Translated by Lauren Dudley, Yongjia Chen, Justin Tu, and Scarlett Ho. Edited by Graham Webster.

Several Provisions on the Management of Automobile Data Security (Draft for Comment)

May 12, 2021

Article 1: In order to strengthen personal information and important data protection, standardize automobile^[1] data handling activities, and safeguard national security and the public interest, in accordance with the Cybersecurity Law of the People’s Republic of China and other laws and provisions, these Provisions are formulated.

Article 2: Operators involved in the design, production, sale, maintenance, and management of vehicles within the mainland territory of the People’s Republic of China, and the collection, analysis, storage, transmission, query, use, deletion, as well as the overseas provision (hereafter called “handling”) of personal information or important data, shall comply with relevant laws and regulations and these Provisions.  

Article 3: “Operators” in these Provisions refers to automobile design, manufacture, and services companies and organizations, including vehicle manufacturing companies, component and software suppliers, dealers, maintenance organizations, ride-hailing firms, and insurance companies, etc.

“Personal information” in these Provisions includes the personal information of automobile owners, drivers, passengers, pedestrians, etc., as well as any kind of information that could infer a person’s identity, describe a person’s behavior, etc.

“Important data” in these Provisions includes:

1. Data on the flow of people and traffic in military administrative areas, national defense science and industrial units or other units that involve state secrets, or sensitive, important areas of Party and government administrative units above the county level, etc.;
2. Survey and map data that is more precise than maps publicly issued by the state;
3. Data on the operation of automobile charging networks;
4. Data on types and traffic volume, etc., of vehicles on the road;
5. Audiovisual data of individuals’ faces, voices, and license plates, etc., outside the vehicle;
6. Other data that might affect national security and the public interest, as specified by the state cybersecurity and informatization department^[2] and relevant departments of the State Council.

Article 4: An operator’s purpose for handling personal information or important data shall be lawful, specific, clear, and directly related to the design, manufacture, or servicing of automobiles. 

Article 5: Operators shall implement the Cybersecurity Multi-level Protection Scheme (MLPS) to strengthen personal information and important data protection, and fulfill their cybersecurity obligations according to the law. 

Article 6: It is proposed that during the process of handling personal information or important data, operators insist on: 

1. The on-board handling principle—not providing data outside the automobile unless truly necessary;
2. The anonymized handling principle—if truly necessary to provide data outside the automobile, carry out anonymization and desensitization handling to the extent possible;
3. The minimum retention period principle—determine data retention periods based on the functionality and services provided;
4. The suitable precision and scope principle—determine camera, radar, etc., coverage scope and resolution based on the data requirements for the functionality and services provided; 
5. The non-collection as default principle—unless it is truly necessary, each trip’s default mode is non-collection, and driver consent and authorization only apply to the present trip.

Article 7: Operators handling personal information shall provide effective contact information for the person responsible for handling user rights, as well as the type of data collected, including vehicle position, biometrics, driving habits, audio and video, etc., in the user manual, on the on-board display panel, or through other appropriate means, and supply the following information:

1. The conditions that trigger collection of each type of data as well as methods to stop collection;
2. The purpose and uses of all types of data collected;
3. The data storage location and duration or the rules on storage location and duration;
4. The methods and procedures to delete personal information from within the vehicle and to request the deletion of personal information provided outside the vehicle. 

Article 8: Operators that collect sensitive personal information and provide it outside the vehicle, including vehicle position or audiovisuals, etc., of drivers or passengers, as well as data that can be used to judge illegal driving, etc., shall comply with the following requirements:

1. Adopt the purpose of directly serving drivers or passengers, including increasing driving safety, assisted driving, navigation, entertainment, etc.;
2. Non-collection as the default; the consent and authorization from the driver shall be sought every time, and when driving concludes (defined as when the driver leaves the driver’s seat), the authorization is automatically void;
3. Through on-board display panel, audio message, etc., inform the driver and passengers that sensitive personal information is being collected.
4. Drivers can conveniently terminate data collection at any time;
5. Allow automobile owners to conveniently review and systematically query collected sensitive personal information;
6. When drivers request operators delete data, operators shall delete it within 2 weeks.

