China: Consultation opened on Automobile Data Security Provisions including data residency obligations
Description
Consultation opened on Automobile Data Security Provisions including data residency obligations
On May 12th, the Cyberspace Administration of China (CAC) opened the consultation for its draft Provisions on the Management of Automobile Data Security for consultation. Through the provisions, the CAC aims to regulate the handling of of personal, important and very sensitive personal information (all defined within the draft) by operators of automobiles. The term operators applies in a broad sense as it includes designers, producers and service providers (e.g. dealers, insurers or software providers). The draft proposes the principle of data localisation. Both personal and important data will be required to be stored in China. If necessary, data can be stored elsewhere, however, only after a completed security assessment by the CAC.
Original sourceScope
Policy Area
Data governance
Policy Instrument
Data localisation requirement
Regulated Economic Activity
technological consumer goods
Implementation Level
national
Government Branch
executive
Government Body
other regulatory body
Complete timeline of this policy change
Hide details
2021-05-12
in consultation
2021-06-11
in consultation
2021-08-20
in grace period
Key regulatory dimensions
Regulated subjects
The businesses, government agencies or individuals affected by this policy or regulatory change.
producer / supplier
1
Type
Private organisation
Economic activity
technological consumer goods
Category
All
2
Type
Private organisation
Economic activity
technological consumer goods
Category
All
Policy change by business practice
The detailed activities within the scope of this policy or regulatory change.
personal data (all forms): storage (any form)
Regulatory tool
Regulator reporting requirement
Sanctions
Regulated subjects
2
Regulatory tool
Risk or other impact assessment requirement
User consent: Permit user opt-out
User right to withdraw consent
Purpose/processing limitation
User notification requirement
User consent: Opt-in requirement
Complaint mechanism requirement
Data storage/retention obligation
User right to deletion of personal data
Local operations requirement
Sanctions
Regulated subjects
1
Regulatory tool
Sanctions
Determined by existing law or regulation
Regulated subjects
1 2
data (any form): data processing
Regulatory tool
User consent: Permit user opt-out
Complaint mechanism requirement
Sanctions
Regulated subjects
1
Regulatory tool
Sanctions
Determined by existing law or regulation
Regulated subjects
1 2
personal data: biometric: data collection
Regulatory tool
Regulator reporting requirement
Sanctions
Regulated subjects
2
Regulatory tool
Risk or other impact assessment requirement
User consent: Permit user opt-out
Complaint mechanism requirement
Local operations requirement
Sanctions
Regulated subjects
1
Regulatory tool
Sanctions
Determined by existing law or regulation
Regulated subjects
1 2
personal data (all forms): transfer: cross-border
Regulatory tool
Regulator approval requirement
Complaint mechanism requirement
Sanctions
Regulated subjects
1
Regulatory tool
Sanctions
Determined by existing law or regulation
Regulated subjects
1 2