This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at james.gong@twobirds.com.
A Deep Dive into China’s Network ID Proposal
In November 2024, China introduced a series of laws, regulations, and policies to further standardise digital economy development and strengthen data security and compliance management, focusing on key areas such as personal information protection, data resource development and management, and data security governance:
Follow the links below to view the official policy documents or public announcements.
The MIIT has issued the Emergency Response Plan for Data Security Incidents in the Industrial and Information Technology Sectors (Trial), aimed at enhancing China’s emergency response capacity for data security incidents in these sectors. This plan establishes a comprehensive emergency organisational system and working mechanism, implementing a tiered management approach for data security incidents. It specifies processes for incident monitoring, early warning, response, and handling, clarifies the responsibilities of local authorities at various levels and data processors, and mandates proactive data risk prevention and regular drills. In the event of an incident, this document requires prompt control and mitigation measures to protect public interests and national security.
2. National Data Bureau seeks public feedback on definitions of terms in the data sector, clarifying specialised terminology (21 October)
The National Data Bureau has opened a public consultation for the Definitions of Terms in the Data Sector, aiming to promote uniformity and standardisation of terminology in this field. This document covers over 40 key terms, providing detailed definitions on various forms of data, value circulation, processing methods, and security management. For example, “data assets” are defined as data resources capable of generating economic benefits, while “data governance” refers to the process of enhancing data quality, security, and compliance. The release of this document will further build consensus and promote a unified understanding of terminology in the field of data across various sectors of society.
3. National Data Bureau planned to issue an action plan to guide and support the development of trusted data spaces (18 October)
The National Data Bureau has opened public consultation on the Action Plan for the Development of Trusted Data Spaces (2024–2028), aiming to guide and support the establishment of trusted data spaces, promote compliant data circulation, and drive efficient data use to foster digital economic growth. The action plan sets a goal to establish over 100 trusted data spaces by 2028, building foundational infrastructure and application ecosystems for data sharing and collaboration. This network will foster wide interconnectivity, resource aggregation, and a thriving ecosystem of data spaces. The plan also emphasises strengthening three core capabilities: trustworthy data control, resource interaction, and value co-creation. It encourages the promotion of trusted data spaces across enterprises, industries, cities, individuals, and cross-border scenarios, accelerating the development of data space technology standards and security management systems to advance data market integration comprehensively. Public feedback may be submitted via email to support the healthy development of trusted data spaces.
The National Data Bureau opened public consultation on the Implementation Guidelines for the Authorised Operation of Public Data Resources (Trial - Draft for Public Comment), aiming to standardise the authorised operation of public data resources and promote compliance and transparency within the data market. The guidelines propose that public data resources held by county-level and higher governments, as well as national industry authorities, be legally authorised to eligible operational entities for governance and development. This document aims to ensure that data can generate value without compromising national security, public interest, or personal privacy. The guidelines stipulate that data operations must be lawful, prioritise public benefit, and maintain safety and control, and outline key stages such as authorisation agreements, operational implementation, and oversight, providing a regulatory foundation to support the development of an integrated and standardised data market. Public feedback may be submitted via email to contribute to improving the public data management system.
5. NDRC issued measures to standardise public data resource registration and establish a unified national registration system (12 October)
The NDRC opened public consultation on the Interim Measures for the Registration Management of Public Data Resources (Draft for Public Comment), aiming to establish a unified national registration system for public data resources and promote their compliant and efficient use. These measures clarify the processes and requirements for registering public data resources, emphasising that registration activities must adhere to principles of legality, transparency, safety, and efficiency. They cover processes such as initial registration, amendments, corrections, and cancellations. Once registered, data resources will be shared through a digital certificate, “One Certificate, One Code,” to facilitate querying and application. The measures also require data management authorities at various levels to supervise registration entities, ensuring data security and compliance, thereby advancing the efficient management and secure application of public data resources nationwide.
