Digital Economy and Data Protection Newsletter（25.17）

Click above｜Follow us

Recent legislative developments include the NPC reviewing a draft amendment to the Cybersecurity Law to address new challenges, the CAC proposing rules requiring major platforms to establish personal information protection committees under PIPL Article 58, and the Chongqing FTZ issuing a cross-border data transfer negative list, first applied to smart vehicles. In enforcement, following a data security incident, a foreign company was investigated for breaches including illegal cross-border data transfers; meanwhile, MIIT and other departments jointly launched a special campaign targeting online misconduct in the auto industry. Judicially, the Beijing Internet Court released typical AI-related cases involving issues like AI copyright, voice rights, face-swapping, algorithm governance, and personality rights. Overseas, the EU progressed on AI Act transparency guidelines, the CJEU upheld the EU-US Data Privacy Framework, France’s DPA issued a large fine for cookie violations, and the U.S. FTC opened an inquiry into AI chatbots.

HOTSPOT

National People's Congress (NPC) Deliberates Draft Amendment to Cybersecurity Law

On September 12, 2025, the National People's Congress (NPC) released the Draft Amendment to the Cybersecurity Law of the People's Republic of China (for Public Comment) (hereinafter referred to as the "Draft Amendment") for public consultation. The core focus of this Draft Amendment is adjusting legal liabilities and enhancing systemic alignment with laws and administrative regulations such as the Data Security Law and the Personal Information Protection Law. For example:

For illegal acts causing particularly severe consequences like the loss of primary functions of critical information infrastructure (CII), fines for entities will be increased to a maximum of RMB 10 million, and fines for individuals to RMB 1 million.

Additional legal liabilities have been established, including penalties for supplying network critical equipment or specialized security products that fail to meet security certification or testing standards. The amendment also specifies circumstances under which administrative penalties may be mitigated, reduced, or exempted.

Previously, the NPC explicitly included amending the Cybersecurity Law in its 2025 legislative plan, and the revised law is expected to be adopted within the year.

Source: National People's Congress (NPC)

Chongqing Cyberspace Administration and Others Release Negative List Management Measures for Data Outbound Transfers in Free Trade Zone and 2025 Version of Negative List

On September 1, 2025, the Chongqing Cyberspace Administration and other departments jointly released the Interim Measures for the Administration of Negative List for Data Outbound Transfers in the China (Chongqing) Pilot Free Trade Zone (hereinafter referred to as the "Measures" including the Annex: Reference Rules for Data Classification and Grading in the China (Chongqing) Pilot Free Trade Zone), the 2025 Version of the Negative List for Data Outbound Transfers in the China (Chongqing) Pilot Free Trade Zone (hereinafter referred to as the "Negative List" with the first batch focusing on the intelligent connected vehicle industry), and the Interim Implementation Guidelines for the Negative List for Data Outbound Transfers in the China (Chongqing) Pilot Free Trade Zone (hereinafter referred to as the "Guidelines"). These measures apply to data processors registered, operating, or conducting data outbound activities within the Chongqing Pilot Free Trade Zone.

Under the Measures and Guidelines, data processors subject to the Negative List must submit a report on their use of the Negative List to the relevant free trade sub-zone within 15 working days from the date of data outbound activities and undergo regulatory oversight. Additionally, given that the Measures clarify the mutual recognition mechanism for negative lists and prioritize the applicability of data classification and grading standards publicly or internally issued by industry authorities, negative lists for the intelligent connected vehicle industry released by other free trade zones and data classification/grading standards issued by industry authorities may also apply. Enterprises are advised to comprehensively consider the applicability of free trade zone outbound mechanisms in light of relevant regulations.

For more information, please click here.

Source: Chongqing Cyberspace Administration

Beijing Internet Court Releases Typical Cases Involving Artificial Intelligence

On September 10, 2025, the Beijing Internet Court held a press conference on the trial of AI-related cases and released eight typical cases of AI-related disputes:

(1) Case 1: Content generated by artificial intelligence (AI) may be recognized as a "work" if it meets the requirements of "intellectual achievement" and "originality". The ownership of copyright shall be determined based on the original intellectual contributions made by entities such as users and developers to the generated content.

(2) Case 2: AI-synthesized voices are protected if they are identifiable. Even if the original audio recording is legally licensed, the commercial use of its AI-synthesized version without consent still constitutes infringement.

(3) Case 3: For the commercial use of AI voices, the elements for determining infringement are "identifiability + commercial use". In scenarios where e-commerce merchants entrust third parties to conduct promotions and AI-synthesized celebrity voices are used for product marketing, merchants who fail to fulfill their review obligations shall bear joint liability with the promoters.

