China Data Protection and Cybersecurity: Annual Review of 2024 and Outlook for 2025 (I)

Written By

James Gong

Legal Director
China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

Fengming Jin

Associate
China

I am an associate in the Privacy and Data Protection practice in our Beijing office. I am experienced in data privacy, cybersecurity, telecommunications, and employment law compliance.

In 2024, China continued to deepen its practices in cybersecurity and data compliance governance. Regulators in various industries have successively introduced a large number of new laws and regulations, further refining the obligations of businesses in areas such as personal information protection, data security, and cybersecurity. Notably, as restrictions on cross-border data flow gradually ease, China is accelerating the exploration of updated pathways to ensure the safe and orderly flow of data across borders. At the same time, pilot programmes for personal information protection compliance audits have been gradually launched, with the aim of accumulating valuable experience to support the promotion and application of relevant national standards. Furthermore, under the coordination of the National Data Bureau, the establishment of basic systems for data is advancing steadily. Through local pilot initiatives, efforts are being made to fully harness and activate the market value of data elements, thus promoting the development of the digital economy.

As we head into 2025, the implementation of the Regulations on Network Data Security Management will introduce new requirements for businesses in terms of cybersecurity and data compliance governance. In addition to these, what new challenges will businesses face? In the following two-part series, we will further explore the progress of data protection and cybersecurity developments for China in 2024, and how it is likely to shape the landscape in 2025.

We highlight our observations on major regulatory and enforcement developments in the data protection and cybersecurity area in 2024 from the following four perspectives:

  • Personal information protection, where a large number of legislative updates in this area are aimed at further implementing the specific requirements of the Personal Information Protection Law (“PIPL”). These regulatory changes cover a range of topics, including cross-border data transfer, personal information protection compliance audits, electronic identity authentication, and enforcement actions targeting personal information protection in the consumer sector.
  • Data security, where China has issued its first administrative regulation in the realm of data protection and cybersecurity, the Regulations on Network Data Security Management (“Network Data Regulations”). This document provides detailed provisions on multiple aspects, including data classification and protection, network data security responsibilities, personal information protection, the security management of important data, and the cross-border flow of data. Additionally, various key industries have issued regulatory documents to enhance the compliance governance of sector-specific data, further raising the standards of data security management.
  • Cybersecurity, a realm where the Network Data Regulations explicitly require network data processors to adopt necessary technical and other measures to strengthen network data security defences. Additionally, we have observed that the release or forthcoming issuance of several national standards and industry guidelines provides businesses with specific guidance for implementing cybersecurity protections. On the enforcement side, ongoing cybersecurity law enforcement activities have further reinforced network security governance, urging businesses to strictly fulfil their primary responsibility for cybersecurity and to enhance their security protection levels.
  • Data exchange and transactions, where the development of basic systems for data exchange and transactions is accelerating, with local governments actively exploring measures on the authorised operation of public data, the inclusion of data assets in balance sheets, and the registration of data-related intellectual property rights. These initiatives are designed to strengthen the effective development and utilisation of data resources. Not only do they promote the dynamic growth of the data element market, but they also provide enterprises with a robust regulatory framework for engaging in data exchange, transactions, and related activities.

In this first article, we outline three major highlights for China in the area of data protection and cybersecurity regulation in 2024, as well as the development of personal information protection.

Part One: Highlights of the Year 2024

In 2024, we witnessed significant progress in the following three areas:

