China Cybersecurity and Data Protection: Monthly Update - March 2025 Issue

This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.

If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].

Our View

China’s PI Audit Regulation Finally Released: What You Need to Know

Key Highlights

In February 2025, China continued to strengthen legislative and enforcement activities in key areas of personal information protection, data cross-border flow, data resource utilisation, data security, and cybersecurity. The efforts are strengthening personal information protection in these key areas, improving the compliance system for cross-border data flow, accelerating the market-based allocation reform of data elements, and requiring enterprises to fulfil obligations in cybersecurity, data security, and personal information protection through a series of enforcement actions:

  • Personal Information Protection: The State Council, the Cyberspace Administration of China (“CAC”), and other departments have published a series of regulatory documents, including administrative regulations and management measures, to further refine compliance audit requirements for personal information protection and promote the compliant use of public safety video image information systems. Additionally, both the national and local CACs have conducted extensive and in-depth enforcement actions against Apps with major issues, such as non-compliance in providing deletion or correction functions for personal information, to protect the legitimate rights of personal information subjects.
  • Data Cross-Border Flow: The Shanghai and Hainan CACs, among others, have published negative lists for data exports from the Free Trade Zones (“FTZs”), providing convenience for enterprises within the FTZs to carry out data cross-border flow activities. Furthermore, the State Council and the national CAC have held multiple meetings to introduce data cross-border flow matters to foreign enterprises, offering guidance and assistance in helping them achieve data cross-border flow legally, compliantly, efficiently, and with high quality.
  • Data Resource Utilisation: The National Data Administration and the Ministry of Public Security have launched mechanisms for nationwide data resource statistics and surveys to better understand the extent of the country’s data resources. In terms of public data development and utilisation, the Beijing Municipal Bureau of Government Services and Data Management (“Government Services and Data Bureau”) plans to release implementation opinions to accelerate the compliant development and utilisation of public data resources. Moreover, the national public data resource registration platform has started trial operation, which will contribute to enhancing the management and sharing of public data resources.
  • Cybersecurity and Data Security: The National Technical Committee 609 on Data of Standardisation Administration of China (“TC609”) has published a national standards demand list for the data sector, promoting the standardisation and systematisation of the data field. Additionally, both national and local CACs as well as the public security authorities continue to strengthen enforcement activities in data security and cybersecurity, urging enterprises to fulfil their cybersecurity responsibilities and enhance their data security governance capabilities.

 

Follow the links below to view the official policy documents or public announcements.

Legislative Developments

1. CAC released management measures, refining the compliance audit obligations for personal information protection and guiding enterprises in implementing compliance audits (14 February)

The CAC issued the Management Measures for Personal Information Protection Compliance Audit, aiming to refine and regulate compliance audit activities related to personal information protection and enhance enterprises’ capabilities in safeguarding personal information. The management measures and corresponding compliance guidelines clarify the scope, frequency, triggering conditions, qualifications of professional audit institutions, and specific audit content for conducting audits. These measures will provide more concrete practical guidance for enterprises in carrying out personal information protection compliance audits, further ensuring adherence to laws and regulations such as the Personal Information Protection Law and the Regulations on Network Data Security Management.

2. State Council issued regulations to standardise the management of public security video image information systems and strengthen the protection of privacy and personal information rights (10 February)

The State Council released the Regulations on the Management of Public Security Video Image Information Systems, aimed at standardising the deployment and use of public security video image information systems and enhancing both public security and personal privacy protection. According to these regulations, enterprises are permitted to install public video systems in public areas with potential security risks, such as commercial centres and parking lots. However, the installation of such surveillance devices is strictly prohibited in restricted areas such as hotels and restaurants. Additionally, the regulations specify the storage duration and security management requirements for video image information, which will further promote a balance between safeguarding public security and protecting personal information.

3. National Data Administration and Ministry of Public Security issued systems to clarify statistical survey requirements for data resources, aiming to further understand the national data resources and development trends (21 February)

The National Data Administration and the Ministry of Public Security jointly issued the National Data Resources Statistical Survey System, aimed at understanding the national data resources and future data development trends through statistical surveys. According to this system, relevant entities, including central enterprises, certain banking institutions, data trading agencies, data service providers, data users, as well as national administrative bodies, public institutions, and social organisations, are required to annually conduct surveys on the data resources they own or control, following the prescribed methods. These entities must report their findings to the relevant regulatory authorities so that the state of data resources in China is reflected accurately, promptly, and comprehensively.

