In 2025, China’s cybersecurity and data protection compliance governance entered a new stage of accelerated evolution—from institutional construction to systematic operation, and from principle-based norms to in-depth governance.
From the legislative perspective, the Standing Committee of the National People’s Congress (“NPCSC”) completed the first systematic amendment to the Cybersecurity Law (“CSL”), and the Regulations on Network Data Security Management (“NDSM”) formally took effect. These developments further strengthened the foundational legal framework for the coordinated operation of cybersecurity, data security, and personal information protection, significantly enhancing the completeness and internal coherence of the data governance rule system.
In regulatory practice, authorities continued to advance rule implementation and refinement around specific business scenarios. Key focuses included optimising institutional pathways for cross-border data transfer compliance, mandating personal information protection compliance audits, and issuing dense supporting regulations for key industries such as finance and healthcare. Regulatory requirements shifted from “predictable” to “executable,” with clearer boundaries of compliance responsibilities and enforcement standards, further reinforcing the bottom line of data security and personal information protection. Meanwhile, in the construction of data element markets, policy orientation has gradually shifted from strengthening security governance towards promoting the efficient circulation and value release of data elements. Institutional explorations focused on core issues such as data pricing mechanisms, compliant circulation pathways, and utilisation rules, aiming to achieve a more refined balance between risk prevention and unlocking the potential of data elements.
As we head into 2026, the formal implementation of the amended CSL in 2026 will impose new requirements on enterprises regarding cybersecurity and data compliance governance. Beyond this, what additional challenges will businesses face? In the following two-part series, we will further examine the key developments in China’s data protection and cybersecurity landscape in 2025 and the changes expected in 2026.
We highlight our observations on major regulatory and enforcement developments in the data protection and cybersecurity area in 2025 from the following five perspectives:
· Personal information protection: A substantial number of legislative updates in this area aim to further implement the provisions of the Personal Information Protection Law (“PIPL”). These developments cover personal information protection compliance audits, facial recognition, personal information identification, de-identification and anonymisation, as well as enforcement actions in sectors such as consumption, comprehensively strengthening both the intensity and scope of personal information protection.
· Data security: Data security supervision continues to deepen, with the ongoing refinement of relevant laws and regulations, administrative rules, and supporting standard systems centred around data governance across different industries. The overall regulatory framework is becoming increasingly granular and operationalised. While ensuring data security and personal information protection, the regulatory approach places greater emphasis on scenario-based rule design and institutional coordination, balancing risk prevention and control with data element circulation efficiency, and driving the comprehensive evolution of regulatory requirements from principles-based norms toward institutional implementation and industry practice.
· Cross-border data transfer: The regulatory system has been further improved and practices deepened. Centred on implementing the relevant provisions of the CSL, Data Security Law (“DSL”), and PIPL, a multi-layered, scenario-based cross-border data governance framework has been established. This covers the construction of personal information export compliance systems, advancement of regional cross-border data pilots, refinement of industry-specific guides, detailed operational standards, and clarification of compliance boundaries. These efforts have raised the overall standardisation of cross-border data flows while balancing security protection with circulation efficiency, advancing cross-border data governance toward greater systematisation and normalisation.
· Data trading: Progress in building the foundational institutional system for data trading has continued. Regions have intensified exploration in public data authorised operation and data element market cultivation, improving data circulation and trading mechanisms. Through refined rules and strengthened compliance supervision, data trading activities have been further standardised, promoting efficient allocation and safe, orderly flow of data resources, enhancing development and utilisation levels, and unlocking the value of data elements.
· Cybersecurity: The CSL underwent its first revision, providing stronger legal safeguards for a secure and orderly cyberspace through improved institutions, strengthened responsibilities, and increased penalties. A series of newly issued or proposed national standards have also been released, offering enterprises clearer and more actionable guidance for cybersecurity protection work. Enforcement actions have continued on a regularised basis, reinforcing governance and signalling to enterprises the need to earnestly fulfil their primary cybersecurity responsibilities and continuously improve protection and compliance management levels. (Click here to read our commentary on the CSL revisions.)
