Translation: Several Provisions on the Management of Automobile Data Security (Draft for Comment)


June 10, 2021


June 10, 2021

Translated by Lauren Dudley, Yongjia Chen, Justin Tu, and Scarlett Ho. Edited by Graham Webster.

Several Provisions on the Management of Automobile Data Security (Draft for Comment)

May 12, 2021

Article 1: In order to strengthen personal information and important data protection, standardize automobile[1] data handling activities, and safeguard national security and the public interest, in accordance with the Cybersecurity Law of the People’s Republic of China and other laws and provisions, these Provisions are formulated.

Article 2: Operators involved in the design, production, sale, maintenance, and management of vehicles within the mainland territory of the People’s Republic of China, and the collection, analysis, storage, transmission, query, use, deletion, as well as the overseas provision (hereafter called “handling”) of personal information or important data, shall comply with relevant laws and regulations and these Provisions.  

Article 3: “Operators” in these Provisions refers to automobile design, manufacture, and services companies and organizations, including vehicle manufacturing companies, component and software suppliers, dealers, maintenance organizations, ride-hailing firms, and insurance companies, etc.

“Personal information” in these Provisions includes the personal information of automobile owners, drivers, passengers, pedestrians, etc., as well as any kind of information that could infer a person’s identity, describe a person’s behavior, etc.

“Important data” in these Provisions includes:

  1. Data on the flow of people and traffic in military administrative areas, national defense science and industrial units or other units that involve state secrets, or sensitive, important areas of Party and government administrative units above the county level, etc.;
  2. Survey and map data that is more precise than maps publicly issued by the state;
  3. Data on the operation of automobile charging networks;
  4. Data on types and traffic volume, etc., of vehicles on the road;
  5. Audiovisual data of individuals’ faces, voices, and license plates, etc., outside the vehicle;
  6. Other data that might affect national security and the public interest, as specified by the state cybersecurity and informatization department[2] and relevant departments of the State Council.

Article 4: An operator’s purpose for handling personal information or important data shall be lawful, specific, clear, and directly related to the design, manufacture, or servicing of automobiles. 

Article 5: Operators shall implement the Cybersecurity Multi-level Protection Scheme (MLPS) to strengthen personal information and important data protection, and fulfill their cybersecurity obligations according to the law. 

Article 6: It is proposed that during the process of handling personal information or important data, operators insist on: 

  1. The on-board handling principle—not providing data outside the automobile unless truly necessary;
  2. The anonymized handling principle—if truly necessary to provide data outside the automobile, carry out anonymization and desensitization handling to the extent possible;
  3. The minimum retention period principle—determine data retention periods based on the functionality and services provided;
  4. The suitable precision and scope principle—determine camera, radar, etc., coverage scope and resolution based on the data requirements for the functionality and services provided; 
  5. The non-collection as default principle—unless it is truly necessary, each trip’s default mode is non-collection, and driver consent and authorization only apply to the present trip.

Article 7: Operators handling personal information shall provide effective contact information for the person responsible for handling user rights, as well as the type of data collected, including vehicle position, biometrics, driving habits, audio and video, etc., in the user manual, on the on-board display panel, or through other appropriate means, and supply the following information:

  1. The conditions that trigger collection of each type of data as well as methods to stop collection;
  2. The purpose and uses of all types of data collected;
  3. The data storage location and duration or the rules on storage location and duration;
  4. The methods and procedures to delete personal information from within the vehicle and to request the deletion of personal information provided outside the vehicle. 

Article 8: Operators that collect sensitive personal information and provide it outside the vehicle, including vehicle position or audiovisuals, etc., of drivers or passengers, as well as data that can be used to judge illegal driving, etc., shall comply with the following requirements:

  1. Adopt the purpose of directly serving drivers or passengers, including increasing driving safety, assisted driving, navigation, entertainment, etc.;
  2. Non-collection as the default; the consent and authorization from the driver shall be sought every time, and when driving concludes (defined as when the driver leaves the driver’s seat), the authorization is automatically void;
  3. Through on-board display panel, audio message, etc., inform the driver and passengers that sensitive personal information is being collected.
  4. Drivers can conveniently terminate data collection at any time;
  5. Allow automobile owners to conveniently review and systematically query collected sensitive personal information;
  6. When drivers request operators delete data, operators shall delete it within 2 weeks.

