At a glance: The CAC issued draft rules that limit the collection and processing of auto data. They outline stringent requirements for operators of car data (e.g., companies engaged in manufacturing, maintenance, sales or ride-hailing) including:
- Limit data collection to vehicle management and driving safety; obtain customer consent before every drive; delete customer data upon request
- Anonymize or delete data if consent is difficult to achieve, e.g., pedestrians outside the vehicle
- Store personal information (identifiable information on drivers, passengers or pedestrians) and important data (e.g., external audio and video or data related to sensitive areas like military zones) within China and seek government approval prior to the transfer of data across borders
On April 28, China’s Standardization Committee had already issued a draft standard for comments that gives details on data collection, processing, storage and transmission for autonomous vehicles.
MERICS comment: The draft is part of China’s efforts to regulate data, as discussed above, and follows rapid advances in autonomous driving that have created new security concerns. It is an important step toward protecting user data and providing regulatory clarity in the booming but previously lightly regulated smart car industry.
For foreign enterprises, data security is increasingly a matter of survival in China’s autonomous driving market. A major impetus for China’s regulations is to prevent important data gathered by foreign carmakers from leaving the country. This led the Chinese military to ban Tesla cars from entering its complexes. Tesla, which just opened its Chinese data center, welcomed the draft and founder Elon Musk highlighted that compliance is imperative to avoid risking being shut down.
The draft rules also threaten to deepen the ongoing digital decoupling in the auto sector. Companies operating across different jurisdictions are caught between competing Chinese and foreign laws. This will primarily affect foreign companies in China, who might want to pool anonymized data at their global headquarters.
Policy name: Several Regulations for Automobile Data Security Management (Draft for Comments) (汽车数据安全管理若干规定（征求意见稿）) (Link)
Issuing body: CAC
Date: May 12, 2021 – open for public comments until June 11, 2021