Data Protection & Privacy 2025

Last Updated March 11, 2025

China

Law and Practice

Author

Zhong Lun Law Firm is one of the largest full-service law firms in China, with over 400 partners and more than 2,300 professionals, and offices in Beijing, Shanghai, Shenzhen and other major cities in China and around the world. The firm’s cybersecurity and data protection team is an industry leader in China, with a wealth of experience in fields such as cybersecurity, data security and personal information protection. The partners are frequently invited to participate, as legal experts, in the legislative process relating to cybersecurity and data protection legislation. Actively practising in the technology and telecommunications industries in the past two decades, and providing professional legal services to a large number of multinational clients that embrace the challenges of digitalisation, Zhong Lun has accumulated profound experience and developed a unique system of project compliance processes to assist in solving domestic and cross-border data protection issues.

Privacy and data protection provisions within the Chinese legal framework are scattered across laws and regulations at different legislative levels. In terms of specialised legislation on cybersecurity and data protection, China has established a comprehensive legal framework that includes several key laws and regulations – ie, the “Three Fundamental Laws”:

  • the Cybersecurity Law (CSL; 网络安全法);
  • the Data Security Law (DSL; 数据安全法); and
  • the Personal Information Protection Law (PIPL; 个人信息保护法).

These operate together with the “Three Key Regulations”:

  • the Regulations for the Administration of Network Data Security (RANDS; 网络安全数据管理条例);
  • the Security Protection Regulations for Critical Information Infrastructure (关键信息基础设施安全保护条例); and
  • the Regulations on the Graded Protection for Cybersecurity (Draft for Comments) (网络安全等级保护条例 (征求意见稿)).

The Three Fundamental Laws and the Three Key Regulations form the pillars of China's cybersecurity and data protection legal framework, with each addressing different aspects of data security and privacy.

The CSL was enacted on 1 June 2017 and forms the backbone of cybersecurity and data privacy protection legislation in China. The DSL came into effect on 1 September 2021 and is the fundamental law in the data security sphere, widely covering data security mechanisms, obligations and liabilities at both state administration and data processor level. The PIPL came into effect on 1 November 2021 and embraces the new era of personal information (PI) protection as well as corporate data protection compliance. The Three Key Regulations further detail the cybersecurity and data protection requirements set forth in the Three Fundamental Laws from different perspectives.

In addition to the specialised legislation, China's general legislation may also include provisions on privacy and data protection. Specifically, the Civil Code (民法典) plays a significant role in this regard. The Civil Code’s provisions relating to data privacy protections are basically consistent with the requirements provided in the Three Fundamental Laws, further solidifying the legal foundation for privacy and data protection in China. Data protection regulations on privacy are also scattered in:

  • the Criminal Law (刑法);
  • the Law on the Protection of Consumer Rights and Interests (Consumer Protection Law; 消费者权益保护法);
  • the E-commerce Law (电子商务法);
  • Several Issues Concerning the Application of Law in the Trial of Civil Cases Relating to the Use of Facial Recognition Technologies to Process Personal Information (最高人民法院关于审理使用人脸识别技术处理个人信息相关民事案件适用法律若干问题的规定), etc.

Key Regulators

Since data regulation is a topic that impinges upon all industries, there is a wide range of law enforcement departments related to it, many of which have intersecting duties and authorities. There is no centralised regulatory body. Among all these regulators, the most important ones include:

  • the Cyberspace Administration of China (CAC);
  • the Ministry of Public Security (MPS); and
  • the Ministry of Industry and Information Technology (MIIT).

Specifically, according to Article 8 of the CSL and Article 60 of the PIPL, the CAC is in charge of overall planning with regard to data protection and privacy, and co-ordinates the competent authorities. The MIIT, the MPS, the State Administration for Market Regulation (SAMR) and other industry regulators are in charge of law enforcement in the respective industries.

Moreover, it is noteworthy that the National Data Bureau, inaugurated in October 2023, is responsible for overseeing the integration, sharing and development of data resources, co-ordinating the construction of data infrastructure systems, and the planning and construction of digital China, the digital economy and digital society.

How Regulators Operate in Practice

When initiating administrative proceedings and enforcing the Three Fundamental Laws and other relevant laws and regulations, the competent authorities must abide by the Law on Administrative Penalty (行政处罚法). The competent authorities should conduct investigations to ascertain the facts of the alleged violating acts before imposing punishment on anyone (Article 54). The penalised parties should be given opportunities to state their case and defend themselves (Article 7). The penalised party is entitled to a hearing in cases where the administrative punishment involves the suspension of business, rescission of a business permit or licence, or a large penalty (Article 63).

According to Article 7 of the Law on Administrative Penalty, a party that refuses to accept administrative penalties imposed upon it may first apply to the relevant administrative organ for a reconsideration. If the party is still dissatisfied with the reconsideration decision, it is entitled to initiate an action before the people’s courts. Unless otherwise stipulated by applicable laws requiring the exhaustion of administrative reconsideration before seeking judicial review, it may also initiate an action before the people’s courts directly.

Administrative Proceedings

Administrative proceedings initiated by regulators can be triggered in different ways, including:

  • reporting – where users may report to the regulators mentioned in 1.2 Regulators and consumer protection organisations, and investigations are launched accordingly;
  • regular and irregular inspections – where special projects that last several months are launched to target specific industries or pain points in cyberspace; and
  • inquiries into data leakage events, network loopholes or other cybersecurity/data incidents.

In addition to the procedures of administrative proceedings described in 1.2 Regulators, public security departments must abide by the special rules provided for them under the Regulations for Internet Security Supervision and Inspection by Public Security Organs (公安机关互联网安全监督检查规定). For example, there must be at least two police officers in the event of an on-site inspection, and such law enforcement officers must keep any personal and private information that becomes known to them during an inspection confidential.

To oversee the administrative proceedings initiated by the CAC, the Provisions on Administrative Law Enforcement Procedures of Cyberspace Administration Departments (“Enforcement Procedures”, 网信部门行政执法程序规定) came into effect on 1 June 2023, and set the rules on jurisdiction, evidence, enforcement, etc. In addition, the Provisions on Administrative Penalty Procedures for Industry and Information Technology Authorities (工业和信息化行政处罚程序规定) came into effect on 1 September 2023, emphasising the transparency of enforcement activities and protection of the penalised/inspected parties' lawful rights and interests.

Calculation of Administrative Fines

The competent authorities will determine the amount of any fine on a case-by-case basis, taking into consideration the severity of the violating acts, infringements of individuals' legitimate rights and interests, any adverse impact on society, etc. According to Article 34 of the Law on Administrative Penalty, the administrative authorities may, in accordance with law, formulate discretion benchmarks for administrative penalties to regulate the exercise of such discretion. Such discretion benchmarks for administrative penalties shall be made public.

Under the PIPL, the penalties for violations may include an order of rectification, warning, confiscation of illegal earnings, or the suspension or termination of apps or services. For severe violations, the violator may be fined up to CNY50 million or 5% of its turnover of the previous year at the company level, and the person directly in charge will be fined up to CNY1 million. The company’s business licences and permits may also be revoked.

