Digital Economy and Data Protection Newsletter（26.09）

HOTSPOT

（Click on the source or copy the corresponding link to view the details）

1. The General Office of the State Council released the State Council’s 2026 Annual Legislative Work Plan, expressly committing to improve AI governance and to accelerate comprehensive legislation on the healthy development of AI

   Source: www.gov.cn (Chinese Government Network)

   
   

2. The National Medical Products Administration (NMPA) released the Implementing Measures for the Protection of Drug Trial Data

   Source: National Medical Products Administration (NMPA)

   
   

3. The Cyberspace Administration of Beijing and two other departments released the Administrative Measures for the Data Export Negative List of the China (Beijing) Pilot Free Trade Zone and the National Comprehensive Demonstration Zone for Expanding Opening-up of the Service Sector (Trial), the Data Export Management List (Negative List) of the China (Beijing) Pilot Free Trade Zone and the National Comprehensive Demonstration Zone for Expanding Opening-up of the Service Sector (2025 Edition), and the Filing Guidelines for the Data Export Management List (Negative List) of the China (Beijing) Pilot Free Trade Zone and the National Comprehensive Demonstration Zone for Expanding Opening-up of the Service Sector (2026 Edition)

   Source: Cyberspace Administration of Beijing

   
   

1. The Ministry of Industry and Information Technology (MIIT) released a notice on apps (SDKs) that infringe user rights and interests (3rd batch of 2026, 56th batch overall)

   Source:  The Ministry of Industry and Information Technology (MIIT)

   
   

2. The Ministry of Justice issued an announcement stating that practices related to the EU’s foreign-subsidies investigations constitute improper extraterritorial jurisdiction

   Source:  Ministry of Justice

   
   

3. The Supreme People’s Court released 5 cases relating to crimes of infringing citizens’ personal information

   Source:  Supreme People’s Court

   
   

4. The Reporting Center of the Cyberspace Administration of China (CAC) compiled the Guide to Online Reporting, the Guide to Online Rumor-Refutation, and the Guide to Reporting Online Infringement, systematically explaining the basics of online reporting and rumor-refutation, as well as reporting channels and methods

   Source:  Cyberspace Administration of China (CAC)

   
   

5. The Cyberspace Administration of China (CAC) released an announcement on filing information for generative AI services (March to April 2026)

   Source: Cyberspace Administration of China (CAC)

   https://www.cac.gov.cn/2024-04/02/c_1713729983803145.htm?sessionid=

   
   

6. The Cyberspace Administration of China (CAC) released an announcement on the 23rd batch of domestic blockchain information service filing numbers

   Source:  Cyberspace Administration of China (CAC)

   
   

7. The Central Cyberspace Affairs Commission rolled out a comprehensive deployment to advance the standardized labeling of short-video content

   Source:  Cyberspace Administration of China (CAC)

   
   

8. The National Cyber and Information Security Information Notification Center reported 41 mobile apps that illegally collect and use personal information

   Source:  National Cyber and Information Security Information Notification Center

   
   

9. The Cybersecurity Bureau of the Ministry of Public Security issued an “AI-generated content security” reminder and disclosed an administrative-penalty case against an individual

   Source:  Cybersecurity Bureau of the Ministry of Public Security

   
   

10. The Cybersecurity Bureau of the Ministry of Public Security announced that cyber-police cracked 2 cases involving paid deletion of negative product reviews, with 7 people held in criminal detention

    Source:  Cybersecurity Bureau of the Ministry of Public Security

    
    

11. The National Data Administration released the second of its second batch of representative cases on putting public data “to work” | Worry-free purchasing of used new-energy vehicles in Shanghai

    Source:  National Data Administration

    
    

12. The National Data Administration released the first of its second batch of representative cases on putting public data “to work” | Energy and meteorological data supporting the full industrial chain of new-energy development and utilization

    Source:  National Data Administration

    
    

13. The National Information Security Standardization Technical Committee (TC260) released 1 planned recommended national cybersecurity standard (project list)

    Source:  National Information Security Standardization Technical Committee (TC260)

    
    

14. The National Information Security Standardization Technical Committee (TC260): 10 national cybersecurity standards approved and released

    Source: National Information Security Standardization Technical Committee (TC260)

    https://www.tc260.org.cn/portal/article/2/5fe2f07b128a4811b316be53e4566468?sessionid=

