China has gradually lowered barriers to foreign investors entering the auto industry in recent years, but is now stepping up regulation and supervision of companies in the areas of cyber security and data protection.
On April 7, 2021, the Ministry of Industry and Information Technology (MIIT) released draft “Guidelines for Approval of Manufacturers of Intelligent Connected Vehicles and Products.” They require autonomous vehicle manufacturers to comply with China’s cybersecurity laws and regulations and implement the Multi Level Protection Scheme (MLPS) for the entire life cycle of autonomous vehicles. Companies must conduct data classification, implement gradation management, and localize the storage of personal information and important data collected and generated in China.
On May 12, 2021, the State Internet Information Office published “Certain Provisions on the Management of Automobile Data Security (Draft).” According to the regulations, companies that design, manufacture, sell, operate, maintain or manage automobiles in China must implement the MLPS for the collection, analysis, storage, retrieval and cross-border transfer of personal information or important data. The regulations also define what constitutes personal information and important data: Data from people and vehicles in sensitive areas, as well as audio and video data outside the vehicle that includes faces, voices, license plates, etc.
Because the deployment of autonomous driving technology inevitably involves the collection of important data, compliance requirements for companies engaged in autonomous driving are becoming more stringent. They should monitor the development of China’s legislation in a timely manner and pay close attention to the MLPS.