Legislation
TC260 Releases Draft Guidelines on Personal Information Protection in QR Code-Based Ordering
On July 22, 2025, the National Technical Committee on Cybersecurity Standardization (“TC260”) released the draft Cybersecurity Standard Practice Guidelines—Personal Information Protection Requirements for QR Code-Based Ordering. The draft prohibits mandatory actions such as following public accounts or submitting mobile numbers, aiming to regulate data practices and prevent privacy violations in digital dining services.
TC260 Releases Guidelines on Security Requirements for “Shake-to-Trigger” Advertising
On July 22, the TC260 issued a guideline outlining security requirements for “shake-to-trigger” advertising mechanisms. The document sets out principles such as user primacy, informed consent, and controllability, aiming to prevent unintended ad activation and enhance user rights protection. The guideline is intended for use by app developers, terminal device manufacturers, third-party SDK providers, and relevant assessment bodies involved in personal data processing.
CAC Releases Draft Mandatory National Standard on Data Erasure for Electronic Devices
On July 14, the Cyberspace Administration of China (“CAC”) released the draft Mandatory National Standard on Data Security Technology – Technical Requirements for Information Erasure of Electronic Products for public comment. The draft outlines technical specifications and functional requirements for data erasure processes in electronic devices, including requirements applicable during product recycling. Notably, it mandates that manufacturers pre-install a “one-click data erasure” feature to ensure the security of user data.
MIIT Issues Compliance Guidelines on User Rights Protection in Mobile Internet Services
On July 3, the Ministry of Industry and Information Technology (“MIIT”), in collaboration with the Internet Society of China and the China Academy of Information and Communications Technology, released the Compliance Guidelines for the Protection of User Rights in Mobile Internet Application Services. The Guidelines aim to help internet companies strengthen compliance management in areas such as service provision, personal information protection, and algorithmic recommendations, while improving mechanisms for safeguarding user rights and fostering a standardized and secure digital services environment.
Authorities
CAC Summons NVIDIA Over Cybersecurity Concerns Related to H20 Chip
On July 31, 2025, CAC conducted a regulatory interview with NVIDIA regarding cybersecurity concerns associated with its H20 AI chip. Acting under the Cybersecurity Law (“CSL”), Data Security Law (“DSL”), and Personal Information Protection Law (“PIPL”), CAC requested that the company explain alleged security vulnerabilities and submit supporting technical documentation. Public reports had raised concerns about potential functionalities such as user tracking and remote deactivation.
Beijing Intensifies Crackdown on Illegal Collection and Misuse of Personal Information
Recently, Beijing CA, in coordination with multiple city-level regulators, has launched a new enforcement campaign focused on the collection and use of personal data in offline consumer scenarios and the use of facial recognition technologies in public spaces. The campaign covers a wide range of sectors, including transportation, hospitality, education, cultural and sports venues, logistics, retail, entertainment, mobility services, and residential property management. Authorities are requiring enterprises to conduct internal compliance reviews and have begun supervisory inspections and random audits. On July 24, over 120 leading companies were briefed on key regulatory obligations under the PIPL and related regulations. Follow-up enforcement is expected, particularly for entities that fail to adequately remediate identified risks.
CAC Requires Designation Reporting for Personal Information Protection Officers by Large-Scale Processors
On July 18, the CAC issued a notice requiring personal information processors handling data of over one million individuals to report the details of their designated Personal Information Protection Officer (PIPO) to the municipal-level CAC office where they are located. The requirement is based on Article 52 of the PIPL and Article 12 of the Administrative Measures for Personal Information Protection Compliance Audits. Entities that meet the threshold after the announcement must report within 30 working days. Those that met the threshold prior to the announcement must complete reporting by August 29, 2025. Any material changes to previously submitted information must be reported within 30 working days of the change.
China and EU Hold Second Meeting of Cross-Border Data Flow Dialogue Mechanism
On July 17, the second meeting under the China-EU exchange mechanism on cross-border data flows was held in Brussels. The two sides conducted in-depth discussions on issues of corporate concern, regulatory interoperability, reciprocity, and institutional coordination. Broad consensus was reached, and both parties agreed to establish a dedicated working group to advance cooperation on cross-border data transfers in the automotive sector.
