China Cybersecurity and Data Protection: Monthly Update - May 2025 Issue

Written By

James Gong

Legal Director
China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

Tanya Luo

Associate
China

I am a data associate in our Beijing office. My practice focuses on data privacy, cybersecurity, and telecommunications.

Michael Dong

Associate
China

I am an associate in the Privacy and Data Protection practice in our Beijing office. My practice focuses on data privacy, cybersecurity, telecommunications and M&A.

This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at james.gong@twobirds.com.

Our View

  1. What You Need to Know When Using Facial Recognition Technology in China?
  2. An In-depth Analysis of China’s Network Data Security Regime Part II: Detailed Look at Data Protection Requirements

Key Highlights

In May 2025, China continued to enhance its regulatory framework in key areas such as personal information protection, data and cyber security, cross-border data flows, and the development of basic systems for data by issuing a series of laws, regulations and national standards. At the same time, law enforcement actions related to cybersecurity and personal information protection are intensifying, requiring enterprises to strictly fulfil their primary responsibilities for safeguarding cybersecurity and protecting personal information:

  • Personal Information Protection: The National Cybersecurity Standardisation Technical Committee (“TC260”) issued several national standards, focusing on key areas such as personal information protection compliance audits (“PI Audits”), automated decision-making based on personal information, the establishment of internal personal information protection oversight bodies within large Internet enterprises, and the processing of sensitive personal information. These standards guide enterprises in implementing personal information protection practices in compliance with regulations. Additionally, important national standards in the field of personal information protection, such as the Personal Information Security Specification, are scheduled for amendments or new release. Enforcement efforts by the Cyberspace Administration of China (“CAC”), Ministry of Industry and Information Technology (“MIIT”), and Ministry of Public Security continue to intensify, especially targeting Apps, mini-programs, and personal information-related crimes, aiming to strictly crack down on various unlawful and non-compliant behaviours that violate personal information rights and interests.
  • Data and Cyber Security: The National Financial Regulatory Administration (“NFRA”) announced a work plan for 2025 to formulate cybersecurity management measures for the banking and insurance sectors. On the enforcement side, local CACs are intensifying supervision in data and cyber security, with expanded coverage of areas such as Internet-based healthcare services and the Internet of Vehicles (“IoV”). These efforts urge enterprises to fulfil their primary responsibilities in data and cyber security.
  • Cross-Border Data Flows: The People’s Bank of China and other departments jointly issued compliance guidelines for cross-border data flows in the financial sector, guiding financial institutions to conduct such activities lawfully. The Zhejiang CAC and other authorities released a negative list and management measures to establish and improve the data export system within the Free Trade Zones (“FTZs”). Additionally, the CAC responded to widespread enterprise concerns by providing policy Q&A regarding the export of important data and the implementation of the negative list.
  • Construction of the Basic Systems for Data: The National Data Administration and local governments issued multiple work plans, model contracts, pilot notices, and action plans focusing on key tasks such as data circulation and transaction, building trusted data spaces, and cultivating data element markets. These efforts aim to establish and improve China’s basic systems for data, thereby unlocking the value of data elements.

Follow the links below to view the official policy documents or public announcements.

Legislative Developments

1. TC260 planned to release guidelines to guide enterprises in conducting PI Audits, safeguarding personal information rights and interests (28 April)

TC260 opened the public consultation on the Cybersecurity Standard Practice Guidelines - Personal Information Protection Compliance Audit Requirements, aiming to implement the requirements of laws and regulations such as the Personal Information Protection Law and the Management Measures for Personal Information Protection Compliance Audit. It is also designed to guide enterprises in carrying out PI Audits. The guidelines clearly define the principles and general requirements enterprises should follow when conducting such audits. They outline a systematic audit process covering five key stages: audit preparation, audit execution, audit reporting, issue rectification, and archive management. Additionally, the guidelines identify key compliance and risk points in personal information processing activities. They systematically categorise various typical audit scenarios and provide practical recommendations for each, focusing on audit points, audit methods, and reference audit evidence.

