Digital Economy and Data Protection Newsletter（25.18）

Click above｜Follow us

Recently, at the legislative level, the National Cyberspace Administration has issued the Measures for the Management of National Network Security Incident Reports, and the National Network Security Standards Committee has issued a number of network security standards, including data processing for Internet platf orm suspension, Gen AI security emergency response, and the 2025 version of the national standard system for data security and personal information protection. At the practical level, the State Cyberspace Administration has issued recent typical cases of law enforcement related to network security, data security and personal information protection, the Ministry of Industry and Information Technology has notified APPs that infringe on users'rights and interests, the Internet and telecommunications departments have investigated and dealt with cases of destruction of network ecology by several Internet platforms according to law, and the General Administration of Municipal Supervision has issued the third batch of typical cases in the field of live e-commerce. At the level of industry governance, the China Securities Association issued the group standard of Technical Specification for Personal Information Protection of Investors in Securities Companies. Overseas, the EU Data Act has been fully implemented on September 12, 2025, Doximity and OpenEvidence have made further progress in the trade secret infringement case of obtaining AI prompts, and Trump has approved the TikTok transaction.

HOTSPOT

CAC Issues National Cybersecurity Incident Reporting Management Measures

On 11 September 2025, the CAC released the National Cybersecurity Incident Reporting Management Measures (hereinafter the “Measures”), which will take effect on 1 November 2025. Network operators that build, operate or provide services through networks within China must report cybersecurity incidents in accordance with the Measures. The Measures classify cybersecurity incidents into four levels—especially serious, serious, relatively serious and ordinary—through the attached Cybersecurity Incident Grading Guidelines. On this basis, the Measures stipulate that for incidents rated “relatively serious” or above, critical information infrastructure operators must report immediately to their protection department and the public-security authority, and in any case within one hour; other network operators must report promptly to the provincial-level cyberspace authority of their jurisdiction, and in any case within four hours. Where a suspected crime is involved, the operator must also file a case with the public-security authority without delay. The Measures further specify the content of incident reports and the requirement to submit post-incident summary reports.

Source: CAC

https://www.cac.gov.cn/2025-09/15/c_1759583017563621.htm

TC260 Issues Cybersecurity Standard Practice Guide — Emergency Response Guide for Generative AI Service Security

On 22 September 2025, the National Cybersecurity Standardization Technical Committee (TC260) released the Cybersecurity Standard Practice Guide — Emergency Response Guide for Generative AI Service Security (hereinafter the “Guide”). The Guide sets out a classification and grading methodology for Gen-AI service security incidents, together with managerial measures and technical methods for the entire emergency-response process. Centered on incident management, it underpins the security of Gen-AI services and offers providers a basic framework, detailed measures and worked examples for building capabilities in prevention, detection, handling and post-mortem analysis across content security, data security and cybersecurity incidents, as well as for fulfilling the important obligation of incident reporting.

For more information, please click here.

Source: TC260

CAC Releases Latest Enforcement Cases on Cybersecurity, Data Security and Personal-Information Protection

On September 16, 2025, the Cyberspace Administration of China (CAC) released typical recent law enforcement cases regarding cybersecurity, data security, and personal information protection. A total of 10 cases are included in this batch, with specific summaries as follows:

(1) Case of Webpage Tampering by a Technology Co., Ltd. in Guangdong

The company failed to fulfill its cybersecurity protection obligations in accordance with the law, did not adopt necessary technical measures to ensure cybersecurity, and failed to promptly fix system vulnerabilities, resulting in webpage tampering. This violates the relevant provisions of the Cybersecurity Law.

(2) Case of Webpage Tampering by an Internet Technology Co., Ltd. in Xinjiang

As a provider of network products and services, the company failed to promptly detect security flaws and vulnerabilities in the website it developed, did not take immediate remedial measures, and failed to inform users and report to the competent authority in accordance with regulations. This violates the relevant provisions of the Cybersecurity Law.

