
Digital Economy and Data Protection Newsletter(25.19)

TMT法律论坛 (TMT Law Forum) • 8 months ago • 210 views



Recently, on the legislative side, the CAC and SAMR issued the Measures for Certification of Outbound Transfer of Personal Information, the CAC and NDRC issued the Guidance on Deployment and Application of Large AI Models in the Government Sector, and SAMR approved a new batch of national standards. In practice, SAMR opened an antitrust investigation into Qualcomm and released the third batch of typical service-oriented enforcement cases, MIIT and six other ministries jointly issued the Implementation Plan for Deepening Service-Oriented Manufacturing Innovation (2025-2028), and the Hangzhou Internet Court heard a public-interest civil suit against telecom fraud. Overseas, ISO published the 2025 update of ISO 27701; the European Commission sought comments on AI incident-reporting guidelines and, together with the EDPB, on the interaction between the DMA and GDPR; Ireland’s DPC published the full TikTok penalty decision; and California passed the OPT-OUT Act, among other developments.


HOTSPOT




CAC and SAMR Issue the Measures for Outbound Transfer Personal-Information Certification


On 17 October 2025, the CAC and the SAMR jointly issued the Measures for Outbound Transfer Personal-Information Certification (the “Measures”). The Measures formally establish, at the level of normative documents, the implementation mechanism for outbound-transfer personal-information certification and will take effect on 1 January 2026, thereby completing the final piece of China’s outbound data-transfer regulatory puzzle. Outbound-transfer personal-information certification is a conformity-assessment activity in which a professional certification body that has legally obtained personal-information protection certification credentials proves the compliance of a personal-information processor’s outbound transfer of personal information and related processing activities. Its scope of application is identical to that of the standard-contract filing mechanism for outbound personal-information transfers. The Measures mainly prescribe pre-certification obligations such as the personal-information protection impact assessment and its key assessment items, management and sharing of certification certificates, filing and supervision of professional certification bodies, and penalties. In addition, an overseas personal-information processor covered by Article 3(2) of the Personal Information Protection Law that applies for outbound-transfer personal information certification must be assisted in the application by a dedicated institution or designated representative it has established in China.


Source: CAC






Irish DPC Publishes Full TikTok Penalty Decision


On 2 May 2025, the Irish Data Protection Commission (DPC) imposed a €530 million (≈ RMB 4.4 billion) fine on TikTok. On 2 October 2025, the DPC released the full decision, finding TikTok in breach of two core GDPR provisions: (1) failure to verify and ensure that EU-user data transferred to China receives protection essentially equivalent to that in the EU (Arts. 44 & 46 GDPR) – €485 million; (2) privacy policy that did not adequately inform users that their personal data would be transferred to China because of remote access by China-based teams (Art. 13(1)(f) GDPR) – €45 million.

Although TikTok relied on Standard Contractual Clauses (SCCs) to legitimize the transfers, the DPC held that it had not discharged its controller duties: TikTok had not sufficiently assessed whether Chinese law and practice could provide essentially equivalent protection, in particular failing to show that the “territoriality principle” excludes the extraterritorial reach of the National Intelligence Law and similar statutes over EU data remotely accessed from China. Despite TikTok’s “Project Clover” data-localization program and multiple legal-expert reports claiming that only limited data are transferred and are subject to external audit, the DPC found the assessment fundamentally flawed and upheld the penalty. The DPC also rejected the argument that “remote access only” inherently lowers regulatory risk and ordered TikTok, within six months of the expiry of any appeal, to bring processing into full compliance with GDPR Chapter V, failing which data transfers will be suspended. TikTok has stated it will appeal in full.


Source: Irish DPC

https://www.dataprotection.ie/en/treoir-ccs/law/decisions/inquiry-tiktok-technology-limited-april-2025






ISO Releases Updated Version ISO/IEC 27701:2025 Information Security, Cybersecurity and Privacy Protection — Privacy Information Management Systems — Requirements and Guidance


On October 14, 2025, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) officially released ISO/IEC 27701:2025 Information Security, Cybersecurity and Privacy Protection — Privacy Information Management Systems — Requirements and Guidance (the "New Version 27701"). This standard provides specific requirements and implementation guidelines for various organizations to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS).