The State Council released the Opinions on Accelerating the Development and Utilisation of Public Data Resources, aiming to enhance data security management and incentivise innovation, encouraging regions and departments to pioneer initiatives to strengthen support for the digital economy and national competitiveness. The guidelines identify public data generated by Party and government bodies and public institutions as crucial foundational strategic resources that must be rapidly developed and utilised to support high-quality development. The document sets targets to establish a data development and utilisation system by 2025 and achieve comprehensive integration of public data in the real economy and social governance by 2030. It calls for deepening the reform of data element allocation through government data sharing, public data access, and authorised operation to expand the supply of public data resources. Additionally, it promotes data resource registration, standardised management, and pricing mechanisms, along with fostering application innovation to drive data industry growth.
The NDRC, along with other departments, released the Guidelines for Constructing the National Data Standards System, aimed at building a robust data standards framework to support the development of the digital economy and the potential of data elements. The guidelines outline the overall requirements and structure for the standards system, which includes seven key areas: data infrastructure, data resources, data technology, data circulation, integrated applications, security assurance, and more, covering all stages from data collection, storage, and circulation to security management. By 2026, the plan seeks to establish over 30 foundational data standards to advance data standardisation across the country, ensuring data is “available, transferable, usable, and secure.” The document also stresses the importance of promoting pilot projects, talent development, the construction of a data industry ecosystem, and enhancing international cooperation in standardisation.
8. Shandong Big Data Bureau issued management measures to regulate data transactions and promote compliant, efficient data circulation and usage (15 October)
The Shandong Big Data Bureau released the Shandong Data Transaction Management Measures (Trial - Draft for Public Comment), aiming to regulate data transaction practices, cultivate the data market, and facilitate compliant, efficient data circulation and usage. The measures clarify the scope of applicable data transactions, the responsibilities of transaction parties, and transaction methods, while outlining prohibited transaction content and data compliance requirements. The document emphasises data transaction security management, including the application of security technologies by data transaction institutions, risk prevention, and dispute resolution mechanisms. Additionally, it specifies departmental supervisory responsibilities, credit management, information disclosure, and other oversight measures, establishing complaint and fault-tolerance mechanisms to provide regulatory support for the healthy development of Shandong’s data market.
9. Guangdong Province issued data regulations to strengthen data resource management and promote lawful, orderly data circulation and application (11 October)
The Guangdong Provincial Government Services and Data Management Bureau released the Guangdong Data Regulations (Draft for Public Comment), aiming to standardise data management and circulation, foster the development of the data element market, and ensure data security. The regulations cover aspects such as data resource management, rights protection, and circulation and transactions. They propose establishing mechanisms for data registration, quality monitoring, and transaction management, advocate for a Chief Data Officer system, and promote data resource sharing and utilisation. Additionally, the regulations emphasise data security responsibilities and risk prevention, establishing pilot programs for data asset innovation and a mechanism for cross-border data circulation within the Greater Bay Area (Guangdong-Hong Kong-Macao).
10. Nine national cybersecurity standards approved, covering encryption, network product technology, information security, and more (9 October)
The SAMR and the National Standardisation Administration issued nine national cybersecurity standards under the jurisdiction of the National Technical Committee 260 on Cybersecurity of the Standardization Administration of China (“TC260”), set to take effect on 1 April 2025. These new standards encompass key areas such as entity authentication, message authentication codes, hash functions, network and endpoint isolation products, and information security controls. The standards aim to enhance the regulatory framework for cybersecurity technology and improve information security assurance, providing crucial support for the healthy development of the digital economy.
The CAC released examples of military-related violations by self-media accounts, highlighting cases involving the spread of military rumours, fabrication of historical facts, defamation of the military’s image, distortion of policies, incitement of civil-military discord, and exploitation of pro-military sentiment. Some accounts, under the guise of “military storytelling,” published false information that misled the public, such as fabricating incidents like “warship sinking.” Other accounts spread incorrect statements and misinformation in areas of history and policy, even falsely using the military’s name for marketing purposes. Relevant military and government departments stated they would continue to combat these activities, cleanse the online environment regarding military-related content, and encouraged the public to actively report violations to uphold the authenticity and integrity of military-related information.
