China Implements Guidelines for Automotive Data Export Security

As China's autonomous driving companies accelerate their international expansion, concerns regarding automotive data export have emerged. Recently, the Ministry of Industry and Information Technology and seven other departments released the "Automotive Data Export Security Guidelines (2025 Edition) (Draft for Public Consultation)" and invited public feedback. The guidelines specify various scenarios requiring declaration for data export security assessments, including automated driving situations. The guidelines further clarify the critical types of data and assessment criteria that must be declared for security evaluation. Industry insiders have identified three main categories of important data for autonomous driving companies: vehicle operational status data, road environment and personnel data, and in-vehicle personal privacy data. Besides adhering to policy standards, companies must establish data security management systems and implement comprehensive technical controls, such as creating risk warning systems for cross-border data flow to promptly identify and assess risks. According to the guidelines, automotive data processors—organizations engaged in automotive data processing activities, including manufacturers, suppliers, telecom operators, autonomous driving service providers, platform operators, dealers, repair agencies, and mobility service companies—are required to declare security assessments when providing important data to overseas entities or when cumulative exports exceed thresholds for personal information. Important data includes product development data within R&D scenarios, material lists and production control program source code from manufacturing scenarios, and algorithm and training data from automated driving scenarios. The guidelines also highlight significant risks associated with data security in smart connected vehicles, emphasizing the need for comprehensive governance to prevent data breaches, unauthorized access, and cyberattacks. As autonomous driving companies continue to expand overseas, enhanced regulations and technologies for data protection are imperative.