Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ ENFORCEMENT

Enforcement tracker.

Public actions by Chinese data regulators — what gets named, by which agency, against which target, citing which rules. Updated as DCC ingests each new bulletin.

24 TRACKED ACTIONS
04 MIIT
02 CAC
01 MPS
02 SAMR
  • § 01 2026-07-15 Other

    The School Is Not a Bystander: Three Model Cases on Schools' Duties in Minors' Online Protection

    Minors' online protection is usually framed as a job for parents and platforms. Three model cases — a Guangzhou Internet Court judgment on defamation in a parent–school WeChat group, a Supreme People's Procuratorate case where procuratorial recommendations pushed a school to build bullying-control systems after a privacy video spread, and a Zhejiang case where a predator used an unauthorized school-named 'confession wall' account to reach students — show Chinese courts and procuratorates deliberately pulling schools into the frame. JunHe's education team distills the school's three statutory functions: internet-literacy education (Minors Protection Law Arts. 64 and 70, Online Protection Regulations Art. 16), cyberbullying prevention and response (Minors Protection Law Art. 39; School Protection Provisions Art. 21), and internet-addiction intervention (Minors Protection Law Art. 71; Regulations Art. 40). The liability stack for schools that do nothing: administrative correction orders and sanctions under Regulations Art. 51, plus civil supplementary liability under Civil Code Art. 1201. Four recommendations follow: documented literacy and AI-content-discrimination education, a staffed-up 'rule-of-law vice principal' mechanism, a full discover–stop–report–handle bullying protocol, and compliance with device-management and anti-addiction requirements. With 196 million minor netizens at 97.3% penetration, the authors argue schools are the 'main battlefield' whether they like it or not.

  • § 02 2026-07-13 Other

    Doubao, Qwen, and NetEase Pull AI Companions Ahead of July 15 — Is Delisting to 'Stay Safe' the Right Move?

    Days before the AI Anthropomorphic Interaction Measures take effect on July 15, 2026, Doubao, Qwen, and NetEase removed agent-style companion features — and at least one AI company had already received a question list from regulators. This translated report from 竞争秩序场 (reporter Wang Jun) maps why the industry calls the rules right in direction but hard in practice: scoping ambiguity around role-play on general-purpose models and UGC agent builders, 'capability regulation' that runs through model training and operations rather than content filters, the psychology-grade judgment needed to spot excessive emotional dependence, and expert warnings that clumsy intervention or perceived surveillance of intimate chats could do its own harm. Includes proposals for public safety-capability toolkits for smaller developers.

  • § 03 2026-07-04 SAMR

    China's 2026 Draft E-Commerce Law Amendment: From Marketplace Transactions to Platform-Economy Governance

    On July 4, 2026, the State Administration for Market Regulation and the Ministry of Commerce released the Draft Amendment to the E-Commerce Law for public comment, with comments due August 4, 2026. The draft has 20 articles and, according to the official notice and Xinhua Q&A, moves in five directions: expanding the law's adjustment scope beyond platforms and in-platform operators to other platform-economy participants; strengthening the platform responsibility system with richer, more graduated regulatory tools; building an integrated supervision mechanism for cross-sector platform operations, including consistent online/offline business supervision and stronger department and central-local coordination; targeting prominent illegal conduct in e-commerce; and deepening open cooperation by aligning rules, regulation, management and standards with international practice, supporting industry self-discipline and orderly outbound expansion, and adding countermeasure tools to protect Chinese enterprises. DCC reads the amendment as an attempt to reposition the E-Commerce Law from a transaction/platform statute into a platform-economy governance statute, with operational implications for platform rulemaking, merchant and worker protection, consumer governance, data/network security clauses, competition compliance, and outbound platform expansion.

  • § 04 2026-07-02 MIIT

    MIIT Public-Naming Bulletin 2026 Batch 4 (Total Batch 57): 32 Apps and SDKs Cited for PI Violations, Excessive Permission Demands, and SDK Disclosure Failures

    On July 2, 2026, MIIT's Information & Communications Administration Bureau issued its fourth public-naming bulletin of 2026 (total Batch 57), citing 32 apps and SDKs for infringing user rights — unlawful and beyond-scope collection of personal information, forced/frequent/excessive permission demands, frequent self-starting and chained starting, uncloseable and redirect-abusing information windows, and inadequate SDK information disclosure. The batch runs under the same 2026 CAC + MIIT + MPS special campaign as the earlier CAC notification and Shanghai takedown covered in DCC's enforcement tracker, on the same rectify-or-face-disposition pathway. DCC transcribes the full 32-entry list from the bulletin's attached image table. The profile: a mobility-and-transport long tail (ride-hailing driver apps, EV charging, bus-information tools) alongside recognizable names — Neta Auto's app, PetroChina Kunlun's charging app, NetDragon's fortune-telling app, iFlyPlus — plus two WeChat mini-programs, multiple Apple App Store listings, one developer named twice, and three SDKs, one of which (闪登 SDK) drew four separate findings including the headline SDK-disclosure failure.

