Digital Economy and Data Protection Newsletter（25.06）

Click above｜Follow us

Recently, in terms of domestic legislation, the revised draft of the Cyber Security Law has again solicited opinions, and it is planned to further adjust the content of legal liability. The revision has been included in the legislative plan of the NPC this year; The Cyberspace Administration of China and the Ministry of Public Security have officially released the "Measures for the Security Management of Facial Recognition Technology Applications", requiring the registration of facial information processing for 100000 people; The Shanghai Cyberspace Administration has released the "Shanghai Network Data Classification and Grading and Important Data Catalog Management Measures (Draft for Comments)" to promote the classification and grading of data and the identification of important data in the city; In terms of domestic law enforcement, the Cyberspace Administration of China and four other departments have issued a document to launch a series of special actions for personal information protection in 2025. Focusing on cross-border data governance, the Cyberspace Administration of China has summarized the results of the one-year implementation of the "Regulations on Promoting and Regulating Cross border Data Flow". Recently, the Cyberspace Administration of China in Beijing issued the "Comprehensive Reform Implementation Plan for Facilitating Cross border Data Flow in Beijing", continuously implementing cross-border data supervision and facilitation measures.

HOTSPOT

The Cyberspace Administration of China has released the revised draft of the Cybersecurity Law of the People's Republic of China for further comments

On March 28, 2025, the Cyberspace Administration of China publicly solicited opinions on the "Revised Draft of the Cybersecurity Law of the People's Republic of China" (hereinafter referred to as the "Revised Draft of the Cybersecurity Law"). The core focus of the revised draft of the Cybersecurity Law this time is on adjusting legal responsibilities and systematically linking it with relevant laws and administrative regulations such as the Data Security Law and the Personal Information Protection Law. For example, increasing the punishment for illegal activities, such as raising the maximum fine for units with network information security violations to 10 million yuan, and raising the maximum fine for individuals to 1 million yuan; Multiple legal liabilities have been added, such as the legal liability for selling or providing network critical equipment and network security specific products that have not been certified for security, have undergone security testing or have failed security certification, and do not meet security testing requirements; Add transitional provisions for situations where administrative penalties are lenient, mitigated, or not imposed. Previously, the National People's Congress had clearly included the revision of the Cyber Security Law into the legislative plan of this year, and the Cyber Security Law is expected to be revised and passed within this year.

Source: Cyberspace Administration of China

The Cyberspace Administration of China and the Ministry of Public Security have issued the "Measures for the Security Management of Facial Recognition Technology Applications"

On March 21, 2025, the Cyberspace Administration of China and the Ministry of Public Security jointly issued the "Measures for the Security Management of Facial Recognition Technology Applications" (hereinafter referred to as the "Measures"), which will come into effect on June 1, 2025. The Measures specifically regulate the application of facial recognition technology and facial information security in the form of departmental regulations, reiterating and refining the protection requirements for facial information based on the "three pillars" and the "Regulations on Network Data Security Management". In addition, similar to the registration mechanism for the use of public surveillance established by the "Regulations on the Management of Public Safety Video Image Information Systems" issued this year, the "Measures" have also created a new registration mechanism for handling facial information. It is recommended that enterprises conduct timely system inspections and sorting.

For more information, please click here.

Source: Cyberspace Administration of China

The Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation have issued a notice on launching a series of special actions for personal information protection in 2025

On March 28, 2025, the Central Cyberspace Office, together with the Ministry of Industry and Information Technology, the Ministry of Public Security and the Municipal Administration of Supervision, issued the Announcement on Carrying out the 2025 Series of Special Actions for Personal Information Protection, indicating that it will further address the typical problems of illegal collection and use of personal information in common service products and common life scenarios in 2025, and carry out a series of special actions around six key issues, including App (including small programs, official account, and fast apps), SDK illegal collection and use of personal information, smart terminal illegal collection and use of personal information, public place illegal collection and use of face recognition information, offline consumption scenarios illegal collection and use of personal information, and personal information related violations Criminal cases.

