# Data Compliance China — Full Corpus > Generated 2026-07-15 from https://datacompliancechina.com This file contains the full text of DCC's editorial corpus: 133 laws and regulatory instruments, 84 briefings, and a 409-term bilingual glossary. Intended for one-pass ingestion by LLM crawlers and research tools. Canonical URLs and per-page markdown: - Briefs: `/posts/.md` - Laws: `/laws/.md` - Glossary JSON: `/glossary.json` - Curated index: `/llms.txt` - Structured catalog: `/manifest.json` --- # I. LAWS AND REGULATIONS ## China–Singapore Joint Data Compliance Guide: Practical Handbook — China Chapter - Chinese title: 中国—新加坡联合数据合规指引:实务手册(中国篇) - Abbreviation: CN-SG Joint Guide - Hierarchy: handbook - Issuing body: Shenzhen Data Exchange · Asian Business Law Institute (Singapore) · Authority of Qianhai · Shenzhen Bureau of Justice - Effective: 2025-08-01 - Status: effective - URL: https://datacompliancechina.com/laws/cs-joint-data-compliance-guide/ - Markdown: https://datacompliancechina.com/laws/cs-joint-data-compliance-guide.md ### Summary A 110-page bilingual practitioner handbook on Chinese data compliance, jointly compiled by the Shenzhen Data Exchange and Singapore's Asian Business Law Institute under the guidance of the Qianhai Authority. The China Chapter is structured around the Guide's two-axis compliance model: subject obligations (organizational structure, policy, classification & grading, partners, risk assessment, incident response) crossed with object types (general / important / personal / public / industry-specific data). Includes the regulator map, cross-border path selection trees, and worked examples. Current as of August 2025. This is the single most accessible authoritative reference DCC has identified for overseas counsel approaching the Chinese data regime. ### Full text **Issued by:** Shenzhen Data Exchange (深圳数据交易所) and the Asian Business Law Institute (亚洲商法研究所), Singapore. **Guiding Organizations:** Shenzhen Municipal Service and Data Administration · Shenzhen Municipal Bureau of Justice · Authority of Qianhai Shenzhen-Hong Kong Modern Service Industry Cooperation Zone · Shenzhen Law Society. **Supporting Organization:** Network Data Security Compliance Laboratory (Shenzhen Qianhai). **Current as of:** August 2025. > *Editor's Note — DCC.* > > This is the most useful single document DCC has come across for orienting > overseas counsel to the architecture of China's data-compliance regime. > It is not a statute and does not bind anyone — but it is co-authored by > the institution that operates China's national data circulation > infrastructure (Shenzhen Data Exchange) and the most senior China data > bar (Fangda, Han Kun, Zhong Lun, Global Law, KWM, Tianda & Gonghe, > V&T, Simmons & Simmons). Its conceptual contribution — the **two-axis > compliance framework** (subject obligations × object types) — is the > mental model we recommend overseas readers internalize first. > > The Guide explicitly permits non-commercial reproduction with source > attribution. The chapter outline below is reproduced from the Guide's > own Table of Contents; the conceptual summaries are DCC's distillation. > The [DCC Overview page](/overview/) renders the same framework in > visual form for first-time readers. ## Why this matters for overseas teams China's data regime has accumulated more than a decade of statutes, regulations, departmental rules, standards, judicial interpretations, and policy directives. For someone approaching it cold, the volume is the obstacle. The Joint Guide solves this in three ways: - **A single mental model.** The Guide explicitly organizes the regime around a *Subject × Object* grid — what an organization must do (Subject Compliance), crossed with what each type of data requires (Object Compliance). Every detailed obligation in the regime fits into one of the resulting cells. - **A regulator map.** Six categories of regulators with overlapping mandates (CAC, MIIT, MPS, SAMR, industry regulators, and the National Data Security Coordination Mechanism) are mapped in Chapter II with each one's specific authority. - **A path-selection framework for cross-border data.** Chapter V walks through the decision logic that maps a specific data transfer to the right compliance pathway — security assessment, standard contract filing, certification, or exemption. For overseas counsel, the Guide is the closest thing in 2025 to an authoritative single-source orientation to the Chinese data regime. ## Chapter outline The Guide's seven chapters in the China Chapter: ### Chapter I — Overview and User Guide - **I.** Introduction: The Context of China–Singapore Digital Cooperation - *(i) The Practical Basis of China–Singapore Data Cooperation and Enterprise Needs* - *(ii) Evolution and Opening Trends of China's Data Compliance Framework* - **II.** China's Practical Framework and Compliance Logic — the **two-axis model** - *(i) Subject Compliance: Core Obligations of Data Processors* (org structure, policy, classification, partners, risk assessment, incident response) - *(ii) Object Compliance: Special Requirements for Different Types of Data* (general / important / personal / public / industry-specific) - **III.** Guidelines for Use and Practical Tools (content index + usage tips) ### Chapter II — Regulatory System and Departmental Responsibilities - **I.** Cyberspace Administration of China (CAC) - **II.** Ministry of Industry and Information Technology (MIIT) - **III.** Public Security Authorities - **IV.** Market Regulation Authorities - **V.