China Monthly Data Protection Update: May 2025

[co-author: Ken Dai]

Developments Highlights

This monthly report outlines key developments in China’s data protection sector for May. The following events merit special attention:

• CAC Completes 298 Data Cross-Border Security Assessments, 7 Projects Rejected for Non-Compliance: On April 9, CAC issued the Data Cross-Border Security Management Policy Q&A, stating that as of March 2025, CAC had completed 298 data outbound security assessments, 44 of which involved important data. Of these, 7 projects were not approved, resulting in a rejection rate of 15.9%.

• RedNote and Bilibili Launch “One-Click Break the Cocoon” Feature to Visualize Information Cocoons and Adjust Recommendation Preferences: Recently, under the guidance of cyberspace authorities, social platforms RedNote and Bilibili introduced the “One-Click Break the Cocoon” feature, which uses visual charts to display the extent of users’ “information cocoons” and allows users to manually adjust their content preference settings for personalized recommendations.

• Taiwanese Bank and Data Security Officer Penalized by Shanghai Regulator for Inadequate Data Controls: On April 7, the Shanghai Bureau of the National Financial Regulatory Administration imposed a 300,000 yuan fine on Cathay United Bank (China) for “insufficient data security controls”, while the responsible officer, Mr. Jin, received a formal warning.

Legislation

TC260 Releases Cybersecurity Standard Practice Guidelines—Requirements for Personal Information Protection Compliance Audits (Draft for Comments)

On April 28, 2025, the National Technical Committee 260 on Cybersecurity of Standardization Administration of China (“TC260”) released the Cybersecurity Standard Practice Guidelines—Requirements for Personal Information Protection Compliance Audits (Draft for Comments), publicly soliciting comments with a feedback deadline of May 6.¹

NDA Issues 2025 Work Priorities on Establishing Foundational Data Systems to Enhance the Role of Data as a Factor of Production

On April 28, the National Data Administration (“NDA”) issued the 2025 Work Priorities on Establishing Foundational Data Systems to Enhance the Role of Data as a Factor of Production, implementing the tasks outlined in the Opinions on Establishing Foundational Data Systems to Enhance the Role of Data as a Factor of Production jointly issued by the CCCPC and the State Council. The document mandates the establishment of a data property rights system that safeguards rights and interests and ensures compliant usage, among other measures.²

NDA Releases Four Model Data Flow Transaction Contracts

On April 18, the NDA issued four sample contracts for data circulation and transactions , including the Data Provision Contract, Data Processing Entrustment Contract, Data Fusion and Development Contract, and Data Intermediary Services Contract, opening a public consultation period from April 18 to May 18, 2025.³

PBOC and Five Other Agencies Jointly Issue Compliance Guidelines for Promoting and Regulating Cross-Border Data Flow in the Financial Sector

On April 17, the People’s Bank of China (“PBOC”), National Financial Regulatory Administration, China Securities Regulatory Commission, State Administration of Foreign Exchange, Cyberspace Administration of China (“CAC”), and NDA jointly issued the Compliance Guidelines for Promoting and Regulating Cross-Border Data Flow in the Financial Sector, which further clarifies the specific circumstances under which outbound data transfer is possible, as well as the list of data items that are permitted to flow across borders.⁴

Zhejiang CA Releases Management Measures and 2024 Negative List for Cross-Border Data Transfers in Pilot Free Trade Zone

On April 10, the Zhejiang Provincial Cyberspace Administration(“CA”), Provincial Department of Commerce, and Provincial Data Administration, in conjunction with relevant departments, formulated the Management Measures for the Negative List of Cross-Border Data Transfers in China (Zhejiang) Pilot Free Trade Zone (Trial) and the 2024 Negative List for Cross-Border Data Transfer Management in China (Zhejiang) Pilot Free Trade Zone, in accordance with the Regulations on Promoting and Regulating Cross-Border Data Flows.⁵

CAC Completes 298 Data Cross-Border Security Assessments, 7 Projects Rejected for Non-Compliance

