China Issues Formal Guidelines on Cross-Border Transfers of Automotive Data
On February 3, 2026, the Chinese government released the Guidelines on the Security of Cross-Border Transfers of Automotive Data, offering more practical and operational guidance on data flows in the auto sector.
Notice on Issuing the Guidelines on the Security of Cross-Border Transfers of Automotive Data (2026 Edition)
MIIT Network & Information Security [2026] No. 27
To the communications administrations of all provinces, autonomous regions, and municipalities directly under the Central Government; the departments in charge of industry and information technology, cyberspace affairs, development and reform, data administration, public security, natural resources, transport, and market regulation of all provinces, autonomous regions, municipalities directly under the Central Government, municipalities with independent planning status, and the Xinjiang Production and Construction Corps; and to relevant enterprises:
In order to implement the Data Security Law of the People’s Republic of China, the Cybersecurity Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, the Regulations on the Security Management of Network Data, and other relevant laws and regulations; to promote the secure, efficient, and orderly cross-border flow of data; and under the overall coordination and guidance of the national data security coordination mechanism, the Ministry of Industry and Information Technology (MIIT), together with the Cyberspace Administration of China (CAC), the National Development and Reform Commission (NDRC), the National Data Administration, the Ministry of Public Security, the Ministry of Natural Resources, the Ministry of Transport, and the State Administration for Market Regulation, has formulated the Guidelines on the Security of Cross-Border Transfers of Automotive Data (2026 Edition).
The Guidelines are hereby issued to you. Please implement them conscientiously in accordance with relevant requirements.
Ministry of Industry and Information Technology
Cyberspace Administration of China
National Development and Reform Commission
National Data Administration
Ministry of Public Security
Ministry of Natural Resources
Ministry of Transport
State Administration for Market Regulation
January 30, 2026
For European automakers operating in China, this is generally good news.
At the moment, China and the EU do have a dialogue mechanism on cross-border data flows, which has met twice so far. On the Chinese side, it’s led by the Cyberspace Administration of China (CAC); on the EU side, by the European Commission’s Directorate-General for Trade (DG TRADE). However, these discussions have so far focused only on non-personal data—for example, aggregated clinical trial data from EU pharmaceutical companies in China, or operational data from China’s EV charging infrastructure. China and Germany have also held similar exchanges, again limited to non-personal data.
According to media reports, the EU side has generally raised more concerns. From their perspective, China’s definition of “important data” is still too vague, which makes it difficult for European companies in China to transfer certain non-personal data back to their headquarters for analysis.
From China’s perspective, while EU rules on exporting non-personal data are overall more permissive than China’s, some Chinese companies feel that the EU’s definition of “sensitive data” is overly broad and that restrictions on cross-border data flows for research and development are too tight.
When it comes to personal data—or “personal information” under Chinese law, meaning data that can identify a specific individual, either on its own or combined with other data—there has so far been no formal China–EU negotiation mechanism.
This is largely because the EU treats personal data protection as a fundamental human rights issue, and because of long-standing concerns in Europe about China’s national security and intelligence laws. The prevailing worry is that governments could gain unrestricted access to EU citizens’ personal data.
That said, even under the GDPR, the line between personal and non-personal data isn’t always clear. The GDPR’s definition of personal data is relatively broad and not always precise, meaning that even manufacturing companies can end up holding what counts as personal data—and face restrictions on transferring it to China.
For example, in the EV battery industry, battery performance data linked to a vehicle identification number (VIN) may be classified as personal data under the GDPR. Without going through the required compliance procedures, that data cannot be sent back to R&D centers in China, which directly affects data analysis and product iteration.
So far, the most concrete outcome of the China–EU data dialogue appears to be an agreement to set up a working group focused specifically on cross-border data flows in the automotive sector. The new Chinese guidelines on automotive data exports can likely be seen as part of China’s effort to actively push this process forward.
Here is the full translation of the Guidelines on the Security of Cross-Border Transfers of Automotive Data. All faults are mine.
Guidelines on the Security of Cross-Border Transfers of Automotive Data
To implement the Data Security Law of the People’s Republic of China, Cybersecurity Law of the People’s Republic of China, Personal Information Protection Law of the People’s Republic of China, and Regulations on Network Data Security Management, among other laws and regulations, guide and standardize automotive data processors to conduct cross-border data transfer activities efficiently, conveniently, and securely, and enhance the facilitation level of automotive data export, these Guidelines are hereby formulated.
I. General Provisions
(1) Scope of Application
Automotive data processors shall conduct cross-border data transfer activities in accordance with these Guidelines. The term “automotive data” as used in these Guidelines refers to personal information and important data involved in the processes of automotive design, production, sales, usage, and operation and maintenance. “Automotive data processor” refers to an organization or individual that independently determines the purposes and methods of processing in automotive data processing activities, including automotive manufacturers, parts and software suppliers, telecommunication operators, autonomous driving service providers, platform operators, dealers, maintenance institutions, and mobility service enterprises, among others.
(2) Cross-border Data Transfer Activities
When an automotive data processor provides automotive data to outside the territory of the People’s Republic of China [Note 1], it constitutes a cross-border data transfer activity if it falls under any of the following circumstances:
The automotive data processor transfers automotive data collected and generated during operations within the territory of the People’s Republic of China [Note 2] to outside the territory;
The automotive data collected and generated by the automotive data processor is stored within the territory, but institutions, organizations, or individuals outside the territory may access, retrieve, download, or export such data;
Other data processing activities conducted outside the territory that fall under the circumstances specified in Paragraph 2, Article 3 of the Personal Information Protection Law, including processing personal information of natural persons within the territory from outside the territory.
(3) Administration Methods for Cross-border Data Transfer Activities
An automotive data processor shall apply for a data export security assessment when providing automotive data to outside the territory if it falls under any of the following circumstances:
(1) Providing important data [Note 3] to outside the territory;
(2) Cumulatively providing personal information (excluding sensitive personal information) of more than 1 million [Note 4] individuals to outside the territory since January 1 of the current year;
(3) Cumulatively providing sensitive personal information of more than 10,000 individuals to outside the territory since January 1 of the current year;
(4) A critical information infrastructure operator providing personal information to outside the territory; or
(5) Other circumstances specified by relevant state regulations that require application for data export security assessment.
An automotive data processor (excluding critical information infrastructure operators) providing personal information to outside the territory may choose either of the following two methods if it falls under any of the following circumstances:
(1) Cumulatively providing personal information (excluding sensitive personal information) of 100,000 or more but less than [Note 5] 1 million individuals to outside the territory since January 1 of the current year; or
(2) Cumulatively providing sensitive personal information of less than 10,000 individuals to outside the territory since January 1 of the current year.
An automotive data processor shall be exempt from applying for a data export security assessment, concluding a standard contract for personal information export, or obtaining certification for personal information export if it falls under any of the following circumstances:
(1) Automotive data collected and generated outside the territory is transmitted to the territory for processing and then provided to outside the territory, and no personal information or important data from within the territory is introduced during the processing;
(2) It is indeed necessary to provide personal information to outside the territory for the conclusion or performance of a contract to which an individual is a party, such as cross-border vehicle purchase, cross-border delivery, cross-border payment, or cross-border account registration;
(3) It is indeed necessary to provide employee personal information to outside the territory for the implementation of cross-border human resources management in accordance with legally formulated labor rules and regulations and collectively negotiated contracts;
(4) It is indeed necessary to provide personal information to outside the territory in an emergency to protect the life, health, and property safety of natural persons;
(5) An automotive data processor other than a critical information infrastructure operator has cumulatively provided personal information (excluding sensitive personal information) of less than 100,000 individuals to outside the territory since January 1 of the current year;
(6) An automotive data processor registered in a pilot free trade zone provides data not included in the negative list to outside the territory in compliance with the relevant requirements of the pilot free trade zone;
(7) For the purpose of patching security vulnerabilities, the automotive data processor has reported security vulnerability data to the Ministry of Industry and Information Technology in accordance with the requirements of the Provisions on the Management of Network Product Security Vulnerabilities;
(8) For the purpose of handling security incidents, the automotive data processor has reported security incident data concerning automotive products [Note 6], connected vehicle platforms, and related systems to the Ministry of Industry and Information Technology and relevant industry regulatory departments in accordance with relevant emergency response plans for cybersecurity and data security incidents in the industry;
(9) For the purpose of eliminating automotive product defects or implementing recalls, the automotive data processor has filed the source code corresponding to OTA upgrade software packages with the State Administration for Market Regulation in accordance with the Regulation on the Administration of Recall of Defective Auto Products.
The personal information provided to outside the territory as referred to in the preceding paragraph does not include important data.
(6) Other Circumstances
Automotive data meeting any of the following circumstances:
Meeting the determination rules described above in other cross-border business scenarios;
Automotive data processors identifying and declaring important data in accordance with relevant state regulations and industry standards, with the Ministry of Industry and Information Technology, the Cyberspace Administration of China, and other relevant departments publicly announcing or notifying that such data constitutes important data.
(1) Data Identification
Based on the important data catalog filing, automotive data processors shall identify automotive data subject to declaration for cross-border security assessment, conclusion of standard contracts for personal information export, or obtaining certification for personal information export in accordance with these Guidelines.
(2) Implementation of Data Export Security Assessment
Automotive data processors shall apply for data export security assessment through a domestic legal entity. Where there is no domestic legal entity, the application shall be submitted by a domestic branch. Where multiple domestic subsidiaries belong to the same corporate group (parent company) and have similar cross-border data transfer business scenarios, the corporate group (parent company) may act as the applicant for consolidated application. It is prohibited to circumvent the security assessment requirement by splitting data volumes or other means, transferring data that should undergo security assessment to outside the territory through standard contracts or other methods.
Automotive data processors shall conduct self-assessment of cross-border data transfer risks and rectify identified risk issues in accordance with the Measures of Data Cross-Border Transfer Security Assessment, Provisions to Standardize and Promote Data Cross-border Flow, and Guidelines for Reporting Data Cross-Border Security Assessments (3rd Edition), and submit application materials to cyberspace administration departments. Upon passing the data export security assessment, automotive data processors may proceed with cross-border data transfer activities; where circumstances affecting the security of outbound data arise, a re-assessment application shall be submitted.
(3) Conclusion of Standard Contract for Personal Information Export
Automotive data processors shall conduct personal information protection impact assessment and rectify identified risk issues in accordance with the Measures for Standard Contract for Cross-border Transfer of Personal Information and Guidelines for Filing Standard Contracts for Personal Information Cross-border (Version 2.0), enter into a standard contract for personal information export with the overseas recipient, and commence cross-border personal information transfer activities only after the contract takes effect.
Automotive data processors shall submit filing materials to cyberspace administration departments. Those meeting relevant requirements will be issued a filing number. Where circumstances that may affect personal information rights and interests arise, a new personal information protection impact assessment shall be conducted, a new standard contract shall be concluded, and the new contract shall be filed.
(4) Certification for Personal Information Export
Automotive data processors shall conduct personal information protection impact assessment and rectify identified risk issues in accordance with the Measures for Certification of Personal Information Export, apply for certification to a qualified professional certification body, and cooperate to complete the certification process. Upon obtaining certification, automotive data processors may commence cross-border personal information transfer activities.
Where personal information export circumstances no longer meet certification requirements, automotive data processors shall re-conduct personal information protection impact assessment and apply for certification.
IV. Security Protection Requirements for Cross-border Automotive Data Transfer
(1) Management Requirements
Departmental Requirements
Automotive data processors shall designate a department responsible for cross-border automotive data transfer management to coordinate and advance security management of data export, and supervise the implementation of relevant management requirements for cross-border data transfer.
Personnel Requirements
Automotive data processors shall designate a security officer responsible for cross-border automotive data transfer to supervise data export activities and protective measures implemented, and assume responsibility for the security of cross-border data transfer activities.
System Requirements
Automotive data processors shall establish system requirements regarding cybersecurity, data security, and personal information protection, with specific provisions for security management requirements for cross-border automotive data transfer.
Approval Requirements
Automotive data processors shall establish an internal registration and approval mechanism for cross-border automotive data transfer, set approval authority and procedures, and maintain archives of approval materials.
(2) Technical Protection Requirements
Security of Cross-border Data Transfer Transmission
Automotive data processors shall implement the following protective measures:
(1) Employ verification technologies, cryptographic technologies, secure transmission channels, or secure transmission protocols to ensure the confidentiality and integrity of automotive data during cross-border transfer transmission.
(2) Systems related to cross-border automotive data transfer shall have the capability to authenticate the identity of overseas data recipients, ensuring the authenticity of overseas recipient identities.
Security Monitoring of Cross-border Data Transfer
Automotive data processors shall conduct security monitoring of network communications for cross-border automotive data transfer transmission and host or system operational behaviors, generating security alert logs and maintaining them.
Inspection Support
Platforms or systems that directly transmit automotive data outside the territory shall possess technical support capabilities for security inspection of cross-border data transfer, retaining network communication traffic for cross-border data transfer and supporting data tampering prevention and content parsing.
(1) Full Retention. Retain complete network communication traffic for cross-border data transfer by start and end time, with a retention period of 1 week.
(2) Sample Retention. Support sample retention of network communication traffic for cross-border data transfer by start and end time and IP address range, with a retention period of no less than 1 month.
(3) Log Requirements
Log Recording
(1) Network Traffic Logs
Automotive data processors shall record network communication behaviors for cross-border automotive data transfer, including at minimum date, time, source IP address, destination IP address, source port, destination port, transport layer protocol, application layer protocol, and data volume size, generating network traffic logs and maintaining them.
(2) Operational Behavior Logs
Automotive data processors shall record operational behaviors of hosts that directly transmit automotive data outside the territory, including user information, operation time, operation object, operation type, login IP, device information, operation result, and data access permission changes, generating operational behavior logs and maintaining them.
Log Retention
Automotive data processors shall retain network traffic logs, operational behavior logs, and security alert logs in a tamper-proof manner, with a retention period of no less than 3 years.
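The log-recording and log-retention requirements above can be illustrated with a short sketch. This is an added example, not part of the Guidelines or of the original translation: the Guidelines do not prescribe a mechanism for "tamper-proof" retention, so the SHA-256 hash chain here is one possible approach, and the field names, the `expected_head` parameter, and the sample records are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Minimum fields the Guidelines list for network traffic logs (names are assumed).
REQUIRED_FIELDS = (
    "date", "time", "src_ip", "dst_ip", "src_port", "dst_port",
    "transport_protocol", "application_protocol", "bytes",
)
# "No less than 3 years", approximated conservatively as 3 * 366 days (assumption).
MIN_RETENTION = timedelta(days=3 * 366)
GENESIS = "0" * 64


def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_record(chain, record):
    """Validate a traffic record and append it, linked to the previous entry."""
    missing = [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]
    if missing:
        raise ValueError("missing required fields: " + ", ".join(missing))
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": dict(record), "prev": prev_hash,
             "hash": _digest(prev_hash, record)}
    chain.append(entry)
    return entry


def verify_chain(chain, expected_head=None):
    """Return the index of the first bad entry, len(chain) if the tail was
    truncated relative to expected_head, or None if the chain is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(chain)
    return None


def may_purge(entry, now):
    """True only once the record is older than the minimum retention period."""
    rec = entry["record"]
    ts = datetime.fromisoformat(rec["date"] + "T" + rec["time"]).replace(tzinfo=timezone.utc)
    return now - ts >= MIN_RETENTION


def build_sample_chain():
    """Constructed sample records (documentation IP ranges), not real traffic."""
    chain = []
    for n, size in enumerate((48213, 1024, 990211)):
        append_record(chain, {
            "date": "2026-03-01", "time": "08:00:0%d" % n,
            "src_ip": "192.0.2.10", "dst_ip": "203.0.113.7",
            "src_port": 50000 + n, "dst_port": 443,
            "transport_protocol": "TCP", "application_protocol": "TLS",
            "bytes": size,
        })
    return chain
```

A hash chain only makes tampering detectable. To catch deletion of the newest entries, the latest hash has to be stored somewhere the logging host cannot rewrite and passed back in as `expected_head`.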
Log Audit
Automotive data processors shall audit network traffic logs, operational behavior logs, and security alert logs, responding promptly to address any security risks or hazards such as illegal operations when discovered.
(4) Emergency Response Requirements
Automotive data processors shall establish capabilities for handling unauthorized cross-border automotive data transfer, taking timely action when abnormal behaviors are detected, and reporting to local industry regulatory authorities in accordance with relevant requirements.
Note
Note 1: Hereinafter referred to as “outside the territory” or “overseas”
Note 2: Hereinafter referred to as “within the territory” or “domestic”
Note 3: Where the data includes surveying and mapping geographic information data such as spatial coordinates, images, point clouds and their attribute information, the data processor shall, prior to applying for the data export security assessment, complete the legally required procedures for external provision approval or map review.
Note 4: The count is based on natural persons (deduplicated). The term “or more” (以上) includes the specified number itself.
Note 5: The term “less than” (不满) excludes the specified number itself.
Note 6: Refers to emergency response plans for cybersecurity incidents and data security incidents in the automotive industry formulated by relevant departments.
Note 6: Cybersecurity incidents are defined according to the Emergency Response Plan for Cybersecurity Incidents on Public Internet, and data security incidents are defined according to the Emergency Response Plan for Data Security Incidents in the Industrial and Information Technology Sector (Trial).
Note 7: Classified and sensitive geographic information data shall be identified in accordance with the Provisions on the Scope of State Secrets in Surveying and Mapping Geographic Information Management and the Specifications for the Representation of Content on Public Maps, among others.
Note 8: Near-field communication refers to the communication mode of Near Field Communication Interface and Protocol-1 (NFCIP-1) using inductive coupling devices at a center frequency of 13.56MHz to connect computer peripheral devices (ISO/IEC 18092:2023).
Note 9: Geographic information data containing spatial position coordinates, such as location trajectory data, autonomous driving map data, and mapping data, shall be processed using geographic information confidentiality processing technologies recognized by the state.














Excellent breakdown of the exemption framework here. The 100k personal info threshold seems designed to let routine auto operations happen without friction while still catching major data transfers. I've been tracking how different regulators approach cross-border EV data and this feels more practical than some western approaches. The specific carveouts for OTA updates and security patches are smart because they recognize operational reality.