China Cybersecurity and Data Protection: Monthly Update - June 2025 Issue

This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.

If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].


Key Highlights

In May 2025, China further refined its regulatory framework by promulgating a series of laws, regulations and national standards in the priority areas such as personal information protection, data and cyber security, the construction of basic systems for data and cross-border data flows. Concurrently, enforcement actions in the fields of cybersecurity and personal information protection have been steadily intensified, requiring enterprises to rigorously fulfil their primary responsibilities in these areas.

  • Personal Information Protection: At the legislative level, the Cyberspace Administration of China (“CAC”), acting with six other ministries, issued administrative measures to advance the construction of the national network identity authentication public service. At the same time, the CAC released a notice that sets out detailed filing rules for facial-recognition technology deployments. The National Technical Committee 260 on Cybersecurity of Standardisation Administration of China (“TC260”) published two practice guidelines, separately specifying the compliance audit requirements for personal information protection (“PI Audits”) and the competency standards for professional audit institutions. In addition, the Ministry of Industry and Information Technology (“MIIT”) is drafting a mandatory national standard aimed at safeguarding children’s personal information processed by smart watches. On the enforcement side, the Ministry of Public Security (“MPS”), MIIT and the National Computer Virus Emergency Response Centre (“CVECR”) respectively named several mobile applications for unlawfully collecting or using personal information, and the Supreme People’s Court of the People’s Republic of China (“Supreme Court”) clarified in a Q&A that individuals may not vindicate rights such as accessing or copying their personal information through direct lawsuits.
  • Data and Cyber Security: The cybersecurity multi-level protection scheme remains a top legislative priority. The State Council released a legislative plan that envisages the long-anticipated Regulations on the Cybersecurity Multi-Level Protection Scheme, and the MPS issued documents detailing specific operational requirements under the scheme. Additionally, the MPS released work rules governing the supervision of public-security video and image surveillance systems. Sectoral and local regulators have also introduced multiple regulations addressing data security. For example, the People’s Bank of China (“PBOC”) released two administrative measures prescribing data security and security incident reporting requirements within the banking sector; the Ministry of Natural Resources issued a guideline on the classification, grading and protection of geospatial information data; and the Zhejiang Communications Administration adopted an emergency response plan that standardises procedures for data security incidents in the telecommunications sector. On the enforcement side, the Shanghai Communications Administration launched a special campaign to enhance overall data security management across the telecoms and Internet industries, while the Hainan CAC fined an Internet enterprise for failing to honour its cybersecurity and data security obligations.
  • Cross-Border Data Flows: The Lin-gang Special Area of Shanghai Pilot Free Trade Zone (“FTZ”) issued operational guidelines for cross-border data transfers, covering sectors such as re-insurance, international shipping, and biopharmaceuticals. These guidelines establish a new mechanism for cross-border data flows based on a “negative list + operational guidance” model. Beijing also released a related plan aimed at facilitating cross-border data flows and exploring the development of important data catalogues. In addition, the CAC addressed the widely discussed issue of cross-border transfer of important data in its recent policy Q&A, offering further clarification for enterprises.
  • Construction of the Basic Systems for Data: At the central level, the CAC has circulated draft provisions to regulate the exercise of administrative-penalty discretion by cyberspace authorities. Locally, the Guangdong Department of Industry and Information Technology (“DIIT”) unveiled a plan to bolster information security safeguards for enterprises in the industry and information technology sector. Meanwhile, the Guangdong Data Administration published its work priorities, proposing to explore the establishment of a “Data Special Zone” within the Guangdong-Hong Kong-Macao Greater Bay Area. The initiative aims to promote the development of a secure and compliant cross-border data flow mechanism, further advancing regional digital integration and coordinated development.


Follow the links below to view the official policy documents or public announcements.

Legislative Developments

1. State Council issued 2025 annual legislative plan, proposes drafting the Cybersecurity Multi-Level Protection Scheme Regulations (14 May)

The State Council released its 2025 Annual Legislative Work Plan. In the data and cybersecurity space, the plan covers the Regulations on Government Data Sharing, which were formally promulgated on 3 June 2025 to standardise data sharing among government departments. Additionally, the plan proposes to formulate or revise several related regulations, including the Regulations on the Cybersecurity Multi-Level Protection Scheme, the Administrative Regulations on Terminal Devices Connecting Directly to Satellite Services, the Satellite Navigation Regulations and the Administrative Measures on Internet Information Services. The plan calls for legislation to foster the sound development of artificial intelligence, strengthen rule-making in priority and emerging fields, and close gaps in the existing legal framework.

2. CAC and other ministries jointly issued administrative measures to advance the national network identity authentication public service and bolster personal information protection (23 May)

The CAC and five co-regulators promulgated the Administrative Measures on the National Network Identity Authentication Public Service, aimed at advancing the development of national network identity authentication services and enhancing the security of citizens’ identity information. The measures specify that network identity authentication public service is to be built on a unified platform, providing natural persons with services such as the issuance of Network ID Number and Network ID Certificate, as well as identity verification. The Network ID Number and Network ID Certificate may be used for identity registration and verification in online services without disclosing plain-text personal identity information. The measures encourage internet platforms to voluntarily connect to the public service system. Once connected, if a user has successfully verified their identity using a Network ID Number and Network ID Certificate, the platform may not require the user to provide plain-text identity information again. In addition to setting out personal information protection obligations for the public service platform, the measures also require that important data and personal information processed by the platform be stored within China. If it is necessary to provide such data abroad for business reasons, a governmental security assessment must be conducted.

3. CAC issued a notice detailing the filing rules for applications of facial-recognition technology (30 May)

The CAC issued the Notice on Launching the Filing Process for the Application of Facial Recognition Technology, aiming to implement Article 15 of the Administrative Measures on the Security Management of Facial Recognition Technology Applications. The notice requires eligible personal information processors to complete filing procedures online. Specifically, starting from 1 June 2025, entities that store facial recognition data for 100,000 individuals or more must file with the provincial-level CAC within 30 working days from the date this threshold is reached. For processors that had already reached this threshold before 1 June, the filing must be completed by 14 July 2025. Additionally, if there are any material changes to the filed information, an updated filing must be submitted within 30 working days of the change.

4. CAC planned to issue regulations governing cyberspace authorities’ exercise of administrative-penalty discretion (30 May)

The CAC opened public consultation on the Provisions on Benchmarking the Exercise of Administrative-Penalty Discretion by Cyberspace Authorities, aiming to establish a clear framework for the exercise of administrative discretion and to promote consistency and transparency in law enforcement by cyberspace authorities. The proposed provisions divide discretionary penalties into five tiers (exemption from punishment, mitigated punishment, lenient punishment, standard punishment and aggravated punishment) and specify the circumstances for each. For example, conduct such as severely endangering cybersecurity and data security, processing personal information in serious violation of the law, or being subject to two or more penalties for the same type of violation within one year would warrant aggravated punishment. The provisions also refine the scope of fines by dividing them into three levels based on the statutory range: lenient (below 30%), standard (30%–70%) and aggravated (above 70%). Additionally, they specify that for violations committed by organisations, the directly responsible personnel will also be held accountable. These measures serve as important guidance for enterprises in strengthening compliance and internal governance.

5. TC260 issued practice guidelines clarifying specific personal information protection compliance audit requirements and competency requirements for professional audit institutions (26 May)

The TC260 released two practice guidelines to facilitate effective PI Audits. The first, Cybersecurity Standard Practice Guidelines - Personal Information Protection Compliance Audit Requirements, aims to provide detailed audit guidance for enterprises and professional institutions conducting PI Audits. It establishes a series of audit principles, including legality and independence, and clarifies the general requirements and implementation procedures for PI Audits. In terms of content and methodology, the guideline covers 26 specific audit aspects, such as the implementation of the right to deletion and automated decision-making, offering concrete recommendations for various entities on how to conduct PI Audits and retain audit evidence. The second guideline, Cybersecurity Standard Practice Guidelines – Competency Requirements for Professional Institutions in PI Audits, aims to implement the competency requirements that professional institutions should possess for compliance audits. It addresses five dimensions: basic qualifications, management capabilities, professional competence, personnel qualifications, and premises and equipment resources. For example, institutions are required to possess independent legal status, a clean compliance record, robust audit systems, appropriate expertise and staffing, and adequate facilities.

6. MPS issued rules regulating the supervision and administration of public security video and image surveillance systems (28 May)

The MPS promulgated the Rules on the Supervision and Administration of Public Security Video and Image Surveillance Systems, aimed at implementing the relevant provisions of the Administrative Regulations on Public Security Video and Image Information Systems and standardising the supervision and management by public security organs over the construction and use of such systems. These rules require the system administrator of public security video image information systems to complete filing either online or offline, providing basic information about the administrator and the system. County-level public security organs shall process initial filings and amendments within stipulated time limits. The rules also require public-security organs to conduct general or specialised inspections covering 13 items, including the legality of the construction entity, the authenticity of filings and the robustness of security measures. Violations may trigger orders for correction or administrative penalties, with criminal liability pursued for offenses constituting crimes.

7. MPS issued guidance clarifying operational requirements under the cybersecurity multi-level protection scheme (6 May)

The MPS issued the Letter on Further Strengthening Work Relating to the Cybersecurity Multi-Level Protection Scheme, aimed at clarifying issues related to system filing updates, data resource inventories, risk and hazard inspections, and remediation efforts. With respect to filing, the document clarifies that all systems that have already completed filing must redo their documentation using the 2025 templates and submit the materials promptly, regardless of changes; where the security grade changes or major modifications arise, a fresh expert review is required. With respect to the place of filing, as a rule, municipal-level or higher cybersecurity departments within public security organs accept filings, while cross-provincial systems are accepted by provincial-level departments or their designated institutions. Regarding system grading, the document clarifies the definition, scope, and responsible authorities for Level 5 network systems, requires annual classification assessments, but does not mandate large-scale capital investments or domestically sourced equipment upgrades. With respect to data resource inventories, the submission of a data resource survey form is required to support data security supervision. Additionally, the introduction of the “major risk hazard” concept is emphasised, linking assessment results to this indicator. Systems classified as level 3 or above must submit annual protection plans focusing on major risk hazards.

8. PBOC issued two measures clarifying data security and cybersecurity incident reporting requirements for its business domains (9 & 30 May)

PBOC released the Data Security Management Measures for Business Areas of the People’s Bank of China and the Cybersecurity Incident Reporting Management Measures for Business Areas of the People’s Bank of China, aiming to regulate data security management in the banking sector and streamline the reporting process for cybersecurity incidents, thereby strengthening the primary responsibility of financial institutions for data security. The former requires financial institutions to establish a business data resource catalogue, classify business data into three levels—general, important, and core—and implement a classification and grading system alongside a comprehensive security management framework. Financial institutions must comply with end-to-end technical requirements for business data security. The measures require financial institutions to classify business data based on three aspects: business relevance, sensitivity, and availability. For example, based on the sensitivity of business data, stricter protection measures—such as prohibiting email transmission or exporting data outside the authorised environment—must be applied to highly sensitive data items. The latter categorises cybersecurity incidents into four levels: particularly significant, significant, relatively large, and general. Different levels correspond to distinct requirements regarding the timing, content, and procedures for incident reporting. Additionally, it clarifies penalty provisions applicable to violations by financial practitioners to safeguard financial services and maintain financial security.

9. Ministry of Natural Resources released a guideline to regulate the classification, grading and protection of geographic information data (7 May)

The Ministry of Natural Resources released the Guideline for Classification and Grading of Geographic Information Data (Trial), aiming to enhance geographic information security protection. The guideline lays down core principles for classification and grading, and establishes classification rules that divide data into three categories: basic, remote sensing imagery and thematic. It proposes rules for identifying grading factors, conducting data impact analysis and carrying out a comprehensive evaluation to determine the grade. It also provides indicators for identifying important and core data. The guideline further sets out procedures and requirements for classification and grading management, offering strong guidance for data circulation, trading and utilisation.

10. MIIT planned to release a mandatory national standard to clarify data security and personal information protection requirements for children’s smart watches (14 May)

The MIIT launched a public consultation on the draft mandatory national standard, Safety Technical Requirements for Children’s Watches, aiming to comprehensively regulate the security of children’s smart watches. Regarding information security, the draft standard requires that such devices support secure operating system updates and implement secure management mechanisms for App installation. Regarding data security and personal information protection, it requires clear rules for processing children’s personal information, explicit guardian consent before first use, and separate guardian authorisation for microphone, camera and similar permissions. In addition, the draft prohibits automated decision-making in commercial marketing that uses children’s data and bans supplying immutable device identifiers to Apps. With respect to content security, the standard calls for a kids-only content pool, prohibits pre-installed generative voice Q&A Apps, and requires that any non-voice Q&A Apps using generative AI models undergo regulatory filing.

11. Shanghai FTZ issued practical guidelines for cross-border data transfer in the reinsurance, international-shipping and biopharmaceutical sectors (12 May)

Lin-gang Special Area of Shanghai FTZ issued practical guidelines for cross-border data transfer in the reinsurance, international-shipping and biopharmaceutical sectors. The guidelines implement the “negative list + practical guide” mechanism and give detailed compliance instructions for exempted scenarios under the Regulation for Promoting and Administering Cross-border Data Flows. Among them, the guidelines for the reinsurance sector include data transfer compliance instructions across three key areas, including reinsurance and life reinsurance. The guidelines for the international-shipping sector include data transfer compliance instructions in five scenarios, such as container slot trading, ship inspections, and vessel management. Meanwhile, the guidelines for the biopharmaceutical sector outline data transfer compliance instructions for nine scenarios, spanning commercial partner management and cross-border pharmaceutical procurement.

12. Zhejiang Communications Administration issued an emergency plan that standardises data-security-incident response in the provincial telecom sector (30 May)

The Zhejiang Communications Administration released the Zhejiang Province Telecommunications Sector Data Security Emergency Response Plan (Trial). The plan categorizes data security incidents into four levels based on severity: particularly significant, significant, relatively significant, and general, corresponding to four-tiered warnings (red, orange, yellow, blue) and level I to IV emergency responses. Data processors are required to report relatively significant incidents or more severe incidents within 10 minutes via phone call and submit a written report within 30 minutes upon detection. Furthermore, the plan details the incident response process, covering initial handling, graded response, public opinion monitoring, and response termination conditions. It also mandates post-incident summary reports and the issuance of warning information to strengthen subsequent rectification and risk prevention and control.


Enforcement Developments

13. MPS reported a batch of non-compliant Apps, involving issues such as illegally collecting personal information (20 May)

The MPS Computer-System Security Product Quality-Supervision and Inspection Centre reported that thirty-five Apps illegally collected and used personal information. Key problems included: failure to list personal information collection and usage rules in a structured manner (12 Apps); collecting personal information beyond the scope of user authorisation (18 Apps); collecting information of a type, or at a frequency, unrelated to business functions (12 Apps); declaring permissions in configuration files unrelated to any of the App’s business functions (8 Apps); advertisements that mislead or deceive users (5 Apps); descriptions of collected personal information in the privacy policy being unrelated to business functions (2 Apps); requesting permissions for personal information collection unrelated to business functions (1 App); requiring users to pre-fill information or authorise permissions for unused functions (4 Apps); and failing to provide users with specific channels to correct or supplement their personal information (1 App).

14. MIIT reported a batch of non-compliant Apps infringing user rights, involving issues such as excessive and illegal collection of personal information (29 May)

The MIIT reported 49 Apps and SDKs illegally collecting and using personal information. Among these, 27 involved illegal personal information collection; 18 Apps had information windows that could not be closed or jumped randomly; 16 involved collecting personal information beyond the necessary scope; 9 Apps involved forcefully, frequently, or excessively requesting permissions; 7 Apps involved insufficient notification of SDK information; 2 Apps exhibited frequent auto-start and linked start behaviours; and 1 involved misleading downloads via clicks. The MIIT required the reported Apps and SDKs to rectify the issues according to relevant regulations. Those failing to implement adequate rectifications will face legal and regulatory actions.

15. CVECR reported two batches of non-compliant Apps, involving issues such as failure to provide third-party information and violations related to automated decision-making (13 & 28 May)

The CVECR reported 128 Apps that unlawfully collected or used personal information, with prominent issues involving non-compliant privacy policies, opaque data collection and sharing, inadequate user-rights safeguards, improper processing of sensitive data and insufficient security measures. In terms of privacy policies, issues include failing to prompt users to read the policy upon first launch, obtaining consent through default acceptance, making the privacy policy difficult to access, and not clearly informing users about the personal information processor’s identity, retention periods and similar matters. In terms of data collection and sharing, issues include failing to specify the purpose and scope of collection, not disclosing information about third-party data recipients, and failing to obtain separate user consent. In terms of user rights protection, issues include failing to provide convenient functions for correcting or deleting personal information and deactivating accounts, imposing unreasonable conditions, and not promptly handling user requests. Regarding the processing of sensitive information, issues include failure to obtain separate user consent, lack of disclosure regarding the necessity and impact of such processing, and processing minors’ information without obtaining separate guardian consent. With respect to security measures, some enterprises have not implemented encryption or de-identification. In addition, the CVECR reported that 31 Apps still exhibited problems, and the relevant distribution platforms have removed them.

16. Supreme Court issued a Q&A clarifying that individuals may not exercise data subject rights by filing a direct lawsuit (8 May)

The Supreme Court issued a Q&A clarifying that individuals may not exercise data subject rights by filing a direct lawsuit. The Q&A explains that, under Article 52 of the Personal Information Protection Law, individuals may only initiate legal proceedings when their requests to exercise data subject rights have been refused by the personal information processor. To file such a lawsuit, individuals must provide preliminary evidence showing that the processor has rejected their request, demonstrating that their claim has a factual basis. The document also sets out the standards for courts in handling these cases: at the acceptance stage, courts will conduct only a formal review, not a substantive review. The interpretation of “the processor has rejected their request” is broad: a personal information processor’s failure to respond to an individual’s request within a reasonable period is also deemed a refusal of that request.

17. Shanghai Communications Administration launched the “Pujiang Escort” campaign to raise overall data-security management standards in the telecommunications and internet sectors (14 May)

The Shanghai Communications Administration issued a notice launching the 2025 “Pujiang Escort” special campaign for data security in the telecom and internet sectors, aiming to enhance the overall data security management level of these sectors. The campaign targets data processors in those sectors and places particular regulatory emphasis on telecom operators that run critical network information systems, process important data or hold personal information on more than 10 million individuals. Key tasks include: facilitating secure circulation and utilization of sectoral data elements; deepening the implementation of the chief data officer regime; advancing the identification and catalogue management of important data; strengthening sectoral data-security risk assessment; enhancing safety management on external data sharing; tightening customer data protection in internet data centres and improving risk prevention and emergency response.