    
    

15. The National Information Security Standardization Technical Committee (TC260) released the Ethics and Security Guidelines for AI Applications 1.0

    Source:  National Information Security Standardization Technical Committee (TC260)

    
    

16. CCTV News reported the verdict in the nation’s first case of AI ghost-writing of “product-recommendation posts”, setting a red line for the governance of “digital slop”

    Source:  CCTV News

    
    

17. Chongqing launched a “Qinglang (Clear and Bright): Rectifying Chaos in AI Applications” special campaign

    Source:  Cyberspace Administration of Chongqing

    
    

18. Cyberspace Administration of Hainan: completed the nation’s first security assessment for the export of remote-sensing satellite data

    Source:  Cyberspace Administration of Hainan

1. International: CISA and the G7 jointly released the Software Bill of Materials for AI — Minimum Elements guidance, aimed at helping public- and private-sector stakeholders improve the transparency of AI systems and supply chains

   Source: CISA

   https://www.cisa.gov/resources-tools/resources/software-bill-materials-ai-minimum-elements

   
   

2. EU:

1. The EDPB released Opinion 13/2026 on the Finnish Data Protection Ombudsman’s draft decision approving, pursuant to GDPR Article 43(3), the accreditation requirements for certification bodies

   Source: EDPB

   https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-132026-draft-decision-office-data_en

   
   

2. The European Commission released draft guidelines on high-risk AI systems

   Source: European Commission

   https://digital-strategy.ec.europa.eu/en/library/draft-commission-guidelines-classification-high-risk-ai-systems

   
   

3. CJEU: confirmed that regulators may intervene to determine the standards and amount of fair remuneration for the online use of press publications

   Source: EUR-Lex

   https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62023CJ0797

   
   

3. US:

1. The FTC began enforcing the TAKE IT DOWN Act and released accompanying resources

   Source: FTC

   https://www.ftc.gov/news-events/news/press-releases/2026/05/ftc-begins-enforcing-take-it-down-act

   
   

2. The Oklahoma Attorney General sued Temu, alleging unlawful collection of personal data and deceptive business practices

   Source: Office of the Oklahoma Attorney General

   https://oklahoma.gov/oag/news/newsroom/2026/may/drummond-files-lawsuit-against-temu-for-stealing-oklahomans-data-and-deceiving-consumers.html

   
   

3. The Texas Attorney General launched an investigation into Meta glasses, to protect Texas residents’ privacy from unlawful surveillance and facial-data collection

   Source: Texas Attorney General

   https://texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-launches-investigation-meta-glasses-protect-texans-privacy-unlawful

   
   

4. The Texas Attorney General sued Netflix, alleging that it unlawfully collected user data without users’ knowledge or consent and surveilled children and consumers in Texas

   Source: Texas Attorney General

   https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-sues-netflix-spying-texas-kids-and-consumers-illegally-collecting-users

   
   

4. UK: The ICO fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 after a serious cyberattack led to the personal information of 633,887 people being stolen and published on the dark web

   Source: ICO

   https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/05/fine-of-nearly-1m-issued-against-south-staffordshire-plc-and-south-staffordshire-water-plc/

   
   

5. France:

1. The CNIL released its 2025 annual report, with both the total amount of fines and the number of complaints reaching record highs

   Source: CNIL

   https://www.cnil.fr/fr/rapport-annuel-2025

   
   

2. The CNIL published an article on privacy-protection issues in the digital euro project

   Source: CNIL

   https://cnil.fr/fr/confidentialite-de-leuro-numerique-ou-en-sommes-nous

   
   

6. Germany: The Hamburg supervisory authority assessed the Russmedia case, clarifying the boundaries of platform governance

   Source: Hamburg DPA

   https://datenschutz-hamburg.de/fileadmin/user_upload/HmbBfDI/Datenschutz/Informationen/260512_Information_Praxisfolgen_Russmedia.pdf

   
   

7. Belgium:

1. A fintech company was fined €120,000 for breaches in the performance of its duties

   Source: Belgian Data Protection Authority

   https://www.gegevensbeschermingsautoriteit.be/burger/de-geschillenkamer-legt-3-boetes-op

   
   

2. The APD/GBA released several penalty decisions concerning issues in call-recording/monitoring scenarios, including insufficient transparency, the absence of a processor contract, test recordings, inadequate notice to employees, and recording-retention periods