Article 9: Operators collecting personal information shall obtain the consent of the person being collected upon, except where laws and regulations provide that obtaining individual consent is not required. Where this is difficult to achieve in practice (such as when collecting exterior audiovisual information through a camera), yet truly necessary to provide, anonymization or desensitization handling shall be undertaken, including by deleting images that can identify a natural person, undertaking partial obscuring handling, etc., on the faces, etc., within the images.

Article 10: Drivers’ biometric data such as fingerprint, voiceprint, facial images, and heart rhythm can be collected only for purposes such as enabling convenience to user applications or enhancing the security of vehicle electronics and information systems, and alternative methods to biometrics shall be provided.   

Article 11: Operators handling important data shall report in advance to province-level cyberspace and informatization departments and relevant departments, regarding the type, scale, scope, storage location and duration, and mode of usage of data, as well as whether operators will provide such data to a third party.

Article 12: Personal information or important data shall be stored within the mainland territory of the People’s Republic of China according to law. If it is necessary to provide it outside the territory, data outbound security assessment organized by the state cyberspace and informatization department shall be undertaken. 

Where there are clear provisions regarding provision of personal information abroad in treaties, agreements, etc., in treaties, agreements, etc., participated in by China or concluded with other countries, regions, or international organizations, those provisions apply, except where China has declared reservations.

Article 13: Operators who provide personal information or important data abroad, shall take effective measures to specify and supervise recipients to use data according to the purpose, scope, and methods agreed by both parties, and to ensure data security.

Article 14: Operators who provide personal information or important data abroad shall accept and handle complaints from users involved, and shall bear corresponding responsibilities according to law for damages to lawful rights and interests of users as well as to the public interest. 

Article 15: Operators shall not exceed the purpose, scope, method as well as type and scale of data, etc., specified in the outbound security assessment when providing personal information or important data abroad. 

The state cyberspace and informatization department shall work with relevant departments of the State Council to check the type, scope, etc., of personal information or important data provided abroad through random inspection, and operators shall display [that information] in a clear and readable format.   

Article 16: Where scientific research and business partnerships require querying personal information and important data, operators shall adopt effective measures to ensure data security and prevent leakage (), and strictly limit query and use of sensitive data such as important data, vehicle position, biometrics, driver and passenger audiovisuals, as well as data that can be used to determine illegal driving.

Article 17: Operators handling the personal information of more than 100,000 personal information subjects, or handling important data, shall report annual data security management status to province-level cyberspace and informatization departments and relevant departments by December 15 of each year, including:

  1. Name and contact information of the person responsible for data security and the person responsible for handling matters related to user rights;
  2. The type, scale, purpose and necessity of data handling;
  3. Data security protections and management measures, including storage location and duration, etc.;
  4. The status of domestic third-party data sharing;
  5. The status of data security incidents and handling;
  6. The status of personal information and data-related user complaints and handling;
  7. Other data security situations specified by the state cybersecurity and informatization department.

Article 18: If a data is provided abroad, operators shall, on the basis on Article 17 of these Provisions, report the following:

  1. The name and contact information of recipients;
  2. The type, volume, and purpose of data transfer abroad;
  3. The storage location and scope and method of use of data abroad; 
  4. The status of user complaints touching on data provision abroad and their handling;
  5. Other situations regarding data provision abroad specified by the state cybersecurity and informatization department as requiring reporting.

Article 19: Operators shall cooperate with data security assessments conducted according to the operator’s data handling status by the state cybersecurity and informatization department and relevant departments of the State Council.

Institutions and personnel participating in security assessments shall not reveal operators’ commercial secrets or undisclosed information learned during assessments, and they must not use information learned from assessments for purposes other than the assessments.

Article 20: Operators that violate these Provisions will be punished by cyberspace and informatization departments and relevant departments at the provincial level and above in accordance with the relevant provisions of the Cybersecurity Law of the People’s Republic of China and other laws and regulations. Where a crime is constituted, criminal liability will be investigated according to law.

Article 21: These Provisions are implemented beginning on [month] [day], 2021.

Translators’ Notes

[1]  The term 汽车 and various other terms referring to automobiles, cars, or vehicles are translated in this document as “automobiles.” The draft provisions do not specify a definition of what classes of vehicles might be covered by these rules.