Source: Cyberspace Administration of China

The Shanghai Cyberspace Administration is publicly soliciting opinions on the "Shanghai Municipal Measures for the Classification and Grading of Network Data and the Management of Important Data Catalog (Draft for Comments)"

On March 28, 2025, the Shanghai Cyberspace Administration released the "Shanghai Network Data Classification, Grading, and Important Data Catalog Management Measures (Draft for Comments)" (hereinafter referred to as the "Management Measures"), and the deadline for comments is April 28, 2025. The Management Measures apply within the scope of Shanghai . According to the Management Measures, enterprises are required to comply with relevant national regulations and carry out data classification and grading work in accordance with the requirements of the industry and field to which network data belongs. The data should be classified into at least three levels: core data, important data, and general data, and can flexibly choose business attributes to refine and classify network data step by step based on the existing network data classification foundation in the industry and field to which the network data belongs. Network data processors involved in important data will be included in the list of important data processors. Important data processors shall conduct risk assessments of network data processing activities every year and submit risk assessment reports to the competent authorities. The relevant competent authorities shall promptly notify the municipal cyberspace department and the municipal public security department.

Source: Shanghai Cyberspace Administration

NEWSLETTER

（Click on the source or copy the corresponding link to view the details）

LEGISLATION

The Cyberspace Administration of China has released the revised draft of the Cybersecurity Law of the People's Republic of China for further comments
Source: Cyberspace Administration of China
The Cyberspace Administration of China and the Ministry of Public Security have issued the "Measures for the Security Management of Facial Recognition Technology Applications"
Source: Cyberspace Administration of China
The State Council has issued the "Provisions on the Implementation of the Anti Foreign Sanctions Law of the People's Republic of China", and "other necessary measures" will include "prohibiting or restricting the provision of data and personal information to them"
Source: China Government website
https://www.gov.cn/zhengce/content/202503/content_7015400.htm
The State Administration of Market Regulation has issued the Guiding Opinions on Promoting the Implementation of Compliance Management Responsibilities by Online Trading Platform Enterprises
Source: State Administration of Market Regulation
The National Cryptography Administration publicly solicits opinions on the "Regulations on the Administration of Passwords for the Use of Electronic Authentication Services (Draft for Comments)"
Source: National Cryptography Administration
https://www.sca.gov.cn/sca/hdjl/2025-03/21/content_1061245.shtml
The State Council has issued the "Provisions of the State Council on the Handling of Foreign Related Intellectual Property Disputes"
Source: China Government website
The Office of the China National Intellectual Property Administration issued the Intellectual Property Data User Manual and Open Directory
Source: China National Intellectual Property Administration
https://www.gov.cn/zhengce/zhengceku/202503/content_7013396.htm
The Beijing Cyberspace Administration and three other departments have issued the Implementation Plan for Comprehensive Supporting Reform of Cross border Data Flow Facilitation in Beijing
Source: Beijing Cyberspace Administration
The Shanghai Cyberspace Administration is publicly soliciting opinions on the "Shanghai Municipal Measures for the Classification and Grading of Network Data and the Management of Important Data Catalog (Draft for Comments)"
Source: Shanghai Cyberspace Administration
The National Cybersecurity Standards Committee has released the "Criteria for Determining Network Attacks and Network Attack Events in Cybersecurity Technology" and the "Online Certificate Status Protocol for Public Key Infrastructure in Cybersecurity Technology"
Source: National Cybersecurity Standards Committee
The National Cybersecurity Standards Committee is soliciting opinions on three national standards, including the "Requirements for Network Security Technology Information Security Management System Audit and Certification Institutions (Draft for Comments)"
Source: National Cybersecurity Standards Committee
The National Data Administration has officially released the second batch of explanations for commonly used terms in the data field
Source: National Data Administration
National Data Administration: China plans to revise 41 national standards in the field of data this year
Source: National Data Administration
The National Cybersecurity Standards Committee has issued 15 recommended national standards for cybersecurity
Source: National Cybersecurity Standards Committee
The Ministry of Industry and Information Technology publicly solicits industry standard plans related to artificial intelligence and humanoid robots
Source: Ministry of Industry and Information Technology
https://wap.miit.gov.cn/gzcy/yjzj/art/2025/art_54f1f2f0d10d408dbba1535dbdd3bcc2.html
The first national special plan for the data annotation industry, "Hefei Data Annotation Industry Development Plan (2025-2027)", has been released
Source: Xinhua News Agency
http://ah.news.cn/20250317/3f0724a734b344dbbd4c613b3a3534a1/c.html