Depending on the nature and severity of the violation, different sanctions and penalties may be imposed under the CSL. For instance, non-compliance with the provisions related to PI protection under the CSL may result in orders to take rectification measures, warnings, confiscation of illegal earnings, fines or a combination of these. The fine imposed should exceed the amount of illegal earnings but may not exceed ten times such earnings; if there are no illegal earnings, the fine may not be more than CNY1 million. The person directly responsible may be subject to a fine ranging from CNY10,000 to CNY100,000. In the case of a severe violation, the competent authority may order the suspension of the related business, rectification, the shutdown of a website, or the revocation of the business licence of the operator or provider. It is worth noting that the revised draft of the CSL, released in September 2022, has increased the upper limits of the fines to align with those prescribed under the PIPL. For severe violations, the amount of the fine may be up to CNY50 million or 5% of the violator’s turnover in the previous year, and the person directly in charge may be fined up to CNY1 million.

The Enforcement Procedures set forth the following rules.

  • A single illegal act shall not be subject to more than two fines. In cases where the act violates multiple legal provisions and should be sanctioned with fines, punishment shall be given in accordance with the provision that prescribes the higher fine.
  • Administrative punishments may not be imposed if the violation was first-time and minor, the harmful consequence was minor, and the illegal act was promptly corrected. Similarly, administrative punishments shall not be imposed if the violation was minor and rectified in a timely manner, and has not resulted in any harmful consequence.

Among the administrative proceedings undertaken in recent years, violations punished by the administrative authorities include but are not limited to:

  • failure to satisfy transparency requirements and the minimum necessary principle of PI processing;
  • failure to obtain data subjects’ consent before PI collection;
  • insufficient security management; and
  • failure to detect security loopholes in network services.

The most notable cases in recent years involving such violations include the following.

  • In 2022, the CAC fined leading Chinese ride-hailing company DiDi Chuxing approximately CNY8.02 billion, due to its significant violation of the CSL, the DSL and the PIPL in aspects including illegal and excessive collection of users' and drivers' PI, failure to clearly explain the PI processing activities to individuals, etc.
  • In September 2023, the CAC imposed an administrative fine of CNY50 million on China National Knowledge Infrastructure (CNKI), a well-known Chinese online platform, for its alleged unauthorised and excessive PI collection, lack of a public privacy policy and options for account cancellation, and failure to retain PI for the shortest necessary period of time.
  • In June 2024, the National Financial Regulatory Administration announced that Bank of Communications was fined CNY1.6 million for data breaches such as security and operation management loopholes, insufficient disaster recovery management, etc.

Recent Developments in AI Regulation and Implications for Data Protection

China has taken agile legislative action to effectively address the regulatory, legal and ethical challenges posed by AI technology by building and implementing a comprehensive AI regulatory framework in recent years. The Interim Measures for the Administration of Generative Artificial Intelligence Services (“AIGC Measures”; 生成式人工智能服务管理暂行办法) came into effect on 15 August 2023 and expressly outline the regulatory framework for AI-generated content (AIGC) technology, encompassing various stages such as model training, application deployment and model optimisation, and multiple subjects like AIGC developers, service providers and users. AIGC service providers shall conduct an AIGC filing according to the AIGC Measures, as well as an algorithm filing according to the Administrative Provisions on Algorithm Recommendation for Internet Information Services (“Algorithm Provisions”; 互联网信息服务算法推荐管理规定), and the competent authorities will review such AIGC services from a cybersecurity and PI protection perspective, among others.

The Measures for Review of Scientific and Technological Ethics (Trial) (科技伦理审查办法(试行)), which came into effect on 1 December 2023, demonstrate China’s significant attention to technology development as well as ethical reviews of AI. Regarding the specific application of AI technology, as stipulated by the Administrative Provisions on Deep Synthesis in Internet-Based Information Services (互联网信息服务深度合成管理规定), contents generated by deep learning or other new technologies must be identified in a noticeable way and shall be reviewed technically or manually to avoid infringements of the rights and interests of data subjects.

In 2024, China continued to formulate relevant standards and technical documents for AIGC governance. In September 2024, the National Information Security Standardisation Technical Committee (TC260) issued the Artificial Intelligence Security Governance Framework (人工智能安全治理框架), which is designed to promote consensus and co-ordination among governments, international organisations, enterprises and other stakeholders regarding AI governance. The development of AI governance in China is further demonstrated by:

  • the Basic Security Requirements for Generative Artificial Intelligence Service (TC260-003 生成式人工智能服务安全基本要求), released in February 2024;
  • the Notice of the CAC on Seeking Public Comments on the Measures for Labelling Artificial Intelligence Generated Synthetic Contents (Draft for Comment) (人工智能生成合成内容标识办法(征求意见稿)), released in September 2024; and
  • the Guidelines for Emergency Response to Generative Artificial Intelligence Service Security Incidents (Draft for Comment) (生成式人工智能服务安全应急响应指南(征求意见稿)), released in December 2024.

Safeguards Provided for Data Protection

With regard to data protection in the context of the use of AI systems, all phases related to AIGC services need to comply with the corresponding legal requirements for data protection.

For instance, regarding the phase of model training, AIGC developers and AIGC service providers are legally required to use data with lawful sources, to formulate clear data annotation rules and to take effective measures to ensure the authenticity, accuracy, objectivity and diversity of the training data and properly fulfil the data protection obligations (Articles 7 and 8 of AIGC Measures).

Regarding the application operation phase, certain data protection risks concerning the reliability and robustness of the services, as well as issues related to the transparency, necessity, etc, of data processing, may arise out of content generation, data analysis and processing, and AIGC service provision. Based on that, AIGC service providers shall assume responsibility for protecting the collected data and the information input by users, as well as performing their legal obligations as PI handlers. These obligations include:

  • collecting only necessary PI;
  • addressing individuals’ requests to exercise their rights; and
  • preventing the unlawful retention or disclosure of users' input data and usage records to third parties.

Relevant technical measures shall also be taken to enhance the safety, stability and sustainability of services and to ensure that users can use the services normally (Articles 9, 11 and 13 of AIGC Measures).

How AI Regulation Affects Data Protection in China

AI regulation and data protection are closely intertwined in China, where both are governed by legal frameworks designed to balance technological innovation with privacy and data protection. The data compliance issues associated with the entire lifecycle of AIGC, including but not limited to key stages such as model training, service provision and model optimisation, are complex and typically involve multiple parties, such as AIGC developers, service providers and service users, which poses significant challenges for privacy and data protection.

In key data protection regulations in China, specific provisions have been formulated to address AI development while simultaneously ensuring a balance between innovation and data protection, and safeguarding privacy associated with AIGC technologies. For instance, the RANDS provide that, insofar as the training data and the processing activities thereof are concerned, network data handlers providing AIGC services shall fulfil the relevant security management obligations (Article 19 of the RANDS). Moreover, the increasingly rapid development of AI technology also drives competent authorities to further incorporate AI regulation into the legal framework of data protection. The Action Plan for the Construction of Information Standards (2024–2027) (信息化标准建设行动计划(2024–2027年)) was released on 24 May 2024 and has expressly made AIGC-related technical standards a key focus for future legislation.

