Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · GUIDELINES FOR THE SECURITY OF AUTOMOTIVE DATA EXPORT (2026 EDITION)

Guidelines for the Security of Automotive Data Export (2026 Edition).

汽车数据出境安全指引(2026版)

Promulgated by: Cyberspace Administration of China.
2026 Edition.

These Guidelines are formulated in order to implement the Data Security Law of the People’s Republic of China, the Cybersecurity Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, the Network Data Security Management Regulation and other laws and regulations, to guide and regulate automotive data processors in carrying out data-export activities efficiently, conveniently and securely, and to enhance the facilitation of automotive data export.


I. General Provisions

(I) Scope of Application

Automotive data processors shall carry out data-export activities in accordance with these Guidelines. “Automotive data” as referred to in these Guidelines means the personal information and important data involved in the processes of automotive design, production, sale, use, operation and maintenance. “Automotive data processors” means organizations and individuals that independently determine the processing purpose and processing method in carrying out automotive data processing activities, including automobile manufacturers, parts and software suppliers, telecommunications operating enterprises, autonomous-driving service providers, platform operating enterprises, dealers, repair institutions, and mobility service enterprises.

(II) Data-Export Acts

Where an automotive data processor provides automotive data outside the territory of the People’s Republic of China (“overseas”), it constitutes a data-export act if it meets any of the following:

  1. the automotive data processor transmits automotive data collected and generated during operations within the territory of the People’s Republic of China (“within the territory”) to overseas;

  2. automotive data collected and generated by the automotive data processor is stored within the territory, and overseas institutions, organizations or individuals can query, retrieve, download or export it;

  3. other data processing activities that fall within the circumstances of the second paragraph of Article 3 of the Personal Information Protection Law, namely processing the personal information of natural persons within the territory while overseas.

(III) Management Modes for Data-Export Activities

  1. Where an automotive data processor provides automotive data overseas and meets any of the following, it shall declare a data-export security assessment:

    (1) providing important data overseas (where the data includes surveying and mapping geographic-information data such as spatial coordinates, imagery, point clouds and their attribute information, the external-provision approval or map-review procedures shall be lawfully completed before declaring the data-export security assessment);

    (2) cumulatively providing the personal information of more than 1 million persons (not including sensitive personal information) overseas since January 1 of the current year;

    (3) cumulatively providing the sensitive personal information of more than 10,000 persons overseas since January 1 of the current year;

    (4) a critical information infrastructure operator providing personal information overseas;

    (5) other circumstances clarified by relevant State provisions as requiring the declaration of a data-export security assessment.

    (The numbers of persons are counted by de-duplicated natural persons, and “more than” includes the stated figure.)

  2. Where an automotive data processor (other than a critical information infrastructure operator) provides personal information overseas and meets any of the following, it may choose either of the two modes — concluding a standard contract for the export of personal information, or passing personal-information export certification:

    (1) cumulatively providing the personal information of more than 100,000 but fewer than 1 million persons (not including sensitive personal information) overseas since January 1 of the current year;

    (2) cumulatively providing the sensitive personal information of fewer than 10,000 persons overseas since January 1 of the current year.

    (“Fewer than” does not include the stated figure.)

  3. An automotive data processor is exempt from declaring a data-export security assessment, concluding a standard contract for the export of personal information, or passing personal-information export certification, where any of the following applies:

    (1) automotive data collected and generated overseas is transmitted into the territory for processing and then provided overseas, and no personal information or important data from within the territory is introduced in the processing;

    (2) it is truly necessary to provide personal information overseas in order to conclude or perform a contract to which the individual is a party, such as cross-border vehicle purchase, cross-border delivery, cross-border payment, or cross-border account registration;

    (3) it is truly necessary to provide the personal information of employees overseas in order to implement cross-border human-resources management in accordance with labor rules and regulations formulated in accordance with the law and collective contracts concluded in accordance with the law;

    (4) it is truly necessary to provide personal information overseas in an emergency to protect the life, health and property safety of natural persons;

    (5) an automotive data processor other than a critical information infrastructure operator cumulatively provides the personal information of fewer than 100,000 persons (not including sensitive personal information) overseas since January 1 of the current year;

    (6) an automotive data processor registered in a pilot free trade zone provides data outside the negative list overseas in accordance with the relevant requirements of the pilot free trade zone;

