China Cybersecurity and Data Protection: Monthly Update – December 2025 Issue

This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.

If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at james.gong@twobirds.com.

Key Highlights

In December 2025, China introduced multiple policies and standards in key areas such as personal information protection, data and network security, and data basic institutional system construction, and intensively carried out enforcement and released typical cases to continuously improve the institutional system and emphasize enterprises' primary responsibilities:

• Personal Information Protection: At the legislative level, the Cyberspace Administration of China (“CAC”) and the Ministry of Public Security (“MPS”) requested public comments on the Provisions on the Protection of Personal Information on Large Online Platforms(Draft for Comments), aiming to standardize personal information processing activities on large online platforms; the Cybersecurity Standardization Technical Committee (“TC260”) solicited public opinions on three cybersecurity standard practice guidelines, namely the Cybersecurity Standards Practice Guide—Personal Information Protection: Personal Information Identification Guide (Draft for Comments), the Cybersecurity Standards Practice Guide—Personal Information Protection: Personal Information De-identification Guide (Draft for Comments), and the Cybersecurity Standards Practice Guide—Personal Information Protection: Personal Information Anonymization Guide (Draft for Comments). On the enforcement front, the Ministry of Industry and Information Technology (“MIIT”), the MPS, the Beijing Communications Administration (“CA”), and the Shanghai CA respectively notified/delisted illegal applications (“Apps”) and SDKs infringing user rights. At the same time, in the judicial aspect, the Beijing Internet Court released a case, clarifying that personal information processors who engage in cross-platform collection and development and utilization of user data through the establishment of a “unified service platform system” still need to fulfil the obligation to inform and obtain consent.
• Data and Network Security: At the legislative level, the CAC planned to issue measures to establish a graded cybersecurity labelling system for products with networking functions; the MPS plans to issue measures to standardize the supervisory and inspection work of public security organs on cyberspace security; the TC260 conducted a systematic review of relevant standards supporting the implementation of the Regulations on Network Data Security Management; the CAC of Zhejiang Province issued a notice requiring the submission of the 2025 Zhejiang Province Automotive Data Security Management Report. On the enforcement front, the Qingdao CAC imposed penalties on a certain technology company for failing to take necessary measures to promptly repair security vulnerabilities and other violations; the CAC of Xiangxi Tujia and Miao Autonomous Prefecture, Hunan Province imposed penalties on a certain school for failing to take measures to fulfil data security protection obligations in its video surveillance system. In addition, in the industry aspect, the China Cyberspace Research Institute released two blue books, respectively summarizing the 2025 cybersecurity-related capabilities, public data development and utilization, and cross-border data flow practices.

• Data Basic Institutional System Construction: Localities took actions in a coordinated manner on data basic institutions: the National Development and Reform Commission (“NDRC”) and ten other departments jointly issued a plan to establish an open and interconnected mechanism for logistics data resources; the Beijing Municipal Committee of the Communist Party of China and the People’s Government of Beijing Municipality issued implementation opinions to build a comprehensive pilot zone for data elements and deepen market-oriented allocation reforms for data elements; the Beijing CAC provided policy interpretations on cross-boundary data flows, planning to promote and apply the existing negative lists for data outbound from free trade zones to the entire municipal area of Beijing; the Tianjin Data Bureau jointly with multiple departments issued an action plan to promote the development of the data labelling industry and build high-quality datasets for industries; the People’s Government of Guangdong Province issued a notice to accelerate the construction of the National Pilot Zone for Digital Economy Innovation and Development.

   

Follow the links below to view the official policy documents or public announcements.

