
China Releases Draft Security Guidelines for Outbound Transfer of Auto Data

Published 27 June 2025 Xia Yu
On 13 June 2025, the Ministry of Industry and Information Technology of China (“MIIT”) published the draft Security Guidelines for Outbound Transfer of Automobile Data 2025 (“Draft Guidelines”), jointly formulated by the MIIT and seven other ministries, and solicited opinions from the public until 13 July 2025. The Draft Guidelines provide compliance guidance for cross-border data flows in the automotive industry, and are formulated based on the Cybersecurity Law of China, the Data Security Law of China, the Personal Information Protection Law of China and the Regulation on Network Data Security Management. The “2025” in the name of the Draft Guidelines indicates that they will be implemented soon, within this year, and will be subject to dynamic adjustments.
The Draft Guidelines are divided into four parts: general principles, outbound transfer of important data, implementation process of outbound data transfer, and security protection requirements for outbound transfer of automobile data, including management requirements, protection technology requirements, log requirements, and emergency response requirements.
The general principles stipulate the scope of application of the Draft Guidelines and classify the paths of outbound data transfer. The Draft Guidelines apply to the outbound transfer of automobile data conducted by automobile data processors, including automobile manufacturers, parts and software suppliers, telecommunications operators, autonomous driving service providers, platform operators, dealers, maintenance agencies, and travel service companies. Automobile data refers to personal information and important data in automobile design, production, sales, use, operation, and maintenance. The Draft Guidelines only regulate the following types of outbound data transfer:
1. The automobile data processor transfers the automobile data collected and generated in domestic operations to foreign countries.
2. The automobile data collected and generated by automobile data processors and stored in China are queried, retrieved, downloaded, and exported by overseas institutions, organizations, or individuals.
3. Other data processing activities, including processing personal information of domestic natural persons abroad for providing products or services to domestic natural persons, or analyzing and evaluating the behavior of domestic natural persons.
The Draft Guidelines divide the paths of outbound data transfer into three categories. The first category is outbound data transfers that require a security assessment, covering five situations, such as providing important data abroad, providing personal information of 1 million or more people or sensitive personal information of more than 10,000 people abroad in a year, or providing personal information abroad by operators of critical information infrastructure. The second category is outbound data transfers that can be implemented by signing a standard contract for outbound transfer of personal information with the overseas recipient or by obtaining personal information protection certification, covering two situations, namely, providing personal information of more than 100,000 but less than 1 million people or providing sensitive personal information of less than 10,000 people overseas in a year. The third category is outbound data transfers that are exempt from the above security assessment, standard contract and personal information protection certification requirements, covering nine situations, including cross-border contract performance; emergency protection of life and property safety; reported security vulnerability data; and the provision of data outside the negative list to overseas recipients by automobile data processors registered in a free trade pilot zone, in accordance with the relevant requirements of that zone.
The third part of the Draft Guidelines, namely the implementation process of outbound data transfer, gives guidance on how to conduct data identification, path determination and security assessments for outbound data transfer, conclude standard contracts, and pass personal information protection certification.
Outbound transfer of important data is the core part of the Draft Guidelines. Important data refers to the designated types of data in six business scenarios, such as R&D design, manufacturing, driving automation, software upgrade services, and network operation, provided by automobile data processors to overseas customers. For each business scenario, the Draft Guidelines list the specific data types, and the data items under each data type, for which a security assessment must be applied for, and give corresponding judgment rules for each data type or data item. The specific data types include product development and product testing in R&D design scenarios; bill of materials and production control program source code in manufacturing scenarios; driving automation algorithms, driving automation algorithm training data and driving automation algorithm feature data in driving automation scenarios; software upgrade data in software upgrade service scenarios; vehicle data, vehicle-road perception data and vehicle-road analysis data in networking operation scenarios; and network planning data and charging operation data in vehicle networking platform operation scenarios.
The judgment rules vary and include: data included in national major projects and national key R&D plans; data involving or capable of inferring confidential or sensitive geographic information such as military, national defense and government agencies; data involving regional economic operations or social public security administrative law enforcement; data about the network and data security of the Internet of Vehicles and the results of driving automation functions; data that may have an impact on national scientific and technological security or industry competitiveness; product test data with a minimum side length of 32 pixels or more for the real face boundary box or a minimum side length of 16 pixels or more for the real license plate boundary box outside the vehicle; data collected from original images or original videos over 50 million kilometers or 2,000 hours in real environments; data collected from more than 100,000 vehicles operating in the country; vehicle identification codes and vehicle network card identification codes that can identify the personal identities of more than 1 million people in total; vehicle keys and vehicle digital certificates used during the safe start, diagnosis, update, and communication processes of more than 100,000 vehicles operating in the country; control instructions for vehicles operating in the country; and charging consumption data of more than 1 million people in total provided overseas in a year.
In conclusion, the Draft Guidelines firstly clarify the rules for determining important data in the automotive industry, provide a compliance framework for outbound automobile data transfers, and help domestic and foreign companies expand into the international market.