China issues tighter data security rules for ride-hailing firms amid Didi probe, but more clarity still needed
- New rules classify important data as geographical information, traffic data in important and sensitive areas including military regions
- Ride-hailing firms, including Didi, car makers, components and software suppliers, distributors and maintenance providers will be subject to new rules
China has issued a new set of data security rules for cars that also cover ride-hailing platforms, adding clarity on what constitutes “important data” and how it should be handled by companies before being transferred overseas.
The new rules, released on Friday by the Cyberspace Administration of China (CAC), come as Didi Chuxing is still awaiting the outcome of a cybersecurity investigation initiated after China’s biggest ride-hailing firm ignored suggestions by the CAC to conduct a data security assessment and “forced its way” to a US initial public offering.
What constitutes “important data”, how much is held by Didi and whether the company’s US listing has the potential to expose or leak data that could harm China’s national security, are the key issues at play.
The previous lack of clear rules on security reviews of important data was one of the reasons why Didi was able to push ahead with its IPO. The new rules, which come into force on October 1, now define this as geographical information, traffic data in important and sensitive areas including military regions, state-owned defence and technology companies and government offices.
Ride-hailing platforms, including Didi, along with car manufacturers, components and software suppliers, distributors and maintenance providers will be subject to the new rules.
Videos and images gathered from outside cars, including people’s facial information and licence plates, also constitute important data, according to the new rules. And if a car company has more than 100,000 users, then their personal information is classified as important data.
Companies must also store important data within China. If companies need to send this data overseas for any reason, they must first pass a security review organised by government bodies, including the CAC. Companies will also need to provide authorities with basic information on who the information is being sent to overseas, and where and how that data will be stored abroad.
The new rules have been jointly agreed by five top government departments, including the CAC, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Public Security Bureau and the Ministry of Transport, according to a joint announcement by the agencies.
“As the smart car industry develops rapidly, information and data security problems are becoming prominent,” said Xia Hailong, a lawyer with the Shanghai Shenlun law firm. “Roll-out of the new rules is closely associated with the backdrop of big companies such as Didi, Tesla and NIO all drawing public attention because of their data problems.”
Earlier this year Tesla faced a public backlash in China amid concerns that the data its cars collect in the country could be sent abroad for espionage purposes. The company denied the allegations and in May said that it had built its data centre in Shanghai to store Chinese data domestically.
Meanwhile, Chinese EV maker NIO has faced public allegations that its staff tampered with data involved in a crash that killed a 31-year-old entrepreneur who was driving one of the company’s cars with its autopilot system turned on. NIO has denied these allegations.
The new CAC rules are the latest in a series of regulatory actions the Chinese government has taken in recent months to clarify which road and infrastructure information collected by smart cars could pose a national security risk if sent overseas.
The National Information Security Standardisation Technical Committee (NISSTC), a Chinese government-affiliated standards-setting body, said in a draft rule in April that networked-vehicle companies that transfer encrypted data outside China may be required to provide information on the encryption method used, as well as the decrypted data, in plain text.
Earlier this month, the Ministry of Industry and Information Technology (MIIT) doubled down on smart car data security in proposed new rules. In an article explaining the MIIT rules on Monday, state-run media People’s Daily said that security is the “key” to smart connected cars, and cited an MIIT engineer who said that strengthening market access control on smart cars and smart car products is “urgently needed,” and that the problems for smart cars include both data and function security.
In an article explaining the new rules, the CAC said that the security risks related to smart cars were becoming increasingly prominent. One of the examples it listed was “transferring data abroad in violation of regulations and without a security assessment,” which is what Didi is widely believed to have done. The CAC, however, did not explicitly name any companies.
Shanghai Shenlun’s Xia said that while the new rules added targeted guidance for data compliance by car companies, they are still not clear and detailed enough, and more guidance is likely in future.
“For probably a long time, companies will still face major law enforcement uncertainties,” he added.
Author: Xinmei Shen, SCMP