Legislative Developments

1. CAC planned to introduce measures to establish a tiered cybersecurity labeling system for internet-connected products (21 November)

The CAC solicited public opinions on the Measures for the Administration of the China Cybersecurity Label, for the purposes of enhancing the cybersecurity capabilities of products, strengthening the protection of consumer rights and interests, and safeguarding cybersecurity and public interest. The measures clarify that the cybersecurity capabilities corresponding to the China Cybersecurity Label shall be classified, from low to high, as the basic level, enhanced level, and leading level. The corresponding label levels are represented by one, two, and three stars, respectively. According to the basic level requirements, the product shall meet the basic security requirements specified in relevant national standards, such as having no weak passwords or common default passwords, establishing a vulnerability management mechanism with dynamic patching, and maintaining software updates. According to the enhanced level requirements, the product's cybersecurity capability shall reach the domestically advanced level. According to the leading level requirements, the product's cybersecurity capability shall reach an internationally advanced level and, at the same time, the product's ability to resist high-level cyberattacks shall be assessed through penetration testing. For products requiring the China Cybersecurity Label, the product manufacturer shall carry out cybersecurity capability testing in accordance with the relevant requirements of the implementation rules and determine the cybersecurity capability level. No organization or individual shall forge or falsely use the China Cybersecurity Label or use the China Cybersecurity Label to conduct false publicity.

2. CAC and MPS planned to issue provisions to standardize personal information processing activities on large online platforms (22 November)

The CAC and the MPS requested public comments on the Provisions on the Protection of Personal Information on Large Online Platforms (Draft for Comments), for the purposes of regulating the processing of personal information on large online platforms, protecting the lawful rights and interests of personal information, and promoting the sound development of the platform economy. The provisions clarify the criteria for identifying large online platforms, mainly considering: having 50 million or more registered users or 10 million or more monthly active users; providing important online services or the business scopes covers multiple types of businesses; if the processed data is divulged, tampered with, or destroyed, it will have a significant impact on national security, economic operation, or the national economy and the people's livelihood, among others. The provisions require large online platform service providers to designate the person in charge of personal information protection and disclose to the public the contact information of such a person in accordance with relevant provisions of laws and regulations. At the same time, the provisions encourage large online platform service providers to establish specialized personal information protection working institutions. After completing the establishment of the person in charge of personal information protection and relevant institutions, the basic information on the person in charge of personal information protection, and basic information on the working body for personal information protection and institutions and measures to ensure the performance of duties by the person in charge of personal information protection and the working body for personal information protection shall be reported to the national cyberspace administration department in a timely manner. Large online platform service providers entrusting third-party data centres to store personal information shall report the basic information of such data centres to the CAC. In addition, large online platform service providers shall, in accordance with the relevant rules issued by the state, conduct personal information protection compliance audits, risk assessments, and other related activities or entrust a third-party specialized institution to do so. Relevant enterprises shall provide individuals with convenient methods and channels to exercise their rights to access, copy, correct, supplement, delete, restrict the processing of their personal information, cancel their accounts, or withdraw their consent.

3. MPS planned to issue measures to standardize the supervisory and inspection work of public security organs on cyberspace security (29 November)

The MPS requested public comments on the Measures for Supervisory and Inspection of Cyberspace Security by Public Security Organs (Draft for Comments), for the purpose of regulating the supervisory and inspection work of public security organs on cyberspace security. The measures clarify that public security organs may legally conduct online inspections and offline verifications on entities such as network operators, data processors, and personal information processors through methods such as network information patrols and vulnerability scans. Public security organs shall focus on inspecting contents such as filing procedures for networked units, critical information infrastructure security protection, cybersecurity graded protection, data security, and personal information protection, and shall conduct on-site inspections at least once a year for network operators with cybersecurity graded protection level three or above and critical information infrastructure operators. When necessary, special supervisory inspections may also be conducted. If public security organs discover during supervisory inspections that the inspected objects have risks and hidden dangers in cybersecurity, information security, data security, etc., they shall urge and guide them to take measures to eliminate the risks and hidden dangers, and if they do not constitute violations or crimes, they may, based on specific circumstances, provide reminders, announcements, and interviews to the inspected objects.

