China issues regulations for car owner privacy, automobile data security
China issues regulations for car owner privacy, automobile data security
China released the Regulations on the Management of Automobile Data Security (for Trial Implementation) (called “the Regulations” for short) earlier this month to regulate processing of automobile data, protect personal information, national security, and public interests, and promote the rational development and utilization of automobile data.
The Regulations were jointly issued by the Cyberspace Administration, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the Ministry of Transport of China. They will formally come into effect on October 1, 2021.
In this document, the automobile data refer to the personal information and important data generated across the entire lifecycle of automobiles, including design, production, sales, operation, maintenance, and management of automobiles within the territory of the People's Republic of China.
“Personal information” refers to the information of car owners, drivers, passengers, pedestrians, etc., and various information that can infer personal identity, describe personal behaviors, etc.
“Important data” under the Regulations include operating data of the car-charging network, surveying and mapping data higher than the accuracy of publicly released maps of the state, data about vehicle types and vehicle flow on roads, external audio and video data including faces, voices, license plates, and other data that may affect national security and public interests as specified by China’s Cyberspace Administration and relevant departments of the State Council.
The Regulations advocates several key principles for automobile data progressing, including “handling in the car”, “anonymization”, and “non-collection by default”. Besides, the document notes the data retention period shall be determined based on the types of functional services provided, and the coverage area and the resolution ratio of camera, radar and etc. shall be specified according to requirements on the data accuracy of functional services provided;
The Regulations stress that when handling personal information, operators must get the consent of the car owner whose personal information is being collected, unless laws and regulations do not require personal consent. Such biometric data as fingerprints, voiceprints, face, heart rhythm, etc. of drivers can only be gathered when operators has the purpose and find it necessary to improve driving safety.