The New Version 27701 applies to all controllers and processors (including sub-processors) that collect, process, store, or control personally identifiable information (PII), covering public and private companies, government entities, and non-profit organizations. The most notable change of the new version is its transition from an extension standard of ISO/IEC 27001 to an independent management system standard (MSS). This means organizations no longer need to obtain ISO/IEC 27001 certification first and can directly apply for PIMS certification.

The main content of the standard includes general management system clauses such as organizational context, leadership, planning, support, operation, performance evaluation, and improvement. It is also supplemented with reference control objectives and measures for PII controllers and processors, implementation guidelines, and corresponding relationships with other privacy frameworks (e.g., ISO/IEC 29100, EU General Data Protection Regulation (GDPR), and the old version of ISO/IEC 27701).


Source: ISO

https://www.iso.org/standard/27701





EDPB and European Commission Jointly Issue Guidelines on the Interplay Between DMA and GDPR


On October 9, 2025, the European Data Protection Board (EDPB) and the European Commission approved joint guidelines on the interplay between the Digital Markets Act (the "DMA") and the General Data Protection Regulation (the "GDPR") (the "Guidelines"). The first version of the Guidelines has launched a joint public consultation, which will remain open until December 4, 2025. The Guidelines primarily target digital platforms designated as "gatekeepers," aiming to ensure coordinated interpretation and application of the DMA and GDPR while avoiding conflicts. In principle, the DMA pursues a "fair and contestable digital market," while the GDPR safeguards "personal data protection and free flow"—their objectives are complementary, with the former restricting data monopolies and the latter ensuring legal data use. The Guidelines will help gatekeepers, business users, and individuals better understand their obligations and rights under the DMA, and ensure the consistent, effective, and complementary application of the DMA and EU data protection laws.


Source: European Commission

https://digital-markets-act.ec.europa.eu/public-consultation-joint-guidelines-interplay-between-dma-and-gdpr-2025-10-09_en







NEWSLETTER



(Click on the source or copy the corresponding link to view the details)




LEGISLATION

  1. Cyberspace Administration of China (CAC) and State Administration for Market Regulation (SAMR) jointly released the Measures for the Certification of Personal Information Exports

    Source: CAC


  2. CAC and National Development and Reform Commission (NDRC) issued the Guidelines on the Deployment and Application of AI Large Models in Government Affairs

    Source: CAC (Central Cyberspace Affairs Commission)

    https://www.cac.gov.cn/2025-10/10/c_1761819469876932.htm


  3. Ministry of Industry and Information Technology (MIIT) published the Draft Administrative Review Requirements for Road Motor Vehicle Manufacturing Enterprises, Draft Administrative Review Requirements for Road Motor Vehicle Products, and Draft Decision on Amending the Administrative Provisions on the Access of New Energy Vehicle Manufacturing Enterprises and Products

    Source: MIIT

    https://wap.miit.gov.cn/jgsj/zbys/qcgy/art/2025/art_c8630ff7c8474a95be441e53c6ced14a.html


  4. NDRC and SAMR released the Announcement on Regulating Price Disorderly Competition and Maintaining a Sound Market Price Order

    Source: NDRC

    https://www.ndrc.gov.cn/xxgk/jd/jd/202510/t20251009_1400869.html


  5. Supreme People's Court (SPC) promulgated the Provisions on the Jurisdiction of Internet Courts

    Source: SPC


  6. General Office of the State Council (GOSC) issued the Measures for the Administration of Electronic Seals

    Source: State Council

    https://www.gov.cn/zhengce/content/202510/content_7043696.htm


  7. National Data Administration (NDA) published the Guidelines on Typical 'Data Elements ×' Scenarios in Nine Fields Including Industrial Manufacturing and Modern Agriculture

    Source: NDA

    https://www.nda.gov.cn/sjj/zwgk/tzgg/0930/20250930162702169299833_pc.html


  8. MIIT and Standardization Administration of China (SAC) jointly released the 2025 Edition of the Construction Guide for the Comprehensive Cloud Computing Standardization System

