On February 3, 2026, the Ministry of Industry and Information Technology (MIIT), joined with 7 other national ministries of China, issued the Guidelines on the Security of Cross-border Transfer of Automotive Data (2026 version) (hereinafter referred to as “the Guidelines”) to the public, with the purpose of:

·   Support the implementation of national laws and regulations, mainly include Data Security Law of China, Cybersecurity Law of China (2025 Amendment), Personal Information Protection Law of China, Regulation on Network Data Security Management.

·   Refine the management methods for cross-border activities of automotive data, the rules for determining important data, and the requirements for security protection.

·   Promote the efficient, convenient and secure cross-border flow of automotive data.

The Guidelines consist of 4 chapters, with key contents summarized as below:

-          General provisions

This chapter clarifies the scope of application of the guidelines, and specifies the conditions under which the three types of cross-border data transfer management measures: apply for a security assessment, conclude a standard contract for the cross-border transfer of personal information, or obtain certification for the cross-border transfer of personal information. It also lists nine categories of circumstances that are exempt from these three measures, specifically are:

·   Data collected and generated overseas, and processed within China without introducing domestic personal information and important data;

·   Where it is necessary to provide personal information overseas for the conclusion or performance of a contract to which an individual is a party, such as cross-border car purchase, cross-border delivery, cross-border payment, cross-border account registration, etc.;

·   Where it is necessary to provide employee personal information overseas for the implementation of cross-border human resources management in accordance with internal policies and contracts;

·   Where it is necessary to provide personal information overseas in emergency situations to protect the life, health, or property of a natural person;

·   Where a non-critical information infrastructure operator provides personal information overseas to fewer than 100,000 individuals cumulatively from January 1 of the current year;

·   Data provided overseas by entities registered in a Pilot Free Trade Zone, in accordance with relevant requirements, where such data is not included in the negative list;

·   Security vulnerability data that has been reported to the Ministry of Industry and Information Technology in accordance with relevant requirements, for the purpose of patching security vulnerabilities;

·  Security incident data that has been reported to the competent authority in accordance with relevant industry emergency response plans, for the purpose of handling security incidents;

·   Source code corresponding to OTA upgrade software packages that has been filed with the State Administration for Market Regulation (SAMR) in accordance with relevant requirements, for the purpose of eliminating defects in automotive products or implementing recalls.

-          Determination of important data

This chapter provides detailed rules for identifying important data in typical business scenarios based the characteristics of the automotive industry, such as R&D and design, production and manufacturing, driving automation, software upgrades, and connected vehicle operations. The key determining elements are also matched to different scenarios in this Chapter and they include result, geographic information, public safety law enforcement, export control, system function, cumulative duration, scale accuracy, vehicle quantity, personal information etc. 

-          Procedures for cross-border data transfer

This chapter defines the complete workflow for carrying out cross-border data transfer activities, including: identifying and filing important data, determining which management measure applies to the specific activity, and then, based on that determination, carrying out a security assessment, concluding a standard contract, or obtaining certification. 

-          Security protection requirements for cross-border transfer of automotive data.

According to this chapter, automotive data processors shall establish comprehensive security protection capabilities for cross-border data transfer that cover pre‑event prevention, in‑event monitoring, and post‑event handling. This will be achieved by focusing on four key areas: management systems, technical protection, log management, and emergency response.

The draft of the Guidelines was issued in June of 2025, and the published 2026 version is a revision of the 2025 draft based on the comments collected back then. Foreign stakeholders are advised to note that:

- Important data related to security vulnerabilities, security incidents, and source codes of OTA upgrade software packages will be exempted from the security assessment for cross-border data transfer, as long as the corresponding manufacturer/enterprise ensure that: 1) the purpose for the transfer is confirmed to meet the need to fix security vulnerabilities, handle security incidents, or eliminate defects in automotive products and implement recalls; and ii) in accordance with relevant requirements, prior reports or filings are made by the enterprise/manufacturer to the Ministry of Industry and Information Technology, the State Administration for Market Regulation, and other regulatory departments.

- Consistent with the stipulations in the Guidelines of Security Assessment of Data Cross-border Transfer (third edition), when making a declaration, enterprises should provide specific characteristics of the important data and personal information they plan to transfer abroad, including the type of data, the industries involved, the scale and quantity, etc. The original data itself are not required to be submitted.

- Relevant competent authorities may adjust or revise the Guidelines from time to time along with the development of relevant technologies and sectors. So stakeholders are advised to observe the updates of this document.