(4) Case 4: If an AI face-swap makes the original subject unrecognizable, it does not constitute portrait right infringement; however, using video containing facial information for AI synthesis without consent infringes on personal information rights and interests.

(5) Case 5: If a platform’s algorithm misjudges AI-generated content and mutes the user, and fails to fulfill its obligation to explain the algorithmic decision, the platform shall bear liability for breach of contract.

(6) Case 6: Maliciously distorting and defaming others’ portraits via AI and disseminating the result constitutes infringement of portrait rights, reputation rights, and general personality rights simultaneously.

(7) Case 7: If the image of a virtual digital human reflects the unique aesthetic choices of the production team, it constitutes a work of fine art and is protected by the Copyright Law.

(8) Case 8: If a platform encourages users to create AI companion images of celebrities through algorithms, this constitutes infringement of the right to name, portrait right, and general personality right.

For more information, please click here.

Source: Beijing Internet Court

NEWSLETTER

（Click on the source or copy the corresponding link to view the details）

LEGISLATION

The National People's Congress (NPC) Deliberates on the Draft Amendment to the Cybersecurity Law
Source: National People’s Congress
National Cyberspace Administration Issues Exposure Draft of Provisions on Establishment of Personal Information Protection Oversight Committees by Large-Scale Online Platforms
Source: National Cyberspace Administration
National Energy Administration (NEA) Issues the Interim Measures for Data Security Management in the Energy Sector (Draft for Comments)
Source: National Energy Administration
National Cryptography Administration Issues Commercial Cryptography Administrative Inspection Item List
Source: National Cryptography Administration
Chongqing Cyberspace Administration and Other Authorities Issue Administrative Measures for Pilot Free Trade Zone Negative List for Cross-Border Data Export and 2025 Edition Negative List
Source: Chongqing Cyberspace Administration
TC260 Issues Data Security Technology—Security Certification Requirements for Cross-Border Processing Activities of Personal Information and Data Security Technology—Guidelines for Social Responsibility in Data Security and Personal Information Protection
Source: National Cybersecurity Standardization Technical Committee
Ministry of Industry and Information Technology Issues 418 Industry Standards Including Basic Capability Requirements for Facial Information Protection in Face Recognition Systems
Source: Ministry of Industry and Information Technology
https://wap.miit.gov.cn/zwgk/zcwj/wjfb/gg/art/2025/art_6270d6fd51464a03adaa5a80ef93543d.html

INDUSTRY TRENDS

Dior Data Breach Triggers an Investigation: Public Security Authorities Release Administrative Penalties for Illegal Cross-Border Activities
Source: National Cybersecurity Notification Centre
Supreme People’s Court Releases 2025 Typical Anti-Unfair Competition Cases
Source: Supreme People’s Court
MIIT and Five Other Ministries Jointly Launch Special Rectification Campaign Against Automotive-Cyber Disorder
Source: MIIT
Ministry of Public Security Releases Three Typical Criminal Cases of Illegally Cracking UAV Flight-Control Systems
Source: Ministry of Public Security
National Cyberspace Administration Publishes 13th Batch of Deep-Synthesis Service Algorithm Filing Information
Source: National Cyberspace Administration
National Cyberspace Administration Releases “Generative-AI Service Filing Information (July–August 2025)”
Source: National Cyberspace Administration
National Computer Virus Emergency Response Centre Detects 69 Mobile Apps Illegally Collecting and Using Personal Information
Source: National Computer Virus Emergency Response Centre
Beijing Internet Court Issues AI-Related Typical Cases
Source: Beijing Internet Court
Shanghai Cyberspace Administration Launches Special Enforcement Action on Face-Recognition Technology in Real-Estate Sales Offices
Source: Shanghai Cyberspace Administration
Hainan Launches Special Rectification of Mobile Apps Illegally Collecting and Using Personal Information
Source: Hainan Cyberspace Administration
Hainan Cyberspace Administration Reports 28 Apps for Illegal Personal-Data Collection
Source: Hainan Cyberspace Administration
Anhui Communications Administration Issues 6th Batch of 2025 Apps Infringing User Rights
Source: Anhui Communications Administration
Anhui Communications Administration Announces 2025 Telecom & Internet Cyber- and Data-Security Inspection
Source: Anhui Communications Administration
Douyin E-Commerce Discloses AI-Misuse Cases to Guide Merchants Toward Compliance
Source:Douyin E-Commerce Security & Trust Centre
Firm Summoned and Penalised by Cyberspace Office After Abnormal Cross-Border Data Transfer Caused by Cloud-Storage Feature
Source: Yunyan Cyberspace Administration

OVERSEAS

EU:

Commission Seeks Comments on Guidelines and Code of Practice for AI Act Transparency Obligations
Source: European Commission
https://digital-strategy.ec.europa.eu/en/news/participate-drawing-code-practice-transparent-generative-ai-systems
Commission Releases Draft Adequacy Decision for Brazil
Source: European Commission
https://www.gov.br/anpd/pt-br/assuntos/noticias/european-union-releases-preliminary-version-of-adequacy-decision
CJEU Issues Ruling on Pseudonymised Data
Source: CJEU

https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-09/cp250107en.pdf
Commission Launches Public Consultation and Call for Evidence on Evaluation and Review of Chips Act
Source: European Commission
https://digital-strategy.ec.europa.eu/en/news/commission-launches-public-consultation-and-call-evidence-evaluation-and-review-chips-act
EDPS Publishes Opinion on UN Cybercrime Convention: International Cooperation Should Respect EU Fundamental-Rights Guarantees
Source: EDPS
https://www.edps.europa.eu/press-publications/press-news/press-releases/2025/international-cooperation-fight-crime-should-respect-eu-fundamental-rights-guarantees_en
CJEU Dismisses French MPs’ Challenge to EU-U.S. Data Privacy Framework Validity
Source: CJEU
https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-09/cp250106en.pdf
Commission Imposes €2.95 Billion Fine on Google for Antitrust Violations in Ad-Tech Sector
Source: European Commission
https://ec.europa.eu/commission/presscorner/detail/pl/ip_25_1992

US:

President Signs Home-Buyer Privacy Protection Act
Source: Congress
https://www.congress.gov/bill/119th-congress/house-bill/2808
CPPA and Attorney General Announce Investigation into Compliance with Consumer Opt-Out Rights for Personal-Data Sales
Source: CPPA
https://cppa.ca.gov/announcements/2025/20250909.html
Federal Trade Commission Opens Inquiry into AI Chatbots Acting as Companions
Source: FTC
https://www.ftc.gov/news-events/news/press-releases/2025/09/ftc-launches-inquiry-ai-chatbots-acting-companions#
FTC Issues $2 Million Proposed Order Against Temu under INFORM Act
Source: FTC
https://www.justice.gov/opa/pr/temu-agrees-2m-civil-penalty-and-injunction-alleged-violations-inform-consumers-act
Senate Judiciary Committee Demands Answers from Meta on COPPA Compliance
Source: Senate Judiciary Committee
https://www.judiciary.senate.gov/press/rep/releases/grassley-blackburn-hawley-demand-answers-on-metas-emotional-targeting-of-children-repeated-alleged-failures-to-comply-with-child-privacy-law

Germany：

BSI Publishes AI Security Guidelines for Automotive Sector
Source: BSI
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2025/250910_TR_KI-Sicherheit_Fahrzeuge.html
Hamburg Data Protection Authority Releases Guidance on Data Act
Source: HmbBfDl
https://www.baden-wuerttemberg.datenschutz.de/datenzugang-data-act/

UK: ICO Issues Guidance on Encryption
Source: ICO
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/a-guide-to-data-security/encryption/
France：

Government Publishes National Oversight Plan for AI Regulation
Source: French Government
https://presse.economie.gouv.fr/la-dge-et-la-dgccrf-publient-le-projet-de-designation-des-autorites-nationales-en-charge-de-la-mise-en-oeuvre-du-reglement-europeen-sur-lia/
CNIL Fines SHEIN Ireland Subsidiary €150 Million for Cookie-Consent Violations
Source: CNIL
https://www.cnil.fr/en/cookies-placed-without-consent-shein-fined-150-million-euros-cnil
CNIL Fines Google €325 Million for Inserting Ads and Cookies Between Emails
Source: CNIL
https://www.cnil.fr/en/cookies-and-advertisements-inserted-between-emails-google-fined-325-million-euros-cnil?utm_source=chatgpt.com&sessionid=839288562

South Korea：

PIPC Announces Revised AI PIA Standards
Source: PIPC
https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=11475
KISA Security Sweep of Robot Vacuum Cleaners Finds Data and Privacy Vulnerabilities
Source: Korea Internet & Security Agency
https://www.kisa.or.kr/402/form?postSeq=2529&page=1

Brazil: National Congress Approves Digital ECA Bill Focusing on Minors’ Protection in Digital Environments
Source: Brazilian National Congress
https://www.dataguidance.com/news/brazil-parliament-approves-digital-eca
Ecuador: SPDP Opens Consultation on Draft Regulations for Personal Data and Artificial Intelligence
Source: SPDP
https://spdp.gob.ec/consultasatendidas/

Note

本文由Gen AI翻译，仅供参考。

Translated by Gen AI service. For reference only.

本期编辑：吴佳蔚陈煜烺林婉琪陈瑞庭张丽