On October 28, 2025, China adopted the first major amendments to the 2017 Cybersecurity Law, which took effect on January 1, 2026. The revised Law establishes an additional tiered penalty regime featuring stricter fines for...more
On December 29, 2025, the Cyberspace Administration of China ("CAC") officially released the Notice on the Filing of Compliance Audit Results for the Protection of Minors’ Personal Information ("Filing Notice")....more
On December 6 2025, the CAC released the draft Network Data Security Risk Assessment Measures (Draft for Comments) for public consultation. The measures aim to standardize network data security risk assessment activities,...more
On December 29, 2025, the Cyberspace Administration of China (CAC) issued the Announcement on the Reporting of Minors' Personal Information Protection Compliance Audit Status, which requires personal information handlers to...more
All data controllers processing personal data under the age of 14 (“minors“) must now submit an annual report to Chinese data regulator, the Cyberspace Administration of China (“CAC“). For 2025, the report must be submitted...more
This monthly report outlines key developments in China’s data protection sector for December. The following events merit special attention: On November 22, CAC and the MPS jointly released the Provisions on the Protection of...more
On 18 July 2025, the Cyberspace Administration of China (“CAC”) issued the Announcement on the Reporting of Personal Information Protection Officer Information (“CAC PIPO Reporting Announcement”), which launched a centralized...more
On September 9, 2025, Dior (Shanghai) Co., Ltd. (“Dior Shanghai”) was publicly sanctioned in China for unlawfully transferring personal information (“PI”) overseas. This marks the first administrative penalty in China for...more
On September 9, 2025, China announced the landmark administrative penalty against Dior (Shanghai) over unlawful cross-border transfers of personal information, with the primary violation being the failure to satisfy the...more
In a move to further bolster data privacy, China’s State Administration for Market Regulation and the Standardization Administration of China jointly issued a national standard, GB/T 45574-2025, Data Security Technology –...more
On 18 July 2025, China’s Cyberspace Administration (CAC) officially launched its online portal (Portal) for registration of China Data Protection Officers (China DPO). This operationalizes the requirements under Article 52 of...more
This monthly report outlines key developments in China’s data protection sector for August. The following events merit special attention: CAC Summons NVIDIA Over Cybersecurity Concerns Related to H20 Chip: On July 31, CAC...more
INTRODUCTION - Almost eight years after the Cybersecurity Law (“CSL”) came into force in the PRC in 2017, the Cyberspace Administration of China (“CAC”) issued draft amendments to the CSL (“2025 Draft Amendments”) on 28...more
On July 18, 2025, the Cyberspace Administration of China (the “CAC”) issued the Notice on Launching the Reporting Mechanism for Personal Information Protection Officers (the “Notice ”). This development marks a significant...more
As the digital economy continues to thrive and remote work becomes increasingly mainstream, an “offshore model” of business operation has emerged. Under this model, companies may provide services to users in a given...more
In August 2024, China Judgements Online published a ruling issued by the Guangzhou Internet Court on September 8, 2023, in a case widely regarded as China’s first judicial decision addressing cross-border personal information...more
The cross-border transfer of personal information (hereinafter referred to as “PI,” and such transfers as “PI export”) is a routine and often essential part of business operations for companies in China—particularly...more
Chinese data regulators are intensifying their focus on the data protection compliance audit obligations under the Personal Information Protection Law (“PIPL“), with the release of the Administrative Measures for Personal...more
The Guangzhou Internet Court (the “Court”) recently issued its first judgment involving the cross-border transfer of personal data under the Personal Information Protection Law (“PIPL”).1 An international hotel group was...more
The PRC National Technical Committee 260 on Cybersecurity of SAC (“TC260”) published new Guidelines on Identifying Sensitive Personal Information (“Guidelines”) on 18 September 2024, nearly three months after it released the...more
The Guangzhou Internet Court released the first ruling interpreting the requirements for cross-border transfer of personal information under the Personal Information Protection Law (PIPL). This case has significant...more
On September 30, 2024, China’s State Council released the Network Data Security Management Regulations, which will enter into force on January 1, 2025. The regulations apply to “electronic data processed and generated through...more
Additional and clarified data compliance obligations will soon come into force under the long-awaited Network Data Security Management Regulation (“Regulation“), which was released on 30 September 2024. The Regulation is...more
China published the finalized Regulation for the Administration of Network Data Security (Network Data Regulation) on September 30, 2024. This regulation was first released as a draft version dated November 2021. Throughout...more
The Personal Information Protection Law (“PIPL“) requires a data controller to conduct compliance audits of its personal data processing activities on a regular basis (“Self-supervision Audits“). Apart from such...more