State Internet Information Office: need to strengthen the protection of important data, standardize automotive data processing activities

Easy Car News: A few days ago, in order to strengthen the protection of personal information and important data and to standardize automotive data processing activities, the State Internet Information Office, in conjunction with the relevant departments, drafted the "Several Provisions on Automotive Data Security Management (Draft for Public Comments)" in accordance with the Cybersecurity Law of the People's Republic of China and other laws and regulations. The draft is now open to public consultation.

The Several Provisions on Automotive Data Security Management (Draft for Public Comments) propose that operators should obtain the consent of the person whose personal information is collected, except where laws and regulations stipulate that the individual's consent is not required. Personal information or important data should be stored in the territory in accordance with the law, and if it is necessary to provide it outside the country, it should pass the data exit security assessment organized by the national Internet information department. Operators shall not provide personal information or important data outside the country beyond the purpose, scope, method, data type and scale specified in the exit security assessment.

Several Provisions on Automotive Data Security Management (Draft for Public Comments) are as follows:

Article 1 These provisions are formulated in accordance with the Cybersecurity Law of the People's Republic of China and other laws and regulations, in order to strengthen the protection of personal information and important data, standardize automotive data processing activities, and safeguard national security and the public interest.

Article 2 Operators shall comply with relevant laws and regulations and the requirements of these provisions when collecting, analyzing, storing, transmitting, querying, utilizing, deleting, and providing (hereinafter collectively referred to as processing) personal information or important data outside of China in the process of designing, producing, selling, operating, maintaining and managing automobiles within the territory of the People's Republic of China.

Article 3 Operators referred to in these provisions mean automobile design, manufacturing and service enterprises or organizations, including automobile manufacturers, parts and software providers, dealers, maintenance organizations, online car enterprises and insurance companies.

Personal information referred to in these provisions includes personal information of vehicle owners, drivers, riders, pedestrians, etc., as well as all kinds of information from which personal identity can be inferred or which describes personal behavior.

The important data referred to in these provisions include:

(i) data on the flow of people and vehicles in important and sensitive areas such as military management zones, units involving state secrets such as the National Defense Science and Industry, and party and government organs at or above the county level;

(ii) surveying and mapping data higher than the accuracy of the state's publicly-released maps;

(iii) data on the operation of the vehicle charging network;

(iv) data on the types of vehicles on the road, vehicle flow, etc.;

(v) off-vehicle audio and video data containing faces, voices, license plates, etc.;

(vi) other data explicitly specified by the State Internet Information Office and the relevant departments of the State Council that may affect national security and public interests.

Article 4 The purpose of the operator's handling of personal information or important data shall be lawful, specific and clear, and directly related to the design, manufacture and service of the automobile.

Article 5 The operator shall implement the network security level protection system, strengthen the protection of personal information and important data, and fulfill the network security obligations in accordance with the law.

Article 6 Operators are encouraged to adhere to the following principles in handling personal information and important data:

(1) the principle of in-vehicle handling: data is not provided outside the vehicle unless it is necessary;

(2) the principle of anonymization: if it is necessary to provide data outside the vehicle, anonymization and desensitization shall be carried out as far as possible;

(3) the principle of minimum retention period: the retention period of data is determined according to the type of function and service provided;

(4) the principle of applying the appropriate accuracy range: the coverage and resolution of cameras, radar, etc. are determined according to the data accuracy required by the functions and services provided;

(5) the principle of non-collection by default: unless it is necessary to do so, the default for each drive is not to collect, and the driver's consent to authorization is valid only for the current drive.

Article 7 An operator handling personal information shall, through the user manual, in-vehicle display panel or other appropriate means, inform users of the valid contact information of the person responsible for handling user rights and interests, as well as the types of data to be collected, including the vehicle's location, biometrics, driving habits, audio and video, etc., and provide the following information:

(i) the triggering conditions for the collection of each type of data as well as the method of ceasing the collection;

(ii) the purpose and use for which each type of data is collected;

(iii) the location and duration of data retention, or the rules for determining the location and duration of retention;

(iv) the method and steps for deleting personal information in the vehicle, or for requesting deletion of personal information that has been provided outside the vehicle.