MIIT Launches Pilot Program for Number Protection Services
On July 2, MIIT launched a pilot program using 15-digit numbers in the 700 segment to mask users’ real phone numbers in services such as delivery, ride-hailing, and e-commerce. Jointly operated by platform stakeholders, the program aims to enhance personal data protection, standardize number resource management, and help prevent telecom fraud.
CAC Issues Compliance Checklist Outlining Inspection Frequency and Standards for Data Security and Cross-Border Transfers
On June 30, CAC released a formal checklist of administrative inspection items for enterprises, marking the first time that regulatory expectations for data security and personal information protection have been consolidated into a structured compliance framework. The checklist limits most inspections to once per year and includes a dedicated annual assessment focused on whether organizations have established sound internal policies covering data classification and grading, risk assessment, personal information processing, and cross-border data transfers. It also examines the implementation of effective technical safeguards and adherence to the CSL, DSL, PIPL, and relevant national standards and outbound data transfer regulations. This codified approach is expected to help enterprises better understand enforcement priorities and allocate compliance resources more effectively.
Enforcement Cases
Chengdu Tech Firm Penalized for Violations of Cybersecurity Obligations
On July 17, 2025, Sichuan public security authorities announced administrative penalties against a Chengdu-based technology company for failing to implement required cybersecurity protection measures during the development and operation of a ticketing management system. The company did not comply with the multi-level protection scheme (MLPS) under the CSL, resulting in a data breach that was subsequently exploited by malicious actors. Both the company and responsible individuals were subject to enforcement action.
NCVERC Identifies 68 Mobile Applications for Non-Compliance with Personal Information Regulations
On July 11, the National Computer Virus Emergency Response Center (“NCVERC”) reported that 68 mobile applications were found to be in violation of personal data protection requirements. Key issues included collecting personal information without sufficient notice and valid user consent; failing to specify the purpose and scope of third-party data sharing; disclosing personal data to third parties without separate consent or anonymization; failing to provide or implement mechanisms for data correction, deletion, account cancellation, or withdrawal of consent; processing sensitive personal information without separate consent; and conducting personalized targeting via automated decision-making without offering opt-out options.
Jiuquan Rural Commercial Bank Fined for Data Security Compliance Failures
On July 11, Jiuquan Rural Commercial Bank was fined RMB 239,500 and issued an official warning for violations of data security and personal credit information management obligations. The bank failed to designate a data security officer, lacked a comprehensive data security governance framework, and did not fulfill requirements related to customer identity verification and credit information handling. Two responsible individuals were each fined RMB 11,500.
Court Litigation
Beijing Internet Court Holds Social Media Platform Liable for Failing to Protect User Data in Doxxing Case
In a recent decision, the Beijing Internet Court found both a social media user and the platform operator jointly liable for privacy violations arising from a doxxing incident. The court held that the platform, as a personal information processor, failed to implement adequate technical and organizational measures to prevent the disclosure of user data and did not notify affected individuals or report the incident to regulators as required. Citing Article 69 of the PIPL, which applies a presumption of fault in personal data infringement cases, the court concluded that the platform bears responsibility for the data breach. The user and the platform were ordered to issue a public apology and compensate the plaintiff for emotional distress.
Landmark “Data Resource” Case: Taobao/Tmall Awarded RMB 30M for Data Rights and Trade Secrets Infringement
In June 2025, the Nanjing Intermediate People’s Court handed down its first-instance judgment in the unfair-competition dispute widely dubbed “Data Resources Case No. 1.” The court held that the defendant, by using technical means to unlawfully obtain and exploit operating data from the Taobao and Tmall platforms, had infringed the plaintiffs’ data rights and trade-secret-protected business information, thereby violating Articles 9 and 12 of China’s Anti-Unfair Competition Law. The court found that the defendant’s conduct breached the platforms’ data-security boundaries, disrupted the “Business Consultant” (Sheng Yi Can Mou) business model, and harmed the legitimate interests of both the platforms and their users, constituting unfair competition. Upholding the plaintiffs’ claims, the court applied punitive damages at twice the compensatory level and ordered the defendant to pay RMB 30 million in damages.