The rules clarify what counts as a data export, expand regulatory coverage, and introduce exemptions for scenarios like vulnerability fixes, security incidents and OTA updates to improve efficiency. On February 3, China’s MIIT, together with seven other government departments, jointly issued the Automotive Data Cross-Border Transfer Security Guidelines (2026 Edition). This further refines rules for cross-border data flows in the automotive sector under the existing data export security management framework. The guidelines define the management mechanisms and applicable conditions for automotive data exports, and introduce nine categories of exempted scenarios. Procedures for the Automotive Data Cross-Border Transfer Security Guidelines (2026 Edition) They also provide more detailed criteria for identifying “important data” across business contexts including R&D and design, manufacturing, driving automation, software updates and connected vehicle operations. The document clarifies compliance pathways such as conducting data export security assessments and signing standard contracts for personal information transfers. According to the guidelines, automotive data processors must apply for data export security assessments through their domestic legal entities. If no domestic legal entity exists, the responsibility falls to their onshore branches. Notably, the guidelines offer a more specific definition of what constitutes a “data export activity.” This includes not only transferring data collected during domestic operations to overseas recipients, but also situations where data are stored within China yet can be accessed or downloaded by overseas entities, as well as the overseas processing of personal information of individuals located in China. All such activities fall within the regulatory scope. From an industry perspective, the policy does not represent a sudden tightening. In 2025, China’s automobile production and sales both surpassed 34 million units, while exports exceeded 7 million units. Growth and sales volume of automobiles in China from 2015 to 2025 As vehicles become increasingly intelligent and connected, automotive data have emerged as a critical factor of production. A high-level autonomous driving test vehicle can generate up to 10 terabytes of data per day on average. From algorithm training to after-sales operations, data flows have become highly rigid and indispensable across the vehicle lifecycle. Within the broader national framework for cross-border data security, the guidelines make more targeted arrangements for certain scenarios. Data related to security vulnerabilities, security incidents and source code of OTA software update packages are included among the categories that may be exempt from applying for data export security assessments. The policy rationale is to provide companies with more efficient channels for cross-border data transfers, ensuring that vulnerability remediation, incident response and product recalls can be completed in a timely manner without compromising vehicle operational safety. When implementing such exemptions, enterprises must confirm that the purpose of the data export is indeed for vulnerability remediation, security incident handling or defect elimination, and must report or file records in advance with relevant authorities such as the MIIT and the State Administration for Market Regulation.
+33 others
