This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at james.gong@twobirds.com.
In September 2025, China introduced multiple policies and standards in critical areas such as personal information protection, data and cybersecurity, and the development of foundational data systems. At the same time, regulators intensively carried out enforcement and released typical cases to continuously improve the institutional system and emphasize enterprises' primary responsibilities:
Personal Information Protection: At the legislative level, the Cyberspace Administration of China (“CAC”) planned to issue the Draft Provisions on the Establishment of Personal Information Protection Oversight Committees for Large-Scale Internet Platforms for public consultation. The National Cybersecurity Standardization Technical Committee (“TC260”) released two national standards addressing security certification for cross-border personal information processing and the social responsibility of data security and personal information protection. On the enforcement front, the CAC and the Ministry of Public Security (“MPS”) published typical cases concerning cybersecurity, data security, and personal information protection. The Ministry of Industry and Information Technology (“MIIT”), the MPS, the National Computer Virus Emergency Response Centre (“CVERC”), and the Hainan CAC issued notifications on, or delisted, applications (“Apps”) infringing user rights. The MPS imposed administrative penalties on a luxury brand company for non-compliance with personal information protection obligations and on an AI service provider for failing to conduct a personal information protection impact assessment. The Shanghai CAC, in collaboration with other authorities, introduced requirements for video surveillance, facial recognition data collection, and customer source identification protocols at sales offices.
Data and Network Security: Legislatively, the National People’s Congress Standing Committee submitted the Draft Amendments to the Cybersecurity Law for review to enhance cybersecurity legal accountability. The CAC issued the Measures for Reporting National Cybersecurity Incidents to standardize incident reporting. The National Energy Administration planned to issue the Draft Measures for Data Security Management in the Energy Sector (Trial) for public consultation to regulate data processing activities in the energy sector. TC260 issued two practice guidelines addressing data processing security for internet platform service terminations and personal information protection for scan-to-order services. The Chongqing CAC, in collaboration with other authorities, issued measures and a negative list to regulate data exports in the China (Chongqing) Free Trade Zone. In enforcement and industry developments, the China Internet Finance Association issued a notice to strengthen self-disciplinary inspections of financial sector Apps. The Chongqing Nan’an District CAC and Zhangjiajie CAC imposed penalties or conducted interviews with enterprises failing to fulfil cybersecurity and data protection obligations.
Foundational Data Institutional Systems: At the national level, the State Council issued a reply approving pilot reforms for market-based allocation of production elements in select regions, emphasizing data elements market reforms. The Ministry of Commerce, alongside eight other departments, issued a notice prioritizing the promotion and regulation of cross-border data flows to enhance service export trade. At the local level, the Shenzhen CAC issued guidelines to bolster personal information protection for Apps, with several key App stores signing compliance commitment letters.
Follow the links below to view the official policy documents or public announcements.
The Standing Committee of the National People's Congress has submitted the draft amendment to the Cybersecurity Law for review. The draft amendment emphasizes the distinction between serious situations, such as large-scale data breaches and the loss of partial functions of critical information infrastructure, and particularly severe situations, such as the loss of major functions of critical information infrastructure. It proposes increasing fines in reference to the provisions of the Data Security Law. The draft also introduces legal responsibilities for the sale or provision of network critical equipment and cybersecurity products that have not undergone security certification, security testing, or where certification or testing is non-compliant. Additionally, it aims to improve the penalties for violations related to cybersecurity certification, testing, risk assessments, or the dissemination of cybersecurity information. The amendment refines the legal responsibilities for failing to fulfil information disposal obligations and for violating personal information protection rights. It also introduces provisions for mitigating, reducing, or waiving administrative penalties in cases where the violation is minor or rectified promptly, and increases penalties for violations that cause particularly severe impacts or consequences.
The CAC solicited public opinions on the Draft Provisions on the Establishment of Personal Information Protection Oversight Committees for Large-Scale Internet Platforms, specifying requirements under Article 58 of the Personal Information Protection Law, establishing an independent supervisory mechanism to regulate how large internet platforms handle personal information. The regulations specify that the supervisory committee must consist of at least 7 members, with external independent members making up no less than two-thirds of the committee to ensure objectivity. The committee will conduct oversight through regular meetings, focusing on key areas such as platform rulemaking, handling of sensitive personal information, and automated decision-making. Platform operators are required to respond to the committee’s recommendations within 10 working days; otherwise, the committee may report to the CAC. The regulations also prohibit operators from interfering with the committee’s independent duties. If a significant personal information security incident occurs due to the committee's failure to perform its duties properly, the provincial or higher-level cyberspace administration authorities may demand the reorganization of the committee.
