This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at james.gong@twobirds.com.
In October 2024, China introduced several laws and policies focusing on data security and data resource development to tackle challenges in the digital era and promote high-quality development of the data economy:
Follow the links below to view the official policy documents or public announcements.
1. State Council issues regulation to safeguard network data security and promote lawful use of network data (30 September)
The State Council issued the Network Data Security Management Regulation, effective from 1 January 2025. The regulation aims to standardise network data processing activities, ensure data security, promote lawful and reasonable use of data, protect individual and organisational rights, and safeguard national security and public interests. It covers areas such as data classification protection, network data security responsibilities, personal information protection, security management of critical data, and cross-border data transfers, with strict penalties for violations to enhance network data security.
2. TC260 issued national standard to guide organisations in identifying sensitive personal information (18 September)
The TC260 released the Cybersecurity Standards Practice Guide—Sensitive Personal Information Identification Guidelines. This guide helps organisations identify and manage sensitive personal information, defining it as data that could harm personal dignity, safety, or assets, including biometric data, religious beliefs, financial accounts, and health information. It provides specific rules for identifying and managing such data to ensure compliance with laws like the Personal Information Protection Law and to safeguard data security.
3. SCA issued management measures to further regulate electronic authentication services for e-government and enhance e-government security (10 September)
The State Cryptography Administration (“SCA”) issued the Management Measures for Electronic Authentication Services for E-Government, aimed at regulating the conduct of electronic authentication services for e-government, ensuring the security and reliability of e-government, and safeguarding the legitimate rights and interests of all parties. These measures specify the qualification certification conditions for electronic authentication services for e-government, supervision and management measures, compliance requirements, and clarify that institutions engaged in e-government electronic authentication services must legally obtain qualifications and comply with the national cryptography regulations and relevant legal requirements during the provision of services. These measures will take effect on 1 November 2024, to strengthen the management of electronic authentication services and ensure the authenticity and reliability of electronic signatures.
The Cyberspace Administration of China (“CAC”) and the Government of the Macao Special Administrative Region jointly issued the Guidelines for the Implementation of Standard Contracts for Cross-border Personal Information Transfers in the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Macao). The guidelines aim to implement the Memorandum of Cooperation between the two parties on cross-border data flow in the Greater Bay Area, promoting the safe and orderly transfer of personal information between China’s mainland and Macao. The guidelines set out the conditions for cross-border personal information transfers through standard contracts, the requirements for contract filing, and the obligations of personal information processors. The guidelines require personal information processors to conduct a personal information protection impact assessment before providing information across borders and complete the filing within 10 working days after the contract takes effect, while also emphasising the timely handling of security incidents and the complaint reporting mechanism.
During the main forum of the 2024 National Cybersecurity Awareness Week Cybersecurity Technology Summit, the CAC and the Economic and Financial Services of the Macao Special Administrative Region Government signed a Memorandum of Cooperation on Promoting Cross-border Data Flow in the Guangdong-Hong Kong-Macao Greater Bay Area. The memorandum aims to promote the safe and orderly cross-border data flow between China’s mainland and Macao and to drive high-quality development in the Greater Bay Area.
Hunan Province recently issued the Hunan Province Data Intellectual Property Registration Management Measures (Trial), jointly formulated by the Provincial Market Supervision Administration and several other departments. These measures officially launch the registration and management of data intellectual property, clarifying that data collections legally acquired and processed can be registered, with electronic data intellectual property certificates issued by the Provincial Market Supervision Administration. These certificates serve as preliminary proof of ownership, usage, circulation, and rights protection for the data collections. The measures aim to promote the application of intellectual property of data in the market-oriented allocation of data, industrial development, and cross-border circulation, strengthen protection mechanisms, and facilitate data innovation and the realisation of its commercial value, while taking into account data security, public interests, and personal privacy.
7. Shanghai Administration for Market Regulation issued local standard detailing data classification and grading requirements for vehicle networks (20 September)
The Shanghai Administration for Market Regulation released a local standard titled Guidelines for Data Classification and Grading in Vehicle Networks. This standard specifies the prerequisites, methods, and processes for data classification and grading in vehicle networks, including special management measures for specific scenarios. It emphasises that data classification should cover the entire data lifecycle, analysing attributes like usage scope, importance, and security risks, to ensure safety and compliance across various application scenarios.
8. Changchun issued new measures, making detailed regulations on data property rights registration to promote data openness and flow (10 September)
The Changchun Municipal Administrative Bureau of Government Services and Digital Construction issued the Changchun Data Property Rights Registration Management Measures, aimed at regulating data property rights registration, protecting the legitimate rights and interests of participants in the data elements market, and promoting the openness, flow, and utilisation of data. The measures provide detailed regulations on the objects, content, procedures, and management supervision of data property rights registration, clarifying the definitions of data resources and data products, the responsibilities of registration institutions, and the rights and obligations of registration subjects. Additionally, the measures establish comprehensive regulatory and confidentiality measures to ensure the legality and security of data property rights transactions.