INDUSTRY TRENDS

The Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation have issued a notice on carrying out a series of special actions for personal information protection in 2025
Source: Cyberspace Administration of China
National Cyberspace Administration of China: One year since the implementation of the "Regulations on Promoting and Regulating Cross border Data Flow", positive results have been achieved in the management of data export security
Source: Cyberspace Administration of China
The Ministry of Public Security has announced 10 typical cases to crack down on crimes that infringe on citizens' personal information
Source: Cybersecurity Bureau of the Ministry of Public Security
The Cybersecurity Bureau of the Ministry of Public Security reports that a certain institution has been investigated and dealt with due to data security issues
Source: Cybersecurity Bureau of the Ministry of Public Security
The China Consumers Association and others have released a research report on the analysis of the problem of personal information collection and leakage beyond the scope
Source: China Cyberspace Security Association
China Consumers Association issues consumer alert: Beware of the risk of "secret free payment" on mobile phones
Source: China Consumers Association
https://cca.org.cn/Detail?catalogId=475800865030213&contentType=article&contentId=658361791103045
National Data Administration: The establishment meeting and first working meeting of the initiative to promote mutual recognition and interoperability among data trading institutions were held in Beijing
Source: National Data Administration
Due to significant loopholes in customer security management, a certain express delivery company has been investigated by the State Post Bureau
Source: National Post Office
https://www.spb.gov.cn/gjyzj/c100015/c100016/202503/02cefd4e0fc442128211ffce40a958f1.shtml
The Shanghai Economic and Information Commission has released the "Implementation Opinions of Shanghai Municipality on Promoting Innovative Development of Intelligent Computing Cloud Industry (2025-2027)"
Source: Shanghai Economic and Information Commission
https://www.shanghai.gov.cn/hqcyfz2/20250326/99e2192e00734a43a6e26085405e80e5.html
The Shanghai Cyberspace Administration has released five special actions, focusing on rectifying issues such as enterprise related online rumors and AI "short essays"
Source: Shanghai Cyberspace Administration
Hainan Cyberspace Administration releases notice on illegal collection and use of personal information by 16 mobile applications
Source: Hainan Cyberspace Administration
Qinghai Cyberspace Administration issues the first 'fine' for network data security in the province
Source: Qinghai Cyberspace Administration
Hangzhou Internet Court issues the first judicial proposal involving generative AI
Source: Hangzhou Internet Court
The first AI generated image copyright infringement case in Qinhuangdao City has been concluded
Source: Qinhuangdao Intermediate People's Court
Guangdong Traffic Management Bureau publicly reports 8 apps/mini programs that have not been rectified as required
Source: Guangdong Provincial Administration of Communications
Guangdong Traffic Management Bureau announces the removal/ban of 4 apps/mini programs from search
Source: Guangdong Provincial Administration of Communications
Yunnan Cyberspace Administration announces 2025 enterprise inspection plan
Source: Yunnan Cyberspace Administration

OVERSEAS

European Union:

European Commission releases draft extension for UK adequacy decision
Source: European Commission
https://ec.europa.eu/commission/presscorner/detail/en/mex_25_812
IAB Association submits position paper on the pseudonymization guidelines for EDPB
Source: IAB
https://iabeurope.eu/wp-content/uploads/IAB-Europes-response-to-the-EDPB-public-consultation-on-draft-Guidelines-1_2025-on-Pseudonymisation-2.pdf
EDPB proposes a collaborative program to approve binding company rules for controllers and processors
Source: EDPB
https://www.edpb.europa.eu/our-work-tools/our-documents/procedure/edpb-document-setting-forth-co-operation-procedure-approval_en
The European Commission's preliminary investigation suggests that Alphabet is suspected of violating the Digital Markets Act
Source: European Commission
https://digital-markets-act.ec.europa.eu/commission-sends-preliminary-findings-alphabet-under-digital-markets-act-2025-03-19_en
The European Commission provides guidelines for interoperability of Apple products based on DMA
Source: European Commission
https://digital-markets-act.ec.europa.eu/commission-provides-guidance-under-digital-markets-act-facilitate-development-innovative-products-2025-03-19_en