In this first half of the article, we outline the three major highlights of China’s data protection and cybersecurity regulation in 2025, as well as the development of personal information protection over the past year.
Part One: Highlights of 2025
In 2025, we witnessed robust developments in the following three areas:
· Personal information protection: where compliance audits have been progressively implemented. To solidify the primary responsibility of controllers and strengthen supervision of processing activities, the Cyberspace Administration of China (“CAC”) issued the Measures for the Administration of Personal Information Protection Compliance Audits (“Audit Measures”) in February 2025. The Audit Measures provide clear guidance on specific measures, applicable scenarios, and implementation methods, positioning compliance audits as an essential tool for building sound compliance governance systems and implementing a multi-level supervision framework.
· Cross-border data transfer: where the institutional framework was further refined around data export security assessments, certification mechanisms, and management of cross-border flows in key industries such as automotive. Operational rules and implementation details became increasingly clear, rendering compliance pathways more stable and predictable.
· Cybersecurity management: where on 28 October 2025 the NPCSC formally adopted the decision amending the CSL. The revision optimised the linkage mechanisms with the Civil Code and PIPL in personal information protection, clarified legal liabilities for network operators and critical information infrastructure operators, and added provisions on artificial intelligence (“AI”) governance to address emerging technological needs. These changes strengthen cybersecurity management and further consolidate the legal foundation of China’s network and data security governance.
In addition to the developments mentioned above, China also issued or solicited comments on a series of implementation regulations, detailed rules, and national or industry standards in 2025. These measures provide more practical guidance for data and cybersecurity compliance and further enhance governance and enforcement.
Part Two: Personal Information Protection
I. Regulatory Developments
1) Personal Information Protection Compliance Audits
In 2025, China's personal information protection work transitioned from principled provisions into an operational regulatory phase. Controllers are no longer merely passively complying with the law, but are required to proactively conduct compliance audits to ensure that their personal information processing activities comply with legal requirements.
On 12 February 2025, the CAC issued the Audit Measures, effective from 1 May 2025. This filled a previous legal gap and provided a clear basis for controllers and professional institutions to conduct audits. The Audit Measures and supporting guides detail the scope of entities, frequency, triggering circumstances, qualifications of professional audit institutions, and audit content, offering concrete operational guidance and further implementing requirements under the PIPL and the NDSM. (For more details, click here and here to read our articles.) Subsequently, the CAC issued the Announcement of the CAC on the Submission of Information on Personal Information Protection Officer (“PIPO”) to implement relevant provisions of the PIPL and Audit Measures. (Click here to read our article on the submission of information regarding PIPO.)
To refine the Audit Measures, the National Cybersecurity Standardisation Technical Committee (“TC260”) issued two practice guides: The Cybersecurity Standard Practice Guide - Personal Information Protection Compliance Audit Requirements and Cybersecurity Standard Practice Guide - Service Capability Requirements for Professional Institutions for Personal Information Protection Compliance Audits, forming a complete standard system. The Cybersecurity Standard Practice Guide - Personal Information Protection Compliance Audit Requirements establishes a series of audit principles including legality and independence, and clarifies the overall requirements and implementation process for personal information protection audits. From the content and methodology perspective, the guide covers 26 specific audit areas, including the protection of the right to deletion and automated decision-making that processes personal information, and provides clear recommendations for various entities on how to conduct personal information protection audits and retain audit evidence. The Cybersecurity Standard Practice Guide - Service Capability Requirements for Professional Institutions for Personal Information Protection Compliance Audits regulates the capability requirements for professional institutions providing personal information protection compliance audit services from five aspects: basic conditions, management capability, professional capability, personnel capability, and premises and equipment resource capability.
