On 3 February 2026, the Ministry of Industry and Information Technology (MIIT), the sectoral regulator of the automotive sector, and the Cyberspace Administration of China (CAC), the designated data regulator, together with six other government authorities, published the Guidance for the Secure Cross-Border Transfer of Automotive Data (2026 Edition). This new guidance focuses on the cross-border transfer of personal data by sector operators and the identification of important data in the sector.

Automotive data refers to personal data and important data involved in the design, production, sales, use, and operation of vehicles. Automotive data controllers are organizations or individuals that independently determine the purposes and means of processing automotive data, including automobile manufacturers, parts and software suppliers, telecommunications operators, autonomous driving service providers, platform operators, dealers, maintenance facilities, mobility service providers and other operators in the sector.

Cross-border transfer of personal data involved in automotive data:

The new guidance introduces a few new exemptions. Automotive data controllers will not be required to sign or file the China Standard Contractual Clauses for transferring personal data overseas (“China SCCs'”) or obtain approval from the CAC before transferring personal data involved in the following categories of automotive data outside of China. This applies regardless of the sensitivity or transfer volume of the personal data, provided it does not otherwise constitute important data.

  • Security vulnerability data, which the automotive data controller has already reported relevant to the MIIT in accordance with the requirements of the “Regulations on the Management of Security Vulnerabilities in Network Products”, as required for addressing security vulnerabilities;
  • Data on security incidents involving automotive products, connected vehicle platforms and related systems, which the automotive data controller has already reported to the MIIT and relevant sectoral regulators in accordance with the sectoral cybersecurity and data security incident emergency response plans, as required for handling security incidents; and
  • Source code corresponding to OTA upgrade software packages, which the automotive data controller has already filed with the State Administration for Market Regulation in accordance with the “Regulations on the Recall of Defective Automotive Products”, as required for eliminating product defects and implementing recalls.

Other than these new exemptions, the existing rules on cross-border transfer of personal data would still apply to automotive data controllers. Please refer to our article for such existing rules: CHINA: Cross Border Data Transfer Requirements – exemptions now available | Privacy Matters

Identification of important data:

With the Network Data Security Management Regulations coming into effect on 1 January 2025, the regulatory approach has gradually shifted from sector regulators proactively identifying important data and publishing catalogues, to data controllers self-identifying important data and filing identification results with sector regulators.

In line with this approach, the new guidance sets out specific standards and specifications for identifying important data involved in automotive data that is collected or generated in the following five contexts and nine sub-contexts:

  • R&D
    • product development: data collected or generated during the integration of global R&D resources and collaborative product design and development processes, such as bill of materials, R&D design documentation, and development source code data; and
    • product testing: data collected or generated during product simulation, track testing, and real-world road testing, such as annotated scenarios, simulated scenarios, and test scenario data;
  • Production manufacturing: bill of materials and production control program source code collected or generated during the manufacturing process of automotive products;
  • Automated driving: algorithms, training data, and feature data collected or generated during the development, deployment, and application of combined driving assistance or autonomous driving functions;
  • Software upgrade service: the source code corresponding to the software package that upgrades the vehicle’s safety driving and battery management functions.
  • Connected operation
  • Vehicle: vehicle identification codes, telematics card identifiers, vehicle keys, vehicle digital certificates, and control commands collected or generated during the operation of connected vehicles;
    • vehicle-road perception: data collected or generated during the networked operation of vehicles and roadside equipment, such as external real-world imagery, radar data, location trajectories, inertial navigation data, autonomous driving maps, and composition-related data;vehicle-road analysis: fusion computing data collected or generated during the process of conducting vehicle-road coordination analysis and constructing vehicle-road coordination systems; and
    • vehicle-to-everything/V2X platform operation: data collected or generated during the construction, operation, and maintenance of V2X platforms, such network planning, charging operation, and security assurance data.

Compared with the identification of important data under the Several Provisions on the Management of Automotive Data Security (Trial Implementation), which come into effect on 1 January 2025, the new guidance’s standards and specifications are more granular and detailed. It is worth noting, however, that “personal data of more than 100,000 data subjects” is no longer identified as important data per se under the new guidance.

Automotive data controllers must compile their own important data catalogues and submit them to the relevant authorities. However, the new guidance does not explain how this process will work in practice.

New requirements on cross-border data transfers

The new guidance sets out the technical and organizational measures that automotive data controllers must implement when transferring automotive data across borders. For example, controllers must designate specific departments and personnel responsible for handling data transfer matters. They must also set out designated policies and procedures for approving transfers internally. Detailed transfer logs must be retained for at least three years. There are also detailed requirements on the encryption measures must be implemented in transit, as well as requirements on retaining data-exiting network communication traffic samples.

This is the first time that automotive data controllers have received such clear guidance on identifying important data and handling cross-border data transfers. We anticipate that local authorities will start to enforce relevant requirements more rigorously. The time has come for automotive data controllers to take action to ensure compliance.