After a public comment period that began in mid-May, China on Friday officially released regulations on automotive data security management, which will come into effect on October 1.
Automotive data handlers should adopt the principles of “in-vehicle processing”, “no collection by default”, “accuracy range application” and “desensitization” to reduce the disorderly collection and abuse of automotive data, a document says.
If it is necessary to provide important data outside the country for business needs, auto data handlers should implement the requirements of the data outbound security assessment system, according to the document.
Automotive data handlers shall not provide important data outside the country beyond the conclusion of the outbound security assessment, and shall report the relevant information in the annual report, according to the provisions.
The “automotive data” refers to personal information data and important data in the process of design, production, sales, use, operation and maintenance of automobiles.
“Automotive data processing” includes the collection, storage, use, processing, transmission, provision and disclosure of automotive data.
Automotive data handlers shall inform the type of personal information, the collection context, stop collecting ways, and obtain the consent of individuals through a prominent way, according to the regulation.
Automotive data handlers shall also obtain the individual’s sole consent when processing sensitive personal information, limit the purpose of processing, indicate the collection status, and facilitate the termination of data collection for the individual.
Automotive data handlers should anonymize personal data that cannot be collected with the consent of the individual and provided outside the vehicle because of the need to ensure driving safety, the document says.
Only to enhance driving safety, automotive data handlers can collect fingerprints, voiceprints, faces, heart rhythm and other biometric features information, according to the regulation.
In a separate document, the Ministry of Industry and Information Technology (MIIT) explained the specific system for handling important data.
Automotive data handlers handling important data should carry out a risk assessment and report the risk assessment report to the local administrator.
The administrator will check the matters related to the outbound assessment of automotive data on a random basis, and the automotive data handlers should cooperate, the announcement says.
Automotive data handlers should report annual automotive data security management to the local administrator by December 15 each year, according to the document.
The regulations come at a time when the rapid growth of China’s new energy vehicle industry has raised concerns about the security of automotive data.
On April 7, the MIIT began seeking public comments on a smart car management regulation that says smart connected car manufacturers should collect, use and protect personal information in accordance with the law.
The document mentioned for the first time that personal information and important data collected and generated during operations in China should be stored within the country in accordance with relevant regulations. If, due to business needs, it is necessary to provide it outside the country, it should be reported to the regulatory authorities.
On May 12, China released draft regulations on automotive data security management to begin soliciting public comments.
The document has brought Tesla’s data collection practices in China into the spotlight.
In May, Tesla said it had established a data center in China to localize data storage, with more local data centers to be added in the future.
All data generated from vehicles sold in the Chinese market will be stored within the country, the company said.
Tesla will open its vehicle information search platform to owners, which is a work in progress, with details and progress to be announced in the future, the company said.