    Source: MIIT

    https://wap.miit.gov.cn/zwgk/zcwj/wjfb/tz/art/2025/art_60eeb6e673e1423ea27ac6dd81830013.html


  9. SAMR approved and released a batch of national standards covering emerging fields such as smart connectivity, digital twins, robotics, and the Internet of Things

    Source: SAMR

    https://www.samr.gov.cn/xw/zj/art/2025/art_704e47330cc3430796bf595311751fc2.html


  10. China-led international standard proposal on Smart Mobility Service Security and Privacy was successfully approved by the international cybersecurity standards organization

    Source: SAMR

    https://www.samr.gov.cn/xw/sj/art/2025/art_3a98c637cbf14456a208ee085fb4de2c.html


  11. China Electronics Chamber of Commerce (CECC) released the Group Standard for Intellectual Property Guidelines for Generative AI

    Source: National Group Standard Information Platform

    https://www.ttbz.org.cn/Home/Show/108768


  12. Shenzhen Municipality published the 2025 Edition of the Guidelines on Strengthening Personal Information Protection for Mobile Applications in Shenzhen

    Source: Cyberspace Administration of Guangdong Province


  13. Zhejiang Province implemented the Measures for the Implementation of the Anti-Telecom and Network Fraud Law of the People's Republic of China in Zhejiang Province

    Source: Hangzhou Internet Court


  14. Gansu Province promulgated the Gansu Provincial Data Regulations

    Source: Gansu Government Service Network

    https://zwfw.gansu.gov.cn/sbqd/swszfapbs/zcwj/art/2025/art_e4ab75c27e124035b0906a2889521323.html?sessionid=-1724061736


  15. Yunnan Province released the Draft Implementation Rules for the Registration of Public Data Resources in Yunnan Province (Trial)

    Source: Yunnan Provincial Data Bureau



INDUSTRY TRENDS

  1. SAMR initiated an investigation into Qualcomm Inc. for suspected violations of the Anti-Monopoly Law

    Source: SAMR

    https://www.samr.gov.cn/xw/zj/art/2025/art_d1fc65d76fd8491a8f5ab7405c5ed798.html


  2. SAMR published the Third Batch of Typical Cases of Service-Oriented Law Enforcement in Market Regulation

    Source: SAMR

    https://www.samr.gov.cn/xw/zj/art/2025/art_92102e3abba4452b849079569f668d3b.html


  3. MIIT and six other ministries jointly issued the Implementation Plan for Deepening the Innovative Development of Service-Oriented Manufacturing (2025–2028), aiming to enhance the supply of industrial data elements

    Source: MIIT


  4. Hangzhou Municipal Market Supervision Bureau (HMMB) released the Top Ten Cases of Data Protection Administrative Law Enforcement in Hangzhou (2017–2025)

    Source: HMMB


  5. Beijing Municipal Market Supervision Bureau (BMMB) cracked down on a case of false advertising using AI technology

    Source: BMMB


  6. Cyberspace Administration of Hunan Province imposed administrative penalties on a cultural tourism company for failing to fulfill data security obligations

    Source: Cyberspace Administration of Hunan Province


  7. Cyberspace Administration of Hunan Province and Hunan Communications Administration jointly notified 41 mobile applications that failed to complete rectification on schedule

    Source: Cyberspace Administration of Hunan Province


  8. Cyberspace Administration of Changde City (Hunan Province) and Changde Municipal Health Commission jointly interviewed 10 medical institutions

    Source: Cyberspace Administration of Changde City


  9. Zhejiang Communications Administration (ZCA) issued a circular on APPs (mini-programs) violating user rights (2025 Batch 8)

    Source: ZCA


  10. Shanghai Municipal People's Government released Several Measures to Accelerate Frontier Technology Innovation and Future Industry Cultivation

    Source: Shanghai Municipal People's Government

    https://www.shanghai.gov.cn/nw12344/20251011/6b29e980fd8741eea2b9408b2877019c.html