[2] “Cybersecurity and informatization” departments at the state (national) or other administrative level refers to the Cyberspace Administration of China and its local branches.

Chinese-language original

(This original text includes introductory language on solicitation of public comments due June 11, 2021)



2021-05-12 21:40  来源: 网信办网站

【字体:大 中 小】打印      


1.登录中华人民共和国司法部 中国政府法制信息网(,进入首页主菜单的“立法意见征集”栏目提出意见。









第一条 为了加强个人信息和重要数据保护,规范汽车数据处理活动,维护国家安全和公共利益,根据《中华人民共和国网络安全法》等法律法规,制定本规定。

第二条 运营者在中华人民共和国境内设计、生产、销售、运维、管理汽车过程中,收集、分析、存储、传输、查询、利用、删除以及向境外提供(以下统称处理)个人信息或重要数据,应当遵守相关法律法规和本规定的要求。

第三条 本规定所称运营者指汽车设计、制造、服务企业或者机构,包括汽车制造商、部件和软件提供者、经销商、维修机构、网约车企业、保险公司等。









第四条 运营者处理个人信息或重要数据的目的应当合法、具体、明确,与汽车的设计、制造、服务直接相关。

第五条 运营者应当落实网络安全等级保护制度,加强个人信息和重要数据保护,依法履行网络安全义务。

第六条 倡导运营者处理个人信息和重要数据过程中坚持:






第七条 运营者处理个人信息应当通过用户手册、车载显示面板或其他适当方式,告知负责处理用户权益责任人的有效联系方式,以及收集数据的类型,包括车辆位置、生物特征、驾驶习惯、音视频等,并提供以下信息:





第八条 运营者收集和向车外提供敏感个人信息,包括车辆位置、驾驶人或乘车人音视频等,以及可以用于判断违法违规驾驶的数据等,应当符合以下要求:







第九条 运营者收集个人信息应当取得被收集人同意,法律法规规定不需取得个人同意的除外。实践上难以实现的(如通过摄像头收集车外音视频信息),且确需提供的,应当进行匿名化或脱敏处理,包括删除含有能够识别自然人的画面,或对这些画面中的人脸等进行局部轮廓化处理等。

第十条 仅当为了方便用户使用、增加车辆电子和信息系统安全性等目的,方可收集驾驶人指纹、声纹、人脸、心律等生物特征数据,同时应当提供生物特征的替代方式。

第十一条 运营者处理重要数据,应当提前向省级网信部门和有关部门报告数据类型、规模、范围、保存地点与时限、使用方式,以及是否向第三方提供等。

第十二条 个人信息或者重要数据应当依法在境内存储,确需向境外提供的,应当通过国家网信部门组织的数据出境安全评估。


第十三条 运营者向境外提供个人信息或者重要数据的,应当采取有效措施明确和监督接收者按照双方约定的目的、范围、方式使用数据,保证数据安全。

第十四条 运营者向境外提供个人信息或者重要数据的,应当接受和处理所涉及的用户投诉;造成用户合法权益或公共利益受到损害的,应当依法承担相应责任。

第十五条 运营者不得超出出境安全评估时明确的目的、范围、方式和数据类型、规模等,向境外提供个人信息或重要数据。


第十六条 科研和商业合作伙伴需要查询利用境内存储的个人信息和重要数据的,运营者应当采取有效措施保证数据安全,防止流失;严格限制对重要数据以及车辆位置、生物特征、驾驶人或者乘车人音视频,以及可以用于判断违法违规驾驶的数据等敏感数据的查询利用。

第十七条 处理个人信息涉及个人信息主体超过10万人、或者处理重要数据的运营者,应当在每年十二月十五日前将年度数据安全管理情况报省级网信部门和有关部门,内容包括:








第十八条 如果存在向境外提供数据的情况,运营者应当在本规定第十七条基础上,报告以下情况:






第十九条 国家网信部门会同国务院有关部门根据处理数据情况对运营者进行数据安全评估,运营者应当予以配合。


第二十条 运营者违反本规定的,由省级以上网信部门和有关部门依照《中华人民共和国网络安全法》等法律法规的有关规定进行处罚。构成犯罪的,依法追究刑事责任。

第二十一条 本规定自2021年 月 日起施行。