Data protection in China – the automotive industry in focus

The core of the Regulations lies in the extensive obligations for the processors of automotive data in China. Such legal obligations are also relevant for German and European car manufacturers and suppliers with Chinese operations. This is because the collection and processing of vehicle data is an important foundation for playing a leading role in the future automotive industry (e.g. autonomous driving and Internet of Vehicles, “IoV”). 

The Regulations affect the so-called "automotive data processors" who process "automotive data" in China. Automotive data processors include automobile manufacturers, parts and software suppliers, distributors, maintenance and driving service providers. Automotive data refers to personal information and "important data" related to the design, manufacturing, sales, use, operation and maintenance of vehicles. Processing of automotive data means collection, storage, use, processing, transmission, provision and publication of the data.

The concept of "important data" is again defined very broadly, including data that might endanger national security, the public interest or the rights and interests of individuals or organizations in case it is tampered with, damaged, disclosed, unlawfully obtained or used.

The Regulations lay down four principles in the processing of vehicle data: priority of data processing in the vehicle itself, no automatic data collection, application of the accuracy range, and anonymization as far as possible.

It is particularly important to note that important data should be basically stored in China. Overseas transmission and storage can only take place after a security inspection by the relevant authority. This makes it more difficult for foreign automotive industry players to transfer data from the important Chinese automotive market to their foreign headquarters, which could result in the relocation of data centers or the storage of data in China.

Furthermore, automobile manufacturers and companies distributing vehicles or providing services in China should review their internal compliance rules regarding the collection, processing, storage and transfer of personal information data and important data on automobiles and their users.

Following the issuance of the Provisional Regulations for the Management of Data Security in the Automotive Industry in August 2021, China's Ministry of Industry and Information Technology released a notice on strengthening cybersecurity and data protection of Internet of Vehicles one month later.

Further rules, regulations and standards related to data protection in the automotive industry in China are expected to be released in the future. It’s important to monitor the legislative developments closely.