China Monthly Data Protection Update: March 2025

[co-author: Ken Dai]

Developments Highlights

This monthly report outlines key developments in China’s data protection sector for March. The following events merit special attention:

Data Protection Highlights

• CAC Issues Measures for Administration of Personal Information Protection Compliance Audits: On February 14, 2025, CAC issued the Measures for the Administration of Personal Information Protection Compliance Audits. This Measures, which will come into effect on May 1, 2025, aim to standardize the activities of personal information protection compliance audits.

• State Council Issues Regulation on Administration of Public Security Video and Image Information System: On February 10, State Council issued the Regulation on the Administration of Public Security Video and Image Information System. This Regulation will come into effect on April 1, 2025 and comprehensively regulate the development, utilization and management of public security video and image information system.

• MOFCOM: Vast Majority of Cross-Border Data Flow Applications by Foreign Enterprises Approved: On February 20, Ling Ji, Vice Minister of Commerce and Deputy Representative of International Trade Negotiations, responded to foreign enterprises’ concerns about cross-border data flow at the regular policy briefing organized by the State Council, stating that China’s framework for cybersecurity and data security is open and transparent. At present, the vast majority of applications for cross-border data flow submitted by foreign enterprises have been approved.

For more details, please refer to the main text of the report and the links of the complete coverage.

Legislation

National Data Administration and Ministry of Public Security Issue System of Statistical Survey of National Data Resources

On February 21, 2025, the National Data Administration and the Ministry of Public Security jointly issued the System of Statistical Survey of National Data Resources. The system combines the methods of comprehensive survey and key survey, with survey objects including national administrative authorities, public institutions, companies, social organizations, etc., and survey content covering data-related indicators such as production, storage, computation, circulation, application and security. The system has been implemented since January 2025 and will remain valid for three years, with this year’s survey period from February 18 to March 14.1

CAC Issues Measures for Administration of Personal Information Protection Compliance Audits

On February 14, the Cyberspace Administration of China (“CAC”) issued the Measures for the Administration of Personal Information Protection Compliance Audits (the “Compliance Audits Measures”). The Compliance Audits Measures, which will come into effect on May 1, 2025, aim to standardize the activities of personal information protection compliance audits and clarify the obligations of personal information handlers and professional institutions in compliance audits, including the conditions, frequency, selection of audit institutions and cost-bearing of self-audit and commissioned audit. The Compliance Audits Measures also stipulate requirements of qualification, obligations of confidentiality and prohibition of sub-commission for audit institutions, and clarify the supervision and inspection responsibilities of regulatory authorities and penalties for violations.2

State Council Issues Regulation on Administration of Public Security Video and Image Information Systems

On February 10, the State Council issued the Regulation on the Administration of Public Security Video and Image Information Systems (the “Regulation”). The Regulation will come into effect on April 1, 2025 and comprehensively regulate the development, utilization and management of public security video and image information system. The regulation prohibits the installation of image-capturing devices in privacy-sensitive areas, and requires consent to install such devices in the vicinity of classified entities. The Regulation clarifies the responsibilities of managing entities, telecommunications operators and related service providers to ensure the lawful collection, storage, utilization and confidentiality of video and image information. Meanwhile, the Video & Image Regulation strengthens the management of the entire data lifecycle, stipulating that video and image information should be stored for no less than 30 days, and the information that has achieved the purpose of processing should be deleted when it expires, so as to balance public safety and personal privacy protection.3

Shanghai CA and Other Four Departments Issue Measures on Management of Negative List for Data Export and Negative List (2024 Version) in Pilot Free Trade Zone

On February 8, five departments including the Cyberpeace Administration (“CA”) of Shanghai jointly issued the Pilot Measures on the Management of the Negative List for Data Export in China (Shanghai) Pilot Free Trade Zone and Lingang New Area (the “Data Export Measures”) and the Negative List for the Outbound Management of Data in China (Shanghai) Pilot Free Trade Zone and Lingang New Area (2024 version) (the “Negative List”). The Data Export Measures establish a negative list and an operational guidance mechanism, simplify the process of data export, and strengthen the supervision before, during and after the process, ensuring the security of data export. The Negative List defines the circumstances under which the security assessment or the filing of a standard contract is necessary in the areas of reinsurance, international shipping and commercial trading, and clarifies the outbound requirements for important data and personal information, which applies to registered data handlers in the zone, but excludes operators of critical information infrastructures.4

