Introduction
China has continued to optimise its data and privacy regulatory framework in the first eight months of 2025 by the introduction of new laws, regulations and guidelines. Notably, personal data protection has been strengthened through the implementation of a compliance audit. At the same time, both national and regional regulators are exploring special mechanisms to facilitate the cross-border data transfer. While important data remains challenging for many business entities, sector-specific regulators are making efforts to flesh out the important data catalogue by implementing industrial guidelines and rules.
This article summarises major legislative and enforcement updates in China’s data and privacy space in the first eight months of 2025.
1. PI compliance audit
The Administrative Measures for Personal Information Protection Compliance Audits (Audit Measures) were promulgated by the Cyberspace Administration of China (CAC) on 12 February 2025 and became effective on 1 May 2025.
The obligations to conduct personal information (PI) compliance audits were initially established in the PRC Personal Information Protection Law and further reinforced in the Network Data Security Administrative Regulations. All data controllers are obliged to conduct PI compliance audits. Companies processing PI of more than 10 million individuals must conduct PI compliance audits at least once every two years, while others can determine their own audit frequency.
Companies may perform audits internally or by engaging external service providers. However, in high-risk scenarios or on the occurrence of significant data breach incidents, regulators have the authority to mandate external audits. In such cases, companies must submit the audit report to the relevant regulator.
The Audit Measures are accompanied by a PI Compliance Audit Guideline, outlining the key areas for compliance audits, including the legal basis for PI collection, privacy policies, and consent; the collection of sensitive PI; automated decision-making; data sharing in M&A and restructuring transactions; third-party data processing; individual rights; data breach response protocols; and organisational and technical measures.
The Audit Measures also require that personal data controllers processing the personal data of more than one million individuals designate a Data Protection Officer (DPO). According to an official notice issued by the CAC in July, qualifying data controllers must complete a mandatory filing of DPO information within a strict deadline. Please see our client briefing for more details on DPO filing.
2. Continued relaxations for cross-border data transfer in FTZs
The Provisions on Promoting and Regulating Cross-border Data Flows promulgated on 22 March 2024 (CBDT Regulation) authorised China’s free trade zones (FTZs) to formulate and adopt local preferential policies for cross-border data transfer, offering additional flexibilities beyond the national framework.
In 2024, Shanghai, Beijing, and Tianjin FTZs issued their respective negative list/whitelist ahead of other regions. Please see our previous client alert for more information. Building on that effort, Shanghai FTZ issued a negative list of CBDT in February 2025, covering areas of reinsurance, international shipping, and commerce, such as retail, catering, and accommodation.
In the recent months of 2025, the FTZs in Hainan, Zhejiang, Guangxi, and Jiangsu have also released their CBDT negative list tailored to the local strategic industries. For example, e-commerce in Zhejiang; ocean, agriculture, and tourism sectors in Hainan; the health care industry in Jiangsu; and geographic information and cross-border e-commerce in Guangxi.
It is interesting to note that, with the encouragement of the central CAC, negative lists released by one FTZ may be referenced by companies in other FTZs. For example, a reinsurance company registered in the Guangxi FTZ can refer to the CBDT list released by the Shanghai FTZ when transferring reinsurance data abroad, in order to leverage the preferential policies available in other FTZs. This interoperability between various FTZs significantly expands the exemptions and reduces compliance burdens for businesses.
3. Important data guidelines in the industrial field
The concept of “important data” was first introduced under the PRC Cybersecurity Law and later elaborated in the PRC Data Security Law. Companies processing important data must comply with stricter protection requirements, such as conducting regular risk assessments and undergoing a CAC-led security assessment for CBDTs. However, due to the lack of a clear definition, identifying important data has become a challenge for many business entities. While the laws and regulations at the national level only provide some general descriptions, regulators in certain industries are attempting to provide more practical guidance by issuing industrial guidelines and rules.
On 25 December 2024, the PRC Ministry of Industry and Information Technology (MIIT) released the Important Data Identification Guidelines in the Industrial Field, which took effect on 1 April 2025. According to these guidelines, the following would be identified as important data:
- Sensitive industry data: Data processed by companies in sensitive industries, such as steel, nonferrous metals, and petrochemicals, would fall within the scope.
- High-technology data: Data pertaining to high-tech fields are more likely to be identified as important data, such as design data of high-end medical device production, integrated circuits, electronic components, key software, and similar areas.
- Personal data: In line with the Regulations for Network Data Security Management, personal data of more than 10 million individuals or sensitive personal data of more than 100,000 individuals is classified as important data.