2. TC260 issued several national standards, regulating automated decision-making based on personal information, the establishment of personal information protection supervisory bodies within large Internet enterprises, and the processing of sensitive personal information (9 April, 30 April)

The TC260 issued six national standards covering key areas of personal information protection, including automated decision-making based on personal information, the establishment of personal information protection supervisory bodies within large Internet enterprises, and the processing of sensitive personal information. These standards aim to guide enterprises in effectively fulfilling their personal information protection compliance obligations. Among them, the standard Data Security Technology - Security Requirements for Automated Decision-Making Based on Personal Information clarifies the basic security principles for conducting automated decision-making based on personal information from five aspects: general security requirements, algorithm security requirements, feature generation security requirements, decision security requirements, and special security requirements for typical automated decision-making scenarios. The standard Data Security Technology - Requirements for Personal Information Protection Supervisory Bodies within Large Internet Companies mandates that Internet enterprises providing major platform services with a large number of users and complex business types establish personal information protection supervisory bodies. It sets specific requirements regarding the establishment, responsibilities, working rules, and member duties of such supervisory bodies. Additionally, the standard Data Security Technology - Security Requirements for Processing Sensitive Personal Information provides detailed provisions on the general security requirements for processing sensitive personal information and imposes additional security requirements on processing activities for specific categories of sensitive personal information, such as biometric data, religious beliefs, and financial accounts.

3. TC260 released a national standards demand list, proposing the revision of the Personal Information Security Specification and the formulation of Personal Information Protection Guidelines for Small-Scale Personal Information Processors (1 April)

The TC260 released the 2025 First Batch of National Cybersecurity Standards Demand List, aiming to establish and improve the national standards system in the field of cyber and data security, strengthening the normative and leading role of national standards in cybersecurity. Notably, TC260 plans to revise the important personal information protection standard GB/T 35273-2020, Information Security Technology - Personal Information Security Specification, to better align with the latest requirements of the Personal Information Protection Law and other current laws and regulations, providing more comprehensive guidance for enterprises in personal information protection. Additionally, TC260 intends to develop the Data Security Technology - Personal Information Protection Guidelines for Small-Scale Personal Information Processors, which will clarify the definition of small-scale personal information processors and outline security protection principles they must follow when processing personal information.

4. People’s Bank of China and five other departments jointly issued compliance guidelines to promote and regulate cross-border data flows in the financial sector (17 April)

The People’s Bank of China, CAC, and four other departments recently jointly issued the Compliance Guidelines for Promoting and Regulating Cross-Border Data Flows in the Financial Sector, aiming to facilitate and standardise cross-border data flow activities conducted by both domestic and foreign financial institutions. The guidelines specify the circumstances under which financial data can be exported and identify the data categories eligible for cross-border flow. They also require financial institutions to implement necessary management and technical measures to ensure data security. As of now, the guidelines have not yet been officially released to the public.

5. NFRA released its 2025 work plan, proposing to formulate cybersecurity management measures specifically for the banking and insurance sectors (18 April)

The NFRA released the Work Plan for the Formulation of Regulations in 2025, aiming to strengthen compliance management across key areas of the financial industry. Regarding cybersecurity, the NFRA plans to formulate the Management Measures for Cybersecurity in the Banking and Insurance Sectors, which will provide specific guidance on cybersecurity management for these industries. The measures are intended to ensure that banks and insurance institutions fulfil their primary responsibilities and obligations for cybersecurity in accordance with laws and regulations.

