China Cybersecurity and Data Protection: Monthly Update - January 2025 Issue

This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].

Our View

An In-depth Analysis of China’s Network Data Security Regime - Part I: An Overview of the Regulatory Framework

Key Highlights

In December 2024, China continued its legislative and enforcement activities in key areas such as personal information protection, data resource development and utilisation, and data security. These efforts further guide businesses in advancing compliance with personal information protection requirements, promoting the conversion of data resource value, and ensuring the implementation of data security management requirements. Meanwhile, enforcement actions in the field of cybersecurity have been strengthened, urging companies to strictly fulfil their cybersecurity responsibilities:

• Personal Information Protection: The State Council, the Ministry of Industry and Information Technology (“MIIT”), local cyberspace administrations (“CAC”), and other departments have intensified compliance oversight on personal information protection. Through legislative deliberations, the issuance of compliance guidelines, special governance initiatives, and penalties for non-compliant businesses, these authorities are advancing the standardised construction and use of public security video systems, guiding businesses in effectively implementing personal information protection requirements and facilitating the filing of standard contracts for the export of personal information in an orderly manner.
• Data Resource Development and Utilisation: The National Data Administration is actively promoting the development and utilisation of enterprise data resources, encouraging the cultivation of diverse data enterprises and the high-quality development of the data industry. Additionally, local authorities continue to deepen reforms in the market-oriented allocation of data elements, exploring effective models for the authorised operation of public data and enhancing data asset management, as well as optimising the environment for data circulation and transactions.
• Data Security: The National Financial Regulatory Administration (“NFRA”) is focusing on regulating data processing activities in the banking and insurance sectors, given the large volume of sensitive data in these industries. Furthermore, local authorities are actively carrying out data security enforcement actions, imposing administrative penalties on businesses that fail to fulfil or inadequately fulfil their data protection obligations, and ensuring that businesses adhere to the relevant data security legal requirements.

Follow the links below to view the official policy documents or public announcements.

Legislative Developments

1. State Council deliberated and approved a draft regulation, requiring standardisation of public security video system construction and use to protect personal information security (16 December)

The State Council deliberated and approved the Draft Regulation on the Management of Public Security Video Image Information Systems, aiming to standardise the construction and use of public security video systems. The full text of the draft has not yet been released. The Ministry of Public Security had previously disclosed the draft-for-public-consultation version on 8 April 2024. According to the draft, businesses may install public security video systems in public places such as shopping centres and parking lots, where there are public safety risks, but it is strictly prohibited to install such surveillance equipment in private places such as hotels and restaurants. Additionally, the draft-for-public-consultation version specifies detailed requirements for the storage period and access permissions of video image information. We will closely monitor any subsequent adjustments to the draft, as its approval will further accelerate the legal process in regulating the deployment and use of public security video systems in China, promoting a balance between public security maintenance and personal information protection.

2. National Data Administration released first batch of commonly used data terminology definition, promoting consensus on fundamental concepts in the data sector (30 December)

The National Data Administration released the Definitions of Terms in the Data Sector (First Batch), aimed at fostering consensus across various sectors on fundamental concepts related to data. The document covers 40 core concepts, including terms such as data, raw data, data resources, and data elements. For example, “data” is defined as any information recorded electronically or by other means, while “data resources” is defined as a collection of data with the potential to create value. The National Data Administration stated that these explanations will be iterated and refined in the future, based on practical needs and developments.

3. NFRA released management measures to guide banks and insurance institutions in standardising data processing activities and ensuring data security (27 December)

The NFRA released the Management Measures for Data Security of Banking and Insurance Institutions, aiming to clarify the obligations of these institutions in conducting data processing activities and to safeguard data and financial security. The measures emphasise the importance of tasks such as data classification and grading, regular audits, and data security risk assessments and monitoring. Specifically, regarding data classification, the measures categorise data into core data, important data, and general data. Among these, general data is further divided into sensitive data and other general data. The measures require relevant organisations to implement stricter protective measures for data classified as sensitive or of a higher level, such as conducting data security assessments prior to any data processing activities.

4. Anhui Data Exchange released trial measures for data property rights registration, standardising data property rights registration practices (3 December)

The Anhui Data Exchange released the Measures for Data Property Rights Registration at Anhui Data Exchange (Trial), providing guidelines for the registration of data property rights. The measures outline institutional requirements related to the registration process, including the responsibilities of applicants, registration authorities, registration procedures, and review processes. Regarding registration review, the registration authority will assess the applicant’s qualifications, data source, data description, and data compliance. The publication of these measures will provide institutional support to further facilitate the circulation and transaction of data property rights.

