On April 28, the China Association of Automobile Manufacturers (中国汽车工业协会） released an official decision stating that Tesla has passed China’s data security test and cleared its data security risks, shortly after Musk met with Chinese Premier Li Qiang on the same day.

During the meeting, Premier Li Qiang lauded Tesla's operations in China as a prime example of successful China-U.S. economic and trade cooperation, and reaffirmed that China's vast market will always be open to foreign enterprises. “When China commits, it delivers”. On the same day, Premier Li visited the Beijing International Automotive Exhibition, during which he emphasized that China will further develop its unified national market and enhance its openness to the world, and domestic and foreign enterprises will be treated equally to encourage broader exchanges and cooperation among Chinese and foreign auto companies in capital, technology, management, and talent.

Subsequently, a Chinese media outlet reported that Tesla has announced that the “Chinese government has lifted the ban on Tesla vehicles” in sensitive areas. However, interestingly, the China Association of Automobile Manufacturers and the People’s Daily did not mention it.

According to media reports, Tesla vehicles have been banned from entering military facilities or staying in areas such as military compounds and districts since March 2021. Starting in May 2021, ministries and local governments also prohibited Tesla vehicles from entering, and subsequently, the scope of the ban appeared to expand to include hospitals, important research institutes, and other institutional entities. In July 2022, it was reported that China banned Tesla vehicles from entering Beidaihe or driving in the area.

Strengthening data security protection of connected vehicles has long been on the agenda of Chinese regulatory authorities, but they significantly accelerated this process after Tesla’s data security risk was disclosed. During 2021-2022, various ministries intensively issued regulatory rules:

On September 13, 2021, the Equipment Center of the Ministry of Industry and Information Technology (MIIT) issued a notice on conducting self-inspections for automobile data security and cybersecurity.

On September 15, 2021, MIIT released a notice on strengthening the cybersecurity and data security of the connected vehicle network.

On August 16, 2021, the Cyberspace Administration of China, the National Development and Reform Commission, MIIT, the Ministry of Public Security, and the Ministry of Transport jointly issued the "Several Provisions on Automobile Data Security Management (Trial)" (implemented starting October 1, 2021).

On February 25, 2022, MIIT issued the "Guide for the Construction of Network and Data Security Standard System for Connected Vehicle Network."

On June 23, 2022, the Shenzhen Municipal People's Congress passed the "Shenzhen Special Economic Zone Intelligent Connected Vehicle Management Regulations" (effective from August 1).

On August 30, 2022, the Ministry of Natural Resources issued a notice on promoting the development of connected vehicles and maintaining the security of surveying and mapping geographic information.

Tesla and Mush also made a series of public relations efforts to mitigate the pressure in China:

On March 21, 2021, Elon Musk spoke at the China Development Forum via video link. When asked about the pressure he feels as a tech entrepreneur in the current climate and what suggestions he has for the governments of both countries, Musk said that if Tesla were to engage in espionage in China or elsewhere, it would be completely immobilized.

On September 15, 2021, during the World New Energy Vehicle Congress, Musk emphasized that the security of vehicle data is particularly crucial with the rapid development of autonomous driving, and Tesla believes it is necessary to implement technological measures to alleviate public concerns.

On April 13, 2021, Tesla's Vice President Tao Lin, at a roundtable forum organized by the National Development and Reform Commission, said that data collected by Tesla in China will strictly adhere to Chinese laws and regulations on data management and will be stored locally.

On May 12, 2021, the Cyberspace Administration of China sought public comments on the "Several Provisions on Automobile Data Security Management (Draft for Comments)." Tesla responded via Weibo, stating: "We support and respond to further regulation of industry development, and we collectively contribute to technological innovation. We welcome everyone to actively make suggestions to the relevant departments to promote the healthy and orderly development of the automotive industry."

On May 20, 2021, the Secretariat of the China Cybersecurity Association, together with Tsinghua University's Internet Governance Research Center and the Fuxi Think Tank, held an expert seminar in Beijing on the "Several Provisions on Automobile Data Security Management (Draft for Comments)." Tesla's Vice President Tao Lin participated and spoke at the seminar.

