ARTICLE
18 June 2026

China’s 2026 Automotive Data Cross-Border Transfer Guidelines

GT
Greenberg Traurig, LLP

Contributor

Greenberg Traurig, LLP logo

Greenberg Traurig, LLP has more than 3,100 lawyers across 51 locations in the United States, Europe, the Middle East, Latin America, and Asia. The firm’s broad geographic and practice range enables the delivery of innovative and strategic legal services across borders and industries. Recognized as a 2025 BTI “Best of the Best Recommended Law Firm” by general counsel for trust and relationship management, Greenberg Traurig is consistently ranked among the top firms on the Am Law Global 100, NLJ 500, and Law360 400. Greenberg Traurig is also known for its philanthropic giving, culture, innovation, and pro bono work. Web: www.gtlaw.com.

Explore Firm Details
China’s new Automotive Data Cross-border Transfer Guidelines (2026 Edition) (Guidelines), jointly issued by eight Chinese ministries and effective July 1, 2026...
China Privacy
Sherry Xiaoxuan Ding,George Qi, and Philip Ruan

China’s new Automotive Data Cross-border Transfer Guidelines (2026 Edition) (Guidelines), jointly issued by eight Chinese ministries and effective July 1, 2026, are best understood as an effort to make automotive data transfers more operationally workable while tightening sector-specific expectations around what counts as important data. For foreign automakers, suppliers, software providers, mobility platforms, and multinational groups collaborating with China’s automotive sector, an important takeaway is that the Guidelines do not simply restate China’s general data export regime, but tailor it to core automotive business scenarios, define what activities count as cross-border transfers, add industry-relevant exemptions, and sharpen the analysis needed to determine when automotive data may trigger security assessment requirements.

Key Contents of Guidelines:

The Guidelines are most useful when read through four practical questions for industry participants: what counts as automotive data, what conduct constitutes a cross-border transfer, which transfers may now benefit from exemptions, and which categories of data remain likely to attract heightened scrutiny as important data.

1. Scope:

The Guidelines apply to automotive data processors and define “automotive data” broadly as personal information and important data generated across the vehicle lifecycle, including design, production, sales, use, and maintenance. This matters for a wide range of actors, not only OEMs, but also parts and software suppliers, telecom operators, autonomous driving service providers, platform operators, dealers, repair institutions, and mobility service companies carrying out the following cross-border data activities:

  • Automotive data collected or generated during operations in China and transmitted outside China.
  • Automotive data stored in China but made available to offshore entities or personnel through access, query, download, or export functions.
  • Other offshore data processing activities that fall within fall within Article 3 of the Personal Information Protection Law, including certain extraterritorial processing of personal information of individuals in China.

2. Automotive data processors have three compliance paths: data outbound security assessment, standard contract for personal information export, or personal information export certification.

3. Exemptions

The Guidelines identify nine exemption scenarios, several of which are notable because they aim to reduce friction for routine commercial operations and urgent technical collaboration. For foreign businesses, the most significant additions are the clearer low-volume personal information exemption and the sector-specific carve-outs for vulnerability remediation, incident response, and recall-related OTA source code filings. These nine exemptions include the following:

  • Cross-border contracts where an individual is a party (car purchase, delivery, payment, account registration).
  • HR management under labor rules/collective contracts for cross-border personnel management.
  • Emergencies for protecting the life, health, and property safety of natural persons.
  • Key component/software suppliers providing non-personal information for R&D, manufacturing, upgrades, or maintenance.
  • International standards, research, and certification activities.
  • Legally public automotive data.
  • Security vulnerability data reported to China’s Ministry of Industry and Information Technology (MIIT).
  • Security incident data reported to MIIT/regulators.
  • Non-personal information on product defects.

4. Important Data Determination

This is the part of the Guidelines that is likely to matter most in practice because it moves beyond high-level principles and gives sector-specific rules for identifying data that could still trigger a mandatory security assessment even where companies are trying to rely on more streamlined transfer mechanisms. The Guidelines approach important data identification through business scenarios, reflecting the view that sensitivity in the automotive sector often depends on how data is generated, used, and shared in particular operational contexts.

  • Business Scenarios: R&D, manufacturing, driving automation, software upgrades, and connected operations.
  • Detailed Rules: Examples include:
    • R&D: core technical parameters, key component designs, and whole-vehicle R&D data.
    • Manufacturing: process parameters, production line data, and quality control.
    • Driving automation: algorithms, high-precision maps, and driving behavior data.
    • Software upgrades:source code, upgrade packages, and logs.
    • Connected operations:platform data, remote control, and user behavior.

5. Data Outbound Process

For multinational automotive groups, this section helps translate the legal framework into an operational workflow: identify the data, determine whether it is important data or personal information, choose the correct transfer mechanism, and then document and control the transfer accordingly. When handling outbound data, automotive data processors should consider the following steps:

  • Identification and Filing:Establish mechanisms; classify/grade data; file important data.
  • Management Path:Decide compliance method based on type, scale, and sensitivity.
  • Implementation:Aligns with CAC’s third edition outbound assessment guidelines, which only require metadata (type, scale), not raw data.
  • Transmission Control: Strictly manage servers transmitting data abroad, with clear permissions and approvals.

6. Security Protection Requirements

Although framed as security measures, these requirements also signal regulator expectations around governance maturity, meaning companies that transfer automotive data cross-border should be prepared to show not only a lawful transfer path but also internal accountability, technical controls, and traceability. Automotive data processors may wish to consider the following:

  • Management System:Assign responsible department; establish rules and procedures.
  • Technical Safeguards:Use verification, encryption, secure channels/protocols; ensure authentication of foreign recipients.
  • Log Management:Keep detailed logs (time, type, scale, purpose, recipient) for no less than three years.
  • Emergency Response:Prepare contingency plans, conduct drills, report incidents promptly, and take remedial measures.

This article is part of GT’s Q1 2026 China Newsletter.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Sherry Xiaoxuan Ding
Sherry Xiaoxuan Ding
Photo of George Qi
George Qi
Photo of Philip Ruan
Philip Ruan
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More