  • Cross-border data transfer, where the official release of the Regulations on Promoting and Regulating the Cross-Border Data Flow (“Cross-Border Data Regulations”) provides clear guidelines on the three routes for cross-border data transfer set out in the PIPL. The Cross-Border Data Regulations further clarify the compliance requirements for enterprises transferring data across borders, supporting the safe and orderly flow of cross-border data. Under their guidance, the Guangdong-Hong Kong-Macao Greater Bay Area (“GBA”) and various Free Trade Pilot Zones (“FTZs”) have actively introduced measures to facilitate data export by businesses operating within these regions.
  • Personal information protection, where measures implementing the relevant provisions of the PIPL are being gradually rolled out. For instance, after the PIPL and other related laws and regulations called for personal information protection compliance audits, the Network Data Regulations reiterated this requirement. In July 2024, the national standard Data Security Technology - Personal Information Protection Compliance Audit Requirements (Exposure Draft) (“Audit Requirements”) was released, which elaborates on this requirement and is intended to give businesses specific operational guidance for conducting compliance audits. Recently, pilot programmes for personal information protection compliance audits based on the Audit Requirements have been gradually launched, with the goal of accelerating the implementation of such audits. Also in July, the Management Measures for National Network Identity Authentication Public Services (Exposure Draft) were released; building on definitions of the Network ID Number and Network ID Certificate, they set out specific provisions on how to apply for and use these identifiers.
  • Network data security management, where China’s first administrative regulation in the realm of network data security governance, the Network Data Regulations, was officially released, further strengthening coordination among the three framework laws: the PIPL, the Data Security Law, and the Cybersecurity Law. The Network Data Regulations also refine the principle-based provisions of those laws. They categorise the different responsible entities and specify the compliance requirements that each type of entity must observe when processing network data. Notably, the Network Data Regulations contain a dedicated chapter on the management requirements for important data security and emphasise that local authorities should promptly establish catalogues of important data for relevant industries and sectors, which will assist businesses in identifying and declaring important data.

In addition to the developments mentioned above, China also released a series of implementation regulations, detailed rules, and national or industry standards in 2024, either for public consultation or formal enactment. These measures aim to provide more detailed guidance for data and cybersecurity compliance, further enhancing China’s data protection and cybersecurity governance and enforcement efforts.

Part Two: Personal Information Protection

I. Regulatory Developments

1) Cross-Border Data Transfer Mechanism

Prior to 2024, China maintained a relatively strict regulatory approach towards businesses engaged in cross-border data transfer. Through earlier practice, China had established three routes for such transfers: data export security assessments, standard contract filings, and personal information protection certification (together, the “Data Export Safeguard Measures”). In March 2024, however, the Cyberspace Administration of China (“CAC”) released the Cross-Border Data Regulations, which introduce several rules that significantly ease the compliance burden on businesses under the Data Export Safeguard Measures. These include exemptions for scenarios in which cross-border data transfer is deemed necessary, adjustments to the thresholds that trigger the Data Export Safeguard Measures, and streamlined filing materials and procedures (see our separate commentary on the Cross-Border Data Regulations).

Additionally, in November, the CAC released the Compliance Guidelines on Data Export in China, which summarise the requirements set out in the Cross-Border Data Regulations and outline the scope of application and detailed procedures for businesses to conduct data export security assessments and standard contract filings. The guidelines also provide contact information of the provincial-level CACs, helping businesses better understand and comply with the requirements for cross-border data transfer.

Since the Cross-Border Data Regulations took effect, the efficiency of data export security assessments and standard contract filings has improved significantly. According to data disclosed by the CAC, by December 2024 a total of 285 data export security assessment submissions had been reviewed and completed, with a pass rate of approximately 90%. The time from submission to receipt of the assessment result has also been greatly reduced, to 30 working days. As for standard contract filings, 1,071 filings for personal information export standard contracts had been completed by December. With the exemptions provided under the Cross-Border Data Regulations, the number of filings decreased by approximately 50% year-on-year. The disclosed data indicate that the Cross-Border Data Regulations have effectively improved the efficiency of cross-border data transfer activities, thereby strongly promoting the cross-border flow of data.

