China: Requirements for submission of data security and personal information risk assessment reports under 2025 Internet of Vehicles action plan enter into force

Description

On 30 November 2025, enterprises covered by the 2025 Internet of Vehicles (IoV) action plan adopted by the Shanghai Municipal Communications Administration must submit two types of data protection assessments to the municipal authority. First, they must file an annual data security risk assessment report covering the handling of important data, conducted either internally or through a third party. Second, they must submit personal information protection impact assessments for processing activities involving sensitive data, automated decision-making, delegated processing, joint use, public disclosure, or cross-border transfers of personal data. Both obligations apply to IoV enterprises operating in Shanghai, including intelligent connected vehicle manufacturers and vehicle networking platform operators. The assessments must comply with the Data Security Law, the Personal Information Protection Law, and relevant sectoral rules.

Scope

Policy Area: Data governance
Policy Instrument: Data protection regulation
Regulated Economic Activity: cross-cutting
Implementation Level: subnational
Government Branch: executive
Government Body: other regulatory body

Complete timeline of this policy change

2025-04-22
adopted

On 22 April 2025, the Shanghai Municipal Communications Administration adopted the “Shielding the C…

2025-07-31
in force

On 31 July 2025, enterprises subject to the 2025 Internet of Vehicles (IoV) action plan adopted by …

2025-11-30
in force

On 30 November 2025, enterprises covered by the 2025 Internet of Vehicles (IoV) action plan adopted…