Interplay Between AI-Related Laws and Data Protection-Related Laws

On one hand, the essential data protection laws (including the Three Fundamental Laws and the Three Key Regulations) are applicable to all data processing activities under AI-related scenarios. AIGC developers and service providers should also comply with such essential data protection laws when carrying out data processing activities. For instance, both the PIPL and the DSL require data minimisation and purpose limitation (in Article 6 of the PIPL and Article 32 of the DSL, respectively), which directly affects how AI models are trained. AI systems that process PI must ensure that users can exercise their rights as set out under the PIPL, such as the right to withdraw consent or request data deletion (Articles 15 and 47 of the PIPL). AI systems must incorporate robust security measures to prevent breaches of PI as set out in Article 27 of the DSL and Article 51 of the PIPL; as a result, AIGC service providers shall build these features into their platforms to comply with such data protection requirements. If AIGC services involve cross-border data transmission, the legal requirements on cross-border data transfer (CBDT) shall also be followed.

On the other hand, in some cases, the AI-related laws specify and complement the data protection requirements in the context of AI. For instance, Article 7 of the AIGC Measures provides that AIGC service providers shall ensure the lawfulness of the training model and data sources when processing training data, and data subjects’ consent shall be obtained if any PI is involved. In addition, echoing the relevant requirements in the PIPL, Article 11 of the AIGC Measures also specifies that users’ PI shall be collected based on the minimum necessary principle, and any illegal use, storage or provision is not allowed. Moreover, AIGC service providers shall promptly address and respond to users’ requests to exercise their PI-related rights to access, copy, correct, supplement, delete, etc.

In China, AI regulation and data protection laws, including the PIPL and the AIGC Measures, are designed to complement each other, thereby fostering innovation of AI systems and maintaining respect for individuals' rights. The PIPL focuses on PI protection, whereas AI-related laws such as the AIGC Measures aim to regulate AI systems in a manner that ensures safety, accountability and ethical considerations. Together, they create a comprehensive regulatory structure that guides the responsible development and deployment of AI while safeguarding privacy and data protection rights.

In China, the majority of PI protection litigation cases are public interest litigation. In 2023, procuratorial organs in China handled more than 6,300 public interest lawsuits on PI protection. China also allows individuals to initiate private litigation, and the legal bases for an individual to initiate private litigation mainly include the Civil Code, the Consumer Protection Law, the CSL and the PIPL.

The number of privacy litigation cases brought by individuals has increased rapidly in recent years. According to announcements by the Beijing Internet Court, it received a total of 113 cases related to PI protection disputes between October 2023 and October 2024. In contrast, merely 58 such cases were handled by the same court in the past five years leading up to 2023. This increase highlights a rapid growth trend in PI protection dispute cases.

One of the most noteworthy cases reflecting the impact of international developments on domestic litigation is the first case related to CBDT issues announced by Guangzhou Internet Court (further discussed in 2.2 Recent Case Law). Along with international economic and business developments, CBDT issues have become the focus of data subject attention, and a rise in privacy litigation involving CBDT is expected in the coming year.

One privacy litigation case worth noting involved an individual customer suing a European hotel group for infringement of their PI rights and interests due to CBDT.

In this case, regarding disclosure and transparency requirements, the Guangzhou Internet Court decided that the scope of recipients and the geographical regions are not clearly stated in the privacy notice, and data subjects are not explicitly informed where their PI will be transmitted or how it will be processed, which fails to comply with Articles 7 and 17 of the PIPL. Regarding the legal basis for such CBDT, the court affirmed that intragroup sharing of customers’ PI via the hotel’s central booking system to the overseas booked hotel and the global headquarters is legitimate and necessary for hotel management.

However, the court rejected the legitimacy of transferring the customer’s PI to intragroup marketing departments and external business partners for the purpose of “marketing”, as this is not “necessary for performing the contract”, and thus the hotel group is still legally required to obtain the customers’ separate consent to such CBDT in accordance with the laws. Since the hotel failed to obtain the customer's separate consent, the court held that the hotel's data processing activities lacked an adequate legal basis and were thus illegal, and ruled that the hotel should bear the corresponding infringement liability, which includes compensation for damages, the deletion of the relevant PI and an apology to the individual.

Article 70 of the PIPL establishes the mechanism of public interest litigation for PI infringement. Where any PI handler processes PI in violation of the PIPL, which infringes upon the rights and interests of a large number of individuals, a lawsuit may be brought to a people's court in accordance with the law by:

  • the People's Procuratorate;
  • the consumer organisations specified by law; and
  • the organisations determined by the CAC.

In the past few years, the number of public interest litigation cases regarding PI protection has increased year by year. For example, prosecutors handled over 2,000 cases in 2021 and this number surged to more than 6,300 cases in 2023. This upward trend reflects the growing frequency of legal actions concerning PI protection initiated by prosecutors and shows the great importance attached to PI protection.

Objectives of Data Regulation

In China, regulations addressing the use of IoT services and the rights and obligations of data holders and data processing services are primarily shaped by a combination of data protection laws, regulations and industry-specific guidelines – ie, the Three Fundamental Laws and certain industrial measures and/or standards, such as:

  • the Measures on Safety Evaluation for Cloud Computing Services (云计算服务安全评估办法);
  • Information Security Technology – Security Technical Requirements of Data Transmission for IoT (GB/T 37025-2018信息安全技术—物联网数据传输安全技术要求);
  • Notice of the Pilot Programme of Vehicle-Road-Cloud Integration Application for Intelligent Connected Vehicles (关于开展智能网联汽车“车路云一体化”应用试点工作的通知);
  • Guidelines for the Construction of Network Security and Data Security Standard System for Telematics (车联网网络安全和数据安全标准体系建设指南), etc.

Through the above regulations, China aims to protect the security and privacy of data collected through IoT devices, which may include PI, important data and other sensitive information that may be generated, stored or transmitted via IoT devices. “Important data” means data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and security, etc; its specific scope is stated in the catalogues of important data formulated by the national, regional and other relevant departments.

China also promotes the secure use and free flow of such data involved in IoT services, promotes the availability and accessibility of data, and enhances the activity of the data-driven economy, as set out under the Opinions on Building a Basic Data System to Better Play the Role of Data Elements (“Opinions”; 关于构建数据基础制度更好发挥数据要素作用的意见).

Scope of Data Regulation

The main scope of regulations on IoT services, data holders and data processing services is as follows.

  • The CSL emphasises the security of network and information infrastructure from the perspective of technology, and applies to any IoT service that operates on a network. It imposes requirements for network operators, which could be either data holders or data processing service providers, to ensure the security of their networks, including IoT devices.
  • The PIPL focuses on how the data handlers collect, store, use and process the PI generated by IoT devices, and applies to data holders and data processing service providers who collect and process PI in China.
  • The DSL is another key law addressing data security, which covers not only PI but also general data in the course of IoT services provision, especially for “important data” generated or processed by IoT services.
  • Other industrial measures and/or standards (the Measures on Safety Evaluation for Cloud Computing Services, Information Security Technology – Security Technical Requirements of Data Transmission for IoT, etc) collectively depict the roadmaps for the pre-assessment and stringent supervision of the technologies, infrastructures and other key aspects of cloud computing service platforms involved in IoT services.
  • In terms of facilitating data use, the Opinions unveil orientations and guidelines to promote efficient data circulation. A data ownership affirmation mechanism shall be established, in which the legal rights enjoyed by all participants in the process of data production, circulation and use, including data holders and data processing service providers, shall be defined. As far as corporate data that does not involve PI and public interests is concerned, the relevant parties may legally enjoy the rights and interests to hold, use and obtain profits from such data. Regarding PI, a corresponding authorisation mechanism shall be established to collect, hold, host and use PI according to the scope of individual authorisation, so as to promote the rational use of PI. Data holders, data processing service providers and other relevant stakeholders may legally carry out business co-operation and circulate data, sharing the dividends of the digital economy.

