This article highlights the key changes made in the Management Provisions:
1.Scope of Application
2. Personal Information
3. Scope of Important Data
In the Management Provisions, video and image data outside the car including facial information and license plate information remains within the scope of important data.
4. Advocative Principles In Data Processing
(iv) Anonymization: data processors should conduct de-identification and anonymization of auto data to the greatest possible extent. In the previous Draft, the principle was set with the “in-car processing principle”, under which information must be anonymized and de-identified to the greatest possible extent before being provided outside vehicles. The Management Provisions, have tweaked this principle by providing a broader application on all aspects relating the process of auto data, including using and storage of auto data. Furthermore, de-identification and anonymization are specifically defined terms under the PIPL: “de-identification” refers to the process by which personal information is handled so as to ensure it is impossible to identify specific natural persons without additional information being provided. On the other hand “anonymization” refers to the process by which personal information is handled so as to make it impossible to identify a specific natural person and which is also impossible to restore.
Another important change is that, the Management Provisions have deleted the fifth principle originally set out in the Draft – namely, the minimum retention period principle. The previous Draft had provided that retention period be determined based on the category of function and service.
However, we do not believe that the deletion of such minimum retention period principle in the Management Provisions does not mean it is no longer applicable. Rather, the legislation is better joined up and it is now explicitly provided in the PIPL, that a mandatory requirement for all sectors, that personal information retention periods shall be the shortest period necessary to realize the purpose of the personal information handling unless otherwise provided for by law.
The foregoing principles have raised some discussions in the Draft as “advocative principles”– the consequence for non-compliance of such advocative principles is not mandatory and therefore are not of legally binding effect. However, we suggest companies taking a wait-and-see approach on the principles, as there has been a trend that such advocative principles, especially those in cybersecurity regime, are likely to be so influential that they become the basis for non-compliance remediation plans and undertakings agreed between companies and regulators.
For this reason, companies are suggested to adopt advocative principles to the extent practical in order to show their compliance efforts in China meet the necessary benchmarks.
5. Statutory Requirements for Processing Personal Information
(v) if requested by an individual, the auto data processor shall delete the sensitive personal information within ten working days.
6. Exception for Consent from Individuals Outside Vehicles
7. Important Data Risk Assessment Report
8. Data Localization and Cross-border Transmission Requirements
Another important change is that the Draft imposed restrictions on data sharing and commercial use by requiring that where scientific research and commercial partners need to inquire and use personal information and important data stored within the PRC, operators should take effective measures to ensure data security and prevent loss of data, and that operators shall strictly limit the use of important data. This restriction was seen by many as a prominent obstacle for the reasonable commercial flow of auto data.
The said restrictions have been removed in the Management Provisions. The Management Provisions stress that one of the purpose of the Management Provisions is to promote reasonable development and utilization of auto data.