5. Guangzhou released interim measures to regulate the authorised operation and management of public data, promoting the development and utilisation of public data (12 December)

The Guangzhou Municipal Bureau of Government Services and Data Management released the Interim Measures for the Authorised Operation and Management of Public Data in Guangzhou, aimed at exploring effective routes for the authorised operation of public data and promoting its development and utilisation. The measures outline the fundamental principles and division of responsibilities for public data authorised operation, stipulating that public data shall be processed and used under the premise of ensuring data security. Additionally, the measures emphasise the legal requirements to be followed during the processes of legal acquisition, operation, transaction, and use of data, in order to standardise the authorised operation of public data.

6. Tibet Autonomous Region released management measures to promote and regulate public data management (17 December)

The Tibet Autonomous Region released the Management Measures for Public Data in Tibet Autonomous Region (Trial), aimed at promoting and regulating the management of public data and unlocking its value. The measures require public data authorities at all levels to compile a public data resource catalogues and implement unified catalogues management. Additionally, the measures regulate activities related to the aggregation, sharing, openness, and utilisation of public data, and set out corresponding requirements for the security of public data.

7. Hangzhou released regulations to promote data circulation and transactions, optimising the market-oriented allocation of data elements (23 December)

Hangzhou released the Regulations on Promoting Data Circulation and Transactions in Hangzhou, aimed at optimising the market environment for data circulation and transactions. The regulations emphasise the need to protect the legal rights and interests in the processes of ownership, use, and operation in data circulation and transaction activities, while also standardising the open access and authorised operation of public data. Additionally, the regulations outline a series of safeguarding measures, including exploring a data circulation sandbox regulatory mechanism and supporting the development of specialised data industrial zones, in order to accelerate the cultivation of the data elements market and promote data transactions and circulation.

8. Fujian CAC released implementation measures to guide businesses in standardising the filing of standard contracts for the export of personal information (24 December)

The Fujian CAC released the Implementation Measures for Filing Standard Contracts for the Outbound Transfer of Personal Information in Fujian Province, aimed at guiding and assisting local businesses in standardising the filing of standard contracts for the export of personal information. The measures outline the filing conditions, processes, and deadlines that personal information processors in Fujian must adhere to when providing personal information to overseas recipients through standard contracts clauses. This document provides clearer implementation guidance for businesses undertaking the filing process of the standard contract clauses and will help facilitate the orderly flow of data while ensuring the protection of personal information security.

9. Shanghai Pudong New Area released trial regulations to standardise the authorised operation and management of public data in Pudong New Area (30 December)

Shanghai Pudong New Area released the Trial Regulations on the Authorised Operation and Management of Public Data in Pudong New Area, aimed at regulating the authorised operation and management of public data and promoting high-quality development of the digital economy. The regulations clearly state that the Pudong New Area government may authorise qualified operational institutions to govern, develop, and provide data products and technical services based on public data from the area. Additionally, the regulations specify requirements regarding the selection standards for operational institutions, the signing of authorised operation agreements, operational evaluations, and annual reporting, to ensure the orderly conduct of public data authorised operations.

Enforcement Developments

10. MIIT published a list of Apps (SDKs) that infringe on user rights and interests, with issues including the excessive collection of personal information and inadequate SDK information disclosure (27 December)

The MIIT recently reported 22 privacy-violating Apps and SDKs. The issues involved include the illegal or excessive collection of personal information, mandatory permission requests, and inadequate disclosure of SDK information. The MIIT is continuing its efforts to address violations of user rights by Apps, and instructs the listed Apps and SDKs to rectify these issues in accordance with relevant regulations. Furthermore, the MIIT states that it will take further legal actions against App developers who fail to make the necessary corrections.

11. Beijing Communications Administration reported a list of Apps that have not rectified issues in a timely manner, involving non-disclosure of personal information collection and usage rules (30 December)

The Beijing Communications Administration recently published a list of Apps that have infringed upon user rights and interests. The issues include the collection of personal information in violation of necessity principles, failure to disclose rules for the collection and use of personal information, and failure to explicitly state the purposes, methods, and scope of such collection and use. These Apps are either publicly announced due to failure to rectify the issues or removed from the Internet for non-compliance or inadequate rectification.

12. Shanghai Communications Administration reported 36 privacy-violating Apps and mini-programs (23 December)

The Shanghai Communications Administration recently published a list of 36 Apps and mini-programs found to infringe on user rights and interests. Through random checks of mobile Internet applications in Shanghai, the administration identifies issues such as “self-starting and associated starting behaviours” and “illegal collection of personal information.” The announcement requires these Apps and mini-programs to make timely corrections within a specified period according to relevant regulations, and warns that failure to adequately rectify the issues will lead to legal actions in accordance with the laws.