4. Beijing Government Services and Data Bureau planned to issue implementation guidelines to accelerate the development and utilisation of public data resources, fully unleashing the potential of public data elements (5 February)

The Beijing Government Services and Data Bureau opened the public consultation on the Implementation Opinions on Accelerating the Development and Utilisation of Public Data Resources in Beijing, aiming to expedite the efficient development and use of public data resources in Beijing. The implementation guidelines propose twenty key measures across six areas, including but not limited to strengthening the foundation for public data development and utilisation, streamlining channels for public data development and utilisation, and improving the public data security system. Through these initiatives, Beijing aims to establish a mature public data development and circulation system by 2030, thereby empowering the market-based allocation reform of data elements.

5. Shanghai CAC and other departments released negative list, management measures, and corresponding implementation guidelines, further clarifying the data export compliance mechanism for reinsurance, international shipping, and trade sectors in the FTZ and Lin-gang Special Area (8 February)

The Shanghai CAC and other departments issued the Negative List for Data Export in the China (Shanghai) Pilot Free Trade Zone (2024 Version), along with its management measures and implementation guidelines, aimed at promoting the orderly export of data from the FTZ and guiding enterprises in the correct use of the related list. The newly released negative list adjusts the data export compliance requirements for the reinsurance, international shipping, and trade sectors within the Shanghai FTZ and the Lin-gang Special Area. For example, regarding the export of personal information, the threshold to trigger security assessment for these three sectors has been raised from the one million individuals set under the Regulations on Promoting and Regulating Cross-Border Data Flows to ten million, significantly lowering the compliance threshold for enterprises in these sectors to transfer data out of China.

6. Hainan CAC and other departments released negative list, clarifying the data export compliance mechanism for five specific industries including deep-sea, aerospace, tourism, and others, to regulate and facilitate cross-border data flow in the Free Trade Port (20 February)

The Hainan CAC and other departments issued the Data Export Management List for Hainan Free Trade Port (Negative List) (2024 Version), aimed at regulating and facilitating cross-border data flow activities in the Hainan Free Trade Port. This negative list specifies the compliance thresholds and conditions for data export in five specific industries: deep-sea, aerospace, seed industry, tourism, and duty-free retail businesses. It also defines the scope of important data in each scenario, helping relevant enterprises in the Free Trade Port to effectively categorise their data and choose the appropriate compliance mechanism for data export.

Enforcement Developments

7. CAC reported on 2024 law enforcement, focusing on cracking down on businesses failing to fulfil cybersecurity and data security obligations, as well as Apps infringing on personal information rights and interests (25 February)

The CAC reported on the law enforcement activities of cyberspace authorities in 2024, with a strong emphasis on combating various illegal acts and regulatory violations online. According to the data provided by the CAC, in 2024, the cyberspace authorities interviewed 11,159 websites and platforms, issued warnings or fines to 4,046 platforms, ordered 585 websites to suspend certain functions or updates, and removed 200 mobile Apps and 40 mini-programs. In collaboration with telecommunications authorities, they cancelled the licenses or registrations of illegal websites and shut down 10,946 such websites. Additionally, they urged relevant websites and platforms to fulfil their responsibilities and legally shut down 107,802 accounts. In the fields of cybersecurity and data protection, the cyberspace authorities focused on cracking down on violations such as failing to meet legal cybersecurity and data security obligations, not ensuring the protection of personal information, and launching Apps offering generative AI services without proper security assessments. Penalties, including warnings, orders for corrections, fines, and App removals, were imposed in accordance with the law.

8. CAC reported a batch of Apps infringing on personal information rights and interests, with a focus on tackling issues such as users’ difficulty in account cancellation (19 February)

The CAC reported on 82 Apps (including mini-programs) that infringe on personal information rights and interests, taking enforcement actions such as removal from App stores and ordering them to rectify within a specified period. Most of these Apps fail to provide or effectively implement account cancellation features and do not complete account cancellations within the promised timeframe, which are typical issues of not complying with legal requirements for deleting or correcting personal information. Additionally, some Apps are found to have issues such as privacy policies that cannot be accessed, indicating non-disclosure of data collection and usage rules.

