This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].
In January 2025, China continued to deepen legislation and law enforcement activities in key areas such as personal information protection, data resource development and utilisation, data security, and cybersecurity. This further strengthened the protection of personal information across these key sectors, accelerated the market-oriented allocation of data elements, and required enterprises to implement various data security and cybersecurity management requirements through a series of law enforcement activities:
Follow the links below to view the official policy documents or public announcements.
The CAC opened the public consultation on the Measures for Personal Data Protection Certification for Cross-Border Data Transfers, aimed at regulating the certification of personal information protection for cross-border transfers and facilitating the secure and efficient flow of personal information across borders. These proposed certification measures aim to provide clear requirements regarding the scope of application, eligibility criteria, certification content, and other related factors, as well as standardising the filing requirements and responsibilities of professional certification bodies. As one of the three compliance routes for cross-border information transfers under Article 38 of the Personal Information Protection Law, personal information protection certification has not been widely adopted in practice due to issues such as fragmented applicable rules, complex certification procedures, and lengthy processing times. The formal implementation of these certification measures in the future will further optimise China’s personal information cross-border management regime, facilitating the flow of personal information across borders.
The National Data Administration opened the public consultation on the Explanations of Common Terms in the Data Sector (Second Batch), aimed at deepening the standardisation and normalisation of foundational concepts in the data field. This document elaborates on 20 important concepts in the market-oriented reform areas of data elements, such as “data ownership”, “derivative data”, and “on-exchange data trading”, covering multiple areas including data property rights, data transactions, and data infrastructure. The release of this batch of explanations will further improve the basic systems for data and promote a unified understanding of common terms in the data sector.
The TC260 released Cybersecurity Standards Practice Guidelines—Personal Information Security Requirements in Facial Recognition Payments, aiming to guide companies in standardising personal information processing in facial recognition payment scenarios. The guidelines provide detailed explanations of the security obligations that shall be undertaken by facial recognition payment service providers, facial verification service providers, venue managers, and equipment operators during the data processing procedures. Specifically, for facial verification service providers, the guidelines set clear standards for ensuring security during five types of data processing activities—collection, storage, transmission, export, and deletion—thereby enhancing the security of personal information throughout its entire lifecycle.
4. SAMR released interim measures to regulate the reporting of compliance data for online transactions (24 January)
The State Administration for Market Regulation (“SAMR”) opened the public consultation on Interim Measures for the Management of Compliance Data Reporting for Online Transactions, aimed at regulating the reporting and management of compliance data for online transactions, and further enhancing the effectiveness of online transaction supervision. The measures clearly stipulate that operators of online transaction platforms shall report various types of compliance data, including online business operator identity information, data on illegal activities, administrative law enforcement cooperation data, and specific product or service transaction data, to market regulatory authorities in accordance with relevant requirements. Additionally, the measures define the specific responsibilities of market regulatory authorities in overseeing the reporting of online transaction compliance data, ensuring the standardisation of relevant regulatory activities.
The People’s Bank of China opened the public consultation on the Measures for the Management of Cybersecurity Incident Reporting in the Business Areas of the People’s Bank of China, aimed at regulating the reporting obligations of financial institutions in the event of cybersecurity incidents in relevant business areas. The measures clearly stipulate that financial institutions, based on a graded management system for cybersecurity incidents, shall fulfil their reporting obligations in accordance with the detailed reporting processes and content outlined in the measures, thereby enhancing the cybersecurity management and emergency response capabilities of financial institutions.
The NDRC and other departments issued the Interim Measures for the Registration and Management of Public Data Resources, aimed at establishing a nationwide integrated public data resource registration system. The measures emphasise that relevant government and public institutions shall register public data resources within the scope of authorised operations and encourage the registration of public data resources not yet included in the authorised operations. Additionally, the measures define the registration procedures for public data resources and the related management requirements, with national and local data management authorities strengthening supervision and management of registration institutions and entities, further standardising the public data resource registration process.
