ARTICLE
29 August 2025

The Personal Information Protection Officer System Has Been Officially Implemented, Marking A Further Step Towards The Normalization Of Personal Information Protection In China

Lusheng Law Firm

Contributor

Lusheng Law Firm is a Chinese law firm, specialising in Intellectual Property law and litigation. It is also a patent agency authorised by the National Intellectual Property Administration, PRC (CNIPA). With headquarters in Beijing, Lusheng provides top quality specialised legal and patent agency services to clients throughout China.

Takeaways

  • The Cyberspace Administration of China (CAC) has officially initiated the process for reporting information on personal information protection officers. Reporting is done through an online system, and the first round of reporting must be completed by August 29.
  • Multiple departments are jointly promoting data compliance for mobile apps. The Security Requirements for Shake-to-Trigger Advertisement Behavior has been officially released, and two other national standards, the Personal Information Protection Requirements for Products and Services for Minors and the Technical Requirements for Information Deletion of Electronic Products, are currently being developed.
  • On the international front, the provisions of the EU AI Act concerning general-purpose AI models are about to take effect. Vietnam has published its directories of important data and core data, which will facilitate the implementation of the prerequisite compliance requirements for the cross-border transfer of these two data types under the Vietnam Data Law, which came into effect on July 1.

Regulatory Highlights

The CAC has officially initiated the submission of information for Personal Information Protection Officers

The system for appointing a Personal Information Protection Officer was first introduced in China's Personal Information Protection Law (PIPL) and was further detailed in the Measures for the Management of Personal Information Protection Compliance Audits, which came into effect on May 1, 2025. These measures require that any personal information handler managing the data of over one million individuals must submit information about their designated Personal Information Protection Officer to the cyberspace administration at the city level. On July 18, the CAC issued the Announcement on Launching the Submission of Personal Information Protection Officer Information, clarifying that the submission must be completed online through the "Personal Information Protection Business System." Handlers who have already reached the one-million-individual threshold must complete their submission by August 29. Those who meet the criteria after this date must do so within 30 working days.

The online business system now displays the Instructions for Completing the Personal Information Protection Officer Information Submission System (Version 1), which contains a form to be filled out. In addition to basic information about the company and its officer, the form also requires statistics on the scale of personal information processing for the company as a whole and for different business sectors, including monthly active users, types of personal information processed, and the collection of and methods for obtaining minors' information. Therefore, this submission process is essentially a comprehensive survey of how each company is implementing the PIPL, marking a further step toward the normalization of personal information protection work in China.

Cross-border Data Transfer

On July 17, the second meeting of the China-EU Dialogue Mechanism on Data Cross-Border Flow was held in Brussels. Both sides agreed to establish a working group to cooperate on data cross-border flows in the automotive sector between China and the European Union.

Internet Compliance

On July 22, the National Technical Committee 260 on Cybersecurity of the Standardization Administration of China (TC260) released the Practical Guide to Cybersecurity Standards: Security Requirements for Shake-to-Trigger Advertisement Behavior. The guide requires that app operators and third-party ad SDK operators offering shake-to-trigger ad functions adhere to principles of transparency, user autonomy, and personal information protection. It also requires them to set a reasonable threshold for ad triggers to prevent users from unintentionally activating ad redirects.

TC260 is also developing a new national standard, the Personal Information Protection Requirements for Products and Services for Minors, which applies to the development, sales, and operation of online products and services for minors. The draft innovatively proposes three protection levels: Basic Protection, Enhanced Interaction, and Age-Appropriate Optimization. Products and services for minors should select the appropriate level based on their form, function, and user base.

Additionally, the CAC is planning to establish a mandatory national standard, Technical Requirements for Information Deletion on Electronic Products, to regulate user data deletion on electronic devices and during the recycling and second-hand trading of these products. According to the current draft, electronic products must include a built-in "one-click clear" function. This function must be capable of deleting apps and their associated data, user media files, cache, backups, system configuration information, NFC binding information, and encryption keys. Once the deletion is complete, the data should not be recoverable, readable, or accessible by technical tools.

