity and informatization department, in conjunction with relevant departments of the State Council, will verify the matters specified in the exit safety assessment by means of random inspections.
Article 13 requires automobile data processors who process important data to report the following automobile data security management information to the provincial, autonomous region, and municipal network information department and relevant departments before December 15 of each year:
(1) The name and contact information of the person in charge of automobile data security management and the contact person for processing user rights;
(2) The type, scale, purpose, and necessity of processing automobile data;
(3) Safety protection and management measures for automobile data, including storage location, period, etc.;
(4) Providing automobile data to domestic third parties;
(5) Car data security incidents and handling conditions;
(6) User complaints and handling of automobile data;
(7) Other automobile data security management conditions specified by the State Cyberspace Administration in conjunction with the State Council’s industry and information technology, public security, transportation, and other relevant departments.
In addition to the above requirements in Article 13, if automobile data processors share important data overseas there are additional reporting requirements found in Article 14. Articles 13 and 14 replace Articles 17 and 18 in the draft regulation.
Article 15 states that anyone participating in the exit safety assessment must not disclose the trade secrets or other confidential information learned during the assessment or use any information for purposes other than the assessment.
Article 16 appears to be an affirmation that China supports intelligent and connected vehicle operations and will cooperate with automobile data processors to strengthen and secure the network.
Article 17 requires auto data processors to establish appropriate complaints and reporting portals to handle user complaints.
Article 18 replaced Article 20 in the draft regulation but has similar language regarding violations and penalties.
In summary, the processing and sharing overseas of “important data” may trigger the requirement of five separate assessments, reports, or inspections.
- Risk assessment: All automobile data processors who process important data should complete a risk assessment. Risk assessments are submitted to the provincial, autonomous region, and municipal network information departments and relevant departments (Article 10).
- Exit security assessment: If an automobile data processor finds it is necessary to share important data outside of China for business purposes, the automobile data processor must pass a security assessment organized by the national network information department in conjunction with the relevant departments of the State Council (Articles 11 and 12).
- Random inspection: The State Cyberspace Administration and relevant departments of the State Council will conduct random inspections to verify the information automobile data processors record in their exit security assessment (Article 12).
- Annual report: All auto data processors that process important data must file an annual automobile data security report (Article 13).
- Annual supplementary report: If an automobile data processor finds it is necessary to share important data outside of China for business purposes, the automobile data processor must supplement the annual report referenced in Article 13 with additional information (Article 14).
Summary of the Main Differences between the Draft Regulation and the Enacted Regulation
- The enacted regulation has a new defined term: “automobile data.” This term appears to be a shorthand to refer to both “personal information” and “important data”. “Sensitive personal information” is a subset of “personal information.”
- The definition of “personal information” has been updated.
- “Sensitive personal information” is explicitly defined and somewhat clarified. The draft regulation’s definition of “sensitive personal information” includes “data that can be used to determine illegal driving”. The enacted regulation does not include this and instead refers to “personal information that once leaked or illegally used, may cause discrimination against car owners, drivers, passengers, and people outside the car, or serious harm to personal and property safety”.
- There is a new risk assessment requirement for processing “important data.”
- The draft regulation applies to “operators,” and the enacted regulation applies to “automobile data processors”. The definitions of both of these terms are different.
- The principle of data retention has been moved from Article 6 (privacy best practices) to Article 7 (requirements to notify individuals).
- More emphasis is placed on “driving safety” in the enacted regulation. For example, see Articles 8 and 9 and the press release. This further illustrates a greater focus on the importance of balancing vehicle and driving safety with privacy and security. This balance or, at times, tension will likely appear in both vehicle and automated vehicle regulations globally.
- The enacted regulation has an updated deletion request timeline for sensitive personal data.
- The enacted regulation has additional requirements and considerations for automobile data processors processing or sharing “important data” overseas.
Some challenges and considerations raised by the enacted regulation are 1) the coming into force date; 2) the introduction of what appear to be technical standards without further detail (e.g., Article 6(3)); and 3) that it is not always clear who exactly “individuals” refers to (e.g., Article 7). The coming into force date is October 1, 2021. Many of the requirements and best practices throughout the regulation likely require software, hardware, and design changes, and the tight deadline could prove challenging for automakers, where the average design and manufacturing span for a vehicle can be two to three years.
The enacted regulation highlights the complexity of the mobility ecosystem in two ways. First is the complexity of the data flows, evidenced by the regulation defining three types of data commonly processed by automobile data processors and introducing a new umbrella data term “automobile data.” Second is the complexity of parties involved, evidenced by the broad definition of “personal information,” which includes the vehicle owner, driver, passengers, and people outside of the vehicle. Similarly, “automobile data processors” is also defined fairly broadly and includes vehicle manufacturers, hardware and software suppliers, dealers, repair shops, and ride-hail companies.
Also notable are the references to and emphasis on driving safety. As vehicles become more connected and automated, safety standards will increasingly influence data processing and thus privacy and data protection regulations, which will in turn impact vehicle design, operations, and safety. This circle of influence underscores the importance of privacy and data protection experts working closely with product designers and computer scientists. Privacy and data protection are slowly but surely moving from the risk and compliance office and into the product and engineering offices. As we travel along the road of car privacy and security regulations, this trend is sure to speed up.
For an overview of China’s recently adopted Personal Information Protection Law, see China’s New Comprehensive Data Protection Law: Context, Stated Objectives, Key Provisions