ARTICLE
18 July 2025

CAC Reaffirms Identification Rules For Important Data, Personal Information Protection Compliance Audit Officially Implemented

Lusheng Law Firm

Contributor

Lusheng Law Firm is a Chinese law firm, specialising in Intellectual Property law and litigation. It is also a patent agency authorised by the National Intellectual Property Administration, PRC (CNIPA). With headquarters in Beijing, Lusheng provides top quality specialised legal and patent agency services to clients throughout China.
On May 30, CAC conducted a Q&A session regarding cross-border data transfer security management policies, clarifying the identification and reporting process for important data.
  • The Cyberspace Administration of China (CAC) has reaffirmed that companies are required to identify and report important data, and to give such data heightened protection or submit it for a security assessment before transferring it overseas, only when the relevant authorities publish specific industry- or sector-related reporting rules or explicitly inform them of the need for identification and reporting.
  • The Administrative Measures for Personal Information Protection Compliance Audit came into effect on May 1. On May 26, National Technical Committee 260 on Cyberspace of Standardization Administration (TC260) released two related guidelines to provide guidance for enterprises and professional institutions to implement the regulations.
  • CAC continues to strengthen governance over information recommendation algorithms. In May, platforms such as Douyin and Xiaohongshu issued announcements to disclose algorithm operation rules, launch user content preference adjustment mechanisms, and optimize recommendation algorithms. Cyberspace authorities will carry out regular inspections in the future to supervise and urge platforms to continuously refine their algorithms.

———— Regulatory Highlights ————

CAC Provides Q&A on Cross-border Data Transfer Security Management Policies

On May 30, CAC conducted a Q&A session regarding cross-border data transfer security management policies, clarifying the identification and reporting process for important data. According to the Administration's responses, enterprises generally follow a three-step process for identifying and reporting important data: "publication/communication of identification and reporting rules + enterprise reporting + confirmation by the relevant authority". For data handlers in industries or fields where no data classification and grading standards or important data identification and reporting rules have been issued, and where the relevant departments have not informed enterprises that they must identify and report important data, enterprises are not required to identify and report important data, and are therefore not obliged to fulfill the corresponding duties of heightened protection and security assessment for outbound data.

CAC Responds to Journalists on Issues Related to the Implementation of the Administrative Measures for Personal Information Protection Compliance Audit

On May 1, the Administrative Measures for Personal Information Protection Compliance Audit were officially implemented. On May 26, TC260 released two guidelines on personal information protection compliance audit, namely The Cybersecurity Standard Practice Guide – Requirements for Personal Information Protection Compliance Audit and The Cybersecurity Standard Practice Guide – Service Capability Requirements for Professional Institutions Conducting Personal Information Protection Compliance Audit, which provide guidance for enterprises and professional institutions to implement the provisions of the Measures. In response to journalists' questions, CAC clarified the following key points:

  • The Cybersecurity Standard Practice Guide – Requirements for Personal Information Protection Compliance Audit standardizes the implementation process, the content and methods, audit evidence, working paper templates, and report templates of personal information protection compliance audit. It can be used as a reference for enterprises and professional institutions to conduct audits.
  • Currently, three entities – the Data and Technical Support Center of CAC, the China Cybersecurity Review, Certification and Market Regulation Big Data Center, and the Beijing Cesi Certification Co., Ltd. – have completed the certification rule filing and are qualified to provide certification services for professional institutions in personal information protection.
  • According to the provisions of the two Practice Guides, auditors are divided into three levels: entry-level, intermediate, and senior. They have different capability requirements in terms of laws and regulations, professional knowledge, professional skills, project management, and report writing and review. Cyber Security Association of China has compiled the Key Points for the Capability Evaluation of Personal Information Protection Compliance Auditors on its official website and will subsequently conduct capability evaluations for auditors.