3. CAC issued regulations to guide the reporting of national cybersecurity incidents (15 September)
The CAC issued the Measures for Reporting National Cybersecurity Incidents to standardize incident reporting and mitigate losses and harm. The measures designate network operators constructing or operating networks, or providing services through networks, in China as reporting entities. The measures require network operators to classify and assess network security incidents involving their organization according to the guidelines in the annex. Incidents that qualify as major or above must be reported. Specifically, a network security incident involving the leakage of personal information of more than 1 million citizens is classified as a major incident. The reporting process varies based on the specifics of the incident; for example, incidents involving critical information infrastructure must be reported within 1 hour, while general network operators must report within 4 hours. The measures also specify that the report should include key details such as the nature of the incident, its impact, actions taken, and any traceable clues. The Cybersecurity Department has established a cybersecurity incident reporting hotline (12387), as well as other reporting channels including a website, email, and fax, to receive cybersecurity incident reports.
4. National Energy Administration planned to issue regulations to manage energy sector data security (13 September)
The National Energy Administration solicited public opinions on the Draft Measures for Data Security Management in the Energy Sector (Trial) to regulate data processing in the energy sector. The measures define energy sector data, covering planning, construction, production, storage, transportation, and consumption across the renewable energy chain, and classify data into general, important, and core levels based on importance, scale, and security risks. The measures outline responsibilities for the National Energy Administration, local energy authorities, and energy data processors, requiring processors of important and core data to designate data security officers and management bodies, with the legal representative or principal responsible as the primary data security officer.
The TC260 has issued two national standards. Data Security Technology—Security Certification Requirements for Cross-border Processing Activity of Personal Information clarifies four principles for cross-border personal information processing: legality and necessity, transparency, equal protection, and clear responsibility. It mandates legally binding agreements between processors and overseas recipients, specifying processing purposes, scope, duration, security measures, and remedies. The standard also sets out requirements for the responsibilities of personal information protection certification bodies. Meanwhile, overseas recipients must commit to abiding by Chinese laws, to accepting ongoing supervision, and to establishing a domestic entity to bear civil liability. Both parties must appoint personal information protection officers, develop joint cross-border rules, conduct impact assessments (retained for at least three years), and recognize individuals as third-party beneficiaries with rights to access, copy, correct, delete, and withdraw consent. The standard addresses scenarios such as multinational groups and overseas cloud/technical support to facilitate certification and compliance. Data Security Technology—Guidance on Social Responsibility of Data Security and Personal Information Protection outlines governance frameworks and disclosure requirements for data security and personal information protection, covering organizational governance, compliance and innovation, fair operations, user rights protection, and public welfare. It provides performance evaluation methods, case studies, and social responsibility report templates to support third-party evaluations and best practice selection, encouraging enterprises to integrate data security and personal information protection into long-term governance and transparent disclosure.
6. TC260 issued two practice guidelines, standardizing data processing security requirements for internet platform service terminations and personal information protection requirements for scan-to-order services (16 September)
The TC260 issued two practice guidelines. Cybersecurity Standards Practice Guide — Security Requirements for Data Processing When Internet Platforms Cease Services addresses data processing for platforms ceasing operations due to mergers, dissolutions, or bankruptcies, requiring operators to halt new data collection and issue a personal information disposal notice at least 20 working days prior to termination, specifying methods for deletion, transfer, or storage. Platforms handling important data or over 10 million individuals’ personal information must submit a disposal plan 45 working days in advance, assess the effectiveness of data deletion, and retain reports for at least three years. Cybersecurity Standards Practice Guide — Personal Information Protection Requirements for QR Code–Based Ordering stipulates that scan-to-order services may only collect essential information such as order details, payment information, and platform user IDs, prohibiting mandatory collection of phone numbers, location data, or forced subscription to public accounts. Catering businesses must clearly disclose processing rules and obtain explicit user consent upon first use, while establishing a complaint mechanism with a response time of 15 working days.
