Notice issued by the Ministry of Industry and Information Technology and seven other departments on the "Automobile Data Export Security Guidelines (2026 Edition)"

The Ministry of Industry and Information Technology and seven other departments issued a notice on the “Automobile Data Outbound Security Guidelines (2026 Edition).” The notice states that automobile data handlers should declare data outbound security assessments through domestic legal entities. If there is no domestic legal entity, the declaration should be made by a domestic branch. Multiple domestic subsidiaries that are part of the same group (parent company) and have similar data outbound business scenarios can be consolidated and declared by the group (parent company) as the declaring entity. Data that should undergo security assessment must not be split into smaller quantities or provided overseas through standard contracts or other means. Automobile data handlers should conduct self-assessments of outbound data risks and rectify any security issues in accordance with the “Data Outbound Security Assessment Measures,” “Regulations on Promoting and Standardizing Cross-Border Data Flows,” and the “Data Outbound Security Assessment Declaration Guide (Third Edition),” and submit the declaration materials to the Cyberspace Administration. Data handlers that pass the security assessment can carry out outbound data activities; if any situation arises that affects data security during outbound data transfer, a re-declaration and reassessment are required.