    (7) security-vulnerability data that the automotive data processor has, in order to repair security vulnerabilities, reported to the Ministry of Industry and Information Technology in accordance with the relevant requirements of the Provisions on the Management of Network Product Security Vulnerabilities;

    (8) security-incident data of automotive products, IoV platforms and related systems that the automotive data processor has, in order to dispose of security incidents, reported to the Ministry of Industry and Information Technology and the relevant industry regulatory authorities in accordance with the relevant industry contingency plans for cybersecurity and data security incidents (cybersecurity incidents under the Contingency Plan for Public Internet Cybersecurity Emergencies, and data security incidents under the Emergency Response Plan for Data Security Incidents in the Field of Industry and Information Technology (Trial));

    (9) the source code corresponding to the OTA upgrade software package that the automotive data processor has, in order to eliminate automotive product defects and implement a recall, filed with the State Administration for Market Regulation in accordance with the Regulation on the Recall of Defective Automotive Products.

    The personal information provided overseas as referred to in the preceding paragraph does not include important data.

II. Determination of Important Data

The following reflects the important-data determination catalogue, which in the original is set out as detailed tables of data categories, data items and determination rules across six business scenarios. It is rendered here as structured prose. Where a data item is determined to be important data, its export requires a security assessment.

(I) Research and Development Design Scenario

Covers data collected and generated by automotive data processors when integrating global R&D resources and collaboratively designing and developing products.

  • Product R&D — bills of materials (BOM, including design BOM and component/material specifications, quantities and hierarchical relationships, and key-material ratio schemes, formulation schemes, chemical general formulas and material usage for power-battery cathode/anode active materials, electrolytes, separators, binders and the like), R&D design documents (design models, drawings, schemes, technical documents, test reports), and product/technology development source code. Determination rule: important data if it (1) is supported by a national major special project or national key R&D program; (2) corresponds to relevant technology control points in the Catalogue of Technologies Prohibited and Restricted from Export of China; or (3) involves relevant items in the Dual-Use Items Export Control List of the People’s Republic of China.

  • Product testing — annotated-scene data (image, point-cloud, multimodal and video annotation), simulated-scene data (road-network, environment, traffic-flow, synthetic, and replay simulation files), and test-scene data (accident, hazard and edge scenes). Determination rule: important data if, among other things, it relates to or can be used to derive important and sensitive areas such as military administration zones, units of national defense science, technology and industry, and Party and government organs at or above the county level; can derive classified or sensitive geographic-information data; reflects economic operation of a prefecture-level or higher administrative region (road vehicle flow, personnel flow, logistics) cumulatively for 30 days or more; can derive on-site situations of major-event security control, traffic accidents or other emergencies, or other social-public-security law-enforcement activities and personnel; contains real out-of-vehicle face bounding boxes with a minimum edge length of 32 pixels or more, or real out-of-vehicle license-plate bounding boxes with a minimum edge length of 16 pixels or more; is collected from more than 100,000 vehicles operating within the territory; involves cumulatively more than 2,000 hours of raw imagery collected in real environments (or data generated therefrom); or involves more than 10 million raw images (or data generated therefrom).

(II) Production and Manufacturing Scenario

Covers BOMs and production-control-program source code collected and generated in the manufacturing of automotive products — process BOMs (including power-battery R&D technical schemes and process parameters for core processes such as electrode preparation, assembly, electrolyte injection, formation and capacity grading), and CNC-machine-tool and industrial-robot control-program source code. Determination rule: the same three conditions as the product-R&D rule (national major special project/key R&D program; export-prohibited/restricted technology control points; dual-use items list).

(III) Driving Automation Scenario

Covers algorithms, training data and feature data collected and generated in developing, deploying and applying combined driving-assistance or autonomous-driving functions — algorithm files and source code, algorithm parameters (model weight coefficients), and training data sets (driver-decision data sets; system decision or predictive-planning data sets; operation data sets containing vehicle longitude/latitude, altitude, heading/roll/pitch angles, speed and angular rates; and multimodal training data sets), as well as image and point-cloud feature data. Determination rule: algorithm files/source code/parameters are important data if supported by a national major special project/key R&D program, if related achievements in IoV network and data security or driving-automation functions have received provincial/ministerial-level or higher awards, or if they may affect national science-and-technology security or industry competitiveness. Training/feature data are important data on substantially the same geographic, economic-operation, sensitive-area, public-security and scale grounds as the product-testing rule (including the 100,000-vehicle, 2,000-hour and 10-million-image thresholds), in particular when fused and associated with out-of-vehicle real-scene imagery and radar data.

