December 12, 2022

Key aspects of data residency for the automotive industry in China

Key aspects of data residency for the automotive industry in China

The Chinese automobile market is by far the largest capital size and one of the most innovative by global standards. The Chinese government has projected that the sale of ICVs will reach 50% of total vehicle sales by 2025

While this is an exciting development for the transportation industry, it is accompanied by fundamental cybersecurity and data protection challenges. The fact that ICVs are equipped with multiple electronic features that often require biometric data from users and are capable of sharing this data with external parties has raised serious automotive data protection and security concerns.

Against this backdrop, China’s government promulgated the recent automotive data residency regulations to guide the industry. This article features the provisions of these regulations and how organizations within the automotive industry can attain compliance with them. You will learn more about the key aspect of China’s automotive data residency regulations.

General auto data protection principles 

Cybersecurity and data protection measures are indispensable requirements that companies that wish to do business in the Chinese automobile market must comply with. The core China data localization laws are the Data Security Law, the Cybersecurity Law, and the Personal Information Protection Law.

These laws are detailed, extensive, and binding on all data controllers operating in China.

The Cybersecurity Law

The CSL was the first landmark legislation for data protection enacted in China. It provides a framework to regularize data protection and cybersecurity in China by establishing mechanisms for the certification of network products and equipment, critical information infrastructure (CII) operations, and cybersecurity review. 

The CSL protects Chinese cyberspace, enhancing the development of the country’s technology and digital economy. It provides certain rights to data subjects, such as the right to be informed of and consent to the collection and use of their data, the right to request that their personal information be deleted if there are any violations whatsoever, and the right to demand the rectification of inaccurate personal information.

Apart from its cybersecurity provisions, this legislation served to protect personal information before the enactment of the Personal Information Protection Law (PIPL).

The Data Security Law

The Data Security Law is the primary legislation for data security in China. It provides a framework for classifying and categorizing data, risk assessment, risk control, security reviews, etc.

The provisions of the DSL are general to all data-controlling industries. Hence, different parastatals have used it as a framework for deriving their own industry-specific regulations, e.g., financial institutions, health facilities, and automobile companies. Article 6 of the DSL names various industries influenced by its provisions, such as transportation, health, communication, and technology. The current Several Provisions on the Management of Automobile Data Security guiding the automotive industry in China are largely influenced by the provisions of the Data Security Law.

The Personal Information Protection Law:

The PIPL focuses on the protection of the personal information of natural persons resident in China. It also has extraterritorial application, as it affects non-Chinese organizations to the extent of their transactions with Chinese residents.

The China PIPL data localization is a comprehensive legislation that ensures that the data of Chinese individuals stay within China. It provides strict rules for cross-border transfer and codifies the rights of data subjects to determine and be aware of how their personal information is being used.

The PIPL data privacy provisions allow data subjects to access their personal data at any time, request rectification of data inaccuracies, and give or withdraw their consent. This law cuts across industries, so automotive companies must comply with China’s PIPL data localization requirements.

Together with industry regulations and standards, these three significant legislations collectively form an extensive legal framework for automotive data protection in the industry.

They are based on the following general principles:

  • Purpose limitation: Personal information must not be used for purposes other than the purpose of collection, or else further consent must be obtained from the subject. This is known as the principle of purpose limitation.
  • Consent: Consent must be obtained from individuals before collecting or using their personal information.
  • Lawfulness: The processing of personal information must be following legislation and regulations in force.
  • Data minimization: Controllers must only collect data necessary to the nature of the service they provide.
  • Integrity and confidentiality: Data obtained must be strictly guarded against leaks, destruction, or damage. Physical and technical measures to protect data must be taken to preserve the secrecy of personal information.
  • Storage limitation: Storage of personal data is only permitted by these laws for the duration required to realize the purpose of collection, after which such data must be properly disposed of.

Chinese data regulations in the automotive industry 

The Several Provisions on the Management of Automobile Data Security (for Trial Implementation) (Vehicle Data Provisions) enacted on October 1, 2021, are at the core of recent developments in the Chinese automobile industry.

