Several Provisions on Vehicle Data Security Management (for Trial Implementation)

State Internet Information Office

National Development and Reform Commission, People’s Republic of China

Ministry of Industry and Information Technology of the People’s Republic of China

Ministry of Public Security of the People’s Republic of China

Ministry of Transport of the People’s Republic of China

make

No. 7

“Several Provisions on Automobile Data Security Management (Trial)” has been reviewed and approved at the 10th office meeting of the State Internet Information Office in 2021 on July 5, 2021, and has been approved by the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, The Ministry of Transport agrees, which is hereby promulgated and shall come into force on October 1, 2021.

Zhuang Rongwen, director of the State Internet Information Office

He Lifeng, Chairman of the National Development and Reform Commission

Xiao Yaqing, Minister of Industry and Information Technology

Minister of Public Security Zhao Kezhi

Minister of Transport Li Xiaopeng

August 16, 2021

 

Several Provisions on Vehicle Data Security Management (for Trial Implementation)

Article 1 In order to regulate automobile data processing activities, protect the legitimate rights and interests of individuals and organizations, safeguard national security and social public interests, and promote the rational development and utilization of automobile data, in accordance with the Cybersecurity Law of the People’s Republic of China and the Data Security Law of the People’s Republic of China ” and other laws and administrative regulations to formulate these Provisions.

Article 2 To carry out automobile data processing activities and safety supervision within the territory of the People’s Republic of China, relevant laws, administrative regulations and the requirements of these Provisions shall be complied with.

Article 3 The “automobile data” mentioned in these regulations includes personal information data and important data in the process of automobile design, production, sales, use, operation and maintenance, etc.

Automobile data processing, including the collection, storage, use, processing, transmission, provision, disclosure, etc. of automobile data.

Automobile data processors refer to organizations that carry out automobile data processing activities, including automobile manufacturers, parts and software suppliers, dealers, maintenance agencies, and travel service companies.

Personal information refers to various information related to identified or identifiable vehicle owners, drivers, passengers, and persons outside the vehicle recorded electronically or in other ways, excluding anonymized information.

Sensitive personal information refers to personal information that, once leaked or used illegally, may lead to discrimination against vehicle owners, drivers, passengers, and persons outside the vehicle, or serious harm to personal and property safety, including vehicle tracks, audio, video, Information such as images and biometrics.

Important data refers to data that may endanger national security, public interests, or the legitimate rights and interests of individuals or organizations once it is tampered with, destroyed, leaked, or obtained or used illegally, including:

(1) Geographical information, personnel flow, vehicle flow and other data of important sensitive areas such as military administrative areas, national defense science and industry units, and party and government organs at or above the county level;

(2) Vehicle flow, logistics and other data reflecting the economic operation;

(3) The operation data of the vehicle charging network;

(4) Out-of-vehicle video and image data including face information, license plate information, etc.;

(5) Personal information involving more than 100,000 personal information subjects;

(6) Other data that may endanger national security, public interests, or the legitimate rights and interests of individuals or organizations as determined by the national cybersecurity and informatization department and the development and reform, industry and information technology, public security, transportation, and other relevant departments of the State Council.

Article 4 The processing of automobile data by an automobile data processor shall be legal, legitimate, specific and clear, and directly related to the design, production, sales, use, operation and maintenance of automobiles.

Article 5 The use of the Internet and other information networks to carry out automobile data processing activities shall implement systems such as network security level protection, strengthen automobile data protection, and perform data security obligations in accordance with the law.

Article 6 The state encourages the reasonable and effective use of automobile data in accordance with the law, and encourages automobile data processors to insist on:

(1) The principle of in-vehicle treatment, unless it is absolutely necessary not to provide it outside the vehicle;

(2) The principle of non-collection by default, unless the driver sets it by himself, the default setting is not to be collected every time he drives;

(3) The principle of application of the accuracy range, and the coverage and resolution of cameras, radars, etc. shall be determined according to the data accuracy requirements of the functional services provided;

(4) The principle of desensitization processing, anonymization, de-identification and other processing should be carried out as much as possible.

Article 7 When processing personal information, automobile data processors shall notify individuals of the following matters through user manuals, on-board Display panels, voice, and applications related to the use of automobiles:

(1) Types of personal information processed, including vehicle tracks, driving habits, audio, video, images, and biometric features, etc.;

(2) The specific circumstances of the collection of various types of personal information and the ways and means to stop the collection;

(3) The purpose, use and method of processing all kinds of personal information;

(4) The storage location and storage period of personal information, or the rules for determining the storage location and storage period;

(5) Ways and channels to view and copy their personal information, delete the personal information in the car, and request to delete the personal information that has been provided outside the car;

(6) The name and contact information of the contact person for user rights affairs;

(7) Other matters that should be notified as prescribed by laws and administrative regulations.

Article 8 When processing personal information, an automobile data processor shall obtain the consent of the individual or comply with other circumstances stipulated by laws and administrative regulations.

