This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at james.gong@twobirds.com.
In March 2025, China continued to establish and improve its legislative systems in key areas such as cybersecurity, personal information protection, and data security by introducing a series of laws, regulations, and national standards. Meanwhile, law enforcement activities in data security and personal information protection have been continuously strengthened, requiring enterprises to strictly implement their responsibilities for data security and personal information protection.
In addition, relevant regulatory authorities continue to promote reforms aimed at facilitating cross-border data flows, the standardisation of terminology in the data field, and the development and utilisation of public data resources.
Follow the links below to view the official policy documents or public announcements.
The CAC opened the public consultation on the Cybersecurity Law of the People’s Republic of China (Draft Amendment for Second Public Consultation), aiming to adapt to new cybersecurity challenges and accelerate the improvement of China’s cybersecurity governance system. This consultation follows the publication of the first revision draft of the Cybersecurity Law in 2022 and represents a second round of public comments. Compared to the current Cybersecurity Law, this revision proposes a more detailed approach to penalties for violations, including higher maximum fines. It also introduces specific circumstances in which a lighter or mitigated punishment, or no punishment at all, could be imposed. The draft amendment further strengthens the cybersecurity responsibilities of network operators and critical information infrastructure operators, while enhancing the alignment and coordination with other legal regulations in the areas of cybersecurity and data protection.
The CAC and the Ministry of Public Security jointly issued the Measures for the Security Management of Facial Recognition Technology Applications. These measures aim to regulate enterprises’ use of facial recognition technology to process facial personal information and protect the legal rights and interests of individuals. These measures specify the obligations to be followed when processing personal information with facial recognition technology, including requirements for informed consent, dedicated storage, and personal information protection impact assessments. These measures also stress that if other non-facial recognition methods are available, facial recognition cannot be the sole verification method. Furthermore, the measures require that personal information handlers file a record with the competent cyberspace authorities within 30 working days once the number of individuals whose facial data is stored reaches 100,000.
The TC260 opened the public consultation on the Cybersecurity Standards Practice Guidelines – Competency Requirements for Professional Agencies Providing Personal Information Protection Compliance Audits. The aim of these guidelines is to implement the competency requirements for professional agencies as stipulated in the Management Measures for Personal Information Protection Compliance Audit, supporting the work of personal information protection compliance audits. The guidelines set out the competency requirements that professional agencies shall possess in five key areas: basic conditions, management system, technical capability, personnel competency, and resources related to facilities and equipment. It also provides reference standards for the qualifications and competency of audit personnel, which will help ensure the compliant execution of personal information protection compliance audits.
The National Data Administration released the Explanations of Common Terms in the Data Sector (Second Batch), aiming to further standardise and normalise foundational concepts in the field of data. This document provides explanations for 20 key concepts related to the market-oriented reform areas of data elements, such as “data ownership,” “enterprise data,” and “on-exchange data trading,” covering various aspects including data property rights, data transactions, and data infrastructure. The publication of this batch of explanations will further improve the basic systems and promote a unified understanding of commonly used terms across different sectors of society.
5. TC260 planned to release two national standards to guide enterprises in understanding the principles and processes of cybersecurity incident management activities and to strengthen incident response planning (20 March)
The TC260 opened the public consultation on the Cybersecurity Technology - Cybersecurity Incident Management, Part 1: Principles and Processes (“Part 1: Principles and Processes”) and the Cybersecurity Technology - Cybersecurity Incident Management, Part 2: Incident Response Planning and Preparation Guidelines (“Part 2: Incident Response Planning and Preparation Guidelines”). These standards aim to guide enterprises in strengthening cybersecurity incident management. Part 1: Principles and Processes outlines the basic concepts, principles, and processes of cybersecurity incident management, providing a structured approach for all types of organisations to prepare for, detect, report, assess, respond to incidents, and summarise experiences. Part 2: Incident Response Planning and Preparation Guidelines focuses on the “planning and preparation” and “experience summary” stages of incident management. It offers guidance on incident response planning, preparation, and post-incident experience summaries from aspects such as cybersecurity incident management strategies, updates to cybersecurity policies, and lessons learned.
The TC260 opened public consultation on the Cybersecurity Technology - Requirements for Information Security Management System Audit and Certification Bodies, aiming to regulate and guide bodies providing audit and certification of an ISMS in carrying out their tasks. The document outlines the various requirements that such bodies must follow, including general, structural, resource, informational, and process-related requirements. By adhering to these standards, audit and certification bodies can ensure that they conduct ISMS certification in a capable, consistent, and impartial manner.