(IV) Software Upgrade Service Scenario

Covers source code corresponding to software packages that upgrade vehicle safe-driving and battery-management functions. Determination rule: important data where it simultaneously (1) upgrades vehicles operating within the territory; (2) involves vehicle remote-control functions (excluding control achieved via near-field communication); and (3) involves functions of vehicle start-up/driving, power loss, emergency braking, cruise control, lane keeping, charge/discharge control, or battery temperature control.

(V) Connected Operation Scenario

  • Vehicle data — vehicle identification numbers (VIN), IoV-card identification data (ICCID, IMEI, IMSI, MSISDN), vehicle keys (symmetric keys and asymmetric private keys), vehicle digital certificates (root certificates), and control commands. Determination rules: VIN/IoV-card identification data are important data where, since January 1 of the current year, the data provided overseas, combined with other exported information, can identify more than 1 million persons cumulatively. Vehicle keys and digital certificates are important data where they involve keys/root certificates used in the remote start-up, diagnosis, update or communication of more than 100,000 vehicles operating within the territory. Control commands (remote control of door locks, vehicle start-up, steering, acceleration, braking, parking, charge/discharge and temperature/battery management, excluding near-field control) are important data where they involve vehicles operating within the territory.

  • Vehicle-road perception — out-of-vehicle real-scene imagery (camera images/videos), radar data (point clouds and structured target-level data), location-track data, inertial-navigation data, autonomous-driving map data, and mapping-type data. (Geographic-information data containing spatial position coordinates must first be processed using State-recognized geographic-information confidentiality processing technology.) Determination rule: important data on the same sensitive-area, classified-geographic-information, economic-operation (30-day), public-security, face (32-pixel)/license-plate (16-pixel), 100,000-vehicle, 2,000-hour and 10-million-image grounds as the product-testing rule.

  • Vehicle-road analysis — fusion-computing data (personnel-flow and vehicle-flow data aggregated from roadside-device collection, target-surface 3D coordinate imaging data, and traffic-flow indicator data such as signal queue durations, intersection traffic flow, green-light times and overflow events). Determination rule: important data on sensitive-area, classified-geographic-information, public-security and economic-operation (30-day) grounds; traffic-flow indicator data are also important where they cover at least one complete intersection over a time span of more than one month.

  • IoV platform operation — network-planning data (asset-configuration information and network-topology diagrams of platform core assets), charging-operation data (charging-facility location data, vehicle charging-status monitoring data, and charging account/usage data), and security-assurance data (threat information such as undisclosed vulnerability and security-incident information). Determination rules: asset configuration/topology are important data for IoV platforms serving more than 1 million vehicles operating within the territory, or for platforms that simultaneously provide OTA upgrade services to more than 500,000 vehicles operating within the territory with upgrades touching powertrain, chassis or safe-driving functions. Charging-facility location data are important where they involve sensitive areas; charging-status data are important where collected from more than 100,000 vehicles operating within the territory; charging account/usage data are important where cumulatively provided overseas for more than 1 million persons since January 1 of the current year; threat information is important where it involves high-risk or higher vulnerabilities, or significant or higher network and data security incidents.

(VI) Other Circumstances

Automotive data is also important data where (1) it meets the above determination rules in other export business scenarios; or (2) the automotive data processor has identified and declared it as important data in accordance with relevant State provisions and industry standards, and the Ministry of Industry and Information Technology, the Cyberspace Administration of China or other relevant departments have publicly announced or notified that it is important data.

III. Data-Export Procedure

(I) Data Identification

On the basis of important-data catalogue filing, the automotive data processor shall, in accordance with these Guidelines, identify the automotive data for which it must declare an export security assessment, conclude a standard contract for the export of personal information, or pass personal-information export certification.

(II) Conducting the Data-Export Security Assessment

The automotive data processor shall declare the data-export security assessment through a domestic legal-person entity. Where there is no domestic legal-person entity, a domestic branch shall declare. Where several domestic subsidiaries belong to the same group company (parent company) and have similar data-export business scenarios, the group company (parent company) may declare jointly as the declaring entity. Data that should pass the security assessment shall not be provided overseas by means such as quantity splitting through the conclusion of a standard contract or otherwise.