The interplay between data regulation and data protection requirements in China is complex but complementary. On one hand, data protection laws such as the Three Fundamental Laws govern the legality, legitimacy and necessity of data processing, as well as the protection of the rights and interests of data subjects involved in IoT services. On the other hand, the broader data regulation framework – including the industry-specific regulations and guidelines – aims to oversee specific industries and types of data usage, ensuring that data protection principles are applied in various contexts, particularly in critical sectors such as IoT. Together, they provide a comprehensive approach to ensure cybersecurity and promote data and privacy protection.

The above legal frameworks collectively address different aspects of data handling in China. However, they share unified objectives of safeguarding data privacy, enhancing security and ensuring accountability in the digital age. The Three Fundamental Laws serve as the primary regulation governing data protection, while other industry-specific laws built on the foundation of the Three Fundamental Laws ensure that data is handled responsibly, transparently and in compliance with privacy rights in IoT scenarios. Data holders (which may include IoT service providers and data processors) and data processing service providers in China must navigate the aforementioned multiple frameworks to ensure the protection of user privacy and compliance with stringent data security requirements.

IoT service providers and data processing service providers in China must navigate a complex regulatory framework to ensure compliance with data protection and cybersecurity requirements. The main obligations arising from the applicable laws and regulations regarding the use of IoT services and data processing services are as follows.

  • The CSL sets out that network operators (which may include IoT service providers as well as data processing service providers, which are often involved in IoT operations as cloud service providers) shall ensure the security of networks, comply with cybersecurity obligations in relation to multi-level protection schemes (MLPS), take all necessary remedies and promptly report any cybersecurity incidents to the relevant authorities (Articles 21, 25 and 42). If the network operator is a Critical Information Infrastructure Operator (CIIO), it must comply with stringent security requirements to protect the infrastructure from cyber-attacks (Article 34).
  • Pursuant to the DSL, while carrying out data processing activities related to IoT services and data processing services, a sound data security management system shall be established throughout the whole process, including carrying out data security training and corresponding security measures (Article 27). Moreover, IoT service providers and data processors shall meet the obligations for the protection of important data collected through IoT devices and generated/processed by IoT services, including designating a responsible person, conducting regular risk assessment and reporting to competent authorities, etc (Articles 27 and 30).
  • Obligations for IoT service providers as provided by the PIPL mainly include complying with the minimum necessary principle (Article 6), satisfying the transparency requirement (Article 17) and obtaining a valid legal basis for the collection and processing of PI (Article 13). IoT device users should also be informed of their PI-related rights. In the event of any CBDT, the relevant obligations in relation to CBDT as provided in 5.1 Restrictions on International Data Transfers shall also be fulfilled by IoT service providers. Data processing service providers usually act as the entrusted party under the PIPL and thus shall process PI according to the purposes, methods, etc, stipulated in the agreement with the PI handler. In addition, the entrusted party shall not delegate the PI processing to others without the consent of the PI handler (Article 21).

Key regulators of IoT services and data processing services include the CAC, the MIIT and the MPS. The CAC is in charge of the overall planning of data protection and privacy, and the co-ordination of the competent authorities. The MIIT is the industry authority for IoT services and is responsible for the development of industry regulations and enforcement in the field of IoT. As IoT services involve network operations, the MPS, as the enforcement authority of CSL, is responsible for managing and enforcing the relevant requirements under the CSL.

In certain circumstances, other departments may also enforce data-related rules; the SAMR, for example, handles unfair competition in the provision of IoT services.

Under the CSL and PIPL regimes, the use of cookies is usually regarded as the collection of PI, which must comply with PI protection-related requirements. According to Article 5 of the PIPL, the collection and use of PI must follow the principles of legality, legitimacy and necessity, which means that the use of cookies for user information collection must comply with these principles. Individuals must be truly, accurately and completely informed about the use of cookies in a prominent manner and in clear and understandable language, and the explicit consent of users must be obtained in accordance with Articles 13 and 17 of the PIPL. The use of cookies should also follow other general principles of data minimisation and data security protection. Furthermore, if cookies are collected and used for behavioural or targeted advertising that has not been agreed to by the data subjects (and no other legal basis exists), that collection and use of cookies would be deemed illegal.

The Advertising Law (广告法) is the fundamental law that regulates advertising. The Measures for Administration of Internet Advertising (互联网广告管理办法) apply to online marketing. The sender must obtain consent to, or a request for, advertising from the recipients, and the sender must also disclose their true identity, contact details and the opt-out method for advertisements distributed via electronic means.

In addition, since online marketing, particularly behavioural and personalised advertising, is normally based on the analysis of PI collected from users, regulations on PI collection and use must be observed. To begin with, PI may not be collected or used for personalised advertising if the PI subjects have not agreed to this. Pursuant to Article 24 of the PIPL, if business marketing or push-based information delivery is conducted towards an individual by means of automated decision-making, an option not targeting the personal characteristics of the individual, or an easy way to refuse to receive this, must be provided to the individual. In addition, according to the Information security technology – Personal information security specification (GB/T 35273–2020 信息安全技术 个人信息安全规范), the use of indirect user profiling generated from PI that is not from particular persons is recommended for online marketing, rather than direct user profiling. Also, where a personalised display is used for online marketing, an option to turn the function off and to delete or anonymise the PI used for such a personalised display should be provided to the users.

Currently, there is no special data privacy law or regulation regulating the employment relationship. The PI of an employee is subject to the same PI protection regime as that of any other regular person. The employee PI protection is governed by the Employment Law (劳动法), the Employment Contract Law (劳动合同法), the CSL, the PIPL and other relevant laws and regulations governing PI. These laws have the following implications for the employment relationship.

Employee Data Protection

Under the PIPL, employers must ensure that they collect, store and process employee PI in compliance with the legal requirements – eg, employees must be informed about how their PI will be collected, processed or shared. An employer must have at least one legal basis for processing employees' PI. These legal bases may include obtaining employees' consent or processing such PI as necessary for human resources (HR) management under lawfully established labour rules and lawfully concluded collective agreements. If the processing of employees' PI is specified in the employer's lawfully established labour rules or in a legally executed labour contract, and can be defined as necessary for HR management, it is generally considered that the employer does not need to obtain the employee's consent for such PI processing. However, if the processing cannot be adequately justified as necessary for HR management, the employer should still obtain the employee's consent (including separate consent, where applicable) as required by the PIPL.

Employers should also follow the data processing principles of lawfulness, legitimacy, necessity and data minimisation. Employers must ensure employees' privacy-related rights, and adhere to other general requirements for PI processing, such as taking appropriate security measures to safeguard PI.

