————Takeaways————
- The Cybersecurity Law has been officially revised and will take effect on January 1, 2026. The new law introduces a specific clause for Artificial Intelligence, emphasizes the cross-application of compliance provisions for issues such as personal information and cross-border data transfer, and comprehensively enhances the penalty system. Corporate fines can reach up to RMB 10 million, with penalties for individuals directly responsible as high as RMB 1 million, substantially increasing the non-compliance cost for enterprises that cause serious consequences by failing their cybersecurity obligations.
- The Cyberspace Administration of China (CAC) and the Ministry of Public Security plan to formulate the Regulations on Personal Information Protection for Large Network Platforms. It proposes that the list of large online platforms will be jointly designated and dynamically updated by the CAC and other relevant authorities, without requiring enterprises to conduct self-assessment. In addition, large network platforms will be required to store personal information generated from their operations in China within domestic data centers.
- The Ministry of Industry and Information Technology released its first list of smart terminals infringing user rights (e.g., smartwatches, cameras), expanding the scope of regular product inspections.
- The European Union has released a comprehensive package of reform proposals in the field of digital and technology regulations, including major suggested amendments to the Artificial Intelligence Act and the General Data Protection Regulation (GDPR). These changes are expected to significantly relax the EU's previously stringent data protection framework, creating a more flexible regulatory environment for AI training, the use of anonymized data, and related activities.
————Regulatory Highlights————
Cybersecurity Law Revision Completed, Effective on January 1, 2026
The Decision on Amending the Cybersecurity Law was voted on and adopted at the 18th Session of the Standing Committee of the 14th National People's Congress on October 28, 2025. The Decision will take effect on January 1, 2026. This revision is divided into three main parts:
I. New AI Clause: The revision introduces a dedicated clause for Artificial Intelligence, establishing for the first time in fundamental legislation dual normative principles that support both development and security regulation.
II. Strengthened Legal Linkage: The revision strengthens the cross-application of legal provisions with other data laws. It emphasizes that network operators handling personal information must also comply with the Civil Code, the Personal Information Protection Law, and other laws and administrative regulations. It clarifies that provisions regarding personal information protection, cross-border transfer of Critical Information Infrastructure (CII) data, and other matters are to be applied by reference to other relevant laws and administrative regulations.
III. Comprehensive Penalty Reform: This is the most significant part of the revision. It adjusts the legal liability for failing to fulfill various cybersecurity obligations by removing the restriction of issuing only a warning for the first offense, allowing for immediate fines, increasing the upper limit of penalties, and strengthening punishments for individuals. Simultaneously, it establishes a more diverse and flexible penalty framework, including the addition of suspension of operations, asset freezing, and provisions for mitigated penalties. For instance, for failing to fulfill obligations related to network operation security, CII security protection, or network information security, resulting in especially severe consequences, corporate fines can reach up to RMB 10 million, and penalties for individuals directly responsible can be as high as RMB 1 million, substantially raising the ceiling for cybersecurity enforcement penalties.
On November 22, the Cyberspace Administration of China (CAC) and the Ministry of Public Security (MPS) issued the Notice on Public Solicitation of Comments for Regulations on Personal Information Protection for Large Network Platforms (Draft for Comments).
Article 58 of the Personal Information Protection Law stipulates the special obligations of large network platforms regarding personal information protection, including establishing an independent supervisory body, formulating platform rules, and regularly publishing social responsibility reports on personal information protection. The Regulations on the Administration of Network Data Security further define a large network platform as one with more than 50 million registered users or over 10 million monthly active users, featuring complex business types, and whose network data processing activities exert an important impact on national security, economic operation, the national economy and people's livelihood, among other aspects. On this basis, the Draft for Comments further refines the definition of large network platforms and their obligations for personal information protection, with the main contents as follows:
- Clarifies the identification criteria for large network platforms, which are comprehensively assessed along the dimensions of user scale, business scope, and the impact of data incidents. Meanwhile, it specifies that the CAC, MPS, and other relevant departments shall formulate and issue a directory of large network platforms and update it dynamically, eliminating the need for enterprises to make independent judgments.