The Vehicle Data Provisions create a compliance framework for automotive data protection. The provisions are also known as “auto data regulations.” They guide the processing of personal information and important data obtained at any stage in y design, manufacturing, sales, and operation of automobiles.

The Vehicle Data Provisions were enacted in response to the rising security concerns raised by citizens over ICVs. That notwithstanding, its provisions are binding on both automated and traditional vehicle manufacturers insofar as they control or process automotive data.

According to the regulation, “automotive data” is all data involved in automobiles’ design, manufacturing, sales, use, operation, and maintenance.

All persons or organizations involved in data processing for automotive purposes are regulated entities under the provisions. Article 3 lists out the scope of automotive data processors to include not only automobile manufacturers, parts and software suppliers, dealers, maintenance providers, automobile repair shops, cab-hailing, and cab-sharing service providers, but not car insurance companies.

The Regulation narrows the scope of all regulated data into “personal information” and “critical or important data.”

In defining personal data, it borrows from the PIPL’s definition of the term as data that identifies or is capable of identifying an individual. However, the scope is limited under the Provisions to only vehicle-related individuals, like owners, drivers, passengers in vehicles, and pedestrians outside vehicles. Sensitive personal data is personal information whose disclosure or illegal use may adversely affect the personal and property safety of the owners, drivers, passengers, and individuals outside the vehicles. Sensitive personal data include vehicle whereabouts and tracks, audio, video, images, biometric features, etc.

The second category of data under the Regulation is critical or important data. This refers to data that may compromise national security and the public’s interests once it is obtained, disclosed, tampered with, used, or destroyed in an illegal manner. Both categories form the subject matter of automotive data regulations.

The Provisions spell out measures to protect these two categories of data to: preserve the rights of individuals and organizations to the security of their data, and to promote national security and public interests. These provisions must be complied with by companies in the automotive industry for smooth market operations in China.

Customer case study: InCountry experience

The customer company is an industry leader in automobile manufacturing with robust driver and passenger safety advancements. The company runs its business in multiple countries and recently has had to follow the latest updates in compliance with laws and data regulations in force in the People’s Republic of China, where they already have an existing customer base. It is now faced with the imminent problem of data compliance.


Data residency for the Salesforce solution

  • Premium compliance with the local data regulations and data processing requirements of the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law.
  • Seamless integration of data residency services and record security into the sales management pipelines in Salesforce

InCountry’s Solution

In-country data residency for the Salesforce solution was deployed.

  • Data records of Chinese customers are saved to the InCountry platform within the territory of the People’s Republic of China.
  • The personal data of Chinese citizens have been migrated to the InCountry platform and replicated records are stored in Salesforce, which meets the requirements of the Person Information Protection Law of the People’s Republic of China.
  • No changes in infrastructure management and provision for the customer, and minimal development expenses to integrate the InCountry Data Residency for Salesforce solution into the customer’s existing business processes.


Customer compliance with industry regulations and standards

  • The solution guarantees full compliance with the laws and regulations for data residency and localization and lets our customers increase their revenue in the large Chinese automobile market without pausing their operations in trying to meet local data protection regulations.

How automotive companies can comply with regulations in China with InCountry

Global automobile manufacturers doing business in China must, of necessity, comply with automotive data regulations guiding the industry.

There are several methods to attempt compliance with automotive data protection. One way is to constantly review automotive data regulations and keep adjusting internal compliance efforts to data security, processing, and transfer. This, however, is a tedious process and will most likely interfere with daily business operations.

The safest and most efficient method for complying with automotive data residency in China is using InCountry.

InCountry provides an efficient data residency-as-a-service solution to help automobile companies comply with data security requirements in real-time. This alleviates the burden and risk of non-compliance, helping companies concentrate their resources on expansion.

InCountry has achieved major success with several companies operating in China. Take IBM Consulting, for instance, and how InCountry’s Salesforce solution has helped the brand meet all data compliance requirements. 

To explore all of the many ways InCountry can help you with your data compliance, kindly get in touch with our experts.