(3) Case of Data Leakage by a Medical Laboratory Co., Ltd. in Shandong

The company’s system failed to retain relevant network logs in accordance with the law and did not adopt technical and other necessary measures to ensure data security, resulting in data leakage. This violates the provisions of laws and regulations including the Cybersecurity Law, Data Security Law, and Regulations on the Security Management of Network Data.

(4) Case of Data Theft from a Technology Co., Ltd. in Zhejiang

The company’s system did not adopt technical and other necessary measures to ensure data security, leading to data theft. This violates the provisions of laws and regulations including the Cybersecurity Law, Data Security Law, and Regulations on the Security Management of Network Data.

(5) Case of Data Theft from a Technology Company in Chongqing

The company’s system did not adopt technical and other necessary measures to ensure data security, resulting in data theft. This violates the provisions of laws and regulations including the Cybersecurity Law, Data Security Law, and Regulations on the Security Management of Network Data.

(6) Case of Data Theft from an Insurance Agency Co., Ltd. in Guangdong

The company’s system failed to retain relevant network logs in accordance with the law and did not adopt technical and other necessary measures to ensure data security, leading to data theft. This violates the provisions of laws and regulations including the Cybersecurity Law, Data Security Law, and Regulations on the Security Management of Network Data.

(7) Case of Potential Data Leakage Risk at a Technology Co., Ltd. in Hunan

The enterprise failed to fulfill its cybersecurity and data security protection obligations in accordance with the law, did not establish cybersecurity and data security management systems, and its system did not adopt technical and other necessary measures to ensure data security, resulting in potential data leakage risks. This violates the provisions of laws and regulations including the Cybersecurity Law, Data Security Law, and Regulations on the Security Management of Network Data.

(8) Case of Over-Scope Collection of Personal Information by an App Operated by a Technology Co., Ltd. in Beijing

The App collected and uploaded information about the installation and uninstallation of the user’s applications in the background when the user did not use any of its functions. When the user used functions such as uploading AI avatars, the App requested unnecessary storage permissions. These acts exceeded the "minimum necessary" scope for achieving the purpose of personal information processing, violating the provisions of laws and regulations including the Cybersecurity Law, Personal Information Protection Law, and Regulations on the Security Management of Network Data.

(9) Case of Illegal Collection of Facial Information by a Technology Co., Ltd. in Shanghai

The company’s vending machines collected facial information without consent during the user payment process. Additionally, the enterprise failed to establish a personal information protection impact assessment system, and its relevant system had high-risk SQL injection vulnerabilities. This violates the provisions of laws and regulations including the Cybersecurity Law, Personal Information Protection Law, and Regulations on the Security Management of Network Data.

(10) Case of Failure to Conduct Security Assessment for Deep Synthesis Services Provided by an App Operated by a Technology Co., Ltd. in Zhejiang

The App provided AI face-swapping services without conducting the required security assessment, and the relevant deep synthesis content was not marked prominently, posing significant security risks. This violates the provisions of regulations including the Administrative Provisions on Deep Synthesis of Internet Information Services, Interim Measures for the Management of Generative Artificial Intelligence Services, Administrative Provisions on Algorithmic Recommendation of Internet Information Services, and Provisions on the Security Assessment of Internet Information Services with Public Opinion Attributes or Social Mobilization Capabilities.