  • § 05 2026-07-02 Other

    When Is a Business Partner a 'Joint Handler'? A Shanghai Insurance-Policy Leak Works Through PIPL Article 20

    A consumer bought insurance through a broker, on a platform company's website, from an insurer — and later found her full policy, personal details included, retrievable by searching her own phone number. The Shanghai judgment behind case (2024)沪01民终410号 had to decide which of the three companies were 'joint handlers' of her personal information under PIPL Article 20, and therefore jointly and severally liable. Writing on 数据何规, Lu Ying and Zhang Bingbin work through the allocation: the platform operating the website was the direct handler; the broker that steered the purchase through a site it presented as its own was a joint handler; the insurer — with an independent, contract-related purpose and no role in downstream processing decisions — was not. The article distills three identification factors (common purpose and conduct; pre-agreed division of roles as joint determination; the appearance presented to the user), separates joint processing from sharing and entrusted processing, and argues that PIPL Article 20(2) is an independent claim basis: a victim can sue all joint handlers for joint and several damages directly. For any broker/platform/underwriter or comparable multi-party data chain, this is the operative test.

  • § 06 2026-06-25 MIIT

    From Naming to Takedown: Shanghai Pulls 46 Apps That Missed the Rectification Window

    On June 24, 2026 the Shanghai Communications Administration (上海市通信管理局, the MIIT's directly-administered local communications authority) issued a notification ordering the takedown of 46 apps and SDKs that, after public naming and a rectification window, still had not fixed user-rights and personal-information violations. DCC reads it as the next rung on the enforcement ladder above the CAC's 30-app naming notification: same 2026 CAC + MIIT + MPS special campaign, but the local communications-administration tier converting an unrectified naming into an operative sanction — removal from distribution, with further measures flagged (suspension of access, administrative penalty, inclusion in the telecom-business bad-record list). The legal basis is PIPL, the Cybersecurity Law, the Telecom Regulations, and the Telecom and Internet User PI Protection Provisions. The 46-app list — transcribed here from the notice's attached image — is almost entirely Shanghai-registered long-tail O2O lifestyle apps (moving, housekeeping and cleaning, pet services, local travel agencies, community group-buy food, fitness and restaurants), and several operators appear with multiple apps taken down at once. DCC's read for overseas counsel: the provincial communications administrations are where a missed rectification window becomes a removed app, and the takedown tier sweeps the small-operator long tail, not just big nationals.

  • § 07 2026-06-18 MIIT

    From Principle to Running System: How the Network Data Security Risk Assessment Measures Operationalize the Data Security Law

    On June 18, 2026 the CAC, MIIT and the Ministry of Public Security jointly issued the Measures for Network Data Security Risk Assessment as Order No. 24, effective August 20, 2026. The 25-article rule adds no new substantive duty; it turns the Data Security Law's open-ended 'conduct risk assessment' obligation into an executable, verifiable, trigger-able governance system. DCC reads it as a three-tier standing model plus an event-driven escalation layer: important-data handlers must assess every year (general-data handlers are encouraged to every three), retain the report for three years and submit it within 20 working days; sectoral competent authorities run annual inspection plans filed by end-January; the national cyberspace administration consolidates and cross-shares reports with telecom, public-security and state-security departments; and where a high-risk finding or a breach of important data or large-scale personal information appears, regulators can compel assessment by a certified institution and order the operator to cease processing important data. The four institutional increments over the DSL: an annual mandatory action, networked multi-department supervision, a three-track assessment structure, and dynamic event-triggered oversight.

  • § 08 2026-06-15 Other

    Ctrip's ¥10 Million Fine: China's First Publicly Disclosed Cross-Border Data Penalty — and the 'Necessity' Doctrine Behind Four Cases

    In June 2026 Shanghai's cyberspace authority fined Shanghai Ctrip Commerce ¥10 million for unlawfully exporting personal information without implementing data-export security-assessment requirements — the first time a Chinese cross-border data penalty amount has been made public. DCC reads the fine against the three earlier Shanghai / MPS cross-border cases compiled by HexCode in 数据何规 (a hotel company that exported fields the CAC assessment had rejected, a property company that exported accommodation and financial-account data with no approval at all, and the Dior breach case) to surface the doctrine all four share: building a CRM or central-reservation system offshore does not make the bulk transfer of customer PI to headquarters 'necessary,' so it cannot escape the security-assessment / standard-contract / certification gate or PIPL's separate-consent and individual-notification requirements. The enforcement gradient — the assessment-rejected exporter was fined while the no-approval exporter was only warned — signals that subjective culpability is weighing on penalty severity.