CBDT of Employee PI

Employers that intend to transfer employees’ PI outside of China must adhere to specific restrictions and requirements as set out under the PIPL. This could have significant implications for multinational companies, particularly those with operations both in China and abroad, as it is common practice for such companies to conduct intragroup sharing of employees’ PI.

According to Article 5.2 of the Provisions on Facilitating and Regulating Cross-border Data Flows (“CBDT Provisions”; 促进和规范数据跨境流动规定), where it is necessary to transfer employees' PI overseas for the purpose of cross-border HR management conducted in accordance with lawfully formulated labour rules and lawfully concluded collective contracts, companies are exempt from applying for a security assessment, obtaining certification from an approved agency or filing standard contractual clauses.

For transferring employee PI abroad, employers still need to obtain legal basis for such CBDT and to meet the disclosure obligations in accordance with Article 39 of the PIPL. On the other hand, employers will be exempted from submitting CBDT application procedures for outbound transfers of employees’ PI that are necessary for HR management, thereby significantly reducing the compliance burden borne by employers.

Employer Liability and Accountability

The PIPL and related regulations hold employers accountable for how they handle employee PI. If employers illegally mishandle or misuse employee PI, they could face severe penalties, including fines, restrictions on operations or even legal actions by employees. To avoid such risks, employers need to revise their HR policies to ensure data privacy compliance in employee onboarding, performance evaluations and resignation procedures. Employers shall also provide training for HR staff to understand the legal obligations around employee PI handling. Stringent security measures shall be taken to protect employees' PI from breaches, which also impacts the company's internal practices and operations.

Challenges for Employers

The evolving regulatory legal framework of data privacy is shaping the employment relationship by balancing the protection of employees’ PI against the operational needs of employers. Employers are required to adopt more robust data protection measures and to enhance transparency in their management of employees’ PI. This presents new challenges for employers, such as increased costs associated with implementing data protection efforts and introducing legal complexities. Multinational companies with operations in China must navigate the intricate landscape of data protection laws across multiple jurisdictions. Such companies may also encounter difficulties in aligning and harmonising the data privacy practices concerning their global business operations.

All forms of data or PI processing activities occurring in asset deals are governed by the DSL and the PIPL, and the requirements and obligations that those laws set for data and PI processing must be complied with accordingly. Specifically, with regard to any transfer of PI due to merger, division, dissolution or declaration of bankruptcy, etc, Article 22 of the PIPL imposes an additional disclosure requirement: the relevant data subjects must be informed of the name and contact information of the PI recipient. If the PI recipient changes the original purpose or method of processing, consent must be re-obtained from the data subjects concerned.

According to the CSL, PI collected by CIIOs during their operations in China must be stored within Chinese territory. Where there is a need to transfer such information overseas, a security assessment must be conducted. The PIPL extends this requirement beyond CIIOs to PI handlers whose processing volume reaches the threshold set by the CAC (Article 40), and a suitable CBDT mechanism must be in place before any PI can be transferred overseas. So far, the import of data from overseas into China has not been a focus of the administration.

The PIPL provides three routes for CBDT compliance:

  • obtaining approval for CAC security assessment;
  • being certified by the recognised agencies; or
  • concluding standard contractual clauses with the overseas recipient.

According to the Measures for the Security Assessment of Data Cross-Border Transfer (“Outbound Measures”; 数据出境安全评估办法), the security assessment mainly covers the legality, legitimacy and necessity of the purpose, scope and method of the outbound transfer of data. It also includes:

  • an impact analysis of the policies and regulations on data security and the network security environment of the country or region where the overseas recipient is located;
  • the data protection level of the overseas recipient;
  • the quantity, scope, type and sensitivity of the data;
  • risk of leakage, tampering, loss, damage, etc;
  • protection of data security and the rights and interests of PI subjects; and
  • legal documents between the data handler and the overseas recipient, etc.

The certification mechanism mentioned in the PIPL is implemented through the Technical Specification for Certification of Cross-Border Transfers of Personal Information V2.0 (网络安全标准实践指南–个人信息跨境处理活动安全认证规范V2.0). The Measures for Certification of Personal Information Protection for Outbound Transfer of Personal Information (Exposure Draft) (个人信息出境个人信息保护认证办法(征求意见稿)), released on 3 January 2025, further regulate the certification mechanism for the outbound transfer of PI.

As for standard contractual clauses, the Measures for the Standard Contracts for Outbound Transfer of Personal Information (个人信息出境标准合同办法) came into effect on 1 June 2023.

Regarding derogations, Article 38 of the PIPL allows the provision of PI in accordance with international treaties or agreements concluded or acceded to by China. Furthermore, the CBDT Provisions, which came into effect on 22 March 2024, exempt the following scenarios from the CBDT application procedures:

  • CBDT that does not contain PI or important data;
  • where data handlers transfer PI collected and generated overseas after being processed domestically without involving domestic PI or important data in the process;
  • for the establishment or performance of contracts to which individuals are parties;
  • in implementing cross-border HR management based on legally formulated labour rules and collective contracts;
  • in emergency situations to protect the life, health and property safety of natural persons; and
  • where a non-CIIO data handler has provided the PI of fewer than 100,000 individuals in total (excluding sensitive PI) to overseas recipients cumulatively since 1 January of the current year.

With the goal of stabilising the economy and promoting development, the CBDT Provisions responded to companies’ expectations and have substantially facilitated CBDT and alleviated companies’ compliance burden.

The cross-border transfer of PI and important data is regulated under the Three Fundamental Laws. CIIOs are required by the CSL to conduct a security assessment prior to the cross-border transfer of PI and important data. With respect to important data, data handlers are required by the DSL to abide by the regulations or measures issued by a certain authority, which refers to the Outbound Measures. In addition, the CBDT of certain specially regulated data (eg, human genetic resources information) is subject to specific regulatory rules provided in certain fields and may require government approval, according to applicable regulatory rules for the CBDT of such data.

For non-CIIOs transferring PI, refer to 5.1 Restrictions on International Data Transfers.

In China, the first and foremost data localisation requirement is that state secrets may not be transferred overseas. Secondly, PI and important data collected by CIIOs in the course of their operations in China must be stored domestically, and a security assessment is required before any CBDT. Data handlers that are not CIIOs but process PI above a certain volume threshold, or that collect important data, must also undergo a security assessment. There are also localisation requirements for specially regulated business data, including the following:

  • credit information;
  • personal financial information;
  • map data;
  • essential tech equipment required for online publication services;
  • data and information related to car hailing services;
  • health information of the population; and
  • insurance data and fiscal data.

In principle, such data must be stored within the Chinese territory (excluding the Hong Kong, Macau and Taiwan regions) and may not be freely transferred overseas. Where it is necessary to transfer such data overseas, special requirements for each type of information shall apply, such as obtaining approval from the competent authorities.

According to Article 36 of the DSL, organisations may not provide any foreign judicial or law enforcement body with any data stored within the territory of China without the approval of the competent authority. With respect to internal investigations, the restrictions on data collection and CBDT as mentioned in 5.1 Restrictions on International Data Transfers shall apply.

