Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · AUTOMOTIVE DATA PROVISIONS

Several Provisions on Automotive Data Security Management (Trial).

汽车数据安全管理若干规定(试行)

Promulgated by: Cyberspace Administration of China, National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security, and Ministry of Transport.
Document No.: Order No. 7 of the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the Ministry of Transport.
Adopted at the 10th room executive meeting of the Cyberspace Administration of China in 2021 on July 5, 2021. Issued August 16, 2021. Effective October 1, 2021.


Article 1. These Provisions are formulated in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China and other laws and administrative regulations, in order to regulate automotive data processing activities, protect the legitimate rights and interests of individuals and organizations, safeguard national security and the public interest of society, and promote the reasonable development and utilization of automotive data.

Article 2. Automotive data processing activities carried out within the territory of the People’s Republic of China and the security supervision thereof shall comply with the requirements of relevant laws, administrative regulations and these Provisions.

Article 3. “Automotive data” as referred to in these Provisions includes personal information data and important data involved in the processes of automotive design, production, sale, use, operation and maintenance.

“Automotive data processing” includes the collection, storage, use, processing, transmission, provision, disclosure and the like, of automotive data.

“Automotive data processors” refers to organizations that carry out automotive data processing activities, including automobile manufacturers, parts and software suppliers, dealers, repair institutions, and mobility service enterprises.

“Personal information” refers to various information recorded electronically or by other means that relates to an identified or identifiable vehicle owner, driver, passenger, person outside the vehicle, or the like, but does not include anonymized information.

“Sensitive personal information” refers to personal information that, once leaked or illegally used, may cause the vehicle owner, driver, passenger, person outside the vehicle, or the like, to suffer discrimination or serious harm to personal or property safety, including vehicle location tracks, audio, video, images, and biometric features.

“Important data” refers to data that, once tampered with, destroyed, leaked, or illegally obtained or used, may endanger national security, the public interest, or the legitimate rights and interests of individuals or organizations, including:

(I) geographic information, personnel flow, vehicle flow and other data of important and sensitive areas such as military administration zones, units of national defense science, technology and industry, and Party and government organs at or above the county level;

(II) data reflecting economic operation such as vehicle flow and logistics;

(III) operating data of the automotive charging network;

(IV) video and image data outside the vehicle containing face information, license-plate information, and the like;

(V) personal information involving more than 100,000 personal-information subjects;

(VI) other data determined by the national cyberspace administration and the relevant departments of the State Council for development and reform, industry and information technology, public security, transport, and the like, that may endanger national security, the public interest, or the legitimate rights and interests of individuals or organizations.

Article 4. Automotive data processors processing automotive data shall do so in a lawful, legitimate, specific and clear manner, directly related to the design, production, sale, use, operation and maintenance of vehicles.

Article 5. When carrying out automotive data processing activities using the Internet and other information networks, the cybersecurity multi-level protection scheme and other systems shall be implemented, automotive data protection shall be strengthened, and data security obligations shall be performed in accordance with the law.

Article 6. The State encourages the lawful, reasonable and effective utilization of automotive data, and advocates that automotive data processors, in carrying out automotive data processing activities, adhere to:

(I) the in-vehicle processing principle — not providing data outside the vehicle unless truly necessary;

(II) the default no-collection principle — defaulting to a no-collection state for each drive unless the driver sets otherwise on their own;

(III) the precision-range applicability principle — determining the coverage and resolution of cameras, radars and the like according to the data-precision requirements of the functions and services provided;

(IV) the desensitization principle — carrying out anonymization, de-identification and other processing as far as possible.

Article 7. Automotive data processors processing personal information shall inform individuals of the following matters by conspicuous means such as the user manual, the on-board display panel, voice, and vehicle-use-related applications:

(I) the types of personal information processed, including vehicle location tracks, driving habits, audio, video, images and biometric features;

(II) the specific situations in which each type of personal information is collected, and the methods and channels for ceasing collection;

(III) the purpose, use and method of processing each type of personal information;

(IV) the place and period of storage of the personal information, or the rules for determining the place and period of storage;

(V) the methods and channels for accessing and copying their personal information, deleting personal information within the vehicle, and requesting the deletion of personal information already provided outside the vehicle;

(VI) the name and contact information of the contact person for matters concerning user rights and interests;

(VII) other matters required to be informed by laws and administrative regulations.

Article 8. Automotive data processors processing personal information shall obtain the consent of the individual or meet other circumstances prescribed by laws and administrative regulations.

Where, due to the need to ensure driving safety, it is impossible to obtain the individual’s consent for personal information collected outside the vehicle and provided outside the vehicle, anonymization shall be carried out, including deleting images that contain content capable of identifying a natural person, or partially contouring face information and the like in the images.

