CHINA Trends and Developments Contributed by: Huihui Li, James Hu, Yingjie Kang, Sherry Xu, Bivio Yu and Lisa Zhao, Fangda Partners
Data breach and other cybersecurity incidents The CAC has published the Measures for the Admin - istration of the Reporting of Cybersecurity Incidents, which provide detailed rules on the mechanism of cybersecurity incident reporting under the CSL and took effect on 1 November 2025. According to these measures, data breaches involving the personal data of one million individuals or more shall be notified to competent authorities within four hours upon discov - ery. In September 2025, a multinational luxury company was penalised by the CAC and public security depart - ment due to its data breach that involved the per - sonal information of Chinese consumers. In practice, data breaches or other cybersecurity incidents can trigger regulators’ scrutiny and inspection of compa - nies’ overall compliance with relevant data protection laws, and companies (especially those which possess large amounts of personal information or even impor - tant data) should therefore attach importance to data security matters. AI compliance To implement the primary regulatory rules concerning generative AI – ie, Administrative Measures for Gen - erative AI Services, the Administrative Measures for Deep Synthesis of Internet-Based Information Ser - vices, and the Administrative Measures for Algorithm- generated Recommendations for Internet Information Services, CAC further promulgated the Measures on the Labelling of AI Generated and Synthesised Con - tent, detailing labelling requirements on content gen - erated by AI during generative AI service provision to the public within China. CAC has increased its enforcement of AI regulations since 2025. Based on the statistics publicly avail - able, as of 10 September 2025, CAC disclosed 538 recorded generative-AI services and 263 registered applications – indicating a substantial scale-up from prior years. In April 2025, CAC launched a three-month action plan titled “Clear and Bright Crackdown on AI Tech - nology Abuse”, which is being implemented in two phases. This law enforcement campaign suggests that broad-sweeping and proactive enforcement
tion” initiated by OECD as well as those promoted by the United Nations, by proactively participat - ing in technical discussions, addressing China’s position, and taking a leading role in international tax reform in the face of economic transition and transformation. Trends in Data Protection On 1 January 2025, the Regulations on Network Data Security Management (RNDSM), which provide detailed operational guidelines for the implementation of the Cyber Security Law (CSL), the Personal Infor - mation Protection Law (PIPL) and the Data Security Law (DSL), came into effect. The Cyberspace Admin - istration of China (CAC), which is China’s primary regulator for data protection, as well as other regula - tors in China continued publishing implementing rules and standards on specific issues such as personal information protection compliance audits, data breach notifications and generative AI compliance, as well as carrying out influential law enforcement campaigns. Personal information protection The Administrative Measures on Personal Information Protection Compliance Audit came into effect on 1 May 2025. According to these measures, companies processing personal information of over ten million people shall undergo a compliance audit every two years. If CAC finds that personal information process - ing activities have relatively high risks or there are any personal information security incidents, it may require the companies concerned to: • entrust a third-party audit agency upon CAC’s approval to carry out compliance audits within a prescribed time limit; and • submit the audit report to CAC. The compliance audits will become an important regulatory tool in personal information protection in the coming years. In addition, the CAC has published the Measures on Certification on Cross-Border Transfer of Personal Data which will be effective from 1 January 2026 and which have completed the last piece in the puzzle of China’s cross-border data transfer regulatory tools.
153 CHAMBERS.COM
Powered by FlippingBook