文丨天元律师事务所 朱宣烨 曾雯雯 王伟 王明志
（感谢周媛、王若男对本文的贡献）
近几年，智能汽车产业不断发展，通过传感技术、人工智能、信息融合等多方面技术颠覆了传统的汽车产业，更加便利了人们的出行，也拓展了汽车的功能。随着这些技术的应用、汽车越来越智能，不可避免地涉及到重要数据、个人信息的收集和使用。2021年5月12日，国家互联网信息办公室发布《汽车数据安全管理若干规定（征求意见稿）》（以下简称“《规定》”），对《网络安全法》进行细化规定，也和尚未出台的《数据安全法》和《个人信息保护法》进行了一定衔接，意在规范汽车数据的应用。《规定》主要体现了以下五个方面的内容：
In recent years, the smart car industry has continued to develop, subverting the traditional car industry through sensing technology, artificial intelligence, information fusion and other technologies, making it more convenient for people to travel and expanding the functions of cars. It is inevitable that important data and personal information will be collected and used as vehicles keep on getting smarter. On May 12, 2021, the State Cyberspace Administration of China issued "Provisions for the Management of Automotive Data Security (draft for comment)" (hereinafter referred to as "the Draft Regulation"). It refines the "Cyber Security Law", and also dovetails with the pending Data Security Law and the Personal Information Protection Law which have not yet been enacted. The Draft Regulation mainly reflects the following five aspects：
01
规制范围涉及汽车行业相关产业链，规定了汽车相关个人信息及重要数据的范围
The scope of regulation involves the automotive industry related industrial chain and stipulates the scope of automotive-related personal information and important data
《规定》所规制的运营者范围广，涵盖整个汽车乃至出行、保险等相关产业链。除了传统汽车行业一般涉及到的汽车设计、制造、经销、维修等企业或机构外，其相关的服务企业也受到《规定》的规制，例如汽车软件提供者、网约车企业、保险公司等。我们认为与汽车强关联的企业或机构不可避免地会涉及重要数据及个人信息，属于《规范》规制的范畴，而与汽车的关联程度相对较低的企业，例如汽车金融服务企业，还有待《规范》进一步明确。
The Draft Regulation regulates a wide range of operators, covering the entire automotive and even travel, insurance and other related industrial chains. In addition to the traditional automotive industry, which generally involves enterprises or institutions such as automotive design, manufacturing, dealerships and maintenance, its related service enterprises are also regulated by the new rules, such as automotive software providers, online car-hailing service providers, insurance companies, etc. We believe that enterprises closely associated with automobiles will inevitably involve important data and personal information and fall within the scope of the new rules, while enterprises with a relatively low degree of association with automobiles, such as automotive financial service enterprises, are yet to be further clarified.
《规范》规定了汽车行业的个人信息保护所具体指向的对象，涉及车主、驾驶人、乘车人、行人等，还对重要数据进行了列举，比如军事价值高的测绘数据、军政国防重要敏感区域人流车流数据等，强调保护国家安全和公共利益。但由于目前《规定》处于征求意见阶段因而尚不完善，《规范》中的个人信息及重要数据的范围亦有待进一步明确。
The Draft Regulation stipulates the specific objects of personal information protection in the automotive industry, involving vehicle owners, drivers, passengers, pedestrians, etc. It also enumerates important data, such as mapping data of high-value military surveying, data on the flow of people and traffic in important sensitive areas of military and defense, emphasizing the protection of national security and public interests. However, because the Draft Regulation is still seeking public feedback, the scope of personal information and important data in the Draft Regulation also needs to be further clarified.
02
提出运营者处理个人信息和重要数据的原则，体现出对汽车数据管理的特点
The principles of processing personal information and important data by operators reflect the characteristics of automotive data management
《规范》提出了五大原则，包括车内处理原则、匿名化处理原则、最小保存期限原则、精度范围适用原则、默认不收集原则。部分原则体现了汽车数据管理的特点，例如，车内处理原则要求对车内车外进行界分，保障个人信息及重要数据非必要情况不向车外提供。精度范围适用原则则体现了传感器收集数据精度与功能的匹配性。默认不收集原则还对驾驶人的同意授权提出了限制，即只对本次驾驶有效。
The Draft Regulation proposes five major principles, including the principle of in-vehicle processing, the principle of anonymization, the principle of minimum retention period, the principle of precision range application, and the principle of default non-collection. Some of the principles reflect the characteristics of automotive data management, for example, the principle of in-vehicle processing requires that the in-vehicle and out-of-vehicle   scenarios   should be separated to ensure that personal information and important data are not provided outside the vehicle unless necessary. The principle of precision range application reflects the matching between the accuracy of data collected by sensors and their functions. The principle of default non-collection imposes restrictions on the drivers consent authorization, i.e., it is valid only for one-time driving.