On April 9, CAC issued the Q&A on Data Cross-Border Security Management Policies, addressing key concerns raised by enterprises and the public to provide authoritative guidance, assisting data handlers in conducting cross-border data transfers efficiently and compliantly. According to the Q&A, as of March 2025, CAC had completed 298 data outbound security assessments, 44 of which involved important data. Of these, 7 projects were not approved, resulting in a rejection rate of 15.9%.⁶

TC260 Announces Information Security Technology—Personal Information Security Specification Is to Be Revised

On April 1, the Secretariat of the TC260 released the first batch of 2025 national cybersecurity standard development priorities, proposing revisions to GB/T 35273-2020 Information Security Technology—Personal Information Security Specification. The updates will ensure compatibility with current legal frameworks.⁷

Authorities

2025 Data Security and Personal Information Protection Regulations and Policy Series Seminar Successfully Held in Hangzhou

On April 23, the “Digital Security China Tour - 2025 Data Security and Personal Information Protection Regulations and Policy Series Seminar (Hangzhou Station)” was held in Hangzhou, Zhejiang Province. This seminar provided both authoritative interpretations of policies and regulations as well as practical guidance for industry scenarios, effectively preventing data security risks and providing solid safeguards for the high-quality development of the digital economy.⁸

RedNote and Bilibili Launch “One-Click Break the Cocoon” Feature to Visualize Information Cocoons and Adjust Recommendation Preferences

Recently, under the guidance of cyberspace authorities, social platforms RedNote and Bilibili introduced the “One-Click Break the Cocoon” feature, which uses visual charts to display the extent of users’ “information cocoons” and allows users to manually adjust their content preference settings for personalized recommendations.⁹

CAC Intensifies Crackdown on Doxing and Illegal Personal Data Trading

On April 15, CAC held a national internet reporting work conference in Zhengzhou, Henan Province. The meeting required strengthening coordinated efforts in handling online ecological reports, improving the effectiveness of enterprise-related cyber infringement reporting, intensifying the acceptance and handling of reports on illegal activities such as “Kaihe” doxing (public exposure of others’ privacy) and illegal trading of personal information, and actively fostering a healthy and clear online ecosystem.¹⁰

Shanghai Medical Service Internet Companies Fined for Data Breaches Due to Cybersecurity Vulnerabilities Exploited by Foreign IP

Recently, the Shanghai CA identified during a special enforcement campaign that a number of internet-based healthcare service companies had failed to fulfill their cybersecurity and data security protection obligations as required by law. Their systems contained cybersecurity vulnerabilities that were accessed and exploited by foreign IP addresses, resulting in personal information leaks. The Shanghai CA imposed administrative penalties on these healthcare service internet companies in accordance with relevant laws and regulations.¹¹

Ministry of Public Security Discloses Three Typical Cases of Personal Information Infringement Involving Illegal Acquisition and Trading

On April 21, 2025, the Ministry of Public Security announced three typical cases of crimes involving the infringement of citizens’ personal information. Investigations revealed that criminals had created an entire industry chain by using methods such as implanting Trojan programs and colluding with insiders, conducting illegal activities that severely disrupted citizens’ daily lives.¹²

119 Apps Named in Special Campaign on Personal Information Protection for Violations Including Illegal Cross-Border Data Transfers

In April, the National Computer Virus Emergency Response Center (“CVERC”) detected 67 mobile applications illegally collecting and using personal information. Among the violations, an app shared personal data with overseas recipients without informing users of necessary details, such as the recipient's identity, contact information, processing purpose, data types, and how users can exercise their rights. Additionally, did not obtain users' separate, explicit consent for cross-border data transfers.¹³

National Computer Virus Emergency Center Detects Privacy Violations in 13 Mobile Apps

On April 17, the CVERC identified 13 mobile applications with privacy compliance violations through internet monitoring, in accordance with the Cybersecurity Law, Personal Information Protection Law, Methods for Identifying Illegal Collection and Use of Personal Information by Apps, and other relevant laws, regulations, and national standards.¹⁴

Taiwanese Bank and Data Security Officer Penalized by Shanghai Regulator for Inadequate Data Controls