Source: CAC

https://www.cac.gov.cn/2025-09/16/c_1759741437315419.htm

NEWSLETTER

（Click on the source or copy the corresponding link to view the details）

LEGISLATION

The State Cyberspace Administration issued the Measures for the Management of National Network Security Incident Reports
Source: National Cyberspace Administration
https://www.cac.gov.cn/2025-09/15/c_1759583017563621.htm
The State Cyberspace Administration publicly solicited opinions on the Measures for Identifying Service Providers of Network Platforms with a Large Number of Minors and Significant Impact on Minors (Draft for Opinions)
Source: National Cyberspace Administration
https://www.cac.gov.cn/2025-09/16/c_1759740674396520.htm
Zhejiang Intellectual Property Office issued the Guidelines for Application for Registration of Intellectual Property Rights in the Field of Artificial Intelligence in Zhejiang Province (2025)
Source: Zhejiang Intellectual Property Office
https://zjamr.zj.gov.cn/art/2025/9/18/art_1229693039_2569542.html
Guangdong Province issued the Measures for the Management of Authorized Operation of Public Data Resources (Draft for Comments) to implement authorized operation of public data according to scenarios
Source: Guangdong Provincial Administration of Government Affairs Services and Data
https://zfsg.gd.gov.cn/hdjlpt/yjzj/answer/46139
The National Network Security Standards Committee issued the Guidelines for the Practice of Network Security Standards-Guidelines for Emergency Response to Generative Artificial Intelligence Services
Source: TC260
The National Information Security Standards Committee issued the Guidelines for the Practice of Network Security Standards-Data Processing Security Requirements for Internet Platforms to Stop Serving
Source: TC260
https://www.tc260.org.cn/front/postDetail.html?id=20250909092909
The National Information Security Standards Committee issued the Guidelines for the Practice of Network Security Standards-Requirements for the Protection of Personal Information for Scanning Orders
Source: TC260
https://www.tc260.org.cn/front/postDetail.html?id=20250909092930
The National Information Security Standards Committee issued the Guidelines for the Practice of Network Security Standards-Data Security Requirements for Academic Science and Technology Service Platforms
Source: TC260
https://www.tc260.org.cn/front/postDetail.html?id=20250915131112
The National Standard System for Data Security (2025 Edition) and the National Standard System for Personal Information Protection (2025 Edition)
Source: TC260
https://www.tc260.org.cn/front/postDetail.html?id=20250915154109
The National Network Security Standards Committee and the National Computer Emergency Response Center issued the 2.0 version of the Artificial Intelligence Security Governance Framework
Source: National Cyberspace Administration.
https://www.cac.gov.cn/2025-09/15/c_1759653448369123.htm
The national standard "Basic Requirements for Service Management of Takeaway Platform (Draft for Comments)" drafted by the General Administration of Market Supervision is open for comments
Source: National Standard Information Public Service Platform
https://std.samr.gov.cn/gb/search/gbDetailed?id=3AF503703DD11087E06397BE0A0AE27D
The Securities Association of China issued the group standard of Technical Specifications for the Protection of Investors' Personal Information of Securities Companies
Source: Securities Association of China
https://www.sac.net.cn/tzgg/202509/t20250925_68439.html
Nine departments, including the Ministry of Commerce, issued the Policies and Measures for Promoting the Export of Services to support the facilitation of cross-border transmission of personal information within multinational corporations
Source: Ministry of Commerce https://fms.mofcom.gov.cn/zcfg/zhzcfg/art/2025/art_2aa3821acbf744b8ad325c320024b47f.html
China Cyberspace Security Association Releases Smart Toys Personal Information Protection Initiative
Source: China Cyberspace Security Association

