China Data Regulations for Connected Vehicles

Since July 2021, Chinese authorities have published several measures on data regulation in the connected vehicle industry, showing the government’s determination to govern data generated by the industry and significantly increasing the compliance risk for U.S. companies.

According to the Ministry of Industry and Information Technology’s (MIIT‘s) latest Notice on Strengthening the Cybersecurity and Data Security of Connected Vehicles, published in September, all manufacturers, platform service providers, and telecommunication service providers must set up data security review and data classification systems. They must also enhance protection of “important data” and personal information.  The measure echoes the requirements set out for all automobile “data handlers”, in the Provisions on the Management of Automobile Data Security (Trial), co-published by five ministries, including MIIT, in August.

The State Administration for Market Regulation and the National Information Security Standardization Technical Committee (TC260) later followed up with the Security Requirements of Vehicle Collected Data, identifying what specific types of data auto companies should collect and how they should store, transfer, and comply with authorities’ requirements to review the data.

Connected vehicles’ cross-border data transfer is also being strictly governed, requiring security review by authorities before some data can be moved outside China. Details can be found in the draft Draft Security Assessment Measures for Cross Border Data Transfer.

If you would like to discuss these issues in greater detail, please contact office.beijing@trade.gov.