International automotive OEMs and suppliers have witnessed the rapid development of the PRC data protection regime, including the draft PRC Personal Information Protection Law, which just underwent its “second reading”. While existing rules only generally address concerns relating to privacy protection and data export control, rules specific to the automobile industry have been absent for a long time. This makes it difficult for the automotive industry to manage its data compliance in China. This situation may soon change, as the Cyberspace Administration of China (CAC) presented its new draft Several Provisions on Car Data Security Administration (“Draft Provisions”) to the public on May 12, 2021 to solicit comments.
The Draft Provisions, if promulgated in their current form, would on the one hand bring substantial clarification to the whole industry, though they would not make things easier.
On the other hand, the new developments are forcing manufacturers to measure the concepts they developed under the strict requirements of the GDPR and the guidelines issued by the European data protection supervisory authorities against the requirements of the proposed Chinese law. This is particularly important where manufacturers aim to develop and market their technologies in a variety of markets with uniform configurations, which becomes more difficult where requirements and standards deviate in different parts of the world.
Please find below brief observations and thoughts from our data protection and China experts, comparing the Draft Provisions to the concepts and major views of European data protection authorities on the handling of (personal) data from the connected vehicle landscape under the GDPR.