** Industry Regulators and Other Authorities (PBoC, NFRA, NHC, MNR, MoE, MoT, etc.) - **VI.** National Data Security Coordination Mechanism ### Chapter III — Compliance Requirements for Data Processing Entities (the Subject Axis) - **I.** Organizational Structure (PIPO appointments, internal committees, reporting lines) - **II.** Policy Development and Personnel Management (internal rules, training, access controls) - **III.** Data Classification and Grading (per GB/T 43697-2024 and sector-specific catalogues) - **IV.** Management of External Partners (entrusted processing, joint processing, third-party sharing) - **V.** Risk Assessment Mechanisms (PIA, important-data risk assessment, network-data activity assessment) - **VI.** Security Incident Response and Handling ### Chapter IV — Compliance Standards for Data Objects (the Object Axis) - **I.** General Data — common requirements (definition, types, key compliance requirements) - **II.** Important Data — identification, assessment, management obligations (per DSL + Network Data Security Regulation) - **III.** Personal Information — PIPL implementation requirements (lawful bases, individual rights, separate consent, cross-border) - **IV.** Public Data — definition, identification, sharing and opening (per Data 20 Articles + NDA registration regime) - **V.** Special Industry Data - *(i) Surveying, Mapping and Geographic Information Data* - *(ii) Health and Medical Data* - *(iii) Financial Credit Reference Data* - *(iv) Automotive Data* - *(v) Other industry-specific verticals* ### Chapter V — Compliance Paths for Cross-Border Data Flow - **I.** Path Selection for Outbound Data Flow - *(i) Security assessment declarations / standard contract filings / PI protection certifications under the applicable compliance paths* - **II.** Requirements for Data Processors in Outbound Data Flow - **III.** Localization Data Storage Requirements - **IV.** Important Data Cross-Border Transfer (compliance requirements + security assessment for important data export) ### Chapter VI — Good Compliance Practice Guidelines Worked examples, scenario-based recommendations, and benchmark practices observed in foreign-invested-enterprise compliance work. ### Chapter VII — Frequently Asked Questions Practical Q&A clarifying common edge cases (small-volume processors, group structures, vendor cascades, etc.). ## The conceptual contribution: Subject × Object The Guide's most useful idea is also its simplest. Every concrete compliance question can be located on a 2D grid: | | **Org structure** | **Policy** | **Classification** | **Partners** | **Risk assess** | **Incident response** | |------------------------------|:----:|:----:|:----:|:----:|:----:|:----:| | **General data** | · | · | · | · | · | · | | **Important data** | · | · | · | · | · | · | | **Personal information** | · | · | · | · | · | · | | **Public data** | · | · | · | · | · | · | | **Industry-specific data** | · | · | · | · | · | · | The grid's value: every detailed obligation in CSL, DSL, PIPL, NDR, the cross-border provisions, the PI audit measures, the GenAI rules, and the sector-specific regulations slots into one of the cells. Once a compliance team has internalized the grid, the corpus stops feeling like a chaos of rules and starts behaving like a structured matrix. See the [DCC Overview page](/overview/) for the rendered grid with each cell anchored to the underlying laws. ## Editorial choices in DCC's coverage of the Guide - **No full text reproduction.** The Guide is 110+ pages. DCC treats it as a primary reference and links overseas readers to the official PDF for the full text. - **Concept distillation.** DCC's [Overview page](/overview/) renders the Guide's framework visually so first-time readers get the model in five minutes. - **Derivative briefs.** Each of Chapters II–V will be the subject of standalone DCC briefs (1500–2500 words each), credited to the Guide. ## Source Original document: *China–Singapore Joint Data Compliance Guide: Practical Handbook* (中国—新加坡联合数据合规指引:实务手册), China Chapter. Jointly compiled by the Shenzhen Data Exchange (深圳数据交易所) and the Asian Business Law Institute (Singapore), under the guidance of the Authority of Qianhai Shenzhen-Hong Kong Modern Service Industry Cooperation Zone. Released August 2025. Official PDF (hosted by Qianhai Authority): [qh.sz.gov.cn/attachment/1/1661/1661659/12551073.pdf](https://qh.sz.gov.cn/attachment/1/1661/1661659/12551073.pdf) The Guide is non-commercial and explicitly permits reproduction with source attribution. --- ## Measures for the Security Assessment of Data Export - Chinese title: 数据出境安全评估办法 - Hierarchy: rule - Issuing body: Cyberspace Administration of China (CAC) - Adopted: 2022-05-19 - Effective: 2022-09-01 - Status: effective - URL: https://datacompliancechina.com/laws/data-export-security-assessment-measures/ - Markdown: https://datacompliancechina.com/laws/data-export-security-assessment-measures.md ### Summary The first of CAC's three cross-border transfer pathways. Required for CIIOs transferring any personal information or important data abroad, and for non-CIIO handlers above certain thresholds. Establishes the application procedure, evaluation factors, validity period, and self-assessment requirements. Read together with the 2024 Cross-border Data Flow Provisions, which relaxed thresholds. ### Full text **Promulgated by:** Cyberspace Administration of China (CAC). **Document No.:** Decree No. 11 of the Cyberspace Administration of China. **Adopted at the 10th executive meeting of the CAC in 2022 on May 19, 2022. Effective September 1, 2022.