  • § 09 2026-06-12 CAC

    CAC Names 30 Apps and Mini-Programs for PI Violations — Nearly Half for Ineffective Account Cancellation

    On June 11, 2026 the Office of the Central Cyberspace Affairs Commission published a notification naming 30 apps and mini-programs for personal-information collection and use violations, found in testing organized under the 2026 CAC + MIIT + MPS joint special campaign. The violations fall into four categories — undisclosed PI collection rules (7 apps), frequent demands for non-essential permissions (4), incomplete SDK disclosure (5), and, the dominant category at 14 of 30, failure to provide an effective account-cancellation function. DCC reads the notification as the CAC tier of the same campaign whose MIIT testing tier we covered in the Batch 56 brief: a broader perimeter that expressly includes mini-programs, a 15-working-day rectify-and-report deadline, and a clear signal that exit rights — account cancellation and deletion — are a 2026 testing priority.

  • § 10 2026-06-08 Other

    China's First AI-Ghostwritten 'Seeding Post' Case — a Duty of Care for Generative-AI Providers

    China's first unfair-competition case over AI batch-ghostwritten 'seeding posts' (种草笔记 — the staged, first-person product-recommendation notes that drive discovery commerce on Xiaohongshu/RED). On appeal, the Hangzhou Intermediate People's Court ((2025) Zhe 01 Min Zhong No. 3998) held that the operators of an 'AI writing' tool ('AI写作鹅') that let users one-click-generate fake first-person Xiaohongshu notes — fabricating personal experiences and feelings — committed unfair competition under Article 2 (the general clause) of the Anti-Unfair Competition Law. The court built an explicit four-factor duty-of-care test for generative-AI providers (is it generative AI; does it target a specific scenario/another's product as its 'application layer'; is it directional and inducing; is it a paid, for-profit service), citing Articles 4(3), 5(1) and 22 of the Generative AI Services Interim Measures. Because the tool was named after Xiaohongshu, marketed to mass-produce on-brand 'seeding' copy, charged a membership fee, and shipped with no notice or reminder against the foreseeable misuse, the providers were at fault. The appeal court affirmed liability but cut damages from RMB 200,000 to RMB 100,000 on an 'inclusive and prudent' (包容审慎) view of AI, and reversed joint liability for the third defendant that merely hosted the download. DCC OCR'd the full judgment from the source images; this is our case brief for overseas counsel.

  • § 11 2026-06-05 Other

    China Halts Data-Asset ABS: Exchanges Pull the Handbrake on a ¥200 Billion Pipeline

    According to reporting by Caixin (财新) and 财联社 circulated on 3–5 June 2026, the Shanghai and Shenzhen stock exchanges issued window guidance bringing the entire data-asset ABS (数据资产ABS) business chain to a stop — new filings turned away, approved-but-unissued deals told to pause, even issuance-approved deals told to delay. This halts a category that exploded from roughly 11 issuances raising ~¥4.6bn in 2025 to 21 issuances and ¥15.4bn in the first five months of 2026, with a declared pipeline approaching ¥200bn. The stated trigger is mission drift: pure-data-asset deals are under 2% of the market, while local-government financing vehicles (城投/LGFV) used the loose, fast 'data-asset' label to repackage existing non-standard debt as standardised bonds — data as window-dressing, with no real data cash flow behind it. DCC reads the event, the structural reasons, the three審查 gates the exchanges are expected to harden, and what it means for anyone underwriting, rating, or investing in China data-asset financing.

  • § 12 2026-06-04 Other

    China's First 'AI Hallucination' Tort Judgment — GenAI Is a Service, Not a Product, and the Chatbot's '¥100,000 Promise' Binds No One

    The Hangzhou Internet Court has decided China's first 'AI hallucination' (AI幻觉) tort case — written into the Supreme People's Court's 2026 work report to the NPC. A user asking a chatbot about college applications was told, across seven rounds, that a non-existent campus existed; when finally shown the official website, the model 'apologised' and 'promised' to pay ¥100,000, even generating a fake lawsuit template telling him to sue. He did. The court dismissed every claim and, in doing so, laid down the first judicial articulation of China's generative-AI liability framework: (1) an AI model is not a civil subject, so its 'promise' is no declaration of intent — and is not attributable to the provider either; (2) generative AI is a service, not a product, so fault liability under Civil Code Article 1165 applies, not product liability's no-fault rule under Article 1202; (3) there is no result-based duty to guarantee accuracy for ordinary inaccurate output — only a process duty of care (conspicuous AI-content labelling plus industry-standard accuracy measures), which the provider had discharged; and (4) no proven damage, no causation. For any company deploying GenAI to the Chinese public, this is the operating liability surface and the evidentiary playbook.