Article 9: Operators collecting personal information shall obtain the consent of the person being collected upon, except where laws and regulations provide that obtaining individual consent is not required. Where this is difficult to achieve in practice (such as when collecting exterior audiovisual information through a camera), yet truly necessary to provide, anonymization or desensitization handling shall be undertaken, including by deleting images that can identify a natural person, undertaking partial obscuring handling, etc., on the faces, etc., within the images.

Article 10: Drivers’ biometric data such as fingerprint, voiceprint, facial images, and heart rhythm can be collected only for purposes such as enabling convenience to user applications or enhancing the security of vehicle electronics and information systems, and alternative methods to biometrics shall be provided.   

Article 11: Operators handling important data shall report in advance to province-level cyberspace and informatization departments and relevant departments, regarding the type, scale, scope, storage location and duration, and mode of usage of data, as well as whether operators will provide such data to a third party.

Article 12: Personal information or important data shall be stored within the mainland territory of the People’s Republic of China according to law. If it is necessary to provide it outside the territory, data outbound security assessment organized by the state cyberspace and informatization department shall be undertaken. 

Where there are clear provisions regarding provision of personal information abroad in treaties, agreements, etc., in treaties, agreements, etc., participated in by China or concluded with other countries, regions, or international organizations, those provisions apply, except where China has declared reservations.

Article 13: Operators who provide personal information or important data abroad, shall take effective measures to specify and supervise recipients to use data according to the purpose, scope, and methods agreed by both parties, and to ensure data security.

Article 14: Operators who provide personal information or important data abroad shall accept and handle complaints from users involved, and shall bear corresponding responsibilities according to law for damages to lawful rights and interests of users as well as to the public interest. 

Article 15: Operators shall not exceed the purpose, scope, method as well as type and scale of data, etc., specified in the outbound security assessment when providing personal information or important data abroad. 

The state cyberspace and informatization department shall work with relevant departments of the State Council to check the type, scope, etc., of personal information or important data provided abroad through random inspection, and operators shall display [that information] in a clear and readable format.   

Article 16: Where scientific research and business partnerships require querying personal information and important data, operators shall adopt effective measures to ensure data security and prevent leakage (), and strictly limit query and use of sensitive data such as important data, vehicle position, biometrics, driver and passenger audiovisuals, as well as data that can be used to determine illegal driving.

Article 17: Operators handling the personal information of more than 100,000 personal information subjects, or handling important data, shall report annual data security management status to province-level cyberspace and informatization departments and relevant departments by December 15 of each year, including:

1. Name and contact information of the person responsible for data security and the person responsible for handling matters related to user rights;
2. The type, scale, purpose and necessity of data handling;
3. Data security protections and management measures, including storage location and duration, etc.;
4. The status of domestic third-party data sharing;
5. The status of data security incidents and handling;
6. The status of personal information and data-related user complaints and handling;
7. Other data security situations specified by the state cybersecurity and informatization department.

Article 18: If a data is provided abroad, operators shall, on the basis on Article 17 of these Provisions, report the following:

1. The name and contact information of recipients;
2. The type, volume, and purpose of data transfer abroad;
3. The storage location and scope and method of use of data abroad; 
4. The status of user complaints touching on data provision abroad and their handling;
5. Other situations regarding data provision abroad specified by the state cybersecurity and informatization department as requiring reporting.

Article 19: Operators shall cooperate with data security assessments conducted according to the operator’s data handling status by the state cybersecurity and informatization department and relevant departments of the State Council.

Institutions and personnel participating in security assessments shall not reveal operators’ commercial secrets or undisclosed information learned during assessments, and they must not use information learned from assessments for purposes other than the assessments.

Article 20: Operators that violate these Provisions will be punished by cyberspace and informatization departments and relevant departments at the provincial level and above in accordance with the relevant provisions of the Cybersecurity Law of the People’s Republic of China and other laws and regulations. Where a crime is constituted, criminal liability will be investigated according to law.

Article 21: These Provisions are implemented beginning on [month] [day], 2021.

Translators’ Notes

[1]  The term 汽车 and various other terms referring to automobiles, cars, or vehicles are translated in this document as “automobiles.” The draft provisions do not specify a definition of what classes of vehicles might be covered by these rules.

