On November 29, 2025, the Ministry of Public Security (“MPS”) released the Measures for the Supervision and Inspection of Cyberspace Security by Public Security Organs (Draft for Comments). The draft expands oversight from Internet security to the broader scope of cyberspace security, bringing data processors and personal information handlers within supervisory reach. It introduces a combined online–offline inspection model, requires annual checks for Critical Information Infrastructure Operators and for networks graded at Level III or above under the Multi-Level Protection Scheme (MLPS), and outlines related rectification obligations.
Shanghai Issues Shanghai Compliance Guidelines for Network Data Security and Personal Information Protection in Medical Service Internet Enterprises
Addressing frequent data security incidents in the sector, the Shanghai Cyberspace Administration (“CA”), in conjunction with local market and health regulators, launched a targeted rectification campaign on November 25, 2025. Concurrently, authorities issued the Shanghai Compliance Guidelines for Network Data Security and Personal Information Protection in Medical Service Internet Enterprises. The initiative aims to standardize industry practices, enhance local compliance levels, and mitigate sector-specific risks associated with online medical services.
TC260 Issues Practice Guidelines for Cybersecurity Standards: Personal Information Identification, De-identification, and Anonymization (Drafts for Comments)
On November 24, the National Cybersecurity Standardization Technical Committee (“TC260”) released three draft practice guidelines for public consultation: the Personal Information Identification Guide, the Personal Information De-identification Guide, and the Personal Information Anonymization Guide. These standards aim to provide data processors with detailed, operational implementation rules.
CAC and MPS Jointly Issue Provisions on the Protection of Personal Information by Large Network Platforms (Draft for Comments)
On November 22, the Cyberspace Administration of China (“CAC”) and the MPS jointly released the Provisions on the Protection of Personal Information by Large Network Platforms (Draft for Comments). The draft sets out criteria for identifying large platforms, requirements for organizational structure and accountability, and obligations on data localization and data center construction. It also clarifies individual rights in data processing and introduces rules for compliance audits and coordinated regulatory oversight.
Authorities
Changsha CA Releases Typical Enforcement Cases on Personal Information Protection
On November 27, the Changsha CA released typical cases from a special enforcement campaign focusing on personal information protection in key public-facing sectors, including education, healthcare, finance, and real estate. The campaign targeted illegal app data collection and unauthorized facial recognition in public venues, resulting in the handling of 79 enforcement leads, interviews with 52 enterprises, 24 on-site inspections, and 5 administrative penalty cases. The four cases disclosed involved a hospital data leak caused by inadequate safeguards, mini-programs lacking account cancellation and correction functions, and unauthorized facial recognition by a property sales office, all of which were subject to rectification orders or administrative penalties.
Shanghai Communications Administration Reports 71 Apps and SDKs for Infringing User Rights
On November 26, the Shanghai Communications Administration released its tenth enforcement notice of 2025 on apps and SDKs infringing user rights. Third-party testing identified violations in 71 applications, including Guanying Preferred, China Eastern’s mobile app, MyDyson, and several financial and securities apps. Key issues involved illegal collection of personal information, failure to clearly disclose processing rules, inadequate handling of user complaints, frequent or excessive permission requests, and obstacles to account cancellation.
Beijing CA Penalizes Mobile Apps for Violating AI Content Labeling Rules
On November 26, the Beijing CA penalized several mobile applications for failing to comply with labeling rules for AI-generated content. Measures included regulatory interviews, rectification orders, and app removal. Violations mainly involved providers of generative services failing to add explicit or implicit labels or to include key attribute information in metadata, and content distribution service providers failing to verify implicit labels, provide prominent on-page alerts, or offer declaration functions to users.
Shanghai CA Removes 54 Apps and 26 Website AI Functions in “AI Abuse” Enforcement Campaign
On November 24, the Shanghai CA announced the results of a special enforcement campaign targeting AI misuse. App stores were instructed to remove 54 non-compliant applications, and 26 AI features on websites were taken offline. Three service websites were penalized—marking the first application of the Interim Measures for the Management of Generative Artificial Intelligence Services—for refusing to rectify violations. Five enterprises received exemptions for first-time minor violations, such as failing to conduct required security assessments.
CAC Releases Policy Q&A on Cross-Border Data Transfer Management
On October 31, CAC issued a policy Q&A addressing practical questions arising from the implementation of cross-border data transfer rules. The document clarifies key provisions under the Provisions on Promoting and Regulating Cross-Border Data Flows, including exemption criteria, security assessment requirements, and the definition of “overseas” access. It also provides guidance on common scenarios—such as domestic hotel bookings involving outbound data not qualifying for exemptions, and system upgrades that do not require re-submission absent new security risks. The Q&A further explains Standard Contract filing rules (e.g., a single filing may cover one recipient unless volume thresholds trigger a security assessment) and confirms that personal information protection certification is based on the 2022 certification rules and the GB/T 46068-2025 national standard.