Some local bureaus of MIIT have launched a pilot project for the identification of important data. Key business entities in the region are requested to classify and grade their data, conduct self-evaluation, and submit a list of important data to the local MIIT. The local MIIT will review the submitted list, informing them of the final important data list.
4. Version 3 of the Security Assessment Guidelines for CBDT
There are three mechanisms to implement cross-border data transfers in China: (i) CAC-led security assessment; (ii) Chinese SCC; and (iii) certification by qualified third parties. On 27 June 2025, the CAC released the third version of the Security Assessment Guidelines for cross-border data transfers, updating previous versions issued on 31 August 2022 and 22 March 2024, respectively.
Under the CBDT Regulation, the approval of a security assessment is valid for three years and can be extended by application. However, the CBDT Regulation does not provide detailed guidance on how to extend the approval. Version 3 clarifies the conditions for extending the approved security assessment. Companies can apply for the extension if all of the following conditions are met:
- There must be no changes to the purpose of the CBDT or the scope of personal data transferred abroad;
- There must be no changes to the data exporter in China or the overseas data recipient;
- If transferring personal data, the volume transferred over the next three years must not increase by more than 20% compared to the volume approved for the previous three years;
- If transferring important data, the data size transferred over the next three years must not increase by more than 20% compared to that of the previous three years; and
- The company must have strictly followed the approved assessment when conducting the CBDT, with no major data breaches or incidents in the past three years.
5. CBDT Guidelines for Automotive Data
On 13 June 2025, the MIIT, CAC, Ministry of Transport, and other regulatory bodies jointly published the draft CBDT Guidelines for Automotive Data, seeking public comments.
Once finalised, these guidelines will apply to a broad range of stakeholders in the automotive sector, including automakers, parts and software suppliers, telecom operators, autonomous driving service providers, platform companies, dealers, maintenance service providers, and even travel agents, among others.
In addition to general exemption scenarios under the CBDT Regulation (e.g., HR management, contract performance, and similar activities), the draft introduces sector-specific exemptions. Subject to certain conditions, China’s CBDT legal mechanism can be exempted for data transfers outside China if the transfer is for purposes such as patching security vulnerabilities, handling security incidents, fixing automotive product defects, or conducting product recalls.
The draft also provides examples of important data in the automotive context, such as source codes in product development scenarios, algorithms for autonomous driving, and vehicle identification numbers in networked operations. These examples provide the much-needed clarity for businesses to identify important data.
6. Recent enforcement trends by Chinese regulators
In the first eight months of 2025, Chinese regulators have been active in launching compliance investigations and enforcement campaigns focusing on apps, AI compliance, and the filing of algorithms and large language models (LLMs).
In May, the Central CAC launched a special campaign against the misuse of AI technology. The main violations identified include the failure to file the LLM and algorithm; infringement of privacy and IP rights; failure to implement security measures; and failure to conduct security assessments. Following the Central CAC, the Shanghai CAC launched a similar campaign in June, with 15 large online platforms participating and updating their respective AI compliance mechanisms.
MIIT continues to monitor apps compliance. In April, MIIT published the first non-compliant apps list of 2025, focusing on apps related to medical health, entertainment, games, sports, and fitness. The main non-compliances include the collection of personal data beyond the scope of the privacy notice; failure to disclose the SDK information; and frequent and excessive requests for authorisation, among others. Operators of non-compliant apps have been requested to take corrective actions immediately.
Failure to comply could result in severe consequences. Chinese regulators can impose fines on both business entities and senior management, remove apps from app stores, suspend services, or even revoke business licences. Companies must take necessary compliance steps to reduce the enforcement risks.
Compliance suggestions
The continued evolution of China’s data and privacy regime presents both opportunities and challenges for business entities. Multinational companies operating in China are advised to consider the following steps to ensure compliance:
- Review personal data processing status and appropriate audit procedures. With the Audit Measures now in effect, regulators may begin enforcement later this year or early next year. Companies must develop audit plans and conduct the compliance audit promptly.
- Companies based in FTZs must monitor the local negative lists and leverage the special relaxation policies to reduce the compliance burden for cross-border data transfer.
- Entities engaged in sensitive or high-tech industries must closely monitor the guidelines and policies issued by industrial regulators, carry out data classification and grading, and take a proactive approach in identifying and managing important data.
- Continuously optimise data processing practices, update privacy documentation, and address compliance gaps in response to new regulatory and enforcement developments in China.
Our China data and privacy team has significant hands-on experience in advising on complex and high-stakes data compliance matters. Please feel free to reach out to us if you would like to discuss any aspect further.
In-depth 2025-228