On 29 December 2025, the CAC issued the Announcement of the CAC on the Submission of Compliance Audit Reports Concerning the Protection of Minors' Personal Information, requiring controller that processes minors' personal information to submit a compliance audit report for the preceding year no later than January 31 of each year. Conducting compliance audits on the protection of minors' personal information can promptly identify and rectify issues that controllers may have when processing minors' personal information, thereby safeguarding the personal information rights and interests of minors. At the same time, this also helps to enhance controllers' awareness of the importance of protecting minors' personal information and promote the development of work related to the protection of minors' personal information.
2) Facial Recognition Management
Facial information is sensitive personal information, the leaks of which can cause serious harm to personal and property safety and even public security. On 21 March 2025, the CAC and Ministry of Public Security (“MPS”) jointly issued the Security Management Measures for the Application of Facial Recognition Technology (“Facial Recognition Measures”), improving the regulatory framework and marking a new stage of oversight. (Click here to read our article on the Facial Recognition Measures.) The Facial Recognition Measures translate principles from the Civil Code and PIPL into specific obligations, including informed consent, dedicated storage, and personal information protection impact assessments. Where non-facial recognition alternatives exist, facial recognition must not be the sole verification method.
For sensitive personal information, TC260 issued Data Security Technology - Security Requirements for Processing Sensitive Personal Information, detailing general security requirements and adding stricter rules for categories such as biometrics, religious beliefs, and financial accounts. (Click here to read our article on the national standard of the Sensitive Personal Information.) For the specific scenario of facial recognition payments, TC260 released Cybersecurity Standard Practice Guide - Personal Information Security Protection Requirements in Facial Recognition Payment Scenarios, clarifying security obligations for service providers, verification providers, venue managers, and equipment operators.
To implement Article 15 of the Facial Recognition Measures, the CAC issued an announcement requiring controllers whose stored facial information processed via facial recognition reaches 100,000 or more individuals to file with the provincial-level CAC within 30 working days from the date this threshold is reached. For those who had already reached this threshold prior to 1 June 2025, filings must be completed by 14 July 2025. Furthermore, in the event of any material changes to the filed information, the controller must complete amendment procedures within 30 working days after the change occurs. In response, local cyberspace administrations across the country have actively issued their own notices to initiate the filing process for facial recognition technology applications (“Apps”).
3) Personal Information Identification, De-identification and Anonymisation The TC260 solicited public opinions on three cybersecurity standard practice guidelines, namely the Cybersecurity Standards Practice Guide—Personal Information Protection: Personal Information Identification Guide (Draft for Comments), the Cybersecurity Standards Practice Guide—Personal Information Protection: Personal Information De-identification Guide (Draft for Comments), and the Cybersecurity Standards Practice Guide—Personal Information Protection: Personal Information Anonymisation Guide (Draft for Comments), aiming to provide standardised practice guidance around cybersecurity laws, regulations, policies, standards, cybersecurity hotspots, and events.
· Cybersecurity Standards Practice Guide—Personal Information Protection: Personal Information Identification Guide (Draft for Comments) clarifies four major elements (“various information,” “related,” “identified or identifiable,” and “natural person”). Among them, “various information” covers various records or descriptions about individuals; when any one of the “content,” “purpose,” or “result” of a certain piece of information involves a specific individual, it is recognised that this information is “related” to the specific individual; when a natural person can be distinguished from all other members in a group or has the possibility of being so, it satisfies “identified or identifiable.”
· Cybersecurity Standards Practice Guide—Personal Information Protection: Personal Information De-identification Guide (Draft for Comments) clarifies two core de-identification technical paths: simple de-identification based on desensitisation technology (“desensitisation”) and complex de-identification based on pseudonym replacement technology (“pseudonymisation”), providing the implementation framework, process steps, security assurance measures for pseudonymisation, as well as examples of desensitisation for common types of personal information.
· Cybersecurity Standards Practice Guide—Personal Information Protection: Personal Information Anonymisation Guide (Draft for Comments) clarifies the judgment rules, implementation methods, applicable scenarios, and related technologies for anonymisation of personal information, requiring effective anonymisation processing of personal information to simultaneously satisfy “non-singling out, non-linkable, non-inferable.”