  11. Hangzhou Internet Court publicly heard and pronounced judgment on a civil public interest lawsuit against telecom fraud

    Source: Hangzhou Internet Court


  12. WeChat clarified that it will no longer reclaim long-unused accounts or delete inactive users' Moments content

    Source: Xinhua News Agency



OVERSEAS

  1. International: ISO published the updated ISO 27701:2025 Information Security, Cybersecurity, and Privacy Protection – Privacy Information Management Systems – Requirements and Guidelines

    Source: ISO

    https://www.iso.org/standard/27701


  2. European Union:

    1. European Commission (EC) released a draft guidance on AI incident reporting obligations under the AI Act

      Source: EC

      https://digital-strategy.ec.europa.eu/en/consultations/ai-act-commission-issues-draft-guidance-and-reporting-template-serious-ai-incidents-and-seeks


    2. EC proposed the 'AI for Applications Strategy' and 'AI for Science Strategy' to accelerate AI implementation

      Source: EC

      https://ec.europa.eu/commission/presscorner/detail/en/ip_25_2299?mkt_tok=MTM4LUVaTS0wNDIAAAGdZEaZv2o83rbzsIC3ayWWhAQCecN4jKd-X2dx5tsezWg33i3wcpvCuGYp6pH-4wtppVLo5zYkrBblUOieQkG6ZTYrlP01o5Xw-ytCudOmRey5Bw


    3. European Data Protection Board (EDPB) announced transparency requirements as a 2026 enforcement priority

      Source: EDPB

      https://www.edpb.europa.eu/news/news/2025/coordinated-enforcement-framework-edpb-selects-topic-2026_et


    4. EDPB released recommendations on calculating audit cycles for EU large-scale IT systems

      Source: EDPB

      https://www.edpb.europa.eu/our-work-tools/our-documents/csc-documents/recommendations-calculating-audit-cycle-eu-large-scale_en


    5. EC launched DSA investigations into Snapchat, YouTube, Apple App Store, and Google Play

      Source: EC

      https://digital-strategy.ec.europa.eu/en/news/commission-scrutinises-safeguards-minors-snapchat-youtube-apple-app-store-and-google-play-under#:~:text=The%20Commission%20is%20requesting%20Snapchat%2C%20YouTube%2C%20Apple%20and,harmful%20material%2C%20such


    6. New EU rules on political advertising came into effect

      Source: EC

      https://commission.europa.eu/news-and-media/news/new-eu-rules-political-advertising-come-effect-2025-10-10_en


    7. EC released the enhanced second version of the age verification blueprint

      Source: EC

      https://digital-strategy.ec.europa.eu/en/news/commission-releases-enhanced-second-version-age-verification-blueprint#:~:text=The%20Commission%20released%20a%20second%20version%20of%20the,in%20order%20to%20generate%20a%20proof%20of%20age


    8. EC and EDPB jointly published guidelines on the interplay between DMA and GDPR

      Source: EC

      https://digital-markets-act.ec.europa.eu/public-consultation-joint-guidelines-interplay-between-dma-and-gdpr-2025-10-09_en


    9. EC launched the 'Apply AI Alliance' to shape European AI policies

      Source: EC

      https://digital-strategy.ec.europa.eu/en/news/commission-launches-apply-ai-alliance-shape-european-ai-policies


    10. EU mobile game developers criticized the draft Digital Fairness Act and cryptocurrency-related legislative proposals in the Consumer Protection Cooperation Network guidelines

      Source: LinkedIn

      https://www.linkedin.com/posts/ilkkapaananen_lets-not-kill-one-of-europes-few-tech-success-activity-7381554010337554432-db_j


  3. Ireland:

    1. Data Protection Commission (DPC) published the full penalty decision on TikTok

      Source: Irish DPC

      https://www.dataprotection.ie/en/treoir-ccs/law/decisions/inquiry-tiktok-technology-limited-april-2025


    2. Digital Regulation Group (DRG) released the Short Guide to Digital Regulation

      Source: Irish DPC

      https://www.dataprotection.ie/en/news-media/latest-news/DRG-produces-Short-Guide-to-Digital-Regulation


