This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at james.gong@twobirds.com.
In October 2025, China introduced multiple policies and standards in key areas such as personal information protection, data and network security, and the construction of the basic data institutional system. Regulators also stepped up enforcement and released typical cases, continuing to improve the institutional system and to stress enterprises' primary responsibilities:
Personal Information Protection: At the legislative level, the Cyberspace Administration of China (“CAC”) and the State Administration for Market Regulation (“SAMR”) jointly issued the Measures for the Certification of the Cross-border Transfer of Personal Information. On the enforcement front, the Supreme People’s Procuratorate released typical cases, including an administrative public interest lawsuit against two real estate enterprises for the unlawful use of facial recognition information, as well as statistics and trends on criminal cases involving infringement of citizens’ personal information in the first three quarters; the Ministry of Industry and Information Technology (“MIIT”) for the first time publicly notified 20 smart terminal models that infringed user rights; MIIT, the Ministry of Public Security (“MPS”), the National Computer Virus Emergency Response Centre (“CVERC”), the Shanghai Communications Administration (“CA”) and the Liaoning CA respectively notified or delisted non-compliant applications infringing user rights; the Xiangtan CAC interviewed the persons in charge of multiple livelihood-related Apps and urged rectification of issues relating to the illegal collection and use of personal information; the Beijing No. 4 Intermediate People’s Court released an overview and typical cases of trials relating to personal information protection; and the People’s Bank of China (“PBOC”) imposed penalties on a bank and the relevant responsible persons for violating provisions on cybersecurity management, information retention and other requirements.
Data and Network Security: At the legislative level, the Standing Committee of the National People’s Congress completed amendments to the Cybersecurity Law of the People’s Republic of China, adding provisions related to artificial intelligence and further refining rules on legal liability; MIIT solicited public comments on multiple market access requirements in the automotive sector, requiring relevant enterprises to establish mechanisms for onshore data storage and outbound data transfer assessment; the Cybersecurity Standardization Technical Committee (“TC260”) released several draft standards for public comment, including database networking security requirements and data security protection requirements; and the Standing Committee of the Gansu Provincial People’s Congress issued local data regulations, the Gansu Provincial Data Regulations, to regulate the reasonable use and protection of personal information. On the enforcement and industry fronts, CAC released a Q&A on data export management, clarifying exemption scenarios, the concept of outbound data transfers, and requirements for outbound transfer methods; the Shanghai CAC, together with multiple departments, carried out a special rectification campaign on data security targeting Internet-based medical service enterprises; and the Department of Industry and Information Technology (“DIIT”) of Inner Mongolia Autonomous Region held a conference on network and data security for new-type industrialization, making arrangements for data classification and grading management, risk assessment, and full life cycle data management.
Data Basic Institutional System Construction: At the central level, the National Data Bureau issued the Guidelines on Typical “Data Element ×” Scenarios, providing operational guidance on data right confirmation, circulation, application, and governance. At the industry level, the China Internet Association issued a self-disciplinary convention stipulating minimal and necessary data interconnection and interoperability, safeguarding users’ rights to be informed and to make choices, as well as privacy rights, and promoting the circulation and sharing of data elements.
Follow the links below to view the official policy documents or public announcements.
The Standing Committee of the National People's Congress passed the Decision on Amending the Cybersecurity Law of the People's Republic of China. The amendments: add provisions under which the state supports basic theoretical research in artificial intelligence, algorithm development and other key technologies, while strengthening risk monitoring, assessment and security supervision; explicitly raise the fines for violations, distinguishing between general, serious and particularly serious consequences, with the maximum fine reaching ten million yuan; add legal liability for selling or providing network key equipment and network security-specific products that have not undergone security certification or security testing, or that have failed certification or do not meet the testing requirements; improve the handling and penalty measures for activities such as network security certification, testing, risk assessment and the release of network security information; add provisions for lighter, mitigated or no administrative penalties; and, for foreign institutions, organizations or individuals engaging in activities that harm China’s network security, expressly allow sanction measures such as the freezing of assets.
2. CAC and SAMR issued measures to regulate personal information cross-border flow certification activities (17 October)
The CAC and the SAMR jointly issued the Measures for the Certification of the Cross-border Transfer of Personal Information, which regulate the provision of personal information overseas by personal information processors via the certification route. The measures apply to personal information processors other than critical information infrastructure operators that, since 1 January of the current year, have cumulatively provided overseas the personal information of more than 100,000 but fewer than 1 million individuals, or the sensitive personal information of fewer than 10,000 individuals. In terms of content, the measures: prohibit splitting volumes to evade security assessments; require processors to fulfil the obligations of notification and separate consent and to conduct a personal information protection impact assessment before applying for certification; require processors to apply for certification from a professional certification institution; and provide that, where a professional certification institution, the CAC or another relevant department finds that the actual cross-border transfer is inconsistent with the certified scope, or that the processor otherwise no longer meets the certification requirements, the certification institution must suspend the use of the certificate (or cooperate in its suspension), up to and including revoking it, with the outcome publicized through the SAMR. On the enforcement side, the CAC and relevant departments at provincial level or above may interview certified processors that present significant risks or have suffered security incidents.
The MIIT publicly solicited comments on multiple market access requirements in the automotive sector, including requirements on automotive enterprises' network security assurance. The Road Motor Vehicle Production Enterprise Access Review Requirements (Draft for Comments) require relevant enterprises to establish a management system, risk control mechanisms, emergency management and response mechanisms for security vulnerabilities, a continuous improvement mechanism for the network security management system and a network security monitoring mechanism, and to be capable of retaining relevant network logs for no less than six months as required. They must also meet data security assurance requirements, including a management system, data classification and grading, asset management ledgers, full-lifecycle risk assessment and security monitoring, onshore storage capability and an outbound transfer security assessment mechanism, and data security management capability over the parties involved in their data processing. The Road Motor Vehicle Product Access Review Requirements (Draft for Comments) expressly stipulate that products with autonomous driving functions, intelligent connected vehicles and over-the-air (OTA) technology must meet network security and data security technical requirements.
4. TC260 planned to release practice guide, standardizing database networking security requirements (17 October)
The TC260 publicly solicited comments on the Cybersecurity Standards Practice Guide – Database Networking Security Requirements (Draft for Comments), which sets out requirements for the security of networked databases from both technical and management perspectives, and also proposes security requirements for cloud-based object storage, with the aim of preventing incidents such as data breaches caused by insufficient protective measures, insecure configurations or mismanagement. The guide applies to database systems that are connected to public networks for data processing activities. At the technical level it covers identity authentication, access control, data encryption, boundary protection, network transmission and log auditing; at the management level it covers operations and maintenance management, management of cooperating and outsourced parties, personnel management and supply chain management. Its key requirements are: first, establish a whole-process security management system, clarify responsibilities and conduct regular assessments; second, implement least privilege, multi-factor authentication, data desensitization and encryption in transit; third, deploy real-time monitoring, early warning and emergency response mechanisms; fourth, strengthen compliance auditing, dynamically adjusting the audit scope and alert thresholds in line with business changes and data sensitivity.
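The guide's technical-level items (identity authentication, access control, network transmission, boundary protection) translate directly into things one can check in a database's own access configuration. The following is an added example, not part of the guide or any TC260 standard: a Python audit of a constructed PostgreSQL pg_hba.conf that flags password-less or clear-text authentication, non-TLS rules reachable from public address space, and rules that grant every role access to every database from public networks. The mapping of pg_hba.conf settings to the guide's categories, the list of "internal" address ranges and the sample file are all this editor's assumptions.

```python
"""Audit a PostgreSQL pg_hba.conf for the classes of weakness the database
networking guide targets: weak or absent client authentication, unencrypted
transport from public networks, and rules that grant every role access to every
database from anywhere.  Added example; the pg_hba.conf-to-guide mapping is the
editor's own interpretation and the sample file below is constructed."""
import ipaddress

# Methods that send no credential (trust) or a password in clear text / a weak
# challenge (password, md5); scram-sha-256, cert, gss etc. are acceptable.
WEAK_METHODS = {"trust", "password", "md5"}

# Address space treated as "internal" (assumption); anything else is public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def _looks_like_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def admits_public(address: str) -> bool:
    """True if the ADDRESS column admits clients outside INTERNAL_NETS."""
    if address in ("samehost", "samenet"):
        return False
    if address == "all":
        return True
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return False  # hostname or domain-suffix entry; not judged here
    return not any(net.version == i.version and net.subnet_of(i)
                   for i in INTERNAL_NETS)


def parse_rule(line: str):
    """Parse one pg_hba.conf line into a dict, or None for blanks/comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    f = line.split()
    rule = {"type": f[0], "db": f[1], "user": f[2], "address": None}
    if f[0] == "local":          # UNIX-socket rules carry no ADDRESS column
        rule["method"] = f[3]
        return rule
    address, rest = f[3], f[4:]
    if rest and _looks_like_ip(rest[0]):   # netmask given as its own column
        address, rest = f"{address}/{rest[0]}", rest[1:]
    rule["address"], rule["method"] = address, rest[0]
    return rule


def audit(hba_text: str):
    """Return [(line_no, issue_code)] for every rule that violates a check."""
    findings = []
    for n, raw in enumerate(hba_text.splitlines(), 1):
        rule = parse_rule(raw)
        if rule is None:
            continue
        public = rule["address"] is not None and admits_public(rule["address"])
        # Identity authentication: no password-less or clear-text network logins.
        if rule["method"] == "trust" or (
                rule["type"] != "local" and rule["method"] in WEAK_METHODS):
            findings.append((n, "WEAK_AUTH"))
        # Network transmission: only TLS-enforcing rules may face public networks.
        if public and rule["type"] in ("host", "hostnossl"):
            findings.append((n, "PLAINTEXT_TRANSPORT"))
        # Access control / least privilege: a public-facing rule must be scoped.
        if public and rule["db"] == "all" and rule["user"] == "all":
            findings.append((n, "UNSCOPED_PUBLIC_ACCESS"))
    return findings


# Constructed sample; 203.0.113.0/24 stands in for a customer's public range.
CONSTRUCTED_PG_HBA = """\
# TYPE    DATABASE  USER      ADDRESS             METHOD
local     all       postgres                      peer
host      all       all       127.0.0.1/32        scram-sha-256
host      all       all       0.0.0.0/0           md5
hostssl   app       app_rw    203.0.113.0/24      scram-sha-256
hostssl   app       app_rw    10.0.0.0 255.0.0.0  cert
hostnossl all       all       ::/0                trust
"""

if __name__ == "__main__":
    for line_no, issue in audit(CONSTRUCTED_PG_HBA):
        print(f"line {line_no}: {issue}")
```

Only lines 4 and 7 of the sample are reported: the `hostssl` rule for the public range passes because it enforces TLS, uses SCRAM and is scoped to one database and role, which is the shape the guide's least-privilege and encryption-in-transit items call for. Hostname entries are deliberately skipped rather than guessed at, and a real audit would extend the checks to `hostnogssenc` and to the `clientcert` options that follow the method column.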
5. TC260 planned to release national standard, standardizing data security protection requirements (31 October)
The TC260 released the Data Security Technology – Requirements for Data Security Protection (Draft for Comments), aimed at achieving effective protection, lawful use and continuous security of data. The standard divides data into general data, important data and core data and formulates corresponding protection requirements covering the entire data processing lifecycle, including collection, storage, use, processing, transmission, provision, disclosure and deletion. It requires data processors to strengthen risk monitoring, promptly identify and remediate data security defects and vulnerabilities, and rapidly respond to and report data security incidents. For important data and core data it sets higher requirements, including strengthened data security management, full-lifecycle protection, regular risk assessments and stronger management of information system construction, so as to ensure data security.
6. Gansu released data regulations, systematically standardizing data resource management, circulation, and security assurance (9 October)
The Gansu Provincial People's Congress Standing Committee released the Gansu Provincial Data Regulations, aimed at strengthening data resource management, ensuring data security, and promoting the empowerment of high-quality development by data elements. The first chapter of the regulations clarifies the functional boundaries of the provincial government's data competent department, the provincial cyberspace administration department, the provincial and national public security organs, finance, industry and information technology, and other relevant departments. The second chapter focuses on data resources, requiring standardized collection, registration, and sharing of public data, with higher-level governments returning, as needed, government affairs data originally handled by lower-level governments; it encourages enterprise data governance and the reasonable use of personal information. The third chapter focuses on data circulation, establishing a trusted circulation system, the orderly opening of public data, and an authorized operation mechanism for public data resources, and standardizing data transactions, pricing, and asset evaluation. The fourth chapter focuses on data development and application, promoting digital government, smart cities, and data empowerment for people’s livelihood and industries. The fifth chapter focuses on data security, implementing classification and grading, risk assessment, and emergency response; processors must establish and improve full-process systems, training, contingency plans, and other mechanisms.
The Supreme People's Procuratorate released a typical case of administrative public interest litigation concerning the illegal use of facial information by two real estate enterprises. The sales offices of the two enterprises had illegally installed facial capture systems and, without consent, collected more than 28,000 facial photos and videos of consumers for commercial analysis, automatically deleting them after uploading them to the cloud, in violation of the Personal Information Protection Law. The market regulation department imposed an administrative fine of RMB 50,000 on each of the two companies in accordance with the law and prompted the real estate group to which they belong to carry out comprehensive rectification across the sales offices of its subsidiaries.
The Supreme People’s Procuratorate released the number and trends of crimes infringing on citizens' personal information in the first three quarters of 2025. Data shows that procuratorial organs nationwide have continuously intensified efforts to crack down on violations and crimes infringing on citizens' personal information, safeguarding citizens' information rights, with a total of over 2,100 cases prosecuted involving more than 4,400 people. The crimes present “three new” trends: first, driven by grey and black markets, targeted acquisition of citizens' personal information; second, iteration of criminal technology, with criminal methods becoming more intelligent and concealed; third, online “doxxing” boosting the escalation of cyber violence. Procuratorial organs emphasize that they will continuously strengthen the crackdown on violations and crimes infringing on citizens' personal information, strictly investigate the sources of citizens' personal information data leaks, and safeguard citizens' information rights.
The CAC released a Q&A on data export management that addresses the Provisions on Promoting and Regulating Cross-Border Data Flows and related rules, answering 10 typical questions to give enterprises compliance guidance on data export. Among other points, the Q&A clarifies the following. First, exemption scenarios are broadened but bounded: the word “etc.” covers similar contract-performance scenarios such as cross-border shopping and delivery, but the transfer must satisfy both “the individual is a party to the contract” and “necessary for concluding or performing the contract”, and the obligations of notification, separate consent and impact assessment still apply; a hotel enterprise's export of personal information arising from domestic individuals booking domestic hotels is not exempt. Second, the concept of data export is clarified: where data stored in China is queried, retrieved, downloaded or exported from overseas, this constitutes export. “Overseas” refers to where the access or invocation takes place; staff of overseas entities accessing data stored in China while physically in China does not constitute data export. Third, the export process is further clarified: system upgrades or replacements do not necessarily require a fresh assessment; data processors must file a security assessment declaration within two months of being notified that data is important data; and where only the same overseas recipient is involved and the estimated annual volume of personal information exported meets the conditions for concluding a standard contract, a contract may be filed once on the basis of a reasonable forecast of the export volume.
Since the release of the Announcement on Carrying Out the 2025 Personal Information Protection Special Action, the MIIT has for the first time publicly notified smart terminals for conduct infringing users' rights. The 20 smart terminal models notified in this batch mainly exhibit the following violations: illegal collection of personal information, including collection beyond the stated scope and collection of facial information without separate notification and consent; failure to clearly state personal information processing rules; failure to provide permission control mechanisms; forced automatic renewal; and illegal transmission of personal information to the cloud. MIIT requires the relevant enterprises to rectify these violations within a time limit, failing which further disposal will be carried out in accordance with the law.
The MIIT’s inspection found that 42 apps and SDKs have issues involving infringement on user rights. Among them, 23 involve illegal collection of personal information; 8 involve collection of personal information beyond the scope; 6 involve illegal use of personal information; 3 involve frequent self-starting and associated starting; 11 involve forced, frequent, or excessive requests for permissions; 1 involves forcing users to use targeted push functions; 2 involve default consent in privacy policies; 2 involve inadequate disclosure of SDK information; 4 involve disordered jumps when clicking information windows; 1 involves not prominently displaying the close button for information windows; 2 involve unclear disclosure of app distribution information. MIIT requires the notified apps and SDKs to carry out rectification in accordance with relevant regulations, and if the rectification is not implemented properly, it will organize and carry out relevant disposal work in accordance with laws and regulations.
The MPS detected 34 Apps that illegally collected and used personal information. The issues, 15 types of non-compliance in total, mainly included: failure to list item by item the purposes, methods and scope of collecting and using personal information; failure, when requesting to collect sensitive personal information and other personal information, to inform users of the purpose at the same time; collecting personal information before obtaining user consent; excessive collection of personal information; and failure to provide users with channels or functions for complaints relating to personal information. The notice required the relevant developers to rectify, and eight Apps that still failed re-testing after the previous notice were removed from App stores.
The CVERC detected 70 Apps that illegally collected and used personal information. The issues mainly fell into 12 types of non-compliance, such as: failure at first launch to display a pop-up prompting users to read the rules on collection and use; absent or incomplete privacy policies; failure to inform users and obtain separate consent before providing personal information to third parties; collecting personal information or enabling relevant permissions before obtaining user consent; failure to provide convenient means to withdraw consent; failure, when using automated decision-making to push marketing information, to provide non-personalized options or a convenient way to refuse; failure to inform users of the necessity and impact before processing sensitive personal information; and failure to formulate special rules or obtain guardians’ consent when processing minors’ personal information. The notice required the relevant developers to rectify, and 28 Apps that still failed re-testing after the previous notice were removed from App stores.
14. Shanghai CA reported two batches of non-compliant Apps and SDKs infringing user rights, involving failure to clearly state personal information processing rules and excessive collection of personal information (10 October, 20 October)
The Shanghai CA detected 69 Apps and SDKs with varying degrees of illegal and non-compliant collection and use of personal information. Among them, 61 involved failures to clearly state personal information processing rules; 9 involved improper handling of user complaints; 1 involved forced, frequent, or excessive requests for permissions by the App; 1 involved illegal collection of personal information; 1 involved excessive collection of personal information; 1 involved non-standard installation and uninstallation practices; and 1 involved difficulties in account cancellation. The Shanghai CA required developers to submit written reports on rectification and self-assessment within five working days from the date of the notice, and stated that those failing to complete rectification and submit reports within the time limit would be handled in accordance with the law.
The Shanghai CAC, through inspections, found frequent incidents of system attacks, web page tampering, and data theft involving local Internet-based medical service enterprises. Relying on the “Bright Sword in the Pujiang 2025” campaign, it launched a special rectification campaign focusing on four prominent problems: failure to implement responsibilities, unsound systems, inadequate technical protection, and insufficient public legal education. The campaign identified 18 hidden risks in 8 categories, provided training to more than 100 key enterprises, urged 375 enterprises to conduct self-inspection and rectification, issued 8 security notices, drafted compliance guidelines, and completed acceptance reviews of 30 enterprises. Overall, the campaign enhanced enterprises’ awareness of the rule of law, strengthened technical protection, and safeguarded personal information rights and interests.
The Liaoning CA detected 10 Apps and SDKs with varying degrees of illegal and non-compliant collection and use of personal information. Among them, 6 involved illegal collection of personal information; 5 involved forced, frequent, or excessive requests for permissions by the App; 1 involved excessive collection of personal information; and 1 involved illegal use of personal information. The Liaoning CA required the relevant operating entities to complete rectification within seven days and submit written reports, and stated that those failing to do so within the time limit would be handled in accordance with the law.
The Xiangtan CAC, in accordance with the law, conducted collective interviews with persons in charge of seven livelihood-related Apps, including those operated by local higher vocational colleges, hospitals, and enterprises, that had illegally collected and used personal information. At the meeting, it reported issues identified in previous law enforcement inspections, organized study of relevant laws and regulations, and required rectification within a specified time limit, improvement of internal systems, and strict fulfillment of personal information protection responsibilities. Since the beginning of this year, the Xiangtan CAC has focused on sectors such as education, healthcare, and housing and urban-rural development to carry out special campaigns, conducting online and offline inspections of 10 entities, holding three law enforcement interviews, and urging rectification of 21 issues. The Xiangtan CAC emphasized that it will continue to advance special law enforcement and will deal strictly, in accordance with the law, with entities that refuse to rectify.
The Beijing No. 4 Intermediate People’s Court released an overview of trials and seven typical cases relating to personal information protection. In the past three years, the court concluded 66 second-instance civil cases involving personal information rights and interests, with the number increasing year by year and covering areas such as online services, labor disputes, private relationships, and digital certification, reflecting the public’s growing awareness of personal information protection. The typical cases clarified, among others, that: when a “unified service platform” processes sensitive and private personal information, it needs to obtain separate consent from users; platform users cannot, through account cancellation, withdraw personal information associated with permanently banned accounts within a time limit; the exercise of the right to access and copy personal information needs to be based on the purpose of protecting personal information rights and interests; human and technical costs and the difficulty of inquiries cannot serve as valid defenses against requests to access and copy personal information, and personal information processors should provide all processed information content in accordance with the law; companies should disclose employees’ salary and other private information only within a reasonable scope; human resources departments should strictly follow the principles of lawfulness, legitimacy, and minimal impact when processing employees’ personal information; and the determination of privacy information should take into account the scope of dissemination, the parties’ subjective intentions, and social consensus.
The PBOC Suzhou Central Sub-branch imposed administrative penalties on a certain bank and relevant responsible persons. The bank committed multiple violations, including breaching account management provisions, failing to fulfill customer identification obligations as required, violating cybersecurity management provisions, violating data security management provisions, and violating provisions on the collection, provision, inquiry, and related management of credit information, and was given a warning and fined. The relevant responsible persons bore responsibility for violations such as failure to retain customer identification data and transaction records as required and violations of provisions on the collection, provision, and inquiry of credit information. The administrative penalties aimed to reinforce financial institutions’ primary responsibilities for cybersecurity, data security, customer identification, and credit information management, and to protect customers’ personal information rights and interests.
The National Data Bureau issued the Guidelines on Typical “Data Element ×” Scenarios, focusing on nine sectors including manufacturing, mining, construction, wholesale and retail, transportation and warehousing, accommodation and catering, leasing and business services, and scientific research and technical services. The guidelines systematically sort out practical applications of typical data element scenarios, provide operational guidance, and promote deep integration between data development and utilization and industry. Centering on key links such as data right confirmation, circulation, application, and governance, the guidelines put forward 58 typical scenarios across 21 key areas, covering the whole chain of practices including data collection, annotation, cleaning, analysis, and transactions. The guidelines require strengthening data classification and grading management, desensitization processing, and assessment of cross-border data flows, establishing and improving mechanisms for defining data property rights, and preventing leakage risks.
The DIIT of Inner Mongolia Autonomous Region held a conference on network and data security for new-type industrialization, with more than 500 participants from the Ministry of Industry and Information Technology, industry and information technology bureaus of various leagues and cities, key industrial enterprises, and security service providers. The conference further set out requirements on network and data security in three aspects: first, deepening classified and graded management of cybersecurity and strengthening protection, monitoring, and emergency response plans; second, improving data classification and grading and risk assessment, and strengthening full life cycle data management; and third, fostering the security industry and supporting technological breakthroughs and supply–demand matchmaking. The conference required the industry and information technology bureaus of all leagues and cities to improve mechanisms and strengthen supervision; enterprises to fulfill their primary responsibilities, ensure investment, and refine emergency plans; and service providers to innovate service models, deepen cooperation, and provide professional support.
22. China Internet Association issued self-disciplinary convention to promote interconnection and interoperability of Internet platforms (24 October)
Under the guidance of the MIIT, the China Internet Association issued the Self-disciplinary convention on promoting interconnection and interoperability of Internet platforms, which was signed by 61 entities, including many well-known Internet platforms and 32 local Internet associations, covering sectors such as e-commerce, social networking, and payment. The convention provides for phased promotion of interconnection in three major scenarios: first, Internet platforms and third-party platforms are to promote interconnection and interoperability of applications and services, support users in conveniently switching, and must not, without justifiable reasons, restrict third-party services; second, subject to security, Internet platforms and third-party platforms are to promote the identification and access of external links; and third, Internet platforms are to gradually promote data interconnection and interoperability among themselves. The convention emphasizes that data interconnection should follow the principle of minimal necessity and that data should be collected and used within the scope of user authorization or as permitted by laws and regulations; it safeguards users’ rights to be informed, to make choices, and to privacy, and allows users to disable interconnection functions. It also requires the establishment and improvement of data security management systems and emergency response plans, the setting up of convenient complaint channels, and the maintenance of fair competition, with a view to implementing normalized regulation of the platform economy, building an open and collaborative digital ecosystem, and promoting the circulation and sharing of data elements while protecting user rights and interests.