4) Refinement of PIPL Provisions Across Multiple Sectors
In 2025, sectors including consumption, healthcare, technology, and internet issued detailed requirements on personal information protection obligations.
· Consumption sector: TC260 issued Cybersecurity Standard Practice Guide - Requirements for Personal Information Protection in Scan-to-Order Services, limiting collection to necessary order, payment, and platform user ID information and prohibiting forced collection of phone numbers, location data, or mandatory following of official accounts. Merchants must disclose rules and obtain active consent on first use and establish a complaint mechanism with responses within 15 working days. The Hainan CAC and other departments released Compliance Guidelines for Shopping Malls and Supermarkets in Hainan Province, providing clear guidance to all shopping malls and supermarkets within Hainan on the lawful handling of personal information during their business operations, thereby enhancing their compliance standards regarding personal information protection.
· Public security sector: The State Council issued the Regulation on the Administration of Public Security Video Image Information Systems, specifying storage periods and security requirements. This aim to standardise the deployment and use of public security video and image information systems and to enhance both public safety and the protection of personal privacy. The MPS issued supporting supervision provisions—the Provisions on the Supervision and Administration of Public Security Video and Image Information Systems—which aim to implement the relevant provisions of the Regulation on the Administration of Public Security Video Image Information Systems and to standardise the supervision and administration by public security organs over the construction and operation of such information systems.
· Healthcare sector: The National Health Commission issued a notice on Further Strengthening the Use and Management of Electronic Medical Record Information by Medical Institutions. This clarifies that medical institutions bear primary responsibility for Electronic Medical Record information management. They must grant staff access rights and time limits based on the “minimum necessary” principle and incorporate compliance with these usage standards not performance evaluations. Medical institutions are also required to establish an information security protection system for electronic medical records to safeguard data security. The notice stipulates that relevant authorities will hold accountable—according to law—any violations, including unauthorised operations or data breaches, thereby regulating how medical institutions and healthcare professionals use patients’ medical information.
· Technology and internet sectors: To implement requirements under laws such as the PIPL, the CSL, and the Anti-Telecommunication and Online Fraud Law, and to reduce phone number leakage while curbing telecom fraud and nuisance calls, the Ministry of Industry and Information Technology (“MIIT”) launched pilots of Carrying out the Pilot Program of the Number Protection Service Business. The CAC and MPS solicited comments on draft Provisions on Personal Information Protection for Large Network Platforms, which proposes heightened governance obligations for major online platforms—including appointing a PIPO and conducting compliance audits—to regulate their personal information processing activities, safeguard individuals’ legitimate rights regarding personal information, and promote the healthy development of the platform economy. Furthermore, six departments jointly issued Measures for the Administration of National Network Identity Authentication Public Services. This initiative establishes a national online identity authentication public service platform based on official identity document information, promoting non-plaintext identity verification through “online IDs” and “online certificates.” This approach aims to minimise centralised collection of plaintext identity information and enhance the security of citizens’ identity data.
These measures have driven personal information protection from principle-based norms toward refined, scenario-based governance. This transition not only further clarifies the boundaries of responsibilities among different stakeholders in personal information processing but also effectively balances the relationship among public security, commercial operations, and individual privacy protection, thereby providing a more systematic and stable institutional foundation for safeguarding personal information rights and promoting the healthy development of the digital economy.
II. Enforcement Developments
In 2025, personal information protection special actions continued under CAC leadership, forming a regularised multi-departmental enforcement mechanism with MIIT, public security departments, and the Administrations for Market Regulation. Focus was placed on substantive compliance in personal information processing by Apps and platform enterprises.