On July 3, the Ministry of Industry and Information Technology (MIIT), in collaboration with the Internet Society of China and the China Academy of Information and Communications Technology, published the Compliance Management Guide for the Protection of User Rights in Mobile Internet Application Services. This guide outlines key requirements for protecting user rights across six areas: service provision, personal information protection, algorithmic recommendations, service fees, complaint handling, and customer service hotlines.

On July 14, the CAC released the twelfth batch of deep synthesis service algorithm filing information, which includes a list of 389 deep synthesis service algorithms filed in China as of July 2025. The algorithms cover various sectors, including healthcare, education, travel, apparel, and digital human technology.

Data Transaction

On July 2, the National Data Administration and the State Administration for Market Regulation jointly issued a notice to release the Contract Templates for Data Circulation and Trading. The templates cover four types of contracts: data provision, entrusted data processing, data integration and development, and data intermediary services.

Personal Information Enforcement

On July 8, the Cyber Security Association of China released a list of 12 apps that have completed optimizations to their collection and use of personal information. The association guided the operators of these 12 apps, which fall into seven categories—online communities, app stores, food delivery, housing rentals, live streaming, instant messaging, and job-seeking—to improve how they handle user data. Their efforts focused on addressing issues such as collecting excessive personal information, making excessive requests for sensitive permissions, and making permission settings and account deletion difficult for users.

On July 11, the National Cyber and Information Security Information Notification Center reported 68 mobile applications that illegally and improperly collected and used personal information. On July 23, the Ministry of Public Security's Quality Supervision and Inspection Center for Computer Information System Security Products detected 33 mobile applications with similar violations. Compared to previous reports, two new types of violations were added: requiring users to enable permissions that allow the collection of personal information unrelated to the current functionality in advance, and forcing users to enable non-essential permissions that allow the collection of personal information.

Data Security

On July 1, the full text of the Regulations on the Use of Commercial Encryption in Critical Information Infrastructure was officially released. The regulations will come into effect on August 1, 2025.

On July 31, CAC held a regulatory meeting with NVIDIA Corporation regarding security risks associated with backdoors and vulnerabilities in its H20 computing chips.

Worldwide News

On August 2, the provisions of the EU AI Act concerning general-purpose AI (GPAI) models officially came into effect. In July, the European Commission released a series of documents, including the General-Purpose AI Code of Practice, the Guidance on the Scope of Obligations for Providers of GPAI Models, and the Template for a GPAI Model Providers to Summarise Their Training Content. These documents aim to help the industry comply with the obligations outlined in the AI Act. The Code of Practice is a voluntary tool that proposes compliance solutions for three key obligations: transparency, copyright, and safety and security. Companies that voluntarily sign the code can demonstrate their compliance with the AI Act by fulfilling its requirements, thereby simplifying administrative processes and gaining greater legal certainty. The Guidance serves as a supplement, clarifying key concepts related to GPAI models. Meanwhile, the Template is designed for disclosing training data for GPAI models, making it easier for them to enhance transparency in a simple, standardized, and compliant manner.

On July 10, the Irish Data Protection Commission (DPC) announced an inquiry into TikTok's transfer of EU user personal data to servers located in China. Previously, TikTok had stated that all EEA user data were stored on servers located outside of China and were accessed remotely by TikTok staff from within China. However, in April of this year, TikTok informed the DPC that limited EEA user data had in fact been stored on servers in China. The current inquiry is therefore focused on whether this data transfer complies with the conditions of the GDPR and provides an equivalent level of data protection.

On July 1, Vietnam's Data Law officially took effect. The law imposes strict compliance requirements for the cross-border transfer of "important data" and "core data." Both types of data require an impact assessment and must be declared to the data regulatory authority. Processors of important data can proceed with the transfer if they do not receive objections within five working days, whereas processors of core data must wait for the approval result. The following day, the Vietnamese government released the List of Core and Important Data, specifying 26 types of core data and 18 types of important data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