The Ministry of State Security identified that a foreign company, referred to as Company A, collaborated with a Chinese surveying-qualified company, Company B, under the pretext of autonomous driving research to illegally collect geographic information within China and transfer it abroad, posing a severe threat to national security. To evade regulatory oversight, Company A conducted mapping activities through multiple layers of outsourcing and used advanced equipment to discreetly gather data. Additionally, Company A directly instructed Company B to conduct mapping across multiple provinces, sending foreign technical experts to ensure the data was transmitted overseas. Legal accountability has been enforced on the companies and individuals involved. The Ministry of State Security reminds domestic surveying firms to strictly adhere to legal regulations and urges the public to promptly report any illegal surveying activities they encounter.
13. CAC launched the “Clear and Bright: Standardising Online Language Use” campaign to address irregularities in language and expression online (11 October)
The CAC and the Ministry of Education jointly initiated the “Clear and Bright: Standardising Online Language Use” campaign, aiming to improve the online language environment, particularly in prominent areas such as trending lists and homepage displays, targeting issues like distorted meanings and the excessive use of internet slang. In addition, the campaign directs local CAC and education departments to enhance cooperation, focusing on the protection of minors’ rights. Measures include removing non-standard information, streamlining reporting channels, and fostering a healthy online ecosystem. Public involvement is encouraged to spread awareness of language regulations, promote civilised expression, and collectively contribute to a positive online atmosphere.
14. CAC released typical cases from the “Clear and Bright: 2024 Summer Campaign for Improving the Online Environment for Minors” (9 October)
The CAC, through the “Clear and Bright: 2024 Summer Campaign for Improving the Online Environment for Minors,” took stringent action against online content harmful to minors. The campaign targeted essential areas such as live streaming, short videos, social media, and e-commerce platforms. During the campaign, over 4.3 million pieces of harmful content involving minors were removed, 130,000 violating accounts were closed, and more than 2,000 websites and platforms were shut down. Severe action was taken against typical cases, including the dissemination of violent and vulgar videos, online bullying targeting minors, remote sexual harassment crimes, the sale of prohibited goods, and the removal of non-compliant applications aimed at minors. CAC will continue to drive online environment governance and encourages public oversight and reporting to create a healthy, safe online space for minors.
The CAC recently initiated the “Clear and Bright: Rectifying Unauthorised Internet News Information Services” campaign, aiming to strengthen the regulation of online news information services and reinforce the influence of mainstream media. This three-month campaign focuses on rectifying five major issues: false information and misleading headlines, using news services for illicit gain, impersonation of news agencies, unlicensed or out-of-scope news gathering and publishing, and falsification or transfer of news service permits. Local CAC departments will implement the campaign, requiring websites and platforms to “display licenses prominently,” prioritise compliant news content, and increase public exposure of violations to improve the online news environment.
16. Shanghai CAC announced enforcement action against a medical technology company for failing to fulfill data protection obligations (14 October)
The Shanghai CAC recently imposed administrative penalties on a medical technology company for neglecting its data security obligations, resulting in system vulnerabilities exploited by foreign IP addresses to steal a substantial amount of personal information. The investigation revealed that the company’s internal system was hosted on a cloud platform but lacked effective cybersecurity protections, had insufficient log retention, and contained unauthorised access vulnerabilities, constituting a severe violation of the Data Security Law. The Shanghai CAC issued a warning and imposed a fine on the company. The Shanghai CAC emphasised that data security is in the public interest, especially in the healthcare sector, which must uphold its responsibility to protect personal information, prevent data breaches, and ensure personal and property safety.
17. Two Zhengzhou companies penalised for failing to fulfil cybersecurity obligations, leading to the theft of sensitive data (23 October)
The Zhengzhou CAC issued administrative penalties to two companies that neglected their cybersecurity obligations, resulting in sensitive data breaches. Each company was fined RMB 50,000 and ordered to implement corrective measures. In the first case, an internet information service company had a database configuration with a blank password for remote login, allowing hackers to steal personal data, including names, ID numbers, and phone numbers. The company had not established a comprehensive data security management system or implemented essential technical measures. The second case involved a technology company that misconfigured its database, creating an unauthorised access vulnerability that attackers exploited to retrieve data. This company also lacked proper log management and failed to categorise or classify data. Both companies were fined and warned for violating Articles 27 and 45 of the Data Security Law.
