On 3 February 2026, the Ministry of Industry and Information Technology (MIIT), the sectoral regulator of the automotive sector, and the Cyberspace Administration of China (CAC), the designated data regulator, together with six other government authorities, published the Guidance for the Secure Cross-Border Transfer of Automotive Data (2026 Edition). This new guidance focuses on the cross-border transfer of personal data by sector operators and the identification of important data in the sector.
Automotive data refers to personal data and important data involved in the design, production, sales, use, and operation of vehicles. Automotive data controllers are organizations or individuals that independently determine the purposes and means of processing automotive data, including automobile manufacturers, parts and software suppliers, telecommunications operators, autonomous driving service providers, platform operators, dealers, maintenance facilities, mobility service providers and other operators in the sector.
Cross-border transfer of personal data involved in automotive data:
The new guidance introduces a few new exemptions. Automotive data controllers will not be required to sign or file the China Standard Contractual Clauses for transferring personal data overseas (“China SCCs’”) or obtain approval from the CAC before transferring personal data involved in the following categories of automotive data outside of China. This applies regardless of the sensitivity or transfer volume of the personal data, provided it does not otherwise constitute important data.
Other than these new exemptions, the existing rules on cross-border transfer of personal data would still apply to automotive data controllers. Please refer to our article for such existing rules: CHINA: Cross Border Data Transfer Requirements – exemptions now available | Privacy Matters
Identification of important data:
With the Network Data Security Management Regulations coming into effect on 1 January 2025, the regulatory approach has gradually shifted from sector regulators proactively identifying important data and publishing catalogues, to data controllers self-identifying important data and filing identification results with sector regulators.
In line with this approach, the new guidance sets out specific standards and specifications for identifying important data involved in automotive data that is collected or generated in the following five contexts and nine sub-contexts:
Compared with the identification of important data under the Several Provisions on the Management of Automotive Data Security (Trial Implementation), which come into effect on 1 January 2025, the new guidance’s standards and specifications are more granular and detailed. It is worth noting, however, that “personal data of more than 100,000 data subjects” is no longer identified as important data per se under the new guidance.
Automotive data controllers must compile their own important data catalogues and submit them to the relevant authorities. However, the new guidance does not explain how this process will work in practice.
New requirements on cross-border data transfers
The new guidance sets out the technical and organizational measures that automotive data controllers must implement when transferring automotive data across borders. For example, controllers must designate specific departments and personnel responsible for handling data transfer matters. They must also set out designated policies and procedures for approving transfers internally. Detailed transfer logs must be retained for at least three years. There are also detailed requirements on the encryption measures must be implemented in transit, as well as requirements on retaining data-exiting network communication traffic samples.
This is the first time that automotive data controllers have received such clear guidance on identifying important data and handling cross-border data transfers. We anticipate that local authorities will start to enforce relevant requirements more rigorously. The time has come for automotive data controllers to take action to ensure compliance.

[View source.]
See more »
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.
© DLA Piper
Refine your interests »
Please take our short survey – your perspective helps to shape how firms create relevant, useful content that addresses your needs:
Back to Top
Explore 2025 Readers’ Choice Awards
Copyright © JD Supra, LLC

source