  • § 13 2026-06-04 Other

    China's Hospitals Get Their Own Data Rulebook: Reading the 2026 Healthcare Data Security & PI Measures

    On 12 February 2026 five agencies — the National Health Commission, the Ministry of Public Security, the Cyberspace Administration of China, the National Administration of Traditional Chinese Medicine, and the National Disease Control and Prevention Administration — jointly issued the Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial). It is the first operational, sector-specific rulebook that turns the Data Security Law, PIPL, and the Network Data Security Regulation into concrete hospital obligations: a three-tier core/important/general data classification keyed to MLPS levels and commercial cryptography; a five-pillar full-lifecycle security system; a ten-item data prohibition list and an eight-item personal-information prohibition list; heightened protection for special groups; limits on facial recognition and AI; and a real enforcement chain running from named-person accountability through regulatory interviews, administrative penalties, civil tort liability, and criminal referral. DCC reads it for overseas pharma, medtech, and hospital-JV counsel — with the cross-border choke point and its academic-cooperation carve-out as the parts that most affect global clinical-data flows.

  • § 14 2026-05-28 SAMR

    Seven Lessons for Data Compliance Teams from the SAMR 'Ghost Takeout' Series — 3.5 Billion Yuan, 9-Month Suspensions, and the Per-Merchant Aggregation Doctrine

    In April 2026, the State Administration for Market Regulation (SAMR) imposed administrative penalties on seven major e-commerce platforms in the 'ghost takeout' series — 3.5 billion yuan in aggregate corporate fines, nearly 20 million yuan in individual fines on legal representatives and food-safety officers, and 3-to-9-month business suspensions. While the cases were ostensibly food-safety enforcement, their analytical structure — pierce-the-paper-compliance, per-merchant aggregation of penalties, identification of licensed-entity liability holders, dual penalties on individual compliance officers — translates directly to data-compliance enforcement. Adapted from a substantive practitioner analysis by 黄春林 (Huang Chunlin), this DCC brief works through seven operational lessons that DSO / PIPO / DPO and compliance counsel should apply *before* the analogous enforcement wave reaches data compliance.

  • § 15 2026-05-28 MIIT

    MIIT Public-Naming Bulletin 2026 Batch 3 (Total Batch 56): 31 Apps and SDKs Cited for PI Violations and Window-Redirect Abuse

    MIIT's Information & Communications Administration Bureau published its 2026 Batch 3 public-naming bulletin (total Batch 56) on May 21, 2026, citing 31 apps and SDKs for violations of personal-information collection rules and window-redirect abuse. DCC frames this as the first entry in our enforcement tracker — explaining the joint CAC + MIIT + MPS 2026 Special Campaign that authorizes the batches, the four-statute legal architecture invoked, the rectification-then-enforcement pathway each named entity faces, the cadence of the bulletin series (roughly monthly, 56 batches since inception), and the operational picture this gives overseas counsel of which PI-protection violations actually attract enforcement in the Chinese mobile-app channel.

  • § 16 2026-04-22 Other

    When PIPL Violation Becomes a Crime — Hong Yanqing on China's Personal Information Criminal Threshold

    Hong Yanqing on the criminal-side analog to PIPL — when does mishandling personal information cross from administrative violation into the crime of 'infringing on citizens' personal information'? His critique: the two key elements ('relevant State provisions' and 'serious circumstances') are too loose, and courts have stretched them in ways that should worry compliance teams.

  • § 17 2026-04-04 Other

    When Is Facial Recognition in a Public Place 'Necessary for Public Security'? Hong Yanqing's Four-Element Framework

    Hong Yanqing on how to operationalize PIPL Article 26's 'necessary for public security' principle for public-place video surveillance and facial recognition. His framework: a four-step necessity test, tiered risk regime with a published prohibited list, three-fold technical controls, and a lifecycle closure mechanism — drawing on EU AI Act and US state-level practice.

