China Monthly Data Protection Update - January 2026

Dacheng

[co-author: Ken Dai]

Developments Highlights


This monthly report outlines key developments in China’s data protection sector for January. The following events merit special attention:

  • CAC Seeks Public Comments on Network Data Security Risk Assessment Measures: On December 6, 2025, the CAC released the draft Network Data Security Risk Assessment Measures (Draft for Comments) for public consultation. The measures aim to standardize network data security risk assessment activities, ensure data security, and promote lawful and effective data utilization. They define risk assessment, clarify responsibility allocation and implementation requirements, stipulate that important data handlers must conduct assessments annually, and encourage general data handlers to do so at least once every three years. Assessments can be performed internally or by accredited third-party agencies. The measures also emphasize the management and reporting of risk assessment reports and propose mechanisms such as information sharing and mutual recognition of results to avoid redundant assessments.
  • CAC Clarifies Annual Filing Requirements for Compliance Audits on the Protection of Minors’ Personal Information: On December 29, CAC issued an announcement clarifying that personal information handlers are required to submit, via the online system, their compliance audit reports on the protection of minors’ personal information for the preceding year by the end of January each year. Where a personal information handler fails to conduct such audits and submit the required filings in accordance with the regulations, it will be dealt with in accordance with the law.
  • SAMR and CAC Jointly Issue Announcement on Revising Certification Standards for Cross-Border Personal Information Transfers: On December 25, the SAMR and the CAC jointly issued an announcement, explicitly revising the certification standards for personal information protection in cross-border processing activities to GB/T 35273 and GB/T 46068.

Legislation


TC260 Seeks Public Comments on Cybersecurity Standard Practice Guide — Cross-border Personal Information Processing and Protection Requirements in the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Macao)

On December 22, 2025, the Secretariat of the National Technical Committee 260 on Cybersecurity of SAC (“TC260”) issued a notice soliciting public comments on the draft Cybersecurity Standard Practice Guide — Cross-border Personal Information Processing and Protection Requirements in the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Macao) (Draft for Comments). This document aims to promote secure and orderly cross-border flow of personal information within the Guangdong-Hong Kong-Macao Greater Bay Area and is intended to implement the security certification work requirements outlined in the relevant cooperation memorandum between the Mainland and Macao.

CAC Seeks Public Comments on Network Data Security Risk Assessment Measures

On December 6, the CAC released the draft Network Data Security Risk Assessment Measures (Draft for Comments) for public consultation, with feedback due by January 5, 2026. The measures aim to standardize network data security risk assessment activities, ensure data security, and promote lawful and effective data utilization. They define risk assessment, clarify responsibility allocation and implementation requirements, stipulate that important data handlers must conduct assessments annually, and encourage general data handlers to do so at least once every three years. Assessments can be performed internally or by accredited third-party agencies. The measures also emphasize the management and reporting of risk assessment reports and propose mechanisms such as information sharing and mutual recognition of results to avoid redundant assessments.

Authorities


CAC Announces First Three Personal Information Export Certification Filing Bodies

On December 30, 2025, CAC announced the first three professional bodies approved and filed for personal information export certification: China Cybersecurity Review, Certification and Market Regulation Big Data Center (“CCRC”), CAC Data and Technology Support Center, and Beijing CESI Certification Co., Ltd. At the same time, CAC officially launched a filing system to provide guidance for relevant bodies to complete filing procedures and for personal information handlers to apply for certification.

CAC Clarifies Annual Filing Requirements for Compliance Audits on the Protection of Minors’ Personal Information

On December 29, CAC issued an announcement clarifying that personal information handlers are required to submit, via the online system, their compliance audit reports on the protection of minors’ personal information for the preceding year by the end of January each year. Where a personal information handler fails to conduct such audits and submit the required filings in accordance with the regulations, it will be dealt with in accordance with the law.

SAMR and CAC Jointly Issue Announcement on Revising Certification Standards for Cross-Border Personal Information Transfers

On December 25, the SAMR and the CAC jointly issued an announcement, explicitly revising the certification standards for personal information protection in cross-border processing activities to GB/T 35273 and GB/T 46068.