The Chongqing CAC, with other authorities, issued the Measures for the Administration of the Negative List for Cross-Border Data Transfers in the China (Chongqing) Pilot Free Trade Zone (for Trial Implementation), the 2025 Negative List for Data Exports in the China (Chongqing) Pilot Free Trade Zone, and the Implementation Guidelines for the Negative List (Trial) to facilitate efficient data flows. The measures adopt a “strict control within the list, no application required outside the list” approach, requiring data on the negative list to undergo security assessments, standard contracts, or personal information protection certification, while non-listed data is exempt. Processors must identify important data, obtain separate consent, ensure transmission security, maintain records, and report incidents. National core data remains subject to stricter regulations. The negative list focuses on the automotive industry, covering important data in the scenarios of vehicle R&D and testing, manufacturing, supply chain, and user services. Examples include high-precision maps, vehicle exterior images, critical connectivity and charging instructions, and trajectory/traffic flow data. Quantitative thresholds include mandatory security assessments for annual cross-border transfers of over 1 million individuals’ personal information or 10,000 sensitive personal information records, with standard contracts or certifications for 100,000–1 million personal information records or fewer than 10,000 sensitive records. The measures include a reference rule for data classification across industries to aid compliance.
The CAC released ten typical cases addressing violations such as webpage tampering, data breaches, and illegal handling of personal information. The typical problems identified include: an operator that only reinstalled its system without fixing vulnerabilities such as "arbitrary file upload," leading to its login page being tampered with; a main portal and eight subpages that displayed gambling-related content due to code implantation, with the operator failing to report the issue in a timely manner; a system with directory traversal and unauthorized access flaws, no firewall configuration, and no retained logs, causing system data to be crawled and leaked via search engines; a system that allowed anonymous access and had an ineffective cloud security group, leading to data theft; a database port 3306 exposed with weak or no passwords, resulting in 159 consecutive intrusions; a system backend with privilege escalation issues, an expired cloud firewall, and missing logs, leading to the bulk extraction of data; in-house developers at a company who copied large amounts of user data for convenience and opened external network ports, exposing internal data; an app that collected installation/uninstallation information and accessed unnecessary storage permissions in the background without the corresponding feature being used, violating the principle of least privilege; a vending machine payment system that collected facial data without consent and without conducting a personal information protection impact assessment, and that also had high-risk SQL injection vulnerabilities; and a deep synthesis app that failed to conduct a security assessment as required and whose output content lacked clear labelling, resulting in its removal from the platform in accordance with the law. These cases have been handled with penalties, including orders for rectification, warnings, fines, and removal from app stores.
The MIIT identified 29 Apps and SDKs infringing user rights, including 12 illegally collecting personal information, 1 with frequent self-starts or associated starts, 20 excessively requesting permissions, and 1 mandating targeted service functions. The MIIT has required that these Apps and SDKs make the necessary rectifications. If the rectification is not properly implemented, the authorities will organize and carry out related enforcement actions.
The MPS imposed an administrative penalty on a luxury brand company for a data breach involving three violations: transferring user personal information to its French headquarters without security assessments or standard contracts; failing to fully inform users of overseas recipient processing methods or obtain separate consent; and neglecting encryption or de-identification measures. The local public security authorities emphasise that all personal information processors should take this case as a reminder, standardize the handling of personal information throughout its entire lifecycle, and ensure the security of user personal information.
The MPS has imposed an administrative penalty on a company mainly engaged in providing basic data for AI model training. An investigation found that the company had failed to conduct a personal information protection impact assessment, as required by the Personal Information Protection Law, before processing sensitive personal information such as facial and biometric data. The case serves as a reminder to network data processors providing generative AI services to strengthen the security management of training data and related processing activities and to take effective measures to prevent and handle cybersecurity and data security risks. Enterprises across the related industry chain should fulfil their cybersecurity, data security, and information security responsibilities. When collecting personal information, obtaining consent from the individuals concerned is essential. Before delivering data to external parties, they must conduct a personal information protection impact assessment and a data cross-border security assessment.