On May 25, 2021, Tesla announced its firm support for the standardized development of the industry and its establishment of a data center in China to achieve localized data storage, with plans to add more local data centers progressively. All data generated by vehicles sold in mainland China will be stored domestically.

In May 2021, Tesla completed the construction of the Shanghai Gigafactory data center in the Lingang area of Shanghai and met all regulatory requirements for data center approvals. This data center stores all data for Chinese users, including production, sales, service, and charging data.

In 2022, Musk published an article titled "Believing in Technology to Create a Brighter Future" on the first issue of "China Cyber Affairs"（中国网信） magazine in 2022. This magazine is managed by the Cyberspace Administration of China and hosted by the China Cyberspace Research Institute, which is a subsidiary of the Cyberspace Administration.

Official Statement of China Association of Automobile Manufacturers： Notification on the Testing of Four Safety Requirements for Automobile Data Processing (First Batch)

To regulate automobile data processing activities, protect users' legitimate rights and interests, encourage leading automobile manufacturers to serve as benchmarks, and promote a society-wide commitment to automobile data security and the development of the automotive industry, the China Association of Automobile Manufacturers and the National Computer Network Emergency Response Technical Team/Coordination Center of China have conducted tests based on the "Several Provisions on Automobile Data Security Management (Trial)" and GB/T 41871-2022 "Information Security Technology—Safety Requirements for Automobile Data Processing" and other relevant regulations and standards. Following the principle of voluntary submission by enterprises, starting in November 2023, these tests assessed the compliance of newly marketed intelligent network-connected vehicles for the 2022-2023 period, focusing on four compliance requirements: anonymization of external facial data, default non-collection of cockpit data, in-vehicle processing of cockpit data, and conspicuous notification when processing personal information. Among the tested, 76 models from six companies, including BYD, Li Auto, Lotus, Hozon New Energy, Tesla, and NIO, met all four automobile data security compliance requirements. The specific list of automobile models is as follows:

April 28, 2024

Attachment: Testing Standards and Methods

Attachment: Testing Standards and Methods

This testing is based on the "Several Provisions on Automobile Data Security Management (Trial)" requirements, following GB/T 41871-2022 "Information Security Technology—Safety Requirements for Automobile Data Processing" and T/CAAMTB 77-2022 "Technical Requirements and Methods for Vehicle Transmission Video and Image Desensitization," and also referencing Appendix C of the "General Requirements for Automobile Data (Draft for Approval)." The testing is organized and implemented as follows:

1. Testing Subjects As of November 15, 2023, in accordance with the "Notice on Carrying Out Automobile Data Security Compliance Work" (CAAM Letter No. 【2023】243), automobile manufacturers voluntarily submitted their newly launched intelligent network-connected vehicles for the 2022-2023 period to the China Association of Automobile Manufacturers for testing.

2. Testing Standards The testing uses the same test requirements, testing environment, technical standards, and testing procedures, covering four areas: anonymization of external facial data, default non-collection of cockpit data, in-vehicle processing of cockpit data, and conspicuous notification when processing personal information. The specific standards are as follows:

a. Anonymization of External Facial Data Requirements - Data from outside the vehicle should not be provided before anonymization is completed. - The detection rate of anonymization for faces and vehicle plates in the video and image data processed by the vehicle should be at least 90%.

b. Default Non-Collection of Cockpit Data Requirements - Vehicles should be set by default not to collect cockpit data unless the driver independently sets otherwise. Collection can begin only after the driver actively selects it through physical buttons or touchscreen interfaces. - A convenient method to terminate the collection of cockpit data should be provided. - Consent for each item of sensitive personal information must be obtained separately. - The consent term for processing sensitive personal information should not be set to "always allow" or "permanent."

c. In-Vehicle Processing of Cockpit Data Requirements - Apart from functionalities such as voice recognition, remote viewing of the vehicle interior, cloud storage, or data transmission to regulatory or law enforcement agencies as required by regulations, the vehicle should not provide cockpit data externally.

d. Conspicuous Notification When Processing Personal Information Requirements - Those handling automobile data should inform individuals of the following via the user manual, in-vehicle display panels, voice, car-related applications, etc.: - Types of personal information being processed. - Specific scenarios of collecting each type of personal information and methods to stop collection. - Purposes, uses, and methods of processing each type of personal information. - Location and duration of personal information storage, or rules determining these. - Methods and approaches to access, copy, and delete personal information inside the vehicle and request deletion of information provided externally. - Contact information of a representative for user rights matters.