7. NDRC and other departments issued implementation specifications, clarifying the requirements for authorised operation of public data resources (20 January)
The NDRC and other departments issued the Implementation Specifications for the Authorised Operation of Public Data Resources (Trial), aiming to regulate the authorised operation of public data resources and promote the development of an integrated data market. The specifications clearly outline the specific requirements that government departments shall follow when carrying out the authorised operation of public data resources, including the preparation of an implementation plan for the authorised operation, signing of an authorised operation agreement, and standardising the implementation and management of the authorised operation. These measures are of significant practical importance for exploring effective models for the authorised operation of public data resources and advancing the development and utilisation of public data resources.
The Ministry of Civil Affairs and other departments issued Working Measures for the Protection of Personal Information of Children in Distress, aimed at legally strengthening the protection of personal information for children in distress. The measures require various government departments and organisations to strictly adhere to the Personal Information Protection Law and other relevant legal requirements when processing personal information of children in distress, ensuring their personal information protection and preventing any breaches. The formulation of these measures is of significant importance in improving the personal information protection framework for vulnerable groups in China and effectively safeguarding the legal rights and interests of children in distress.
9. MIIT issued implementation guidelines, requiring Internet data centre enterprises to strengthen customer data security (14 January)
The MIIT issued the Implementation Guidelines for Customer Data Security in Internet Data Centres, aiming to strengthen the protection of customer data in Internet data centres and enhance the ability to safeguard customer data security. Based on an objective analysis of the risks to customer data security faced by Internet data centres during their operations, the guidelines propose specific security requirements in three key areas: general security capabilities, security capabilities for server hosting business scenarios, and security capabilities for data storage and computing business scenarios. These measures are designed to strengthen the regulated processing and secure management of customer data.
The NDRC and other departments issued the Implementation Plan for Improving Data Circulation Security Governance and Promoting the Marketisation and Valorisation of Data Elements, aiming to improve the governance rules for data circulation security and establish comprehensive basic systems for data. The implementation plan outlines the basic security requirements for three categories of data—enterprise data, public data, and personal data—during circulation. It also highlights the need to improve mechanisms for defining responsibilities in data circulation security, strengthen the application of security technologies, expand service offerings, and prevent the risks of data misuse.
11. Jiangsu released regulations on data, strengthening data resource management and promoting orderly circulation and application of data (27 January)
Jiangsu Province issued the Regulations of Jiangsu Province on Data, aimed at strengthening data resource management and promoting the marketisation reform of data elements. These regulations set out normative requirements for relevant departments and organisations involved in the protection of data rights and interests, resource management, circulation and trade, industrial development, and data development and utilisation. They also emphasise the need to enhance data security during the development and utilisation of data resources, while promoting the orderly circulation and secure application of data.
12. Guizhou released pilot measures to strengthen public data authorised operation management based on overall authorisation (16 January)
Guizhou Province issued the Management Measures for the Authorisation and Operation of Public Data in Guizhou Province (Trial), aiming to standardise the authorisation and operation of public data resources and promote the release of data element value. Regarding the operational model, the measures require that, in principle, overall authorisation should be adopted, with sector-specific authorisation implemented only when necessary. Furthermore, the measures clearly define the application requirements for authorisation operation institutions and data development and utilisation institutions, as well as specific implementation requirements and behavioural norms for authorisation operations, providing guidance for relevant public departments and authorised operation institutions to carry out public data authorisation and operation activities.
Guangzhou issued the Regulations of Guangzhou on Data, aimed at standardising and promoting activities such as data circulation and trade, as well as the development of the data industry, to activate the market value of data elements. Regarding data resources, the regulations require relevant authorities to establish a management mechanism for public data resource inventories and promote the development of public data authorisation and operation activities. Furthermore, the regulations call for measures to cultivate the data element market, such as improving the data property rights system, strengthening compliant on-exchange trading, and standardising data trading behaviours, to accelerate the development of the data industry. Additionally, the regulations designate Nansha as a “pioneer” for exploring the marketisation of data elements, actively exploring data element reform and development cooperation.