18. Hainan CAC imposed an administrative penalty on an Internet company for failing to discharge cybersecurity and data security obligations (14 May)

The Hainan CAC found that an Internet company had failed to fulfil its cybersecurity and data security obligations, resulting in the leakage of some data and serious damage to data security. Under the Data Security Law, the company was ordered to rectify the situation, received a warning, and was fined CNY 50,000.

Industry Developments


19. CAC published a policy Q&A addressing the identification, declaration and cross-border transfer of important data (30 May)

The CAC published the Q&A on Data Export Security Management Policies to guide enterprises in conducting compliant data export activities. Firstly, it notes that sectoral regulators are formulating data classification and grading standards and important data identification rules, and that the regulators of the industry, telecommunications, natural resources and statistics sectors have already issued guidelines for identifying important data. Where an enterprise has not been notified to declare important data and no applicable rules exist, the absence of a declaration or of heightened protection will not be deemed a violation. Secondly, for data export, a processor must identify and declare important data as required. If data has not been designated or publicly announced as important data, enterprises are not required to apply for a security assessment for the cross-border data transfer, and such activity will not be treated as an unlawful export of important data. Once data is designated as important data, the processor must apply for a security assessment with the provincial CAC within 2 months of the notification or public announcement.

20. Beijing issued a plan to promote cross-border data transfer and explore important data catalogues for the autonomous-driving and genomics sectors (16 May)

Beijing issued the Implementation Plan for Promoting High-Quality Development of Service Trade and Digital Trade through High Level Opening-Up, proposing to significantly enhance international competitiveness in digital trade by 2030 through approximately five years of exploration, with the goal of increasing digital service exports to about 70% of the city’s total service exports. In terms of digital trade development, the plan requires continuous promotion of cross-border data transfer and in-depth implementation of comprehensive supporting reforms for the facilitation of cross-border data transfer. Meanwhile, the plan proposes to develop data classification guidelines and catalogues of important data for sectors such as autonomous driving and biotechnology, with clear identification standards established for critical data. Furthermore, the plan outlines a series of measures to liberalize market access in the digital domain, enhance the quality and scale of specialized digital trade segments, foster the growth of digital trade entities, and strengthen governance in the digital sector.

21. Guangdong issued an action plan to enhance information-security capabilities in the industrial and information technology sectors (6 May)

The Guangdong DIIT and the Communications Administration jointly issued the Guangdong Province Action Plan for Enhancing Information Security Capabilities of Enterprises in the Industrial and Information Technology Sectors (2025-2027), aiming to accelerate the improvement of information security protection capabilities for enterprises in the industrial and information technology sectors. The plan urges enterprises to raise their overall protection level, to establish classification and grading systems for data security and to increase investment in security technologies. It stresses the cultivation of specialised and innovative small and medium-sized enterprises in niches such as AI security, data security, industrial-control security and quantum security, and encourages collaboration among security vendors, insurers and industrial enterprises to develop sector-specific cyber-insurance products.

22. Guangdong Data Administration issued work priorities, proposing exploring a “Data Special Zone” in the Guangdong–Hong Kong–Macao Greater Bay Area (27 May)

Guangdong Data Administration published the 2025 Work Priorities for Digital Guangdong, driving high-quality socioeconomic growth through integrated, systematic, and coordinated digital transformation. The document outlines 50 specific tasks across 6 major modules and 17 sections. Regarding the data factor market, it emphasizes advancing the development and utilization of data resources, establishing mechanisms for data asset accounting, rights confirmation, and trading, while supporting the improvement of public data authorization frameworks and exchange supervision rules to cultivate high-quality data products. For digital government initiatives, it calls for enhanced sharing of administrative data and broader digital applications in grassroots governance. In addition, it will explore the construction of a “Data Special Zone” in the Guangdong-Hong Kong-Macao Greater Bay Area, aiming to establish secure, compliant, and orderly cross-border data flow mechanisms to further elevate regional digital collaboration.
