工信部等八部门联合发布安全指引 规范三类汽车数据出境行为

Core Viewpoint The Ministry of Industry and Information Technology and eight other departments have issued the "Automotive Data Export Security Guidelines (2026 Edition)" to regulate the management of automotive data export activities, enhance data security protection, and provide specific rules for identifying important data and protection requirements. Group 1: Overview of the Guidelines - The guidelines aim to implement various laws and regulations, including the Data Security Law and the Personal Information Protection Law, to facilitate safe cross-border data flow while ensuring data security [2][4]. - The guidelines detail the management methods and applicable conditions for automotive data export activities, including nine exemption scenarios for data export [1][5]. Group 2: Data Export Management - Automotive data processors must declare a data export security assessment if they provide important data or exceed certain thresholds for personal information exports, such as providing data for over 1 million individuals [5][6]. - Exemptions from declaring data export security assessments include scenarios where data is collected and generated outside China and then processed domestically before being exported [7][8]. Group 3: Important Data Identification - The guidelines specify important data categories based on various business scenarios, including research and development, production, automated driving, software upgrades, and connected operations [11][19]. - Specific rules for identifying important data include criteria related to national key projects, export control lists, and sensitive information [12][13]. Group 4: Data Export Process - The data export process includes steps such as identifying important data, conducting security assessments, signing standard contracts for personal information export, and obtaining certification for personal information export [45][46]. - The guidelines emphasize the need for automotive data processors to establish pre-protection, monitoring, and post-disposal capabilities for data export security [1][5].