In addition, the Rules on Counteracting Unjustified Extra-Territorial Application of Foreign Legislation and Other Measures of the People’s Republic of China (“the Rules”; 阻断外国法律与措施不当域外适用办法) were released by the Ministry of Commerce of the People’s Republic of China (MOFCOM) on 9 January 2021, with immediate effect. The Rules are considered to be China’s blocking statute and, together with the approval requirement in Article 36 of the DSL, set up a relatively comprehensive system for counteracting foreign sanctions and the long-arm jurisdiction of certain countries and regions.

Legislation regulating CBDT in China has been actively evolving in recent years. Specifically, for the purposes of facilitating data flow and promoting foreign investments, and pursuant to Article 6 of the CBDT Provisions, under the framework of the national system for classified and hierarchical protection of data, pilot free trade zones may, at their own discretion, formulate lists of data that need to be included in the scope of CBDT application procedures (“Negative List”).

The Tianjin and Beijing Pilot Free Trade Zones released their Negative Lists and supporting measures in May and August 2024 respectively, followed by the Shanghai and Hainan Pilot Free Trade Zones in February 2025. In these free trade zones, only the CBDT of data on the Negative List still requires the CBDT application procedures; data not on the Negative List may be transferred overseas without them.

In addition to the Negative List, local governments are also exploring other initiatives to facilitate the flow of data. For example, the Implementation Guidelines for Standard Contracts on Cross-Border Flow of Personal Information in the Guangdong-Hong Kong-Macao Greater Bay Area (粤港澳大湾区个人信息跨境流动标准合同实施指引) were issued to facilitate data flow among companies within the Greater Bay Area.

In November 2024, aiming to encourage a more efficient, convenient and collaborative approach for international data flows, the CAC issued the Global Data Cross-Border Flow Co-operation Initiative (全球数据跨境流动合作倡议), advocating for the principles of “openness, inclusiveness, security, co-operation and non-discrimination” towards all international stakeholders.

The above underscores the Chinese government's objectives to stabilise the economy and enhance the facilitation of international data transfers.

Zhong Lun Law Firm

22-31/F, South Tower of CP Centre
20 Jin He East Avenue
Chaoyang District
Beijing 100020
PRC

+86 010 5957 2003

+86 010 6568 1022

chenjihong@zhonglun.com www.zhonglun.com

Trends and Developments

Authors

Global Law Office (GLO) dates back to the establishment of the Legal Consultant Office of China Council for the Promotion of International Trade in 1979. After more than 40 years of persistent effort and development, it has become one of the most prominent large comprehensive law firms in the Chinese legal industry. GLO has been committed to the mission of “serving domestic and foreign clients with globalised vision, a globalised team and globalised quality” since its inception, enabling it to maintain a leading position in the industry in an ever-changing global economic environment. All lawyers at GLO are graduates from first-tier domestic and/or international law schools, most of whom hold LLMs or higher degrees. Many partners are qualified to practise law in the US, UK, Australia, Switzerland, New Zealand or Hong Kong, among others.

Data Practice in China in 2024: A Year-End Review

2024 saw noteworthy developments in cross-border data transfer, data security measures, personal information compliance audit and AI-related litigation, including flexibility in the regulation of cross-border data transfers from China, the practical implementation of rules for personal information protection, and rapid developments in data assets. All these efforts highlight China’s desire to establish a secure and dynamic digital economy that addresses domestic growth needs while keeping an eye on global digital trade, embracing international standards and tackling practical challenges.

Meanwhile, the pervasive application of new technologies like generative artificial intelligence (AI) spurred an increase in litigation on intellectual property right claims and personal information protection, sending cautionary notes to businesses about things they need to prepare for in an ever-changing legal environment.

Cross-border data transfers

Provisions on Facilitating and Regulating Cross-border Data Flows

The Provisions on Facilitating and Regulating Cross-border Data Flows (the “Provisions”) were released by the Cyberspace Administration of China (CAC) on 22 March 2024 and introduced critical updates to China's regulatory mechanisms for cross-border data transfers (the “Regulatory Mechanisms”). Although the Provisions do not change the local processing preference established by the three channels that make up the Regulatory Mechanisms – ie, the Security Assessment, the China standard contractual clauses (CN SCC) and the cross-border privacy certification – they do relax the regulation of cross-border data transfers by raising the thresholds that trigger the Regulatory Mechanisms.

Highlights of the Provisions include the following.

  • The following processing scenarios are exempted from going through any Regulatory Mechanisms:
    1. transfers of employee data necessary for cross-border human resource management;
    2. transfers involving the performance of a contract, such as cross-border shopping, shipping, remittance of payments, payments, account opening, hotel/flight bookings, visa applications, and examination services; and
    3. transfers of fewer than 100,000 individuals’ personal data (excluding important data or sensitive personal data) within a year.
  • Increased threshold for the Security Assessment: data processors other than critical information infrastructure operators (CIIOs) anticipating the transfer of personal data of more than 100,000 but fewer than one million individuals in a year are exempt from the Security Assessment.
  • Clarification on important data determination: important data can only be determined through the notice from the competent regulators or the local authorities, or from the important data catalogue published by such entities.
  • Negative lists within Pilot Free-Trade Zones (FTZs): the FTZs in China will publish negative lists of data for cross-border transfer purposes (the “Negative List”), and data processors located within the FTZs can freely perform the cross-border transfer of data that is not on the Negative List out of China without the need to go through the current Regulatory Mechanisms.

Following the Provisions, the CAC further updated the implementation guidance for Security Assessments and CN SCC filings. These updates include simplified templates for personal information protection impact assessment reports, which further reduce the compliance burdens.

The Provisions and the implementation guidance substantially reduce the need to go through the Regulatory Mechanisms for cross-border data transfers and the compliance burden in preparing the application package for the Regulatory Mechanisms.

FTZs’ Negative Lists and Whitelists

Local governments and FTZs have been active in facilitating cross-border data flows. In 2024, the Tianjin and Beijing FTZs published their respective Negative Lists for cross-border data transfers, while the Lingang Special Area of the Shanghai FTZ and the Fujian Pingtan FTZ released Whitelists identifying data that is exempt from the Regulatory Mechanisms. Although Negative Lists make more sense in the Western style of legal governance, Whitelists may be easier to implement given the administrative law enforcement style in China.

Global co-operation

China announced its Global Cross-Border Data Flow Co-operation Initiative to the global community in November 2024, outlining constructive strategies for cross-border data flows and demonstrating its commitment to balancing development and security. The execution of a Memorandum of Understanding with Germany concerning cross-border data transfers, along with continuing efforts to join regional agreements such as the Comprehensive and Progressive Agreement for Trans-Pacific Partnership and the Digital Economy Partnership Agreement, highlights China's aspiration to foster an open and collaborative international framework for cross-border data flows.

New implementation rules on data security and protection

Network Data Security Management Regulations

After the initial release of the original draft for public comments, the Network Data Security Management Regulations (the “Regulations”) were finally released in September 2024, and came into effect on 1 January 2025. The Regulations address important aspects of network data governance, enhancing and complementing the existing data protection framework under the Cybersecurity Law (CSL), the Data Security Law (DSL) and the PIPL.

Key areas in the Regulations that might impact businesses include the following.