In 2025, China continued to strengthen enforcement in the area of personal information protection, ensuring that enterprises effectively complied with and implemented relevant legal requirements, including those stipulated in the PIPL. A wide range of enforcement authorities actively participated in these enforcement actions. Moreover, many regions conducted prolonged special actions combining online and offline supervision, targeting six high-incidence issues: Apps/mini-programs, SDKs, smart terminals, facial recognition in public places, offline consumption scenarios, and related crimes. Authorities explicitly adopted stricter measures against entities that failed to rectify violations adequately or exhibited serious compliance issues. Overall, personal information protection enforcement in 2025 maintained the trend of routine, normalised oversight seen in previous years while further deepening enforcement efforts in key priority areas.
Apps, Mini-Programs, and Smart Terminals | |
Regulators | CAC (and its local branches), MIIT (and its local branches), and local public security departments. |
Enforcement Overview and Key Focus | In March 2025, the CAC, MIIT, MPS, and State Administration for Market Regulation jointly launched the Notice on 2025 Personal Information Protection Series of Special Actions. Nearly 4,000 Apps, mini-programs, and SDKs were notified nationwide and locally, covering state-owned and foreign enterprises. Some non-compliant Apps were removed, reflecting tightening regulation. · Scope: Apps (including mobile Apps, mini-programs, in-vehicle Apps, WeChat official accounts), smart devices, and offline scenarios. · Main violations: Illegal or excessive collection/use of personal information, forced targeted pushing, excessive permission requests, etc. |
Penalties | · Interview relevant Apps, mini-programmes, and etc. · Regularly notify them and set deadlines for necessary corrections. · Remove those that fail to comply or do not properly address the required corrections; and · Issue warnings and mandate rectifications for enterprises that do not meet personal information security protection obligations. |
Local personal information protection special governance actions | |
Regulators | Local CACs |
Enforcement Overview and Key Focus | In 2025, local CACs launched specialised enforcement campaigns to protect personal information, targeting prominent issues involving violations of personal information rights—particularly in common consumer sectors. A major focus was the regulation of mobile Apps and mini-programs. Furthermore, during enforcement actions, local CACs also conducted on-site inspections, requiring relevant enterprises to fulfil their responsibilities for safeguarding personal information security. Below are examples of such specialised enforcement campaigns carried out in selected regions in 2025: · Beijing: A special rectification campaign targeting the “mandatory facial recognition” practices in public spaces, focusing on the use of facial recognition technologies in public venues and offline consumption scenarios. The initiative covers sectors including transportation, accommodation and tourism, education and training, culture and sports, logistics, and commerce. It follows a closed-loop workflow consisting of three phases: self-inspection and preliminary assessment, departmental supervision and inspection, and spot checks by cyberspace authorities. In addition, Beijing has also initiated a targeted enforcement action on data security and personal information protection in areas affecting people’s daily livelihoods. This includes mobile Apps such as those for smart parking, online food ordering, fitness and exercise, hotel bookings, telemedicine, children's tutoring, real estate agencies, portable charger rentals, lifestyle services, movie ticketing, and online fuel purchases. The campaign covers more than 50,000 business entities, with 197 apps randomly selected for remote technical testing. A total of 388 privacy and compliance issues were identified—including failure to disclose data collection rules, collecting data without user consent, and lack of data anonymisation—and corrective actions have been mandated. · Shanghai: “Bright Sword Pujiang · 2025” action focusing on consumption, platform services, and minors’ personal information protection. It specifically targets eight enforcement priorities aimed at preventing the resurgence of problematic practices in the consumer sector, including excessive collection of personal information, compulsory requests for personal information, inducement-based acquisition of personal information, unauthorised or improper use of personal information, lack of functionality for users to delete their personal information or deactivate their accounts, imposition of unreasonable conditions for deleting personal information, collection of children’s personal information without obtaining parental consent, compulsory or excessive collection of children’s personal information. · Hunan: “Bright Sword Huxiang” action targeting education and training, healthcare, financial services, and real estate/property management. The campaign specifically targets five types of illegal or non-compliant practices involving the collection and use of personal information: unauthorised collection of facial recognition data, excessive scope of data collection, improper methods of data acquisition, inadequate protective measures, and unlawful use of personal information. |