  • § 18 2026-01-08 Other

    Cross-Border Data Discovery — How the U.S., EU, and China Each Play Offense and Defense

    When a foreign authority wants data stored in China — or vice versa — three doctrines compete. The U.S. uses a 'data controller standard' (CLOUD Act) that reaches globally on offense and shields domestically through ECPA blocking on defense. The EU uses 'market access' leverage (GDPR Article 3 jurisdictional reach plus Article 48 blocking). China uses a 'data location standard' (territorial sovereignty plus the MLA Law, DSL, and PIPL blocking clauses). Wang Qinglan maps the four discovery paths, the three jurisdictional doctrines, and what compliance teams should build to survive the squeeze.

  • § 19 2025-12-19 Other

    Will Judicial Review 'Reset' the Data Registration Rush? — Reading Wang Qinglan on the SPC's New Data Disputes Case Category

    Wang Qinglan, head of compliance at a Chinese data exchange, asks what the Supreme People's Court's new 'data disputes' case category — effective January 1, 2026 — does to the data property rights registration certificates that institutions across the country have been issuing. Her argument: certificates issued through formal-only review will not survive substantive judicial scrutiny, and a single rejected certificate could erode trust in the entire registration regime. The path forward is a three-tiered protection model and aligned standards across regulators, registration institutions, and courts.

  • § 20 2025-12-15 Other

    PIPO vs. DPO — How China's Personal Information Protection Officer Differs from the GDPR Data Protection Officer

    The Cyberspace Administration of China announced in July 2025 that personal-information processors handling data on 1 million or more individuals must submit Personal Information Protection Officer (PIPO) information to CAC. Compliance Talker's global legal policy research team contrasts China's PIPO regime under PIPL Article 52 with the GDPR's Data Protection Officer (DPO) framework under Articles 37–39. The most consequential difference: PIPO carries individual administrative liability — up to RMB 1 million in personal fines and industry bans — where DPO does not.

  • § 21 2025-12-09 Other

    Is There Such a Thing as 'Game Data Compliance' in China? — Li Wenlong's Field Notes

    Li Wenlong (科技利维坦) reports field observations on personal-data collection inside Chinese games, framed around three questions: is there an industry-specific 'game data compliance' mode; where is enforcement actually concentrated; and does the Chinese picture differ from abroad. His read: domestic game-data compliance is still at a 'wild-west stage' — the violations being caught are the blunt, clearly-unlawful kind (a game demanding photo-album permission), and the enforcement frontier is no different from any other app ecosystem. A principle-level framework was in place before 2023, but the yardstick stays crude, with no breakthrough on concrete evaluation standards — which caps how deep either enforcement or compliance can go. Overseas (GDPR and consumer law), games were under-scrutinised until the last year or two. The forward warning: games will be the main carrier of VR and will embed many models, so the compliance picture is about to get far more complex. For overseas counsel advising game studios on the China market: a reality check on what is — and isn't — being enforced.

  • § 22 2025-10-28 Other

    Reading the FRT Application Measures — What the 100k-Record Filing Threshold Actually Triggers

    The Administrative Measures for the Application Security of Facial Recognition Technology took effect June 1, 2025. The May 2025 announcement on FRT filing implementation followed. Compliance Talker's global legal policy team walks through the seven specific compliance obligations the Measures impose — the non-exclusive-use rule, end-side storage default, 100k-individual filing threshold, separate-consent reinforcement, PIA mandate, and more — with practical implementation guidance on each. For overseas firms with any China-facing FRT deployment, this is the operational walkthrough.

  • § 23 2024-09-19 Other

    What Does Data Registration Actually Confirm? — A Doctrinal Reading

    Long before the SPC's January 2026 'data disputes' case category started squeezing data registration certificates against judicial review, Wang Qinglan had already written the foundational critique: data registration does not 'confirm rights' because there are no legal data rights to confirm. The Data 20 Articles created data property rights, not data legal rights, and Chinese property rights are not Article-conferred civil rights. Registration certificates are 'trust credentials,' not 'rights certificates.' This is the doctrinal essay overseas counsel should read before the SPC sequel.

  • § 24 2024-04-11 Other

    Case Study — A Public-Data Operator Hands Personal Data to a Bank. Two Compliance Failures.

    A real-case analysis from Wang Qinglan. A state-affiliated auction company holds the public-data operating right for vehicle license-plate auction data. A bank persuades it to hand over the personal data of winning bidders. The bank builds a targeted credit product and pays the auction company RMB 12 million a year in revenue share. Two compliance failures: (1) no individual consent under PIPL; (2) no credit reference business license under the Credit Reference Industry Regulation and Credit Reference Business Measures. Public-data authorized operation does not displace the credit reference licensing regime.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →