August 2025

A Brief Analysis of the New Regulations on the Export Supervision of Automotive Data (Mainland China)

As China's intelligent connected vehicles continue to expand their global market share, the compliance pressure on cross-border data flows has increased sharply. On June 13, 2025, the Ministry of Industry and Information Technology and seven other departments jointly issued the "Guidelines for Security of Automotive Data Export (2025 Edition) (Draft for Comments)" (hereinafter referred to as the "Guidelines"). The issuance of this document marks a new stage of refined governance in China's regulation of cross-border automotive data flows, providing a clear compliance framework for the rapidly developing intelligent connected vehicle industry.

From a legal perspective, the Guidelines are an administrative normative document. Their main function is to support the specific requirements for important data protection and data export in higher-level laws such as the Cyber Security Law of the People's Republic of China, the Data Security Law of the People's Republic of China, and the Personal Information Protection Law of the People's Republic of China, providing practical rules for the automotive industry. The scope of application of the Guidelines is significantly broader than that of the currently implemented "Several Provisions on Automotive Data Security Management (Trial)". In terms of regulated subjects, in addition to traditional automobile manufacturers, component suppliers, dealers, and maintenance institutions, "telecommunications operators, autonomous driving service providers, and platform operators" have for the first time been explicitly included in the regulatory scope. It should be noted that the core criterion for determining whether an entity is covered is whether the type of data it processes is automotive data, rather than a mechanical judgment based on form.

In addition, in terms of which activities are covered, the Guidelines clarify that three types of behavior constitute data export: (1) transferring automotive data collected and generated during domestic operations overseas; (2) storing data domestically while allowing overseas institutions, organizations, or individuals to query, retrieve, download, and export it; (3) processing personal information of domestic natural persons overseas. This definition continues the consistent approach of China's data export management. The key contents of the Guidelines are summarized below for reference by relevant enterprises.

I. Clarify compliance pathways and innovate exemption mechanisms

The Guidelines have established a clear hierarchical framework for data export compliance, setting differentiated compliance obligations based on different data types and risk levels, forming a three-level management system with "security assessment as the bottom line, standard contracts/certifications as the central axis, and exemption scenarios as exceptions".

A. Situations requiring mandatory security assessment

According to the Guidelines, automotive data processors must apply for a data export security assessment in the following four situations: (1) providing important data overseas; (2) cumulatively providing personal information (excluding sensitive personal information) of not less than 1 million persons overseas since January 1 of the current year; (3) providing sensitive personal information of not less than 10,000 persons overseas since January 1 of the current year; (4) key information infrastructure operators providing personal information overseas. It is worth noting that the Guidelines will align the quantitative standards for personal information export with the "Regulations on Promoting and Regulating Cross-border Data Flow" (hereinafter referred to as the "322 Regulations"), and will abolish the controversial provision in the previous "Several Regulations on Automotive Data Security Management (Trial)" that "personal information of 100,000 persons constitutes important data", resolving a compliance dilemma the industry has faced for a long time. This adjustment significantly reduces the compliance cost of exporting non-essential personal information, reflecting the trend toward precise and scientific supervision.

B. Standard Contract and Certification Path

For exports of personal information that do not involve important data, the Guidelines set up flexible compliance paths. Automotive data processors who meet one of the following conditions may choose to enter into standard contracts or obtain personal information protection certification: (1) since January 1 of the current year, they have provided personal information (excluding sensitive personal information) of not less than 100,000 persons but less than 1 million persons to overseas parties; (2) since January 1 of the current year, they have provided sensitive personal information of less than 10,000 persons to overseas parties. This path design continues the basic framework of the 322 Regulations, but specifically clarifies that scenarios such as "cross-border car purchasing, cross-border delivery, and cross-border account registration" belong to situations where "it is necessary to provide personal information to overseas parties for the purpose of entering into and fulfilling contracts with individuals as one party", providing clear guidance for enterprises' high-frequency business activities.

C. Innovative exemption mechanism

The biggest institutional innovation of the Guidelines lies in the systematic integration and expansion of exemption scenarios, forming nine categories of situations that are exempt from data export security assessment, standard contracts, or certification. Among them, six categories are roughly consistent with the 322 Regulations, and the last three categories (items 7-9) are special exemption scenarios for the automotive industry added by the Guidelines. These exemptions are based on prior administrative procedures (reporting or filing), avoiding duplicate supervision and reducing compliance costs for enterprises.

