Reed Smith In-depth

Key takeaways

  • In 2025, China remains active in promulgating new regulations and rules to strengthen data and privacy protection
  • Cross-border data transfer has been further relaxed in multiple free trade zones in China
  • Industrial regulators are exploring new mechanisms to help business entities identify important data and address regulatory uncertainty
  • App and AI compliance are enforcement priorities of Chinese regulators in 2025

Introduction

China has continued to optimise its data and privacy regulatory framework in the first eight months of 2025 through the introduction of new laws, regulations and guidelines. Notably, personal data protection has been strengthened through the implementation of compliance audits. At the same time, both national and regional regulators are exploring special mechanisms to facilitate cross-border data transfer. While important data remains challenging for many business entities, sector-specific regulators are making efforts to flesh out the important data catalogue by implementing industry guidelines and rules.

This article summarises major legislative and enforcement updates in China’s data and privacy space in the first eight months of 2025.

1. PI compliance audit

The Administrative Measures for Personal Information Protection Compliance Audits (Audit Measures) were promulgated by the Cyberspace Administration of China (CAC) on 12 February 2025 and became effective on 1 May 2025.

The obligations to conduct personal information (PI) compliance audits were initially established in the PRC Personal Information Protection Law and further reinforced in the Network Data Security Administrative Regulations. All data controllers are obliged to conduct PI compliance audits. Companies processing PI of more than 10 million individuals must conduct PI compliance audits at least once every two years, while others can determine their own audit frequency.

Companies may perform audits internally or by engaging external service providers. However, in high-risk scenarios or on the occurrence of significant data breach incidents, regulators have the authority to mandate external audits. In such cases, companies must submit the audit report to the relevant regulator.

The Audit Measures are accompanied by a PI Compliance Audit Guideline, outlining the key areas for compliance audits, including the legal basis for PI collection, privacy policies, and consent; the collection of sensitive PI; automated decision-making; data sharing in M&A and restructuring transactions; third-party data processing; individual rights; data breach response protocols; and organisational and technical measures.

The Audit Measures also require that personal data controllers processing the personal data of more than one million individuals designate a Data Protection Officer (DPO). According to an official notice issued by the CAC in July, qualifying data controllers must complete a mandatory filing of DPO information within a strict deadline. Please see our client briefing for more details on DPO filing.