14. Hainan CAC and other departments issued compliance guidelines, focusing on the retail sector, to enhance operators' compliance with personal information protection (9 January)
The Hainan CAC and other departments issued the Compliance Guidelines for Personal Information Protection in the Retail Sector of Hainan Province, aiming to strengthen personal information protection in key areas. The guidelines target various malls and supermarkets in Hainan province, providing clear instructions on how to process personal information in compliance with regulations during business operations. These include requirements such as providing a privacy policy on App or mini-program pages, obtaining explicit consent from consumers when collecting precise location data, and stopping the sending of personalised marketing information upon request, all aimed at improving operators’ compliance with personal information protection.
The Changsha CAC reported on its network management and law enforcement activities for 2024. The report highlights that in 2024, the Changsha CAC, in collaboration with other relevant authorities, dealt with 3,468 instances of harmful online content. The measures taken against the responsible bodies included interviews, shutting down illegal websites or accounts, revoking website registration permits, removing illegal or non-compliant Apps, and imposing administrative penalties on 13 network operators. Additionally, the report published five typical penalty cases related to violations of data security and cybersecurity obligations, covering issues such as the leakage of sensitive personal information, failure to fulfil content review obligations, and failure to effectively carry out cybersecurity responsibilities.
The Chenzhou CAC published its network management and law enforcement activities report for the fourth quarter of 2024. A total of 545 instances of illegal information were cleared, 18 platforms were interviewed, and 20 websites had their registrations revoked. Additionally, the report highlights four types of typical illegal cases, with key violations including: Apps illegally collecting personal information, failure to properly fulfil security management obligations, and the publication of politically harmful information.
The China Association of Automobile Manufacturers (“CAAM”) reported on the monitoring of the latest batch of vehicle data processing, focusing on four security requirements. 139 models from 9 companies were found to meet the compliance standards. Specifically, the CAAM assessed the data security compliance of car manufacturers’ vehicle products based on four key requirements: anonymisation of external facial data, default non-collection of cabin data, in-vehicle processing of cabin data, and clear notification of personal information processing. The corresponding testing standards and methods were also published for reference by other companies.
18. Three companies in Zhengzhou interviewed by local CAC for failing to fulfil cybersecurity protection responsibilities (1 January)
The Zhengzhou CAC conducted interviews with three companies that failed to fulfil their cybersecurity protection responsibilities, resulting in cybersecurity incidents. The companies were instructed to immediately carry out hazard inspections and address the issues, as well as to establish and improve their cybersecurity management systems. Specifically, in Case 1, a human resources company’s website was attacked by a hacker group and infected with a Trojan Horse virus after the company failed to deregister its domain name following the website’s deactivation. In Case 2, a commercial management company’s OA system was illegally accessed by hackers after the system was deactivated and its registration was not cancelled. In Case 3, a park development company’s server was exploited by hackers through vulnerabilities and infected with a Trojan Horse virus.
The Nanning Cybersecurity Brigades published a series of law enforcement cases involving companies that failed to fulfil their cybersecurity protection responsibilities, covering various industries such as passenger and freight transport, business services, and hotels. Specifically, the companies were penalised for violations of Article 21 of the Cybersecurity Law, including key illegal activities such as the excessive collection of citizens’ personal information, failure to establish cybersecurity management systems, and failure to implement encryption measures for storing citizens’ personal information.
The Zhengzhou CAC imposed administrative penalties on two companies that failed to fulfil their cybersecurity protection obligations. In Case 1, a machinery manufacturing company did not take appropriate cybersecurity measures, resulting in its website being hijacked. In Case 2, an environmental technology company failed to meet cybersecurity protection obligations, leading to its website being tampered with. Both companies were penalised for violating Article 21 of the Cybersecurity Law and were issued administrative orders to rectify the issues, along with warnings.