The MPS released six typical cases under the “Cybersecurity Protection - 2025” action, focusing on network and data security issues and strengthening regulatory efforts. The cases cover illegal activities in multiple fields: a government service system failed to retain network logs as required and did not promptly address system vulnerabilities, leading to security risks that caused a financial loss of over 4 million yuan to the public. A messaging platform did not carry out the required Multi-Level Protection Scheme (“MLPS”) work, nor did it implement technical protective measures; as a result the platform was attacked, leading to the unauthorized sending of over 27,000 fraudulent messages. A smart card billing system in a school had critical vulnerabilities and failed to encrypt stored data, which led to the theft of system data; the school also did not define third-party data security responsibilities. An e-commerce company lacked security protocols, did not carry out MLPS work, and had ticketing information scraped and leaked in bulk. A "Contacts" app by a technology company had poor management, leading to data leakage; both the company and its actual responsible person were penalized. A multinational company violated regulations by transmitting user information abroad without explicit consent and without implementing security measures. Learning from these cases, network operators must fulfil their security responsibilities and comply with the Personal Information Protection Law, particularly regarding personal information handling and cross-border transfers.
The CVERC detected 69 Apps illegally collecting personal information, with 12 categories of issues including missing privacy policy prompts, incomplete privacy policies, unauthorized data collection, mishandling sensitive or minors’ data, obstructing consent withdrawal, and unencrypted storage. The notification requires relevant developers to rectify; 33 applications from the previous notification batch that remained non-compliant after retesting have been delisted.
14. China Internet Finance Association issued a notice mandating enhanced self-disciplinary inspections of Apps in the financial sector (5 September)
The China Internet Finance Association issued the Notice on Further Strengthening Self-Disciplinary Inspections for Apps in the Financial Sector, aimed at continuously improving the level of self-disciplinary management for financial Apps. The inspection targets include Apps that directly conduct financial business and those that provide related services for financial operations, with a focus on Apps that have experienced security incidents, triggered serious public complaints, received high volumes of complaints, failed to file as required, or do not comply with relevant self-disciplinary management requirements. The inspection content primarily addresses prominent issues such as inadequate network protection measures for Apps, incomplete data security management systems, and illegal use of personal information, as well as situations involving weak security management, suspected illegal or non-compliant business operations, and failure to adhere to self-disciplinary management requirements. In terms of format, self-disciplinary inspections are primarily conducted off-site, with on-site inspections carried out when necessary. Apps found to have issues are required to rectify them within a specified period and undergo verification; for institutions that fail to rectify adequately or refuse to cooperate, the Association will impose self-disciplinary penalties and report them to relevant administrative authorities.
15. Shanghai CAC focused on governance of facial recognition technology applications in sales office scenarios, issuing compliance requirements (9 September)
The Shanghai CAC, with other authorities, issued deployment requirements regarding the installation of video surveillance equipment in real estate sales office scenarios, the collection of facial information, and the identification of contract-signing customer sources. It requires sales offices to fulfil three key obligations: first, equipment installation should be limited to what is necessary for maintaining public safety, with prominent warning signs displayed, and the collected information must not be used for purposes other than those separately consented to; second, prior to collecting information, the purpose, method, and risks of processing must be fully disclosed in a prominent manner, explicit consent from customers must be obtained, and facial recognition must not be used as the sole verification method or result in service denial if customers refuse consent; finally, before applying facial recognition technology, a comprehensive personal information protection impact assessment must be conducted and recorded, strict security measures must be taken to protect the information, and when the stored volume of processed facial information reaches 100,000 individuals, it must be filed with the Shanghai CAC.
16. Hainan CAC notified 28 Apps for illegally collecting and using personal information, involving issues such as excessive data collection and over-requesting permissions (12 September)
The Hainan CAC detected that 28 Apps and SDKs had varying degrees of illegal and non-compliant behaviour in collecting and using personal information on mobile devices. Among them, 3 Apps failed to provide effective functions for correcting or deleting personal information or cancelling accounts; 19 Apps failed to inform users of the purpose of personal information collection or provided unclear purposes; 14 Apps collected personal information beyond the necessary scope or requested excessive permissions; 8 Apps failed to publish channels for personal information security complaints and reports, or failed to handle personal rights requests in a timely manner; 2 Apps required users to grant multiple permissions at once, otherwise denying use; 2 Apps sought user consent through non-explicit methods such as default agreement to privacy policies; and 1 App’s privacy policy and other personal information collection and use rules were difficult to access. The Hainan CAC emphasized that relevant operators must complete rectification within 15 working days from the date of the notice's release, and failure to do so will result in lawful disposition.
