China Monthly Data Protection Update - October 2025

Dacheng

[co-author: Ken Dai]

Developments Highlights

This monthly report outlines key developments in China’s data protection sector for October. The following events merit special attention:

  • China Issues First National Standard for Certification of Cross-Border Personal Information Processing: On September 29, SAMR (the National Standardization Administration) officially issued China’s first national standard for the certification of cross-border personal information processing activities — Information Security Technology - Requirements for Security Certification of Cross-Border Processing of Personal Information. The standard, which will take effect on March 1, 2026, sets out fundamental principles, security requirements, and obligations for safeguarding individuals’ rights in cross-border data processing. It provides the technical foundation for establishing a unified and authoritative certification system in this area.
  • Dior (Shanghai) Penalized in China’s First Public Case for Failing to Fulfill Personal Information Protection Obligations: On September 9, the MPS Cyber Administration announced an administrative penalty against Dior (Shanghai) Co., Ltd. for violating personal information protection obligations. The investigation found that the company: (1) unlawfully transferred Chinese users’ personal information to its headquarters in France without completing a data export security assessment, signing standard contracts, or obtaining personal information protection certification; (2) failed to fully inform users of how their data would be processed by overseas recipients and did not obtain separate consent; and (3) neglected to implement encryption, de-identification, and other security measures for the collected data. The authority imposed an administrative penalty under the PIPL. This marks China’s first publicly disclosed case for failure to comply with data export filing obligations.
  • CAC Releases Recent Typical Enforcement Cases on Cybersecurity, Data Security, and Personal Information Protection: On September 16, CAC released a series of recent typical enforcement cases concerning cybersecurity, data security, and personal information protection. The cases involved issues such as website tampering, data leakage, excessive collection of personal information, unlawful use of facial recognition technology, and the launch of deep synthesis services without required security assessments.

Legislation

 
China Issues First National Standard for Certification of Cross-Border Personal Information Processing

On September 29, 2025, SAMR (the National Standardization Administration) officially issued China’s first national standard for the certification of cross-border personal information processing activities, Information Security Technology — Requirements for Security Certification of Cross-Border Processing of Personal Information. The standard, which will take effect on March 1, 2026, sets out fundamental principles, security requirements, and obligations for safeguarding individuals’ rights in cross-border data processing. It provides the technical foundation for establishing a unified and authoritative certification system in this area.

MOFCOM and Eight Other Departments Issue Policy Measures to Promote Service Exports, Supporting Facilitated Cross-Border Transfers of Personal Information Within Multinational Corporations

On September 22, the Ministry of Commerce (“MOFCOM”), together with the Cyberspace Administration of China (“CAC”) and eight other departments, jointly issued the Several Policy Measures on Promoting Service Exports, setting out initiatives to support the cross-border flow of data as a production factor. The initiatives to facilitate the cross-border flow of data elements include: dynamically optimizing the negative list for data outbound transfers in pilot Free Trade Zones (“FTZs”) and exploring the establishment of a nationwide negative list system; and supporting qualified regions to pilot streamlined arrangements for the cross-border transfer of personal information within multinational corporations, allowing free flow upon completion of required assessments or certifications.

TC260 Secretariat Issues the 2025 Editions of the National Standard Systems for Data Security and Personal Information Protection

On September 16, the Secretariat of the National Cybersecurity Standardization Technical Committee (“TC260”) issued the National Standard System for Data Security (2025 Edition) and the National Standard System for Personal Information Protection (2025 Edition). Both standard systems focus on key tasks, risk prevention, and industry development priorities, and clarify the foundational, normative, and guiding roles of standards. Together, they provide unified direction and systematic support for the future formulation and revision of national standards in the fields of data security and personal information protection.

CAC Releases Draft Rules on Identifying Platforms with a Large Minor User Base or Significant Impact on Minors

On September 16, CAC, in collaboration with relevant authorities, released the Measures for the Identification of Online Platform Service Providers with a Large Minor User Base or Significant Impact on Minors (Draft for Comments). The draft details the criteria, procedures, and adjustment mechanisms for designating “key platforms.” Under the proposed rules, platforms that meet certain criteria regarding the number of minor users, user activity, content characteristics, or societal influence may be identified as key platforms and will be subject to enhanced obligations for minor protection compliance. The rules aim to implement the Regulations on the Protection of Minors in Cyberspace and reinforce the accountability of major platforms in protecting minors online.

