China Monthly Data Protection Update: June 2025

[author: Ken Dai]

Developments Highlights

Legislation

CAC Seeks Public Comments on Draft Rules for Administrative Penalty Discretion

On May 30, to further standardize enforcement and protect the rights of citizens and organizations, the Cyberspace Administration of China (“CAC”) released the Draft Provisions on the Application of Administrative Penalty Discretion Standards by Cyberspace Authorities for public consultation. The draft classifies discretionary penalty measures into several levels: no penalty, mitigated penalty, reduced penalty, standard penalty, and aggravated penalty.¹

China Issues the Measures for the Administration of National Network Identity Authentication Public Services

On May 23, 2025, the Ministry of Public Security, the CAC and four other government departments jointly released the Administration of National Network Identity Authentication Public Services, which will take effect on July 15, 2025. The measures aim to promote a trusted digital identity framework, protect citizens’ personal information, and support the development of the digital economy. They set out the voluntary use and application procedures for online IDs and certificates, define the validity and application scenarios of national online identity authentication. The national online identity authentication platform is now live, allowing users to apply for IDs and certificates via an official app.²

TC260 Two Cybersecurity Practice Guidelines on Personal Information Protection Compliance Audits

On May 19, 2025, National Technical Committee 260 on Cybersecurity of Standardization Administration of China (TC260) issued two practice guidelines: Cybersecurity Practice Guidelines—Requirements for Personal Information Protection Compliance Audits and Cybersecurity Practice Guidelines—Competency Requirements for Service Providers Conducting Personal Information Protection Compliance Audits. These documents define audit requirements, processes, and methods, as well as service provider competency standards, and apply to data processors and audit service providers.³

China Releases Sensitive Personal Information Security Standard (GB/T 45574-2025)

• On April 25, 2025, the SAMR and the Standardization Administration of China released GB/T 45574-2025, Data Security Technology—Security Requirements for Processing Sensitive Personal Information, which will take effect on November 1, 2025. This recommended standard establishes definitions for identifying sensitive personal information and sets out security requirements for its processing.⁴

MIIT Plans to Regulate Children’s Smartwatches, Proposes Measures to Protect Personal Data

On May 14, China’s Ministry of Industry and Information Technology (“MIIT”) released a draft mandatory national standard, Safety Technical Requirements for Children’s Smartwatches, for public comment. The draft covers information security, data security, personal information protection, and content safety. It calls for secure app management to prevent malicious software, and requires clear rules for handling children’s personal data, displayed in the device’s OS or management interface. The draft also prohibits apps from having default access to microphones, cameras, or location data.⁵

China Issues Guidelines on Geospatial Data Classification and Grading (Trial)

On May 12, the Ministry of Natural Resources released the Guidelines on Geospatial Data Classification and Grading (Trial) to strengthen data security, promote data circulation and utilization, and support the secure and orderly use of geospatial data. The guidelines set out clear requirements for data classification, grading, directory management, and dynamic updates, aiming to identify and protect important and core data and ensure security throughout the entire data lifecycle.⁶

Authorities

On May 30, 2025, the CAC issued a policy FAQ on data export security management, addressing key compliance issues regarding the identification and filing of important data and its outbound transfer. The CAC emphasized that data processors must identify and file important data in accordance with applicable laws and regulations. If a data processor has not been notified by relevant authorities or if the data has not been publicly designated as important, it does not need to apply for a data export security assessment; such exports will not be considered illegal and will not face administrative penalties.⁷

CAC Launches Facial Recognition Technology Application Filing

On May 30, CAC announced the launch of a filing system for facial recognition technology applications. According to the Administrative Measures on the Security of Facial Recognition Technology Applications, data processors that use facial recognition technology and store facial information of 100,000 or more individuals are required to file with their respective provincial CAC offices.⁸

Shanghai Targets Unauthorized Photography and Privacy Violations

In response to the growing problem of unauthorized photography and street shoots that violate citizens’ portrait rights, privacy, and personal data—and are then widely shared online—Shanghai’s Cyberspace Administration (“CA”) has launched a special campaign. The initiative aims to strengthen collaboration between regulators and online platforms to effectively tackle illegal content, protect citizens’ rights, and foster a safer, healthier online environment.⁹

CAC Strengthens Regulation of “Doxxing” Practices

Recently, CAC issued a notice to intensify the crackdown on “doxxing” activities. The CAC called on local authorities and online platforms to step up their efforts to combat these practices. Three major online platforms have already been penalized, and the CAC held a special meeting to instruct key platforms such as Weibo, Baidu, and Douyin to fulfill their responsibilities and rigorously address “doxxing” violations.¹⁰

