Regulating the Processing of Information and New Technology in China
Overview of the information technology sector
China’s information technology (IT) sector has continued to experience rapid growth. At the same time, the government has introduced a series of initiatives, including the Action Plan for Cultivating the Data Factor Market, to promote data ownership clarification, data circulation and trading. As a result, the value of data is increasingly being unlocked across sectors such as financial risk management and intelligent transportation, demonstrating the significant potential of China’s data factor market. Cloud computing has also become a key component of the country’s digital economy infrastructure.
The rapid expansion of China’s IT sector has accelerated the integration of artificial intelligence (AI), data resources and digital infrastructure, while also driving the continuous development of the country’s legal and regulatory framework. As the sector continues to evolve, a more comprehensive and sophisticated regulatory regime is expected to play an increasingly important role in supporting the sustainable development of China’s IT sector.
China’s IT sector is also being shaped by a broader digital transformation agenda that extends well beyond technological innovation. Traditional industries, including manufacturing, finance, healthcare and transportation, are increasingly integrating AI, cloud computing and data analytics into their core business operations. This digital transformation has significantly accelerated demand for data-driven business models and intelligent infrastructure, while also creating new legal and regulatory challenges relating to data governance, cybersecurity and the responsible deployment of emerging technologies.
At the same time, China’s emphasis on developing the digital economy has encouraged businesses to adopt new technologies at an unprecedented pace. As digitalisation becomes increasingly embedded across commercial activities, regulatory authorities are likewise expected to refine the legal framework governing digital innovation. Consequently, legal compliance is no longer viewed merely as a risk management exercise but is increasingly becoming an important element of corporate governance and long-term business strategy for companies operating in China’s digital economy.
Legal and regulatory framework for the IT sector
To regulate the development of the IT sector while balancing innovation and security, China has established a comprehensive legal and regulatory framework covering AI, cybersecurity, personal information protection, data security and cross-border data transfers.
AI regulatory framework
China has established a multi-layered regulatory framework for AI. The Interim Measures for the Administration of Generative AI Services set out the fundamental regulatory framework governing generative AI and have since been supplemented by a series of national standards that provide more detailed compliance requirements. Together, these regulations and technical standards translate high-level legal principles into practical compliance obligations for AI service providers.
Cybersecurity legal regime
China’s cybersecurity regime is built upon the Cybersecurity Law of the People’s Republic of China, which serves as the cornerstone of the country’s cybersecurity regulatory framework. Following its first major amendment in October 2025 (effective from 1 January 2026), the Cybersecurity Law introduced dedicated provisions addressing AI security, supporting the development of AI technologies while strengthening ethical governance and risk management. In addition, the Regulations on the Security Protection of Critical Information Infrastructure further specify the cybersecurity obligations applicable to operators of critical information infrastructure.
Personal information protection regime
The Personal Information Protection Law remains the core legislation governing personal information protection in China. In 2025, a series of supporting regulations came into force, including the Measures for the Administration of Personal Information Protection Compliance Audits and the Measures for the Security Management of Facial Recognition Technology Applications, further strengthening the regulatory framework for personal information protection and cross-border data transfers. The issuance of the Measures for Personal Information Export Certification, together with the implementation of negative lists in pilot free trade zones, has further refined the regulatory regime governing cross-border data transfers.
Data security and cross-border data transfer
China’s data security regime places particular emphasis on data classification and graded protection. Operators of critical information infrastructure are generally required to store within China any personal information and important data collected or generated during their operations, while cross-border transfers of such data are subject to security assessment where required by law. Supporting regulations, including the Measures for Security Assessment of Cross-border Data Transfer, further specify the applicable assessment procedures with the dual objective of safeguarding data security and facilitating the lawful and orderly flow of data across borders.
Overall, China has gradually developed a multi-layered regulatory framework for the IT sector, with the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law forming its legislative foundation, complemented by sector-specific rules governing areas such as AI and cross-border data transfers. In recent years, China’s regulatory approach has evolved from establishing high-level legal principles towards more refined and operational compliance requirements, seeking to strike an appropriate balance between technological innovation, national security and the public interest while providing greater regulatory certainty for businesses operating in the IT sector.
Key regulatory trends in the IT sector
With the rapid development of emerging technologies such as AI, big data and cloud computing, China’s IT regulatory regime has evolved beyond the establishment of a basic legal framework towards more detailed and refined regulatory rules. While continuing to support technological innovation, regulators are placing increasing emphasis on data security, cybersecurity and platform governance, encouraging businesses to establish more sophisticated compliance programmes in response to evolving regulatory expectations.
Deepening AI governance
China’s approach to AI governance continues to evolve towards a more comprehensive regulatory model. Regulatory attention has gradually expanded beyond technical standards to encompass broader issues such as AI ethics and the societal implications of AI deployment. From a technical perspective, regulators continue to develop standards relating to algorithm transparency and explainability in order to enhance the safety, reliability and accountability of AI systems.