The automotive data processor shall, in accordance with the Measures for the Security Assessment of Data Export, the Provisions on Promoting and Regulating Cross-Border Data Flows, and the Guide for the Declaration of Data Export Security Assessment (Third Edition), carry out a data-export risk self-assessment and rectify risk issues, and submit the declaration materials to the cyberspace administration. Upon passing the data-export security assessment, the automotive data processor may carry out data-export activities; where circumstances arise that affect the security of the exported data, it shall re-declare the assessment.

(III) Concluding a Standard Contract for the Export of Personal Information

The automotive data processor shall, in accordance with the Measures for the Standard Contract for the Export of Personal Information and the Guide for the Filing of the Standard Contract for the Export of Personal Information (Second Edition), carry out a personal-information protection impact assessment and rectify risk issues, and conclude a standard contract for the export of personal information with the overseas recipient; personal-information export activities may be carried out only after the contract takes effect.

The automotive data processor shall submit the filing materials to the cyberspace administration, and will obtain a filing number where the relevant requirements are met; where circumstances arise that may affect personal-information rights and interests, it shall re-conduct the personal-information protection impact assessment, conclude the standard contract and file again.

(IV) Passing Personal-Information Export Certification

The automotive data processor shall, in accordance with the Measures for Personal-Information Export Certification, carry out a personal-information protection impact assessment and rectify risk issues, apply for certification to a qualified professional certification institution, and cooperate in completing the certification work. Personal-information export activities may be carried out only after passing the certification.

Where the personal-information export situation no longer meets the certification requirements, the automotive data processor shall re-conduct the personal-information protection impact assessment and apply for certification.

IV. Requirements for the Security Protection of Automotive Data Export

(I) Management Requirements

  1. Department requirement. The automotive data processor shall clarify the automotive data export management department, coordinate and advance data-export security management in an overall manner, and supervise and inspect the implementation of data-export-related management requirements.

  2. Personnel requirement. The automotive data processor shall clarify the person responsible for automotive data export security, who shall supervise data-export activities and the protective measures taken, and be responsible for the security of data-export activities.

  3. System requirement. The automotive data processor shall clarify system requirements in cybersecurity, data security, personal-information protection, and the like, and specifically clarify automotive data export security management requirements.

  4. Approval requirement. The automotive data processor shall establish an internal registration and approval mechanism for automotive data export, set approval authority and approval procedures, and organize and archive the approval materials.

(II) Protection Technical Requirements

  1. Data-export transmission security. The automotive data processor shall take the following protective measures: (1) adopt verification technology, cryptographic technology, secure transmission channels or secure transmission protocols to ensure the confidentiality and integrity of automotive data during data-export transmission; (2) ensure that the automotive data export system has the capability to authenticate the identity of the overseas data recipient, so as to ensure the authenticity of the overseas data recipient’s identity.

  2. Data-export security monitoring. The automotive data processor shall conduct security monitoring of the network communications and host or system operation behavior of automotive data export, form security alarm logs and retain them.

  3. Inspection support. The platform or system that directly transmits automotive data overseas shall have the technical-support capability for data-export security inspection, retain the data-export network communication traffic, and support data tamper-proofing and content parsing. (1) Full retention — retain the data-export network communication traffic in full according to start and end times, for a retention period of 1 week. (2) Sample retention — support sampling and retaining the data-export network communication traffic according to start and end times and IP address ranges, for a retention period of not less than 1 month.

(III) Logging Requirements

  1. Log recording. (1) Network-traffic logs — the automotive data processor shall record the network communication behavior of automotive data export, including at least the date, time, source IP address, destination IP address, source port, destination port, transport-layer protocol, application-layer protocol, and data volume, forming network-traffic logs and retaining them. (2) Operation-behavior logs — the automotive data processor shall record the operation behavior of the host that directly transmits automotive data overseas, including user information, operation time, operation object, operation type, login IP, device information, operation result, and changes to data-access authority, forming operation-behavior logs and retaining them.

  2. Log retention. The automotive data processor shall retain the network-traffic logs, operation-behavior logs and security-alarm logs in a tamper-proof manner, for a retention period of not less than 3 years.

  3. Log auditing. The automotive data processor shall audit the network-traffic logs, operation-behavior logs and security-alarm logs, and promptly respond to and dispose of security risks and hidden dangers such as illegal operations when discovered.

(IV) Emergency-Response Requirements

The automotive data processor shall establish the capability to dispose of non-compliant export of automotive data, promptly dispose of abnormal behavior when discovered, and report to the industry regulatory authority of its region in accordance with relevant requirements.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.