State-Owned Enterprise in Guangxi Penalized for Failing to Prevent Cyberattack

Recently, a state-owned enterprise in Guigang, Guangxi, was hacked due to security flaws in its internal office system. The company failed to implement required technical measures to prevent computer viruses, cyberattacks, and intrusions, and did not adequately fulfill its cybersecurity obligations. The Guigang CA ordered corrective action and issued an official warning.¹¹

Company in Zhengzhou Penalized for Violating the Cybersecurity Law

Recently, the Zhengzhou CA imposed administrative penalties on a company for failing to fulfill its cybersecurity obligations, resulting in a security incident. The company was ordered to rectify the issues, issued a warning, and fined RMB 30,000. Investigators found multiple problems, including no logging, unsecured firewall ports, unpatched vulnerabilities, unencrypted databases, and outdated software. These gaps allowed foreign hackers to upload malicious content, causing a serious negative impact.¹²

CAC: Ongoing Efforts to Strengthen Oversight of Recommendation Algorithms

On May 25, the CAC announced continued efforts to regulate recommendation algorithms. Since the launch of the “Clean Cyberspace” campaign, it has pressed major platforms to address issues like vulgar content, echo chambers, and polarization. Platforms have improved content reviews, disclosed algorithm principles, and added features like “echo chamber assessment” and “one-click exit” to diversify recommendations. The CAC will keep inspecting and guiding platforms to enhance algorithm governance and recommendation quality.¹³

Tech Company in Hainan Penalized for Violating the Data Security Law

Recently, the Hainan CA found that a local tech company failed to fulfill its obligations under the Data Security Law. The company’s system lacked necessary technical and management measures to protect data security, resulting in unauthorized access and partial data leaks. The Hainan CA ordered the company to rectify the issues, issued a warning, and imposed a fine of RMB 50,000.¹⁴

Courts Litigation

On May 20, 2025, the SPC issued the Interpretation on Several Issues Concerning the Application of Law in the Trial of Administrative Cases on Government Information Disclosure. According to Geng Baojian, President of the SPC’s Administrative Tribunal, Article 8, paragraph 2 of the Interpretation provides that courts should adopt appropriate trial methods based on the circumstances of each case to prevent the disclosure of state secrets, trade secrets, personal privacy, and other information that is legally required to be kept confidential.¹⁵

Haidian Court Concludes Three Cases on Data Scraping and Reuse

In recent years, disputes over unfair competition arising from unauthorized scraping and reuse of data sets have increased. Offenders often use technical means to acquire data painstakingly collected by competitors, seeking to gain a market advantage without investing the necessary labor and costs. The Haidian District Court in Beijing recently concluded three such cases, issuing rulings that upheld platform operators’ data rights and imposed significant damages to deter violations, encouraging lawful data collection and use while promoting fair competition.¹⁶

1. ^{https://www.cac.gov.cn/2025-05/30/c_1750315544142395.htm}
2. ^{https://www.cac.gov.cn/2025-05/23/c_1749711107837215.htm}
3. ^{https://mp.weixin.qq.com/s/gUJGP9s5KIEeR-4-sAyZ4w}
4. ^{https://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=F9F3A2EBF49E9B4D73AD8C8912986D5A}
5. ^{https://www.tc260.org.cn/front/postDetail.html?id=20250427144040&sessionid=-2059071962}
6. ^{https://www.mnr.gov.cn/dt/ywbb/202505/t20250507_2883976.html}
7. ^{https://www.cac.gov.cn/2025-05/30/c_1750315283722063.htm}
8. ^{https://www.cac.gov.cn/2025-05/30/c_1750315544241157.htm}
9. ^{https://mp.weixin.qq.com/s/d4YXAWueP175TRQyjRffsw?scene=25#wechat_redirect}
10. ^{https://mp.weixin.qq.com/s/5PW4hrxBxEoemc7tD0Z7fw?scene=25#wechat_redirect}
11. ^{https://mp.weixin.qq.com/s/J1zmFkBJwM6g67lGEThLDw}
12. ^{https://mp.weixin.qq.com/s/x4jcyW6vZVwMCT4BydsbLw?scene=25#wechat_redirect}
13. ^{https://www.cac.gov.cn/2025-05/22/c_1749536203490537.htm}
14. ^{https://mp.weixin.qq.com/s/mIo8xENK4QOP1MwhEBMz6g?scene=25#wechat_redirect}
15. ^{https://mp.weixin.qq.com/s/1ELZF6THMLso_EUVyJf5Sg}
16. ^{https://www.163.com/dy/article/K19CO3J0051200BP.html}