4. TC260 planned to issue three practice guidelines, respectively involving three major difficulties in personal information protection: identification, de-identification, and anonymization (24 November)

The TC260 solicited public opinions on three cybersecurity standard practice guidelines, namely the Cybersecurity Standards Practice Guide—Personal Information Protection: Personal Information Identification Guide (Draft for Comments), the Cybersecurity Standards Practice Guide—Personal Information Protection: Personal Information De-identification Guide (Draft for Comments), and the Cybersecurity Standards Practice Guide—Personal Information Protection: Personal Information Anonymization Guide (Draft for Comments), aiming to provide standardized practice guidance around cybersecurity laws, regulations, policies, standards, cybersecurity hotspots, and events. The three guidelines respectively clarify the definitions and judgment rules for identification, de-identification, and anonymization of personal information. The Cybersecurity Standards Practice Guide—Personal Information Protection: Personal Information Identification Guide (Draft for Comments) clarifies the four major elements for identifying personal information: “various information,” “related,” “identified or identifiable,” and “natural person.” Among them, “various information” covers various records or descriptions about individuals; when any one of the “content,” “purpose,” or “result” of a certain piece of information involves a specific individual, it is recognized that this information is “related” to the specific individual; when a natural person can be distinguished from all other members in a group or has the possibility of being so, it satisfies “identified or identifiable.” The Cybersecurity Standards Practice Guide—Personal Information Protection: Personal Information De-identification Guide (Draft for Comments) clarifies two core de-identification technical paths: simple de-identification based on desensitization technology (“desensitization”) and complex de-identification based on pseudonym replacement technology (“pseudonymization”), providing the implementation framework, process steps, security assurance measures for pseudonymization, as well as examples of desensitization for common types of personal information. The Cybersecurity Standards Practice Guide—Personal Information Protection: Personal Information Anonymization Guide (Draft for Comments) clarifies the judgment rules, implementation methods, applicable scenarios, and related technologies for anonymization of personal information, requiring effective anonymization processing of personal information to simultaneously satisfy “non-singling out, non-linkable, non-inferable.”

5. TC260 conducted a systematic review of relevant standards supporting the implementation of the Regulations on Network Data Security Management (7 November)

The TC260 released a document to systematically review the national standards supporting the implementation of the Regulations on Network Data Security Management, aiming to provide guidance for the implementation of the Regulations on Network Data Security Management. Effective from 25 January 2025, the Regulations on Network Data Security Management stipulate various requirements that must be complied with in conducting network data processing activities and their security supervision. The document, from the perspectives of general provisions, personal information protection, important data security, network data cross-boundary security management, and obligations of network platform service providers, reviews 69 standard documents to support the implementation of 37 articles in the Regulations on Network Data Security Management.

6. Shanghai CAC and multiple departments jointly released guidelines to standardize the full-lifecycle processing activities of health and medical data by internet enterprises in the medical services category (25 November)

The Shanghai CAC jointly with multiple departments released the Compliance Guidelines for Network Data Security and Personal Information Protection for Internet Enterprises in the Medical Services Category in Shanghai, aiming to enhance the compliance levels of network data security and personal information protection for internet enterprises in the medical services category in Shanghai. The guidelines apply to internet enterprises engaged in medical software development, online diagnosis and treatment, appointment registration, electronic prescriptions, inspection result inquiries, and other services within the administrative area of Shanghai, clarifying that health and medical data cover all categories of related electronic data such as personal attribute data, health status data, medical application data, medical payment data, health resource data, and public health data. The guidelines also make multiple provisions on enterprises conducting health and medical data processing activities, such as enterprises collecting personal health and medical data, providing it to partners, entrusting processing, or jointly conducting data processing activities with them, or conducting information push or commercial marketing to individuals, shall obtain separate consent from individuals in advance. Enterprises shall also conduct classified and graded management of health and medical data, adopt technical measures such as data encryption and data desensitization to ensure the security of health and medical data, and establish a full-lifecycle security management mechanism for health and medical data. In addition, they shall formulate clear and reasonable data storage periods and establish mechanisms for responding to rights such as querying, correcting, deleting, and withdrawing consent for patient personal information. Enterprises processing more than 10 million pieces of personal information shall conduct personal information protection compliance audits at least once every two years.