9. National Computer Virus Emergency Response Centre reported 14 privacy-violating Apps (17 February)

The National Computer Virus Emergency Response Centre recently reported on 14 Apps exhibiting privacy non-compliance issues. These issues primarily include failure to properly provide privacy policies, absence of mechanisms allowing users to withdraw consent for data collection, and lack of specific rules for processing the personal information of minors. In response to these issues, the centre advises users to be cautious when downloading and using non-compliant Apps, and to carefully read their user agreements and privacy policies.

10. Shanghai CAC interviewed a batch of App operators, focusing on violations of users’ right to delete personal information due to non-compliance in providing data deletion or correction features (27 February)

The Shanghai CAC conducted interviews with the operators of over ten Apps in its jurisdiction that failed to provide the legally required features for deleting or correcting personal information. The administration has ordered these companies to make immediate corrections. This move follows the CAC’s earlier orders for these privacy-violating Apps to rectify their issues. The interviews aim to further understand local companies’ non-compliance situations, allowing regulatory bodies to offer corrective guidance and urge businesses to adopt effective measures to protect the personal information rights and interests of users in accordance with the law.

11. Ordos CAC interviewed two entities, addressing issues such as inadequate implementation of cybersecurity and data security primary responsibilities (25 February)

The Ordos CAC conducted interviews with two entities that violated the Cybersecurity Law and the Data Security Law, instructing them to immediately rectify the issues and strictly implement their cybersecurity responsibilities. According to the interviews, one entity failed to properly implement cybersecurity measures for its information systems, with issues such as weak passwords and high-risk vulnerabilities, leaving the system operating with security flaws and posing significant cybersecurity risks. The other entity failed to anonymise sensitive personal information, resulting in the risk of personal information leakage.

Industry Developments

12. CAC held a seminar to introduce China's cross-border data flow policies and regulations to EU businesses in China, as well as the China-EU data cross-border flow mechanism (25 February)

The CAC held a seminar in Beijing for EU businesses in China, introducing China’s cross-border data flow policies and regulations, as well as the China-EU data cross-border flow mechanism. The seminar also addressed questions from EU businesses regarding cross-border data flow. Representatives from 23 EU companies in China and the China-EU Chamber of Commerce attended the meeting and expressed positive feedback on China’s policies and measures to promote and regulate cross-border data flows.

13. State Council held a routine briefing to explain the approval process for cross-border data flow applications by foreign enterprises, providing guidance to help foreign businesses comply with laws and regulations for efficient cross-border data flow (20 February)

The State Council held a routine policy briefing to address concerns raised by foreign enterprises regarding challenges in cross-border data flows. The meeting introduced a series of measures and achievements aimed at promoting and facilitating the cross-border data flow of foreign businesses. It highlighted that, under laws and regulations such as the Regulations on Promoting and Regulating Cross-Border Data Flows, the vast majority of foreign enterprises’ applications for cross-border data flow have been approved.

14. TC609 released the first batch of the national standards demand list for the data sector in 2025, urging relevant individuals and organisations to submit applications (10 February)

TC609 released the first batch of the national standards demand list for the data sector in 2025, encouraging relevant organisations to actively apply. This list covers several aspects, including data terminology definitions, data service capability assessments, and data quality evaluations for analysis and machine learning, among others. It aims to enhance the foundational, regulatory, and leading roles of national standards in the national data work system.

15. MIIT and 13 other departments announced the list of typical cybersecurity technology application projects for 2024, with 135 demonstration projects selected (5 February)

The Ministry of Industry and Information Technology (“MIIT”) and 13 other departments announced the list of typical cybersecurity technology application projects for 2024, with 135 cybersecurity management demonstration projects from nearly 300 enterprises standing out in this selection. This initiative aims to select high-quality demonstration projects to encourage enterprises to continuously strengthen their cybersecurity management and create high-quality, cutting-edge technology innovation platforms for cybersecurity.

16. The National Public Data Resource Registration Platform was launched for trial operation on 1 March 2025, aiming to strengthen public data resource management and sharing (19 February)

The National Public Data Resource Registration Platform was launched for trial operation on 1 March 2025, with the goal of enhancing public data resource management and sharing, and fully unlocking the value of data. The establishment of this platform will accelerate the development and utilisation of public data resources and play a significant role in promoting government data sharing applications, exploring public data authorised operations, and creating diverse data application scenarios.
