1. Why This Matters
AI model training is no longer a purely technical decision — it is a geopolitical, legal, and strategic one. When reports emerged suggesting that Tesla may be training portions of its AI models on infrastructure in China, the story touched every dimension of modern technology governance: data sovereignty, export controls, intellectual property protection, national security, and corporate strategy.
This is not just about Tesla. Any organisation training AI models across borders — and most large companies do — faces the same questions. Understanding the technical realities, legal frameworks, and risk management strategies is essential for engineers, executives, policymakers, and informed citizens.
2. What the Reports Actually Say
When media or industry sources say a company is "training AI in China," they typically mean that parts of the machine learning pipeline — dataset preparation, model training runs, hyperparameter experimentation, or fine-tuning — are executed on infrastructure located in that country. Reports may be based on:
- Job postings for ML engineers in specific regions
- Partner disclosures from cloud or hardware providers
- Regulatory filings or corporate statements
- Observed infrastructure patterns (IP ranges, data centre locations)
- Open-source code commits from regional engineering offices
It is critical to distinguish between primary disclosures (official company statements, regulatory filings) and secondary reporting (summaries, opinion pieces, anonymous sources). The specifics matter enormously — training a vision model on publicly available Chinese road data is fundamentally different from transferring proprietary model weights to foreign-controlled infrastructure.
3. How Large-Scale AI Training Works
3.1 The Training Pipeline
Training a large AI model is not a single operation — it is a multi-stage pipeline that can span weeks or months:
- Data collection: Gathering raw data (images, text, sensor readings) from various sources.
- Data processing: Cleaning, labelling, augmenting, and formatting data into training-ready datasets.
- Pre-training: Training the base model on massive datasets (billions of tokens or images). This is the most compute-intensive phase.
- Fine-tuning: Adapting the pre-trained model to specific tasks or domains with smaller, curated datasets.
- Evaluation: Benchmarking model performance against test sets and safety criteria.
- Deployment: Packaging the model for inference in production systems.
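The stages above can be sketched as a minimal pipeline skeleton. This is illustrative only; the stage names and the `run_pipeline` helper are assumptions for the sketch, not any particular framework's API:

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Stage:
    name: str
    run: Callable[[dict], dict]  # takes pipeline state, returns updated state

def run_pipeline(stages: list[Stage], state: dict) -> dict:
    # Execute each stage in order, threading shared state through
    # and recording which stages have run.
    for stage in stages:
        state = stage.run(state)
        state.setdefault("log", []).append(stage.name)
    return state

# Toy stages standing in for the real phases described above.
stages = [
    Stage("collect",  lambda s: {**s, "raw": ["frame1", "frame2"]}),
    Stage("process",  lambda s: {**s, "dataset": [f.upper() for f in s["raw"]]}),
    Stage("pretrain", lambda s: {**s, "weights": "base-v0"}),
    Stage("finetune", lambda s: {**s, "weights": s["weights"] + "-ft"}),
    Stage("evaluate", lambda s: {**s, "metrics": {"accuracy": 0.91}}),
    Stage("deploy",   lambda s: {**s, "artifact": s["weights"] + ".onnx"}),
]

final = run_pipeline(stages, {})
```

The point of the skeleton is that each stage can, in principle, run on different infrastructure in a different jurisdiction, which is exactly what makes the governance questions in later sections arise.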
3.2 Compute Requirements
| Model Scale | Parameters | GPUs Required | Training Time | Estimated Cost |
|---|---|---|---|---|
| Small (BERT-base) | 110M | 8× V100 | 4 days | $2,000–5,000 |
| Medium (Llama 2 7B) | 7B | 64× A100 | ~2 weeks | $150,000–300,000 |
| Large (GPT-4 class) | ~1.8T (rumoured) | 10,000–25,000× A100/H100 | 3–6 months | $50M–100M+ |
| Tesla FSD (vision) | Undisclosed | Dojo + NVIDIA clusters | Continuous | $1B+ infrastructure |
3.3 Distributed Training
Large models are trained across thousands of GPUs simultaneously using techniques like data parallelism (same model, different data shards), model parallelism (model split across GPUs), and pipeline parallelism (different layers on different GPUs). This requires high-bandwidth interconnects (NVLink, InfiniBand) and is extremely sensitive to network latency — which is why training typically happens within a single data centre, not across continents.
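A minimal sketch of the data-parallel idea: each worker computes gradients on its own data shard, the gradients are averaged (the role played by an all-reduce over NVLink or InfiniBand in real clusters), and the shared weights are updated. Pure Python stands in for the GPU communication here; the toy model `y = w * x` is an assumption for illustration:

```python
def shard(data, num_workers):
    # Split the dataset into roughly equal shards, one per worker.
    return [data[i::num_workers] for i in range(num_workers)]

def local_gradient(w, xs):
    # Toy gradient of mean squared error for the model y = w * x, target y = 2x.
    return sum(2 * (w * x - 2 * x) * x for x in xs) / len(xs)

def all_reduce_mean(grads):
    # Stand-in for an NCCL/MPI all-reduce: average gradients across workers.
    return sum(grads) / len(grads)

def train_step(w, shards, lr=0.01):
    # In a real cluster the list comprehension below runs in parallel,
    # one worker per shard, each on its own GPU.
    grads = [local_gradient(w, s) for s in shards]
    return w - lr * all_reduce_mean(grads)

data = list(range(1, 9))
shards = shard(data, num_workers=4)
w = 0.0
for _ in range(100):
    w = train_step(w, shards)
# w converges toward the true slope of 2.0
```

The `all_reduce_mean` step is why latency matters so much: in synchronous training it runs after every step, so every worker waits on the slowest network path, which is why a training run stays inside one data centre.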
4. Why Companies Train Models Abroad
4.1 GPU Scarcity
Demand for AI training hardware far exceeds supply. NVIDIA H100 GPUs have had 12+ month wait times. Companies may use compute capacity wherever it is available — including data centres in other countries — simply because that is where GPUs can be provisioned.
4.2 Data Residency Requirements
Many jurisdictions require that data collected from local citizens be stored and processed within the country. If Tesla collects driving data from Chinese roads, Chinese law (PIPL, CSL) may require that data to stay in China. Training a model on that data locally is a compliance necessity, not a choice.
4.3 Local Engineering Talent
By most published counts, China now graduates more AI researchers than any other country. Having local ML engineering teams with low-latency access to training infrastructure enables faster experimentation cycles. Many global tech companies maintain AI research labs in Beijing, Shanghai, and Hangzhou.

4.4 Cost Efficiency
Cloud compute pricing varies by region. Chinese cloud providers (Alibaba Cloud, Huawei Cloud, Tencent Cloud) can offer competitive pricing for GPU compute, sometimes 30–50% less than US or EU equivalents for the same hardware.
4.5 Market-Specific Models
A self-driving model for Chinese roads needs Chinese road data: different lane markings, traffic patterns, signage, driving behaviour, and pedestrian density. Training location often follows the data, and localised models perform significantly better than models trained exclusively on foreign data.
5. The Global AI Compute Landscape
| Region | Key Players | GPU Access | Data Laws | Strengths |
|---|---|---|---|---|
| United States | AWS, Azure, GCP, CoreWeave | H100/B200 (restricted export) | Sector-specific (HIPAA, CCPA) | Largest GPU clusters, talent pool |
| China | Alibaba, Huawei, Tencent, Baidu | Domestic chips (Ascend 910B) + older NVIDIA | PIPL + CSL (strict localisation) | Massive data, strong AI talent |
| European Union | OVHcloud, Hetzner, Scaleway | H100 available, growing capacity | GDPR (strictest privacy) | Regulatory clarity, privacy focus |
| Middle East | G42 (UAE), NEOM (Saudi) | Growing H100 clusters | Evolving frameworks | Heavy investment, sovereign AI funds |
| Japan / South Korea | SoftBank, Samsung, NTT | Moderate capacity | APPI (Japan), PIPA (Korea) | Robotics, semiconductor manufacturing |
6. Tesla's AI Infrastructure & Compute Needs
6.1 What Tesla Trains
Tesla's AI workloads are among the most demanding in the industry. Full Self-Driving (FSD) makes real-time driving decisions from eight cameras per vehicle; earlier hardware generations also included ultrasonic sensors and a forward-facing radar, which Tesla has since phased out in favour of a vision-only approach. Training the underlying neural networks requires processing billions of video frames annotated with driving behaviour data.
6.2 Dojo Supercomputer
Tesla designed Dojo — a custom supercomputer built on the D1 chip — specifically for training vision models. Each D1 chip delivers ~362 TFLOPS of BF16 compute. A Dojo ExaPod consists of 120 training tiles, with each tile containing 25 D1 chips. The goal: reduce dependence on NVIDIA GPUs and external cloud providers for training capacity.
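Taking the figures above at face value (they are approximate, publicly reported numbers), the aggregate BF16 compute of one ExaPod works out as follows:

```python
tflops_per_d1 = 362        # approximate BF16 TFLOPS per D1 chip
chips_per_tile = 25        # D1 chips per training tile
tiles_per_exapod = 120     # training tiles per ExaPod

total_tflops = tflops_per_d1 * chips_per_tile * tiles_per_exapod
total_exaflops = total_tflops / 1_000_000   # 1 EFLOPS = 10^6 TFLOPS

print(f"{total_tflops:,} TFLOPS ≈ {total_exaflops:.2f} EFLOPS (BF16)")
```

That is roughly 1.1 EFLOPS of BF16 compute per ExaPod, in line with Tesla's own headline figure, though real-world utilisation is always well below peak.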
6.3 The Data Scale
Tesla's fleet of millions of vehicles generates petabytes of driving data. Each country's data has unique characteristics. A model trained only on US highway data will struggle with Chinese urban traffic patterns (different vehicle types, driving norms, road infrastructure). This creates a genuine technical need for localised training.
6.4 The Optimus Robot
Beyond FSD, Tesla is developing Optimus — a humanoid robot that requires training on manipulation, navigation, and human interaction data. This represents yet another massive AI training workload that may benefit from distributed global compute resources.
7. Data Sovereignty & Governance Frameworks
7.1 China — PIPL & Cybersecurity Law
China's Personal Information Protection Law (PIPL, 2021) and Cybersecurity Law (CSL, 2017) together create one of the strictest data localisation regimes. Key requirements:
- Personal data of Chinese citizens must be stored within China
- Cross-border transfers require security assessments by the Cyberspace Administration of China (CAC)
- "Important data" and "critical information infrastructure" data face additional restrictions
- Automotive data (driving behaviour, location, camera footage) is classified as important data
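The classification rules above can be made concrete as a lookup. This is a hypothetical sketch, not a legal determination: the category names, the `transfer_requirements` function, and the mapping of categories to regimes are all illustrative assumptions:

```python
# Illustrative category sets; real classification requires legal review.
IMPORTANT_DATA = {"driving_behaviour", "location_trace", "camera_footage", "hd_map"}
PERSONAL_DATA = {"driver_profile", "contact_info", "location_trace"}

def transfer_requirements(category: str, destination: str) -> list[str]:
    # Return the approval steps a cross-border transfer out of China
    # would trigger under the regime sketched above; empty list means
    # the data is staying on-shore and no transfer mechanism is needed.
    reqs = []
    if destination != "CN":
        if category in IMPORTANT_DATA:
            reqs.append("CAC security assessment (important data)")
        if category in PERSONAL_DATA:
            reqs.append("PIPL cross-border transfer mechanism")
        if not reqs:
            reqs.append("standard contractual/organisational safeguards")
    return reqs
```

For example, `transfer_requirements("camera_footage", "US")` flags a CAC security assessment, while the same data processed in `"CN"` triggers nothing, which is the compliance logic behind training locally in the first place.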
7.2 European Union — GDPR
The General Data Protection Regulation imposes strict rules on transferring personal data outside the EU. Adequate safeguards (Standard Contractual Clauses, Binding Corporate Rules) must be in place. The Schrems II ruling invalidated the EU-US Privacy Shield; its successor, the EU-US Data Privacy Framework (2023), faces similar legal challenges, keeping transatlantic data flows in flux.
7.3 United States — Sector-Specific
The US lacks a comprehensive federal data privacy law. Instead, sector-specific regulations apply: HIPAA (health), GLBA (finance), CCPA/CPRA (California consumer data). The October 2023 executive order on AI added reporting requirements for large model training runs; subsequent executive action in 2025 revised that approach, leaving federal AI oversight in flux.
7.4 Comparison Table
| Framework | Jurisdiction | Data Localisation | Cross-Border Transfer | AI-Specific Rules |
|---|---|---|---|---|
| PIPL + CSL | China | Required for personal + automotive data | CAC security assessment | Algorithm registration, deep synthesis rules |
| GDPR | EU | Not required, but transfer controls | SCCs, BCRs, adequacy decisions | AI Act (2024) — risk-based framework |
| CCPA/CPRA | California | Not required | No specific restrictions | Automated decision-making disclosure |
| APPI | Japan | Not required | Consent + adequate safeguards | Evolving AI guidelines |
8. Export Controls & Regulatory Landscape
8.1 US Export Controls on AI Hardware
The US Bureau of Industry and Security (BIS) has implemented increasingly strict export controls on advanced AI chips and technology to China:
- October 2022: Initial restrictions on A100 and H100 GPUs to China
- October 2023: Expanded to cover broader range of chips; closed loopholes (A800/H800 variants blocked)
- January 2025: Further tightened with country-tier system and aggregate compute thresholds
8.2 Implications for Training Location
Export controls primarily restrict hardware exports, not model training itself. However, training a model on US-controlled technology and then deploying it abroad, or sharing model weights, may trigger deemed export rules. The legal landscape is evolving rapidly, and companies need continuous legal review.
8.3 Technology Transfer Risks
Even without explicit hardware transfer, AI training across borders can involve technology transfer through: model architecture designs shared with local teams, training scripts containing proprietary techniques, hyperparameter configurations representing years of R&D, and trained model weights that embed the knowledge of the training data.
9. Security Architecture for Cross-Border Training
9.1 The Threat Model
- Data exfiltration: Training data copied or intercepted during transfer or at rest
- Model theft: Trained weights extracted from training infrastructure
- Supply chain compromise: Malicious code injected into training libraries or infrastructure
- Insider threat: Authorised personnel copying data or models to unauthorised locations
- Side-channel attacks: Extracting training data from model outputs or gradients
9.2 Security Controls
| Layer | Control | Implementation |
|---|---|---|
| Data at rest | AES-256 encryption | Full-disk encryption on all training nodes; key management via HSM |
| Data in transit | TLS 1.3 / WireGuard VPN | All inter-node and cross-border communication encrypted |
| Access control | Zero trust + MFA | Short-lived credentials; no standing access; JIT provisioning |
| Model weights | Signed artefacts | Cryptographic signing of all model checkpoints; tamper detection |
| Audit logging | Immutable logs | All data access, training runs, and model exports logged to WORM storage |
| Network | Micro-segmentation | Training cluster isolated from corporate network; no internet egress |
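As an illustration of the "signed artefacts" row, here is a minimal checkpoint-signing sketch using an HMAC over the checkpoint file's bytes. A production deployment would use asymmetric signatures with keys held in an HSM; the key handling here is deliberately simplified:

```python
import hashlib
import hmac
import os
import tempfile

def sign_checkpoint(path: str, key: bytes) -> str:
    # Compute an HMAC-SHA256 tag over the checkpoint file, streaming
    # in 1 MiB chunks so large weight files never load fully into memory.
    h = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_checkpoint(path: str, key: bytes, tag: str) -> bool:
    # compare_digest is constant-time, guarding against timing attacks.
    return hmac.compare_digest(sign_checkpoint(path, key), tag)

# Demo: sign a toy checkpoint, then show that tampering is detected.
key = os.urandom(32)
with tempfile.NamedTemporaryFile(delete=False) as f:
    f.write(b"model-weights-v1")
    ckpt = f.name

tag = sign_checkpoint(ckpt, key)
assert verify_checkpoint(ckpt, key, tag)

with open(ckpt, "ab") as f:          # simulate tampering with the weights
    f.write(b"malicious-payload")
assert not verify_checkpoint(ckpt, key, tag)
```

Signing every checkpoint at write time, and verifying before any load or export, is what turns "tamper detection" from a policy statement into an enforced property of the pipeline.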
10. Cross-Border AI Training: A Compliance Framework
When an AI company operates across jurisdictions, every training pipeline must navigate multiple overlapping regulatory requirements. The following framework covers the key dimensions that teams evaluating cross-border AI training — including Tesla’s reported China operations — must address.
10.1 The Four Pillars of Compliance
| Pillar | Core Requirement | Key Risk if Ignored |
|---|---|---|
| Data Sovereignty | Data originating in a regulated jurisdiction must meet local processing and storage rules | Regulatory shutdown, fines, and forced data deletion |
| Encryption | All training data — at rest and in transit — must be encrypted to prevailing standards (AES-256, TLS 1.3) | Data breach, liability, and loss of training corpora |
| Access Control | Short-lived credentials (≤4 hours), zero-trust architecture, immutable audit logs | Insider threat, credential theft, inability to prove innocence in an investigation |
| Export Controls | Model architectures and algorithms classified under US EAR (e.g., ECCN 4E001) cannot be used in restricted regions without a licence | Criminal liability, loss of US government contracts, debarment |
10.2 China-Specific Requirements
China’s Personal Information Protection Law (PIPL) and Cybersecurity Law (CSL) create a particularly complex compliance environment:
- Data localisation: “Important data” and personal data collected in China must generally be stored and processed within China. Cross-border transfers require a CAC (Cyberspace Administration of China) Security Assessment for large-scale transfers.
- Automotive data: The 2021 Several Provisions on the Administration of Automotive Data Security specifically restricts cross-border transfer of road imagery, high-precision maps, and vehicle operation data — directly relevant to Tesla’s FSD training pipeline.
- Algorithm governance: Recommendation and generative AI algorithms deployed in China must be registered with the CAC and are subject to regular audits.
10.3 Best-Practice Architecture for Compliant Training
- Data residency ring-fencing: Partition training data by origin region from the point of collection. Never co-mingle data that has different sovereignty requirements in the same training run.
- Federated training where possible: Train regional models locally and aggregate only gradient updates or model parameters — keeping raw data on-shore.
- Continuous compliance monitoring: Automated pipeline checks should flag any training job that would move restricted data outside its permitted region before it runs, not after.
- Legal review gate: Any new data-sharing arrangement between jurisdictions should require sign-off from export control counsel before technical implementation begins.
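The "continuous compliance monitoring" practice above can be expressed as a pre-flight audit that blocks a training job before launch if any input dataset would leave its permitted region. This is a minimal sketch: the policy table, the job structure, and the region codes are illustrative assumptions, not a complete legal mapping:

```python
from dataclasses import dataclass

# Illustrative policy: where data collected in each region may be processed.
ALLOWED_PROCESSING = {
    "CN": {"CN"},            # PIPL/CSL: Chinese data stays on-shore
    "EU": {"EU", "US"},      # cross-border only with SCCs in place (assumed)
    "US": {"US", "EU"},
}

@dataclass
class Dataset:
    name: str
    origin_region: str

@dataclass
class TrainingJob:
    job_id: str
    compute_region: str
    datasets: list[Dataset]

def preflight_audit(job: TrainingJob) -> list[str]:
    # Return a list of violations; an empty list means the job may run.
    violations = []
    for ds in job.datasets:
        allowed = ALLOWED_PROCESSING.get(ds.origin_region, set())
        if job.compute_region not in allowed:
            violations.append(
                f"{job.job_id}: dataset '{ds.name}' (origin {ds.origin_region}) "
                f"may not be processed in {job.compute_region}"
            )
    return violations

job = TrainingJob("fsd-cn-007", "US", [Dataset("cn_road_video", "CN"),
                                       Dataset("us_highway", "US")])
problems = preflight_audit(job)   # flags only the Chinese dataset
```

Wiring a check like this into the job scheduler, so that a non-empty violation list aborts submission, is what "before it runs, not after" means in practice.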
11. Intellectual Property & Model Security Risks
11.1 What Is at Stake
A trained AI model represents an enormous investment: the training data (often proprietary), the architecture (research IP), the hyperparameters (years of experimentation), and the weights themselves (the encoded knowledge). In a cross-border scenario, any of these could be at risk.
11.2 Specific Risks
- Weight extraction: Trained model weights can be copied in minutes — a single checkpoint file contains the entire model's knowledge.
- Architecture disclosure: Training scripts and configuration files reveal proprietary architectural innovations.
- Data reconstruction: Research has shown that training data can sometimes be extracted from model weights through membership inference and model inversion attacks.
- Forced disclosure: Local laws may compel companies to share data, algorithms, or model weights with government authorities.
11.3 Mitigation Strategies
- Train locally and transfer only inference-optimised (quantised, pruned) models abroad
- Use federated learning to improve models from local data without centralising raw data
- Implement digital watermarking in model weights to detect unauthorised distribution
- Maintain separate model lineages for different jurisdictions
- Require security-cleared personnel for access to model weights
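The federated-learning mitigation above can be illustrated with a minimal federated-averaging round: each region trains on its own data, and only model parameters cross the border. This is a toy scalar model chosen for the sketch; real systems exchange weight tensors and typically add secure aggregation on top:

```python
def local_update(w, data, lr=0.1, steps=10):
    # Each region fits y = w * x to its local data (true slope = 3)
    # without ever sharing the raw data points.
    for _ in range(steps):
        grad = sum(2 * (w * x - 3 * x) * x for x in data) / len(data)
        w -= lr * grad
    return w

def federated_round(global_w, regional_data):
    # Only the updated parameters leave each region, never the datasets.
    local_ws = [local_update(global_w, d) for d in regional_data.values()]
    return sum(local_ws) / len(local_ws)   # FedAvg: simple parameter average

regions = {"CN": [1.0, 2.0], "EU": [0.5, 1.5], "US": [1.0, 3.0]}
w = 0.0
for _ in range(5):
    w = federated_round(w, regions)
# w approaches 3.0 while every raw dataset stays in its home region
```

The trade-off is that gradients and parameters can still leak information about the training data (see the side-channel risks in Section 9), so federated training reduces, but does not eliminate, cross-border exposure.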
12. Geopolitical Context & Supply Chain
12.1 The US-China AI Competition
AI has become a central axis of US-China strategic competition. Both governments view AI leadership as critical to economic competitiveness, military capability, and geopolitical influence. This context colours every decision about cross-border AI development.
12.2 Semiconductor Supply Chain
Advanced AI chips are manufactured by TSMC (Taiwan), using ASML lithography equipment (Netherlands), designed by NVIDIA/AMD/Intel (US), and increasingly demanded by data centres worldwide. This supply chain is concentrated and fragile — disruption at any point affects global AI training capacity.
12.3 China's Domestic Alternatives
In response to export controls, China is accelerating domestic chip development: Huawei's Ascend 910B, Biren BR100, and government-funded semiconductor fabs. While these chips do not yet match NVIDIA's latest (H100/B200) in performance, the capability gap is narrowing, and domestic alternatives reduce reliance on US-controlled supply chains.
12.4 Strategic Autonomy
The broader trend is toward AI sovereignty — each major region building independent AI capabilities. The EU AI Act, China's algorithm regulations, India's AI governance framework, and the UK's AI Safety Institute all represent efforts to establish sovereign influence over AI development within their borders.
13. How to Evaluate Such Reports
13.1 Source Quality Checklist
- Does the report cite primary sources (company filings, regulatory documents, official statements)?
- Is there corroborating evidence (job postings, infrastructure data, partner disclosures)?
- Does the source distinguish between data processing, model training, and model deployment?
- Are claims specific (which model, which data, which region) or vague ("AI activities")?
13.2 Technical Red Flags
- Claims that model training was moved "to save money" without acknowledging data residency requirements — the real reason may be compliance, not cost
- Reports conflating GPU chip exports with model training — these are related but distinct issues
- Analysis that ignores how impractical efficient cross-continent distributed training is (synchronous gradient exchange is so latency-sensitive that training effectively must stay within a single data centre)
13.3 Context Matters
Training a model on locally collected data to comply with local laws is fundamentally different from transferring proprietary US-developed model weights to foreign infrastructure. The former is standard practice; the latter raises serious concerns. Most reporting fails to make this distinction clearly.
14. Implications for Users & Stakeholders
14.1 For End Users
Where a model was trained may not change your daily experience with a product, but it affects how your data is handled, which legal protections apply, and what recourse you have if something goes wrong. Users should understand data collection disclosures and opt-out where possible.
14.2 For Investors
Cross-border training creates regulatory risk. A change in export controls, data sovereignty laws, or geopolitical relations could disrupt training pipelines. Companies that depend heavily on cross-border AI infrastructure face material risks that should be disclosed and priced in.
14.3 For Engineers
If you work on distributed training systems, you must understand not just the technical constraints but the legal and security requirements. Implement compliance checks as part of the training pipeline — not as an afterthought. The code example in Section 10 is a starting point.
14.4 For Policymakers
Effective AI governance requires understanding how training actually works. Policies that conflate hardware exports, data localisation, and model deployment will be ineffective or counterproductive. Engage with technical experts when drafting AI regulations.
15. Frequently Asked Questions
Does training AI in China mean Chinese authorities can access the model?
It depends on the legal framework and infrastructure. China's PIPL and CSL give authorities broad data access powers for national security purposes. If training occurs on Chinese infrastructure, there is a legal basis for government access to data stored on that infrastructure. Encryption and access controls help, but cannot fully mitigate sovereign legal authority.
Is cross-border AI training illegal?
No. Cross-border AI training is standard practice and is legal in most jurisdictions, provided data sovereignty requirements are met and export controls are not violated. The legality depends on what data is used, where it originates, what technology is involved, and whether proper approvals have been obtained.
Why can't Tesla just train everything in the US?
Two main reasons: (1) Chinese data sovereignty laws may require that Chinese driving data be processed within China, and (2) models need to be trained on local data to perform well on local roads. A self-driving model trained only on US roads would be unsafe on Chinese roads.
Do export controls prevent AI model training in China?
Export controls primarily restrict the sale of advanced AI hardware (H100, A100 GPUs) to China, not model training itself. Companies can train models on older or domestically produced hardware. However, deemed export rules may apply if significant technology transfer occurs.
What is the difference between training and inference?
Training is the process of creating a model by learning from data — it requires massive compute, happens once (or periodically), and produces model weights. Inference is using the trained model to make predictions in production — it requires less compute and happens continuously. A model can be trained in one location and deployed for inference elsewhere.
How do other companies handle cross-border AI training?
Most global tech companies maintain regional AI labs and data centres. Google, Microsoft, Meta, and Apple all have significant AI operations in multiple countries. Standard practice includes data localisation compliance, regional model variants, and security controls for cross-border model transfers.
Could Tesla's approach change AI regulation globally?
High-profile cases accelerate regulatory attention. Tesla's situation has increased scrutiny on cross-border AI training generally, potentially leading to clearer rules about model training location, data transfer requirements, and disclosure obligations for AI-intensive companies.
16. Glossary
- Data Sovereignty
- The principle that data is subject to the laws and governance of the country where it is collected or stored.
- PIPL (Personal Information Protection Law)
- China's comprehensive data privacy law (2021), often compared to GDPR, with strict data localisation requirements.
- Export Controls
- Government restrictions on the transfer of specific technologies, goods, or information to foreign countries for national security reasons.
- Distributed Training
- Training a machine learning model across multiple GPUs or machines simultaneously, using data, model, or pipeline parallelism.
- Data Residency
- The requirement that data be stored and processed within a specific geographic jurisdiction.
- Deemed Export
- The release of controlled technology to a foreign national within the US, treated as an export under US law.
- HSM (Hardware Security Module)
- A dedicated cryptographic device for managing encryption keys, used to protect data at rest and sign model artefacts.
- Zero Trust
- A security model that requires verification for every access request, regardless of network location or user identity.
- Model Weights
- The numerical parameters learned during training that define how a neural network transforms inputs into outputs.
- Dojo
- Tesla's custom-designed supercomputer for AI training, built on proprietary D1 chips optimised for video processing workloads.
- Federated Learning
- A training approach where models learn from data distributed across multiple locations without centralising the raw data.
17. References & Further Reading
- GDPR — General Data Protection Regulation (full text)
- NIST — AI Risk Management Framework (2023)
- US Bureau of Industry and Security — Export Control Resources
- OECD — AI Principles
- ISO/IEC 27001 — Information Security Management
- Stanford DigiChina — PIPL English Translation
- EU AI Act — Full Text and Analysis
- White House — Executive Order on AI (2023)
If you manage AI workloads across borders, implement compliance-as-code from day one. Use the audit script in Section 10 as a starting point. Document data provenance, enforce encryption and short-lived credentials, and consult regulatory counsel for your specific jurisdictions. Treat training location as a first-class governance decision, not an afterthought.