21. National Computer Virus Emergency Response Centre reported 16 privacy-violating Apps (13 January)
The National Computer Virus Emergency Response Centre recently detected 16 Apps with privacy non-compliance issues. These issues primarily include difficulties in accessing privacy policies, failure to clearly state the purposes and methods of personal information collection and use, processing sensitive personal information without separate consent, and providing personal information to third parties without user consent. Additionally, some Apps have not established specific rules for processing minors’ personal information or provided users with a way to withdraw consent. In response to these issues, the centre advises users to be cautious when downloading and using non-compliant Apps, to carefully read privacy policies, and to protect personal privacy information.
22. National Data Work Conference held in Beijing, comprehensively summarising 2024 data sector progress and outlining key tasks for 2025 (11 January)
The National Data Work Conference was held in Beijing, where progress in the data sector for 2024 was reviewed. The meeting recognised achievements made over the past year in areas such as the construction of basic systems for data, the development and utilisation of data resources, and the growth of the digital economy. It also clarified the key areas for advancement in 2025. The conference emphasised the need to accelerate progress in nine areas, including promoting high-quality development of the digital economy and digital society, enhancing the foundation of basic systems for data, and unleashing the value of data resources, all aimed at achieving the goals of building a Digital China.
The National Data Administration and other departments issued the Guidelines for National Data Infrastructure Construction, aimed at guiding the development of data infrastructure and promoting the formation of a horizontally interconnected, vertically integrated national data infrastructure framework to facilitate data sharing. The guidelines outline the concept, development vision, functional architecture, and key construction directions for data infrastructure. They also provide deployment requirements in four key areas: computing infrastructure, network support, security protection, and organisational assurance.
The NDRC and other relevant departments issued the Notice on the Establishment of a Pricing Mechanism for the Authorisation and Operation of Public Data Resources. The document requires the relevant entities involved in the authorisation and operation of public data resources to clearly define the pricing scope and management authority, as well as standardise the pricing mechanism. It also mandates the scientific determination of the maximum allowable income and the upper limit of fees. These measures are intended to establish a scientific pricing mechanism for public data authorisation and operation, thereby promoting the compliant circulation and use of public data.
The MIIT released a summary of the achievements in cybersecurity and data security within the industrial and information sectors for 2024. In terms of cybersecurity, the protection capabilities of network infrastructure have continuously improved, and a new industrial cybersecurity assurance system has gradually been improved. Additionally, measures such as accelerating the construction of security standards on Internet of Vehicles (“IoVs”) and strengthening the management of service platform filings have further enhanced the security assurance level of the IoVs in China. Regarding data security, the MIIT has continuously strengthened the management of data security in the industrial and information sectors through the improvement of industry policies and standards. Efforts to advance data security capabilities in the industrial field are being steadily promoted.
The National Healthcare Security Administration (“Healthcare Administration”) issued a notice requiring local healthcare administrations to establish working groups focused on medical insurance data and to emphasise the role of this data in empowering healthcare institutions. The document outlines the requirements for the composition and responsibilities of the data working groups, mandating that they regularly publish the specific contents of medical insurance data to healthcare institutions, either monthly or quarterly. Additionally, this document provides a data reference template for the working group personnel to use in their activities.
27. Gansu issued opinions to accelerate the improvement of the data property rights system and promote the market-oriented allocation of data elements (20 January)
Gansu Province issued the Opinions on Accelerating the Improvement of the Data Property Rights System, aiming to enhance the structure of data property rights and facilitate the compliant use and circulation of data. The opinions emphasise the need to establish and improve the operational mechanisms for data property rights, promoting the separation of holding rights, processing and use rights, and product operation rights of data resources, in order to safeguard the legitimate rights and interests of all parties. They also encourage the market-oriented circulation of data, support various entities in exercising their data rights according to the law, and promote the empowerment of data across industries. The opinions further highlight the need to strengthen data property rights registration, compliant circulation, and protection mechanisms, reinforcing the protection and regulation of data rights to support the high-quality development of the digital economy.