China Cybersecurity and Data Protection: Monthly Update – September 2025 Issue

This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at james.gong@twobirds.com.

Key Highlights

In August 2025, China introduced multiple policies and standards in key areas such as personal information protection, data and network security, data basic institutional system construction, and cross-border data flows, and intensively carried out enforcement and released typical cases to continuously improve the institutional system and emphasize enterprises' primary responsibilities:

  • Personal Information Protection: At the legislative level, the Cybersecurity Standardization Technical Committee (“TC260”) solicited opinions on Data Security Technology - Guidelines and Evaluation Methods for Anonymization of Personal Information, and solicited opinions on the standard systems to systematically sort out standards related to personal information protection and data security. On the enforcement front, the Ministry of Industry and Information Technology (“MIIT”) released a list of administrative enforcement matters, covering multiple enforcement matters in the fields of personal information and data; MIIT, the Ministry of Public Security (“MPS”), the National Computer Virus Emergency Response Centre (“CVERC”), the Beijing Communications Administration (“CA”), and the Shanghai CA respectively notified/delisted illegal applications (“Apps”) infringing user rights; the Chongqing Nan'an District Cyberspace Administration of China (“CAC”) carried out a special action to address the abuse of facial recognition technology; the Cyber Security Association of China (“CSAC”) notified a list of Apps that have completed optimization and improvement of personal information collection and use. At the same time, in the judicial aspect, the Supreme People's Court (“SPC”) released reference cases for inclusion in the database and the 47th batch of guiding cases, providing clear legal guidance on issues related to personal information protection.
  • Data and Network Security: At the legislative level, the CACs of Guangxi and Jiangsu Provinces issued negative lists to standardize data outbound from free trade pilot zones. At the same time, the National Industrial Information Security Development Research Center released three industry standards involving identification of important data in the industrial field, data security protection requirements, and data security risk assessment specifications. On the enforcement and industry fronts, a medical institution in Nanchang City received an administrative warning penalty from the CAC for a network security incident, and a well-known chip enterprise also released an official article responding to issues of backdoors, kill switches, and monitoring software, stating full compliance with global network security standards. In addition, in the financial field, the People's Bank of China issued measures to strengthen supervision of financial infrastructure, stipulating data localization and retention periods and other data protection requirements.
  • Data Basic Institutional System Construction: Localities took actions in a coordinated manner on data basic institutions: The Shanghai Municipal Government issued measures to standardize authorized operations of public data resources; the Beijing Municipal Government issued opinions to accelerate the development and utilization of public data resources; the Xiamen Municipal Government issued several measures to promote high-quality development of the data industry.

Follow the links below to view the official policy documents or public announcements.

Legislative Developments

1. TC260 planned to issue standard systems to systematically sort out national standards related to personal information protection and data security (15 August)

The TC260 solicited public opinions on Data Security National Standard System (2025 Edition) and Personal Information Protection National Standard System (2025 Edition), aiming to improve the standard systems for data security and personal information protection. Both systems are structured into six major sections: "basic commonalities—technology/products—management—evaluation and certification—products and services—industries and applications": Data security focuses on data classification and grading and security protection, sharing security, backup and deletion, outbound and operational security management, security risk assessment, capability assessment and certification, as well as standard layouts and gap-filling plans for industries such as government affairs and automobiles. Personal information protection focuses on personal information processing security, sensitive information processing security, de-identification/anonymization and privacy design, personal information protection management, rights protection, impact assessment and compliance audit, application detection and outbound certification, and refines requirements for scenarios such as Apps, SDKs, app stores, intelligent terminals, and offline consumption. Subsequently, the development of mandatory and urgently needed key standards (such as electronic product information erasure and children's watch security) will be accelerated, promoting standard implementation applications and international alignment.

2. TC260 planned to issue national standard to standardize guidelines and evaluation methods for personal information anonymization processing (27 August)

TC260 solicited public opinions on Data Security Technology - Guidelines and Evaluation Methods for Anonymization of Personal Information, aiming to standardize technical paths and assessment methods for personal information anonymization. The document proposes de-identification as the basis, aiming to achieve "unidentifiable and irreversible," supplemented by adversarial testing and irreversibility verification, forming full-process requirements of "preparation—de-identification processing—de-identification effect assessment—adversarial testing—irreversibility verification—issuing phased evaluation reports—management." The standard specifies that evaluation reports should be completed by independent roles and should follow principles of independence, reproducibility, sufficient evidence, minimum necessary disclosure, and auditability, while providing parameter suggestions for different sharing scenarios (such as K-anonymity, L-diversity, T-closeness, differential privacy ε/δ, etc.).
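The "de-identification effect assessment" step described above relies on measurable parameters such as k-anonymity, l-diversity and t-closeness. The following Python block is an added illustration and is not part of the draft standard or of any TC260 tooling: it computes those three metrics over a small constructed table of generalised quasi-identifiers and one sensitive attribute, then compares them against thresholds an assessor might set for a given sharing scenario, and shows the simple linkage check an adversarial test would start from (how many records an attacker who knows a subject's quasi-identifiers can narrow the release down to). The dataset, the thresholds and the use of total-variation distance as the t-closeness measure are assumptions of this example; the standard's own parameter suggestions should be consulted for real assessments.

```python
from collections import Counter, defaultdict

# Constructed sample of a de-identified release: quasi-identifiers (age band,
# postcode prefix) are already generalised, plus one sensitive attribute.
# These rows are invented for this example, not taken from any real dataset.
RECORDS = [
    {"age": "20-29", "zip": "100*", "diagnosis": "flu"},
    {"age": "20-29", "zip": "100*", "diagnosis": "asthma"},
    {"age": "20-29", "zip": "100*", "diagnosis": "flu"},
    {"age": "30-39", "zip": "200*", "diagnosis": "diabetes"},
    {"age": "30-39", "zip": "200*", "diagnosis": "diabetes"},
    {"age": "30-39", "zip": "200*", "diagnosis": "flu"},
    {"age": "40-49", "zip": "300*", "diagnosis": "asthma"},
    {"age": "40-49", "zip": "300*", "diagnosis": "flu"},
]
QUASI_IDS = ("age", "zip")   # assumed quasi-identifier columns
SENSITIVE = "diagnosis"      # assumed sensitive attribute


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Group records that share the same quasi-identifier tuple."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi_ids)].append(r)
    return classes


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """k = size of the smallest equivalence class (every subject hides among >= k rows)."""
    return min(len(rows) for rows in equivalence_classes(records, quasi_ids).values())


def l_diversity(records, quasi_ids=QUASI_IDS, sensitive=SENSITIVE):
    """l = fewest distinct sensitive values found in any equivalence class."""
    return min(len({r[sensitive] for r in rows})
               for rows in equivalence_classes(records, quasi_ids).values())


def t_closeness(records, quasi_ids=QUASI_IDS, sensitive=SENSITIVE):
    """t = largest total-variation distance between one class's sensitive-value
    distribution and the distribution over the whole release (rounded to 4 dp).
    Total-variation distance is an assumption of this example; the draft
    standard may prescribe a different distance measure."""
    overall = Counter(r[sensitive] for r in records)
    n = len(records)
    worst = 0.0
    for rows in equivalence_classes(records, quasi_ids).values():
        local = Counter(r[sensitive] for r in rows)
        m = len(rows)
        dist = 0.5 * sum(abs(local[v] / m - overall[v] / n) for v in overall)
        worst = max(worst, dist)
    return round(worst, 4)


def reidentification_candidates(records, known, quasi_ids=QUASI_IDS):
    """Linkage check used as the starting point of an adversarial test: given the
    quasi-identifiers an attacker already knows about one subject, how many
    released rows remain as candidates? Equals that subject's class size."""
    key = tuple(known[q] for q in quasi_ids)
    return len(equivalence_classes(records, quasi_ids).get(key, []))


def evaluate(records, k_min, l_min, t_max):
    """Measure k, l and t and compare them with the thresholds chosen for the
    sharing scenario (threshold values are assumptions of this example)."""
    k, l, t = k_anonymity(records), l_diversity(records), t_closeness(records)
    return {"k": k, "l": l, "t": t,
            "pass": k >= k_min and l >= l_min and t <= t_max}


if __name__ == "__main__":
    print(evaluate(RECORDS, k_min=2, l_min=2, t_max=0.5))
    print("candidates for a known 40-49 / 300* subject:",
          reidentification_candidates(RECORDS, {"age": "40-49", "zip": "300*"}))
```

On the constructed rows the release is 2-anonymous and 2-diverse but the 30-39 class is skewed towards one diagnosis, which is exactly the kind of attribute-disclosure risk that k-anonymity alone would miss and that an assessor's t threshold is meant to catch; raising `k_min` to 3 makes the same release fail, which is the point of recording the thresholds alongside the measured values in the evaluation report.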

3. National Industrial Information Security Development Research Centre issued three industry standards involving identification of important data in the industrial field, data security protection requirements, and data security risk assessment specifications (1 August)

The Data Security Institute of the National Industrial Information Security Development Research Center released three industry standards, namely Guidelines for Identification of Important Data in the Industrial Field, Data Security Protection Requirements for Industrial Enterprises, and Specifications for Data Security Risk Assessment in the Industrial Field. Among them, Guidelines for Identification of Important Data in the Industrial Field provides basic principles, processes, and considerations for industrial data processors to identify important data in the industrial field, applicable to industrial data processors conducting identification work for important data in the industrial field; Data Security Protection Requirements for Industrial Enterprises stipulates basic data security protection requirements for industrial enterprise data security protection, full-lifecycle security protection requirements for data, and other protection requirements, guiding industrial enterprises in carrying out data security protection work; Specifications for Data Security Risk Assessment in the Industrial Field stipulates basic principles, elements, processes, and methods for data security risk assessment in the industrial field, applicable to important data and core data processors in the industrial field conducting data security risk assessments for data processing activities within China.

4. Shanghai Municipal Government issued measures to standardize authorized operations of public data resources and cultivate the data element market (1 August)

The Shanghai Municipal Government issued the Measures for Authorized Operations of Public Data Resources in Shanghai, aiming to clarify the development path for authorized operations of public data resources in Shanghai. The measures point out that authorized operations of public data resources adopt an overall authorization model, relying on big data resource platforms for on-chain, cataloguing, classification and grading, achieving centralized and unified management, and promoting the aggregation and governance of public data resources. The Shanghai data authority guides implementing institutions in compiling catalogues for authorized operations of public data resources, increasing supply for public data that does not affect public security and is not prohibited from sharing by laws and regulations. At the same time, the measures emphasize that operating institutions must not directly or indirectly participate in the redevelopment of delivered public data products and services within the authorization scope, must not engage in monopolistic behaviours through monopoly agreements with development entities or abuse of market dominance, and must not engage in unfair competition using data, algorithms, technologies, capital advantages, etc.

5. CACs of Guangxi and Jiangsu Provinces issued negative lists to standardize data outbound from free trade pilot zones (8 August, 13 August)

The Guangxi and Jiangsu Provinces respectively issued the Measures for the Management of Data Outbound Negative Lists in the China (Guangxi) Free Trade Pilot Zone (Trial), the Data Outbound Management List (Negative List) in the China (Guangxi) Free Trade Pilot Zone (2025 Edition), the Measures for the Management of Data Outbound Negative Lists in the China (Jiangsu) Free Trade Pilot Zone (Trial), and the Data Outbound Management List (Negative List) in the China (Jiangsu) Free Trade Pilot Zone, aiming to establish efficient, convenient, and secure mechanisms for cross-border data flows. Guangxi's measures and negative list make institutionalized arrangements around responsibility division, data management (e.g., declaration and assessment processes), negative list formulation and management, dynamic adjustment, and alignment with national rules, emphasizing enhanced cross-border flow convenience under compliance premises to serve key industry scenario applications in the free trade zone. Jiangsu's measures and negative list clarify the applicable scope covering the Nanjing, Suzhou, and Lianyungang areas, establishing a closed-loop management of "pre-event—during-event—post-event." Among them, the negative list consists of three categories: one for data requiring outbound security assessments, one for data requiring filing of standard contracts for personal information outbound or personal information protection certification, and one for data needing outbound through other legal and compliant paths, with dynamic management and reporting mechanisms. 
At the same time, the measures are supplemented by "reference rules for data classification and grading," proposing references for important data identification, and setting provisions for spot checks, risk judgments, 24-hour reporting of major matters, core data not included in negative lists, and alignment with laws such as export controls, to unify calibres and enhance the convenience and security of data outbound from free trade zones.

6. People's Bank of China issued measures to strengthen supervision of financial infrastructure, stipulating data localization and retention periods and other data protection requirements (1 August)

The People's Bank of China issued the Measures for the Supervision of Financial Infrastructure, aiming to strengthen coordinated supervision and construction planning of financial infrastructure. In terms of establishment, the measures stipulate that the establishment of financial infrastructure must comply with laws and the market access negative list, and operating institutions of financial infrastructure must have legal person qualifications and meet specific conditions. In terms of operational requirements, operating institutions should establish transparent governance structures and risk management systems, hold liquid assets for at least 6 months of operating costs, and formulate emergency plans for extreme scenarios. At the same time, technical systems must comply with specifications and implement requirements for network security and critical information infrastructure protection. In terms of supervision, major matters require reporting or filing, cross-border services must meet regulatory reciprocity requirements and regularly disclose business situations, and systemically important financial infrastructure is subject to macro-prudential management by the People's Bank of China.

Enforcement Developments

7. MIIT notified batch of non-compliant Apps infringing user rights, involving issues such as illegal collection of personal information and information windows that cannot be closed (4 August)

The MIIT detected behaviours infringing user rights in 23 Apps and SDKs. Among them, 7 involved illegal collection of personal information; 10 Apps involved information windows that cannot be closed or chaotic jumps; 6 involved excessive collection of personal information; 6 involved forced, frequent or excessive permission requests; 7 involved inadequate SDK information disclosure; 1 involved forcing users to use targeted push functions. The MIIT requires the notified Apps and SDKs to rectify in accordance with relevant regulations; for those failing to implement rectification, relevant handling work will be organized in accordance with laws and regulations.

8. MIIT issued list of administrative enforcement matters, involving multiple enforcement matters in the fields of personal information and data (8 August)

The MIIT issued the List of Administrative Enforcement Matters of the Ministry of Industry and Information Technology, involving 268 administrative enforcement matters in the industrial and information technology fields, strengthening multi-link supervision in data compliance and network security aspects. In terms of administrative inspections, enforcement matters include supervising and inspecting the protection of user personal information by telecommunications business operators and internet information service providers; administrative inspections on network operators' implementation of network log retention obligations; and administrative inspections on network operators' implementation of network data security protection responsibilities and management measures, totalling 13 items. In terms of administrative penalties, enforcement matters include penalties for violations of relevant provisions on telecommunications and internet user personal information protection; administrative penalties for network operators failing to implement network log retention obligations; administrative penalties for telecommunications business operators and internet information service providers failing to conduct user personal information protection-related training; administrative penalties for network operators failing to take measures to prevent or remedy leaks, damages, or losses of user personal information; administrative penalties for key information infrastructure operators in the telecommunications and internet industries failing to implement network security review obligations; administrative penalties for deep synthesis service providers and technical supporters violating provisions; and administrative penalties for generative artificial intelligence service providers failing to fulfil primary security responsibilities, totalling 47 items.

9. MPS notified batch of mobile apps illegally collecting and using personal information, involving issues such as excessive collection of personal information and failure to disclose collection and use rules (25 August)

The Computer Information System Security Product Quality Supervision and Inspection Centre of the MPS detected 45 Apps with illegal and non-compliant collection and use of personal information. Issues focus on failure to list personal information collection and use rules in structured lists, excessive or overly frequent collection of non-essential personal information, mandatory authorization, misleading advertisements, setting unreasonable conditions or additional requirements in account cancellation processes, totalling 13 categories. The notification requires relevant Apps and distribution platforms to rectify; 8 Apps from the previous notification batch that remained non-compliant after retesting have been delisted.

10. CVERC notified batch of Apps illegally collecting and using personal information, involving issues such as failure to prompt users to read privacy policies and difficult access to privacy policies (13 August)

The CVERC detected 70 Apps with illegal collection and use of personal information. Issues focus on failure to prompt reading of collection and use rules via pop-ups upon first launch, missing or incomplete privacy policies, collecting personal information without user consent, illegal handling of sensitive information and minors' information, obstructing consent withdrawal and account cancellation, and unencrypted storage, totalling 14 categories. The notification requires relevant developers to rectify; 25 applications from the previous notification batch that remained non-compliant after retesting have been delisted.

11. CSAC issued announcement notifying list of Apps that have completed optimization and improvement of personal information collection and use (4 August)

The CSAC released the 3rd batch of 2025 “List of Apps that Have Completed Optimization and Improvement of Personal Information Collection and Use,” aiming to regulate App personal information processing and enhance user rights protection. This list covers 5 Apps across 3 categories: mail and express delivery, used car trading, and tourism services, focusing on completing optimizations and improvements for issues such as excessive collection of personal information, excessive invocation of sensitive permissions, and inconvenient permission settings and account cancellation. The operators of the 5 Apps have released optimized versions on app stores or official websites and committed to maintaining compliance in updated versions.

12. SPC released reference cases for inclusion in the database involving the characterization of online “doxing” behaviours (14 August)

The SPC released reference cases for inclusion in the database, clarifying that behaviours of illegally obtaining and online “doxing” others' information for defamation purposes can be held criminally liable under Article 253 of the Criminal Law for infringing citizens' personal information, and even if not falling under the nine circumstances listed in the judicial interpretation, can be recognized as the tenth item “other serious circumstances” by comprehensively considering motives, information types and quantities, harmful consequences, etc. In this case, the perpetrators paid to purchase and spread information including accommodation, civil aviation, and railway itineraries, fabricating false posts leading to over 2 million spreads, with the court sentencing 11 months to one year imprisonment and fines for infringing citizens' personal information. This case strengthens criminal crackdowns on information trading and dissemination for purposes such as online violence, reminding platforms and merchants to strengthen reviews.

13. SPC released the 47th batch of guiding cases focusing on judicial protection of data rights, involving data ownership determination, data product utilization, personal information protection, and delivery of online platform accounts (28 August)

The SPC released the 47th batch of guiding cases, themed on “judicial protection of data rights,” establishing adjudication rules around data ownership and circulation, personal information protection, account execution, etc. The six guiding cases respectively clarify the following rules: Platforms enjoy protectable operational interests in the “data collections” they aggregate, and unauthorized scraping and transferring leading to content homogenization and substantial substitution of others' products and services constitute unfair competition; “associated accounts” authorized by users transferring legitimately obtained user data across platforms within reasonable scopes, without disrupting competitive order, do not constitute unfair competition; Lawfully collecting public enterprise data, compiling price indices in compliant methods, and using them reasonably without damaging enterprise rights do not bear infringement liability; Apps forcing collection of user profiles under the guise of automated decision-making without alternative login methods constitute infringement of personal information rights; For necessities in concluding and performing contracts, collecting information related to credit or risks in minimally impactful ways with full notification does not infringe personal information rights; Delivery of online platform accounts must simultaneously change real-name authentication information and bound mobile numbers to ensure complete transfer of rights and account security.

14. Beijing CA notified batch of problematic Apps and delisted non-compliant Apps after rectification, involving issues such as collecting and using personal information without user consent (3 August)

The Beijing CA detected 20 Apps with issues such as infringing user rights and security risks. Issues focus on failure to disclose collection and use rules, frequent self-start and associated start of Apps, collecting and using personal information without user consent, difficulties in correcting and deleting personal information, etc. In response, the 20 notified Apps should rectify promptly. In addition, the CA notified 12 Apps that failed to rectify or inadequately rectified from the previous batch, now delisted across the network.

15. Shanghai CA notified batch of Apps infringing user rights, involving issues such as improper handling of user complaints and self-start and associated start (5 August)

The Shanghai CA notified 145 Apps and mini-programs with behaviours infringing user rights, involving key issues such as illegal collection of personal information, improper handling of user complaints, failure to disclose personal information processing rules, and Apps excessively requesting permissions. Relevant Apps and mini-programs must rectify non-compliant issues in accordance with relevant regulations. For those failing to implement rectification, the Shanghai CA will carry out handling work in accordance with laws and regulations.

16. Shanghai CA notified delisting of 58 Apps infringing user rights, involving failure to implement rectification as required after public notice (21 August)

The Shanghai CA comprehensively deepened the implementation of the special remediation action on mobile internet application software infringing user rights, and in July 2025, publicly noticed a batch of 162 applications with behaviours infringing user rights. Within the specified rectification period, after verification and re-inspection, 58 applications still failed to implement rectification as required, and the Shanghai CA has now delisted the aforementioned applications from major application markets nationwide. In the future, the Shanghai CA will take further handling measures such as stopping access, administrative penalties, and inclusion in the list of bad telecommunications business operations as appropriate.

17. Chongqing Nan'an District CAC carried out action to address abuse of facial recognition technology, focusing on on-site assessments in travel venues (27 August)

The Nan'an District CAC conducted on-site assessments of facial recognition applications at a company and a station and other travel venues within its jurisdiction, focusing on comprehensive inspections of key links such as implementation of network security responsibilities, security management systems, security of facial recognition technology applications, and operating status of facilities and equipment, and issued rectification notices on-site; for individual enterprises with facial information storage reaching 100,000, it clarified the requirement to file with the municipal CAC in accordance with the law. Subsequently, it will normalize supervision in key areas such as facial recognition, urge industry authorities to fulfil duties, and enhance regional data security and personal information protection levels.

18. A medical institution in Nanchang City received administrative warning penalty from CAC for network security incident (11 August)

The Nanchang CAC, upon notification from superior CAC departments, filed an investigation into a medical institution within Nanchang City whose affiliated IP was suspected of being remotely controlled by hackers and frequently communicating with malicious domains. Through on-site inspections, remote inspections (sampling technical analysis), transcript inquiries, etc., the Nanchang CAC ascertained: The medical institution failed to fulfil network security protection obligations, failed to take technical measures to prevent behaviours harming network security, leading to the networks it operated and used being infected with Trojan viruses, communicating with overseas websites, and violating relevant laws. Therefore, the Nanchang CAC imposed an administrative penalty of warning on the medical institution. In the future, the Nanchang CAC will continue to strengthen enforcement in areas such as network security, data security, and personal information protection in accordance with the law.

Industry Developments

19. Beijing Municipal Government issued opinions to accelerate the development and utilization of public data resources and improve institutional mechanisms for the development and utilization of public data resources (12 August)

The Beijing Municipal Government issued the Implementation Opinions on Accelerating the Development and Utilization of Public Data Resources in Beijing, aiming to establish and improve institutional mechanisms for the development and utilization of public data resources in the city. The implementation opinions emphasize six points: First, consolidate the foundation for the development and utilization of public data resources, improve public data catalogues, enhance public data quality, and conduct public data resource grading; second, smooth channels for the development and utilization of public data resources, efficiently carry out government data sharing, orderly promote public data opening, and standardize management of authorized operations of public data; third, strengthen service capabilities for the development and utilization of public data resources: Establish price formation mechanisms for authorized operations, strengthen supervision and management, and layout new data infrastructure; fourth, release innovative vitality in the data element market, enrich data application scenarios, strengthen central-local coordination and regional cooperative development, promote circulation and trading of public data products, and prosper data industry development ecosystems; fifth, coordinate development and security, increase innovation incentives, strengthen security management, and encourage pilot trials; sixth, improve work mechanisms, strengthen organizational leadership, reinforce funding guarantees, enhance support capabilities, and strengthen evaluation and supervision.

20. Xiamen Municipal Government issued several measures to promote high-quality development of the data industry (7 August)

The Xiamen Municipal Government issued the Several Measures of Xiamen City to Promote High-Quality Development of the Data Industry, aiming to promote high-quality development of the data industry and accelerate the construction of Xiamen Data Port. The measures emphasize several points: First, strengthen data industry planning layouts, cultivate multi-source data operating entities and industry innovation enterprises, and build data element innovation and entrepreneurship carriers; second, build new paradigms for enterprise data circulation, enhance enterprise data governance capabilities, promote enterprise data asset registration, cultivate normalized data trading markets, develop specialized data service ecosystems, and support innovative practices in cross-border data flows; third, promote data application innovation, expand data resource supplies, accelerate the development and utilization of public data, promote the release of enterprise data value, and stimulate vitality in data application innovation; fourth, optimize the industry development environment, improve dynamic security assurance capabilities in the data field, and strengthen industry financial support.

21. Certain chip enterprise responded to issues of backdoors, kill switches, and monitoring software, stating full compliance with global network security standards (6 August)

A certain chip enterprise issued a security statement claiming its GPUs have no backdoors, kill switches, or monitoring software, and opposing the pre-installation of remotely disableable “single-point controls” at the hardware level. The company uses “defence in depth” and independent verification as security baselines, emphasizing fixing vulnerabilities rather than creating backdoors; citing its handling of “Spectre/Meltdown” and the failure lessons of the 1990s “Clipper chip,” it points out that backdoors and hardware-level kill switches would introduce centralized systemic risks, undermine trust, and weaken the security of national critical infrastructure. The chip enterprise distinguishes user-voluntary, transparent software-level diagnostics/monitoring from hardware backdoors that users cannot control, calling on policymakers to ensure security through existing compliance and technical means and opposing any weakening of hardware integrity in exchange for controls.
