China: Shanghai Municipal Communications Administration adopted 2025 Internet of Vehicles action plan including data governance and personal information protection obligations

On 22 April 2025, the Shanghai Municipal Communications Administration adopted the “Shielding the Connected Car” 2025 Internet of Vehicles (IoV) action plan, establishing binding data protection obligations for IoV enterprises operating in Shanghai. Enterprises are required to identify and maintain catalogues of important data and file them with the municipal authority by 31 July 2025, with updates due within 3 months of any major change. They must also conduct annual data security risk assessments and submit the results by 30 November 2025. For personal information processing activities involving sensitive data, automated decision-making, data sharing, or cross-border transfers, enterprises must perform personal information protection impact assessments and report them by 30 November 2025. Additional requirements include implementing internal data protection policies, evaluating data partners' security capabilities, and filing cross-border transfer assessments without including the outbound data itself.