9. Hangzhou government plans to issue data trading regulations to promote data flow and optimise the data trading market environment (2 September)
The Hangzhou Municipal Government has solicited opinions on the Hangzhou Data Flow and Trading Promotion Regulations (Draft), aimed at promoting the market-based allocation of data elements, optimising the data flow and trading environment, and driving the high-quality development of the data industry. The regulations clarify the rights of data originators and processors, encourage legal data trading and processing, support the openness of public and enterprise data, and explore diversified data pricing and revenue distribution mechanisms. Additionally, the regulations set forth compliance supervision for data rights registration, storage certification, and trading institutions, encouraging the participation of third-party professional organisations and promoting the development of the Hangzhou Data Exchange, while constructing a cross-regional data flow platform.
10. MIIT reported 21 apps (SDKs) for infringing user rights, involving issues such as illegal use of personal information (29 September)
The Ministry of Industry and Information Technology (“MIIT”) issued a report on 21 apps and SDKs that have been found to infringe on user rights. MIIT has been continuously rectifying user rights violations by apps and organised third-party testing agencies to conduct spot checks on the related apps and SDKs. The investigation revealed problems such as the illegal collection and use of personal information and the forced request for permissions. The report requires these apps and SDKs to undergo rectification in accordance with relevant regulations and warns that failure to make necessary corrections will result in legal actions.
11. National Computer Virus Emergency Response Centre reported 13 mobile applications with privacy non-compliance issues (25 September)
The National Computer Virus Emergency Response Centre recently detected privacy non-compliance issues in 13 mobile applications. These problems include difficulties accessing privacy policies, failure to disclose operator information, lack of detailed explanations in privacy policies regarding the purpose and methods of personal information collection and use, and the provision of personal information to third parties without user consent. Additionally, some applications began collecting information before obtaining user consent, did not offer convenient ways for users to modify or delete personal information, and failed to provide a method for users to withdraw consent. In response to these issues, the centre advises users to be cautious when downloading and using non-compliant apps, to carefully read privacy policies, and to avoid disclosing personal information.
12. Multiple companies fined for failing to fulfil cybersecurity protection obligations, involving industries such as energy, hospitality, and education (18 September)
In 2024, the cybersecurity department of the Inner Mongolia Public Security Bureau intensified its crackdown on violations of cybersecurity protection obligations, handling several cases of illegal conduct. The involved companies and organisations failed to establish sound cybersecurity systems or implement effective protective measures, resulting in system attacks and information leaks, leading to administrative penalties. Some companies were fined and held accountable for neglecting high-risk vulnerabilities and failing to rectify issues over an extended period. Additionally, during inspections, authorities discovered instances where companies failed to renew domain management fees, causing their websites to be hijacked and turned into gambling sites. These violations highlight that network operators must strictly enforce the cybersecurity grading protection system, promptly addressing and preventing security risks.
13. Ministry of Public Security announced 10 typical cases, cracking down on cyberbullying and related crimes, including violations of citizens’ personal information (14 September)
Since the beginning of 2024, public security authorities have made significant progress in combating cyberbullying and related illegal activities through the “Clean Net 2024” special campaign. In the first half of the year, more than 3,500 cyberbullying cases were solved, with over 800 individuals criminally prosecuted and more than 3,400 administratively punished. The Ministry of Public Security released 10 typical cases involving cyberbullying actions such as privacy invasion, defamation, and malicious insults. These cases included the use of hacking to obtain personal information, paid services for online harassment, dissemination of private videos, and the creation of fake obscene images. The authorities have implemented measures such as improving legal frameworks, strengthening platform supervision, and increasing public awareness, effectively curbing the spread of cyberbullying. They also remind internet users to follow the law when using the internet, reject cyberbullying, and contribute to maintaining a positive online environment.
14. Beijing Internet Court released 10 typical cases on personal information protection, covering aspects such as valid consent for user data sharing (9 September)
The Beijing Internet Court, in collaboration with the Beijing Cyberspace Administration, presented 10 typical cases related to personal information protection. These cases addressed key issues such as the need for valid consent when sharing user data between related products, rules for the removal of publicly available personal information by search engine services, the collection of facial information by apps without user consent, the legality of close relatives exercising the deceased’s personal information rights, the obligations of information processors to inform and bear the burden of proof, and the reasonable use of personal information. The authorities particularly emphasised that the unauthorised use of someone’s likeness for AI face-swapping constitutes an infringement of personal information rights.
