On the evening of May 25, Tesla's official Weibo announced that it has established a data center in China to achieve localized data storage.
Tesla, known for its arrogant public image, is now so obedient and quick to respond. What exactly is the content of the "Several Regulations on Automotive Data Security Management (Draft for Comments)" ("Regulations") mentioned on its official Weibo? It's worth reviewing.
On May 12, 2021, the Cyberspace Administration of China released the "Several Provisions on Automotive Data Security Management (Draft for Comments)" ("Regulations") to publicly solicit public opinions.
Nowadays, data security issues in smart vehicles are drawing increasing attention. As China's first departmental regulation for data security management in the automotive industry, the "Regulations" address how data related to cars should be collected, transmitted, processed, and stored.
Let's interpret the key points and highlights of the "Regulations":
1. Who must comply?
According to Article 2 of the Draft Opinions, the applicable entities are operators who, during the design, production, sales, operation and maintenance, and management of automobiles within the territory of the People's Republic of China, collect, analyze, store, transmit, query, utilize, delete, and provide (hereinafter collectively referred to as processing) personal information or important data overseas.
Article 3 clarifies the definition of an operator:
Analysis:
- Regulation of automotive data now covers the entire automotive industry chain. It is worth noting that ride-hailing companies have also been explicitly @;
- Some entities have not mentioned essential auto finance institutions in the car purchase process, such as banks providing auto loans, auto finance companies, and financial leasing institutions. However, logically, all automotive-related manufacturers and service providers should be subject to regulation.
2. What is "important data"?
According to the "Regulations," vehicle data mainly consists of two parts: personal information and important data.
Personal Information includes personal information of vehicle owners, drivers, passengers, pedestrians, and various information that can infer personal identity and describe individual behavior. This is similar to the definitions of personal information in the Cybersecurity Law and the Civil Code, with no major changes.
It is worth noting that the concept of "important data" has been broadly described in the Cybersecurity Law, the Measures for Security Assessment of Personal Information and Important Data Exports (Draft for Comments), and the 2019 Data Security Management Measures (Draft for Comments), but the "Regulations" are the first to explicitly list the scope of important data:
Analysis:
- There have long been rumors online that Tesla was banned from entering government compound compounds, but now clear regulations have finally emerged;
- Autonomous driving cannot be separated from high-precision maps. Autonomous driving is an inevitable trend in intelligent vehicles, putting tight reins on related companies;
- According to this clause, any data recorded by external cameras or radar sensors without desensitization will be classified as "important data," and these related companies face higher compliance requirements.
3. Principles of Data Processing
Article 6 sets out several basic principles for operators handling personal information and important data, namely the in-vehicle processing principle, anonymization principle, minimum retention period principle, accuracy range application principle, and default non-collection principle. These are essentially further refinements of the legitimacy, necessity, and minimization principles stipulated in the Cybersecurity Law, the draft Personal Protection Law, and the draft Digital Security Law:
Analysis:
- In-vehicle processing: In practice, besides in-car storage devices, many companies store automotive data on remote information service platforms or the cloud for processing. If the final draft of the Regulations only defines "in-vehicle" as in-vehicle storage devices, related companies will be quite troubled;
- Anonymization and minimum retention period: technically not difficult to implement, but it places high demands on enterprise data storage, classification, and desensitization processing;
- Accuracy Range This requirement is very high. Camera and radar coverage and resolution requirements vary depending on the scenario. How should you switch between them? Or should everything be taken from the top?
- Default does not collect. Emphasizes the driver's control over a single authorization, but if it happens too frequently, the driver may find it annoying.
4. Personal Information Processing
Articles 7 to 10 set out regulations for personal information collection in two scenarios: inside and outside the vehicle:
Analysis:
- It emphasizes the driver's right to know and control;
- Compliance issues regarding car cameras collecting external audio and video information have always been an unavoidable pitfall. This information is necessary for assisted driving or autonomous driving functions, but when a car is driving on the road, cameras capture countless passersby's faces. How can you obtain each passerby's consent? It is fundamentally difficult to achieve in reality;
The "Regulations" provide a solution: simply perform desensitization processing, such as deleting images that can recognize faces or partially contouring faces.
(To be continued)