- Obligations to appoint a personal information protection officer and establish a dedicated working body. A large network platform that meets the identification criteria shall designate a personal information protection officer, establish a personal information protection working body, and promptly report the relevant information to the CAC. The Draft for Comments elaborates on the requirements for the appointment of personal information protection officers and the establishment of working bodies, as well as their scope of responsibilities, information disclosure and reporting procedures.
- Obligation to establish a domestic data center. Personal information collected and generated during operations within the territory of China must be stored in a domestic data center. The person in charge shall be a Chinese national without permanent residency or a long-term residence permit in a foreign country.
- Other obligations of large network platform, including the right of individuals to make requests related to their personal information, compliance audits, and risk assessments.
The Fourth Intermediate People's Court of Beijing exercises centralized jurisdiction over appeals of internet-related civil and commercial disputes tried by the Beijing Internet Court. Over the past three years, it has concluded a total of 66 second-instance civil cases involving personal information rights and interests, with the following main characteristics:
- Case subjects are diversifying, with internet platforms forming the majority of defendants.
- Infringing acts are expanding in scope and involve multiple, compounding violations.
- The burden of proof remains relatively heavy, often centering on the establishment of negative facts.
- The application of new technologies has exacerbated the concealment and complexity of infringements.
- Systemic risks exist in the operational processes of digital certification services.
The Fourth Intermediate People's Court of Beijing also released seven typical cases:
Case 1: Chi vs A Information Company, B Technology Company, et al. Internet Tort Liability Dispute - A "unified service platform" must obtain separate consent from users when processing sensitive personal information and intimate information.
Case 2: Wang vs A Technology Co., Ltd. Internet Service Contract Dispute - Platform user whose account is permanently banned by the platform cannot withdraw their personal information by cancelling their account.
Case 3: Li vs A Technology Company Internet Infringement Dispute - The exercise of the right to access and copy personal information must be based on the purpose of protecting personal information rights and interests, and is not required to meet any derivative demands, such as for statistical analysis.
Case 4: Xiao vs A Technology Company Internet Infringement Dispute - Human resources and technical costs, or retrieval difficulty, generally do not constitute a valid defense against the right to access and copy personal information. Personal information processors must fully provide the content of all processed information in accordance with the law, including non-actively provided personal information.
Case 5: Fang vs A Information Company Internet Infringement Dispute - The disclosure of employees' salaries and other intimate information shall be within a reasonable scope.
Case 6: Wen vs A Consulting Company Internet Infringement Dispute - The company's Human Resources department must strictly adhere to the principles of legality, justification, and minimum impact when processing employees' personal information.
Case 7: Wang vs Yu Internet Infringement Dispute - The determination of private information should be made based on a comprehensive assessment of the scope of its dissemination, the subjective intent of the individual concerned, and social consensus.
————Cross-border Data Transfer————
On October 31, the CAC released the Policy Q&A on Security Management of Data Exports, addressing ten frequently consulted questions. The Q&A clarified that the contractual necessity exemption in the Regulations on Promoting and Regulating Cross-Border Data Flows covers non-exhaustive examples (e.g., cross-border shopping), but strict adherence to the principles of contractual relevance and necessity is required; domestic hotel bookings made by individuals in China are specifically ruled out. Key guidance confirmed that the two-month security assessment declaration period for important data processors is strictly non-extendable, though materials can be prepared in advance. Also, data accessed by overseas personnel while within China is not deemed a data export. Furthermore, the document detailed operational requirements concerning reassessment after system upgrades, repeated Standard Contract filings, and rules for the onward transfer of data by overseas recipients, providing guidance for efficient and compliant cross-border data transfers.
On October 14, the CAC and the State Administration for Market Regulation (SAMR) jointly issued Decree No. 20, the Personal Information Outbound Certification Measures, which will take effect on January 1, 2026. The Measures stipulate that Personal Information Processors (PIPs) seeking certification must apply to legally qualified professional certification institutions. Overseas PIPs may apply with the assistance of their designated representatives or specialized entities established within China, and the certification institutions will conduct activities in accordance with established standards and rules. The certificate remains valid for three years, requiring a renewal application to be submitted six months prior to its expiration if continued use is needed.
