China Monthly Data Protection Update: July 2025

[co-author: Ken Dai]

Developments Highlights

Legislation

On June 27, 2025, the Cyberspace Administration of China (“CAC”) released the third edition of the Data Export Security Assessment Application Guide. The new version streamlines documentation requirements and clarifies the procedures for extending the validity period. Eligible data processors are required to submit assessments and may apply for an extension up to 60 working days before expiration. Online submissions accepted via the Data Export Declaration System.¹

CAC Issues Cyberspace Administrative Penalty Discretion Standards

On June 27, the CAC published the Cyberspace Administrative Penalty Discretion Standards, which will take effect on August 1, 2025. The new framework establishes a five-tier penalty system (no penalty, mitigated, lenient, standard, severe) and specifies application criteria. The standards emphasize legal uniformity, fairness, and proportionality. Provincial CAC branches are authorized to draft local implementation rules. A supervision mechanism is introduced to ensure proper discretion.²

CAC Seeks Public Comments on Draft Classification Measures for Online Information Potentially Harmful to Minors’ Physical and Mental Health

On June 13, the CAC released the Draft Classification Measures for Online Information Potentially Harmful to Minors’ Physical and Mental Health for public comments. The draft outlines 12 categories of content that may induce harmful behavior, 8 types of content that may distort values, and 8 forms of inappropriate use of minors’ images. It requires prominent warnings for such content and prohibits its display in key locations such as homepages, aiming to strengthen online protections for minors and foster a healthier digital environment.³

MIIT, CAC and Six Other Departments Release Automotive Data Cross-Border Security Guidelines 2025 (Draft for Comments)

On June 13, the Ministry of Industry and Information Technology (“MIIT”), the CAC and six other departments jointly released the Automotive Data Cross-Border Security Guidelines (2025 Edition) (Draft for Comments) for public comment. The Draft aims to establish an efficient and practical framework for cross-border automotive data flows and to clarify security and compliance requirements for outbound automotive data transfers.⁴

Authorities

On June 26, the MIIT’s Information and Communications Administration issues its third batch (48^th overall) of 2025 notices regarding apps and SDKs infringing user rights. Third-party testing identified 57 applications illegally collecting or using personal data.⁵

Four Chinese Ministries Flag 45 Apps for Excessive Data Collection

On June 24, the CAC, the MIIT, the Ministry of Public Security and the SAMR jointly released the third batch of 2025 non-compliant app listings. Testing by the Ministry of Public Security identified 45 apps with 12 types of violations, including failure to disclose data collection rules, excessive collection of personal information, and forced requests for unnecessary permissions. Popular apps like “Hellobike” and “Hongguo Short Drama” were found to have multiple violations, while 8 of 35 apps listed in the previous notice had not completed rectification as of the latest review.⁶

Shanghai Regulators Issue Facial Recognition Compliance Guidelines

On June 23, Shanghai CA, together with the Municipal Communications Administration, Public Security Bureau, and eight other departments, convened a joint coordination meeting and issued the Shanghai Facial Recognition Technology Application Security Governance Mechanism (Version 1.0) and a compliance initiative. The initiative sets out six key prohibitions, including a ban on mandatory use without necessity and processing or analysis without consent. Authorities will focus on addressing key biometric application issues, developing compliance guidelines, and strengthening public awareness.⁷

Beijing Launches Data Security Campaign Targeting Consumer Apps

On June 16, Beijing CA launched a special campaign targeting data security and personal information protection in 11 consumer service sectors, including smart parking and online food ordering. Random inspections of 197 apps uncovered 388 issues, primarily involving failure to disclose data collection rules and collection of personal information without consent.⁸

NCVERC Reports 64 Apps Illegally Collecting Personal Data

On June 18, the National Computer Virus Emergency Response Center(“NCVERC”) reported that 64 mobile applications were found to have violated personal information protection rules. Issues included failure to clearly disclose privacy policies, unclear or excessive data collection scopes, sharing personal data without user consent, mandatory data collection, and unreasonable barriers to account deletion.⁹

Enforcement Cases

On June 13, 2025, the Beijing CA reported two cases of failure to implement proper data access controls. One company exposed personal data to overseas IPs due to backend vulnerabilities; the other left its Elasticsearch database open without access restrictions. Both companies were fined RMB 50,000 and received official warnings.¹⁰

Gansu Authorities Investigate Unlawful Sale of Personal Information Collected Through Access Control System

Recently, the cybersecurity division of the public security bureau in Qingyang, Gansu Province, investigated a case involving the unlawful sale of personal information. A property management employee exploited access to the residential access control system to obtain and sell residents’ personal and vehicle information to real estate agents for profit. One individual has been placed under criminal detention, while two property managers and four real estate agents have received administrative penalties.¹¹

Chongqing Real Estate Firm Fined RMB 10,000 for Illegal Facial Data Collection

Chongqing Dadukou District CA, penalized a property developer for unauthorized facial recognition data collection. The company secretly installed image-capturing devices at its sales office, gathering and storing 12,000 customer records (including over 5,000 facial images) without consent for marketing purposes. The company was ordered to rectify the violations, received a formal warning, and was fined RMB 10,000.¹²

Court Litigation

On June 16, the Supreme People’s Court of P.R.C. (“SPC”) issued a landmark personal information protection case establishing that automatic pre-checked privacy policy consent boxes constitute infringement. The case involved a dictionary app that forcibly collected users’ phone numbers by: (1) automatically pre-selecting the “agree to privacy policy” option; (2) denying service to users who refused to consent; and (3) failing to provide a means to withdraw consent. The court emphasized that app operators must follow the “minimum necessity” principle and must not mandatorily collect personal information unrelated to the service.¹³

1. https://www.cac.gov.cn/2025-06/27/c_1752652339765002.htm?sessionid=
2. https://mp.weixin.qq.com/s/MkVwI75Pw31QC7fDrfvV0w?scene=25&sessionid=#wechat_redirect
3. https://www.cac.gov.cn/2025-06/20/c_1752130362026338.htm?sessionid=
4. https://mp.weixin.qq.com/s/CoHGvrJPVWjq6GG79NB-Vw?scene=25&sessionid=#wechat_redirect
5. https://mp.weixin.qq.com/s/KiKmXAyiz1qaqbeUpCxF2g?scene=25&sessionid=#wechat_redirect
6. https://mp.weixin.qq.com/s/1aCQ8SaOfP1GuVUTDEVYVA?scene=25&sessionid=#wechat_redirect
7. https://mp.weixin.qq.com/s/NF2eFiJb3Qr82HjWL1CSPQ?scene=25&sessionid=#wechat_redirect
8. https://www.beijing.gov.cn/ywdt/gzdt/202506/t20250616_4113716.html?sessionid=
9. https://mp.weixin.qq.com/s/3LPauhKPOT_XL5URWuashA?scene=25&sessionid=#wechat_redirect
10. https://mp.weixin.qq.com/s/Fzt00_CXsooCHWtWGutL7g?scene=25&sessionid=#wechat_redirect
11. https://mp.weixin.qq.com/s/epxD0FzVy_oOltG_rbw3Mw?scene=25&sessionid=#wechat_redirect
12. https://mp.weixin.qq.com/s/mjAOSkvJkfZWU8R7h9dDfA?scene=25&sessionid=#wechat_redirect
13. https://www.court.gov.cn/zixun/xiangqing/467931.html?sessionid=