Authorities

CAC Holds Symposium on Policies for Cross-Border Data Flow for EU Enterprises in China

On February 25, 2025, the CAC held a symposium in Beijing on the Policies for cross-border data flow for EU enterprises in China. Officials from the relevant bureau of the CAC introduced China’s policies and regulations on cross-border data flow and provided an overview of China-EU cross-border data flow communication mechanism, and answered questions from EU enterprises in China on cross-border data flow.5

OCCAC Holds National Conference on Law-Based Cyberspace Governance

On February 21, the Office of the Central Cyberspace Affairs Commission (“OCCAC”) held the national conference on law-based cyberspace governance in Guiyang, Guizhou province, to review the progress of the development of the law-based cyberspace governance in 2024 and outline the work plan for 2025. The conference stressed that in 2025, the law-based cyberspace governance should highlight the main theme and strengthen overall coordination, focus on emerging areas and improve the legal framework, promote the standardization and refine the benchmarks for administrative discretion, enhance the effectiveness of legal publicity and expand foreign-related legal cooperation, and consolidate the working foundation and improve the systematic capacity.6

MOFCOM: Vast Majority of Cross-Border Data Flow Applications by Foreign Enterprises Approved

On February 20, Ling Ji, Vice Minister of Commerce and Deputy Representative of International Trade Negotiations, responded to foreign enterprises’ concerns about cross-border data flow at the regular policy briefing organized by the State Council, stating that China’s framework for cybersecurity and data security is open and transparent. China has promulgated the Cybersecurity Law, the Data Security Law, the Measures for the Security Assessment of Outbound Data Transfer, and the Provisions on Promoting and Regulating Cross-border Data Flow, established a facilitation mechanism for cross-border data flow of foreign investment, and organized thematic roundtables. At present, the vast majority of applications for cross-border data flow submitted by foreign enterprises have been approved.7

Hainan Free Trade Port Implements New Policies on Safe and Orderly Flow and Cross-Border Flow of Data

On February 19, the press briefing regarding the implementation of new policies on safe and orderly flow and cross-border flow of data in the Hainan Free Trade Port was held in Haikou, highlighting Hainan’s latest achievements in exploring to develop the system of cross-border data flow. Hainan has formulated the Provisions on the Development of International Data Centers in Hainan Free Trade Port, clarifying the business forms, management systems, and security supervision of international data centers. It has also issued the Negative List for the Outbound Management of Data in the Hainan Free Trade Port, detailing requirements for the outbound management of data and reducing compliance costs for companies.8

Enforcement Cases

Ordos CA Interviews 2 Enterprises on Cybersecurity Issues

On February 27, 2025, Ordos CA conducted an interview with two enterprises on cybersecurity issues. It was found in monitoring and inspection that the information system of a municipal department has a high-risk vulnerability of weak password, and the website of a municipal state-owned enterprise has a risk of leaking personal information. Ordos CA required the two enterprises to immediately carry out investigation and rectification of cybersecurity risks, and strengthen cybersecurity and data security. The interviewed enterprises presented that they would immediately rectify the problems in accordance with the requirements and seriously fulfill the responsibility of cybersecurity supervision.9

Shanghai CA Summons Group of App Operators

On February 26, to implement the requirements of the CAC, Shanghai CA summoned operators of more than 10 apps in Shanghai according to law, issued rectification guidelines for such problems as the lack of functions of account cancellation and unreasonable cancellation conditions, and requiring operators to promptly address relevant problems and protect users’ right to delete personal information. Additionally, Shanghai CA required operators to carry out self-examination and self-correction, formulating and improving internal management systems and operating procedures, and strengthen the study and training of relevant laws and regulations, establishing the concept of r lawful and ethical operations.10