CAC Continuously Strengthens the Governance of Information Recommendation Algorithms

On November 24, 2024, the CAC launched the Qinglang Campaign for the Governance of Typical Algorithm Issues on Online Platforms, focusing on risks such as algorithmic promotion of vulgar content, intensification of "information cocoons", and exacerbation of opinion polarization. The CAC guided key platforms to optimize the functions and rules of their information recommendation algorithms. Since the launch of the campaign, major platforms have responded actively by signing the Nanning Declaration on Responsible Algorithms, improving content review mechanisms in algorithmic recommendations, launching dedicated websites, channels, or accounts to publicly explain algorithm rules and principles, and developing innovative features such as cocoon assessment and one-click cocoon breaking. They have also improved user interest and preference management services and enhanced the diversity of algorithm-recommended content. In May, platforms including Douyin, Xiaohongshu, Weibo, Kuaishou, WeChat Channels, and Bilibili issued announcements disclosing the operation rules of their algorithms, launched mechanisms for users to adjust content preferences, and optimized their recommendation algorithms. Given the long-term and systemic nature of algorithm governance, cybersecurity authorities will continue to conduct regular inspections to supervise platforms in continuously improving the operation mechanisms and management rules of their recommendation algorithms.

———— Data Compliance ————

On May 22, the full text of national standard Security Requirements for Processing Sensitive Personal Information (Technical Specifications for Data Security) was released, set to be officially implemented on November 1 this year.

On May 30, the CAC issued the Announcement on the Record Filing of the Application of Face Recognition Technology. Personal information processors that store the face information of 100,000 people should file with the provincial-level cyberspace administration in their respective localities.

On May 19, the CAC released the 11th batch of filing information on deep-synthesis service algorithms, announcing the list of deep-synthesis service algorithms filed within China in May 2025. The 211 algorithms cover fields such as medical care, education, travel, clothing, and digital humans.

———— Data System ————

On May 16, the National Data Administration issued the Action Plan for the Construction of Digital China in 2025. This is the first document issued by the National Data Administration to local data management departments to guide the construction of Digital China.

———— Data Law Enforcement ————

On May 29, the Ministry of Industry and Information Technology (MIIT) released the second batch in 2025 of apps infringing user rights. The main infringing behaviors include random redirection of information windows, illegal collection of personal information or collection beyond the stated scope, compulsory, frequent and excessive requests for permissions by apps, and inadequate public disclosure of SDK information.

On May 28, the Cyberspace Security Association of China released a list of six apps that have completed the optimization and improvement of their personal information collection and use. The app categories cover instant messaging, app stores, and car-hiring services, and the improvements focus on collection of personal information beyond the stated scope, excessive invocation of sensitive permissions, inconvenient permission settings, and account cancellation.

On May 27, the Shanghai Cyberspace Administration introduced the three major domains and eight priorities of the "Huangpu Sword Campaign · 2025" special law enforcement action for the protection of personal information. The action will focus on three domains: consumption, platform services, and minors, and will further promote personal information protection.

The National Cybersecurity Reporting Center has successively reported multiple cases of mobile applications illegally and irregularly collecting and using personal information. On May 20, the Center reported 35 mobile applications, including Kimi, for illegal and irregular collection and use of personal information, citing issues such as failing to list collection rules in a structured inventory and collecting information beyond the specified scope. On May 28, the Center notified 63 mobile applications of issues such as not displaying the privacy policy during first use and having non-standard privacy policies.

On May 6, CAC announced personal information collection and use issues regarding 15 apps and 16 SDKs. These issues include: failing to list one by one the SDKs that collect and use personal information; failing to accurately specify the purposes, methods, and scope of personal information collection and use by the SDKs; failing to provide a personal information policy; failing to specify the measures for responding to users' personal information requests, whether directly or by assisting the app; and failing to promptly respond to users' complaints and other personal information rights requests.

———— Worldwide News ————

On May 23, a German court ruled that Meta can use publicly available user data to train AI. The Higher Regional Court of Cologne held that the effective measures taken by Meta significantly mitigated the infringement of the rights of the relevant parties, and there was no improper data consolidation in violation of the Digital Markets Act.

On May 2, the Irish Data Protection Commission announced an administrative fine of EUR 530 million against TikTok, stating that the company had violated the GDPR by transferring user data from the European Economic Area to China and by failing to meet transparency requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.