The State Council issued the Regulations on the Implementation of the Anti-Foreign Sanctions Law of the People's Republic of China, aiming to refine the relevant provisions of the Anti-Foreign Sanctions Law and implement various counter-sanction measures. These regulations specify that counter-sanctions measures, such as prohibiting or restricting the provision of data and personal information, may be applied to individuals and organisations included in the countermeasure list and other relevant entities, in order to safeguard national interests and the legitimate rights and interests of citizens.
8. Shanghai CAC and Municipal Data Bureau planned to issue measures to accelerate the establishment and improvement of a network data classification and grading system and important data catalogue management mechanism (28 March)
The Shanghai CAC and Municipal Data Bureau opened public consultation on the Management Measures for the Classification and Grading of Network Data and Important Data Catalogues in Shanghai, aiming to establish and improve the network data classification and grading system and the management mechanism for important data catalogues, and to promote the development and utilisation of network data. The measures outline the relevant principles, rules, and processes for data classification and grading, and clarify the requirements for identifying, declaring, protecting, and managing important data. The measures also emphasise that relevant authorities shall accelerate the classification, grading, and secure, convenient sharing of public data, so as to ensure both the security and the efficient utilisation of network data.
The CAC, the Ministry of Industry and Information Technology (“MIIT”), the Ministry of Public Security, and the State Administration for Market Regulation jointly issued an announcement outlining the continuation of a special personal information protection campaign in 2025. This initiative aims to further address typical issues related to the illegal or improper collection and use of personal information in commonly used service products and everyday life scenarios. The announcement specifies that the relevant authorities will focus on issues surrounding the illegal or improper collection and use of personal information in areas such as Apps, SDKs, smart devices, facial recognition in public spaces, and offline consumer scenarios. The campaign will also continue to crack down on violations and criminal activities related to personal information, with the goal of effectively safeguarding citizens’ personal information security and guiding enterprises in the compliant collection and use of personal information.
The Ministry of Public Security published 10 typical cases of crimes involving the infringement of citizens’ personal information. These cases span various sectors, including educational institutions, the courier industry, recruitment websites, and healthcare departments, and involve illegal activities such as the unlawful acquisition and profiteering of personal information. In these cases, suspects used methods such as creating Trojan programs, colluding with industry insiders, and posting fake job advertisements to unlawfully obtain citizens’ personal information, severely violating individuals’ personal information security.
11. National Computer Virus Emergency Response Centre reported 15 privacy-violating Apps (7 March)
The National Computer Virus Emergency Response Centre recently reported on 15 Apps exhibiting privacy non-compliance issues. These Apps have violated several legal requirements, such as failing to provide proper privacy policies, not offering effective means for users to correct or delete personal information or to deactivate their accounts, and lacking options to withdraw consent for data collection. In response to these issues, the centre advises users to be cautious when downloading and using non-compliant Apps, and to carefully read their user agreements and privacy policies.
12. Jiangxi Pingxiang cybersecurity department penalised an institution for failing to fulfil data security protection obligations (26 March)
The Pingxiang cybersecurity department in Jiangxi imposed an administrative penalty on an institution for failing to fulfil its data security protection obligations. An investigation revealed that the institution did not properly transfer data collected through handheld terminals to a dedicated network for processing, and after authorising a supplier, it failed to fulfil the relevant data security protection obligations, resulting in a significant risk of data leakage. As a result, the local cybersecurity department issued a warning and imposed a penalty on the institution in accordance with Article 27 of the Data Security Law and Article 51 of the Personal Information Protection Law, among other relevant legal provisions, and ordered the institution to make corrections within a specified period.
13. Chongqing CAC imposed penalty on a technology company for personal information leakage and other issues (14 March)
The Chongqing CAC imposed an administrative penalty on a technology company involved in personal information leakage. An investigation revealed that the company failed to effectively fulfil its cybersecurity and data protection obligations, did not properly implement relevant management systems, failed to retain network logs, and did not take necessary measures to safeguard data security, which ultimately led to the theft of personal information and other violations. In accordance with the provisions of the Data Security Law, the Chongqing CAC issued a warning to the company and ordered it to make corrections within a specified period. In addition, the company was fined 50,000 yuan, and the responsible personnel were each fined 10,000 yuan.