Article 9. Automotive data processors processing sensitive personal information shall meet the following requirements, or meet other requirements such as laws, administrative regulations and mandatory national standards:

(I) having the purpose of directly serving the individual, including enhancing driving safety, intelligent driving, and navigation;

(II) informing the individual of the necessity and the impact on the individual by conspicuous means such as the user manual, the on-board display panel, voice, and vehicle-use-related applications;

(III) obtaining the individual’s separate consent, with the individual able to set the consent period on their own;

(IV) on the premise of ensuring driving safety, indicating the collection status in an appropriate manner and providing convenience for the individual to terminate collection;

(V) where the individual requests deletion, the automotive data processor shall delete it within ten working days.

An automotive data processor may collect biometric features such as fingerprints, voiceprints, faces and heart rhythms only where it has the purpose of enhancing driving safety and sufficient necessity.

Article 10. Automotive data processors carrying out important-data processing activities shall conduct a risk assessment in accordance with provisions, and submit a risk assessment report to the cyberspace administration and the relevant departments of the province, autonomous region or municipality directly under the Central Government.

The risk assessment report shall include the type, quantity, scope, place and period of storage, and method of use of the important data processed, the conduct of data processing activities, whether the data is provided to third parties, the data security risks faced and the response measures thereto, and the like.

Article 11. Important data shall be stored within the territory in accordance with the law; where it is truly necessary to provide it overseas due to business needs, it shall pass the security assessment organized by the national cyberspace administration together with the relevant departments of the State Council. The cross-border security management of personal-information data not included in the important data shall be governed by the relevant provisions of laws and administrative regulations.

Where the international treaties and agreements concluded or acceded to by China provide otherwise, such international treaties and agreements shall apply, except for clauses on which China has declared reservations.

Article 12. An automotive data processor providing important data overseas shall not exceed the purpose, scope, method, and data type and scale, and the like, clarified at the time of the export security assessment.

The national cyberspace administration shall, together with the relevant departments of the State Council, verify the matters prescribed in the preceding paragraph by means of spot checks and the like, and the automotive data processor shall cooperate and present such matters in a readable and otherwise convenient manner.

Article 13. Automotive data processors carrying out important-data processing activities shall, before December 15 of each year, submit the following annual automotive data security management situation to the cyberspace administration and the relevant departments of the province, autonomous region or municipality directly under the Central Government:

(I) the name and contact information of the person responsible for automotive data security management and of the contact person for matters concerning user rights and interests;

(II) the type, scale, purpose and necessity of the automotive data processed;

(III) the security protection and management measures for automotive data, including the place and period of storage, and the like;

(IV) the situation of providing automotive data to third parties within the territory;

(V) automotive data security incidents and the disposal thereof;

(VI) user complaints related to automotive data and the handling thereof;

(VII) other automotive data security management situations clarified by the national cyberspace administration together with the relevant departments of the State Council for industry and information technology, public security, transport, and the like.

Article 14. Automotive data processors providing important data overseas shall, on the basis required by Article 13 of these Provisions, additionally report the following:

(I) the basic situation of the recipient;

(II) the type, scale, purpose and necessity of the automotive data exported;

(III) the place, period, scope and method of storage of the automotive data overseas;

(IV) user complaints related to the provision of automotive data overseas and the handling thereof;

(V) other situations clarified by the national cyberspace administration together with the relevant departments of the State Council for industry and information technology, public security, transport, and the like, that need to be reported regarding the provision of automotive data overseas.

Article 15. The national cyberspace administration and the relevant departments of the State Council for development and reform, industry and information technology, public security, transport, and the like, shall, in accordance with their duties and based on the situation of data processing, conduct data security assessments of automotive data processors, and the automotive data processors shall cooperate.

The institutions and personnel participating in the security assessment shall not disclose the commercial secrets or undisclosed information of the automotive data processor that they become aware of in the assessment, and shall not use the information they become aware of in the assessment for purposes other than the assessment.

Article 16. The State shall strengthen the development of the intelligent (connected) vehicle network platform, carry out the network access operation and security assurance services of intelligent (connected) vehicles, and the like, and, in coordination with automotive data processors, strengthen the network and automotive data security protection of intelligent (connected) vehicles.

Article 17. Automotive data processors carrying out automotive data processing activities shall establish complaint and reporting channels, set up convenient complaint and reporting entrances, and promptly handle user complaints and reports.

Where the carrying out of automotive data processing activities causes harm to the legitimate rights and interests of users or to the public interest, the automotive data processor shall bear corresponding liability in accordance with the law.

Article 18. Where an automotive data processor violates these Provisions, the relevant departments at or above the provincial level for cyberspace, industry and information technology, public security, transport, and the like, shall impose penalties in accordance with the provisions of the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China and other laws and administrative regulations; where a crime is constituted, criminal liability shall be pursued in accordance with the law.

Article 19. These Provisions shall come into force on October 1, 2021.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.