[2] “Cybersecurity and informatization” departments at the state (national) or other administrative level refers to the Cyberspace Administration of China and its local branches.

Chinese-language original

(This original text includes introductory language on solicitation of public comments due June 11, 2021)

Source: http://www.gov.cn/xinwen/2021-05/12/content_5606075.htm

国家互联网信息办公室关于《汽车数据安全管理若干规定（征求意见稿）》公开征求意见的通知

2021-05-12 21:40  来源： 网信办网站

【字体：大 中 小】打印      

为加强个人信息和重要数据保护，规范汽车数据处理活动，根据《中华人民共和国网络安全法》等法律法规，国家互联网信息办公室会同有关部门起草了《汽车数据安全管理若干规定（征求意见稿）》，现向社会公开征求意见。公众可通过以下途径和方式提出反馈意见：

1.登录中华人民共和国司法部 中国政府法制信息网（www.moj.gov.cn、www.chinalaw.gov.cn），进入首页主菜单的“立法意见征集”栏目提出意见。

2.通过电子邮件方式发送至：zqyj@cac.gov.cn。

3.通过信函方式将意见寄至：北京市西城区车公庄大街11号国家互联网信息办公室，邮编100044，并在信封上注明“汽车数据安全管理若干规定征求意见”。

意见反馈截止时间为2021年6月11日。

附件：汽车数据安全管理若干规定（征求意见稿）

国家互联网信息办公室

2021年5月12日

汽车数据安全管理若干规定

（征求意见稿）

第一条 为了加强个人信息和重要数据保护，规范汽车数据处理活动，维护国家安全和公共利益，根据《中华人民共和国网络安全法》等法律法规，制定本规定。

第二条 运营者在中华人民共和国境内设计、生产、销售、运维、管理汽车过程中，收集、分析、存储、传输、查询、利用、删除以及向境外提供（以下统称处理）个人信息或重要数据，应当遵守相关法律法规和本规定的要求。

第三条 本规定所称运营者指汽车设计、制造、服务企业或者机构，包括汽车制造商、部件和软件提供者、经销商、维修机构、网约车企业、保险公司等。

本规定所称个人信息包括车主、驾驶人、乘车人、行人等的个人信息，以及能够推断个人身份、描述个人行为等的各种信息。

本规定所称重要数据包括：

（一）军事管理区、国防科工等涉及国家秘密的单位、县级以上党政机关等重要敏感区域的人流车流数据；

（二）高于国家公开发布地图精度的测绘数据；

（三）汽车充电网的运行数据；

（四）道路上车辆类型、车辆流量等数据；

（五）包含人脸、声音、车牌等的车外音视频数据；

（六）国家网信部门和国务院有关部门明确的其他可能影响国家安全、公共利益的数据。

第四条 运营者处理个人信息或重要数据的目的应当合法、具体、明确，与汽车的设计、制造、服务直接相关。

第五条 运营者应当落实网络安全等级保护制度，加强个人信息和重要数据保护，依法履行网络安全义务。

第六条 倡导运营者处理个人信息和重要数据过程中坚持：

（一）车内处理原则，除非确有必要不向车外提供；

（二）匿名化处理原则，确有必要向车外提供的，尽可能地进行匿名化和脱敏处理；

（三）最小保存期限原则，根据所提供功能服务分类型确定数据保存期限；

（四）精度范围适用原则，根据所提供功能服务对数据精度的要求确定摄像头、雷达等的覆盖范围、分辨率；

（五）默认不收集原则，除非确有必要，每次驾驶时默认为不收集状态，驾驶人的同意授权只对本次驾驶有效。

第七条 运营者处理个人信息应当通过用户手册、车载显示面板或其他适当方式，告知负责处理用户权益责任人的有效联系方式，以及收集数据的类型，包括车辆位置、生物特征、驾驶习惯、音视频等，并提供以下信息：

