6. Data storage localization and data export

Article 11 Important data shall be stored domestically in accordance with the law. If it is necessary for business needs to provide it abroad, it shall undergo a security assessment organized by the national cyberspace administration in conjunction with relevant departments of the State Council. For personal information data not included in important data, the exit security management of personal information data shall be governed by relevant laws and administrative regulations.

If China has concluded or acceded to international treaties or agreements with different provisions, those international treaties or agreements shall apply, except for provisions declared to be retained.

Article 12 Vehicle data processors providing important data overseas must not exceed the purpose, scope, method, data types, and scale specified in the exit security assessment.

The national cyberspace administration, together with relevant departments of the State Council, shall verify the matters specified in the preceding paragraph through random inspections and other means. Vehicle data processors shall cooperate and display them in convenient means such as readability.

Article 14 Automotive data processors providing important data overseas shall, based on the requirements of Article 13 of these regulations, supplement the following reports:

  1. Basic information of the recipient;
  2. The types, scale, purpose, and necessity of outbound vehicle data;
  3. The location, duration, scope, and method of storing automobile data overseas;
  4. User complaints and handling involving overseas provision of vehicle data;
  5. Other situations that require reporting when providing automobile data to overseas are specified by the national cyberspace administration, together with relevant departments of industry and information technology, public security, transportation, and other relevant departments of the State Council.
  1. Data storage and transmission: Guo Jia's security is always a sensitive issue, and Didi's previous US IPO was also criticized for this. The "Regulations" clarify that if important data is stored within China and must be provided overseas due to business needs, it must undergo a security assessment. For personal information data not included in important data, the exit security management of personal information data shall be governed by relevant laws and administrative regulations.

The Cybersecurity Law and Data Security Law only stipulate the local storage and exit security assessment obligations for critical information infrastructure operators, but have not issued detailed rules on the scope of critical information infrastructure.

  1. Now that the "Regulations" have been issued, regardless of whether a smart vehicle is recognized as critical information infrastructure, important data must be stored domestically and must fulfill security assessment obligations before leaving the country.

7. Regulatory reporting requirements

Content

Requirements

Prior reporting

Article 10 Automotive data processors conducting important data processing activities shall conduct risk assessments as required and submit risk assessment reports to the cyberspace administrations and relevant departments of provinces, autonomous regions, municipalities directly under the central government.

The risk assessment report shall include the types, quantities, scope, storage locations and durations of important data being processed, usage methods, data processing activities carried out and whether such data is provided to third parties, data security risks faced, and countermeasures.

Annual report

Article 13 Automotive data processors conducting important data processing activities shall report the following annual automotive data security management status to the provincial, autonomous region, municipal cyberspace administration departments and relevant departments before December 15 each year:

  1. The name and contact information of the person responsible for automotive data security management and the contact person for user rights affairs;
  2. The types, scale, purpose, and necessity of processing automotive data;
  3. Security protection and management measures for automotive data, including storage locations, durations, etc.;
  4. Providing vehicle data to domestic third parties;
  5. Automotive data security incidents and their handling status;
  6. User complaints and handling related to automotive data;
  7. Other automotive data security management status as specified by the national cyberspace administration in conjunction with relevant departments of industry and information technology, public security, transportation, and other relevant departments of the State Council.

Cooperate with evaluation

The national cyberspace administration and relevant departments of the State Council for Development and Reform, Industry and Information Technology, Public Security, Transportation, and other relevant departments shall, according to their responsibilities and the data processing situation, conduct data security assessments for automotive data processors, and automotive data processors shall cooperate.

Institutions and personnel participating in the safety assessment must not disclose trade secrets or undisclosed information about automotive data processors learned during the assessment, nor use information obtained during the assessment for purposes other than the assessment.

Analysis:

  1. Annual Report System: Given that the "Regulations" were recently issued, the upcoming annual report on December 15 is unlikely to be tested this year, and local cyberspace administrations are unclear about how to carry out the annual report work. But to be cautious, companies should proactively communicate with local cyberspace administrations about preparations for the annual inspection, and at least maintain a good attitude.

8. Strengthen management platform construction and increase complaint channels

In contrast, the Provisions add the national need to strengthen the construction of intelligent (connected) vehicle network platforms, carry out intelligent (connected) vehicle network operation and safety assurance services, and collaborate with automotive data processors to enhance the security protection of intelligent (connected) vehicle networks and automotive data.