  • Personal data protection: the Regulations set forth more specific requirements for privacy policy formulation based on the PIPL. Businesses must ensure transparency by adhering to the content and display requirements of privacy policies (including the adoption of a dual-list to detail processing activities of collecting personal information and sharing personal information with third parties), obtaining separate consents when legally required, and responding appropriately to data portability requests.
  • Security management of important data: businesses processing important data must conduct risk assessments annually and in certain defined scenarios, as well as implementing appropriate safeguards for important data.
  • Obligations for network platform service providers: network platform service providers should define the data security management obligations of third parties in the platform rules or contracts. Network platform service providers should be held accountable for any legal liability that results from their failure to fulfil their respective supervisory obligations and the resulting harm to users.

Dealing with network security incidents

As cyber threats and data breaches continue to increase in China, the Chinese regulators are enhancing the requirements regarding network security and the corresponding protection mechanisms, particularly the notification and reporting obligation. Businesses are required to take prompt remedial actions and notify the competent regulatory authorities of any network security incidents. The Regulations mandate reporting within 24 hours for incidents that pose a risk to national security or public interest, which is a shorter timeframe than the 48-hour reporting period established under the Regulations on Network Product Security Vulnerabilities Management for software vulnerability reporting.

In 2024, the rules dealing with network security incidents were made clearer. For example, the Emergency Response Plan for Data Security Incidents in the Industrial and Information Technology Field (Trial), released by the Ministry of Industry and Information Technology (MIIT) and effective in November 2024, provides that data processors are responsible for the prevention, monitoring, emergency response to and reporting of data security incidents. Upon identifying an incident, data processors must first categorise its severity into one of the statutorily defined levels (extremely serious, serious, significant, or general) and notify the relevant regulatory authority. They must then initiate an emergency response by declaring an emergency status, implementing data recovery or tracing measures, and conducting ongoing monitoring and analysis. Finally, a thorough investigation into the cause of the incident, an assessment of its impact, a summary of lessons learned, and a comprehensive report are required.

Determination of important data

This was another key development in 2024. Under the current laws, important data is broadly defined as information that pertains to specific fields, groups or regions, or that reaches a certain level of precision and scale; if such data is leaked, tampered with or destroyed, it could directly harm national security, economic stability, social order, public health or safety.

Currently, as clarified under both the Provisions and the Regulations, the determination of important data rests with the relevant principal authorities. Businesses are obliged to identify and report such important data to the relevant principal authorities for final and official determination.

Nationally, regulators of some specific industries, such as the automotive sector, have established their own data security regulations, providing guidance on the identification of important data.

In addition, the recommended national standard, Data Security Technology – Rules for Data Classification and Grading (the “Standard”), came into effect in October 2024 and provided details for important data identification. The Standard suggested that data processors should first refer to the data classification and grading rules, or to the important data catalogues specified by the competent regulatory authorities in their respective industries, and then use the Standard to determine data levels and assess whether they meet the criteria of important data therein.

Moreover, MIIT released the Second Draft Guidelines for Identification of Important Data in the Industrial Field and the most recent Guidelines for Identification of Important Data in the Telecommunications Field. Both guidelines indicate that personal data related to certain groups, or sensitive personal data affecting over 100,000 individuals, may qualify as important data, underscoring the rising concern over the protection of large-scale personal data sets.

Personal Information Protection Compliance Audit (PIPCA)

The PIPL mandates that businesses conduct a PIPCA regularly or when required by regulators, particularly when personal information processing activities pose significant risks or following data security incidents. The 2023 Draft Measures on Personal Information Protection Compliance Audit Management (the “Draft Measures”) and the recommended national standard, Draft Data Security Technology – Personal Information Protection Compliance Audit Requirements (the “Draft Standard”), released in 2024, further supplemented and clarified the details under the current framework of the PIPCA.

The Draft Measures require businesses that process the personal information of more than one million individuals to conduct at least one PIPCA annually, while other data processors must perform such audits at least once every two years. The Draft Measures outline various aspects of Compliance Audits, including their types, applicable scope, frequency, triggering conditions, audit institutions, time frames, procedures and key focus areas. The Draft Standard further complements these measures by specifying key audit content, methodologies, structured audit workflows, etc.

The PIPCA for personal information protection is accelerating in implementation, with full-scale implementation on its way. Businesses should be prepared to have a PIPCA plan in place, based on the upcoming official PIPCA rules.

Increased focus on AI governance

In recent years, China has been working to balance the benefits and risks of the growth of AI technologies. To support this, the government has introduced national strategies to promote AI development, alongside laws, regulations and guidelines designed to regulate AI services offered to the public.

Draft Artificial Intelligence Law of the PRC

In 2024, China moved forward with AI laws and policies that are commensurate to the development of AI technologies. On 9 May 2024, the State Council’s Legislative Working Plan announced that the draft Artificial Intelligence Law will be reviewed by the Standing Committee of the National People's Congress. The first comprehensive law on AI in China is on the horizon.

Registration of generative AI services

Article 17 of the Interim Measures on Generative AI Services requires generative AI services with public opinion attributes or social mobilisation capability to undergo a security assessment and register with the CAC and its local counterparts, in order to prevent security risks. The registration obligation applies not only to providers of generative AI services but also to companies that integrate third-party generative AI services into their own services. Under the law, generative AI services that fail to complete registration before going online may be shut down.

According to the CAC’s announcement on 8 January 2025, 302 generative AI services had been registered successfully with CAC as of 31 December 2024; 105 services that integrate third-party AI interfaces were also registered. The registration process for these integrated services is simpler than the standard registration process.

National standards regarding the safety of AI services

In 2024, China issued the national standards for AI service security, showcasing the best compliance practices in generative AI business operation. These standards also serve as references for authorities in interpreting and enforcing related regulations.

  • In March 2024, National Technical Committee 260 on Cybersecurity of Standardisation Administration of China (TC260) released a standard titled “Basic Security Requirements for Generative AI Services (TC260-003)”, building on the Interim Measures on Generative AI Services. It provides detailed guidelines for processing training data, model training and service provision, ensuring that generative AI brings user convenience without triggering security risks. This standard serves as a key reference for companies seeking registration with CAC for their generative AI services.
  • In the same month, a draft standard titled “Cybersecurity technology – Generative artificial intelligence data annotation security specification” was introduced and opened for public comments. This standard addresses the safety of manual data annotation used for training models and supports the implementation of data annotation provisions in the Interim Measures on Generative AI Services.
  • In the following months, two additional recommended national standards for generative AI were released for public comments: “Cybersecurity technology – Security specification for generative artificial intelligence pre-training and fine-tuning data”; and “Cybersecurity technology – Basic security requirements for generative artificial intelligence service”. Notably, a compulsory national standard on generative AI was also released for public comments: “Cybersecurity technology – Labelling method for content generated by artificial intelligence”. This type of compulsory standard is uncommon in this field, and thus warrants close attention for companies in the data labelling industry.

Highlights of data assets and use

Data as an asset

On 1 January 2024, the Interim Provisions on Accounting Treatment for Enterprise Data Resources came into effect. These provisions allow data to be recorded as an asset on enterprises’ balance sheets and clearly define the scope of data resources and applicable standards.