7. Guangdong CAC released guides to further optimize the filing process for standard contracts for cross-boundary flow of personal information within the Guangdong-Hong Kong-Macao Greater Bay Area (28 November)

The Guangdong CAC released the Guide for Filing Standard Contracts for Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area, aiming to implement Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) and the Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Macao), to facilitate standardized and orderly filing work by personal information processors or recipients in the mainland of the Greater Bay Area. Personal information processors or recipients shall, within 10 working days from the effective date of the Greater Bay Area standard contract, conduct online filing by directly accessing the “Data Outbound Declaration System” or accessing the “Data Outbound Declaration System” from the “National Cyberspace Administration Affairs Hall” column on the homepage of the China Cyberspace Administration website. Personal information processors conducting standard contract filings shall submit a letter of commitment, the Greater Bay Area standard contract, identification documents of the legal representative (photocopies), unified social credit code certificates (photocopies), identification documents of the handling person (photocopies), and authorization letters for the handling person. Among them, the letter of commitment, Greater Bay Area standard contract, and authorization letter for the handling person shall use the downloadable templates provided in the “Filing of Standard Contract for Cross-Boundary Flow of Personal Information in the Guangdong-Hong Kong-Macao Greater Bay Area” module in the system, and the template contents shall not be added, deleted, or modified on their own. All filing materials shall be stamped with official seals and be in simplified Chinese versions.

8. Zhejiang CAC issued a notice requiring the submission of the 2025 Zhejiang Province automotive data security management report (14 November)

The Zhejiang CAC issued a notice on submitting the 2025 automotive data security management report in Zhejiang Province, for the purpose of regulating automotive data processing activities, protecting the legitimate rights and interests of individuals and organizations, and promoting the reasonable development and utilization of automotive data. The notice requires automotive data processors registered in Zhejiang Province and engaged in important data processing activities, including automobile manufacturers, parts and software suppliers, dealers, maintenance institutions, and travel service enterprises, etc., to compile the 2025 Automotive Data Security Management Report, the Risk Assessment Report from the date of issuance of the notice to December 15, 2025, as required, fill in the Summary Table of Automotive Data Processors, and submit them to the Network Data and Technology Division of the Zhejiang CAC. 

Enforcement Developments

9. MIIT reported a batch of illegal Apps infringing user rights, involving issues such as illegal collection of personal information and forcing users to use targeted push functions (10 November)

The MIIT detected issues of behaviours infringing user rights in 39 Apps and SDKs. Among them, 6 involved default agreement to privacy policies; 3 involved forcing users to use targeted push functions; 12 involved forcing, frequently, or excessively requesting permissions; 19 involved illegal collection of personal information; 9 involved failure to disclose lists of collected personal information; 10 involved excessive collection of personal information; 5 involved inadequate SDK information disclosure; 1 involved information windows that cannot be closed; 1 involved forced automatic renewal; 3 involved illegal use of personal information; 1 involved failure to disclose app distribution information; 1 involved forcing downloads of third-party Apps. The MIIT requires the notified Apps and SDKs to rectify in accordance with relevant regulations, and for those failing to implement rectification, relevant handling work will be organized in accordance with laws and regulations.

10. MPS reported a batch of illegal Apps infringing user rights, involving issues such as excessive collection and use of personal information and failure to provide options to exit or close personalized display modes (17 November)

The MPS detected 40 Apps with illegal collection and use of personal information. Issues focus on failure to list personal information collection and use rules in structured lists; excessive collection of non-essential personal information; failure to provide channels for correcting, supplementing, or deleting user personal information; misleading advertisements; setting unreasonable conditions or additional requirements in account cancellation processes, totaling 14 categories. The notification requires relevant Apps and distribution platforms to rectify; 9 Apps from the previous notification batch that remained non-compliant after retesting have been delisted.