Since April 2024, public security authorities have focused on cracking down on advertising-related cyber black and grey market crimes through the “Clean Net 2024” special campaign, solving more than 170 cases and arresting over 460 suspects. The criminal methods involved include illegally obtaining visitor information, hijacking traffic, and forcing pop-up ads. The Ministry of Public Security will maintain strong pressure, continue to promote cybersecurity inspections, rectify illegal websites, and enhance industry governance and crime prevention to fully curb such illegal activities and maintain order in cyberspace. The authorities also call on internet users to increase their awareness of prevention, resist participating in cyber black and grey market activities, and report related illegal behaviour.
The China Communications Enterprise Association released the Guidelines for Data Security Compliance in the Industrial and Information Technology Sectors (Draft for Public Comment), aimed at regulating data processing activities in the industrial and information technology sectors to ensure data security and promote industry compliance management. The guidelines provide detailed operational instructions, covering data classification and grading, full lifecycle data protection, data security risk assessments, and cross-border data security management. They emphasise the establishment of data security management systems, the implementation of protective measures, and addressing risks in data transmission, sharing, and storage. Additionally, the guidelines cover compliance obligations for data transactions, offering enterprises clear pathways to achieve compliance.
Under the guidance of the Shanghai CAC, the second batch of key platforms released their reports on social responsibility for the online protection of minors. Following the first batch, nine new platforms introduced a range of innovative measures to strengthen the protection of minors online. For example, a video platform launched a guardian authorisation process, a shopping platform introduced a protection model for minors’ online purchases, and an audio platform established a graded reading growth system. These platforms have actively demonstrated their achievements in regulating online content, protecting information, and preventing addiction, reflecting their ongoing commitment to the healthy growth and protection of minors.
The National Data Bureau held a citywide digital transformation promotion meeting in Chongqing, where it released 50 typical cases for the first time, covering new scenarios such as data circulation. These cases were selected from 293 across the country and categorised into 4 major groups and 10 subfields. For instance, Beijing achieved a unified digital platform through a four-level smart city planning and control system, while Shanghai developed a spatial-temporal “one map” base to support refined urban management. Chongqing explored grassroots digital reform to modernise governance capabilities, and Guangzhou and Chengdu focused on innovations in safety operations and data resource development. The National Data Bureau further emphasised that the next step is to promote advanced experiences, explore a common component sharing mechanism, and encourage cities to accelerate digital transformation based on their own conditions.
19. National Data Bureau issued opinion to promote efficient development and utilisation of enterprise data resources (27 September)
The National Data Bureau released the draft opinion on Promoting the Development and Utilisation of Enterprise Data Resources. It aims to advance compliant, efficient data use by enhancing mechanisms for realising, protecting, distributing, and circulating data rights. The document encourages companies to improve data governance, shift to data-driven models, promote cross-industry collaboration, support SME digitalisation, and participate in global data governance, while ensuring secure and compliant cross-border data flows.
20. National Data Bureau proposed nine key opinions to promote high-quality development of the data industry and build a national integrated data market (27 September)
The National Data Bureau released the draft Guiding Opinions on Promoting High-Quality Development of the Data Industry for public consultation. The opinion outlines key areas such as data collection, storage, circulation, development, security, and infrastructure construction. It proposes strategies including promoting industry planning, fostering diverse business entities, accelerating data technology innovation, enhancing resource utilisation, expanding data circulation, and strengthening security. The goal is to significantly grow the data industry by 2029, fostering globally competitive enterprises and products.
21. MIIT issued 2024 version of digitalisation assessment indicators for SMEs, providing clearer and more precise digitalisation evaluations (9 September)
The MIIT released the Digitalisation Assessment Indicators for Small and Medium-sized Enterprises (2024 Edition), aimed at offering a more scientific and practical tool for SMEs to assess their digitalisation level and guide their transformation. The assessment indicators have been optimised based on feedback from the 2022 version and offer three usage methods: SMEs can independently fill in the assessment and pledge its accuracy to obtain results, which will serve as a reference in the recognition of “Specialised, Refined, and New” SMEs; SMEs can access a free online system for evaluations; and digital transformation pilot enterprises are required to undergo on-site evaluations using the new indicators.
The World Internet Conference International Organisation held a theoretical seminar in Beijing, bringing together experts and leaders from various countries and regions in the internet field to discuss advancing the concept of a community with a shared future in cyberspace. The seminar summarised the theoretical achievements and practical experiences in building this concept and discussed the importance of global cooperation in the new era of internet development. The meeting emphasised that building a community with a shared future in cyberspace is crucial for addressing global internet development challenges, promoting security and stability, and fostering shared prosperity in the internet sector. All parties were called to jointly advance a new order of internet governance to ensure the internet benefits the world.