As of the end of August 2024, public statistics show that 41 companies listed on the stock exchanges in China have included data assets on their balance sheets, totalling approximately CNY1.3 billion and potentially boosting their revenues. These companies are primarily in the information transmission, software and IT services, and manufacturing sectors. For example, an AI company with significant intellectual property and data resources embedded in its AI models lacks tangible collateral and aims to leverage these data resources as an asset for financing to address capital constraints.

Despite this, companies still face uncertainties and challenges in listing data as an asset. Key issues include confirming data asset rights, protecting individual data security and privacy, and assessing the fair value of data. Most companies are currently observing early adopters and have not yet acted.

Data exploitation and utilisation

The National Data Bureau was established in late 2023 and took proactive measures in 2024 to facilitate data utilisation and monetisation. On 20 December 2024, the National Data Bureau and other departments issued the Opinions on Promoting the Development and Utilisation of Enterprise Data Resources. The document aims to protect enterprises’ legitimate rights in data collection, development, utilisation and benefit distribution.

On 30 December 2024, the National Development and Reform Commission, the National Data Bureau and other departments issued Guiding Opinions to Promote the High-Quality Development of the Data Industry. The document highlights key areas in the data lifecycle, including data collection, data storage, data governance, data analysis, data trade, data exploitation and data security. In 2025, it calls for co-ordinated efforts between central ministries and local governments to implement the incentives outlined in the guidelines.

Law enforcement and judicial judgments

Regular inspections on apps, mini programs and software development kits (SDKs)

The governmental authorities continue to carry out compliance inspections on publicly available apps, mini programs and SDKs regarding personal information protection laws. The most common non-compliance issues include inadequate privacy policies, illegal collection of personal information, excessive device permission requests, and failure to respond to individuals’ requests for their personal information rights.

Judicial cases concerning AI are on the rise

In 2024, like the EU and the United States, China experienced a surge of disputes relating to artificial intelligence, marking several “first cases” in China. Most of these cases involve copyright issues. Landmark cases in 2024 include the following.

  • In early 2024, the Beijing Internet Court published a case ruling that an AI-generated image was copyrightable. The court determined that the plaintiff’s aesthetic choices and personal judgement in the entire generation process utilising the AI tool were significant, and thus subject to copyright protection.
  • On 8 February 2024, the Guangzhou Internet Court issued a judgment on AIGC content infringement. In this case, a text-to-image AIGC tool provider was found liable for infringing the copyright of the Ultraman IP. The court emphasised that AIGC service providers must exercise a “reasonable duty of care” to protect intellectual property rights in accordance with Chinese law.
  • On 23 April 2024, the Beijing Internet Court issued a ruling in the case of infringement of personal rights related to AI-generated voices. The court determined that the protection for natural persons’ voices can extend to AI-generated voices, provided they are identifiable.
  • Disputes over training materials for large language models are increasing as well, but no court judgment has yet been issued. For example, in June 2024 the Beijing Internet Court accepted a case where four painting artists sued a content generation platform. The plaintiffs claimed that the AI painting tool on the platform generated images that conspicuously imitated their artistic styles, alleging that the platform utilised their work to train its AI model for commercial purposes that exceeded fair use under the current framework of copyright protection. This case is still under review.
  • In another notable case concerning the illegal use of data in AI model training, a well-known video streaming platform filed a lawsuit against a domestic AI start-up, accusing it of copyright infringement in its AI model training and content generation process, on the grounds that the start-up used the platform’s copyrighted materials for AI model training without authorisation and generated content that violates the platform's copyright. The case has been accepted by the court and is now under review.

First case on cross-border transfer of personal information

In September 2024, the Guangzhou Internet Court released a civil judgment in a dispute concerning the cross-border transfer of personal information, which attracted wide attention. A Chinese citizen filed a lawsuit against a famous global hotel group and its Chinese affiliate (“Hotel”), challenging the legality of their cross-border data-sharing practices.

In this case, when the plaintiff joined the Hotel’s membership programme and booked a hotel stay through the Hotel’s app, the plaintiff provided personal information, including their name, contact details, nationality and payment information. Following the reservation, the plaintiff discovered that the personal information had been shared with foreign entities, including marketing partners and affiliates in several countries. The Hotel’s privacy policy, accessible upon registration, included a broad clause allowing cross-border data transfers, but did not specify which entities would receive the information or the purpose for each data transfer.

The Guangzhou Internet Court ultimately ruled in favour of the plaintiff, as follows.

  • The court determined that the Hotel’s privacy policy, which required a single, blanket consent, did not meet the PIPL’s requirement of separate consent for cross-border transfers. The PIPL mandates that, if the personal information processor relies on individuals’ consent as the legal basis for processing personal information, any cross-border transfer of personal information is subject to separate consent from those individuals. This means that individuals should be given a distinct, explicit choice to approve each data transfer outside of China, especially when personal information is shared for non-essential purposes such as marketing. Therefore, the court determined that the plaintiff’s act of agreeing to the Hotel’s privacy policy could not be deemed a valid separate consent.
  • The court also found that the Hotel’s privacy policy allowed data sharing with numerous third parties unrelated to the core purpose of the plaintiff’s reservation. Although the Hotel argued that this data-sharing arrangement was consistent with industry practices, the court ruled that sharing personal information with unrelated third parties or for secondary purposes other than contract performance (eg, marketing and customer profiling) exceeded the “minimum necessary” scope required to fulfil the plaintiff’s booking.

This case serves as an important compliance reminder for multinational companies operating in China or processing Chinese individuals’ personal information, that even privacy policies adhering to international standards such as the GDPR may fall short in meeting PIPL compliance.

What to expect in 2025

Legal developments on data security and protection in 2025 will continue to be shaped by the need for domestic economic growth, technological innovation, and evolving global political interactions. The focus will remain on balancing the already robust data protection regime with the pressure to grow the domestic economy and technical innovation. In recent years, China has developed a trend of following EU legislative movements to address emerging data protection challenges and manage the risks of new technology development.

For multinational companies operating in China, it is worthwhile keeping a close watch on the implementation of the Network Data Security Management Regulations, which will implement the legal requirements under the three milestone laws: the CSL, the DSL and the PIPL. The PIPCA development, and regulations and judicial cases on the use of AI tools, also merit attention in 2025.

Global Law Office

36th Floor, Shanghai One ICC
No. 999 Middle Huaihai Road
Xuhui District
Shanghai 200031
China

+86 21 2310 8288

+86 21 2310 8299

vincentwang@glo.com.cn
www.glo.com.cn

Trends and Developments

Authors



Global Law Office (GLO) dates back to the establishment of the Legal Consultant Office of China Council for the Promotion of International Trade in 1979. After more than 40 years of persistent effort and development, it has become one of the most prominent large comprehensive law firms in the Chinese legal industry. GLO has been committed to the mission of “serving domestic and foreign clients with globalised vision, a globalised team and globalised quality” since its inception, enabling it to maintain a leading position in the industry in an ever-changing global economic environment. All lawyers at GLO are graduates from first-tier domestic and/or international law schools, most of whom hold LLMs or higher degrees. Many partners are qualified to practise law in the US, UK, Australia, Switzerland, New Zealand or Hong Kong, among others.
