Privacy & Information Security Law Blog

Last month, the People’s Republic of China’s Ministry of Transportation, Ministry of Industry and Information Technology and six other administrative departments jointly published the Interim Measures for the Administration of Operation and Services of E-hailing Taxis (the “Measures”). E-hailing is an increasingly popular business in China and has already become a compelling alternative to the traditional taxi. The Measures seek to regulate this emerging industry, and will come into effect on November 1, 2016. Below is a summary of the key requirements.

The Measures contain a data localization requirement under which operators of e-hailing platforms will be required to locate their servers within mainland China. In addition, personal information collected on e-hailing platforms and business data generated during their operations must be stored and used within mainland China, and such information and data must be retained for at least two years.

The Measures also require operators of e-hailing platforms to expressly disclose the purpose, method and scope of the collection and use of the personal information of drivers and passengers while on the platforms. Operators of e-hailing platforms will be required to follow the principle of necessity when they collect personal information of drivers and passengers and may not use such personal information for other businesses without the consent of the data subjects.

Under the Measures, operators of e-hailing platforms must not, except for purposes of cooperating with supervisory authorities or with criminal investigations, provide the personal information of drivers and passengers (such as names, contact information, home addresses, bank or payment accounts, geographical location or travel routes) to any third parties. They are also prohibited from disclosing sensitive information relating to national security, such as geographical coordinates and symbols.

The Measures also require operators of e-hailing platforms to adopt systems for the administration of cybersecurity and technical security measures. In the event of an information leakage, operators of e-hailing platforms must report to the relevant competent authority without delay and take timely and effective remedial measures.

E-hailing platform operators that illegally use or disclose passengers’ personal information may face a penalty of RMB 2,000 to RMB 10,000. They may also be subject to civil liability for compensation and criminal sanctions.