TC260 Issues Cybersecurity Standards Guidelines on Data Processing During Platform Shutdowns

On September 16, TC260 issued the Cybersecurity Standards Practice Guidelines — Security Requirements for Data Processing During Internet Platform Service Suspension. The guidelines set out general security requirements for network data handling when a platform ceases operation, as well as specific security requirements for the processing of personal information and important data. They serve as a reference for data processors, regulators, and third-party assessment bodies.

CAC Releases Draft Provisions on the Establishment of Personal Information Protection Supervisory Committees by Major Online Platforms

On September 12, CAC issued the Provisions on the Establishment of Personal Information Protection Supervisory Committees by Major Online Platforms (Draft for Comments). The provisions focus on supervising platforms’ performance in areas such as personal information protection system development, compliance assessment, cross-border data transfers, and user rights protection. They aim to guide and regulate large internet platforms in establishing independent personal information protection supervision mechanisms, strengthen external oversight, and enhance platforms’ compliance in personal information protection.

CAC Issues Measures for the Administration of Cybersecurity Incident Reporting

On September 11, CAC issued the Measures for the Administration of Cybersecurity Incident Reporting, which will take effect on November 1, 2025. The Measures establish clear obligations, timeframes, and procedures for network operators to report cybersecurity incidents, and provide detailed classification criteria and response requirements.

NPCSC Reviews Draft Amendment to the Cybersecurity Law

On September 8, the 17th Session of the Standing Committee of the 14th National People’s Congress (“NPCSC”) reviewed the Draft Amendment to the Cybersecurity Law of the People’s Republic of China. The draft consists of nine articles and focuses on enhancing the legal liability framework. It proposes stricter penalties for violations that lead to serious consequences, such as data breaches and the paralysis of critical information infrastructure. The draft also clarifies the legal responsibilities associated with failing to address illegal online content, selling non-compliant security products, and conducting unauthorized cybersecurity certification activities. Furthermore, it introduces provisions allowing for mitigated, reduced, or exempted penalties under certain circumstances.

CAC and Other Departments Jointly Issue the Provisions on the Labeling of Artificial Intelligence-Generated Synthetic Content, Effective September 1, 2025

On September 1, CAC, together with the Ministry of Industry and Information Technology (“MIIT”), the Ministry of Public Security (“MPS”), and the National Radio and Television Administration (“NRTA”), officially implemented the Provisions on the Labeling of Artificial Intelligence-Generated Synthetic Content. The Provisions mandate that all AI-generated content, including text, images, audio, and video, be clearly marked as such. This labeling is intended to enhance user awareness and ensure traceability, thereby supporting the establishment of a transparent, equitable, and effective governance framework to foster a fair and orderly market environment and promote the healthy development of the AI industry.

Chongqing CAC Releases FTZ Negative List Administrative Measures and 2025 Version of the Cross-Border Data Transfer Negative List

On September 1, Chongqing CAC, together with the Chongqing Municipal Commission of Commerce and the Chongqing Big Data Application Development Administration, jointly released the Administrative Measures for the Negative List of Cross-Border Data Transfers in the China (Chongqing) Pilot FTZ (Trial) and the Negative List for Cross-Border Data Transfers in the China (Chongqing) Pilot Free Trade Zone (2025 Edition). The Measures and the Negative List aim to facilitate Chongqing’s development of a world-class industrial ecosystem for intelligent connected new energy vehicles (“NEVs”). Grounded in enterprises’ actual cross-border data transfer needs, the documents cover 4 business activities, 9 business scenarios, and 110 data items, encompassing the full value chain of the intelligent connected vehicle industry.

Enforcement Cases

 
MIIT Reports 29 Mobile Apps for Infringing Users’ Personal Information Rights and Interests

On September 18, 2025, MIIT released the fifth batch list of mobile applications found to have infringed upon users’ rights. According to inspections conducted by third-party testing agencies, 29 apps were identified with issues, including the illegal collection and misuse of personal information. MIIT ordered the operators of these apps to rectify the problems within a specified period and warned that those failing to comply will face penalties in accordance with applicable laws and regulations.

Qinghai CAC Handles Case Involving Data Security Risks Caused by OA System Vulnerability

Recently, Qinghai CAC imposed administrative penalties on a local transportation company for failing to fulfill its cybersecurity protection obligations. The company’s OA system contained an authentication bypass vulnerability and had its database directly exposed to the internet, storing a large amount of sensitive personal information and creating a potential data leakage risk.