17. Chongqing Nan’an District CAC imposed penalties on a company for violations including failure to establish and maintain a cybersecurity incident response plan (29 September)
The Nan’an District CAC penalized a company for violating personal information protection obligations. Specifically, the company failed to process personal information in accordance with regulations, did not provide users with account cancellation functions, neglected its reviewing obligations regarding user-published information (including profile pictures, nicknames, etc.), and failed to establish or improve cybersecurity incident emergency response plans, thereby violating the Personal Information Protection Law and the Cybersecurity Law. The Nan'an District CAC ordered the company to rectify the issues within a specified period and issued a warning as an administrative penalty. The company has now completed comprehensive rectification as required. The Nan'an District CAC emphasized that it will continue to strengthen the analysis of clues from public complaints, supervisory inspections, and departmental referrals, and lawfully handle and penalize various online illegal and non-compliant activities.
18. Under the guidance of Hunan CAC, Zhangjiajie CAC penalized a company for failing to fulfil data security protection obligations (2 September)
Under guidance from the Hunan CAC, the Zhangjiajie CAC penalized a Wulingyuan District company for inadequate cybersecurity protections. Specifically, the company neglected to safeguard network security; its system contained a weak-password vulnerability that could be exploited by external attackers, creating a risk of sensitive personal information leakage. The Zhangjiajie CAC ordered the company to rectify the issues and issued a warning penalty. It also emphasized that it would continue to intensify cybersecurity law-enforcement efforts and investigate and punish all types of illegal and non-compliant conduct in accordance with the law.
19. State Council issued a reply approving pilot reforms for market-based allocation of elements in select regions, including reforms related to the data element market (11 September)
The State Council approved a two-year pilot for market-based allocation of production elements in 10 regions, such as Beijing’s sub-centre and the cities of southern Jiangsu, emphasizing data elements market reforms. Pilots focus on establishing data circulation rules, enhancing data sharing, expanding application scenarios, strengthening security, and developing data trading systems. Specifically, the regions have proposed to deepen and improve mechanisms for data openness and sharing, expand the scenarios for data development and application, strengthen data security protection, cultivate data markets, and establish systems for data circulation and transactions, among many other aspects of data element reform.
Nine departments, including the Ministry of Commerce, issued Several Policy Measures on Promoting Service Exports. On the premise of complying with the national network management system, the measures support relevant enterprises and scientific research institutions in using the network more conveniently for international trade and academic research and in participating in international competition. In terms of data, the measures emphasise promoting and regulating the cross-border flow of data, as well as accelerating the development of international data service businesses. Specifically, the initiatives include: formulating a catalogue of important data and issuing more operational guidelines for identifying important data; optimizing and dynamically updating the negative list for data export in pilot free trade zones, and exploring the formation of a national negative list for data export in pilot free trade zones; supporting qualified regions in exploring convenient arrangements for cross-border transmission of personal information within multinational corporations, allowing personal information to flow freely across borders within multinational corporations that have passed evaluation or certification; supporting qualified regions in carrying out international data service businesses; and supporting the construction of international data centres and cloud computing centres.
21. Shenzhen CAC issued guidelines to strengthen personal information protection for Apps, with several key local App stores signing compliance commitment letters (28 September)
The Shenzhen CAC issued the 2025 Guidelines for Strengthening Personal Information Protection for Apps in Shenzhen, providing 15 rules across privacy policy norms, user consent, data processing compliance, and user rights protection. Addressing concerns like forced authorizations, excessive permissions, and AI data misuse, the guidelines require: long-term valid privacy policies with minor-specific rules; prohibiting default or bundled consents, with separate consent for sensitive data; optional non-targeted recommendations; and compliant AI training data use. Major App stores signed compliance commitment letters to enforce review and dynamic management responsibilities.