United States: Kentucky Governor's Office revises consumer data privacy bill
Source: Kentucky
https://apps.legislature.ky.gov/record/25RS/hb473.html
Germany:

DSK expresses opinions on the draft law for implementing the Data Act
Source: DSK
https://datenschutzkonferenz-online.de/media/st/Data_Act_Umsetzung_Laenderstellungnahme.pdf
Hamburg HmbfDL releases recommendations on data retention
Source: HmbfDL
https://datenschutz-hamburg.de/news/digitaler-fruehjahrsputz-alte-daten-loeschen-neue-speicherfristen-beachten

France:

CNIL announces audit focus for app data, right to be forgotten, etc. in 2025
Source: CNIL
https://www.cnil.fr/fr/les-controles-de-la-cnil-en-2025
CNIL seeks public opinion on the compliance and security of medical records
Source: CNIL
https://www.cnil.fr/fr/conformite-et-securite-des-dossiers-medicaux-la-cnil-lance-une-consultation-publique-sur-un-projet
CNIL publicly solicits opinions on the proposal to use location data of connected vehicles
Source: CNIL
https://www.cnil.fr/fr/vehicules-connectes-et-localisation-consultation-publique-projet-de-recommandation
CNIL releases 2025 work plan to provide GDPR compliance support for professionals
Source: CNIL
https://www.cnil.fr/fr/accompagnement-des-professionnels-le-programme-de-travail-de-la-cnil-pour-2025

Britain:

ICO announces plans for new regulatory measures
Source: ICO
https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/03/package-of-measures-unveiled-to-drive-economic-growth/
UK government launches data brokerage industry consultation
Source: UK government
https://www.gov.uk/government/calls-for-evidence/data-brokers-and-national-security/data-brokers-and-national-security

Sweden: Government releases cybersecurity strategy for 2025-2029
Source: Swedish government
https://www.regeringen.se/informationsmaterial/2025/03/nationell-strategi-for-cybersakerhet-2025-2029/
Spain: Ministry of Digital Transformation seeks opinions on AI law draft
Source: Spanish Ministry of Digital Transformation
https://citizen.digital/news/spain-to-impose-massive-fines-for-not-labelling-ai-generated-content-n359013
Luxembourg: Administrative Court upholds CNPD's fine decision against Amazon Europe for violating GDPR
Source: Luxembourg Administrative Court
https://justice.public.lu/fr/actualites/2025/03/tribunal-administratif-jugement-amazon-amende-cnpd.html
Latvia: DVI clarifies the legality of personal data transmission in debt collection
Source: DVI
https://www.dvi.gov.lv/lv/jaunums/dviskaidro-vai-manus-personas-datus-drikst-nodot-arpustiesas-paradu-piedzinai-vai-citam-kreditoram
Canada:

OPC announces exploratory consultation results on age confirmation for 2024
Source: OPC
https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/completed-consultations/consultation-age/report_age_2025/
OPC releases privacy breach risk self-assessment tool
Source: OPC
https://www.priv.gc.ca/en/opc-news/news-and-announcements/2025/nr-c_250326/

South Korea: Congress passes PIPA amendment requiring foreign operators to designate local representatives and enforce supervision
Source: South Korean National Assembly
https://www.law.go.kr/%EB%B2%95%EB%A0%B9/%EA%B0%9C%EC%9D%B8%EC%A0%95%EB%B3%B4%EB%B3%B4%ED%98%B8%EB%B2%95
Japan: Personal Information Protection Commission announces 2025 action plan and outline
Source: PIPC
https://www.ppc.go.jp/files/pdf/R7_katsudouhoushin.pdf
https://www.ppc.go.jp/files/pdf/R7_katsudouhoushin_gaiyou.pdf

Note

本文由Gen AI翻译，仅供参考。

Translated by Gen AI service. For reference only.

本期编辑：吴佳蔚陈煜烺林婉琪陈瑞庭张丽