Continued development of the data factor market
The development of China’s data factor market is gradually shifting from institutional exploration towards a more mature and standardised market framework. Current policy initiatives focus on establishing clearer and more operational rules governing data ownership and rights while improving the infrastructure for data circulation and trading. At the same time, regulators continue to encourage the innovative use of data across a broader range of industries and business scenarios in order to maximise the economic value of data resources.
Continued optimisation of cross-border data transfer regulation
China continues to refine its regulatory framework governing cross-border data transfers while maintaining a strong emphasis on data security. On the one hand, the mandatory security assessment regime remains a key safeguard for the outbound transfer of important data and sensitive personal information. On the other hand, regulators are exploring more facilitative mechanisms, including “approved list” programmes for eligible businesses, with the aim of improving the efficiency of compliant cross-border data transfers.
Strengthening cybersecurity regulation
China’s cybersecurity regime continues to become more stringent and sophisticated. Regulatory priorities have expanded from the protection of traditional network infrastructure to addressing security risks arising from emerging technologies such as AI and big data. Amendments to the Cybersecurity Law have significantly increased regulatory penalties and imposed more stringent obligations on operators of critical information infrastructure. In parallel, regulatory authorities continue to strengthen certification and testing requirements for cybersecurity products in order to improve the overall security of the digital ecosystem.
Overall, China’s IT regulatory regime is becoming increasingly standardised, refined and mature. Regulatory priorities now extend beyond the formulation of legal rules to their practical application across specific business activities, covering areas ranging from AI governance and data circulation to cross-border data transfers and cybersecurity. For businesses operating in China, keeping pace with regulatory developments and continuously enhancing internal governance and compliance frameworks will be essential to effectively managing legal and regulatory risks.
Key judicial developments in the IT sector
In recent years, the rapid development of China’s IT sector has given rise to a growing number of disputes involving AI, data security, personal information protection and platform competition. Through a series of representative cases, Chinese courts have continued to clarify the application of relevant laws and provide greater legal certainty for businesses operating in the digital economy. The following cases illustrate several of the most significant judicial developments in the IT sector.
AIGC and copyright protection
Chinese courts have handled an increasing number of copyright disputes relating to AI-generated content (AIGC), although a fully consistent judicial approach has yet to emerge.
Recognition of copyright protection for AI-generated works
In the landmark AIGC Copyright Case, the Beijing Internet Court held that where a creator exercises sufficient intellectual input and creative control throughout the AI-assisted creation process, the resulting work may satisfy the originality requirement under China’s Copyright Law and therefore qualify for copyright protection. The court further found that the unauthorised removal of the author’s attribution and online dissemination of the work constituted copyright infringement.
This decision is widely regarded as the first landmark judicial recognition of copyright protection for AI-generated works in China, confirming that content generated through meaningful human intellectual contribution with the assistance of AI tools may enjoy copyright protection.
Diverging judicial approaches
Chinese courts have also reached different conclusions in subsequent cases. In one case, the Zhangjiagang People’s Court held that copyright protects only concrete original expression, whereas prompts entered into an AI system merely represent abstract ideas and therefore do not, by themselves, qualify for copyright protection.
These differing judicial approaches suggest that Chinese courts are adopting an increasingly cautious approach towards determining the copyrightability of AI-generated content, placing greater emphasis on originality and the extent of human creative contribution. From a practical perspective, businesses should maintain comprehensive records of prompts, parameter settings and subsequent human modifications in order to demonstrate authorship and ownership should disputes arise.
Personal information protection
Chinese courts have continued to strengthen judicial protection of personal information by closely scrutinising how online platforms collect and process users’ personal data.
In one Guiding Case issued by the Supreme People’s Court, a user alleged that an online platform had unlawfully required users to provide excessive personal information as a condition for accessing its services. The platform argued that such information was necessary for personalised services and had been voluntarily provided by users.
The court rejected this argument, holding that only a user’s mobile phone number was necessary for the provision of the platform’s core services. Additional profile information did not satisfy the necessity requirement, and users’ consent obtained through mandatory data collection without a genuine opt-out mechanism could not be regarded as valid consent.
This case confirms that platform operators cannot compel users to consent to the collection of non-essential personal information by making such consent a prerequisite for accessing basic services. In practice, businesses should regularly review their authorisation mechanisms to ensure compliance with the principle of data minimisation and avoid relying on default consent, mandatory authorisations or similar practices that may undermine the validity of users’ consent.
Data security
Chinese courts have made it clear that online platforms owe a statutory duty to safeguard users’ personal data and may be held liable where inadequate security measures result in data-related harm.
In one representative case, a user who had booked airline tickets through an online travel platform subsequently received fraudulent text messages containing accurate flight and passenger information. The Beijing Chaoyang District People’s Court held that the passenger’s itinerary and mobile phone number constituted protected personal information. As the platform failed to demonstrate that it had implemented adequate access controls, encryption measures and security management procedures, it was found to have breached its statutory duty to protect users’ personal information and was held liable for the resulting losses.