13. A small loan company in Hainan summoned for illegally collecting user personal information and other violations (4 December)

The Hainan CAC and other relevant departments imposed administrative penalties on a small loan company for illegally collecting personal information and other violations, instructing the company to rectify the issues within a specified period. The administration points out that the company’s App fails to fulfil its obligation to inform users about the purposes, methods, scope, and duration of personal information processing, and collects sensitive personal information without providing a separate consent option for users. Companies are advised to take this case as a cautionary lesson, establishing a comprehensive personal information protection system, conducting internal training on time, and effectively fulfilling its obligations to protect personal information.

14. A company in Guangxi penalised by cybersecurity authorities for failing to fulfil cybersecurity responsibilities (5 December)

Recently, public security authorities in Guangxi imposed an administrative penalty on a company for failing to fulfil its primary cybersecurity responsibilities, which resulted in a system vulnerability being exploited and the destruction of some information systems and data. The authorities issue warnings about similar security risks and encouraged businesses to enhance cybersecurity by strengthening firewall and security software management. The authorities also call on individuals to improve their cybersecurity awareness and take measures such as proper password management.

15. A network technology company in Chongqing penalised for failing to fulfil cybersecurity and data security obligations (23 December)

The Chongqing CAC, in accordance with the Data Security Law, imposed administrative penalties, including orders for correction, warnings, and fines, on a network technology company and its responsible personnel. The company fails to fulfil its cybersecurity and data security obligations, including not establishing proper systems and management organisations, failing to implement effective technical measures, allowing unauthorised access, and not retaining network logs as required. The Chongqing CAC calls on businesses to strengthen their legal awareness, improve data security protection measures, and strictly fulfil their responsibilities to ensure both network and data security.

16. A software technology company in Taizhou penalised for failing to fulfil data security protection obligations (24 December)

The public security authorities in Taizhou, Zhejiang, imposed an administrative penalty on a software technology company after the database it was entrusted to build was found to have security vulnerabilities, exposing a large amount of e-government data to the risk of leakage. An investigation reveals that the company fails to fulfil its data security protection obligations and does not establish a comprehensive data security management system as required by laws. The company and its responsible personnel are fined and ordered to comply with data security protection obligations in accordance with laws and regulations.

17. National Computer Virus Emergency Response Centre reported 12 privacy-violating Apps (6 December)

The National Computer Virus Emergency Response Centre recently reported 12 privacy-violating Apps. The issues primarily involve the failure to specify the validity period of privacy policies, insufficient detail in privacy policies regarding the purposes and methods of personal information collection and use, and the provision of personal information to third parties without user consent. Additionally, some Apps do not provide convenient options for users to correct or delete personal information, fails to establish and disclose channels for filing security complaints or reports regarding personal information, and do not offer users a way to withdraw consent. In response to these issues, the National Computer Virus Emergency Response Centre advises users to be cautious when downloading and using non-compliant Apps and to carefully review App privacy policies in order to protect personal privacy information.

18. Zhengzhou CAC summoned two responsible entities over violations including failure to fulfil cybersecurity protection obligations (9 December)

The Zhengzhou CAC recently summoned two administrative entities that failed to implement cybersecurity responsibilities, leading to incidents such as data breaches. The entities are instructed to immediately rectify the issues and strengthen cybersecurity risk prevention. In the first case, an administrative entity fails to effectively supervise an outsourced information system maintenance service provider, resulting in a high-risk vulnerability in the network system database due to weak passwords, which led to the leakage of sensitive data. The second case involves a lack of effective oversight by an administrative entity over local network operators, causing frequent data breaches, page tampering, and other cybersecurity incidents within the jurisdiction.

19. National Audit Office published a report on cases of "profiteering from government data" and corrective actions (22 December)

The National Audit Office recently published a report on the rectification of issues, highlighting several cases where departments illegally charged external parties for government data obtained through information systems. The report also details the corrective actions taken. To date, the relevant entities have addressed the violations, with measures including halting the profiteering from government data via information systems and revising the management procedures for these systems.

Industry Developments

20. National Data Administration and other departments published opinions to regulate and promote the development and utilisation of enterprise data resources, unlocking the full value of enterprise data assets (25 December)

The National Data Administration and other departments issued the Opinions on Promoting the Development and Utilisation of Enterprise Data Resources, aimed at enhancing the development and utilisation of data resources that enterprises generate, legally acquire, or hold during their business operations. The opinions highlight the need to improve mechanisms for the formation, protection, and distribution of data rights and interests, as well as to strengthen enterprises’ data governance capabilities. Those authorities also stress the importance of building a comprehensive data circulation and utilisation service system, promoting high-level openness in the data sector, and creating an open, transparent, and predictable development environment to fully unlock the value of enterprise data resources.