6. SAMR issued interim measures to standardise the reporting and management of compliance data in online transactions (2 April)

The State Administration for Market Regulation (“SAMR”) issued the Interim Measures for the Reporting and Management of Compliance Data in Online Transactions, aiming to enhance the effectiveness of online transaction supervision and regulate the reporting and management of compliance data in online transactions. The interim measures stipulate that online transaction platform operators should report data related to online transaction operators’ identity information, illegal activity clues, administrative law enforcement cooperation data, and other relevant data for online transaction supervision to market regulatory authorities. If market regulatory authorities need to use the compliance data of online transactions for law enforcement and supervision activities, online transaction platform operators should actively cooperate. The implementation of these interim measures will further standardise the compliance data reporting behaviour of online transaction platform operators and strengthen the supervision and management of online transaction activities by market regulatory authorities.

7. Zhejiang CAC and other departments issued a negative list and its management measures for data export within the FTZ, covering sectors such as e-commerce and clearing/settlement (10 April)

The Zhejiang CAC and other departments issued the Data Export Management List (Negative List) (2024 Version) for the China (Zhejiang) Pilot Free Trade Zone and its management measures, aiming to promote the lawful and orderly cross-border flow of data within the FTZ. The list specifies compliance requirements for data export in two sectors within the FTZ: B2B e-commerce and clearing/settlement. It significantly lowers the compliance thresholds for data export in these fields. For example, in the B2B e-commerce sector, enterprises are only required to file standard contracts for personal information export or undergo personal information protection certification when, counted cumulatively from 1 January of the current year, the specified categories of personal information exported to foreign recipients concern 1 million or more but fewer than 5 million individuals.

Enforcement Developments

8. National Cybersecurity Report Centre published a list of 67 Apps in violation of laws and regulations, involving key issues such as failing to properly fulfil the obligation to inform users and obtaining their consent (18 April)

The National Cybersecurity Report Centre reported 67 Apps for illegally collecting and using personal information. Issues identified among these Apps include the failure to properly formulate and publish privacy policies; not specifying the purposes, methods, and scope of personal information usage; failing to inform individuals about third-party data sharing and to obtain separate consent; lack of functions to correct or delete personal information and to cancel accounts; and no means for users to withdraw consent.

9. MIIT reported on a batch of Apps that violate user rights and interests, involving issues such as excessive and improper collection of personal information (21 April)

The MIIT released a report on the first batch of Apps and SDKs in 2025 that infringe upon user rights, focusing on issues related to illegal or improper collection and use of personal information. The reported Apps involve problems such as collecting personal information beyond the necessary scope; improperly collecting personal information; forcefully, frequently, or excessively requesting user permissions; inadequate information disclosure by Apps; information windows that jump around or cannot be closed; and insufficient disclosure of information by SDKs. These issues seriously infringe on citizens’ personal information security. The MIIT requires the relevant Apps and SDKs to make prompt corrections. If the corrections are not adequately implemented, the MIIT will take further legal actions.

10. National Computer Virus Emergency Response Centre reported a batch of privacy-violating Apps involving illegal cross-border transfer of personal information and other issues (17 April)

The National Computer Virus Emergency Response Centre detected 13 Apps with privacy compliance violations, including failure to properly provide privacy policies before collecting, using, sharing, or transferring personal information across borders; collecting, sharing, or transferring personal information without user consent; and not providing means for users to withdraw consent. In response to these issues, the centre advises users to be cautious when downloading and using non-compliant Apps, and to carefully read their user agreements and privacy policies.

11. Ministry of Public Security announced three typical criminal cases involving the infringement of citizens’ personal information rights, including illegal acquisition and trafficking of personal information (21 April)

The Ministry of Public Security announced three typical criminal cases involving violations of citizens’ personal information rights, including illegal acquisition, trafficking, and use of personal information. In the first case, the suspects illegally obtained numerous internal customer and business data from education and training enterprises by deploying Trojan programs on their computers. In the second case, merchants, “decryption intermediaries,” and express delivery companies colluded to illegally decrypt and sell personal order information from e-commerce platforms. In the third case, the suspects fraudulently obtained and trafficked job seekers’ personal information by falsifying company information and job positions.