   Source: Belgian Data Protection Authority

   https://www.autoriteprotectiondonnees.be/citoyen/la-chambre-contentieuse-inflige-3-amendes

   
   

8. Spain: The AEPD fined Medios de Prevención Externos Sur €36,000 after a ransomware attack led to the breach of health and identity data

   Source: AEPD

   https://www.aepd.es/documento/ps-00528-2025.pdf

   
   

9. Poland: Amendment to the National Cybersecurity System Act — sending notifications to entities entered into the register ex officio

   Source: Government of Poland

   https://www.gov.pl/web/cyfryzacja/nowelizacja-ustawy-o-krajowym-systemie-cyberbezpieczenstwa-ksc--wysylka-zawiadomien-po-wpisach-z-urzedu-do-wykazu

   
   

10. Slovenia: The Commissioner issued an opinion on the disclosure of rental-car users’ personal data to vehicle owners

    Source: Information Commissioner of Slovenia

    https://www.ip-rs.si/mnenja-zvop-2/posredovanje-osebnih-podatkov-kon%C4%8Dnih-uporabnikov-rent-a-car-vozila-lastniku-1778767206

    
    

11. Singapore:

1. The Infocomm Media Development Authority (IMDA) released version 1.5 of the Model Governance Framework for Agentic AI

   Source: IMDA

   https://www.imda.gov.sg/-/media/imda/files/about/emerging-tech-and-research/artificial-intelligence/mgf-for-agentic-ai.pdf

   
   

2. The Government and Google published the findings of the AI Agents Sandbox study

   Source: CSA

   https://www.csa.gov.sg/news-events/press-releases/ai-agents--insights-from-the-singapore-government-and-google-sandbox-/

   
   

3. The Infocomm Media Development Authority (IMDA) released a case study on the responsible deployment of OpenClaw

   Source: IMDA

   https://www.imda.gov.sg/-/media/imda/files/about/emerging-tech-and-research/artificial-intelligence/openclaw-case-study.pdf?ref=inline-article

   
   

12. Australia:

1. The OAIC updated Chapter 3 of the APP Guidelines, i.e. the guidance on “collection of solicited personal information”

   Source: OAIC

   https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-3-app-3-collection-of-solicited-personal-information

   
   

2. The OAIC updated its statement on the Instructure / Canvas global cyber incident

   Source: OAIC

   https://www.oaic.gov.au/news/media-centre/statement-on-instructure-canvas-cyber-incident

   
   

3. The NSW IPC released a guide on the privacy risks associated with generative AI tools

   Source: IPC

   https://www.ipc.nsw.gov.au/sites/default/files/2026-05/Guide_Privacy_risks_associated_with_the_use_of_generative_AI_tools_May_2026.pdf

   
   

13. New Zealand: The OPC released its latest privacy survey, finding that issues such as AI decision-making, facial recognition, and children’s digital lives are now mainstream privacy concerns

    Source: OPC

    https://www.privacy.org.nz/tuhono-connect/statements-media-releases/new-survey-privacy-concerns-are-no-longer-niche-worries/

    
    

14. Turkey:

1. The KVKK published a data-breach notification concerning 1Onbir Grup, involving unauthorized access to and deletion of data and affecting employees, users, customers/prospective customers, and others

   Source: KVKK

   https://www.kvkk.gov.tr/Icerik/8750/kamuoyu-duyurusu-veri-ihlali-bildirimi-1onbir-grup-bilisim-teknolojileri-otomotiv-sanayi-ticaret-limited-sirketi

   
   

2. The KVKK and the Radio and Television Supreme Council (RTÜK) of Turkey released a guide on the processing of personal data in live-broadcast reality-show programs, aimed at balancing privacy protection with the public’s right to know / the public interest

   Source: KVKK

   https://www.kvkk.gov.tr/Icerik/8741/canli-yayimlanan-reality-show-niteligindeki-programlarda-kisisel-verilerin-islenmesine-yonelik-rehber-lansmani

   
   

15. Industry Developments:

1. Google released new Android security and privacy features for 2026

   Source: Google

   https://blog.google/security/whats-new-in-android-security-privacy-2026/

   
   

2. OpenAI adopted Google’s SynthID (content provenance)

   Source: OpenAI

   https://openai.com/zh-Hans-CN/index/advancing-content-provenance/