21. National Data Administration held a meeting to focus on the high-quality development of the data industry and the promotion of development and utilisation of enterprise data resources (31 December)

The National Data Administration recently held a meeting centred on driving the high-quality development of the data industry and promoting the development and utilisation of enterprise data resources. The meeting addresses key societal issues, including the development of trusted data spaces, data rights and interests, and data export management. It is noted that, as of December 2024, nearly 90% of data export security assessments has been approved. The meeting also emphasises the importance of enterprise data resource development and utilisation in the reform of the market-oriented allocation of data elements, highlighting the need to foster a diverse range of data enterprises. Furthermore, it calls for the provision of public interest data services to small and medium-sized enterprises to help reduce their data application costs.

22. NDRC and other departments issue guiding opinions, emphasising the deepening of market-oriented data element allocation reform and promoting the high-quality development of the data industry (30 December)

The National Development and Reform Commission (“NDRC”) and other departments issued the Guiding Opinions on Promoting the High-Quality Development of the Data Industry, aimed at accelerating the high-quality growth of the data industry. The opinions call for the cultivation of diverse enterprises and categorise data enterprises into six types: data resource enterprises, data technology enterprises, data service enterprises, data application enterprises, data security enterprises, and data infrastructure enterprises. The opinions also specify the need to improve the development and utilisation of data resources, promote compliant data circulation and transactions, and strengthen dynamic security measures in the data sector. The release of these opinions emphasises the need for strengthened coordination and collaboration among the development reform in the data, education, finance, financial regulation, and securities departments at all levels, to jointly promote the implementation of the policies and measures.

23. Ministry of Finance released a pilot scheme to implement full-cycle data asset management and standardise data asset management processes (27 December)

The Ministry of Finance issued the Pilot Scheme for Full-Cycle Data Asset Management, aimed at exploring effective models for data asset management and mitigating the risks associated with the application of data asset value. The scheme selects several central government departments, central state-owned enterprise, and local financial departments as pilot departments. The focus will be on key areas such as the preparation of data asset registers, registration, authorised operation, and data circulation and transactions, to carry out full-cycle data asset management pilots. This initiative is expected to standardise data asset management processes and provide valuable experience for strengthening data asset management in the future.

24. Shanghai CAC and other departments released personal information protection compliance guide packages to raise citizens’ awareness and guide businesses towards compliant operations (4 December)

The Shanghai CAC and other departments released a series of personal information protection compliance guides aimed at both businesses and individuals. These guides are designed to help businesses implement the relevant provisions of personal information protection laws and raise citizens’ awareness of personal data protection. The three key guides—the Handbook for Personal Information Processors, the Corporate Personal Information Protection Compliance Self-Inspection Checklist, and the Shanghai Personal Information Protection Scenario Guidelines—are intended to assist businesses in managing personal information protection throughout the data lifecycle, conducting self-assessments of their compliance, and identifying compliance requirements for various scenarios. In addition, individuals can refer to the Shanghai Citizens’ Personal Information Protection FAQs to understand the security risks associated with personal information in different contexts, thereby enhancing their ability to safeguard their data.

25. Active demand for data resources registration; Qingdao leaded the way in exploring feasible routes for data asset registration (17 December)

The Data Elements and the Second Data Asset Value Conference was recently held in Qingdao, aiming to summarise the current progress in the data asset valuation process and further encourage market participants to engage in the market-oriented allocation of data elements. As of the third quarter of 2024, 54 listed companies have completed the registration of their data resources, categorising them under intangible assets, development expenditure, inventories, and other items. The conference highlights that the registration of data resources is still in its early stages, with challenges such as the low number of registered companies and the limited proportion of total assets represented by data resources. Furthermore, the conference notes that Qingdao has explored a feasible route for data asset registration, which includes steps such as “data sorting—compliance review—asset registration—value assessment—resource registration,” helping several companies successfully register their data resources.

26. Official website of the National Data Administration launched its trial run on 25 December, enhancing interaction with society and promoting high-quality development of data services (24 December)

The official website of the National Data Administration was launched on a trial basis on 25 December, aiming to expand channels for communication and interaction with various sectors of society and to promote the high-quality development of data services. The website includes sections such as organisational structure, news updates, and government affairs transparency, with the public able to access relevant content through the URL: www.nda.gov.cn.