14. Hainan CAC launched special governance action, cracking down on illegal collection and use of personal information by Apps (19 March)
The Hainan CAC summarised the achievements of the special governance action on personal information protection for the first quarter of 2025 and reported 16 Apps found to collect and use personal information illegally or beyond the scope of necessity, or to request excessive permissions. These Apps were ordered to rectify the issues within a specified period to ensure compliance with the obligations under the Personal Information Protection Law. Additionally, the Hainan CAC issued a recommendation urging users to carefully read the privacy terms when using mobile applications, be cautious when granting permissions, and promptly report any violations to the local cyberspace authorities.
The Shanghai Communications Administration (“SCA”) reported 15 Apps that have infringed upon user rights and failed to complete the required rectifications. The issues identified include the illegal or excessive collection of personal information, failure to clearly disclose personal information processing rules, and behaviours such as self-launching and associated launching, which violate users’ personal information rights and interests. The SCA has removed these Apps from major App stores and will take further administrative actions or other measures based on subsequent monitoring and regulatory outcomes.
16. GDCA reported on 8 Apps and mini-programs that failed to complete rectification as required, involving issues such as collecting personal information beyond the scope of necessity and violating regulations on data collection (25 March)
The Guangdong Communications Administration (“GDCA”) reported on 8 Apps and mini-programs that failed to complete the required rectification, urging them to finish the necessary changes within a specified period. The violations involved include the illegal and excessive collection of personal information, as well as failure to disclose the rules for collecting and using personal information. The GDCA states that if these Apps and mini-programs fail to rectify the issues within the given time frame, further legal actions will be taken to safeguard users’ legitimate rights and interests.
The CAC summarised the achievements in data outbound security management one year after the implementation of the Regulations on Promoting and Regulating Data Cross-Border Flow (“Data Cross-Border Flow Regulations”). The CAC states that through the introduction of cross-border data facilitation measures, optimisation of security assessment procedures, and promotion of data outbound security management policies, China has further eased conditions for cross-border data flow, significantly reduced the time required for security assessments, and continuously improved enterprises’ compliance with data outbound requirements. In addition, with the active development of multilateral and bilateral digital governance dialogues and exchanges, cross-border data cooperation has also progressed steadily.
The MIIT, along with 14 other departments, issued the Guiding Opinions on Promoting Small and Medium Enterprises to Enhance Compliance Awareness and Strengthen Compliance Management, aiming to guide small and medium enterprises in increasing their compliance awareness and improving their compliance management levels. The guidelines specify the cybersecurity and data protection compliance obligations that small and medium enterprises shall follow, clearly stating that small and medium enterprises shall implement measures such as establishing data security compliance management systems, preventing data breaches, and adhering to cross-border data compliance requirements, so as to effectively fulfil their cyber and data security protection obligations and ensure the safety of data and personal information.
The NPCSC released its work report, summarising the achievements of 2024 and outlining key tasks for 2025. In terms of cybersecurity and the development of the digital economy, the work report specifies that efforts to amend the Cybersecurity Law shall continue in 2025, with a focus on improving the national security system and public safety governance mechanisms. Additionally, in emerging fields such as the digital economy and big data, relevant departments shall strengthen legislative research and advance legislation in a high-quality manner.
20. National Data Administration held a work progress meeting to report on the national public data resource registration (12 March)
The National Data Administration held a work progress meeting to report on the operation of the National Public Data Resource Registration Platform and the registration status of public data resources. The meeting highlights that since the platform’s launch on 1 March, it has achieved interoperability with eight provincial-level platforms that have completed their construction. To date, 475 public data resources have been published, covering 38 major categories of the national economy. Moving forward, the National Data Administration will work closely with regions and departments to jointly promote the development of a nationwide integrated data resource registration system.
The Beijing CAC and other departments released the Implementation Plan for the Comprehensive Reform of Facilitating Cross-Border Data Flow in Beijing, aimed at further advancing the reform of data cross-border flow facilitation and updating policies and measures for data outbound in a timely manner. The plan outlines key directions such as creating an efficient and transparent policy environment, strengthening trusted circulation technology, and fostering a compliant service industry ecosystem. Specific measures, such as establishing a negative list mechanism applicable outside free trade pilot zones and a mechanism for identifying and certifying important data in key industries and sectors, are expected to gradually build an efficient, convenient, and secure system for data cross-border flow.