    3. DPC launched an investigation into the resale of precise location data of tens of thousands of mobile phones, involving political and military facilities

      Source: Irish DPC

      https://www.dataprotection.ie/ga/nuacht-agus-na-meain/teolas-deireanai-fos-gcoimisiun-maidir-le-himscrudu-prime-time-rte


  4. United States:

    1. Subpart J of Executive Order 14117 (addressing restricted transactions) took effect

      Source: U.S. Department of Justice (DOJ)

      https://www.justice.gov/nsd/media/1382521/dl?inline


    2. Federal Trade Commission (FTC) accused Sendit App and its CEO of unlawfully collecting children's personal data

      Source: FTC

      https://www.ftc.gov/news-events/news/press-releases/2025/09/ftc-alleges-sendit-app-its-ceo-unlawfully-collected-personal-data-children-deceived-users-about


    3. National Institute of Standards and Technology (NIST) sought public comments on the Cybersecurity Framework 2.0 Manufacturing Profile

      Source: NIST

      https://www.nist.gov/news-events/news/2025/09/cybersecurity-framework-20-manufacturing-profile-nist-ir-8183r2-initial


    4. Cybersecurity and Infrastructure Security Agency (CISA) evaluation found cybersecurity risks in DeepSeek AI models

      Source: NIST

      https://www.nist.gov/news-events/news/2025/09/caisi-evaluation-deepseek-ai-models-finds-shortcomings-and-risks


    5. California Governor signed a bill on customer data breach notification

      Source: California Governor's Office

      https://www.gov.ca.gov/2025/09/29/governor-newsom-signs-sb-53-advancing-californias-world-leading-artificial-intelligence-industry/#:~:text=SACRAMENTO%20%E2%80%94%20Governor%20Newsom%20today%20signed%20into%20law,continuing%20to%20spur%20innovation%20in%20these%20new%20technologies


    6. California Governor signed a bill on transparency for frontier AI

      Source: California Governor

      https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB446


    7. California Governor signed a bill on health and location data privacy

      Source: California State Assembly

      https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260AB45


    8. California Governor signed the OPT-OUT Act (AB 566)

      Source: California State Assembly

      https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260AB566


    9. California Governor signed bills strengthening online child protection, including age verification

      Source: California Governor's Website

      https://www.gov.ca.gov/2025/10/13/governor-newsom-signs-bills-to-further-strengthen-californias-leadership-in-protecting-children-online/


    10. California Governor signed the Data Broker Data Collection and Deletion Act (SB 361)

      Source: Legiscan

      https://legiscan.com/CA/bill/SB361/2025


    11. California Privacy Protection Agency (CPPA) fined Tractor Supply $1.35 million for failing to inform consumers/job seekers of privacy rights and ignoring opt-out requests

      Source: CPPA

      https://cppa.ca.gov/announcements/2025/20250930.html


    12. California Attorney General obtained a preliminary injunction blocking the U.S. Department of Agriculture from requiring personal and sensitive information of SNAP beneficiaries

      Source: California Attorney General

      https://oag.ca.gov/news/press-releases/court-blocks-data-grab-attorney-general-bonta-secures-order-halting-trump


    13. California court denied LinkedIn's motion to dismiss three class-action lawsuits over unlawful collection of user health data

      Source: Courthouse News Service

      https://www.courthousenews.com/wp-content/uploads/2025/10/linkedin-class-action-medical-data-denied-dismissal-1.pdf


    14. Florida Attorney General sued Roku for excessive child data processing

      Source: Florida Phoenix

      https://floridaphoenix.com/2025/10/14/florida-attorney-general-alleges-roku-sold-kids-information/


    15. Louisiana Governor prohibited government systems from using Chinese AI platforms

      Source: Louisiana Governor's Office

      https://gov.louisiana.gov/news/4960


    16. New York state's algorithmic pricing disclosure rule was challenged as 'compelled speech,' but the court dismissed the lawsuit