On November 28, the Guangdong Cyberspace Administration issued the Guidelines for the Registration of Standard Contracts for Cross-Border Personal Information Flows in the Guangdong-Hong Kong-Macao Greater Bay Area, further streamlining the registration process and allowing eligible personal information processors or recipients to register with the Guangdong Cyberspace Administration through the online submission system.
In mid-November, Hangzhou Alibaba Overseas Digital Commerce Co., Ltd. completed the filing of its negative list for cross-border data transfers, covering 26 data items including cross-border payment and collection scenarios for domestic sellers. It became the first company in Hangzhou to achieve compliant outbound data transfer through the negative list approach.
————Personal Information Audit————
On October 20, the first batch of certified professional institutions for personal information protection compliance audits was unveiled. Thirteen institutions, including the National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT/CC) and the China Software Testing Center, obtained the certificates.
————Internet Compliance————
On October 30, the reporting center of CNCERT/CC announced a list of 70 mobile apps that were found to be illegally collecting and using personal information. These apps, which include 7-Eleven Membership Mini Program and Conch AI, were detected by the National Computer Virus Emergency Response Center between September 1 and September 28. The violations involve 12 types of illegal activities, such as failing to provide a way to withdraw consent for the collection of personal information and failing to encrypt or de-identify personal information.
On October 28 and November 10, the Ministry of Industry and Information Technology (MIIT) successively announced two batches totalling 81 apps and SDKs that violated user rights. The issues included default consent to privacy policies, unauthorized collection of personal information, excessive permission requests and others. Just prior to this, on October 22, MIIT also published its first report on 20 smart terminals involved in user rights violations. These products, which include home network cameras, smart speakers, smartwatches, and smart locks, exhibited violations such as failing to separately notify users about facial information collection, forced automatic renewal, and unauthorized transmission of personal data to the cloud.
On October 13, CAC, in accordance with the Blockchain Information Service Management Provisions, released the twentieth batch of filings, which included the names and filing numbers of 30 domestic blockchain information services. Then, on November 6, under the Regulations on the Administration of Deep Synthesis Services for Internet Information, CAC publicly released the 14th batch of filing information for 680 domestic deep synthesis service algorithms.
————Data Enforcement————
On November 28, the cyberspace and market regulation authorities of Shanghai jointly released five typical cases of failure to fulfill personal information protection obligations. One case specifically held that a restaurant's ordering mini-program that required consumers to provide their personal mobile phone number before they could place an order constituted a disguised mandatory collection of personal information unrelated to the business activity, in violation of the Regulations on the Implementation of the Consumer Rights Protection Law.
On October 15, the Hangzhou Municipal Administration for Market Regulation released the Top 10 Administrative Data Protection Enforcement Cases within Hangzhou's Market Regulation System. Among these, six cases involved illegal crawling, interception, and hijacking of transaction orders, sales figures, user traffic, and other data from various apps and websites, with e-commerce platforms being the primary targets. The highest penalty imposed in these cases reached RMB 1.5 million.
In the first three quarters of 2025, prosecutorial organs nationwide prosecuted over 2,100 cases involving over 4,400 individuals for the crime of infringing on citizens' personal information. Case handling by prosecutors revealed three new characteristics of such crimes: the targeted acquisition of specific citizens' personal information, the increasing intelligence and covert nature of criminal methods, and the use of cyber "doxxing" to escalate online bullying. Moving forward, procuratorial organs will strengthen crackdowns, rigorously investigate the sources of data leaks, leverage the function of public interest litigation, and enhance public legal education through case studies, with the goal of building a societal consensus on protecting citizens' personal information and safeguarding data security.