CAC Releases Cyberspace Law Enforcement Data for 2024

On February 25, the CAC released law enforcement data for 2024. The national cyberspace system severely cracked down on online violations, summoned 11,159 website platforms, warned or fined 4,046 website platforms, ordered 585 websites to suspend relevant functions or information updates, removed 200 mobile applications, and took enforcement actions against 40 mini programs. The national cyberspace system focused on addressing such issues as the infringement of minors’ rights and interests, cyber violence, and the spread of false information, strengthened enforcement efforts in cybersecurity, data security, and personal information protection, and enhanced interagency coordination and cross-departmental interaction.11

Courts Litigation

4,848 Public Interest Litigation Cases in Areas Such As Personal Information Protection Handled by Procuratorates from January to November in 2024

On February 24, 2025, the Supreme People’s Procuratorate (“SPP”) held a press conference on “China’s Solution for Public Interest Protection”. Zhang Xueqiao, deputy Procurator-general of the SPP, stated that from January to November in 2024, in the field of personal information protection and combating telecommunication and internet fraud, people’s procuratorates nationwide focused on such problems that reflected strongly by the public as the disclosure of personal information by travel agencies, express companies, medical institutions and real estate agencies, and illegal collection and access to personal information by Internet enterprises, handling 4,848 cases.12

Lawsuit Against Sam’s Compulsory Face Recognition Accepted by People’s Court of Xixiangtang District, Nanning, Guangxi

On February 20, the People’s Court of Xixiangtang, Nanning, Guangxi accepted the case regarding personal information protection dispute between Ding Ming and Nanning Sam Supermarket Co., Ltd. and Walmart (China) Investment Co., Ltd. Ding Ming, the plaintiff, argued that Sam Supermarket uses face recognition as the only authentication method for offline consumption, which violates relevant laws and regulations on personal information protection and limits consumers’ rights to autonomous choice and fair transaction. Lawyers pointed out that Sam’s actions may infringe on consumer rights and constitute fraud and coercion.13

ECUPL Students’ Case Against Weibo for Personal Information Infringement: Weibo Agrees to Adjust Visitor Rules After Second-Instance Mediation

At the beginning of 2025, with the mediation of the judge, Weibo adjusted its visitor record system and increased the number of invisible visits for ordinary users from 3 to 10. In April 2024, a student team from the East China University of Political Science and Law (“ECUPL”) sued Weibo to the Beijing Internet Court on the grounds that the “recharging SVIP to view visitor records” function of Weibo was suspected of infringing users’ personal information. In September, the first-instance court ruled that Weibo did not infringe the right of users, but affirmed that “visitor records constitute personal information.” The student team insisted on appealing, and during the appeal, Weibo agreed to adjust the relevant visitor record system.14

Endnotes

1. https://www.nda.gov.cn/sjj/zwgk/zcfb/0221/20250221142127617666200_pc.html

2. https://www.cac.gov.cn/2025-02/14/c_1741233507681519.htm

3. https://www.gov.cn/zhengce/content/202502/content_7003024.htm

4. https://www.pudong.gov.cn/0060011/20250210/801231.html?jqeXaGC5oAiB=1740973271421

5. https://mp.weixin.qq.com/s/sYx-3epGZFA3GnUHtuDz5g

6. https://www.cac.gov.cn/2025-02/22/c_1741837562990951.htm

7. https://finance.ifeng.com/c/8h7j8fK0nSF

8. https://mp.weixin.qq.com/s/HhGzPgYB_v94116a5NBjTg?scene=25 https://mp.weixin.qq.com/s/S7zExxaf3jfWIbKkhVI5dw?scene=25

9. http://www.nmgwx.gov.cn/msdt/15068.jhtml

10. https://mp.weixin.qq.com/s/QQv0y89hHgfdrRUk7NHLNQ?scene=25

11. https://mp.weixin.qq.com/s/nuvWo8RolVkDioDALo5BYQ?scene=25

12. http://m.chinanews.com/wap/detail/zwsp/fz/2025/02-24/10373388.shtml

13. https://mp.weixin.qq.com/s/F_ACR8YaI0d9KHC5cy3gJg?scene=25

14. https://mp.weixin.qq.com/s/d2YlLjlMToU33V6q7uocvw?scene=25