Digital Policy Alert logo

China: Automobile Data Security Provisions including data residency obligations issued

Policy overview

Description

Automobile Data Security Provisions including data residency obligations issued

On 20 August 2021, the Cyberspace Administration of China (CAC), together with the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security and the Ministry of Transport, jointl…

Scope

Policy Area
Data governance
Policy Instrument
Data localisation requirement
Regulated Economic Activity
technological consumer goods
Implementation Level
national
Government Branch
executive
Government Body
other regulatory body

Complete timeline of this policy change

Hide details
2021-05-12
in consultation

On May 12th, the Cyberspace Administration of China (CAC) opened the consultation for its draft Pro…

2021-06-11
in consultation

The Cyberspace Administration of China's (CAC) consultation for its draft Provisions on the Managem…

2021-08-20
in grace period

On 20 August 2021, the Cyberspace Administration of China (CAC), together with the National Develop…

2021-10-01
in force

On 1 October 2021, the provisions on the Security Management of Automobile Data (Trial) entered int…

Key regulatory dimensions

Regulated subjects

The businesses, government agencies or individuals affected by this policy or regulatory change.
producer / supplier
1
Type Private organisation
Economic activity technological consumer goods
Category All
2
Type Private organisation
Economic activity technological consumer goods
Category All

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.
personal data (all forms): storage (any form)
Regulatory tool
Regulator reporting requirement
Sanctions
Regulated subjects
2
Regulatory tool
Risk or other impact assessment requirement
User consent: Permit user opt-out
User right to withdraw consent
Purpose/processing limitation
User notification requirement
User consent: Opt-in requirement
Complaint mechanism requirement
Data storage/retention obligation
User right to deletion of personal data
Local operations requirement
Sanctions
Regulated subjects
1
Regulatory tool
Sanctions
Determined by existing law or regulation
Regulated subjects
1 2
data (any form): data processing
Regulatory tool
User consent: Permit user opt-out
Complaint mechanism requirement
Sanctions
Regulated subjects
1
Regulatory tool
Sanctions
Determined by existing law or regulation
Regulated subjects
1 2
personal data: biometric: data collection
Regulatory tool
Regulator reporting requirement
Sanctions
Regulated subjects
2
Regulatory tool
Risk or other impact assessment requirement
User consent: Permit user opt-out
Complaint mechanism requirement
Local operations requirement
Sanctions
Regulated subjects
1
Regulatory tool
Sanctions
Determined by existing law or regulation
Regulated subjects
1 2
personal data (all forms): transfer: cross-border
Regulatory tool
Regulator approval requirement
Complaint mechanism requirement
Sanctions
Regulated subjects
1
Regulatory tool
Sanctions
Determined by existing law or regulation
Regulated subjects
1 2

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.

personal data (all forms): storage (any form)

data (any form): data processing

personal data: biometric: data collection

personal data (all forms): transfer: cross-border