Data Protection Highlights
CAC Seeks Comments on Measures for Certification of Personal Information Protection for Outbound Transfer of Personal Information (Draft for Comments): To facilitate the safe and efficient cross-border flow of personal data, the Cyberspace Administration of China (“CAC”) has drafted the Measures for Certification of Personal Information Protection for Outbound Transfer of Personal Information (Draft for Comments) and opened it for public comment.
302 Generative AI Services Complete Registration with the CAC: As of December 31, 2024, a total of 302 generative AI services had completed registration with the CAC, with 238 services registered in 2024 alone. Additionally, 105 generative AI applications or functions that directly use registered models via APIs or other means have been registered with local cyberspace administrations.
CAC Completes 285 Security Assessments on Cross-border Data Transfer with over 90% of them Passing: On December 31, 2024, the NDA held a special press conference on Promoting the High-quality Development of the Data Industry and Facilitating the Development and Utilization of Enterprise Data Resources. Wang Qi, Deputy Director of the Network Data Administration of the CAC, disclosed at the meeting that as of December 2024, the CAC had completed 285 security assessments on cross-border data transfer (“security assessments”) and 1,071 filings of standard contracts for the cross-border transfer of personal information. Among the security assessment projects, 27 did not pass the assessment, accounting for less than 10% of the total. The main reason for failing the assessment was that data handlers did not obtain the consent of personal information subjects as required by law. After the implementation of the Regulations on Promoting and Regulating Cross Border Data Flows, the number of security assessment projects decreased by approximately 60% year-on-year, and the number of filings of standard contracts for the cross-border transfer of personal information decreased by approximately 50% year-on-year. In addition, the CAC launched an online filing system. The average time from online filing to receipt of the assessment results by enterprises is less than 30 working days, which is significantly shorter than the 45 working days stipulated in the Measures for Security Assessment on Cross-border Data Transfer.
Data Protection
Legislation
PBC Seeks Comments on Measures for Reporting Cybersecurity Incidents in the Operational Areas of the People's Bank of China (Draft for Comments)
SAC/TC260 Seeks Comments on Guidelines for Personal Rights Protection in Shake-to-Open Ads (Draft for Comment)
NDRC and NDA Issue Implementation Guidelines for the Authorized Operation of Public Data Resources (for Trial Implementation)
MCA Issues Measures for Protecting Personal Information of Children in Difficult Situations
Hainan Province Issues Personal Information Protection Compliance Guidelines for the Retail Sector, Covering Store Apps and Mini-Programs
CAC Seeks Comments on Measures for Certification of Personal Information Protection for Outbound Transfer of Personal Information (Draft for Comment)
NDRC, NDA, and MIIT Issue Guidelines for National Data Infrastructure Construction
Authorities
NDA Responds to Questions Regarding Implementation Plan for Improving Data Flow Security Governance and Promoting the Marketization of Data Elements
MIIT Issues Special Notice on IDC Data Security Protection
NDRC, NDA, and Other Departments Release the Implementation Opinions on Promoting the High-Quality Development of the Data Annotation Industry
302 Generative AI Services Complete Registration with CAC
CAC Completes 285 Security Assessments on Cross-border Data Transfer with over 90% Passing
Enforcement Cases
Illegally Obtaining Citizens' Personal Information, 8 MCN Agencies Punished
A Company in Ningbo Penalized by Cyberspace Administration for Repeatedly Having Surveillance Video Data Obtained by Overseas Forces
Two Zhengzhou Companies Fined by Cyberspace Administration for Illegal Misappropriation and Tampering of Domain Names
Three Zhengzhou-based Companies Summoned for Talks by Cyberspace Administration for Cybersecurity Incidents and Failure to Fulfill Cybersecurity Obligations
Courts Litigation
Nearly 1,000 Prosecuted Nationwide in 2024 for Crimes Infringing on Enterprises' Data Security
Eight People Convicted of Infringing on Citizens' Personal Information for Illegally Obtaining Personal Data in Online Shopping Orders
Data Protection
Legislation
PBC Seeks Comments on Measures for Reporting Cybersecurity Incidents in the Operational Areas of the People's Bank of China (Draft for Comments)
On January 24, 2025, to further standardize the reporting and management of cybersecurity incidents in the operational areas of the People’s Bank of China (“PBC”), the PBC released the Measures for Reporting Cybersecurity Incidents in the Operational Areas of the People's Bank of China (Draft for Comments) for public feedback. The deadline for comments is February 24, 2025. [1]
SAC/TC260 Seeks Comments on Guidelines for Personal Rights Protection in Shake-to-Open Ads (Draft for Comment)
On January 23, to regulate the display and triggering of shake-to-open ads in mobile apps and third-party SDKs, and to protect users' personal rights, the Secretariat of the National Technical Committee 260 on Cybersecurity of Standardization Administration (“SAC/TC260”) prepared the Guidelines for Personal Rights Protection in Shake-to-Open Ads (Draft for Comment) and opened it for public comment. [2]
NDRC and NDA Issue Implementation Guidelines for the Authorized Operation of Public Data Resources (for Trial Implementation)
On January 16, to implement the Opinions of the General Office of the CPC Central Committee and the State Council on Accelerating the Development and Utilization of Public Data Resources, strengthen the infrastructure for data management, and regulate the authorized operation of public data resources, the NDRC and the National Data Administration (“NDA”) have released the Implementation Guidelines for the Authorized Operation of Public Data Resources (for Trial Implementation). [3]
MCA Issues Measures for Protecting Personal Information of Children in Difficult Situations
Recently, to legally carry out the work of protecting the personal information of children in difficult circumstances, address issues such as weak awareness of information protection, insufficient professionalism, and lack of standardization among various localities and departments, and reduce the occurrence of incidents of accidental or intentional disclosure of the personal information of children in difficult situations, the Ministry of Civil Affairs (“MCA”) and other departments have jointly issued the Measures for Protecting the Personal Information of Children in Difficult Situations.[4]
Hainan Province Issues Personal Information Protection Compliance Guidelines for the Retail Sector, Covering Store Apps and Mini-Programs
On January 9, Hainan Province issued the Personal Information Protection Compliance Guidelines for the Retail Sector, which aims to enhance personal information protection in the province's retail sector and improve the compliance levels of businesses. The guidelines apply to all malls, supermarkets, and similar entities within the administrative region of Hainan.[5]
CAC Seeks Comments on Measures for Certification of Personal Information Protection for Outbound Transfer of Personal Information (Draft for Comment)
On January 3, to facilitate the safe and efficient cross-border flow of personal data, the Cyberspace Administration of China (“CAC”) released the draft Measures for Certification of Personal Information Protection for Outbound Transfer of Personal Information (Draft for Comment) and opened it for public comment. [6]
NDRC, NDA, and MIIT Issue Guidelines for National Data Infrastructure Construction
On January 3, to implement the strategic directives of the 20th Party Congress on building and operating national data infrastructure and promoting data sharing, the NDRC, NDA, and Ministry of Industry and Information Technology (“MIIT”) have jointly released the Guidelines for National Data Infrastructure Construction.[7]
Authorities
NDA Responds to Questions Regarding Implementation Plan for Improving Data Flow Security Governance and Promoting the Marketization of Data Elements
Recently, the NDRC, NDA, CAC, MIIT, Ministry of Public Security, SAMR, and other departments jointly released the Implementation Plan for Improving Data Flow Security Governance and Promoting the Marketization of Data Elements. Officials from the NDA addressed questions related to this plan.[8]
MIIT Issues Special Notice on IDC Data Security Protection
The MIIT issued a notice on strengthening the security protection of customer data in Internet Data Centers (IDC). As a crucial part of the new information infrastructure, IDC supports massive amounts of customer data and is vital to the national economy. The notice requires that IDC operators enhance their customer data security capabilities in accordance with relevant laws and regulations.[9]
NDRC, NDA, and Other Departments Release the Implementation Opinions on Promoting the High-Quality Development of the Data Annotation Industry
The Implementation Opinions propose that by 2027, the data annotation industry will see significant improvements in professionalization, intelligence, and technological innovation. The industry's scale will grow substantially, with an annual compound growth rate exceeding 20%. Key objectives include fostering influential tech-focused data annotation companies and building a robust data annotation industry ecosystem. [10]
302 Generative AI Services Complete Registration with CAC
As of December 31, 2024, a total of 302 generative AI services had completed registration with the CAC, with 238 services registered in 2024 alone. Additionally, 105 generative AI applications or functions that directly use registered models via APIs or other means have been registered with local cyberspace administrations. [11]
CAC Completes 285 Security Assessments on Cross-border Data Transfer with over 90% Passing
On December 31, 2024, the NDA held a special press conference on Promoting the High-quality Development of the Data Industry and Facilitating the Development and Utilization of Enterprise Data Resources. Wang Qi, Deputy Director of the Network Data Administration of the CAC, disclosed at the meeting that as of December 2024, the CAC had completed 285 security assessments on outbound data transfer (“security assessments”) and 1,071 filings of standard contracts for the cross-border transfer of personal information. Among the security assessment projects, 27 did not pass the assessment, accounting for less than 10% of the total. The main reason for failing the assessment was that data processors did not obtain the consent of personal information subjects as required by law. After the implementation of the Regulations on Promoting and Regulating Cross Border Data Flows, the number of security assessment projects decreased by approximately 60% year-on-year, and the number of filings of standard contracts for the cross-border transfer of personal information decreased by approximately 50% year-on-year. In addition, the CAC launched an online filing system. The average time from online filing to receipt of the assessment results by enterprises is less than 30 working days, which is significantly shorter than the 45 working days stipulated in the Measures for Security Assessment on Cross-border Data Transfer.[12]
Enforcement Cases
Illegally Obtaining Citizens' Personal Information, 8 MCN Agencies Punished
While investigating the data in a case of infringement of citizens' personal information and analyzing the suspects' daily activities, police officers from the Cyber Security Department of the Public Security Bureau in Xinfeng, Ganzhou, Jiangxi Province, found that the heads of eight MCN agencies in the jurisdiction used a similar method to log in to a certain piece of software in batches. They purchased real-name-authenticated online accounts over the Internet and reposted articles taken from other online platforms on a certain online platform to obtain online traffic for profit. The public security organs immediately launched an investigation and lawfully summoned the heads of these eight MCN agencies to the public security bureau for questioning. The heads of the above-mentioned agencies confessed to their companies' illegal acts. At present, all relevant suspects have been held legally responsible. [13]
A Company in Ningbo Penalized by Cyberspace Administration for Repeatedly Having Surveillance Video Data Obtained by Overseas Forces
Based on the clues transferred by the CAC, under the full process guidance of the Cyberspace Administration of Ningbo, the Cyberspace Administration of Yinzhou District, Ningbo City, has lawfully filed an investigation into the failure of a technology company in Ningbo to fulfill its data security protection obligations. It has been ascertained that the party involved contracted the business information system of a certain chemical enterprise but failed to fulfill its data security protection obligations. As a result, the network assets (network cameras) used by it to store the surveillance video data of major hazard sources on the safety intelligent control platform in the chemical plant area were repeatedly exploited by overseas forces from the United States, South Korea, Singapore, etc. through weak password vulnerabilities to obtain surveillance video data, which violates Article 27 of the Data Security Law. In accordance with laws and regulations such as the Data Security Law and the Administrative Punishment Law, the Cyberspace Administration of Yinzhou District has ordered the technology company in Ningbo to make corrections, issued a warning, and imposed an administrative penalty of a fine of 50,000 yuan. An administrative penalty of a fine of 10,000 yuan has been imposed on the directly responsible person in charge.[14]
Two Zhengzhou Companies Fined by Cyberspace Administration for Illegal Misappropriation and Tampering of Domain Names
Recently, the Cyberspace Administration of Zhengzhou discovered that two local companies failed to fulfill their network security protection obligations, leading to the illegal misappropriation and tampering of their domain names. In accordance with the Cybersecurity Law, the Cyberspace Administration of Zhengzhou has separately ordered the two companies to rectify the situation and issued administrative penalties in the form of warnings.[15]
Three Zhengzhou-based Companies Summoned for Talks by Cyberspace Administration for Cybersecurity Incidents and Failure to Fulfill Cybersecurity Obligations
Recently, in accordance with laws and regulations such as the Cybersecurity Law, the Data Security Law, and the Regulations on Cybersecurity of Henan Province, the Cyberspace Administration of Zhengzhou lawfully summoned three companies for talks. These companies failed to fulfill their cybersecurity protection obligations and experienced cybersecurity incidents. [16]
Courts Litigation
Nearly 1,000 Prosecuted Nationwide in 2024 for Crimes Infringing on Enterprises' Data Security
In recent years, cases of lawbreakers infringing on the data security of enterprises have occurred occasionally, harming the legitimate rights and interests of enterprises and affecting their innovative development. In 2024, procuratorial organs across the country prosecuted nearly 1,000 people for various crimes that infringed on the data security of enterprises. By using typical cases, procuratorial organs guided enterprises to enhance data security, internal risk control, and other aspects of work, effectively safeguarding the legitimate rights and interests of enterprises and facilitating their innovative development.[17]
Eight People Convicted of Infringing on Citizens' Personal Information for Illegally Obtaining Personal Data in Online Shopping Orders
So-called "order decryption" refers to obtaining the accounts of insiders through illegal channels, logging into the back-end systems of express delivery companies, and querying and obtaining consumers' complete information, thus facilitating targeted marketing by merchants. Over nearly a year, eight people, including Yu, engaged in "order decryption" through the technology company they operated, infringing on more than 4 million pieces of citizens' personal information. Recently, the court sentenced the eight people, including Yu, to fixed-term imprisonment ranging from three years to six months for the crime of infringing on citizens' personal information, and also imposed fines on each of them. [18]
[1] http://www.pbc.gov.cn/tiaofasi/144941/144979/3941920/5576137/index.html
[2] https://www.tc260.org.cn/front/postDetail.html?id=20250122145342
[3] https://www.nda.gov.cn/sjj/zwgk/zcfb/0120/20250120171914419632974_pc.html
[4] https://www.gov.cn/zhengce/zhengceku/202501/content_7000927.htm
[5] http://www.hkwb.net/news/content/2025-01/10/content_4312159.htm
[6] https://www.cac.gov.cn/2025-01/03/c_1737600915141373.htm
[7] https://www.ndrc.gov.cn/xwdt/tzgg/202501/t20250106_1395457_ext.html
[8] https://mp.weixin.qq.com/s/kfXabt9HUqB4GMK5TJ7oYQ
[9] https://www.miit.gov.cn/zwgk/zcwj/wjfb/tz/art/2025/art_1bbf7c744c994183abb3ad6148658960.html
[10] https://www.nda.gov.cn/sjj/zwgk/zcfb/0113/20250113101518513076594_pc.html
[11] https://mp.weixin.qq.com/s/gOnPIuexMgB4UcUisvJLuQ
[12] https://baijiahao.baidu.com/s?id=1819955579806660895
[13] https://baijiahao.baidu.com/s?id=1822185798662030577
[14] http://ningbo.zjjubao.com/a/html/80100235
[15] https://mp.weixin.qq.com/s/inZ6Nh6nT2BAZQJe63ZlPw
[16] https://mp.weixin.qq.com/s/dfNVYHHvzfewzRPy2RWSFg
[17] https://news.cctv.com/2025/01/24/ARTIPcPxZCNGRFELpKCcg8nB250124.shtml
[18] https://newspaper.jcrb.com/2024/20241224/20241224_004/20241224_004_3.htm
About the Lawyer
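Jianmin Dai (戴健民)
Partner, Dacheng (大成) Shanghai
jianmin.dai@dentons.cn
Dai is among the first lawyers to have practiced in data and privacy protection and cybersecurity in China, and has provided legal services in this field to numerous multinational companies and large enterprises since 2012. To date, Dai has advised nearly one hundred enterprises operating in China on matters covering every stage of the data life cycle, across industries including pharmaceuticals and life sciences, automotive (including parts and autonomous driving), chemicals, advertising and media, fashion and luxury goods, big data and the Internet, and logistics and supply chain. Dai's honors include: Client's Choice Lawyer of the Year in the 2024 list "Outstanding Lawyers and Law Firms Recommended by General Counsel of Well-known Chinese Enterprises", launched by 名律堂 together with 法佬汇; 2024 律新社 Brand Star in Data Compliance: Leading Lawyer; 2024 Asian Legal Business (ALB China) Top 15 Cybersecurity and Data Protection Lawyers; and 2024 LEGALBAND China Top Lawyers Ranking: Recommended Lawyer for Cybersecurity and Data Compliance, among many others.
Zhisong Deng (邓志松)
Partner, Dacheng (大成) Beijing
zhisong.deng@dentons.cn
Deng is one of the few lawyers with extensive experience in the emerging field of data protection in China, and has provided highly regarded legal advice to many domestic and foreign clients on building compliance systems, designing business models, and responding to administrative investigations and civil litigation. Deng is a data compliance standards expert at the National Industrial Information Security Center (国家工信安全中心), a member of the Personal Information Protection Expert Group of the Cybersecurity Association of China (中国网络空间安全协会), and a member of the China Law Society's Cyber and Information Law Research Association (中国法学会网络与信息法学研究会). In 2021, Deng was named one of the "Top 15 Data Privacy Lawyers of 2021" by the ACE LEGALTECH AWARDS.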