Article 8 Operators that collect sensitive personal information and provide it outside the vehicle, including the location of the vehicle, audio and video of the driver or riders, and data that can be used to determine illegal driving, etc., shall comply with the following requirements:

(i) The purpose is to directly serve the driver or riders, including enhancing driving safety, assisting in driving, navigation, entertainment, etc.;

(ii) Default to no collection, the driver's consent to authorization should be obtained each time, and this authorization will automatically expire after the end of driving (when the driver leaves the driver's seat);

(iii) Notify the driver and riders that sensitive personal information is being collected by means of the in-vehicle display panel or by voice;

(iv) Enable the driver to terminate the collection at any time and at his/her convenience;

(v) Allow the owner of the vehicle to conveniently view and structurally query the sensitive personal information being collected;

(vi) When the driver requests the operator to delete, the operator shall do so within 2 weeks.

Article 9 The operator shall obtain the consent of the person whose personal information is collected, except where laws and regulations do not require the individual's consent. Where consent is practically difficult to obtain (such as when audio and video information outside the car is collected through the camera) and the data really needs to be provided, it shall be anonymized or desensitized, including by deleting images in which natural persons can be identified, or by applying local contouring or similar treatment to the faces in these images.

Article 10 Biometric data of drivers, such as fingerprints, voiceprints, faces, heart rhythms, etc., may be collected only for the purpose of user convenience and increasing the security of the vehicle's electronic and information systems, and alternatives to biometrics shall be provided at the same time.

Article 11 Operators dealing with important data shall report in advance to the provincial Internet information department and relevant departments the type, scale, scope, storage location and time limit, and manner of use of the data, and whether it is provided to a third party.

Article 12 Personal information or important data shall be stored in the territory in accordance with the law, and if it is necessary to provide it outside the country, it shall pass the data exit security assessment organized by the national Internet information department.

Where treaties, agreements, etc. that China participates in or concludes with other countries and regions or international organizations have explicit provisions on the provision of personal information outside China, those provisions shall apply, except for provisions on which China has declared reservations.

Article 13 Where an operator provides personal information or important data outside China, it shall take effective measures to clarify and supervise the use of the data by the recipient in accordance with the purpose, scope and manner agreed upon by the two parties, and ensure the safety of the data.

Article 14 Operators that provide personal information or important data outside the country shall accept and deal with user complaints; where the legitimate rights and interests of users or the public interest are harmed, they shall bear the corresponding responsibility according to law.

Article 15 The operator shall not provide personal information or important data outside the country beyond the purpose, scope, mode, data type, scale and so on specified in the exit security assessment.

The State Internet Information Office, in conjunction with the relevant departments of the State Council, verifies by means of random checks the type and scope of personal information or important data provided outside the country; the operator shall present it in an explicit and readable manner.

Article 16 Where scientific research and business partners need to query and use personal information and important data stored in the territory, the operator shall take effective measures to ensure data security and prevent loss; the query and use of important data, and of sensitive data such as the location of the vehicle, biometrics, audio and video of the driver or passengers, and data that can be used to determine illegal driving, shall be strictly limited.

Article 17 Operators that handle personal information involving more than 100,000 personal information subjects, or that process important data, shall report their annual data security management to the provincial Internet information department and the relevant departments before December 15 of each year, including:

(i) the names and contact information of the person in charge of data security and of the person responsible for handling user rights and interests affairs;

(ii) the type, scale, purpose and necessity of the data being processed;

(iii) security protection and management measures for the data, including the place of preservation, duration, etc.

(iv) the sharing of data with third parties in the territory;

(v) data security accidents and the handling of such accidents;

(vi) the personal information and data-related

(vii) other data security situations specified by the State Internet Information Office.

Article 18 In the event that there is a situation where data is provided outside the country, the operator shall, on the basis of Article 17 of the present provisions, report the following:

(1) the name and contact information of the recipient;

(2) the type, quantity and purpose of the outbound data;

(3) the location, scope of use and mode of storage of the data outside the country;

(4) user complaints involving the provision of data outside the country and the handling of such complaints;

(5) other circumstances specified by the State Internet Information Office that need to be reported for the provision of data outside the country.

Article 19 The State Internet Information Office, in conjunction with the relevant departments of the State Council, shall conduct a data security assessment of the operator based on the processing of data, and the operator shall cooperate.

Institutions and personnel involved in the security assessment shall not disclose the commercial secrets and undisclosed information of the operator learned in the assessment, and shall not use the information learned in the assessment for purposes other than the assessment.

Article 20 If the operator violates these provisions, it shall be punished by the Internet information department above the provincial level and the relevant departments in accordance with the Cybersecurity Law of the People's Republic of China and other relevant provisions of laws and regulations. Where the violation constitutes a crime, criminal responsibility shall be investigated.

Article 21 These provisions shall come into force from the month of 2021.