China’s Internet of Vehicles will become better regulated over the next few years as authorities seek to standardize data and cybersecurity in the industry. A new set of guidelines from the Ministry of Industry and Information Technology provides a roadmap for the development of data and cybersecurity industry standards across a range of fields. The standards include technical requirements for the security of hardware, such as onboard equipment, terminals, and roadside equipment; software, such as service platforms and apps; and standards for the handling of data and other cybersecurity requirements. The guidelines further extend China’s cybersecurity regime to cover connected vehicles, putting them firmly under the purview of existing data, cybersecurity, and personal information protection legislation. China has big ambitions for the growth of the Internet of Vehicles, and more standardization and regulation will also provide a solid framework for the healthy and sustainable development of the industry.
On March 7, 2022, China’s Ministry of Industry and Information Technology (MIIT) issued the Guidelines for the Construction of the Internet of Vehicles Cybersecurity and Data Security Standard System (the “guidelines”). This document acts as a roadmap for addressing the cybersecurity and data security needs of China’s Internet of Vehicles (IoV) network and strengthening the standards and technical requirements for the connected vehicle and smart traffic industries.
The reasons for the push to standardize the IoV industry are twofold: more guidelines and standardization will help the industry develop in a healthy and sustainable way and prevent unfettered, disorganized growth, and at the same time bring the industry further into the fold of China’s growing data and cybersecurity regime.
In this article, we first examine China’s ambitions for the IoV industry and the existing framework for cyber and data security. Following this, we provide an overview of industry standards and technical requirements as they unfold – existing, draft stage, and expected.
The IoV refers to the network of hardware and software that allows internet-connected vehicles to communicate and exchange information with one another and the wider traffic infrastructure. Vehicle connectivity is achieved through the implementation of onboard sensors and software systems, roadside equipment, such as smart traffic lights and cameras, satellites, big data, and other communications and artificial intelligence (AI) technology.
The guidelines build upon a foundation of data and cybersecurity regulations as well as development plans for the automotive industry. These are:
China has set its sights on becoming the world leader in connected and self-driving cars. Autonomous driving and smart transport were named as key areas for development in the 14th Five-Year Plan (FYP), China’s highest-level plan for social and economic development. Several policy documents released since 2020 have also set key development targets for the industry, including the Roadmap for Intelligent Connected Vehicle Technology 2.0, which states that by 2025:
China has also already taken several steps to shore up the security of the networks that connected vehicles rely on. In October 2021, the Several Provisions on Vehicle Data Security Management (the ‘provisions’) took effect. Compiled by the Cyberspace Administration of China (CAC), China’s top cybersecurity authority, the document outlined new requirements for manufacturers and operators of intelligent connected vehicles to protect personal information and ‘important’ data.
The provisions classify information from a stakeholder in the automobile industry, such as a car owner, driver, passenger, or pedestrian that can be used to identify the stakeholder, as ‘personal information’. This information is subject to certain legal protections and obligations on the part of the data processor.
In addition, the provisions encapsulate a range of data collected by vehicles as ‘important data’ that is subject to more stringent regulations and security requirements. ‘Important data’ in the context of connected vehicles includes data collected from sensitive areas, such as military zones and government agencies, surveying and mapping data of higher precision than that released by official state maps, and any audio or video data collected from outside the vehicle (collected by vehicle cameras and sensors), such as faces, voices, and license plates.
According to the provisions, personal information and important data collected from stakeholders in China must be stored domestically. The data must also undergo a government security review if it is to be exported abroad. These requirements had previously been imposed on data processors in other fields in China’s Cybersecurity Law, Data Security Law, and Personal Information Protection Law (PIPL), but had not explicitly been extended to carmakers until now.
The guidelines set targets for the development of standards and technical requirements for the IoV industry.
By the end of 2023:
The guidelines provide an overview of the types of standards and technical requirements that need to be formulated. These include general standards applicable across the industry as well as specific standards and requirements for segmented fields, such as the security of terminals and equipment and network communication security standards, to name a few.
The guidelines also come with a list of 103 industry standards, of which 12 have already been finalized and issued and a further 15 are in the process of being drafted. The remaining 76 are yet to be formulated. Below we look at some of the major standards and technical requirements.