11. Shanghai CA reported a batch of Apps and SDKs infringing user rights, involving issues such as failure to disclose personal information processing rules and excessive collection of personal information (4 November, 26 November)

The Shanghai CA detected 53 Apps (SDKs) and 71 (SDKs) with behaviours infringing user rights. Among them, the issues of the 53 Apps (SDKs) focus on excessive collection of personal information, improper handling of user complaints, failure to disclose personal information processing rules, and difficulties in account cancellation. The issues of the 71 Apps (SDKs) focus on illegal collection of personal information, improper handling of user complaints, failure to disclose personal information processing rules, difficulties in account cancellation, Apps forcing, frequently, or excessively requesting permissions, and forcing users to use targeted push functions. The aforementioned Apps (SDKs) shall immediately rectify the existing issues and conduct a comprehensive self-assessment of the personal information and user rights protection work of the Apps (SDKs), and submit written rectification reports and self-assessment reports to the Shanghai CA within 5 working days from the date of notification. For those failing to complete rectification and submit reports within the deadline, the Shanghai CA will handle in accordance with laws and regulations.

12. Beijing CA notified a batch of problem Apps, involving issues such as collecting and using personal information without user consent and self-start and associated start (3 November)

The Beijing CA detected 8 Apps with issues such as infringing user rights and security risks. Issues focus on failure to disclose collection and use rules, failure to disclose the purposes, methods, and scopes of collecting and using personal information, collecting and using personal information without user consent, forcing users to use targeted push functions, difficulties in correcting and deleting personal information, and frequent self-start and associated start of Apps. In response, the 9 notified Apps should rectify promptly. In addition, the CA notified 7 Apps that failed to rectify or inadequately rectified from the previous batch, now delisted across the network.

13. Beijing Internet Court concluded a personality rights infringement dispute case, clarifying the responsibilities for sharing data among multiple Apps operated by affiliated enterprises without obtaining effective user consent (5 November)

The Beijing Internet Court concluded a personality rights infringement dispute case, clarifying the responsibilities for sharing data among multiple Apps operated by affiliated enterprises without obtaining effective user consent. In this case, two affiliated enterprises agreed through contracts to share user private messages, real-name authentication information, and other data among three application software they respectively operated based on a “unified service platform system,” without effectively informing users and obtaining separate consent. The court held that the two involved enterprises sharing user data among the three application software and jointly determining the purposes and methods of processing user data, agreeing on their respective rights and obligations, should be deemed as joint processing of personal information by multiple entities as stipulated in Article 20 of the Personal Information Protection Law of the People's Republic of China. For the processing of general personal information, such joint processing does not require separate consent from individuals, but still needs to comply with the general requirements for notification and consent; for the processing of sensitive personal information, even if it is joint processing, separate consent from individuals is still required to avoid infringing on users' privacy rights.

14. Qingdao CAC imposed penalties on a certain technology company for failing to take necessary measures to promptly repair security vulnerabilities and other violations (10 November)

The cybersecurity department of Laoshan District, Qingdao City, Shandong Province (“Laoshan cybersecurity department”) imposed administrative penalties on a certain technology company for violating network data security protection obligations. Specifically, the network platform for which the company was entrusted to provide operation and maintenance services had long-standing SQL injection vulnerabilities and unauthorized access vulnerabilities, posing network data security risks, in violation of the Regulation on Network Data Security Management. The Laoshan cybersecurity department imposed administrative penalties on the company. The Qingdao Laoshan CAC emphasized that operation and maintenance parties are important forces in ensuring the continuous and stable operation of networks and must strengthen daily monitoring, hidden danger investigation, and emergency response capabilities.

