Recently, the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the Ministry of Transport jointly issued the “Several Regulations on Vehicle Data Security Management (Trial)” (hereinafter referred to as the “Regulations”). The relevant person in charge of the Cyberspace Administration of China answered questions from reporters on issues related to the Regulations.
Q: Please briefly introduce the background of the promulgation of the Regulations?
A: The promulgation of the “Regulations” is mainly based on the following two considerations: First, the practical need to prevent and resolve automobile data security risks. The automobile industry involves many fields such as the national economy, equipment manufacturing, finance, transportation, production and life. The automobile data processing capability is increasing day by day, and the scale of automobile data is huge. At the same time, the security problems and hidden risks of automobile data exposed are also increasingly prominent. For example, car data processors exceed actual needs and excessively collect important data; illegally process personal information, especially sensitive personal information, without user consent; illegally export important data without security assessment. Therefore, it is urgent to strengthen the security management of automobile data to prevent and resolve the above-mentioned security problems and hidden risks. The second is the objective need to ensure the reasonable and effective use of automobile data in accordance with the law. The Cybersecurity Law and the Data Security Law make basic provisions on data security and personal information protection. The introduction of targeted rules and regulations in the field of automobile data security management, clarifying the responsibilities and obligations of automobile data processors, and regulating automobile data processing activities are conducive to promoting the rational and effective use of automobile data in accordance with the law and the healthy and orderly development of the automobile industry.
In addition, it should be noted that the “Regulations” are positioned in a number of normative requirements, focusing on the security risks of personal information and important data in the automotive field, and making provisions on a number of key issues.
Q: What does the “Regulations” refer to as vehicle data and vehicle data processing activities?
A: The “automobile data” mentioned in the “Regulations” refers to the personal information data and important data in the process of automobile design, production, sales, use, operation and maintenance; “automobile data processing” includes collection, storage, use, processing, transmission, provision, disclosure, etc., and involves the entire life cycle of automotive data processing. The Regulations also further clarify the meaning and types of personal information, sensitive personal information, important data and car data processors in car data.
Q: What are the general requirements that automobile data processors should meet to carry out automobile data processing activities in the “Regulations”?
A: The Regulations specify the general requirements for automobile data processors to carry out automobile data processing activities. Mainly include: First, the processing of automobile data should be legal, legitimate, specific, and clear, and directly related to the design, production, sales, use, operation and maintenance of automobiles. The second is to use the Internet and other information networks to carry out automobile data processing activities, and should implement systems such as network security level protection, strengthen automobile data protection, and perform data security obligations in accordance with the law. The third is to establish complaint reporting channels, set up convenient complaint reporting portals, and handle user complaints and reports in a timely manner.
Q: What principles does the Regulations advocate for automobile data processors to adhere to in carrying out automobile data processing activities?
A: In the process of formulating the “Regulations”, we insisted on paying equal attention to safety and development, and advocated that automobile data processors adhere to principles such as “in-vehicle processing”, “default not to collect”, “accuracy range applicable” and “desensitization processing” in carrying out automobile data processing activities, so as to reduce the disorderly collection and abuse of automobile data, encourage the rational and effective use of automobile data in accordance with the law, and promote the healthy and orderly development of the automobile industry.
Q: In order to enable automobile data processors to better fulfill their personal information protection responsibilities, what specific requirements are specified in the Regulations?
A: The Regulations clarify the specific requirements for handling personal information and sensitive personal information. Regarding personal information, the first is the obligation of notification. When processing personal information, the automobile data processor shall notify relevant information such as the type of personal information to be processed, the collection situation, the method of stopping the collection, and so on. The second is the obligation to obtain consent. When processing personal information, automobile data processors should obtain personal consent or comply with other circumstances stipulated by laws and administrative regulations. The third is the requirement of anonymization. If it is impossible to obtain personal consent to collect personal information and provide it to the outside of the car due to the need to ensure driving safety, anonymization should be performed. For sensitive personal information, on the basis of fulfilling the obligations of notification and obtaining individual consent, the processing of sensitive personal information by automobile data processors shall also meet specific requirements such as limiting the processing purpose, prompting the collection status, and providing convenience for individuals to terminate the collection. For personal biometric information, it can be collected only if it is clear that the automobile data processor has the purpose of enhancing driving safety and is sufficiently necessary.
Q: In order to regulate important data processing activities, what specific requirements are specified in the Regulations?
A: The Regulations specify the specific system for handling important data. The first is the risk assessment report system. When carrying out important data processing activities, automobile data processors shall conduct risk assessments in accordance with regulations, and submit risk assessment reports to the network and information departments and relevant departments of provinces, autonomous regions, and municipalities directly under the Central Government. The second is the exit security assessment system. Important data should be stored within the country in accordance with the law. If it is really necessary to provide it overseas due to business needs, it should pass the security assessment organized by the national cybersecurity and informatization department in conjunction with the relevant departments of the State Council. The third is the random inspection and verification system. The national network information department, together with the relevant departments of the State Council, will verify the matters related to the export assessment of automobile data by means of random inspection, and the automobile data processor shall cooperate. The fourth is the annual reporting system. The automobile data processor shall report the annual automobile data security management situation to the provincial, autonomous region, and municipality directly under the Central Government Internet Information and relevant departments before December 15 each year. The fifth is the annual supplementary reporting system. Automobile data processors that provide important data overseas should supplementally report relevant situations.
Q: Regarding the safety supervision, management and guarantee of automobile data, what specific measures are specified in the Regulations?
A: In addition to the above-mentioned supervision and management measures such as reporting, evaluation, random inspection and verification, the “Regulations” also specify that the national network information department and the relevant departments of the State Council for development and reform, industry and informatization, public security, transportation and others can, according to their responsibilities and the data handling situation, carry out data security assessments for automobile data processors. They also clarify that the state strengthens the construction of intelligent (connected) vehicle network platforms, conducts intelligent (connected) vehicle network operation and security services, etc., and cooperates with automobile data processors to strengthen the security protection of intelligent (connected) vehicle networks and car data.
Q: How to pursue legal responsibility for violating the “Regulations”?
A: The “Regulations” clarify that if the automobile data processor violates these regulations, the relevant departments of the Internet, industry and informatization, public security, transportation and other related departments at the provincial level or above shall follow the “Cyber Security Law”, “Data Security Law” and other laws and administrative regulations. If a crime is constituted, criminal responsibility shall be investigated according to law.