      Source: Court Listener

      https://storage.courtlistener.com/recap/gov.uscourts.nysd.645244/gov.uscourts.nysd.645244.44.0.pdf


  5. Canada:

    1. Interactive Advertising Bureau (IAB) released AI use cases for digital marketing

      Source: IAB Canada

      https://iabcanada.com/iab-canada-releases-ai-use-cases-for-digital-advertising/


    2. Ontario Information and Privacy Commissioner (IPC) updated de-identification guidelines for structured data

      Source: Ontario IPC

      https://www.ipc.on.ca/en/resources/de-identification-guidelines-structured-data


  6. Latvia:

    1. Data State Inspectorate (DVI) published guidelines on disclosing trade union membership

      Source: DVI

      https://www.dvi.gov.lv/lv/jaunums/dviskaidro-vai-darba-devejam-ir-jazina-ka-esmu-arodbiedriba


    2. DVI released guidelines on sharing surveillance footage with police

      Source: DVI

      https://www.dvi.gov.lv/lv/jaunums/dviskaidro-vai-uznemums-var-nodot-videonoverosanas-ierakstus-policijai-ja-tajos-fiksets-noziedzigs-nodarijums


  7. United Kingdom:

    1. Meta's 'pay or consent' advertising model was approved in the UK

      Source: Information Commissioner's Office (ICO)

      https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/09/ico-statement-on-changes-to-meta-advertising-model/?sessionid=-1812497575


    2. Renault UK suffered a data breach due to a cyberattack on a third-party provider

      Source: Sky News

      https://news.sky.com/story/customer-details-stolen-in-renault-uk-cyber-attack-13443469


  8. France: CNIL imposed 16 simplified penalties targeting illegal video surveillance, unauthorized marketing, and non-compliance

    Source: CNIL

    https://www.cnil.fr/fr/la-cnil-prononce-16-nouvelles-sanctions-dans-le-cadre-de-la-procedure-simplifiee


  9. Switzerland: Federal Data Protection and Information Commissioner (FDPIC) updated cookie guidelines

    Source: FDPIC

    https://www.edoeb.admin.ch/en/cookie-guidelines-updated-version


  10. Italy: Italian AI Regulation (Law No. 132) came into force

    Source: Lexology

    https://www.lexology.com/library/detail.aspx?g=0dc3fa7f-4ab1-4504-af5f-ddfca35ef91a


  11. Spain: Agència de Protecció de Dades de Catalunya (APDCAT) updated DPIA online tools and practical guidelines

    Source: APDCAT

    https://apdcat.gencat.cat/en/sala_de_premsa/notes_premsa/noticia/Renovacio-app-AIPD


  12. Brazil: Chamber of Deputies approved a bill banning dangerous content for minors

    Source: Brazilian Chamber of Deputies

    https://www.camara.leg.br/proposicoesWeb/fichadetramitacao?idProposicao=2497761


  13. Vietnam: Ministry of Science and Technology (MST) launched public consultations on the AI law draft

    Source: MST

    https://mst.gov.vn/van-ban-phap-luat/du-thao/2294.htm


  14. Turkey: Personal Data Protection Board (KVKK) updated registration guidelines and Q&A documents for data controllers

    Source: KVKK

    https://www.kvkk.gov.tr/Icerik/8388/KAMUOYU-DUYURUSU


  15. Japan: Personal Information Protection Commission (PPC) held a roundtable on personal information protection policies and released a summary

    Source: PPC

    https://www.ppc.go.jp/personalinfo/kentohkai/kondankai_1/


  16. Ecuador: Superintendencia de Protección y Defensa del Pueblo (SPDP) published a draft data transfer regulation

    Source: SPDP

    https://spdp.gob.ec/proyectos-normativos/#


  17. Indonesia: Komisi Pengawas Persaingan Usaha (KPPU) fined TikTok Shop for delayed notification of an acquisition

    Source: KPPU

    https://kppu.go.id/blog/2025/09/51383/



Note

Translated by Gen AI service. For reference only.


Editors of this issue: 吴佳蔚, 陈煜烺, 林婉琪, 陈瑞庭, 陈曦宇, 张丽
