China’s legislators have set another step in regulating data security, this time for the automotive industry, by publishing a draft for comments. China-lawyer Mark Schaub gives an overview of the plans for the China Law Insight. “Companies would be well advised to conduct a systematic review and assessment of the current state of their data handling,” he concludes.
China has continuously strengthened legislation and regulation on cybersecurity, data security and protection of personal information protection.
Automated driving and smart cars will be a major challenge to the Chinese regulators. Smart cars will be collecting, processing and transferring data at previously undreamt of levels. The authorities will need to balance the convenience of automated technology against cybersecurity and privacy concerns. China is accelerating its pace of promulgating laws, regulations, policies and standards to nurture the intelligent vehicle industry but at the same time have in place regulations to ensure such technologies are safe.
The Draft strengthens the protection of personal information and secures data in China’s automotive industry.
However, we believe that some provisions of the Draft require clarification and there is also room for improvement as to how the Draft fits in with other laws. Big data is an important basis for the rapid development of self-driving cars and China’s automotive industry but a balance must be struck between technological innovation and data security. 
The Draft will affect almost all players engaged in the automotive industry. Companies that will be affected should keep a close eye on the legislative process of the Draft and start making preparations now to minimize disruption to their operations. In particular:
Consider data security issues in the process of designing, producing, selling, operating, maintaining and managing cars, and reduce the amount of data collected and stored in car to the greatest possible extent.
While using big data for commercial operations, safeguard the users’ right to know and implement technical safeguards to desensitize and anonymise data, as well as preventing misuse or unauthorized third-party access.
Multinational companies or Chinese companies with R&D centres outside China should consider implementing localized storage as soon as possible by establishing data centres within China and enhancing local R&D capabilities in China.
Finally, companies would be well advised to conduct a systematic review and assessment of the current state of their data handling. Business operations that clearly do not comply with the requirements of the Draft should be adjusted in a timely manner. The companies should also consider formulating internal mechanisms and systems that comply with the Draft as soon as possible. Although the Draft has not come into force it is a clear indication of the Chinese authorities’ intent and clear direction as to where the policy is going.
Are you looking for more strategic experts at the China Speakers Bureau? Do check out this list.