China’s New Vehicle Data Export Guidelines: How Automakers Should Prepare

Written by Arendse Huld

China’s new vehicle data export rules introduce clearer definitions, compliance pathways, and risk management requirements for automakers operating in China. The 2026 guidelines detail what constitutes sensitive vehicle data and outline when companies must undergo assessments or security reviews before transferring data abroad. These updates aim to standardize compliance expectations and reduce ambiguity for foreign and domestic players in the auto sector. 


The Ministry of Industry and Information Technology (MIIT), along with several other government departments, has released new guidelines outlining the rules and requirements for companies in the auto industry to export important data and personal information (PI) outside of China.  

While the data export regulations for companies in the auto industry are the same as for companies in other industrial sectors, the guidelines, officially the Guidelines for the Security of Cross-Border Transfer of Vehicle Data (2026 Edition), provide specific definitions and scenarios related to the auto industry. These help companies to better identify whether they are subject to China’s data and PI export regulations, and which data is restricted from being exported without undergoing certain compliance procedures.

 

Key Takeaways for Foreign Auto Companies 

  • High likelihood of handling “important data”: Due to the nature of current-day automotive R&D and manufacturing, as well as fields such as connected vehicle systems and autonomous driving technologies, foreign auto companies are highly likely to be processing “important data,” triggering the strictest data export procedures, which include a data export security assessment.
  • Cumbersome and costly compliance: Cross-border data transfers require multiple steps (data identification, internal assessments, and regulatory evaluations), making the process resource intensive, especially for companies with a broad scope of operations across multiple subsidiaries.
  • Early preparation is essential: Companies should begin compliance preparations early and consider specialized external support to ensure smooth implementation and avoid costly delays or consequences for noncompliance. 
  • Auto industry under closer scrutiny: While the guidelines introduce little that is fundamentally new, they signal that automotive remains a priority sector for regulators, and violations in this area are more likely to draw attention. 
  • More sectors likely to follow: The auto industry is expected to be only the first of several critical industries to receive detailed guidance. Additional regulations and guidelines are anticipated in 2026, meaning companies in other sectors should also strengthen data governance and prepare for heightened compliance expectations. 

Who do the data export rules apply to? 

The guidelines clarify that the rules apply to all “vehicle data processors” exporting “vehicle data”.

Vehicle data is defined as either PI or important data involved in processes such as the design, production, sales, use, and maintenance of vehicles. 

Vehicle data processors, meanwhile, are organizations and individuals who independently determine the method and purpose of data processing in the process of carrying out vehicle data processing activities. They include manufacturers, components and software suppliers, telecom operators, autonomous driving service providers, platform operators, dealers, maintenance organizations, and mobility service companies. Hereinafter they are referred to as “auto companies” or “companies”. 

Export activity

Auto companies that export vehicle data outside of China and meet one of the following criteria are considered to be carrying out export activities: 

  1. Transmit vehicle data collected or generated during operations in China overseas;
  2. Where vehicle data collected and generated by auto processors are stored overseas, and overseas institutions, organizations, or individuals can search, obtain, download, and export (in the technical sense) this data.
  3. Other data processing activities such as processing the PI of natural persons in China from outside of China for the purposes of providing products or services to people in China, or to analyze or evaluate the behavior of natural persons in China. 

Thresholds for triggering compliance procedures

Under China’s Personal Information Protection Law (PIPL) and its implementation regulations, companies that process the PI of large numbers of individuals are required either to undergo a PI export security assessment (the higher compliance bar) or to choose between entering into a standard PI export security contract with the overseas recipient and undergoing PI export security certification by an accredited third-party institution.

The thresholds for triggering one of the two levels of compliance for automotive companies are the same as for companies in other industries, as summarized in the table below. 

Compliance Requirements for Export of Vehicle Data

Must conduct a data export security assessment:

  • Companies that provide important data* overseas
  • Companies that have exported the PI of 1 million people or more since January 1 of the current year**, not including sensitive PI
  • Companies that have exported the sensitive PI of 10,000 people or more since January 1 of the current year
  • Critical information infrastructure operators
  • Other circumstances stipulated in national regulations

Must sign a standard contract or undergo data export security certification:

  • Companies that have exported the PI of between 100,000 and up to (not including) 1 million people since January 1 of the current year**, not including sensitive PI
  • Companies that have exported the sensitive PI of under 10,000 people since January 1 of the current year

* Where surveying and mapping geographic information data includes spatial coordinates, imagery, point clouds, and their attribute information, entities must lawfully gain approval or fulfill map review processes for their provision to foreign entities before submitting the data export security assessment. 

** Deduplicated data based on number of natural persons. 

Exemptions

Companies that fall below the thresholds listed above – that is, any entity, excluding CIIOs, that has exported the PI of fewer than 100,000 people since January 1 of the current year – are not required to undergo any additional compliance procedures to be able to export the data outside of China.

In addition to this, there are a range of other scenarios under which companies can freely export data, introduced as a means of reducing the compliance burden on companies. These are: 

  • Where vehicle data collected and generated overseas is transferred to China for processing and then reexported overseas, without introducing any personal or important data from within China during the processing;
  • Where it is necessary to provide PI overseas in order to enter into and perform contracts in which an individual is a party, such as cross-border vehicle purchases, delivery, payments, and account registration;
  • Where it is necessary to provide employees’ PI overseas in the course of implementing cross-border HR management in accordance with legally established labor regulations and collectively agreed contracts;
  • Emergency situations in which it is necessary to provide PI overseas for the safety of natural persons’ lives, health, and property;
  • Entities registered in free trade zones that meet the relevant requirements of the FTZ that export data not included in the relevant negative lists;
  • Due to the need to patch security vulnerabilities, the entity has reported the security vulnerability data to the Ministry of Industry and Information Technology (MIIT) in accordance with the relevant requirements of the Regulations on the Management of Security Vulnerabilities of Network Products;
  • Where, for the purpose of handling security incidents, entities have reported data on the security incident pertaining to automotive products, vehicle-to-everything platforms, and related systems to the MIIT and relevant industry regulatory authorities in accordance with industry cybersecurity and data security incident emergency response plans; and
  • Source code corresponding to OTA software update packages that the automotive data processor has filed with the State Administration for Market Regulation (SAMR) in accordance with the Regulations on the Management of Defective Auto Product Recalls, where such filing is necessary for eliminating defects in automotive products or implementing recalls.

Cybersecurity incidents should be handled in accordance with the Emergency Response Plan for Public Internet Cybersecurity Incidents, while data security incidents are handled in accordance with the Emergency Response Plan for Data Security Incidents in the Industrial and Information Technology Sector (Trial). 

Note that all PI mentioned above does not include important data.

Determining important data 

The guide provides an extensive breakdown of the scenarios under which different types of data in the auto industry can be designated as “important”, as well as description of the rules   

Importantly, this is not a catalog of “important data” within the auto industry; rather, it is a catalog of the scenarios and rules for determining whether any given data is considered “important”. The scenarios include situations in which the data is related to goods and technologies that are subject to export control regulations, as well as data that could touch on sensitive geographic areas such as military or government facilities. 

The catalog is broken down into six different fields across the auto value chain:  

  1. R&D and design
  2. Production and manufacturing
  3. Driving automation
  4. Software upgrade services
  5. Network operations
  6. Other scenarios 

Below is a sample of the tables provided for determining whether automotive data is considered important. 

Field: Production R&D (Entities collecting and generating bills of materials, R&D design documents, and development source code data during the process of integrating global R&D resources and collaborative product design and development.)
Data type: Design Bill of Materials (BOM): List of raw materials, components or assemblies required during the design phase, including material specifications, quantities, hierarchical relationships, etc.; formulation schemes, chemical formulas, and material quantities for key materials such as positive and negative electrode active materials, electrolyte, separator, and binder in power batteries.
Applicable rules: Relevant data that meet any of the following conditions:

  1. Are supported by national major projects or national key research and development programs;
  2. Fulfil the relevant technical “key control points” in the Catalog of Technologies Prohibited and Restricted from Export in China; or
  3. Involve items included in the Export Control List of Dual-Use Items of the People’s Republic of China.

Field: Manufacturing (Entities collecting and generating bills of materials and production control program source code during the automotive manufacturing process.)
Data type: BOM for automotive products, parts, or components; R&D technical solutions for power batteries, including process parameters and process window ranges for core processes such as electrode preparation, assembly, electrolyte injection, formation, and capacity testing.

Field: Automotive driving (Entities collecting and generating algorithmic, training, and feature data during the development, deployment, and application of combined driver assistance or autonomous driving functions)
Data type: Driver decision datasets used to train and validate combined driver assistance or autonomous driving algorithm models, including gear position information, accelerator pedal opening, brake pedal opening, steering wheel angle, etc.
Applicable rules: When integrated with external real-time imagery and radar data, data that meets any one of the following criteria:

  1. Involves, or could lead to the inference through aggregation and analysis of, sensitive areas such as military management zones, defense science and technology units, and Party or government units at the county level or above;
  2. Data that, through aggregation and analysis, can be used to deduce classified or sensitive geographic information;
  3. Data reflecting economic activity at the prefectural level or above, such as road traffic volume, pedestrian flow, or logistics data, where the cumulative time period is greater than or equal to 30 days;
  4. Etc.

Field: Software upgrade services (Source code for a software package that allows entities to upgrade vehicle safety and battery management functions)
Data type: Source code corresponding to the software package for upgrading safe driving and battery management functions
Applicable rules: Data that meet all of the following conditions:

  1. Involves the upgrading of vehicles operating within China;
  2. Involves remote control functions of vehicles, excluding control functions implemented through near-field communication; and
  3. Involves vehicle start-up and driving, power loss, emergency braking, cruise control, lane keeping, charge and discharge control, and battery temperature control functions.

Field: Network operations (Entities collecting and generating the following during the operation of connected vehicles: Vehicle identification numbers, telematics card identifiers, vehicle keys, vehicle digital certificates, and control commands)
Data type: Original Vehicle Identification Number (VIN), de-identified and reversible VIN
Applicable rules: Data that meet the following criteria: Entities that, since January 1 of the current year, have provided information to overseas entities that, when combined with other exported data, can identify the personal identities of a cumulative total of 1 million people or more.

Process for data export 

The process for auto companies to export data from China is the same as for companies in other industries. 

Before beginning the process, companies should compile an important data catalog and file it with the local industry regulatory authority as required in the Measures for Data Security Management in the Industrial and Information Technology Sector (Trial). The catalog can be compiled in line with the guidelines on classifying important data provided in these measures, as well as the official standards [GB/T 43697-2024] titled Rules for data classification and grading.

Step 1: Data identification 

On the basis of the important data catalog, companies must identify which of the data they handle requires the stricter compliance procedure of an export security assessment, and which will require the company to sign a standard contract or undergo PI export certification. Only after completing this can they proceed to steps 2 or 3.

Step 2: Carrying out a data export security assessment (if applicable) 

For any data identified that requires a security assessment, the company must conduct and submit the assessment through their domestic legal entity. The requirements for conducting the assessment are outlined in the Measures for Data Export Security Assessment. 

Companies must also conduct a self-assessment of data export risks and address any risks identified, in accordance with the Measures for Data Export Security Assessment, the Regulations on Promoting and Standardizing Cross-border Data Flows, and the Guidelines for Data Export Security Assessment Application (Third Edition), and submit the materials to the CAC.  

If the data export security assessment is passed, the company may then proceed to carry out the data export activities. However, if any situation arises that could affect the security of the exported data, a new assessment must be submitted. 

Step 3: Signing a standard contract or undergoing data export security certification (if applicable)

For data that falls below the threshold for a full security assessment but is still not exempt from compliance procedures, companies can choose to either sign a standard contract or undergo third-party export security certification. 

Standard contract route

To sign a standard contract, companies must first carry out a personal information protection impact assessment (PIPIA) in line with the Measures for Standard Contracts for Cross-border Transfer of Personal Information (the Standard Contract Measures) and the Guidelines for Filing Standard Contracts for Cross-border Transfer of Personal Information (Second Edition). The company can then sign a standard contract for the cross-border transfer of PI with the overseas recipient of the data, which must align with the contents of the official template provided with the Standard Contract Measures.

Companies can only commence the data export activity after the standard contract takes effect. Within 10 days of the contract taking effect, the company must also file requisite materials with the local provincial-level cybersecurity office, which include the standard contract, the PIPIA, and documents relating to the company and its legal representatives. 

If all the materials meet the requirements, the company will receive a filing number. However, if circumstances are found within the materials that could affect the rights of PI holders, the company must conduct a new PIPIA and sign a new standard contract, and file them again.  

Data export security certification route 

If the company chooses to undergo third-party data export security certification, it must first conduct a PIPIA and address risks that arise in accordance with the Measures for Certification of Cross-border Transfer of Personal Information. The company can then apply for certification from a qualified professional certification body, with which they must cooperate throughout the certification process. Only after passing certification can the company begin to export the data in question. If the export activity at any point ceases to meet the certification requirements, the company will have to conduct a new PIPIA and apply for certification again.  

Note that certification must be conducted by professional institutions that have obtained official qualifications for PI protection certification. Currently, only three institutions have been approved to carry out data export certification: China Cybersecurity Review, Authentication and Market Supervision Big Data Center, Cyberspace Administration of China (CAC) Data and Technology Support Center, and Beijing CESI Certification Co., Ltd. 

Security protection requirements for data export 

In addition to the specific compliance procedures for the export of vehicle data and related PI, auto companies must also meet a series of additional administrative, system, technical, and procedural requirements to ensure the security of the data throughout the export process. 

Management requirements 

Management and personnel 

Auto companies are required to set up a vehicle data export management department to coordinate and promote data export security management and supervise and inspect the implementation of relevant management requirements for data export. They must also designate a person in charge of vehicle data export security to supervise data export activities and the protective measures taken, and be responsible for the security of data export activities.  

System and approval 

Companies must designate system requirements for cybersecurity, data security, and PI protection, and set out specific requirements for vehicle data export security management.

They must also establish an internal registration and approval mechanism for vehicle data export, set approval authority and processes, and organize and archive approval materials.  

Technical requirements

Security for cross-border data transfer 

Companies must implement the following protective measures: 

  1. Employ verification techniques, cryptographic technologies, secure transmission channels, or secure transmission protocols to ensure the confidentiality and integrity of automotive data during cross-border transmission.
  2. Ensure that systems involved in cross-border automotive data transfer have the capability to authenticate the identity of overseas data recipients, ensuring the veracity of their credentials.

Cross-border data security monitoring and inspection 

Companies must conduct security monitoring of network communications, host or system operations during cross-border data transfer, generating and retaining security alert logs.

Additionally, platforms or systems supporting direct cross-border transfer of automotive data must have the technical capabilities for cross-border data security inspection, retaining network traffic associated with data transmission while supporting data tamper-proofing and content parsing. 

For full retention, outbound network communication traffic records shall be retained based on start and end time for a period of one week. For sampled retention, the system shall support retaining outbound network communication traffic records based on start and end time and IP address range, with a retention period of no less than one month. 

Log requirements

Network traffic logs 

Companies must record network communication activities involving the cross-border transfer of automotive data. Records shall include at minimum: date, time, source IP address, destination IP address, source port, destination port, transport layer protocol, application layer protocol, and data volume. These must be compiled into network traffic logs for retention. 

Operational activity logs

Automotive data processors must record operational activities of hosts directly transmitting automotive data overseas. This should include user information, operation time, operation target, operation type, login IP, device information, operation outcome, and changes to data access permissions. Operational activity logs shall be generated and retained. 

Log retention

Companies must retain network traffic logs, operational behavior logs, and security alert logs in a tamper-proof manner for a period of no less than three years. 

Log auditing

Companies must audit network traffic logs, operational activity logs, and security alert logs. Upon detecting security risks such as unauthorized operations, they must respond and address the issue promptly. 
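One way to check the minimum network traffic log fields and make retained logs tamper-evident, as an added example that is not code from the guidelines or from this article. The guidelines name the fields and require tamper-proof retention but do not prescribe a mechanism; the HMAC chaining, the key names, the placeholder key, and the sample records below are assumptions of this example.

```python
import hashlib
import hmac
import json

# Minimum network traffic log fields listed in the guidelines.
# The key names are this example's own; the guidelines name fields, not a schema.
REQUIRED_FIELDS = (
    "date", "time", "src_ip", "dst_ip", "src_port", "dst_port",
    "transport_protocol", "application_protocol", "data_volume_bytes",
)
GENESIS = b"\x00" * 32  # chain value before the first entry


def missing_fields(record):
    """Return the required fields that are absent or empty in a record."""
    return [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]


def _mac(key, prev_mac, seq, record):
    # Canonical JSON (sorted keys, fixed separators) so a record always
    # serializes to the same bytes before it is authenticated.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac + seq.to_bytes(8, "big") + body,
                    hashlib.sha256).digest()


def append_entry(chain, record, key):
    """Append a record to the chain; reject it if a required field is missing."""
    gaps = missing_fields(record)
    if gaps:
        raise ValueError(f"record missing required fields: {gaps}")
    prev = bytes.fromhex(chain[-1]["mac"]) if chain else GENESIS
    seq = len(chain)
    mac = _mac(key, prev, seq, record).hex()
    chain.append({"seq": seq, "record": dict(record), "mac": mac})
    return mac  # newest MAC: store it outside the log store as an anchor


def verify_chain(chain, key, anchor_mac=None):
    """Return None if the chain is intact, else the seq of the first failure.

    anchor_mac is the newest MAC recorded outside the log store. Without it,
    deleting entries from the tail goes unnoticed; with it, a truncated or
    extended chain returns len(chain).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _mac(key, prev, i, entry["record"])
        if entry["seq"] != i or not hmac.compare_digest(expected.hex(), entry["mac"]):
            return i
        prev = expected
    if anchor_mac is not None and not hmac.compare_digest(prev.hex(), anchor_mac):
        return len(chain)
    return None


# Constructed sample records using documentation IP ranges, not real traffic.
SAMPLE = [
    {"date": "2026-03-01", "time": "08:15:02", "src_ip": "192.0.2.10",
     "dst_ip": "198.51.100.7", "src_port": 50122, "dst_port": 443,
     "transport_protocol": "TCP", "application_protocol": "HTTPS",
     "data_volume_bytes": 1048576},
    {"date": "2026-03-01", "time": "08:16:40", "src_ip": "192.0.2.11",
     "dst_ip": "198.51.100.7", "src_port": 50990, "dst_port": 8883,
     "transport_protocol": "TCP", "application_protocol": "MQTT",
     "data_volume_bytes": 20480},
    {"date": "2026-03-01", "time": "09:02:13", "src_ip": "192.0.2.10",
     "dst_ip": "203.0.113.25", "src_port": 51877, "dst_port": 443,
     "transport_protocol": "TCP", "application_protocol": "HTTPS",
     "data_volume_bytes": 734003},
]

if __name__ == "__main__":
    key = b"placeholder-key-kept-outside-the-log-store"  # assumption: managed elsewhere
    chain, anchor = [], None
    for rec in SAMPLE:
        anchor = append_entry(chain, rec, key)
    print("intact:", verify_chain(chain, key, anchor))
    chain[1]["record"]["data_volume_bytes"] = 1  # simulate an edit after the fact
    print("first failing seq:", verify_chain(chain, key, anchor))
```

The chain gives tamper evidence only as long as the HMAC key and the anchor are held somewhere the log store's operators cannot write to.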

Emergency response requirements 

Companies must establish capabilities to address unauthorized cross-border transfers of automotive data. Upon detecting abnormal behavior, they must take remedial action and report the incident to the relevant local industry regulatory authorities as required. 

See also the regulations on cybersecurity incident reporting for companies in China. 

Consideration for foreign auto companies 

Given the broad scope of data and processing activity that falls within China’s cross-border data transfer rules, any foreign car maker or designer with operations in the country will have to undergo the often cumbersome compliance procedures for data export. Moreover, within this industry there is a high likelihood that data will fall under the “important” category and thus trigger the highest level of security procedures, the data export security assessment. Companies employing automotive R&D systems, software services, and self-driving platforms should assess the data classification rules carefully as they are highly likely to be handling important data due to the nature of their operations, but any company within the industry could find themselves in this position.

Due to the multiple steps involved – from data identification to internal data impact assessments to security evaluations – the process can become rather burdensome and costly, in particular for large companies with operations across a wide array of fields and subsidiaries. Companies should therefore get the ball rolling early and consider employing external help to ensure procedures are executed smoothly. 

While the information provided in the guidelines is not strictly new, they send a signal to companies that the automotive industry is a priority sector and may be closely monitored for violations, further highlighting the importance of compliance for companies. 

For this reason, automotive is likely only the first of several critical sectors that will be given the guideline treatment. Further draft regulations and guidelines are expected to be released over the course of 2026, so companies in other industries should anticipate rising compliance expectations and take steps to embed compliance procedures into operations to comply with existing regulations on data security and PI protection. 

About Us

China Briefing is one of five regional Asia Briefing publications. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong in China. Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in Vietnam, Indonesia, Singapore, India, Malaysia, Mongolia, Dubai (UAE), Japan, South Korea, Nepal, The Philippines, Sri Lanka, Thailand, Italy, Germany, Bangladesh, Australia, United States, and United Kingdom and Ireland.
