————Take Aways————
- The revised Anti-Unfair Competition Law will come into effect on October 15. The new law emphasizes the legality of data acquisition and use by online operators, raising the maximum penalty limit from the original RMB 3 million to RMB 5 million.
- The national standard, Data Security Technology—Security Requirements for Processing of Sensitive Personal Information, has been made publicly available in full. The Standard specifies the identification, determination, and processing requirements for sensitive personal information. According to the Standard, a single ID card number and non-continuous rough activity tracks will no longer be identified as sensitive personal information.
- The Guidance on the Application for Security Assessment of Cross-border Data Transfers (The Third Version) has been officially released. In addition to simplifying and optimizing the original material requirements, it also introduces a mechanism for data processors to apply for an extension of the validity period of data export security assessment results, and clarifies the application conditions, procedures, and materials.
————Regulative Highlights————
The new Anti-Unfair Competition Law will come into force on October 15, 2025. This revision improves the provisions on unfair competition acts and regulatory penalties, with refinement of online unfair competition acts such as infringement of data rights and interests and malicious transactions. On the one hand, it emphasizes the legality of data acquisition and use; on the other hand, it refines the expression of "technical means" in the original provisions, making it clear that business operators are prohibited from engaging in unfair competition acts by using data, algorithms, technology, platform rules, etc. Meanwhile, the new Anti-Unfair Competition Law has also increased the penalty: the maximum fine for online unfair competition acts has been raised from the original RMB 500,000 to RMB 1 million, and the maximum penalty for serious circumstances has been increased from RMB 3 million to RMB 5 million.
These typical cases were released on June 12, with the main contents as follows:
- An individual's unauthorized release of reward notices to collect clues about others' illegal or criminal acts may constitute an infringement of reputation rights — the reputation right dispute case between a development company and Zheng
- Unauthorized use of others' voices in AI form without permission shall bear liability for infringing upon personality rights — the personality right dispute case between Yin and Company A, Company B, etc
- Unauthorized use of others' portraits for "face swapping" shall bear liability for infringing upon portrait rights — the portrait right dispute case between Peng and a software operating company
- Using an online account to "name and shame someone" and calling on fans to make complaints and conduct online violence constitutes an infringement of reputation rights — the reputation right dispute case between Chen and Meng, etc
- Illegally trading facial information with serious circumstances constitutes the crime of infringing upon citizens' personal information — the case of Xu and Li infringing upon citizens' personal information
- Illegally obtaining control over others' in-home surveillance cameras, if the circumstances are serious, constitutes the crime of illegally controlling computer information systems — the case of Han illegally controlling computer information systems
————Personal Information Protection————
On June 21, Beijing announced the results of the special rectification work on data security and personal information protection in the field of people's livelihood consumption. During the campaign, a total of 197 apps were inspected, and 388 problems related to personal information protection were identified.
On June 23, the Cyberspace Administration of Shanghai issued the Initiative on Compliant Application of Facial Recognition Technology in Shanghai, focusing on the long-term governance of the safe application of facial recognition technology.
On June 17, the National Technical Committee on Cyberspace of Standardization Administration (TC260) published the full text of the national standard Data Security Technology—Security Requirements for Processing of Sensitive Personal Information, which will formally take effect on November 1, 2025. The standard emphasizes that the identification of sensitive personal information should not only consider individual items of information but also the overall attribute of the aggregation of general personal information items. In terms of the scope of sensitive personal information, a single ID card number will no longer be identified as sensitive personal information. As for location track information, it emphasizes that it refers to continuous activity tracks within a certain period; therefore, isolated and rough location information will also no longer be regarded as sensitive personal information.
————Data System Construction————
On June 27, CAC released the Guidance on the Application for Security Assessment of Cross-border Data Transfers (The Third Version), which optimized and simplified the materials that data processors need to submit when applying for the security assessment of cross-border data transfer, and clarified the conditions, procedures, materials, etc. for data processors to apply for extending the validity period of the security assessment results.
On June 6, CAC released the Report on the Development of China's Network Rule of Law (2024). The report summarized the network legal system, network law enforcement, China's data cross-border flow system, and the network protection system for minors.