Penalties | Notifications and rectification orders for Apps/mini-programs; warnings and rectification orders in offline actions; interviews and compliance training for violating enterprises. |
Typical cases of personal information protection | |
Regulators | The People’s Court, People’s Procuratorate, and the MPS |
Enforcement Overview and Key Focus | · The Supreme People’s Court released typical cases on infringement of personality rights via network and information technology, clarifying that acts such as AI dubbing, face-swapping, trading facial data, remote camera control, account “doxxing” to incite online violence may all constitute civil or criminal infringements, for which violators must bear corresponding legal liability. · The Supreme People’s Procuratorate highlighted “three new” trends in crimes infringing citizens’ personal information: grey/black market-driven acquisition, more intelligent concealment techniques, and “doxxing” fuelling online violence escalation. The procuratorate emphasized its commitment to strengthening enforcement against such illegal activities, rigorously investigating sources of personal data breaches, and safeguarding citizens’ information rights. · The MPS published cases of crimes across multiple sectors, including education and training institutions, courier services, job recruitment platforms, and medical insurance agencies—exposing widespread unlawful practices related to the illicit collection and profit-driven misuse of personal data. |
Penalties | These cases led to remedies such as cessation of infringement, public apologies, compensation for damages, warnings, fines, imposition of fix-term imprisonment, etc. |
III. Outlook for 2026
The new laws and regulations issued in 2025 elaborate on the principle-based requirements of the PIPL. In 2026, we expect Chinese personal information protection to feature rule stability, strengthened implementation, and deepened governance. With the institutional framework largely complete, regulatory focus will shift from legislation to enforcement effectiveness, responsibility fulfilment, and governance capability evaluation.
For enterprises, compliance will require systematic organisational, technical, and process improvements for sustainable, long-term data governance and trust-building. In line with the legislative and enforcement trends of 2025, we anticipate the following developments in 2026:
· Personal information protection compliance audits moving toward regularisation and accountability: Audits will transition from initial setup to routine implementation and substantive accountability. Focus will shift to utilisation of audit results and handling of non-compliance, formalistic audits, or inadequate rectification. The PIPO system, professional institution qualifications, and industry self-discipline are expected to be further refined. Compliance audits will no longer be one-off compliance exercises but will instead become a core component of corporate data governance frameworks, gradually forming a closed-loop system integrated with risk assessment, internal controls, and accountability mechanisms.
· Strong enforcement and scenario-based refinement in facial recognition management: With the implementation of the Facial Recognition Measures, facial recognition regulation in 2026 is expected to exhibit a parallel trend of robust enforcement oversight and refined, scenario-specific standardisation. On one hand, the facial recognition filing system will serve as a key lever for regulatory authorities to gain a comprehensive grasp of technology Apps and implement classified supervision; cases of non-filing, use beyond authorised scope, or insufficient alternative technologies may face more explicit enforcement consequences. On the other hand, standards and guidelines tailored to specific scenarios such as payments, access control, and public services will continue to be refined, effectively embedding principles such as “minimum necessity” into product design and business workflows.
· Formal implementation of standards on identification, de-identification, and anonymisation: The draft guidelines around personal information identification, de-identification and anonymisation are expected to take effect, providing substantive guidance. Boundaries, technical feasibility, and responsibility allocation will become clearer, shifting personal information protection from legal interpretation toward a balanced technical and management compliance challenge.
· Normalisation of personal information protection enforcement: Multi-departmental (CAC, MIIT, public security departments, etc.) regularised enforcement will continue and expand, covering sinking markets to medium-sized enterprises in multi-dimensional supervision.
For more information please contact:
James Gong |
| Yiting Wang |
| Olive Chang |
|
| |||
+86 10 5933 5699 |
| +86 10 5933 5542 |
| +86 10 5933 5509 |
* With thanks to Jingyu Zhang (Intern) and Lin Wu (Intern) for their contribution to this article.
Follow us on social media:
