Digital Economy and Data Protection Newsletter（25.12）

Click above｜Follow us

Recently, in terms of legislations, the Anti-Unfair Competition Law (2025) was amended and issued, coming into effect from October 15. The CII Commercial Cryptography Use Management Regulations were introduced to strengthen the security protection of core facilities. The CAC publicly solicited opinions on the Classification Measures for Network Information That May Affect the Physical and Mental Health of Minors, released the Data Outbound Security Assessment Declaration Guide (3rd Edition), and simultaneously introduced the Provisions on the Application of Benchmarks for Administrative Penalty Discretion and the List of Administrative Inspections Concerning Enterprises, further enhancing law enforcement transparency and standardization. In addition, the National Data Bureau and other authorities issued the Model Contract for Data Circulation and Transaction. In the industry, the SAMR publicized cases of online unfair competition. The MIIT launched a special action for industrial network security and circulated a notice on infringing APPs. Telecommunications administrations and CAC branches in multiple regions imposed penalties on non-compliant APPs and generative AI services. The National Audit Office disclosed the audit situation of data resource utilization, and the Beijing Internet Court adjudicated an infringement case involving AI "deepfake" technology. Overseas, the U.S. Supreme Court supported website age verification, privacy and AI bills in multiple states came into effect, local courts ruled that the use of books for AI training constituted fair use, and Google was ordered to pay a huge compensation for data abuse. Under the EU's DSA, multiple rules (such as data access authorization and transparency reports) officially came into force, and the review of the DMA was advanced. Vietnam passed the Personal Data Protection Law, and countries like the UK, Germany, and France also updated their online security and data protection rules.

HOTSPOT

Revision and Release of the Anti - Unfair Competition Law

On June 27, 2025, the 16th Meeting of the Standing Committee of the 14th National People's Congress revised and adopted the Anti - Unfair Competition Law of the People's Republic of China (hereinafter referred to as the "Anti - Unfair Competition Law"), which will come into force on October 15, 20251. Compared with the 2019 version, this revision of the Anti - Unfair Competition Law has, on the one hand, improved the determination of new types of unfair competition acts in the platform economy sector1. For example, it regulates unfair competition acts implemented by leveraging data and algorithms, technologies, platform rules, etc., and specifically adds provisions stipulating that unlawful acquisition of data constitutes an unfair competition act1. On the other hand, the revision strengthens the anti - unfair competition obligations of platform operators, including prohibiting the coercion of merchants into low - price competition, clarifying fair competition rules within platforms, and requiring timely handling and reporting of violations1. In addition, the revision also regulates the default of payments to small and medium - sized enterprises, intensifies the crackdown on operators' abuse of dominant positions, and improves relevant regulatory and penalty provisions.

Source: National People's Congress

http://www.npc.gov.cn/c2/c30834/202506/t20250627_446247.html

The CAC released the "Guidelines for Security Assessment Declaration of Cross-Border Data Transfer (Third Edition)"

On June 27, 2025, the Cyberspace Administration of China (CAC) officially released the "Guidelines for Security Assessment Declaration of Cross-Border Data Transfer (Third Edition)" (hereinafter referred to as the "Third Edition of the Guidelines"). The Third Edition of the Guidelines focuses on clarifying the rules for extending the validity period of the assessment results and simplifying the declaration materials and procedures. According to the "Regulations on Promoting and Regulating Cross-Border Data Flows" and the Third Edition of the Guidelines, the validity period of the cross-border data transfer results that have passed the security assessment is maintained at three years. If an extension is required and no circumstances necessitating a re-application have occurred, the data processor may apply for an extension of three years within 60 working days before the expiration.

The core conditions for applying for an extension include: the purpose, scope, and recipient of the cross-border data transfer have not changed; the increase in the scale of cross-border data transfer over the next three years does not exceed 20% of the originally approved amount; the legal documents with the overseas recipient are compliant; and the data transfer has been conducted in compliance with regulations over the past three years without any major data security incidents. Regarding the declaration materials, if documents such as the Unified Social Credit Code have not changed, they do not need to be resubmitted. The Third Edition of the Guidelines has also added the "Application Form for Extension of the Validity Period of the Assessment Results," which requires a detailed explanation of compliance for each scenario. In addition, the Third Edition of the Guidelines has optimized the system operation instructions, merged the template for the commitment letter, and clarified that the "cross-border data transfer link" only needs to provide key information such as the network domain/address of the data processor and the overseas recipient and the method of data transfer, thereby reducing the declaration burden on enterprises.

Source: Cyberspace Administration of China

For more information, please click here.

The CAC issued the "Regulations on the Application of Administrative Penalty Discretionary Benchmarks by Cyberspace Departments" and the "List of Administrative Inspection Items”

On June 26, 2025, the CAC issued the "Regulations on the Application of Administrative Penalty Discretionary Benchmarks by Cyberspace Departments" (hereinafter referred to as the "Regulations"), which will come into effect on August 1, 2025. The Regulations, for the first time, systematically divide administrative penalty standards into five levels of discretion: no penalty, mitigated penalty, lenient penalty, general penalty, and severe penalty, and refine the applicable scenarios.

According to the Regulations, no penaltyshould be imposed for minor illegal acts that are promptly corrected without causing harmful consequences or for acts without subjective fault. Lenient or mitigated penalties may be applied for acts such as voluntarily eliminating harmful consequences or cooperating with investigations. Severe penalties will be imposed for nine types of situations, including serious violations of regulations on the protection of minors, endangering network data security, committing illegal acts twice within one year, and resisting law enforcement. The fine discretion is clearly quantified: lenient penalty ≤ 30% of the statutory range, general penalty between 30% and 70%, and severe penalty ≥ 70%, with a 10% adjustment allowed based on the specific circumstances of the case.

In addition, on June 30, 2025, the CAC released the "List of Administrative Inspection Items for Enterprises by the National Internet Information Office," which clarifies specific inspection items, legal basis, frequency (general frequency, with no upper limit in special cases), and standards. The issuance of the Regulations and the list reduces the uncertainty in law enforcement by cyberspace departments and provides a more transparent enforcement expectation in the fields of cybersecurity and data compliance.

Source: Cyberspace Administration of China

Regulations on the Application of Administrative Penalty Discretionary Benchmarks by Cyberspace Departments：

https://mp.weixin.qq.com/s/EKfXSujjBT9MB5xZHQNr2A?scene=25&sessionid=-1085805565#wechat_redirect

List of Administrative Inspection Items for Enterprises：

https://www.cac.gov.cn/2025-06/30/c_1752998718883876.htm

The General Office of the National Data Administration and the General Office of the State Administration for Market Regulation released model texts of data circulation and transaction contracts

On July 4, 2025, in order to promote the construction of basic data systems, reduce the costs of data circulation and transactions, and facilitate the compliant and efficient use of data, the General Office of the National Data Administration and the General Office of the State Administration for Market Regulation released model texts of data circulation and transaction contracts. The model texts include four versions, each focusing on one of the four most typical scenarios in data circulation: data provision, data processing on commission, data fusion and development, and data intermediary services. The model texts are of a recommended nature, with pre-set general clauses regarding data ownership arrangements, security and confidentiality requirements, liability for breach of contract, and dispute resolution. They also provide targeted and differentiated arrangements concerning the rights and obligations of the parties involved in data circulation transactions, the specifics of the data, and the standards for data delivery and acceptance. The aim is to implement legal requirements, guide market entities to define liability boundaries through standardized texts, establish transactional trust, prevent disputes, and reduce transaction costs.

Source: National Data Administration

NEWSLETTER

（Click on the source or copy the corresponding link to view the details）

LEGISLATION

Anti-Unfair Competition Law of the People's Republic of China revised and promulgated
Source: National People's Congress
http://www.npc.gov.cn/c2/c30834/202506/t20250627_446247.html
The National Cryptography Administration, Cyberspace Administration of China, and Ministry of Public Security issued the Regulations on the Use of Commercial Cryptography for Critical Information Infrastructures
Source: National Cryptography Administration
Cyberspace Administration of China issued the Classification Measures for Network Information That May Affect the Physical and Mental Health of Minors (Draft for Solicitation of Comments)
Source: Cyberspace Administration of China
Cyberspace Administration of China issued the Guidelines for Outbound Data Security Assessment Declaration (3rd Edition)
Source: Cyberspace Administration of China
Cyberspace Administration of China issued the Provisions on the Application of Benchmarks for Administrative Penalty Discretion in Cyberspace Affairs
Source: Cyberspace Administration of China
Cyberspace Administration of China released the List of Administrative Inspection Items Concerning Enterprises
Source: Cyberspace Administration of China
https://www.cac.gov.cn/2025-06/30/c_1752998718883876.htm
Ministry of Industry and Information Technology issued the Notice on Carrying out Pilot Projects for Number Protection Services
Source: MIIT
National Health Commission issued the Notice on Further Strengthening the Management of Electronic Medical Record Information Use in Medical Institutions
Source: National Health Commission
State Administration for Market Regulation issued the Law Enforcement Guide (I) on the Application of the Advertising Law of the People's Republic of China
Source: SAMR
National Cybersecurity Standardization Technical Committee released three national cybersecurity standards, including Cybersecurity Technology—Disaster Recovery Specifications for Information Systems
Source: National Cybersecurity Standardization Technical Committee
National Cybersecurity Standardization Technical Committee released six draft cybersecurity standard practice guidelines for public consultation, including Identification Methods for AI-Generated and Synthetic Content—Implicit Metadata Identification for Documents—Text Documents (Draft for Comments)
Source: National Cybersecurity Standardization Technical Committee
National Cybersecurity Standardization Technical Committee released four draft national standards for public consultation, including Cybersecurity Technology—Storage Security Guidelines
Source: National Cybersecurity Standardization Technical Committee
Model Text for Data Circulation and Transaction Contracts released
Source: National Data Bureau

INDUSTRY TRENDS

The "Qinglang · Optimizing Business Environment on the Internet—Rectifying Online 'Vicious Comments' Against Enterprises" special campaign publicly exposed a batch of typical cases
Source: Cyberspace Administration of China
MIIT launched the 2025 Cybersecurity Special Action for Escorting New-Type Industrialization
Source: MIIT
Cyberspace Administration of China released the List of Authorized Sources for Internet News Information
Source: Cyberspace Administration of China
The National Audit Office released a work report disclosing the audit situation of domestic data resource utilization and public resource trading platforms
Source: National Audit Office
https://www.audit.gov.cn/n5/n26/c10619920/content.html
SAMR announced five typical cases of online unfair competition
Source: SAMR
MIIT issued a notice on APPs (SDKs) infringing on user rights and interests (2025 Batch 3, Total Batch 48)
Source: MIIT
Shanghai Communications Administration circulated a notice on 162 APPs (SDKs)
Source: Shanghai Communications Administration
Zhejiang Communications Administration circulated a notice on APPs (mini-programs) infringing on user rights and interests
Source: Zhejiang Communications Administration
Guangdong Communications Administration publicly circulated a notice on 8 APPs that failed to complete rectification as required
Source: Guangdong Communications Administration
Hunan Communications Administration issued a notice on taking down 4 mobile applications that infringed on user rights and interests (2025, First Batch)
Source: Hunan Communications Administration
Gansu Communications Administration issued a notice on 8 APPs/mini-programs infringing on user rights and interests (2025 Second Batch)
Source: Gansu Communications Administration
The National Network Security Bulletin Center found through testing by the Ministry of Public Security's Computer Information System Security Product Quality Supervision and Inspection Center that 45 mobile applications illegally collected and used personal information
Source: National Network Security Bulletin Center
Beijing carried out a special rectification of data security and personal information protection in the people's livelihood consumption sector
Source: Beijing Cyberspace Affairs Office
Shanghai Cyberspace Affairs Office filed penalties against a batch of generative AI service websites that refused to rectify
Source: Shanghai Cyberspace Affairs Office
Shanghai released a public notice on registration information for generative AI services (June 30)
Source: Shanghai Cyberspace Affairs Office
Beijing Internet Court heard a personality rights infringement case involving AI "deepfake" technology
Source: Beijing Internet Court

OVERSEAS

International: The International Consumer Protection and Enforcement Network (ICPEN) investigated manipulative design practices in online games
Source: ICPEN
https://icpen.org/news/1432
United States:

EPIC released an AI risk assessment report
Source: EPIC
https://epic.org/press-release-report-privacy-harms-from-ai-necessitate-robust-risk-assessments/
The U.S. Supreme Court supported state legislation mandating age verification for websites with sensitive content
Source: U.S. Supreme Court
https://www.supremecourt.gov/opinions/24pdf/23-1122_3e04.pdf
Google was ordered to pay over $300 million for illegal use of Android users' data
Source: Reuters
https://www.reuters.com/sustainability/boards-policy-regulation/google-hit-with-314-million-us-verdict-cellular-data-class-action-2025-07-01/
A U.S. court ruled that Anthropic's unauthorized use of authors' books to train AI constituted "fair use," but illegal bulk storage constituted an independent infringement
Source: Authors Guild of America
https://authorsguild.org/app/uploads/2025/06/gov.uscourts.cand_.434709.231.0_3.pdf
A U.S. court ruled that Meta's unauthorized use of books from the "Shadow Library" to train AI constituted "fair use," and held that "fair use" should be judged as a whole; Meta's use of the "Shadow Library" after failing to attempt authorization did not equal malicious infringement
Source: Courthouse News Service
https://www.courthousenews.com/wp-content/uploads/2025/06/kadrey-et-al-vs-meta-order-motion-partial-summary-judgment.pdf
Tennessee Information Protection Law came into effect
Source: Tennessee General Assembly
https://wapp.capitol.tn.gov/apps/BillInfo/Default.aspx?BillNumber=SB0073
Virginia Consumer Protection Law amendment came into effect
Source: Virginia General Assembly
https://lis.virginia.gov/bill-details/20251/SB754
Colorado Biometric Identifiers Act came into effect
Source: Colorado General Assembly
https://leg.colorado.gov/bills/hb24-1130
Texas Governor signed the Data Broker Notification Requirements Act
Source: Texas Legislature
https://www.capitol.state.tx.us/BillLookup/BillStages.aspx?LegSess=89R&Bill=SB1343
Texas Governor signed the Data Broker Act
Source: Texas Legislature
https://www.capitol.state.tx.us/BillLookup/BillStages.aspx?LegSess=89R&Bill=SB1343
Texas Governor signed the Electronic Health Record Act
Source: Texas Legislature
https://www.capitol.state.tx.us/BillLookup/Text.aspx?LegSess=89R&Bill=SB1188
Texas Governor signed the Responsible AI Governance Act
Source: Texas Legislature
https://capitol.texas.gov/BillLookup/History.aspx?LegSess=89R&Bill=HB149
Connecticut Governor signed a bill amending the consumer privacy law
Source: LegiScan
https://legiscan.com/CT/bill/SB01295/2025
The state of Utah sued Snap, alleging that Snapchat My AI induced addiction
Source: Utah Attorney General
https://attorneygeneral.utah.gov/2025/06/30/utah-sues-snapchat-for-unleashing-experimental-ai-technology-on-young-users-while-misrepresenting-the-safety-of-the-platform/?sessionid=-905156827

European Union:

The European Commission adopted a delegated act on data access under the Digital Services Act (DSA)
Source: European Commission
https://digital-strategy.ec.europa.eu/en/news/commission-adopts-delegated-act-data-access-under-digital-services-act
The Commission facilitated data access for researchers under the DSA
Source: European Commission
https://digital-strategy.ec.europa.eu/en/news/commission-facilitates-data-access-researchers-under-digital-services-act
The implementing regulations on transparency reporting obligations stipulated in the DSA came into effect on July 1
Source: European Commission
https://digital-strategy.ec.europa.eu/en/library/implementing-regulation-laying-down-templates-concerning-transparency-reporting-obligations
The Voluntary Code of Practice on Disinformation incorporated into the DSA framework came into effect on July 1
Source: European Commission
https://ec.europa.eu/commission/presscorner/detail/en/ip_25_505
The Commission sought feedback on the review of the DMA
Source: European Commission
https://digital-markets-act.ec.europa.eu/consultation-first-review-digital-markets-act-2025-07-03_en
The Commission launched AI tools on an online platform for researchers and industry
Source: European Commission
https://digital-strategy.ec.europa.eu/en/news/commission-launches-ai-tools-online-platform-researchers-and-industry
The Commission sought feedback on protecting media service providers on online platforms
Source: European Commission
https://digital-strategy.ec.europa.eu/en/news/commission-seeks-feedback-protecting-media-service-providers-online-platforms
The Commission released the Roadmap for Effective and Lawful Access to Data by Law Enforcement
Source: European Commission
https://home-affairs.ec.europa.eu/news/commission-presents-roadmap-effective-and-lawful-access-data-law-enforcement-2025-06-24_en
Ad-hoc meeting of the European Board for Digital Services to communicate on the draft guidelines for measures to ensure a high level of privacy, security, and protection for minors online
Source: European Commission
https://digital-strategy.ec.europa.eu/en/news/ad-hoc-meeting-european-board-digital-services-1
EDPB submitted comments on the European Commission's guidelines for the online protection of minors under the DSA
Source: EDPB
https://www.edpb.europa.eu/our-work-tools/our-documents/other/edpb-comments-european-commissions-guidelines-art-28-dsa_en
EDPB released the Helsinki Statement on enhancing clarity, support, and engagement
Source: EDPB
https://www.edpb.europa.eu/our-work-tools/our-documents/statements/helsinki-statement-enhanced-clarity-support-and-engagement_en
ENISA released the NIS 2 technical implementation and cybersecurity skills guidelines
Source: ENISA
https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance

United Kingdom:

ICO launched a consultation on the updated version of its international data transfer guidelines
Source: ICO
https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/2025/06/ico-call-for-views-on-international-transfers-guidance/
Ofcom released guidelines on age verification requirements for online adult content services
Source: Ofcom
https://www.ofcom.org.uk/online-safety/protecting-children/age-checks-for-online-safety--what-you-need-to-know-as-a-user
The Code of Practice on Age Assurance and Children's Access based on the Online Safety Act came into effect on July 1
Source: Ofcom
https://www.ofcom.org.uk/siteassets/resources/documents/consultations/category-1-10-weeks/statement-age-assurance-and-childrens-access/statement-age-assurance-and-childrens-access.pdf?v=388849&__cf_chl_rt_tk=JAF7elbFxQh9Kyvzv5ZjBn4iKvN.jBB8.KMvGfBC.ak-1751534330-1.0.1.1-IaDaWWf8thHBuOlSI..9R9Poc.oPN1W0StSXda28MiI
The Competition and Markets Authority proposed designating Google as having "Strategic Market Status" (SMS) in the fields of general search and search advertising
Source: Competition and Markets Authority
https://www.gov.uk/government/news/cma-takes-first-steps-to-improve-competition-in-search-services-in-the-uk

Germany:

BMI released a draft bill on the NIS2 directive
Source: BMI
https://www.bmi.bund.de/SharedDocs/gesetzgebungsverfahren/DE/CI1/nis2umsucg.html
BSI released a draft AI system quality assurance guideline
Source: BSI
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2025/250701_QUAIDAL.html
The Berlin Data Protection Commissioner ruled that Deepseek's data transfer was illegal
Source: Berlin Data Protection Commissioner
https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/publikationen/DSK/2025/20250627-Berlin-DPA-Press-Release-DeepSeek.pdf

France:

The Act on the Protection and Regulation of the Digital Space transposing the DSA and DMA came into effect on July 1
Source: French Government
https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000049563368
CNIL released a study on the economic impact of the GDPR in cybersecurity
Source: CNIL
https://www.cnil.fr/en/cybersecurity-economic-benefits-gdpr
CNIL announced a partnership to launch an AI audit tool
Source: CNIL
https://www.cnil.fr/fr/paname-un-partenariat-pour-laudit-de-la-confidentialite-des-modeles-dia

Norway:

The Ministry of Digitalization and Public Administration submitted a draft AI bill for consultation
Source: Ministry of Digitalization and Public Administration
https://www.regjeringen.no/no/aktuelt/lov-om-kunstig-intelligens-i-norge-sendes-na-pa-horing/id3113732/
The Ministry of Digitalization and Public Governance accepted and released guidelines on how to use AI governance responsibly
Source: Ministry of Digitalization and Public Administration
https://www.regjeringen.no/no/dokumenter/ki-assistenter-i-arbeidslivet-en-praktisk-guide/id3109040/

Canada: Canada considered banning Hikvision based on national security, and Hikvision responded
Source: Hikvision
https://www.hikvision.com/ca-en/newsroom/latest-news/2025/our-response-to-the-government-of-canada-s-order-to-shut-down-hi/
Vietnam: Adopted the Personal Data Protection Law
Source: National Assembly of Vietnam
https://baochinhphu.vn/quoc-hoi-thong-qua-luat-bao-ve-du-lieu-ca-nhan-102250626151253737.htm
South Korea: PIPC released partial amendments to the PIPA enforcement decree
Source: PIPC
https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=11294
Brazil: ANPD extended public consultation on biometric data processing
Source: ANPD
https://www.gov.br/anpd/pt-br/assuntos/noticias/prorrogado-prazo-para-participacao-na-tomada-de-subsidios-sobre-dados-biometricos
New Zealand: Standards for providing non-government third parties with access to or collection of personal information held by the government came into effect on July 1
Source: New Zealand Ministry of Internal Affairs
https://www.dia.govt.nz/press.nsf/d77da9b523f12931cc256ac5000d19b6/20054d47b7674203cc258c7d000c6674!OpenDocument
Luxembourg: CNPD released guidelines on data retention for payment service providers
Source: CNPD
https://cnpd.public.lu/content/dam/cnpd/fr/dossiers-thematiques/services-paiement/cnpd-lignes-directrices-dure-conservation-services-de-paiement.pdf
Belgium: The Belgian Data Protection Authority dismissed 16 cases from NOYB
Source: Belgian Data Protection Authority
https://www.autoriteprotectiondonnees.be/citoyen/actualites/2025/06/26/l-apd-explique-pourquoi-elle-classe-sans-suite-des-plaintes-de-noyb
Brunei Darussalam: The Personal Data Protection Order was approved and published in the Gazette
Source: Brunei Government Gazette
https://www.agc.gov.bn/AGC%20Images/LAWS/Gazette_PDF/2025/EN/S%2011_2025[E].pdf

Note

本文由Gen AI翻译，仅供参考。

Translated by Gen AI service. For reference only.

本期编辑：吴佳蔚陈煜烺林婉琪陈瑞庭张丽