China eyes strict rules for data collection by car firms to protect privacy
Published: May 12, 2021 09:38 PM
A Tesla Model 3 electric car is seen at the Automobile exhibition area during the third China International Import Expo (CIIE) in Shanghai, east China, Nov. 6, 2020.Photo:Xinhua

A Tesla Model 3 electric car is seen at the Automobile exhibition area during the third China International Import Expo (CIIE) in Shanghai, east China, Nov. 6, 2020.Photo:Xinhua

China's cyberspace administration on Wednesday issued strict draft rules on data collection by car companies, stipulating that operators need to gain permission from users before collecting personal information, and the data should also be stored safely so as to allow car owners to access it in a convenient manner.

Coming as there are growing concerns over personal data security and privacy protection in the country, the draft rules aim to strengthen protection of personal information and important data, as well as safeguard national security and the public interest, the Cyberspace Administration of China (CAC) said in a statement.

Under the draft rules, operators need to inform drivers through display panels or audio methods and get permission every time. Such authorization will automatically expire after driving ends. 

Operators must delete the data within two weeks if drivers request them to do so.

The draft rules suggest that car owners will have to opt in for data collection, a prevailing practice for software, which asks for permission to access cameras and directories, among other spheres of user privacy, Zeng Zhiling, managing director of LMC Automotive Consulting in Shanghai, told the Global Times on Wednesday. 

The detailed rules also draw a clear line between carmakers' and operators' data collection, and their rights to use the data, Zeng added.

The draft rules also stipulate that important data and personal information should be stored within China, and if it is necessary to provide such data abroad, it needs to undergo a security evaluation organized by the administrator.

The personal information protected includes information concerning car owners, drivers, passengers and pedestrians. Important data involves traffic data of sensitive areas such as military administrative areas, defense enterprises, and party and government officials, according to the CAC statement.

Storage of personal data has also become a hot issue after some media reports claimed that Tesla cars were banned in some military facilities in China due to security concerns regarding data collected by the cars. Tesla executives have repeatedly said that data collected in China would be stored in China. 

The draft rules also come after a Tesla owner's dramatic protest over alleged brake malfunction sparked heated discussion in China on how vehicle data should be collected and who owns it.

Tesla originally rejected the vehicle owners' request for data access, but then published it after the event became public knowledge. 

In a brief statement on Wednesday shortly after the draft rules were issued, Tesla said that it supports and responds to the auto industry's further regulated development, and it will work together to promote tech innovation. 

"We welcome everyone to actively offer advice and suggestions to relevant departments to promote sound, orderly development in the auto industry," it said in a post on its Sina Weibo account.

The draft rules are open to public comment until June 11.

Under the draft rules, if operators handle more than 100,000 individuals' personal information, they shall also report their annual data security management situation to cyberspace administrators at the provincial level and relevant departments prior to December 15. 

The rules also include harsh penalties for violations. If operators violate the rules, they will be punished in accordance to the internet security law, and if the case constitutes a crime, criminal responsibilities shall be affixed, according to the draft rules.

Penalties for data privacy infringements need to be crystallized, Zeng said, citing the EU General Data Protection Regulation that sets a maximum fine of 20 million euros ($24.25 million) or 4 percent of the offender's annual global turnover for infringements, whichever is greater. 

Global Times

blog comments powered by Disqus