This case confirms that publishing a privacy policy alone is insufficient to discharge a platform’s data protection obligations. Businesses are expected to implement substantive technical and organisational safeguards, including end-to-end encryption, access controls, audit logging and incident response mechanisms. In practice, companies should establish comprehensive data security management systems covering the entire data life cycle rather than relying solely on contractual or policy-based compliance measures.
Unfair competition in the digital economy
In recent years, Chinese courts have taken an increasingly restrictive approach towards business practices that misuse IT to distort fair market competition.
In one representative case, a technology company operating a short-video platform brought an unfair competition claim after another company reproduced substantial amounts of its platform data, including videos, user profiles and comments, without authorisation. The Beijing Haidian District People’s Court held that although the aggregated platform data did not constitute a copyright-protected compilation, it nevertheless represented a protectable commercial interest arising from the operator’s substantial investment. The unauthorised large-scale extraction and use of such data, which effectively substituted the claimant’s services and diverted user traffic, constituted unfair competition.
The judgment establishes an important judicial principle prohibiting competitors from systematically scraping and reusing core platform data to replace or replicate another platform’s services. Businesses that rely heavily on data-driven operations should therefore carefully review both the methods by which data is obtained and the scope of its subsequent use in order to minimise unfair competition risks.
Overall, recent judicial developments demonstrate that Chinese courts are continuing to refine the application of existing laws to emerging issues arising from the development of the IT sector. Through representative cases involving AI, personal information protection, data security and digital platform competition, the courts have provided greater legal certainty for businesses operating in China. As regulatory policies and judicial practice continue to evolve in parallel, businesses should monitor not only legislative developments but also emerging judicial trends and adjust their compliance frameworks and business operations accordingly.
Future regulatory trends and compliance recommendations
Looking ahead, China’s regulatory framework for the IT sector is expected to continue evolving alongside the rapid development of emerging technologies such as AI, big data and cloud computing. Future regulatory initiatives are likely to focus on maintaining an appropriate balance between encouraging technological innovation and safeguarding data security, cybersecurity and other public interests. Further refinement of the regulatory framework is expected in key areas including AI governance, data security, personal information protection and digital platform regulation.
China’s regulatory approach is becoming increasingly rules-based, refined and sophisticated. Supported by a comprehensive legislative and regulatory framework, the current regime seeks to regulate technological innovation, data processing and digital market competition while continuing to provide sufficient space for legitimate technological development and commercial innovation.
Against this regulatory backdrop, businesses should establish comprehensive and ongoing compliance programmes capable of adapting to both regulatory developments and evolving judicial practice.
For example, businesses engaged in AIGC-related activities should maintain comprehensive records of prompts, parameter settings and subsequent human modifications to facilitate the verification of copyright ownership in the event of disputes. When processing personal information, businesses should review and optimise their authorisation mechanisms by eliminating mandatory consent practices, providing genuine opt-out options and ensuring compliance with the principle of data minimisation. In relation to data security, companies should implement integrated technical and organisational safeguards covering encryption, audit logging, monitoring and incident response, supported by regular internal audits and security assessments. Businesses should also avoid scraping or reusing competitors’ proprietary data without proper authorisation and instead compete through independent innovation in order to minimise unfair competition risks.
More broadly, IT companies should continue strengthening their internal compliance governance by establishing comprehensive policies covering data security, personal information protection and intellectual property management.
For both domestic and international businesses operating in China, compliance will increasingly require more than satisfying individual statutory obligations. Instead, companies should develop integrated compliance frameworks covering AI governance, data security, personal information protection, cybersecurity and intellectual property management. Embedding compliance considerations throughout product development, data governance and day-to-day business operations will be essential to balancing technological innovation with sustainable commercial growth in an increasingly complex regulatory environment.
Beyond compliance with individual legal requirements, businesses should increasingly adopt a governance-based approach to regulatory risk management. Rather than treating AI governance, cybersecurity, data protection and intellectual property as separate compliance functions, companies should establish an integrated governance framework capable of addressing legal, technical and operational risks throughout the life cycle of digital products and services.
In practice, this requires close collaboration among legal, compliance, cybersecurity, product development and business teams. Compliance considerations should be incorporated at an early stage of product design and continue throughout data collection, AI model training, deployment, commercialisation and ongoing operation. Companies should also establish internal review mechanisms capable of responding promptly to regulatory changes and emerging judicial developments. Such governance arrangements will not only reduce legal risks but also strengthen corporate resilience and enhance market confidence in an increasingly regulated digital environment.
36F, Jinmao Tower
No 88 Century Avenue
Pudong New District
Shanghai
China
+86 213 886 2288
+86 213 886 2288*1018
shanghai@jtn.com www.jtn.com