
New Regulations on Automobile Data Security in China

Compliance Recommendations on China's Automobile Data Security Administration Regulations

August 27, 2021

This article was contributed by IsCham member Chamzon Law Firm.

On August 20, 2021, the Cyberspace Administration of China (“CAC”) and four other competent authorities issued the Regulations on Automobile Data Security Administration (for Trial Implementation), or the Automobile Data Security Regulations, which will take effect on October 1, 2021. Based on our analysis of the impact of the Automobile Data Security Regulations on automobile data processing activities, we share the following compliance recommendations for companies in the affected industries:

1. Under the Automobile Data Security Regulations, automobile data processors essentially cover the whole upstream and downstream chain of the automotive industry, including design, manufacturing, sale, use, operation and maintenance. Besides the automobile manufacturers, component and software suppliers and distributors of the traditional automotive industry, maintenance providers and travel service companies may also become automobile data processors. In our view, companies engaged in the production of intelligent and connected vehicles with autonomous/assisted driving functions will be among the key parties bearing compliance obligations under the Automobile Data Security Regulations. Additionally, online car-hailing companies and insurance companies are likely to be categorized as travel service companies.

2. Regarding the processing of personal information, the processors shall firstly comply strictly with the Inform-Consent Rule: before processing any personal information, the processor shall inform the individual(s) of the matters listed in the Automobile Data Security Regulations in a prominent manner and obtain their consent. Secondly, while ensuring the functions of the product, the processor shall anonymize the collected personal information as much as possible to reduce the quantity of personal information stored. Otherwise, the personal information held by the processor may be regarded as important data once it involves more than 100,000 individuals, and the processor will bear the corresponding compliance obligations.

3. The Automobile Data Security Regulations for the first time distinguish two scenarios, “inside the car” and “outside the car”, for the processing of automobile data, and advocate that processors follow the principle of “inside-car processing”: data should not be provided outside the car unless genuinely necessary. This principle places high demands on the computing power and local storage capacity of on-board chips. Additionally, we advise that processors control the quantity of data collected outside the car for two reasons: (i) the Inform-Consent Rule cannot be effectively fulfilled when personal information is collected outside the car, which would increase the processors’ compliance burden; and (ii) the data collected outside the car may involve important data, such as geographic information, passenger flow, vehicle flow and other data on sensitive areas such as military administrative zones, national defense science and industry units, and Party and government organs at or above the county level, which would also increase the processors’ compliance burden.

4. Before the competent authorities issue a formal specific catalog of important data, the processors shall treat the Automobile Data Security Regulations as the specific catalog of important data for the automotive industry and fulfill the relevant compliance obligations.

5. Processors that handle important data shall actively fulfill the following compliance obligations: firstly, conduct a risk assessment with respect to the important data and submit the risk assessment report to the competent authority in a timely manner; secondly, establish a data security management body and appoint a person in charge of data security; thirdly, complete the annual report on important data on time.

6. Regarding the storage of important data, the processors shall store important data within PRC territory. If it is genuinely necessary for business purposes to provide important data overseas, the processors shall proactively file a declaration and undergo the security assessment organized by the CAC and the relevant authorities. Any important data provided overseas shall not exceed the purpose, scope, method, data type and scale determined by the security assessment.

7. Companies processing automobile data shall also establish a dedicated team to handle complaints and reports, ensure that the channel for complaints and reports is convenient, and handle them in a timely manner.


Disclaimer: This article and its contents are not regarded as formal legal opinions or advice of Chamzon Law Firm or its lawyers. If you require legal advice or professional analysis, please contact Chamzon Law Firm at dwang@chamzonlaw.com.