This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].
In July 2025, China further advanced its regulatory framework by promulgating a series of laws, regulations, and standards in key areas including personal information protection, data and cyber security, the construction of fundamental data systems, and cross-border data flows. Concurrently, enforcement actions in personal information protection and network data security intensified significantly. Central and local authorities regularly published name lists of violators and conducted frequent enforcement activities, strongly urging enterprises to rigorously fulfil their primary responsibilities for personal information protection and network data security.
Please click on the links below to view the official policy documents or public announcements.
The State Council promulgated the Regulation on Government Data Sharing, aiming to promote the secure, orderly, and efficient sharing and utilisation of government data and to enhance the government’s digital governance capabilities and public service efficiency. The Regulation takes the nationwide integrated government big‑data system as its technical base, implements unified catalogue management and a three‑tier classification of “unconditional sharing”, “conditional sharing” and “non‑shareable”, and requires departments to reply to conditional‑sharing requests within ten working days and to provide the data within twenty working days. It also prohibits redundant collection and requires higher‑level data to be returned in a timely and complete manner. The Regulation details the full‑cycle security obligations of source departments, requesting departments and competent authorities, and establishes mechanisms for security management, verification and error correction, and dispute resolution. It also sets out administrative and, where appropriate, criminal liability for obstructing sharing, using data beyond the authorised scope or causing a leak.
2. CAC released rules to standardise the exercise of administrative penalty discretion by cyberspace authorities (27 June)
The CAC released the Provision on the Use of Benchmarks for the Exercise of Administrative Penalty Discretion by Cyberspace Authorities, aiming to safeguard the lawful rights and interests of citizens, legal persons and other organisations. The Provision divides penalties into five bands—no penalty, mitigated penalty, lenient penalty, standard penalty and aggravated penalty—and links them to three fine ranges within the statutory range: less than 30 percent, 30–70 percent and more than 70 percent. It specifies that serious breaches of minors’ protection obligations or repeated offences within one year must attract aggravated penalties. Voluntary remediation of harm or active cooperation with the investigation allows a lenient or mitigated penalty, and a first minor violation that is rectified immediately may be exempted from punishment. Local CAC offices may refine the benchmarks provided they do not exceed the upper ranges, must inform parties of the facts, reasons and legal basis for the exercise of discretion, and must record their application of the benchmarks in the penalty decision, which is subject to higher‑level review.
3. CAC issued third edition of Guidelines for the Application of Data Export Security Assessments (27 June)
The CAC issued the Guidelines for the Application of Data Export Security Assessment (Edition 3), which further refine the security assessment process under the Measures for Security Assessment of Data Export and the Provisions on Promoting and Regulating the Cross‑border Flow of Data. The guidelines streamline the application materials by no longer requiring the filing form of data export security assessment and by merging the letter of undertaking into the filing form, and they stipulate formatting requirements for the filing form. The guidelines also provide instructions for operating the online filing system and clarify the requirements for filling in data outbound transfer links in the self‑assessment report template. Crucially, the guidelines set out the prerequisites, procedure and documentation for data processors that apply to extend the validity period of an existing security assessment decision.
4. MIIT and seven other departments released draft guide to regulate automotive data export (13 June)
The MIIT, along with seven other departments, released the Draft Automotive Data Export Security Guide (2025 Version) for public comment, seeking to build an efficient, convenient and secure mechanism for cross‑border flows of automotive data and to create a favourable environment for industrial development. The draft guide maintains the three‑track “security assessment – standard contract or certification – exemption” model for cross‑border transfers of automotive data and adds industry‑specific exemptions, such as vulnerability data that have already been reported to MIIT in the course of fixing security flaws. Additionally, it sets out “important data” identification rules across six scenarios—including R&D testing, automated driving and connected‑vehicle operation—requires processors that provide important data abroad to apply for a security assessment, and elaborates the implementation procedure for outbound transfers. On security safeguards, it requires encrypted transmission and identity authentication, full retention of export traffic for one week plus sampled retention for one month, log retention for at least three years, emergency response and other end‑to‑end security measures, balancing industrial innovation against data security.
5. NHC issued notice to regulate the use and administration of electronic medical records (30 June)
The NHC issued the Notice on Further Strengthening the Use and Administration of Electronic Medical Records by Medical Institutions, which aims to standardise how medical institutions and healthcare personnel handle patient information. Inside medical institutions, the notice provides that the institution bears primary responsibility for electronic medical records, must set access permissions and time limits according to the “minimum usable” principle, and must include compliant use of electronic medical records in performance evaluations. For day‑to‑day use, it requires that authorised staff operate within their permissions, that temporary staff receive training, that confidentiality agreements be signed with external service providers, and that technologies such as digital watermarks ensure full traceability of operations. Institutions must also build a security protection system for electronic medical records. The notice further states that relevant departments will hold violators liable for improper handling or leakage.
6. Shanghai CAC issued notice clarifying filing procedures for facial recognition applications (3 June)
The Shanghai CAC issued the Notice on Carrying Out the Filing of Facial‑recognition Technology Application, which further implements the Administrative Measures for the Security Management of Facial Recognition Technology Applications and the national CAC’s Announcement on Carrying Out the Filing of Facial Recognition Technology Application. The notice requires personal information processors that are located in Shanghai and store facial recognition data for 100,000 or more individuals to file via the online Personal Information Protection Business System within thirty working days after reaching the threshold. Filing materials must include the electronic scanned copies of the application information filing form, the personal information protection impact assessment report, identity documents of the legal person and handling officer, and a letter of undertaking; the municipal CAC has opened the hotline 021‑64271056 for weekday enquiries.
7. Hangzhou issued implementing measures to regulate the innovative application of intelligent connected vehicles (11 June)
Hangzhou issued the Implementing Measures for the Innovative Application of Intelligent Connected Vehicles, aiming to regulate the innovative applications of intelligent connected vehicles. The measures classify and grade testing, pilot operation and commercial operation of vehicles equipped with Level 3 and above automated‑driving systems within the city. For example, an entity that conducts testing applications at Level 4 or higher must be equipped with a robust communications system. Simultaneously, the measures establish a “municipal joint working group + roadside intelligent infrastructure + monitoring management service platform” supervision framework. They also require the implementation of security and data governance measures, including remote monitoring, data caching and retention, accident reports within three days, batch consistency inspections and management of identification‑plate validity. Eligible testing and application entities may expand vehicles of the same type in batches.
The CAC issued Enterprise‑Focused Administrative Inspection Checklist, specifying inspection authorities, legal bases, frequency limits and evaluation criteria. The checklist provides that security assessments and supervisory inspections for new Internet technologies and applications shall take place no more than once every two years, while reviews of data security and personal information protection—covering governance frameworks, technical safeguards and outbound‑data compliance—shall occur at most once a year. Enterprises must comply with applicable laws, regulations and national recommended standards.
The MPS Computer Information System Security Product Quality Supervision and Inspection Centre detected 45 Apps that had unlawfully collected and used personal information. The violations fall into 13 categories, including failure to publish structured lists of collection rules, gathering non‑essential data beyond the permitted scope or frequency, compulsory granting of authorisation, misleading advertising and imposing unreasonable hurdles in account‑cancellation processes. The notice orders the Apps and distribution platforms to rectify. Eight Apps that still failed re‑tests after the previous round of inspection have already been removed.
10. MIIT reported a batch of Apps that infringed user rights, involving issues such as excessive and unlawful data collection (26 June)
The MIIT detected 57 Apps and SDKs that infringe user rights. Among these, 31 Apps unlawfully collected personal information; 33 Apps had information windows that could not be closed or that redirected users at random; 11 Apps collected data beyond the permitted scope; 13 Apps requested permissions forcibly, frequently or excessively; 7 Apps failed to disclose SDK information properly; and 5 forced targeted‑push functions on users. MIIT has required the notified Apps and SDKs to carry out rectification in accordance with the relevant regulations; those that fail to implement the rectification effectively will face further action.
11. CVERC reported a batch of non-compliant Apps, involving issues such as failure to prompt users to read privacy policies (19 June)
CVERC detected 64 Apps that illegally process personal information. The violations fall into 13 categories, including failure to display a pop-up window prompting users to read the personal information collection rules when the App is first launched, absence of or incomplete privacy policies, data collection without user consent, improper handling of sensitive information or minors’ data, impeding the withdrawal of consent and account cancellation, and failure to store information in encrypted form. The notice orders the developers to rectify. 28 Apps that still failed re-inspection after being listed in the previous notice have been removed from app stores.
The Supreme Court published six cases on personality rights infringement through networks and information technology, holding that AI voice dubbing, AI face‑swapping, trading of facial images, remote control of home surveillance cameras and "naming and shaming" on accounts to incite online violence can all constitute torts subject to civil or criminal liability. The rulings stressed that: (1) when a private party unilaterally posts a reward notice seeking clues to another person’s alleged crimes, it is likely to make the general public perceive the targeted person as being suspected of illegal or criminal activities, lowering that person’s social standing and thus infringing the right to reputation; (2) unauthorised commercial use of a natural person’s AI‑generated voice, where the voice remains identifiable, may constitute a violation of personality rights; (3) without the consent of a natural person, others shall not create, use or disclose that person's likeness, and doing so infringes the right to portrait; (4) rallying others to file complaints against a social media account and subjecting the account holder to sustained online abuse seriously violates the right to reputation; (5) illegally obtaining, selling or providing citizens' personal information such as facial photos and videos, when the circumstances are serious, constitutes the crime of infringing upon citizens’ personal information; and (6) illegally obtaining control over others' home surveillance cameras, if the circumstances are serious, constitutes the crime of illegally controlling computer information systems.
The Supreme Court released five civil e-commerce cases, addressing issues such as false advertising, the seven‑day no‑reason returns policy, misleading consumers, refund of concert tickets, and excessive data collection. In the excessive‑collection case, the defendant was the developer and operator of a dictionary App whose basic function is word query. The court ruled that a user's mobile phone number is not information necessary for using the word query function, so the defendant's collection of it was excessive. In addition, the App automatically pre-checked the box for users to consent to its privacy policy, failing to secure users’ voluntary, informed consent. Further, if a user refused to agree to the privacy policy, the App exited directly and did not provide word query services, which constitutes a refusal to provide basic services. Moreover, it failed to provide users with a convenient way to withdraw consent. The court held that these practices violate the law and infringe the plaintiff’s personal information rights.
The Beijing CAC penalised two companies for failing to fulfil their data security duties. In the two cases, one operator left back‑end interfaces without safeguards such as access control or identity authentication; the other had port 9200 of its Elasticsearch (ES) database open to the public Internet with no access restrictions. Both failures left the system or database open to unauthorised access, exposing personal information such as names and phone numbers stored therein to the Internet, where it was accessed and stolen from overseas IP addresses. The Beijing CAC found both enterprises in breach of Article 27 of the Data Security Law and, acting under Article 45, issued a warning and a CNY 50,000 fine to each.
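The second case turns on a configuration defect rather than a software bug: an Elasticsearch HTTP API listening on port 9200, reachable from the Internet, with no authentication in front of it. The following audit is an added example (not part of the newsletter, the Beijing CAC's material, or any Elasticsearch tooling) that reads an `elasticsearch.yml` and flags that exposure pattern. The setting names it inspects (`network.host`, `http.port`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch settings; the two sample configurations, the weak one and the corrected one, are constructed for the example, and the flat key: value parser is the example's own and ignores nested YAML blocks.

```python
"""
Added example: audit an elasticsearch.yml for the exposure pattern in the
Beijing CAC case (HTTP API reachable beyond localhost, no authentication).
Sample configurations are constructed for this example.
"""
from __future__ import annotations
import ipaddress

# network.host values that bind the API to non-loopback interfaces.
# "_site_" / "_global_" are Elasticsearch special values for site-local /
# globally routable addresses; "0.0.0.0" and "::" bind every interface.
PUBLIC_BINDINGS = {"0.0.0.0", "::", "_site_", "_global_"}


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Parse the flat 'key: value' lines used in elasticsearch.yml.
    Comments, blank lines and nested-block headers are ignored."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")       # split at the first colon only
        value = value.strip().strip('"').strip("'")
        if value:                                  # skip 'key:' block headers
            settings[key.strip()] = value
    return settings


def binds_beyond_loopback(host: str) -> bool:
    """True if the given network.host value exposes the API beyond localhost."""
    if host in PUBLIC_BINDINGS:
        return True
    if host in {"_local_", "localhost"}:
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True   # hostnames or unknown specials: assume reachable


def audit_es_config(text: str) -> list[str]:
    """Return findings describing unauthenticated or plaintext exposure.
    An empty list means the API is either loopback-only or protected."""
    s = parse_flat_yaml(text)
    host = s.get("network.host", "_local_")   # Elasticsearch binds loopback by default
    port = s.get("http.port", "9200")         # default HTTP port
    # The default of xpack.security.enabled depends on the Elasticsearch
    # version, so anything other than an explicit "true" is treated as a finding.
    security_on = s.get("xpack.security.enabled", "").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "").lower() == "true"
    findings: list[str] = []
    if not binds_beyond_loopback(host):
        return findings
    if not security_on:
        findings.append(f"HTTP API on port {port} bound to {host} without "
                        "xpack.security.enabled=true: unauthenticated access")
    if not tls_on:
        findings.append(f"HTTP API on port {port} bound to {host} without TLS "
                        "(xpack.security.http.ssl.enabled is not true)")
    return findings


# Constructed sample: the pattern penalised in the case above.
WEAK_CONFIG = """
cluster.name: crm-cluster
network.host: 0.0.0.0          # listens on every interface
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: authentication and TLS enabled; a firewall rule
# limiting port 9200 to internal clients would still be expected on top.
HARDENED_CONFIG = """
cluster.name: crm-cluster
network.host: 10.0.3.12        # internal interface only
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_es_config(cfg) or ["no exposure found"])
```

The check is deliberately conservative: a missing `xpack.security.enabled` is reported rather than assumed safe, because the effective default varies between Elasticsearch releases. A loopback-only binding produces no findings even without authentication, which is the same reasoning a regulator applies when asking whether the interface was in fact reachable from the Internet.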
The Beijing CAC, along with other departments, carried out a special inspection of livelihood‑oriented Apps, covering smart parking, online food ordering, fitness, hotel accommodation, online diagnosis and treatment, children's training, real estate agencies, shared power bank rental, life services, movie ticket booking, and online refuelling. The inspection reached more than 50,000 operators, conducted random remote tests of 197 Apps and uncovered 388 compliance issues, including undisclosed collection rules, lack of consent and failure to conduct desensitization, for which rectification was ordered. The Beijing CAC simultaneously published the Self‑inspection Checklist on Data Security and Personal Information Protection in the Livelihood‑Consumption Sector so that enterprises can assess and correct their own practices.
The Beijing CA detected 9 Apps that harm user rights or pose security risks. The issues include undisclosed data collection rules, no clear explanation of collection purposes or scope, compulsory targeted push, onerous account cancellation procedures, data sharing without user consent and missing complaint channels. The Apps reported are required to rectify without delay. Two Apps that still failed re‑tests after the previous round of inspection have now been removed from app stores across the network.
The Shanghai CA detected 50 Apps (SDKs) that infringe user rights. Issues include the absence of explicit data processing rules, collection of personal information beyond the permitted scope, illegal personal information collection, and auto‑activation or associated‑activation. The provider of each App (SDK) must rectify the issues immediately, conduct a comprehensive self-assessment of personal information and user rights protection, and, within thirty days from the date of the notice, submit written rectification and self‑assessment reports to the Shanghai CA. Those that fail to meet the deadline may face regulatory action.
18. Jiangsu CA released “Longpan Cyber Shield” cybersecurity special action plan and the “Longpan Data Shield” data security special action plan, enhancing security in the industrial information sector (3 June)
The Jiangsu CA issued the “Longpan Cyber Shield” cybersecurity special action plan and the “Longpan Data Shield” data security special action plan. Each action will be carried out in three stages: launch, promotion and summary. Of the two, the “Longpan Cyber Shield” cybersecurity special action applies to network operators in the telecommunications and internet industries across Jiangsu Province. It requires enterprises to complete three tiers of classification and filing, to deepen security evaluation and assessment, and to implement the “three synchronisations” for cybersecurity protection (synchronised planning, construction and application). Enterprises are also required to raise their level of cybersecurity prevention, participate in live exercises, optimise enterprise security assurance services, and strengthen the development of security technical measures. The “Longpan Data Shield” data security special action targets data processors in the telecommunications and internet industries across Jiangsu Province, calling for the identification and catalogue filing of important data, security‑risk assessments and rigorous management of data partners. This plan further prescribes enhanced risk prevention measures, standardised emergency‑response procedures and a collaborative governance framework to build a robust province‑wide data security posture.
The Dadukou District CAC in Chongqing, along with other departments, investigated a local company that had secretly installed facial image‑capture devices in a sales office and, without giving notice or obtaining separate consent, collected and stored more than 12,000 customer records, including over 5,000 facial‑information records used for marketing purposes. Dadukou CAC ordered it to rectify within a time limit, issued a warning and imposed a CNY 10,000 administrative fine under the Regulations on Network Data Security Management.
The General Office of the State Council issued the Opinions on Further Promoting Shenzhen’s Comprehensive Reform Pilot to Deepen Reform, Innovation and Opening-up. The opinions emphasise the need to promote the high-quality development of the real economy empowered by data and to deepen the reform of market-oriented allocation of data elements. Specifically, they call on Shenzhen to refine trading rules and technical standards, to explore mechanisms for data transactions, trusted circulation and profit distribution, and to generate institutional outcomes in compliance assessment and certification. On the premise of security, the opinions also support the graded and classified opening of public data in accordance with law, pilot the use of three‑dimensional territorial space models, and explore efficient, convenient and secure mechanisms for cross-border data flows.
The MPS convened its 2025 work‑deployment meeting for the “Network Cleanup” and “Network Protection” campaigns, demanding a strategy of decisive enforcement, ecosystem governance, active prevention and integrated operations to combat online crime. The meeting requires (1) tougher crackdowns: persistent, law‑based strikes against offences such as personal information infringement, online rumours, hacking, paid posting (“water armies”), illicit data markets and cyber‑bullying, with major cases placed under special supervision; (2) stronger capabilities: refinement of the “expertise + mechanism + big data” policing model; and (3) greater synergy: fuller use of the national cyber and information security notification system to press Internet platforms to shoulder primary responsibility. It stresses combining enforcement with regulation so that cybersecurity, data security and information security receive comprehensive protection.
22. CSAC issued initiative to regulate facial recognition technology, building a dedicated governance framework (11 June)
Under the guidance of the CAC’s Data Bureau, the CSAC and 41 enterprises released the Facial Recognition Technology Compliance Initiative, which sets out nine compliance directions aligned with the Measures for the Security Management of Facial Recognition Technology Applications. The initiative directs enterprises to follow the principles of necessity and proportionality, informed consent and prior assessment, to forbid forced “face‑swiping”, to use state‑authorised identity verification channels first, to delimit collection areas reasonably and to encrypt stored data. It recommends full privacy impact assessments and robust technical safeguards, as well as timely filings and active cooperation with supervisory checks. The initiative also urges operators to offer alternatives and special protections for minors, older adults and other vulnerable groups, so as to foster a “safe and orderly” ecosystem for facial‑recognition use.
The Shanghai CA plans to conduct a special inspection on network and data security in 2025 targeting basic telecommunications enterprises, internet enterprises, domain name registration service agencies, and other entities that provide public internet network information services. The following six aspects will be subject to key review: construction and execution of network and data security management systems; implementation of telecom network security measures; protection of industrial‑Internet networks; grading and filing for vehicle‑network security; execution of data security safeguards; and protection of personal information and user rights. Enterprises must complete self‑checks and submit documentation by 20 June and be ready for on‑site or remote inspections by 15 October; those that fail to rectify in time or refuse inspection before major events will face penalties and be included on a dishonest list. The Shanghai CA also published a template for the Network Security Inspection Summary Report for companies’ self‑inspection.
24. Guangdong CA issued notice standardising 2025 network security protection, requiring safeguards for major events (17 June)
The Guangdong CA released the Notice on Standardising the 2025 Information Communication Network Security Protection Work, reinforcing the primary responsibility of network operators. It directs enterprises to plan, build and operate security measures simultaneously, implement telecom network security management requirements, manage exposed‑surface risks, strengthen threat monitoring and improve emergency response. With regard to safeguards, operators must perform classification and filing, compliance evaluation and risk assessment: units at level 3 and above must complete these annually, while level 2 units must do so at least every two years. The Guangdong CA will thereafter carry out security vulnerability detection, review classification reports, compliance evaluation forms and risk assessment reports, and publicly name entities with high-risk flaws or missing filings.
[1] “Processor” is equivalent to “controller” under GDPR throughout this newsletter.