II. Innovation in Scenario-based Identification of Important Data

The most significant breakthrough of the Guidelines lies in using business scenario classification to reconstruct the system for identifying important automotive data, transforming abstract legal concepts into actionable rules in specific industry scenarios. The classification covers six major areas: research and development design, production and manufacturing, driving automation, software upgrade services, networked operation, and other situations. Take R&D design scenarios as an example. Traditionally, R&D data has often been overlooked because it does not directly involve end users. From the perspective of national security and technological protection, the Guidelines include the following data in the important data category: (1) product R&D data: material lists, R&D design documents, and product technology development source code related to major national projects and key R&D plans; (2) product testing data: annotated scenario data and simulated scenario data collected during actual road testing (especially content containing sensitive geographical information). This rule directly affects the global collaborative R&D model of car companies, requiring them to conduct strict screening and risk assessment when transmitting R&D data across borders. For example, when the Chinese R&D center of a multinational automobile enterprise transmits a test video of a certain autonomous vehicle model to headquarters, if the video contains the road environment surrounding a military management area, then even if it has been blurred, it is still necessary to assess whether it meets the important data standards under the Guidelines.

III. Full-process compliance obligation system

The Guidelines go beyond simple data classification requirements and establish a compliance obligation system covering the entire data export process, emphasizing a dual-track governance approach of "technology & management".

Enterprises need to establish a top-down compliance management framework: designate a person in charge of data export security who supervises and takes responsibility for data export activities and protection measures; establish a specialized management department to coordinate data export compliance work; and establish an internal registration and approval mechanism, set approval permissions and processes, and archive approval materials for future reference. It is worth noting that the Guidelines encourage a group declaration mode: if multiple domestic subsidiaries belong to the same group company and have similar data export business scenarios, the group company can act as the reporting entity and file a consolidated declaration. This rule significantly reduces the compliance costs of multinational car companies and avoids the cumbersome procedure of multiple declarations.

At the level of protection technology, the Guidelines intend to require automotive data processors to use verification technology, cryptographic technology, and secure transmission channels or protocols to ensure the confidentiality and integrity of data during the export process, and to monitor outbound data transmissions in real time, generating and retaining security logs. Systems involved in the export of automotive data need to be able to authenticate the identity of overseas recipients to ensure their authenticity. The Guidelines establish strict log management standards and build a traceable system for data export. These requirements create substantial retrofit needs for enterprise IT systems; in particular, the dual-track design of "full retention" and "sampling retention" balances regulatory efficiency against the burden on enterprises.

In addition, the Guidelines require enterprises to establish an emergency response mechanism for illegal export of automotive data, promptly handle any abnormal behavior discovered, and report to industry regulatory authorities in accordance with regulations. This requirement also connects with existing regulations such as the "Regulations on the Management of Network Product Security Vulnerabilities" and the "Emergency Plan for Network Security Incidents".

Undoubtedly, the implementation of the Guidelines will have a profound impact on the global layout of China's automotive industry. It is recommended that relevant enterprises carefully study the content of the Guidelines, break with traditional compliance thinking, shift from "passive response" to "active governance", and integrate data export compliance requirements into the entire chain of product design, research and development testing, production and manufacturing, and global services.

The contents of all newsletters of Shanghai Lee, Tsai & Partners (Content) available on the webpage belong to and remain with Shanghai Lee, Tsai & Partners. All rights are reserved by Shanghai Lee, Tsai & Partners, and the Content may not be reproduced, downloaded, disseminated, published, or transferred in any form or by any means, except with the prior permission of Shanghai Lee, Tsai & Partners.

The Content is for informational purposes only and is not offered as legal or professional advice on any particular issue or case. The Content may not reflect the most current legal and regulatory developments. Shanghai Lee, Tsai & Partners and the editors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The contributing authors' opinions do not represent the position of Shanghai Lee, Tsai & Partners. If the reader has any suggestions or questions, please do not hesitate to contact Shanghai Lee, Tsai & Partners.