BYD and Chery are among nine companies whose 43 models have passed China’s latest automotive data security assessment, according to CLS. The voluntary evaluation confirms that these vehicles meet all five national data security requirements. The assessment covers anonymised exterior facial data, in‑vehicle cabin data processing, default non‑collection of cabin data, clear personal information notices, and defined data precision ranges. It reflects China’s ongoing regulatory efforts to manage connected vehicle technologies and safeguard personal and organisational data generated by automobiles.
The nine companies whose models passed all five criteria are BYD, Chery, Changan, SAIC Group, Beijing New Energy Automobile Company (NEV division of BAIC), GAC Aion, GAC Trumpchi, Changan Ford, and SGMW. Specific models are not involved in exterior facial data anonymisation; in such cases, compliance applies to the remaining four criteria. The report does not provide particular model names, production years, or sales volumes.
China’s automotive data security assessment is based on the 2021 Regulation on the Management of Automobile Data Security (Trial), which governs the collection, storage, use, and transfer of personal information and essential data generated throughout a vehicle’s lifecycle. The framework requires manufacturers and related service providers to process cabin data internally, anonymise sensitive data, and obtain explicit consent for the collection of personal information. Technical benchmarks for compliance are defined in the national standard GB/T 41871‑2022, which specifies detailed security requirements for the handling of motor vehicle data, including collection, transmission, and internal processing practices.
The five compliance requirements assessment defines how automotive data should be collected, processed, and protected. Anonymisation ensures that exterior camera data cannot reveal identifiable facial information without proper processing. In‑vehicle processing mandates that cabin data containing personal information is handled internally and not transmitted externally under normal conditions. Default non‑collection requires user opt‑in. Handling personal information requires explicit notification, and precision range rules define acceptable accuracy for data collection and system processing.
Follow us for ev updates