03
明确运营者处理个人信息和重要数据的具体规则，强调车内场景下驾驶人或车主对处理行为的知情同意和控制
The specific rules for operators to process personal information and important data are clarified, and the informed consent and control by drivers or vehicle owners in the in-vehicle processing scenario is   emphasized
《规定》强调收集个人信息的合法性基础，并且针对摄像头收集车外信息此类难以获得同意的情形提出了匿名化或脱敏的要求，规定了删除自然人画面或人脸局部轮廓化处理的方法。《规定》对于告知的内容以汽车为场景（通过用户手册、车载显示面板或者其他适当方式）进行了细化，告知的内容包括收集信息的类型、目的、用途，停止收集触发条件及方法，保存期限、地点或保存规则，请求删除数据的方法，以及负责处理用户权益责任人的有效联系方式。
The Draft Regulation emphasizes the legitimacy basis for collecting personal information, puts forward the requirement on   anonymization or desensitization for situations where it is difficult to obtain consent of cameras collecting information outside the vehicle, and provides for the method of deleting images containing natural person or partial contouring of human faces. The Draft Regulation refines the content of notification in the context of vehicle (through users manual, on-board display panel or other appropriate means). The content of notification includes the type, purpose, and use of the collected information, the conditions and methods of   stopping the collection, the retention period, location or retention rules, the methods   of requesting data deletion, and the effective contact information of the person responsible for handling the users rights and interests.
《规定》对于收集或向车外提供敏感个人信息进行了规制，运营者前述行为应当满足服务目的、默认不收集、告知正在进行收集、方便终止收集、允许查看被收集的信息的要求，还要求运营者应在相应驾驶人要求删除后两周内完成删除。对于生物特征这类敏感程度极高的敏感数据，《规定》限定了运营者的使用目的，并且要求提供生物特征的替代方式。
The Draft Regulation regulates the collection or provision of sensitive personal information outside the vehicle. The operators actions shall satisfy the requirements of service purpose, default non-collection, notification of ongoing collection, convenient termination of collection, and permission to view the collected information. The operator shall complete deletion within two weeks after drivers request for deletion. For highly sensitive data such as biometric features, the Draft Regulation limits the purpose of use by the operator and requires   the provision of alternative means of biometric features.
04
从严要求个人信息及敏感数据出境
Strict requirements on cross-border transfer of personal information and sensitive data
《规定》采取了《网络安全法》对于关键信息基础设施的数据跨境的要求，体现了国家对汽车数据出境从严监管的态度，其要求个人信息和敏感数据仍然是以境内存储为原则，出境应当通过国家网信部门组织的数据出境安全评估。运营者的出境活动并不能超出该评估的范围，并且应当对境外接收者采取有效措施进行监督。
The Draft Regulation adopts the requirements of the "Cyber Security Law" for cross-border data transfer of critical information infrastructure, reflecting the states attitude of strict regulation on the cross-border transfer of automotive   data, which requires that personal information and sensitive data being stored inside the country is a general principle, and cross-border data transfer shall pass the security assessment organized by the State Cyberspace Administration. The operators outbound activities should not exceed the scope of this assessment and effective measures should be taken to monitor the overseas recipient.
《规范》要求运营者对于其科研和商业合作伙伴的查询等行为采取谨慎态度和有效措施，防止境内个人信息和重要数据流失，对于敏感数据的查询利用更是要求严格限制。
The Draft Regulation requires that operators shall   take cautious attitude and effective measures towards their scientific and business partners’ queries to prevent the loss of domestic personal information and important data, and shall strictly limit the use of sensitive data.
在数据出境监管方面，其规定国家网信部门会同国务院有关部门以抽查方式进行核验。
In terms of supervision on cross-border data transfer, the Draft Regulation stipulates   that the State Cyberspace administration shall, in conjunction with the relevant departments of the State Council, conduct spot check and inspection.
《数据安全法（草案）》也明确规定未经主管机关批准向境外的司法或者执法机构提供国内数据的，最高可被处以100万元人民币（约合15.5万美元）的罚款。
Data Security Law（Draft）also specifies that those who privately provides   domestic data to judicial or law enforcement agencies overseas may face a fine of up to 1 million yuan ($155,000).
05
细化报送义务，要求进行事前报告及年度报送
Detailed reporting obligations, which requires   prior report and annual report
《规定》要求运营者处理数据应履行事前报告义务，并且对于处理个人信息所涉个人信息主体超过10万人的运营者以及重要数据运营者还规定了年度数据安全管理情况报送义务（涉及数据出境还有报送增项），报送的对象均为省级网信部门和有关部门报告。
The Draft Regulation requires that operators shall   fulfill their prior reporting obligations when processing data, and also provides for annual data security management reporting obligations (cross-border data transfer includes   additional reporting items) for operators who process personal information involving more than 100,000 people (data subject) and important data operators, all of whom shall report to the cyberspace administrative department and relevant departments at provincial level.
尽管《规定》尚在征求意见，但已经体现出国家对于汽车行业数据进行强监管的态度，相关企业应当充分利用征求意见的机会及时反馈规范落地可能遇到的现实问题，同时，应当尽早准备开展自查，结合相关国家标准，在外部专家指导下制定、调整适应合规监管要求的方案。
Although the Draft Regulation is still seeking public comment before becoming official, it already reflects the countrys attitude of strict regulation of data in the automotive industry. Operators should make full use of the opportunity to provide timely feedback on the practical problems that may be encountered in the implementation of the new rules   while   at the same time   be prepared to carry out self-examination as early as possible and adjust to meet the regulatory requirements under the guidance of external experts.