At the regional legislative level, with the release of the Cross-Border Data Regulations, the GBA and various FTZs have actively followed suit, introducing a series of policy documents to promote cross-border data flow for businesses within the regions:

  • GBA: After the signing of a memorandum of cooperation on cross-border data flow between Mainland China and Hong Kong in 2023, along with the release of related standard contract implementation guidelines (on which we have commented separately), the CAC and the Government of the Macao Special Administrative Region signed the Memorandum of Cooperation on Facilitating Cross-Border Data Flow within the Guangdong-Hong Kong-Macau Greater Bay Area in September 2024. Subsequently, they jointly released the Implementation Guidelines for Standard Contracts on Cross-Border Personal Information Flow in the Guangdong-Hong Kong-Macau Greater Bay Area (Mainland China, Macao). These guidelines further facilitate the safe and orderly flow of personal information between Mainland China and Macao within the GBA and strengthen the collaboration on cross-border data flow between the two regions. Additionally, to promote the safe and orderly cross-border flow of personal information in the GBA, the National Cybersecurity Standardisation Technical Committee (“TC260”) released the Cybersecurity Standards Practice Guide—Requirements for Cross-Border Processing and Protection of Personal Information in the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) in November 2024, providing a basis for certification and recognition under the mutual recognition of personal information cross-border security within the GBA.
  • FTZs: The Cross-Border Data Regulations grant the FTZs the authority to independently develop negative lists for data export and explicitly state that businesses within these FTZs may transfer data not on the negative list outside China without implementing any Data Export Safeguard Measures. Following this, the Tianjin FTZ released China’s first FTZ negative list on 9 May, setting out restrictions and requirements on cross-border data flow. On 26 August, the Beijing FTZ also issued a negative list for data export and its management measures, defining the procedures for data export within the FTZ and adjusting the thresholds that trigger the Data Export Safeguard Measures in sectors such as pharmaceuticals, civil aviation, retail, modern services, and artificial intelligence training data. Furthermore, in 2024 the Shanghai FTZ introduced several normative documents to support cross-border data flow within the FTZ. Before the release of the Cross-Border Data Regulations, the Shanghai FTZ had issued the Measures for Classified and Hierarchical Management of Cross-Border Data Flow in the China (Shanghai) Pilot Free Trade Zone Lingang New Area (Trial) in February, classifying cross-border data into three categories (core data, important data, and general data) and requiring relevant bodies to issue a general data list for general data. After the release of the Cross-Border Data Regulations, and diverging from the single-list approach of issuing only a negative list for data export, the Lingang New Area of the Shanghai FTZ continues to adopt a dual-list approach of “general data list + negative list.” Accordingly, on 17 May, the Lingang New Area published the first batch of its scenario-based general data list for cross-border data, covering three fields: intelligent connected vehicles, public funds, and biomedicine. The list states that data on the general data list may flow freely across borders from the FTZ provided the relevant management requirements are met.

At the international cooperation level, China launched the Global Cross-Border Data Flow Cooperation Initiative in 2024, calling for enhanced international collaboration to jointly promote global cross-border data flow and facilitate trade. Furthermore, China and the European Union formally established a China-EU Cross-Border Data Flow Exchange Mechanism, and China signed the Memorandum of Understanding on Sino-German Cooperation in Cross-Border Data Flow with Germany, actively advancing Sino-European cooperation on cross-border data. These initiatives not only demonstrate China’s proactive stance in global data governance but also offer new opportunities for international data cooperation. In 2025, we will continue to monitor the progress of these cooperative arrangements and their impact on global data flow.

2) Personal Information Protection Compliance Audits

Personal information protection compliance audits are a crucial step in assessing whether an enterprise’s personal information protection practices comply with legal requirements. In China, laws and regulations such as the PIPL and the Regulations on the Protection of Minors in Cyberspace establish the fundamental provisions for enterprises to carry out personal information protection compliance audits. The Network Data Regulations also require network data processors to regularly conduct compliance audits of their personal information processing, either independently or through professional agencies.