15. Xiangxi Prefecture CAC of Hunan Province imposed penalties on a certain school for failing to take measures to fulfil data security protection obligations in its video surveillance system (18 November)

The CAC of Xiangxi Tujia and Miao Autonomous Prefecture, Hunan Province imposed administrative penalties on a certain school in Xiangxi for failing to fulfil data security protection obligations. Specifically, the school's video surveillance system failed to take corresponding protective measures to fulfil data security protection obligations, posing significant data leakage risks, in violation of Article 27 of the Data Security Law. The CAC of Xiangxi Tujia and Miao Autonomous Prefecture, Hunan Province ordered it to rectify within a deadline and imposed an administrative penalty of warning.

Industry Developments

16. NDRC and other departments jointly issued a plan to establish a mechanism for the openness and interconnection of logistics data resources (10 November)

The NDRC and ten other departments jointly issued the Implementation Plan for Propelling the Openness and Interconnection of Logistics Data to Effectively Reduce Logistics Costs Throughout the Society, aiming to establish a mechanism for the openness and interconnection of logistics data resources, and promote the effective reduction of logistics costs throughout the society. The implementation plan emphasizes several points: First, consolidate the foundation for open and interconnected logistics data, by promoting efficient data collection and aggregation and improving logistics data standards and specifications; second, promote the openness and interconnection of public logistics data, by strengthening the sharing and openness of public logistics data, refining the authorized operation mechanism for public logistics data, and enhancing the level of public logistics data application services; and third, promote market-oriented circulation and utilization of enterprises' logistics data, by propelling the openness and interconnection of enterprises' logistics data, expanding the supply of logistics data products and services,  eliminating data bottlenecks in multi-modal transport, and accelerating the unleashing of the potential for industrial empowerment. In addition, the implementation plan proposes the National Public Logistics Data Sharing and Opening List (2025), listing a total of 10 major categories and 20 sub-categories of public logistics data, clarifying three sharing and opening methods: government sharing, social disclosure, and authorized use.

17. China Cyberspace Research Institute released two blue books, respectively summarizing the 2025 cybersecurity-related capabilities, public data development and utilization, and cross-boundary data flow practices (8 November)

The China Cyberspace Research Institute released two blue books, respectively summarizing the 2025 cybersecurity-related capabilities, public data development and utilization, and cross-boundary data flow practices. The China Internet Development Report 2025 summarizes the achievements and trends of China's internet development practices over the past year, proposing that cybersecurity assurance capabilities and governance systems have been continuously promoted in modernization, with cybersecurity protection assurance capabilities significantly enhanced; e-government and digital society construction have improved quality and efficiency, with data empowering high-quality economic and social development achieving remarkable results; the systematization and standardization of network rule of law have been increasingly enhanced, the network business environment has been optimized, and the platform economy has developed in an orderly manner. The World Internet Development Report 2025, from a global perspective, reviews and summarizes the world internet development situation, proposing that innovative government applications continue to promote digital transformation of governments, with significant achievements in public data development and utilization and cross-boundary data flow.

18. Beijing Municipal Committee of the Communist Party of China and the People’s Government of Beijing Municipality issued implementation opinions to build a comprehensive pilot zone for data elements and deepen market-oriented allocation reforms for data elements (6 November)

The Beijing Municipal Committee of the Communist Party of China and the People’s Government of Beijing Municipality issued the Implementation Opinions on Building the Data Element Comprehensive Pilot Zone and Deepening the Market-Oriented Allocation Reform of Data Elements, aiming to fully release the vitality of data elements, comprehensively activate the value of data elements, cultivate and develop new quality productive forces, and promote high-quality development in the capital. The implementation opinions propose to take market-oriented allocation reforms for data elements as the main line, coordinate data development and security, consolidate the “two foundations” of data basic systems and infrastructure, clear the “four links” of data supply, circulation, application, and security, and build the “three systems” of data technology innovation, element services, and industrial development, to construct a national data management center, a national data resource center, and a national data circulation and trading center. The implementation opinions propose that by 2027, a benign interaction between data basic system construction and practical exploration will be achieved, and the pilot tasks of the national comprehensive pilot zone for data elements will be completed first in Beijing; by 2029, data elements will achieve smooth flows and efficient allocation, and data elements will become a new competitive advantage for Beijing.