INDUSTRY TRENDS

The State Cyberspace Administration has released recent typical cases of law enforcement related to network security, data security and personal information protection
Source: National Cyberspace Administration.
https://www.cac.gov.cn/2025-09/16/c_1759741437315419.htm
National Data Bureau Releases List of Typical Cases of High Quality Data Sets
Source: National Data Bureau
https://www.nda.gov.cn/sjj/zwgk/tzgg/0912/20250912130433113171778_pc.html
Netcom Department Investigates and Punishes Today's Headline Cases of Destroying Network Ecology According to Law
Source: National Cyberspace Administration
Netcom Department Investigates and Punishes Cases of UC Platform Destroying Network Ecology According to Law
Source: National Cyberspace Administration
Netcom departments investigate and deal with cases of micro-blog platform destroying network ecology according to law
Source: National Cyberspace Administration
Netcom departments investigate and deal with cases of fast-hand platforms destroying network ecology according to law
Source: National Cyberspace Administration
Cyberspace Administration of the Central Committee of the Communist Party of China (CPC) has deployed a special campaign to "clear up and rectify the problem of malicious provocation of negative emotions"
Source: National Cyberspace Administration
2025 National Cyber Security Publicity Week "Main Forum of Cyber Security Technology Summit Forum" held in Kunming
Source: National Cyberspace Administration
https://www.cac.gov.cn/2025-09/16/c_1759741440053085.htm
The National Cyberspace Administration Releases the Test Results of Artificial Intelligence Technology Enabling Network Security Application in 2025
Source: National Cyberspace Administration
https://www.cac.gov.cn/2025-09/15/c_1759653448277501.htm
Nine departments, including the Ministry of Commerce, issued the Circular on Several Policies and Measures to Promote the Export of Services, proposing a number of measures to facilitate the cross-border flow of data, including the study and exploration of the formation of a negative list of national free trade zone data exit
Source: Ministry of Commerce
https://fms.mofcom.gov.cn/zcfg/zhzcfg/art/2025/art_2aa3821acbf744b8ad325c320024b47f.html
The public security organs have upgraded the national Internet security management service platform and optimized the public security network filing process
Source: Network Security Bureau of the Ministry of Public Security
The Ministry of Industry and Information Technology Notifies APPs Infringing on Users' Rights and Interests (the 5th batch in 2025, the 50th batch in total)
Source: Ministry of Industry and Information Technology
https://wap.miit.gov.cn/xwfb/gxdt/sjdt/art/2025/art_b261d87bc4be4b24bde196e2d313af76.html
The General Administration of Municipal Supervision released the third batch of typical cases in the field of live e-commerce
Source: Municipal Administration of Supervision
The General Administration of Municipal Supervision has decided to investigate Chengdu Fast Purchase Technology Co., Ltd. for suspected violation of the Electronic Commerce Law
Source: Municipal Administration of Supervision
The General Administration of Municipal Supervision interviewed cargo Lala and asked it to safeguard the legitimate rights and interests of truck drivers, consumers and other relevant subjects, and to promote fair, fair, open and transparent platform rules and algorithms
Source: Municipal Administration of Supervision
China Cyberspace Security Association issued the Consensus on Ethical Standards for Artificial Intelligence Services for Minors
Source: China Cyberspace Security Association
National Data Bureau Holds Press Conference on the Construction of Comprehensive Test Zone for Data Elements (Session 2)
Source: National Data Bureau
https://www.nda.gov.cn/sjj/swdt/wszb/sjyszhsyqjs2/list/index_pc.html
Zhejiang Shaoxing Public Security Organs Cracked a Case of Mobile Phone Unlocking "Middleman" Suspected of Illegally Obtaining Computer Information System Data
Source: Network Security Bureau of the Ministry of Public Security
The Ministry of Transport issued the Plan for the Construction of High-quality Data Sets in the Transport Industry
Source: Ministry of Transport
Cyberspace Administration in Beijing, Tianjin, Guizhou, Gansu and other places have made public the acceptance of reports of network violations and bad information and typical cases in August 2025
Source: National Cyberspace Administration
Jiangxi officially announced the first batch of 13 provincial public data "run up" demonstration scenarios
Source: National Data Bureau
Hunan Cyberspace Administration, in conjunction with the Provincial Health and Health Commission and the Provincial Local Financial Administration, carried out special inspections on the protection of personal information in some hospitals and financial units
Source: Hunan Cyberspace Administration
Zhejiang Communications Management Bureau reported 9 APPs that infringed on users' rights and interestsForcing users to use the directional push function is a violation
Source: Zhejiang Communications Management Bureau
Zhengzhou Supervisory Bureau Interviews Ctrip on Standardizing Business Practices
Source: Zhengzhou Supervision Bureau