To refine these requirements and provide guidance for businesses conducting such audits, the CAC issued the Management Measures for Personal Information Protection Compliance Audit (Exposure Draft) in 2023 (“Management Measures”). These measures aim to provide specific guidance on how personal information protection audits should be conducted (see our separate commentary on the Management Measures). In 2024, the TC260 issued the Audit Requirements, which provide national standard-level guidance to assist businesses in implementing and carrying out the related compliance audits. The Audit Requirements cover various aspects of the personal information protection compliance audit process, including procedures, evidence, content, and audit methods, for businesses to reference. Building upon the Management Measures, the Audit Requirements supplement the audit content on the minimum necessity of personal information collection and, in accordance with the Regulations on the Protection of Minors in Cyberspace, add audit content focused on the protection of minors’ personal information. Furthermore, because the Management Measures were published before the Cross-Border Data Regulations, the Audit Requirements incorporate provisions on the cross-border transfer of personal information under the Cross-Border Data Regulations.

To verify the scientific validity, operability, and applicability of the Audit Requirements, the TC260 has launched a pilot programme for personal information protection compliance audits. The pilot programme involves 36 selected entities across sectors such as the Internet, finance, transportation, healthcare, and telecommunications, and aims to implement the personal information protection compliance audit requirements gradually. Through the practical experience of these pilot entities, the relevant authorities will be able to gather feedback and insights, further improve the audit requirements, and ensure their effective application across industries. This initiative will not only help raise enterprises’ compliance levels but also provide a more robust safeguard for personal information protection.

3) Detailed Provisions Relating to the PIPL Principles across Multiple Sectors

In 2024, explicit personal information protection requirements were introduced in several areas, including logistics, network identity authentication, and mobile application governance.

At the national level, the State Post Bureau issued the Management Measures for the Security of Personal Information in Delivery Services (Exposure Draft) in February 2024, clarifying the compliance requirements for logistics companies when processing users’ personal information. In July, the Ministry of Public Security and the CAC jointly released the Management Measures for National Network Identity Authentication Public Services (Exposure Draft), which set out the application conditions and usage scenarios for network identity authentication in order to enhance the protection of personal information online (see our separate commentary on network identity authentication). At the end of the year, the State Council deliberated and approved the Draft Regulation on the Management of Public Security Video Image Information Systems, aimed at regulating the construction and use of public security video systems.

At the regional level, provinces and cities are further refining the provisions of the PIPL for specific application scenarios, providing practical guidance for businesses in their personal information protection compliance efforts. For instance, the Shanghai Internet Association published the Compliance Guide for Protecting Personal Information and User Rights in Mobile Internet Applications to guide relevant entities in fulfilling their obligations under the PIPL and effectively safeguarding users’ personal information. In December, the Shanghai CAC and the Shanghai Municipal Administration for Market Regulation jointly issued four sets of personal information protection guidelines for businesses and individuals, aimed at helping businesses comply with personal information protection requirements and raising citizens’ awareness of personal information protection. In July, the Nanchang CAC released the Compliance Guidelines for Consumer Personal Information Protection in QR Code Payment Services in Nanchang, offering practical recommendations for businesses providing QR code-based consumer services and strengthening personal information protection in this field.

II. Enforcement Developments

In 2024, China continued to strengthen law enforcement in personal information protection, ensuring that businesses effectively comply with and implement the relevant requirements of the PIPL and other related laws and regulations. A wide range of governmental bodies, including the Ministry of Industry and Information Technology (“MIIT”), the CAC, public security departments, and the Administrations for Market Regulation, have been actively involved in these enforcement activities. 

Additionally, many regions have carried out sustained special enforcement actions focused on personal information protection. By combining online enforcement with offline supervision and concentrating on common consumer scenarios, these actions require businesses to properly fulfil their personal information protection obligations, safeguard the security of citizens’ personal information, and uphold personal information rights and interests. Overall, the trend of administrative enforcement in personal information protection continued in 2024, with ongoing efforts to deepen enforcement activities in key sectors.