————Industry Development————
On October 20, the National Health Commission and other departments jointly issued the Implementation Opinions on Promoting and Regulating the Development of "Artificial Intelligence + Healthcare" Applications, aiming to advance the use of AI in areas such as intelligent assistance in primary-level diagnosis and treatment, AI-assisted medical imaging diagnosis, and clinical decision support.
On November 25, the Shanghai Cyberspace Administration, the Shanghai Municipal Administration for Market Regulation, and the Shanghai Municipal Health Commission jointly issued the Compliance Guidelines for Network Data Security and Personal Information Protection for Internet Healthcare Service Enterprises in Shanghai. The guidelines specify that before collecting, sharing, or entrusting the processing of personal health and medical data, companies must clearly inform individuals—through prominent means—of the purpose of processing, the types of data involved, and the recipients of any shared data, and obtain their separate consent.
On October 16, the National Internet Finance Association of China publicly released the group standard Security Requirements for Mini Programs in Mobile Finance (T/NIFA 33—2025) on the National Group Standards Information Platform. Previously, under the guidance of the People's Bank of China and relevant regulatory authorities, the association has been continuously conducting self-regulatory management of financial apps in the industry, including record-filing.
The proposal for the international standard on Security and Privacy in Intelligent Mobility Services, spearheaded by China, has been officially initiated within the International Organization for Standardization (ISO), receiving support from countries including Germany, France, and India. This marks the official commencement of the development of the world's first international standard focused on privacy protection in the field of intelligent mobility.
————Data System————
On November 8, the CAC and the Chinese People's Institute of Foreign Affairs jointly hosted the 2025 Global Development Initiative Digital Cooperation Forum and put forward the Global Development Initiative Digital Inclusion Action Initiative.
On October 13, the Ministry of Public Security approved and released 19 public security industry standards, including mandatory standards on security management requirements for services such as online live streaming and online payment. These standards officially came into effect on December 1.
On October 10, the CAC and the National Development and Reform Commission jointly issued the Guidelines for the Deployment and Application of Large-Scale Artificial Intelligence Models in the Government Sector. The guidelines require government departments to deploy large-scale AI models in a centralized and intensive manner.
————Worldwide News————
On November 19, the European Commission released the Digital Omnibus Regulation Proposal, which suggests a series of reforms to key digital and technology governance laws, such as the General Data Protection Regulation (GDPR) and the AI Act, to loosen the EU's strict digital regulations. According to the Proposal, compliance obligations for companies using personal information—including de-identified data—for AI training and scientific research will be significantly reduced, and data subjects' rights to make requests will be somewhat restricted. Meanwhile, the compliance obligations for high-risk AI systems, originally scheduled to take effect from August 2026, will be postponed by up to 16 months. The scope of relief measures for small and medium-sized enterprises will be further expanded, and employee training requirements for companies will also be moderately relaxed.
On October 24, the European Commission preliminarily determined that TikTok and Meta violated the transparency obligations stipulated in the Digital Services Act (DSA), by creating unnecessary barriers for researchers to access public data. Furthermore, the complaint mechanisms for illegal content on Meta's Facebook and Instagram platforms were also cited for having deficiencies.
In April, Apple and Meta were penalized by the EU for restricting external payment channels and adopting a "pay or consent" model for personalized ads, respectively. According to the Financial Times, the two tech giants are now close to reaching a settlement with the European Commission. This could allow them to avoid ongoing penalties—which can reach up to 5% of their average daily global revenue—that might be imposed if their remedial measures fail to gain EU approval.
On October 23, the UK's Competition Appeal Tribunal (CAT) ruled in a collective action brought by more than 1,500 app developers that Apple had abused its monopoly position in iOS app distribution channels by charging app developers excessively high and unfair commissions. This case is the first large-scale lawsuit against a tech giant under the UK's collective action regime, and Apple could face damages of around GBP 1 billion. The CAT did not grant Apple permission to appeal, but Apple may still seek leave to appeal from a higher court.
On November 14, the Indian government released the Digital Personal Data Protection Rules, 2025 (DPDP Rules, 2025). These rules mark the full implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act), and together they form India's data protection system.