On April 7, the Shanghai Bureau of the National Financial Regulatory Administration imposed a 300,000 yuan fine on Cathay United Bank (China) for “insufficient data security controls” , while the responsible officer, Mr. Jin, received a formal warning.¹⁵

Illegal Acquisition of Personal Information and Abuse of AI for Harassment: College Student Suspected of Crime Apprehended by Cyber Police

Recently, cybersecurity departments of public security authorities cracked a case involving illegal acquisition of computer information system data. The suspect, a college student, unlawfully obtained over 20,000 pieces of students’ personal information and later used AI technology to send harassment text messages to over 2,000 of these students.¹⁶

Courts Litigation

China’s First Unfair Competition Case Involving Bulk Scraping of Encyclopedia Entries Concluded

On April 26, 2025, the Primary People’s Court of Haidian District of Beijing Municipality announced the conclusion of China’s first unfair competition case involving the bulk scraping of encyclopedia entries. The judicial ruling safeguards the competitive interests of encyclopedic platform operators derived from substantial investments and imposes significant damages to effectively deter the unfair competition practice of unauthorized data scraping.¹⁷

Guangdong Releases Top 10 Data Intellectual Property Cases of 2024

On April 12, the Guangdong Administration for Market Regulation (Guangdong Intellectual Property Administration) announced the Top 10 Data Intellectual Property Cases of 2024. Since launching pilot initiatives, it has advanced institutional framework construction, deposit registration, circulation and trading, rights protection, and value realization, completing registration for data IP cases with high innovation, socio-economic benefits, and replicable significance.¹⁸

FOOTNOTES

1. https://www.tc260.org.cn/front/postDetail.html?id=20250427144040&sessionid=-2059071962
2. 2 https://mp.weixin.qq.com/s/bZcM5MnkQ4bNW2UjGe9mmA?scene=25&sessionid=-2068061038#wechat_redirect
3. https://www.nda.gov.cn/sjj/hdjl/yjzq/yjzqform/list/index_pc.html?code=ff808081-95c633c9-0196-4963398e74d2&sessionid=1635656491
4. https://www.gov.cn/lianbo/bumen/202504/content_7019409.htm?sessionid=2076501230
5. https://www.zjwx.gov.cn/art/2025/4/10/art_1694583_58876603.html?sessionid=-2141986625
6. https://mp.weixin.qq.com/s/iYVkA0u2I26kZww2TItEgQ?scene=25&sessionid=-2140943642#wechat_redirect
7. https://mp.weixin.qq.com/s/PNXoC2aSARxmdY0lysmZZg?scene=25&sessionid=-2138861553#wechat_redirect
8. https://mp.weixin.qq.com/s/nHpz_c4FeCbP2urOQ4Zadg?scene=25&sessionid=-2069970773#wechat_redirect
9. https://mp.weixin.qq.com/s/9DfuflZBTJ00hbFboO1nsQ?scene=25&sessionid=-2070028371#wechat_redirect
10. https://mp.weixin.qq.com/s/apqlxlJlC2_L659kJbRnsg?scene=25&sessionid=2077889636#wechat_redirect
11. https://mp.weixin.qq.com/s/-EznCqFnu_4vCBZDSJhC7g?scene=25&sessionid=-2050953805#wechat_redirect
12. https://mp.weixin.qq.com/s/EyEHoDP0eUQ9fBfRh6PB1Q?scene=25&sessionid=-2070142666#wechat_redirect
13. https://www.cverc.org.cn/zxdt/report20250420.htm?sessionid=2077126909
14. https://mp.weixin.qq.com/s/8JnPwAwllxECbLtMTCT9_g?scene=25&sessionid=2076827168#wechat_redirect
15. https://www.mpaypass.com.cn/news/202504/11112505.html?sessionid=-2142738188
16. https://mp.weixin.qq.com/s/-8xU7P5VnV3hioA-99rqSw?scene=25&sessionid=-2140792060#wechat_redirect
17. https://mp.weixin.qq.com/s/m-tVQAZHMLHk_25kZexZMA?scene=25&sessionid=-2060532543#wechat_redirect
18. https://baijiahao.baidu.com/s?id=1829286966012188012&wfr=spider&for=pc&sessionid=-2142841073