18. MIIT launched 2024 call for exemplary cases of integration between the real economy and digital economy to guide local governments and enterprises (29 October)
The MIIT has initiated the 2024 call for exemplary cases of deep integration between the real economy and the digital economy, aiming to advance new industrialisation and accelerate the adoption of next-generation information technologies in industries. This call focuses on four areas: digital transformation tools and products, innovative applications of industrial internet platforms, digital leadership practices, and digital supply chain ecosystems. It targets enterprises with independent legal status, strong technical capabilities, and sound financial standing, seeking innovative cases with significant economic and social benefits to serve as models for national integration efforts. The submission deadline is 18 November, with a cap of 40 recommended cases per region and industry association. Selected exemplary cases will be publicly released.
The SAMR released the Guiding Opinions on Encouraging Online Trading Platforms to Leverage Traffic to Support the Development of SMEs and Micro-enterprises, aiming to promote high-quality development in the platform economy and assist SMEs and micro-enterprises in capturing digital opportunities. The document encourages platforms to optimise traffic allocation, improve traffic utilisation efficiency, and establish transparent and fair traffic rules. It also recommends using quantitative data to help SMEs accurately target users and enhance traffic conversion. For agricultural products, specialty products, and newly onboarded businesses, the guidelines suggest various supportive measures such as traffic fee reductions, exclusive tags, and traffic coupons to strengthen their competitiveness. SAMR also emphasised supporting new marketing activities like livestreaming and short videos, encouraging platforms to enhance publicity and provide policy support to increase awareness of traffic policies.
20. National Data Bureau launched the “Key Demonstration Scenarios” initiative, with regular releases of data application demonstration scenarios (28 October)
The National Data Bureau announced the launch of the “Key Demonstration Scenarios” initiative at a meeting on the development and utilisation of public data resources. This initiative plans to release a batch of demonstration scenarios each quarter through the end of 2025, aiming to facilitate supply-demand connections and coordination between national and provincial levels, thereby establishing replicable and scalable models for data development and utilisation. The first batch of 18 demonstration scenarios has been published, covering areas such as “Coordinated Use of Civil and Commercial Satellite Data for Disaster Prevention and Mitigation,” “Innovative Healthcare Payment and Regulation,” and “Tourist Flow Monitoring in Scenic Areas.” These scenarios are designed to provide tangible data application benefits that can be directly experienced by businesses and the public.
The Director of the National Data Bureau stated that eight policy documents will soon be issued, covering areas such as enterprise data development and utilisation, data property rights, and data security governance. These efforts aim to advance the construction of a unified national data market, standardise data circulation and transaction rules, and improve data infrastructure. Additionally, the Bureau will expedite the creation of a unified regulatory framework for the data market, fostering a developmental ecosystem for the data industry. This initiative seeks to unleash the market potential and application value of data resources, promoting their in-depth application across sectors such as industry, agriculture, transportation, and healthcare.
22. The inaugural meeting of the National Data Standardisation Technical Committee was held in Beijing (28 October)
The National Data Standardisation Technical Committee (“NDSC”) was officially established and held its first plenary session in Beijing. The NDSC emphasised the significance of data standardisation in unlocking data potential and enhancing international competitiveness, urging strengthened standards development, practical implementation, and deeper international collaboration. The meeting approved the committee’s charter, operational guidelines, and work plan for 2024–2025, with a commitment to building a collaborative data standardisation platform and laying a foundation for the development of China’s data sector.
23. CAC released the 2024 report on the development levels of digital literacy and skills across China, covering multiple dimensions (25 October)
The CAC published the 2024 Survey Report on the Development Levels of Digital Literacy and Skills. The report reveals significant improvements in digital literacy and skills, with over 60% of citizens reaching a basic or higher level of digital literacy. Among adults, 60.61% meet this threshold, and for minors, the figure is 64.69%. Regional disparities are notable, with residents in the eastern regions generally leading in digital literacy. Education level, profession, and age strongly influence digital literacy, with those who are more educated, younger, or in technical roles displaying higher levels. Urban residents exhibit notably higher digital literacy than those in rural areas. The government is implementing digital support policies in key industries and regions to gradually reduce these gaps and foster adaptability, competency, and creativity in digitalisation across different population groups.