These are the general standards for cybersecurity and data security that can be applied across the industry. These are divided into three main categories: technology and definitions, general architecture requirements, and password application standards.
Cybersecurity standards for terminals and facilities will mainly cover the security requirements related to IoV terminal equipment and infrastructure. These include security requirements for onboard equipment, vehicle networks, roadside communications equipment, and network equipment and systems.
Security standards for network communication mainly regulate the security requirements for IoV communications networks and ID verification.
Below are some of the standards that are yet to be formulated.
Data security standards will mainly cover the data security and personal information protection requirements for smart connected vehicles, IoV platforms, onboard app services, and other sources of data collection and processing related to IoV. The standards cover a number of fields that are also addressed in other data and cybersecurity legislation, such as the Data Security Law, Cybersecurity Law, and PIPL.
Notably, the list of standards to be formulated includes requirements for the transfer of IoV data overseas, as well as requirements for the data security assessment of such data before export. These standards, when formally issued, will provide significant clarity for automakers in China on how to interpret and implement the existing data laws and regulations.
The data security standards also include a subset of classification standards. This refers to the classification of data into different security levels depending on its level of sensitivity. Previous regulations have required data processors in certain industries to classify data as ‘core data’, ‘important data’, and ‘general data’, with different security requirements prescribed for different levels of security risk.
The inclusion of this in the guidelines indicates that regulators are planning specific data classification standards for the IoV industry.
The security standards for app services cover the security requirements of IoV service platforms and apps, as well as security requirements for typical business application service scenarios. The standards regulate:
Security guarantee and support standards cover IoV network security management and support services. This includes regulating risk assessments, security monitoring, and emergency response capabilities.
These standards also reflect the requirements of the existing data protection and cybersecurity regime. Multiple pieces of legislation and regulations require data processors to put in place robust security monitoring and reporting systems. For instance, data protection regulations for industrial and telecom companies that were recently rereleased require data processors to formulate an emergency response plan for data security incidents and carry out periodic emergency drills to prepare for possible data leaks, breaches, and cyberattacks.
Given the amount of data collected and stored by IoV operators, it is only natural that such standards and requirements be set for this industry as well. More guidance in the form of industry standards will help companies better manage security operations and ensure their data is protected.
The effort to standardize the IoV industry over the past few years marks a significant shift for the government in its attitude toward IoV technology and the industry as a whole. As in many other technology sectors, authorities have in the past adopted an ‘innovate now, regulate later’ approach to allow the industry, then in its infancy, the space to develop quickly.
The IoV industry is now becoming increasingly mature and saturated and has the potential to become disorganized and inefficient. Ensuring a safe, secure, and well-regulated industry will be key to securing China’s ambitions to become a leader in Internet of Vehicles technology and services.
In addition to the commercial drivers, China is also growing increasingly concerned over national security. This has prompted the government to tighten data and cybersecurity regulations in a number of industries, in particular those deemed to handle particularly sensitive data. The inclusion of standards on the – although not yet – signals that the government considers the IoV industry to be another front on which to bolster cybersecurity.
Public opinion will also be a consideration for authorities. As consumers become more and more tech-savvy and aware of the issues surrounding personal data, there will be more pressure to ensure their information is protected and not misused by companies.
Some challenges remain, however. Certain terms are still ill-defined even in existing data and cybersecurity legislation. This includes terms such as ‘important data’, which is subject to stricter security requirements than other forms of data. Although attempts have been made to clarify the types of data that fall under this category, the definition remains somewhat vague, and as of writing this article, no catalogs have been released detailing them. This indicates that regulators have experienced some difficulty in properly defining the types of data that inherently pose a security risk.
The inclusion of ‘important data’ in the new guidelines suggests that regulators plan industry-specific definitions for data classification. This could provide a better-defined framework for regulators to classify data types and come out with a concrete set of standards for data classification and would certainly be a huge help for companies in complying with data and cybersecurity regulations.
Whether this can be achieved in the next three years, as suggested in the guidelines, remains to be seen.
China Briefing is written and produced by Dezan Shira & Associates.