（一）收集每种类型数据的触发条件以及停止收集的方法；

（二）收集各类型数据的目的、用途；

（三）数据保存地点、期限，或者确定保存地点、期限的规则；

（四）删除车内、请求删除已经提供给车外的个人信息的方法步骤。

第八条 运营者收集和向车外提供敏感个人信息，包括车辆位置、驾驶人或乘车人音视频等，以及可以用于判断违法违规驾驶的数据等，应当符合以下要求：

（一）以直接服务于驾驶人或者乘车人为目的，包括增强行车安全、辅助驾驶、导航、娱乐等；

（二）默认为不收集，每次都应当征得驾驶人同意授权，驾驶结束（驾驶人离开驾驶席）后本次授权自动失效；

（三）通过车内显示面板或语音等方式告知驾驶人和乘车人正在收集敏感个人信息；

（四）驾驶人能够随时、方便地终止收集；

（五）允许车主方便查看、结构化查询被收集的敏感个人信息；

（六）驾驶人要求运营者删除时，运营者应当在2周内删除。

第九条 运营者收集个人信息应当取得被收集人同意，法律法规规定不需取得个人同意的除外。实践上难以实现的（如通过摄像头收集车外音视频信息），且确需提供的，应当进行匿名化或脱敏处理，包括删除含有能够识别自然人的画面，或对这些画面中的人脸等进行局部轮廓化处理等。

第十条 仅当为了方便用户使用、增加车辆电子和信息系统安全性等目的，方可收集驾驶人指纹、声纹、人脸、心律等生物特征数据，同时应当提供生物特征的替代方式。

第十一条 运营者处理重要数据，应当提前向省级网信部门和有关部门报告数据类型、规模、范围、保存地点与时限、使用方式，以及是否向第三方提供等。

第十二条 个人信息或者重要数据应当依法在境内存储，确需向境外提供的，应当通过国家网信部门组织的数据出境安全评估。

我国参与的或者与其他国家和地区、国际组织缔结的条约、协议等对向境外提供个人信息有明确规定的，适用其规定，我国声明保留的条款除外。

第十三条 运营者向境外提供个人信息或者重要数据的，应当采取有效措施明确和监督接收者按照双方约定的目的、范围、方式使用数据，保证数据安全。

第十四条 运营者向境外提供个人信息或者重要数据的，应当接受和处理所涉及的用户投诉；造成用户合法权益或公共利益受到损害的，应当依法承担相应责任。

第十五条 运营者不得超出出境安全评估时明确的目的、范围、方式和数据类型、规模等，向境外提供个人信息或重要数据。

国家网信部门会同国务院有关部门以抽查方式核验向境外提供个人信息或重要数据的类型、范围等，运营者应当以明文、可读方式予以展示。

第十六条 科研和商业合作伙伴需要查询利用境内存储的个人信息和重要数据的，运营者应当采取有效措施保证数据安全，防止流失；严格限制对重要数据以及车辆位置、生物特征、驾驶人或者乘车人音视频，以及可以用于判断违法违规驾驶的数据等敏感数据的查询利用。

第十七条 处理个人信息涉及个人信息主体超过10万人、或者处理重要数据的运营者，应当在每年十二月十五日前将年度数据安全管理情况报省级网信部门和有关部门，内容包括：

（一）数据安全负责人以及负责处理用户权益相关事务责任人的姓名和联系方式；

（二）处理数据的类型、规模、目的及必要性；

（三）数据的安全防护和管理措施，包括保存地点、期限等；

（四）与境内第三方共享数据情况；

（五）数据安全事故及处理情况；

（六）与个人信息和数据相关的用户投诉及处理情况；

（七）国家网信部门明确的其他数据安全情况。

第十八条 如果存在向境外提供数据的情况，运营者应当在本规定第十七条基础上，报告以下情况：

（一）接收者的名称和联系方式；

（二）出境数据的类型、数量及目的；

（三）数据在境外的存放地点、使用范围和方式；

（四）涉及向境外提供数据的用户投诉及处理情况；

（五）国家网信部门明确的向境外提供数据需要报告的其他情况。

第十九条 国家网信部门会同国务院有关部门根据处理数据情况对运营者进行数据安全评估，运营者应当予以配合。

参与安全评估的机构和人员不得披露评估中获悉的运营者商业秘密、未公开信息，不得将评估中获悉的信息用于评估以外目的。

第二十条 运营者违反本规定的，由省级以上网信部门和有关部门依照《中华人民共和国网络安全法》等法律法规的有关规定进行处罚。构成犯罪的，依法追究刑事责任。

第二十一条 本规定自2021年 月 日起施行。