OVERSEAS

International:

Hong Kong, Macao and Other Data Protection Agencies Jointly Sign AI Global Joint Statement
Source: Office of the Privacy Commissioner for Personal Data, Hong Kong
https://www.pcpd.org.hk/sc_chi/news_events/media_statements/press_20250922.html
G7 Cyber Experts Group Issues Statement on Artificial Intelligence and Cyber Security in the Financial System
Source: US Treasury
https://home.treasury.gov/system/files/136/G7-Cyber-Expert-Group-Statement-AI-and-Cybersecurity-2025.pdf

EU:

EDPB publishes guidance on the interaction between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR)
Source: EDPB
https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2025/guidelines-32025-interplay-between-dsa-and-gdpr_en
“The Data Act” was fully implemented on September 12, 2025
Source: EU Legislative Repository
https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng
EDPS publishes Opinion No.23/2025 on the UN Convention on Cybercrime
Source: EDPS
https://www.edps.europa.eu/system/files/2025-09/25-09-04_opinion_united_nations_convention_against_cybercrime_en.pdf
EDPS issues Opinion No.24/2025 on the US-EU Data Exchange Framework
Source: EDPS
https://www.edps.europa.eu/system/files/2025-09/2025-0688_opinion_en.pdf#:~:text=This%20Opinion%20relates%20to%20the%20Recommendation%20for%20a,relating%20to%20border%20procedures%20and%20applications%20for%20visa1
The EDPB reply confirmed that the CJEU C-383/23 judgment is consistent with the guideline 04/2022 on the calculation of GDPR administrative penalties
Source: EDPB
https://www.edpb.europa.eu/system/files/2025-09/edpb_letter_20250917_replycciaedpbguidelinesfines_en.pdf
European Commission issues guidelines on vehicle data to accompany the Data Act
Source: European Commission
https://digital-strategy.ec.europa.eu/en/library/guidance-vehicle-data-accompanying-data-act?sessionid=

US:

Obtaining AI Prompt Words Suspected of Infringing Trade Secrets, New Progress of OpenEvidence v. Doximity in US
Source: Court Listener Database
https://storage.courtlistener.com/recap/gov.uscourts.mad.286183/gov.uscourts.mad.286183.31.0.pdf
The Consumer Safety Technology Act was introduced in the Senate
Source: Senator John Curtis
https://www.curtis.senate.gov/press-releases/senators-launch-consumer-safety-technology-act-to-strengthen-ai-and-blockchain-safeguards/
California Opt-Out Act (CA-AB-566) Passed State Legislation
Source: California Legislative Information Platform
https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202120220AB556
The California CPPA organizes public meetings focusing on the right to expunge and opt-out
Source: CPPA
https://cppa.ca.gov/meetings/agendas/20250926.pdf
California CPPA completes updates to CCPA regulations on cybersecurity auditing, risk assessment, automated decision-making technologies, and insurance companies, which will take effect on January 1, 2026
Source: CPPA
https://cppa.ca.gov/announcements/2025/20250923.html
Conch AI was jointly sued by Disney, Warner and Universal in the US for massive copyright infringement
Source: CNBC News
https://www.cnbc.com/2025/09/16/disney-universal-warner-bros-discovery-sue-chinas-minimax.html?msockid=377cd08c4ec461fd2283c6ae4fa260ce
Trump Approves TikTok Deal, US and ByteDance Each Own One Company
Source: The White House
https://www.whitehouse.gov/presidential-actions/2025/09/saving-tiktok-while-protecting-national-security/#:~:text=The%20Protecting%20Americans%20from%20Foreign%20Adversary%20Controlled%20Applications,parent%20company%2C%20ByteDance%20Ltd.%2C%20on%20national%20security%20grounds

Korea:

PIPC issues guidance on requirements for foreign operators to appoint domestic agents
Source: PIPC
https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=11508&mkt_tok=MTM4LUVaTS0wNDIAAAGc957MW3F7LSBlgUmGSRGuEDEf0poKmeLBxACgvrc1FS9yuEmikS61XA85c248r9ib441Nl6-cwubU_PfLFsQ7lXFMmdM9OX5CdWbz-JRs10xrCg
PIPC inspects the current situation of domestic agent designation of overseas enterprises
Source: PIPC
https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=11538#LINK
PIPC Releases Innovation Plan for Information System and Operation of Pseudonyms? Reduce the threshold of pseudonymy and promote data innovation
Source: PIPC
https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=11532#LINK

Netherland:

AP expressed concern about LinkedIn's plan to use European user data to train AI
Source: AP
https://www.autoriteitpersoonsgegevens.nl/actueel/ap-bezorgd-over-ai-training-linkedin-en-roept-gebruikers-op-om-instellingen-aan-te-passen
AP Releases 2024 Complaint Report, Main Types of Complaints Include Illegal Processing of Personal Data, Exercise of Rights and Camera Surveillance
Source: AP
https://www.autoriteitpersoonsgegevens.nl/documenten/rapportage-klachten-2024
AP releaseCompliance alert for doorbell camera
Source: AP
https://www.autoriteitpersoonsgegevens.nl/actueel/camera-van-de-buren-grote-ergernis-ap-wil-preventieve-aanpak-deurbelcameras

Italy: Italy's AI regulation has been passed, becoming the first EU country to match the EU AI ACT
Source: Reuters News
https://www.reuters.com/technology/italy-enacts-ai-law-covering-privacy-oversight-child-access-2025-09-17/https://www.reuters.com/technology/italy-enacts-ai-law-covering-privacy-oversight-child-access-2025-09-17/
Sweden: IMY publishes guidance on the responsibility of data controllers in data security incidents
Source: IMY
https://www.imy.se/nyheter/personuppgiftsansvarigas-roll-med-anledning-av-miljodata-och-darknet/?mkt_tok=MTM4LUVaTS0wNDIAAAGc957MWzK44Hs5aGsK4S7ExdO8swfnq8qROKQkPY5cLofLxBzkAZLmfyR-YbXg14pUqwbvUgJ5tyUwbmCJzzyWxMDxTcfqsFmsrJkuvrHDi17o4g
Brazil: Brazil launched a series of data protection initiatives, including a child online protection law
Source: Brazilian government website
https://www.gov.br/planalto/pt-br/acompanhe-o-planalto/noticias/2025/09/lula-sanciona-lei-que-protege-criancas-na-internet-e-anuncia-medidas-para-ampliar-concorrencia-e-infraestrutura-digital?mkt_tok=MTM4LUVaTS0wNDIAAAGc_MerTB-NFCV2psDklEdWQAtMtL6qi0x4lc
Canada: Regulatory investigation finds TikTok violates personal information protection laws such as the Personal Information Protection and Electronic Documents Act
Source: OPC
https://www.priv.gc.ca/fr/nouvelles-du-commissariat/nouvelles-et-annonces/2025/nr-c_250923/
Liechtenstein: Data protection authorities issue guidance on employee email access requests and consideration of using AI systems to process personal data
Source: Liechtenstein Data Protection Agency
https://www.datenschutzstelle.li/aktuelles/aktuelles-aus-der-datenschutzstelle-5
France: CNIL clarifies rules on account data retention for inactive digital content
Source: CNIL
https://www.cnil.fr/fr/achat-de-contenus-numeriques-quelle-duree-de-conservation-des-comptes-inactifs
Colombia: SIC Issues External Notice No.1 on Fintech Processing of Personal Data
Source: SIC
https://sedeelectronica.sic.gov.co/transparencia/normativa/circular-externa-001-del-18-de-septiembre-de-2025

Note

本文由Gen AI翻译，仅供参考。

Translated by Gen AI service. For reference only.

本期编辑：吴佳蔚陈煜烺陈瑞庭陈曦宇张丽