On June 3, CAC released a notice on the 19th batch of filing numbers for domestic blockchain information services. A total of 42 domestic blockchain information services declared by 39 legal entities from 13 regions were filed.
————Artificial Intelligence————
On June 30, the Shanghai Cyberspace Administration released a new batch of artificial-intelligence service registrations, adding eight generative AI services and bringing the total number registered to 95.
On June 20, the CAC released the first-phase results of its campaign to curb the "misuse of artificial-intelligence technology", which targets abuses such as deep-fake face and voice swaps that infringe individual rights, as well as the lack of labeling on AI-generated content that could mislead the public.
On June 17, a deputy to the National People's Congress submitted a proposal to draft an Artificial Intelligence Law, aiming to establish a comprehensive and rigorous legal framework for AI.
————Data Law Enforcement————
On June 30, the CAC issued the Checklist of Enterprise-Related Administrative Inspection Items, identifying six key inspection areas that include platform content management, Internet news and information services, and data security and personal information protection. Unlike the other items, the checklist sets the inspection frequency for security assessments and oversight of new Internet-technology applications at twice per year, underscoring the regulator's heightened focus on emerging technologies.
On June 27, the CAC issued the Provisions on the Application of the Benchmark for Discretionary Power for Administrative Punishment by Cyberspace Authorities, which will come into force on August 1, 2025.
On June 20, the Ministry of Public Security officially launched the 2025 "Internet Clean-up" and "Internet Protection" campaigns, designating crimes involving the unlawful handling of personal information as one of the primary enforcement focuses and emphasizing the protection of cybersecurity and data security as well as tighter regulation of internet platforms.
On June 27, the State Administration for Market Regulation (SAMR) announced five typical cases of online unfair competition, which involved practices such as e-commerce data scraping, falsification of transaction data, and other violations.
On June 18 and 24, China's National Cybersecurity Notification Centre identified a total of 109 mobile APPs that had illegally collected or misused personal information.
————Worldwide News————
On June 27, DeepSeek may be removed from mainstreaming APP stores in Germany for transferring user data to China in violation of GDPR. On May 6, the Berlin Data Protection Commissioner demanded that DeepSeek remove its app from German app stores and cease the illegal transfer of personal data to China, or comply with GDPR requirements for lawful data transfers to third countries. Since DeepSeek failed to comply, the Berlin Data Protection Commissioner issued a notification to the Apple App Store and Google Play under the Digital Services Act's illegal content reporting framework. Both companies will review the request and decide whether to remove the DeepSeek APP.
On June 25th, the U.S. District Court for the Northern District of California ruled that Meta's use of pirated books to train its AI models may still constitute fair use. However, the judge in this case (Kadrey et al. v. Meta Platforms, Inc.) also emphasized the limited scope of the ruling. It does not represent an endorsement of the legality of Meta using copyrighted materials to train language models; it merely addresses the deficiencies in the plaintiffs' claims and evidence presentation. Days earlier, the same court (Bartz v. Anthropic PBC) granted Anthropic permission in a separate ruling to scan and use legally purchased books for training its large language models. However, it rejected Anthropic's claim for copyright exemption regarding the use of pirated copies for training. Both rulings determined that the use of copyrighted books by artificial intelligence differs in nature from the original works and is transformative.
Following its fine by the European Commission in April of this year for its pay-or-consent model for collecting personal data for personalized ads, the European Commission issued another warning to Meta on June 27. The Commission stated that if its adjusted personalized advertising service is still found non-compliant with the Digital Markets Act (DMA), Meta could face daily fines of up to 5% of its average daily worldwide turnover.
On June 18th, the European Commission preliminarily found AliExpress in violation of regulations. The investigation concluded that AliExpress breached multiple obligations under the Digital Services Act (DSA), including the duty to assess and mitigate the risks related to the dissemination of illegal products, due to insufficient resources devoted to its content review systems.
On June 23, Vietnam adopted the Personal Data Protection Law, which will come into force on January 1, 2026. The law prohibits trading in personal data. Violators may face fines of up to 10 times the revenue generated from such trading, while penalties for violating cross-border data transfer regulations can reach 5% of the violator's total annual revenue from the preceding year.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