MPS Cyber Administration Handles Case Involving AI Model Training Company’s Failure to Conduct Personal Information Protection Impact Assessment

During a special operation, the MPS Cyber Administration discovered that a technology company engaged in providing training datasets for AI models had processed sensitive personal information—such as facial and other biometric data—without conducting a personal information protection impact assessment as required under the PIPL. The competent local public security authority imposed administrative penalties on the company in accordance with the PIPL and ordered rectification.

MPS Releases Six Administrative Enforcement Cases Involving Failures to Fulfill Cybersecurity, Data Security, and Personal Information Protection Obligations

On September 18, MPS released six typical administrative enforcement cases uncovered during the “Protect the Net 2025” special operation. The cases involved e-government service platforms, bulk SMS systems, school information systems, e-commerce platforms, technology company apps, and a multinational enterprise. Public security authorities imposed administrative penalties and ordered rectification in accordance with the law.

CAC Releases Recent Typical Enforcement Cases on Cybersecurity, Data Security, and Personal Information Protection

On September 16, CAC released a series of recent typical enforcement cases concerning cybersecurity, data security, and personal information protection. The cases involved issues such as website tampering, data leakage, excessive collection of personal information, unlawful use of facial recognition technology, and the launch of deep synthesis services without required security assessments.

CVERC Reports 69 Apps for Illegal Collection and Use of Personal Information

On September 10, the National Computer Virus Emergency Response Center (“CVERC”) released a notice identifying 69 mobile applications that had engaged in illegal or non-compliant collection and use of personal information. The reported issues included: failure to clearly inform users of privacy policies; provision of personal data to third parties without obtaining user consent; lack of channels for account cancellation; and collection of minors’ information without obtaining consent from their guardians as required by law.

Dior (Shanghai) Penalized in China’s First Public Case for Failing to Fulfill Personal Information Protection Obligations

On September 9, the MPS Cyber Administration announced an administrative penalty against Dior (Shanghai) Co., Ltd. for violating personal information protection obligations. The investigation found that the company: (1) unlawfully transferred Chinese users’ personal information to its headquarters in France without completing a data export security assessment, signing standard contracts, or obtaining personal information protection certification; (2) failed to fully inform users of how their data would be processed by overseas recipients and did not obtain separate consent; and (3) neglected to implement encryption, de-identification, and other security measures for the collected data. The authority imposed an administrative penalty under the PIPL. This marks China’s first publicly disclosed case for failure to comply with data export filing obligations.

Yunyan District CAC Conducts Administrative Interview over Abnormal Cross-Border Data Transmission

On September 4, Yunyan District CAC conducted an administrative interview with a local enterprise concerning issues of abnormal cross-border data transmission. The investigation revealed that the enterprise had failed to fully perform its obligations for cross-border data security management. Problems identified included the lack of required security assessments, insufficient compliance reviews, and weak cybersecurity education and training. In particular, the enterprise had enabled a “cloud data” synchronization function on devices with public IP addresses, creating potential data leakage risks.

Court Litigation

 
Tesla Ordered to Provide 30 Minutes of Pre-Accident Driving Data in Industry’s First Case

On September 16, 2025, the Daxing District People’s Court of Beijing issued a first-instance judgment in the case filed by Ms. Zhang—widely known for her “rooftop protest” against Tesla—against Tesla Sales & Service (Beijing) Co., Ltd. The court ordered Tesla to provide Ms. Zhang with the complete driving data for the 30 minutes preceding the traffic accident on February 21, 2021, within ten days after the judgment takes effect. The court held that the vehicle, as an intelligent connected vehicle, generated driving data that was essential for analyzing the cause of the accident and fell within the scope of the consumer’s right to know. The case marks the first in the industry where a consumer has prevailed and obtained full vehicle data by court order.

Beijing Internet Court Releases Typical Cases Involving Artificial Intelligence Disputes

On September 10, the Beijing Internet Court released eight representative cases involving artificial intelligence (AI) disputes. The cases span diverse areas such as intellectual property, personality rights, and contractual relationships, reflecting the rapid pace of technological integration and the legal challenges in assigning responsibility. In its commentary, the Court stressed the importance of using judicial decisions to guide governance and support innovation, recognizing, for example, that AI-generated images may qualify for copyright protection and that AI-driven “deepfake” face-swapping can constitute an infringement of personality rights.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Dacheng
