5. Protection of personal sensitive information
Articles 8 and 10 specifically address personal sensitive information:
Analysis:
- Strictly limit the collection of sensitive information such as GPS positioning and in-car voice and video to serving drivers or passengers, and allow drivers to authorize it once and terminate at any time, for easy viewing, and for time-limited deletion;
- Providing car owners with convenient and structured ways to query sensitive personal information is a major breakthrough. In previous Tesla owner rights protection cases at auto shows, there has always been debate over whether ownership of "driving data that cannot identify personal identity" belongs to the driver or the car company (click here for interest: Tesla Auto Show Data Dispute). The "Regulations" do not directly answer this question, but at least now car owners can confidently demand driving data from car companies. Tesla has also announced plans to launch a car owner platform, allowing owners to view driving data;
6. Data localization and storage
Analysis:
- According to the Draft Personal Identification Protection Law, when non-critical information infrastructure operators process personal information in quantities that meet the Cyberspace Administration's requirements, they must store personal information domestically and complete security assessment procedures upon exit. However, the "Regulations" do not set a threshold for the quantity of personal information. It stipulates that personal information and important data must be stored domestically and must be exported only after a data cross-border security assessment organized by the national cyberspace administration;
- Articles 13 to 15 are general requirements for data export, while Article 16 makes special provisions for research and commercial cooperation. Istill don't understand what the intent is;
- Localized data storage is imperative. So Tesla responded immediately and began building cloud services domestically. Although there are differences in standards and thresholds for data export compared to existing regulations, unification is only a matter of time.
Multinational companies need to carefully consider setting up IT servers, and migrate data already existing abroad to domestic sources. Of course, this is a huge boon for domestic companies providing cloud storage services, such as Alibaba Cloud.
7. Regulatory reporting requirements
Analysis:
- Prior reporting is required before handling important data;
- For handling personal information involving more than 100,000 personal information subjects, or operators handling important data, in addition to the annual inspection for business administration, there is now a new requirement for annual data reports
8. Conclusion
The "Regulations" form a comprehensive automotive data protection system from three aspects: national security, public interest, and personal information protection. Clear and pioneering requirements have been set in areas such as the scope of important data, rules for handling sensitive data, data localization, and outbound supervision, but the details still require further clarification and guidance from relevant authorities. (End)