Apps, mini-programmes, and websites

Regulators: the CAC (and its local branches), the MIIT (and its local branches), and local public security departments.

Enforcement overview and key focus:
  • In 2024, the CAC and the MIIT carried out continuous governance efforts targeting Apps, SDKs, and mini-programmes that illegally collect and misuse personal information. Specifically:
    - The MIIT and its local branches continued to report on several batches of Apps, SDKs, and mini-programmes that infringed on users’ personal information rights in 2024. The issues involved include the excessive collection of personal information and failure to disclose rules for the processing of personal information.
    - Local CACs also conducted enforcement activities focused on rectifying problems such as the illegal collection of personal information by Apps in key daily consumer scenarios such as catering and parking (see the local special governance actions below).
  • In 2024, local CACs and public security departments conducted extensive enforcement activities regarding the implementation of personal information protection obligations by small and medium-sized enterprises. For instance:
    - A company in Qinzhou, Guangxi, collected tens of thousands of personal information records through rented Apps but failed to establish the internal management systems and operating procedures required of it, and thus failed to fulfil its personal information protection obligations; the public security departments imposed administrative penalties.
    - The Shanghai CAC handled a series of penalty cases under the PIPL. The violations included a real estate agency failing to implement personal information security protection measures and a catering company neglecting its primary responsibilities, which led to security vulnerabilities in the system storing personal information.

Penalties:
  • Interviews with the operators of the relevant Apps, mini-programmes, and websites;
  • Regular public reporting of violators, with deadlines set for the necessary corrections;
  • Removal of those that fail to comply or do not properly address the required corrections; and
  • Warnings and mandated rectification for enterprises that do not meet their personal information security protection obligations.

Local personal information protection special governance actions

Regulators: local CACs.

Enforcement overview and key focus:
  • In 2024, local CACs in various regions launched special governance actions aimed at addressing key issues related to the infringement of personal information rights in common consumer sectors. Among these, the governance of Apps and mini-programmes became a major focus. During these actions, local CACs also engaged in on-the-ground efforts, requiring the relevant companies to fulfil their responsibilities for personal information security protection through offline interviews. Examples of special governance actions undertaken in certain regions in 2024 include:
    - Shanghai launched the “Bright Sword Pujiang 2024” special enforcement action for personal information rights protection in the consumer sector. This initiative targeted key scenarios in daily consumer activities, such as QR code-based ordering, parking QR code scanning, misuse of facial recognition, protection of minors’ personal information, and ticket purchasing services for tourist attractions, with the aim of regulating personal information processing by enterprises. During the action, issues such as excessive collection of personal information, mandatory demands for it, and inducements to provide it by Apps and mini-programmes were addressed, including through multiple compliance training sessions for 24 coffee chain enterprises in Shanghai.
    - Chongqing focused on three types of QR code-based consumption scenarios (parking, catering, and supermarket shopping) by launching a three-month special enforcement action for personal information protection.
    - Hunan initiated the “Bright Sword Huxiang - Personal Information Rights Protection in the Consumer Sector” special action, which concentrated on rectifying issues such as the illegal collection and use of citizens’ personal information by Apps.

Penalties:
  • Violating Apps and mini-programmes were publicly reported and ordered to rectify the violations within a specified period.
  • During offline enforcement activities, non-compliant businesses were issued warnings and required to make corrections.
  • Local special governance actions also typically involve offline interviews with non-compliant businesses, requiring them to promptly rectify their practices through measures such as compliance training.

Typical cases of personal information protection

Regulators: people’s courts, people’s procuratorates, and local Administrations for Market Regulation.