12. Shanghai CAC imposed penalties on a batch of Internet healthcare service enterprises for failing to fulfil their obligations in cybersecurity and data security (28 April)

The Shanghai CAC imposed penalties on a group of Internet healthcare service enterprises for violations including failure to lawfully fulfil cybersecurity and data security protection obligations. Regarding management systems, some enterprises had not established or improved internal management systems for personal information protection, for example failing to designate responsible security personnel or management bodies, and lacking data classification and grading management policies. In terms of security measures, some enterprises had not implemented effective technical and other necessary measures to ensure cybersecurity, for example failing to undergo the cybersecurity grading protection (multi-level protection scheme, MLPS) assessment as required. At the data storage stage, some enterprises had not applied security technologies such as encryption or de-identification to patient personal information as mandated, increasing the risk of data leakage.

13. SCA issued a special campaign notice, requiring IoV enterprises to enhance their network and data security protection levels in accordance with relevant regulations (23 April)

The Shanghai Communications Administration (“SCA”) launched the “Shielding the Connected Vehicles” 2025 special campaign focused on network and data security in the IoV sector, aiming to enhance the industry’s cybersecurity and data protection levels. This campaign covers the following key targets: enterprises producing and selling intelligent connected vehicle products in Shanghai, service enterprises operating IoV platforms in Shanghai, enterprises operating IoV infrastructure and vehicle-road collaboration facilities in Shanghai, enterprises providing autonomous driving function products and solution services, as well as basic telecommunication enterprises in Shanghai (collectively referred to as “IoV enterprises”). All types of IoV enterprises are required to fulfil their primary responsibilities for cyber and data security in accordance with relevant regulations, strengthening security measures across IoV platforms, data management, emergency response to security incidents, and vulnerability management, among other aspects.

14. SCA reported on five Apps that infringe on user rights and interests, involving key issues such as illegal collection of personal information (11 April)

The SCA reported five Apps and mini-programs with behaviours infringing on user rights and interests, involving four key issues: illegal collection of personal information; forced, frequent, and excessive permission requests; failure to clearly disclose personal information processing rules; and the existence of auto-start and linked start behaviours. The relevant Apps and mini-programs are required to promptly rectify these violations in accordance with applicable regulations. If the rectifications are not properly implemented, the SCA will take legal and regulatory actions accordingly.

15. Xinxiang CAC in Henan Province imposed penalties on two enterprises for failing to fulfil their obligations regarding personal information protection and cybersecurity (3 April)

The Xinxiang CAC in Henan Province imposed penalties on two enterprises for violating personal information protection and cybersecurity obligations under the Cybersecurity Law. In the first case, a technology company was fined 100,000 CNY because the App it developed failed to clearly disclose the purpose, method, and scope of personal information collection and use, collected and used personal information without user consent, and collected sensitive personal information without obtaining separate consent from users. In the second case, an engineering company was fined 30,000 CNY for failing to enable cybersecurity logging, with the result that some events could not be traced (the Cybersecurity Law requires network operators to retain network logs for at least six months).

Industry Developments

16. CAC released a policy Q&A, addressing issues related to the security management of important data and negative lists for data export (9 April)

The CAC issued a policy Q&A to continue promoting and implementing its data export security management policies. Notably, the Q&A provides interpretations on key issues such as the export of important data and the applicability of the negative list in FTZs. Firstly, to ensure consistency in negative list standards across different FTZs, if a negative list has already been issued for a specific sector by one FTZ, other FTZs may refer to it and do not need to draft their own duplicate lists. Moreover, the scope of the negative list will gradually expand to cover more sectors in the future. Secondly, the Q&A clarifies that enterprises can identify important data based on Appendix G (Important Data Identification Guidelines) of the national standard Data Security Technology - Data Classification and Grading Rules (GB/T 43697-2024). Important data that needs to be exported may only be exported after passing a data export security assessment. Additionally, the Q&A addresses key issues relating to China’s data export regulatory regime, the necessity of personal information export, and cross-border transfer of personal information within corporate groups, which will guide and assist enterprises in conducting data export activities efficiently and compliantly.