China Cyberspace Security Association Releases Sixth 2025 Batch of Apps Completing Personal Information Collection and Usage Optimization

On December 23, the China Cyberspace Security Association released its sixth batch of apps for 2025 that have completed optimization of personal information collection and usage. To standardize app behavior and protect personal information rights, the Association guided six app operators across five categories—hotel services, online communities, women’s health, remote conferencing, and investment and wealth management—to rectify issues like excessive data collection and overuse of sensitive permissions, in accordance with laws including the Cybersecurity Law and the Personal Information Protection Law (“PIPL”). The operators have updated their apps in stores or on official websites, committing to maintain compliance. The list includes apps like Huazhu Hui, eLong Travel and Zhihu.

SCA Removes 38 Apps Failing to Rectify User Rights Violations

On December 22, following laws including the PIPL and requirements of a four-agency special campaign, the Shanghai Communications Administration (“CA”) reviewed apps previously flagged for user rights violations. Within the stipulated rectification period, 38 apps failed to complete required fixes. According to the notice, apps including Guancha.cn, KDS and Liulishuo Reading have been removed from stores. Shanghai CA states it will continue monitoring and may take further severe measures such as service termination or administrative penalties.

CVERC Reports 69 Apps for Illegally Collecting and Misusing Personal Information

On December 4, the National Computer Virus Emergency Response Center (“CVERC”), acting under relevant laws and the requirements of the 2025 Personal Information Protection Special Campaign, detected and reported 69 mobile applications illegally collecting and using personal information. The report was released via the National Cybersecurity Notification Center. The reported issues cover 11 major categories, including unclear privacy policy notifications, data collection without consent, and insufficient user rights safeguards.

Enforcement Cases


Chongqing Rongchang Website Investigated for AI-Generated Illegal Content Due to Lack of Cybersecurity System

Recently, the Chongqing Rongchang District CA imposed administrative penalties on a local website platform. An investigation found the website failed to establish a cybersecurity system and content review mechanism. Its “AI Chat” feature generated content prohibited by law, and no effective measures were taken to stop its transmission, violating the Cybersecurity Law and the Interim Measures for the Management of Generative Artificial Intelligence Services. The Administration ordered rectification within a deadline, issued a warning to the responsible person, and required improvements to management and review systems.

Two Hotels in Jinzhong, Shanxi Penalized by Police for Failing to Properly Protect Guests’ Personal Information

Recently, the cyber security department of the Public Security Bureau of Zuoquan County, Jinzhong City launched a special inspection campaign and imposed administrative penalties in accordance with the law on two hotels that posed personal information leakage risks. Inspections revealed that the staff of these hotels had conducted full registration of guests’ personal details, including names, phone numbers, ID card numbers, and household registration addresses, without adopting masking or de-identification measures. Meanwhile, the hotels had failed to establish relevant data security management systems, organize data security education and training, and fulfill their data security protection obligations, thereby exposing guests’ personal information to leakage risks.

Industry Trends


CAAM and Three Other Agencies Announce First 43 Vehicle Models Meeting Five Automotive Data Security Requirements

On December 19, 2025, the China Association of Automobile Manufacturers, jointly with three agencies including the National Computer Network Emergency Response Technical Team/Coordination Center of China, released an announcement listing the first batch of vehicle models meeting five compliance requirements for automotive data security. Starting in August 2025, vehicle models participating on a voluntary basis have been tested against the Provisions on Management of Automotive Data Security (Trial) and relevant national standards, covering five requirements including anonymization of face information of individuals outside the vehicle and in-vehicle processing of cabin data. Forty-three models from nine companies, including Chongqing Changan, BYD, and SAIC Motor, have passed the tests, meeting all or some data security requirements.

NEA Issues Trial Management Measures, Categorizing Energy Data and Strengthening Primary Security Responsibilities

On December 12, the National Energy Administration (NEA) issued the Energy Sector Data Security Management Measures (Trial). These measures aim to regulate data processing activities and enhance data security management in the energy sector. They will take effect on July 1, 2026, and remain valid for five years. Key contents include categorizing energy sector data into General, Important, and Core levels, and clarifying that handlers of Important and Core Data bear primary responsibility, with the legal representative or primary person in charge as the primary person responsible for data security. The measures require data handlers to establish comprehensive full-lifecycle security management systems and fulfill requirements such as multi-level protection. Additionally, provincial energy authorities and central state-owned energy enterprises must strengthen capabilities for data security monitoring, early warning, and emergency response within their jurisdictions or enterprises.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Dacheng