Due to the need to ensure driving safety, if it is impossible to obtain personal consent to collect personal information outside the car and provide it to the outside of the car, it should be anonymized, including deleting pictures containing natural persons that can be identified, or partial facial information in the picture. Outline processing, etc.

Article 9 When processing sensitive personal information, automobile data processors shall meet the following requirements or other requirements such as laws, administrative regulations and mandatory national standards:

(1) It has the purpose of directly serving the individual, including enhancing driving safety, intelligent driving, navigation, etc.;

(2) Notifying the necessity and the impact on individuals through user manuals, on-board display panels, voice, and applications related to car use;

(3) Individual consent shall be obtained, and individuals may independently set the consent period;

(4) On the premise of ensuring driving safety, prompt the collection status in an appropriate way to provide convenience for individuals to terminate the collection;

(5) If an individual requests deletion, the automobile data processor shall delete it within ten working days.

Vehicle data processors have the purpose and sufficient necessity to enhance driving safety before they can collect biometric information such as fingerprints, voiceprints, faces, and heart rhythms.

Article 10 When an automobile data processor conducts important data processing activities, it shall conduct risk assessment in accordance with regulations, and submit a risk assessment report to the network information department and relevant departments of the province, autonomous region, and municipality directly under the Central Government.

The risk assessment report shall include the type, quantity, scope, storage location and duration, usage method, data processing activities and whether to provide it to third parties, data security risks faced and countermeasures, etc., of the important data processed.

Article 11: Important data shall be stored within the territory of the country in accordance with the law, and if it is really necessary to provide it overseas due to business needs, it shall pass the security assessment organized by the national cybersecurity and informatization department in conjunction with the relevant departments of the State Council. The relevant provisions of laws and administrative regulations shall apply to the security management of the exit of personal information that is not included in the important data.

If an international treaty or agreement concluded or acceded to by our country has different provisions, the international treaty or agreement shall apply, except for the clauses in which our country has declared reservations.

Article 12 When an automobile data processor provides important data overseas, it shall not exceed the purpose, scope, method, data type and scale, etc. specified in the exit safety assessment.

The national cybersecurity and informatization department shall, in conjunction with the relevant departments of the State Council, verify the matters stipulated in the preceding paragraph by means of spot checks, etc., and the automobile data processor shall cooperate and display it in a readable and other convenient way.

Article 13 An automobile data processor carrying out important data processing activities shall submit the following annual automobile data security management information to the network information department and relevant departments of the province, autonomous region, and municipality directly under the Central Government before December 15 each year:

(1) The name and contact information of the person in charge of automobile data security management and the contact person for user rights affairs;

(2) The type, scale, purpose and necessity of processing automobile data;

(3) Security protection and management measures for vehicle data, including storage location and duration, etc.;

(4) Information on providing vehicle data to domestic third parties;

(5) Vehicle data security incidents and handling;

(6) User complaints and handling related to automobile data;

(7) Other vehicle data security management situations specified by the national cybersecurity and informatization department in conjunction with the State Council’s industry and information technology, public security, transportation and other relevant departments.

Article 14 The automobile data processor that provides important data overseas shall, on the basis of the requirements of Article 13 of these regulations, supplementary report the following:

(1) The basic information of the recipient;

(2) The type, scale, purpose and necessity of outbound vehicle data;

(3) The place, duration, scope and method of overseas storage of automobile data;

(4) Complaints and handling of users who provide automobile data overseas;

(5) The national cybersecurity and informatization department, in conjunction with the relevant departments of industry and informatization, public security, transportation and other relevant departments of the State Council, clearly provide other situations that need to be reported when providing automobile data overseas.

Article 15 The national cybersecurity and informatization department and the relevant departments of the State Council’s development and reform, industry and informatization, public security, transportation and other relevant departments shall, in accordance with their duties, conduct data security assessments on automobile data processors based on data processing conditions, and automobile data processors shall cooperate.

Institutions and personnel participating in the safety assessment shall not disclose the business secrets and undisclosed information of the automobile data processor learned in the assessment, and shall not use the information learned in the assessment for purposes other than the assessment.

Article 16 The state strengthens the construction of intelligent (connected) vehicle network platforms, conducts network-connected operation of intelligent (connected) vehicles and security services, etc., and cooperates with car data processors to strengthen the security protection of intelligent (connected) vehicle networks and vehicle data.

Article 17 When an automobile data processor conducts automobile data processing activities, it shall establish a complaint and report channel, set up a convenient complaint and report entrance, and handle user complaints and reports in a timely manner.

Where the conduct of automobile data processing activities causes damage to the legitimate rights and interests of users or public interests, the automobile data processor shall bear corresponding responsibilities in accordance with the law.

Article 18 If the automobile data processor violates these regulations, the relevant departments of network information, industry and information technology, public security, transportation, etc. at or above the provincial level shall comply with the “Internet Security Law of the People’s Republic of China” and the “Data Security Law of the People’s Republic of China”. and other laws and administrative regulations for punishment; if a crime is constituted, criminal responsibility shall be investigated according to law.

Article 19 These regulations shall come into force on October 1, 2021.

The Links:   TLV320AIC3106IRGZR 104PW191