19. Beijing CAC provided policy interpretations on cross-boundary data flow, planning to promote and apply the existing negative lists for data outbound from free trade zones to the entire municipal area of Beijing (10 November)

The Beijing CAC held a press conference on the National Comprehensive Pilot Zone for Data Elements (Beijing), introducing the situation of Beijing's cross-boundary data flow work and answering reporters' questions. In terms of policy systems, on the basis of the first batch of five fields released, the Beijing CAC, focusing on the development directions of key industries such as high-level autonomous driving, is accelerating the independent compilation of the second batch of negative lists, and establishing mutual recognition mechanisms for lists with free trade zones in other provinces and cities, to achieve overall coverage of data outbound scenarios in key industrial categories by Beijing's negative lists in one go; in addition, the Beijing CAC is exploring the promotion and application of the original free trade zone negative lists to the entire Beijing area, so that enterprises in Beijing with data outbound needs can fully enjoy the national data outbound policy dividends across Beijing, and the specific policies involved are currently being reported to national ministries and commissions for approval in accordance with procedures, and after approval, the Beijing CAC will release and implement them as soon as possible.

20. Tianjin Data Bureau and multiple departments jointly issued an action plan to promote the development of the data labelling industry and build high-quality datasets for industries (14 November)

The Tianjin Data Bureau jointly with multiple departments issued the Action Plan of Tianjin Municipality on Accelerating the Development of the Data Labeling Industry and Promoting the Construction of High-Quality Datasets for Industries (2025-2027), aiming to actively cultivate new business forms in data labeling and significantly enhance the supply levels of high-quality datasets for industries. The action plan lists key tasks including: First, cultivate and strengthen industries, incubate and cultivate high-quality enterprises, attract and nurture industry leading enterprises, establish and improve industrial ecosystems, and strengthen regional collaborative linkages; second, strengthen innovation drive, promote technological innovation, and push forward standard formulation and application; third, coordinate industrial layouts, promote coordinated industrial layouts, and enhance supporting service capabilities; fourth, build high-quality datasets for industries, expand public data supplies, strengthen traction in industry fields, and stimulate demands from various entities; fifth, improve service platforms, build public platforms for data labeling, construct supply-demand docking platforms for datasets, and build platforms for data circulation and utilization; and sixth, build talent teams, strengthen professional talent cultivation, and promote vocational skill level recognition.

21. The People’s Government of Guangdong Province issued a notice to accelerate the construction of the the National Pilot Zone for Digital Economy Innovation and Development (20 November)

The People’s Government of Guangdong Province issued the Construction Plan for the National Digital Economy Innovation and Development Pilot Zone in Guangdong Province (2025-2027), aiming to accelerate the construction of the national digital economy innovation and development pilot zone, promote deep integration of the real economy and digital economy, and assist high-quality economic and social development in Guangdong Province. The construction plan emphasizes six points: First, promote market-oriented allocation reforms for data elements and strengthen the supply of core elements; second, optimize the construction layout of data infrastructure and consolidate the foundation for digital economy development; third, accelerate breakthroughs in key core technologies and build world-class digital industry clusters; fourth, comprehensively promote digital transformation and deepen artificial intelligence empowerment in thousands of industries; fifth, promote appropriate digitalization reforms and fully stimulate the vitality of digital economy development; and sixth, deepen coordinated development of digital economy and build a new pattern of high-level open cooperation. 

* With thanks to Olive Chang (Paralegal, Beijing) for help in drafting this update.