Enforcement overview and key focus:
  • The Beijing Internet Court released several batches of typical cases involving personal information protection, focusing on key issues such as AI-based face-swapping, the collection of personal information by Apps without consent, and the failure to fulfil security obligations related to personal information protection.
  • The Supreme People’s Procuratorate issued a batch of typical cases on the prosecution of cybercrimes, including a case involving the offence of infringing on citizens’ personal information. In that case, the defendant illegally purchased and resold WeChat accounts containing citizens’ personal information, profiting unlawfully through online channels.
  • The Shanghai Municipal Administration for Market Regulation published a series of typical cases concerning consumer personal information protection. These cases involved issues such as the unauthorised use of facial recognition technology to collect personal information without consumer consent, the illegal collection and use of consumers’ personal information, and failure to demonstrate a legal source for personal information.

Penalties: these cases led to remedies such as cessation of the infringement, deletion of personal information, public apologies, compensation for damages, warnings, and fines.

III. Outlook for 2025

Some of the new laws and regulations released in 2024 are extensions of the regulatory efforts initiated in 2023. For instance, the Audit Requirements updated the process for personal information protection compliance audits based on the Management Measures. Others are more specific elaborations on the principles outlined in the PIPL, reflecting the continuity of China’s legislative efforts in personal information protection.

Looking ahead to 2025, we expect China to further refine the relevant principles of the PIPL to ensure that top-level design is effectively implemented at the application level. In line with the legislative and enforcement trends of 2024, we anticipate the following developments in 2025:

  • Implementation of personal information protection audits: To date, neither the Management Measures nor the Audit Requirements have been officially issued. While entities can refer to the draft-for-comment versions to initiate personal information protection compliance audits, practical issues remain that require attention from the relevant authorities. For instance, the current drafts stipulate that businesses must conduct audits annually or biennially, but the exact meaning of “annually” remains unclear: it is not specified whether companies should follow the calendar year or the financial year, which may affect the scheduling and compliance of audit practices. With the launch of pilot programmes for personal information protection compliance audits in 2024, these issues may gradually be resolved through practical experience and eventually reflected in legislation. This will help businesses better understand and implement the compliance requirements, ensuring the effectiveness and sustainability of personal information protection efforts.
  • Ongoing optimisation and standardisation of Data Export Safeguard Measures: With the successful implementation of the Cross-Border Data Regulations and the growing demand for cross-border data transfers, we anticipate that China will continue to optimise and standardise cross-border data transfer activities in 2025. This will primarily be reflected in the continued release and adjustment of negative lists in various FTZs, as well as in the promotion of cross-border data cooperation in the GBA. In addition, the long-standing issues with the personal information protection certification route, such as complex certification processes, low approval rates, and high costs, have resulted in its limited practical adoption. On 3 January 2025, the CAC released the Measures for Personal Information Protection Certification for Personal Information Export (Exposure Draft) (“Certification Measures”), aiming to facilitate personal information export activities and regulate personal information protection certification. In terms of content, the Certification Measures do not represent a substantive breakthrough in the legal foundation of earlier personal information protection certification efforts. However, we can expect the relevant authorities to promote the development of the certification system by increasing the number of specialised certification institutions, shortening certification timelines, and taking other measures. This will help businesses conduct cross-border data transfers more efficiently while ensuring the security and compliance of personal information.
  • Strengthening international exchange and cooperation on cross-border data transfer: We expect that in 2025, China will continue to enhance international cooperation to facilitate cross-border data flow by signing memorandums of understanding, promoting personal information protection certifications, and even establishing mutual recognition mechanisms with other countries. Additionally, China is likely to participate in the development of international standards and regulations in this area.
  • Normalisation of personal information protection enforcement: We anticipate that in 2025, China will continue to conduct regularised enforcement in the field of personal information protection. The CAC, the MIIT, the public security departments, and other authorities will continue to collaborate in accordance with their respective responsibilities to carry out widespread enforcement. The scope of enforcement will expand, covering not only lower-tier markets but also medium-sized enterprises, with multi-layered regulatory approaches. In terms of enforcement methods, both online and offline approaches will be further developed to ensure comprehensive and multi-dimensional supervision of personal information protection.


If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected]