17. TC260 released its work priorities for 2025, focusing on accelerating the development of national cybersecurity standards, with an emphasis on key areas such as PI Audits (18 April)

The TC260 released its work priorities for 2025, aiming to accelerate the development and implementation of national standards in key areas such as cybersecurity. The document emphasises focusing on critical scenarios such as content and security governance for AI and PI Audits, to speed up the formulation of relevant national cybersecurity standards. The document also calls for leveraging the hosting of the SC27 international conference to actively lead the development of international standards. Additionally, multiple measures should be taken to enhance the effectiveness of national cybersecurity standards implementation, strengthen strategic planning and forward-looking research on cybersecurity standards, and continuously improve the committee’s working mechanisms and capacity building.

18. National Data Administration released its work priorities for 2025, focusing on advancing the construction of basic systems for data and promoting the marketisation and value realisation of data elements (28 April)

The National Data Administration released the 2025 Work Priorities for Building the Basic Systems for Data and Better Leveraging the Role of Data Elements, aiming to promote the construction of the basic systems for data and fully unlock the potential of data elements. The work priorities are aimed at implementing the tasks outlined in the “Twenty Data Measures” and propose four main priorities for 2025: first, to establish a data property rights regime that ensures the protection of rights and compliance in usage; second, to establish a compliant and efficient data element circulation and transaction regime that integrates both on-exchange and off-exchange; third, to establish a data element revenue distribution system that reflects efficiency and promotes fairness; and fourth, to establish a secure, controllable, and flexible data element governance regime.

19. National Data Administration planned to issue model contracts for data transactions, covering scenarios such as data provision, entrusted processing, integrated development, and intermediary services (18 April)

The National Data Administration opened the public consultation on four types of model contracts in the field of data circulation and transaction, aiming to promote compliant and efficient data flows and transactions. These four model contracts provide contractual reference and guidance for enterprises engaging in data provision, entrusted data processing, integrated data development, and data intermediary services. They clearly define the business models and the rights and obligations of the parties involved, helping enterprises conduct data circulation and transaction activities in a compliant and efficient manner.

20. National Data Administration issued a notice to organise a pilot project for three types of trusted data spaces: enterprise, industry, and city (7 April)

The National Data Administration issued a notice to organise the 2025 pilot project for the innovative development of trusted data spaces, aiming to promote compliant and efficient circulation of data elements and deepen the development and utilisation of data resources. The pilot project will focus on building three types of trusted data spaces: enterprise, industry, and city. Key tasks include creating co-innovation application models, establishing efficient data resource circulation mechanisms, developing industry ecosystem cultivation systems, building sustainable operation and development models, promoting implementable and easily replicable technical pathways, and exploring interoperability among data spaces. Additionally, the notice clarifies the application requirements for enterprises and other applicants as well as subsequent implementation, intending to form replicable and scalable experience models and to explore new models and paths for large-scale circulation and utilisation of data resources.

21. Henan issued a three-year action plan to accelerate the cultivation of the data element market and promote the establishment of the basic system for data elements (17 April)

Henan issued the Action Plan for the Cultivation of the Data Element Market (2025–2027), aiming to fully leverage the decisive role of the market in the allocation of data resources and to unlock the potential of data elements. The plan specifies that foundational data regime innovation should be strengthened through actions such as establishing a data property rights regime and improving data circulation and transaction rules, thereby accelerating data development and utilisation. In addition, the plan sets out key initiatives including activating data market demand, fostering a prosperous data industry ecosystem, achieving breakthroughs in digital technology innovation, and strengthening data infrastructure foundations. The goal is to basically establish a provincial foundational regime for data elements by 2027 and to ensure that all indicators of data market construction rank among the top nationwide.

This article was written with the assistance of Derek Xia and Shaun Liu.