3. Testing Methods Testing methods vary based on the technical characteristics of the data processing functions of different vehicle models (distinguished by model year) under the same standards for the four compliance requirements:

• Anonymization of External Facial Information Testing Method: Technicians perform data sampling from the vehicle end, followed by anonymization effect analysis and data statistics.

• Default Non-Collection of Cockpit Data Testing Method: Compliance confirmation of various cockpit data collection functions is conducted inside the vehicle.

• In-Vehicle Processing of Cockpit Data Testing Method: Data related to vehicle external communication is captured and analyzed at the vehicle end.

• Conspicuous Notification of Personal Information Testing Method: Compliance confirmation of the "User Privacy Agreement" is conducted on the company's official website, in-car applications, or mobile communication terminal applications.

People’s Daily: Tesla meets the four compliance requirements for automobile data security and has established the Shanghai Data Center to do data localization.

On April 28, the China Association of Automobile Manufacturers released a notification on the testing of four safety requirements for automobile data processing.

The notification states that to regulate the activities of automobile data processing, protect users' legitimate rights and interests, encourage leading automobile manufacturers to set industry benchmarks, and promote a collaborative societal effort to maintain automobile data security and foster the development of the automotive industry, the China Association of Automobile Manufacturers and the National Computer Network Emergency Response Technical Team/Coordination Center of China have conducted tests based on the "Several Provisions on Automobile Data Security Management (Trial)" and GB/T 41871-2022 "Information Security Technology—Safety Requirements for Automobile Data Processing" and other relevant regulations and standards. Starting November 2023, these tests assessed compliance with data security in newly launched intelligent network-connected vehicles for the 2022-2023 period, covering four compliance requirements: anonymization of external facial data, default non-collection of cockpit data, in-vehicle processing of cockpit data, and conspicuous notification when processing personal information. Among the tested, 76 models from six companies including BYD, Li Auto, Lotus, Hozon New Energy, Tesla, and NIO met all four automobile data security compliance requirements.

Furthermore, it is understood that Tesla established the Tesla Shanghai Data Center in 2021 to achieve localized data storage. The company also introduced a third-party organization to audit its information security management system and successfully obtained the Security Management System Certification (ISO27001).

Yicai Magazine（第一财经杂志）： On Musk's first day in China, Tesla passed the national automobile data security compliance requirements! Restrictions on parking and driving have been progressively lifted across various regions.

On April 28, the China Association of Automobile Manufacturers officially released the "Notification on the Testing of Four Safety Requirements for Automobile Data Processing (First Batch)." The notification reported that 76 models from six companies—BYD, Li Auto, Lotus, Hozon New Energy (Neta Automobile), Tesla, and NIO—met the four compliance requirements for automobile data security.

Specifically, Tesla's domestically produced Model 3 and Model Y comply with the automobile data security regulations, making it the only foreign company to meet these compliance requirements. Tesla has announced that restrictions on the movement and parking of intelligent network-connected vehicles, including Tesla, have been progressively lifted across various regions.

To promote a collaborative societal effort to maintain automobile data security and foster the development of the automotive industry, the China Association of Automobile Manufacturers and the National Computer Network Emergency Response Technical Team/Coordination Center of China have organized tests based on regulatory standards. Starting in November 2023, these tests have assessed the compliance of newly marketed intelligent network-connected vehicles for the 2022-2023 period, focusing on four compliance requirements: anonymization of external facial data, default non-collection of cockpit data, in-vehicle processing of cockpit data, and conspicuous notification when processing personal information.

Additionally, Tesla has established the Tesla Shanghai Data Center in 2021 to achieve localized data storage. The company also introduced a third-party authoritative organization to audit its information security management system and successfully obtained the Security Management System Certification (ISO27001).