The Global Data Business Conference highlighted plans to expedite the development of a data property rights system, with a focus on enhancing related rules such as data property registration, quality management, responsibility delineation, and compliance management. This initiative aims to standardise data market transactions and unlock the potential of data elements, fostering the deep integration and innovative development of the data economy across various industries.
25. SAMR launched a pilot program to open credit supervision data to platform enterprises, fostering a trustworthy and accountable social environment (17 October)
The SAMR initiated a pilot program in Haidian District, Beijing, to open credit supervision data to selected platform enterprises. Over two years, the program will provide 3–5 chosen platforms with access to data on the national list of businesses with abnormal operations and the list of serious violations and dishonest conduct. This initiative addresses the issue of asymmetric credit information between platforms and their resident merchants, encouraging platforms to establish comprehensive credit records, fulfil their compliance responsibilities, and strengthen integrated online and offline supervision. SAMR plans to draw lessons from the pilot to expand its application, offering a new pathway to enhance the credit system and governance within the platform economy.
At the 2024 Global ESG Leaders Conference, the China Securities Regulatory Commission (“CSRC”) disclosed that by the end of September 2023, over 2,200 listed companies had disclosed sustainability or social responsibility reports—a record high with an average annual growth rate of 20% over three years. Currently, more than 40% of listed companies have established ESG governance frameworks and policies, over 60% have identified and disclosed materiality analysis pathways, and more than 70% engage stakeholders through surveys, discussions, and other forms. Quantitative disclosures, such as carbon emissions, have seen significant growth, with over 1,000 companies reporting their emissions, reflecting an average annual growth of more than 50% over three years. Among them, companies in the CSI 300 Index have notably increased disclosure rates on wastewater, hazardous waste emissions, greenhouse gas emissions, and energy consumption, forming a group of leading companies excelling in ESG governance. Additionally, the rapid development of financial tools like ESG funds and green bonds has further accelerated the growth of these high-performing companies.
27. MOHURD released a comprehensive plan for “Digital Housing and Urban Development” to create liveable, resilient, and smart cities (12 October)
The Ministry of Housing and Urban-Rural Development (“MOHURD”) published the Comprehensive Plan for “Digital Housing and Urban Development”, proposing a “2+2+N+3” framework to drive digital housing and urban development, aiming for significant progress by 2027 and major achievements by 2035. The plan emphasises strengthening digital infrastructure and data resource systems, enhancing information security, and establishing policy and standards systems. It aims to promote applications in digital housing and smart cities, achieving three main goals: co-governance of large systems, intelligent governance with big data, and accessible services for the public. Through advancing smart housing, smart cities, and digital rural areas, MOHURD seeks to build a modern urban system that is liveable, resilient, and smart, while improving the efficiency of government and public services through data-driven approaches.
28. China and ASEAN issued a joint statement to promote sustainable and inclusive digital ecosystem cooperation (11 October)
China and ASEAN countries issued a joint statement aimed at establishing an open, secure, and inclusive digital ecosystem to support the digital development of their economies and societies. Both parties agreed to enhance policy exchange and strategic alignment, promote digital infrastructure development, accelerate the application of emerging technologies, advance industrial digital transformation, and strengthen digital security and resilience. The statement also emphasised improving digital literacy and capabilities, fostering inclusive growth, and supporting SMEs in their digital transformation efforts. China and ASEAN will deepen cooperation between the public and private sectors through frameworks such as the China-ASEAN Digital Ministers’ Meeting to build a sustainable and inclusive digital ecosystem.
29. Beijing Asset Valuation Association addresses key issues in data asset valuation to enhance understanding of data property rights (8 October)
The Beijing Asset Valuation Association released the 2024 Issue 1: Q&A on Data Asset Valuation Practices, providing professional guidance on common issues encountered during data asset valuation. The Q&A addresses topics such as applicable scenarios for data asset valuation, assessment objects, legal ownership, quality evaluation, data security, identification of application scenarios, and the prerequisites and limitations of using the income approach for valuation. This guidance aims to assist valuation institutions and professionals in better understanding the critical factors in data asset valuation, enhancing the professionalism and timeliness of valuation practices to address challenges like limited data asset circulation and unrealised application potential.