Enforcement Cases
Shanxi Police Penalize Two Hotels for Data Security Failures
On November 27, 2025, Shanxi cyber police reported that two hotels failed to desensitize or encrypt sensitive guest information—such as names, ID numbers, and address details—and had no internal data security systems or staff training, creating leakage risks. Both hotels received administrative warnings and were ordered to rectify within 15 days.
Xi'an Tech Company Penalized After Data Leak in Drone Management Platform
On November 23, MPS reported a data breach involving a drone management platform developed by a Xi'an technology company. Hackers exploited existing security vulnerabilities and stole stored data. The Xi'an cyber police found that the platform lacked a full-process data security management system, had not conducted staff training, and failed to implement necessary technical safeguards. The company was held legally liable for failing to fulfill its data security obligations, ordered to rectify within a prescribed period, and guided to patch vulnerabilities and improve internal controls.
Hunan CA Penalizes School for Surveillance System Data Risks
On November 18, the Hunan CA announced an administrative penalty against a school in Xiangxi Prefecture after its video surveillance system was found to lack necessary protective measures and to pose a significant data leakage risk. The Xiangxi CA imposed penalties for the school’s failure to fulfill its data security obligations. This is the first such administrative penalty in the prefecture.
Qinghai Police Penalize Two Companies for Failing to Complete MLPS Assessments
On November 13, the Tongren Public Security Bureau in Qinghai Province announced penalties against two companies that failed to complete required Multi-Level Protection Scheme (MLPS) cybersecurity assessments, leaving significant security risks unaddressed. The police issued administrative warnings and rectification notices, ordering the companies to eliminate hazards within a set period and urging them to strictly fulfill their cybersecurity responsibilities.
Qingdao Tech Firm Penalized for Failing to Patch Long-Standing Security Vulnerabilities
On November 10, MPS released a typical case involving a Qingdao technology company that failed to remediate long-standing SQL injection and unauthorized access vulnerabilities in a client’s public service platform. Police found that the company, responsible for system operation and maintenance, did not fulfill its legal and contractual data security obligations, failed to take necessary technical measures, and left data at risk of leakage.
Guizhou Bijie CA Sanctions Company for Personal Information Violations
On November 7, the Bijie CA in Guizhou Province published a case involving multiple personal information protection violations by a local company. Its WeChat Mini Program excessively collected user location data, had incomplete user agreements and privacy policies, lacked an account cancellation function, and contained weak-password vulnerabilities. The authority issued a warning and ordered the company to complete rectification within a specified period.
Platform Penalized for Premature Disclosure of Network Vulnerabilities
On November 6, MPS released a typical case from the “Shield the Net 2025” campaign. A vulnerability discovery and collection platform disclosed detailed information about a network product flaw—along with programs and tools that could be used to exploit it—before the product provider had issued remediation measures. Police imposed administrative penalties on the platform operator and ordered rectification.
Court Litigation
Beijing Internet Court: Public Disclosure of Employee Salary Information Constitutes Privacy Violation
On November 13, 2025, the Beijing Internet Court released a case involving a listed company that, during its IPO application, published a full labor dispute judgment containing a former employee’s specific salary information on the stock exchange website, claiming it was fulfilling disclosure obligations. The court held that salary data constitutes private information reflecting an individual’s financial status and work capacity, and that disclosure duties must follow the principles of legality, propriety, and necessity. As the employee was a non-core staff member and the dispute amount was insignificant, the case did not constitute material litigation requiring disclosure. The company’s conduct therefore exceeded reasonable disclosure limits and infringed the plaintiff’s privacy rights. The court ordered the company to redact the information, apologize, and compensate for emotional damages.
Beijing Internet Court: Affiliated Apps Liable for Sharing User Data Without Valid Consent
On November 5, the Beijing Internet Court released a case involving two affiliated apps that automatically synchronized users’ nicknames, profile photos, and sensitive social relationship data without obtaining separate consent. Although the two affiliated companies qualified as “joint processors” under the Personal Information Protection Law, the court held that this status does not exempt them from their statutory duty to provide sufficient notice and obtain valid consent. The unauthorized cross-platform data sharing infringed users’ personal information and privacy rights, and the court ordered the defendants to bear joint liability for damages.
Shanghai Issues First Judgment on Copyright Infringement Involving AI Foundation Models
On November 3, the Jinshan District People’s Court issued the first-instance judgment in Shanghai’s first copyright case involving the training of a large AI model. The dispute centered on whether a user’s use of copyrighted images of the “Medusa” character to train an AI model was lawful and whether the platform bore liability. The court held that an individual who trains a generative AI model (such as a LoRA model) on copyrighted works without permission, enabling the model to produce outputs substantially similar to the original, infringes the rights of reproduction and communication through information networks. It further found that an AI platform that provides neutral technical tools and fulfills reasonable duties—such as content review, responding to takedown notices, removing the model, and updating keyword filters—does not bear liability absent fault. The user was ordered to cease the infringement and pay RMB 50,000 in damages, while the claims against the platform were dismissed.