** --- **Article 1.** These Measures are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and other laws and regulations to regulate data provision abroad, protect personal information rights and interests, safeguard national security and social and public interests, and promote the security and free flow of data across borders. **Article 2.** These Measures apply to the security assessment of critical data and personal information collected and generated by a data handler in its operation in the People's Republic of China, which are to be provided abroad. Where it is otherwise provided for in laws and administrative regulations, such provisions shall prevail. **Article 3.** Security assessment for data provision abroad shall follow principles of the combination of ex-ante assessment and continuous supervision and the combination of risk self-assessment and security assessment, so as to prevent the security risks arising from data provision abroad, and ensure the orderly and free flow of data according to the law. 100 **Article 4.** To provide data abroad under any of the following circumstances, a data handler shall declare security assessment for its provision of data abroad to the Cyberspace Administration of China ("CAC") through the local cyberspace administration at the provincial level: (I) where a data handler provides critical data abroad; (II) where a key information infrastructure operator or a data handler processing the personal information of more than one million people provides personal information abroad; (III) where a data handler has provided personal information of 100,000 people or sensitive personal information of 10,000 people in total abroad since January 1 of the previous year; and (IV) other circumstances prescribed by the CAC for which declaration for security assessment for data provision abroad is required. **Article 5.** Prior to declaring security assessment for data provision abroad, a data handler shall conduct self-assessment on the risks of data provision abroad, with focus on the assessment of the following matters: (I) the legality, legitimacy and necessity of the purpose, scope and method of data provision abroad and data processing by the overseas recipient; (II) the scale, scope, type and sensitivity of the data to be provided abroad, and the risks to national security, public interests or the legitimate rights and interests of individuals or organizations caused by data provision abroad; (III) the responsibilities and obligations that the overseas recipient promises to undertake, and whether the overseas recipient's management and technical measures and capabilities for performing its responsibilities and obligations can guarantee the security of data provision abroad; (IV) risks of the data to be tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after data provision abroad; whether the channel for the maintenance of personal information rights and interests is smooth; (V) whether the relevant contracts on the data to be concluded with the overseas recipient or other legally binding documents (hereinafter referred to collectively as the "legal documents") have fully agreed on the responsibilities and obligations to protect the data security; and (VI) other matters that may affect the security of data provision abroad. **Article 6.** To declare security assessment for data provision abroad, the following materials shall be submitted: (I) a declaration form; (II) self- assessment report on the risks of data provision abroad; (III) the legal documents to be concluded by the data handler and the overseas recipient; and (IV) other materials necessary for security assessment. **Article 7.** The cyberspace department at the provincial level shall complete the examination of the completeness of declaration materials within five working days after receiving them. Where the declaration materials are complete, they shall be submitted to the CAC; where the application materials are incomplete, they shall be returned to the data handler and the data handler shall be informed on a one-time basis of materials to be supplemented. The CAC shall, within seven working days after receipt of declaration materials, determine whether or not to accept the same, and notify the data handler of the same in writing. **Article 8.** The security assessment for data provision abroad shall focus on the assessment of the risks to national security, public interests, or the legitimate rights and interests of individuals or organizations that may be caused by the activity of data provision abroad, mainly including the following matters: (I) the legality, legitimacy and necessity of the purpose, scope, and method of data provision abroad; (II) the impact of the data security protection policies and regulations and the cybersecurity environment of the country or region where the overseas recipient is located on the security of data to be provided abroad, and whether the data protection level of the overseas recipient meets the requirements of the laws and administrative regulations of the People's Republic of China and mandatory national standards; (III) the size, scope, types and sensitivity of data to be provided abroad, and the risks that the data may be tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the data is provided abroad; (IV) whether data security and personal information rights and interests can be fully and effectively guaranteed; (V) whether the legal documents to be concluded by the data handler and the overseas recipient have fully agreed on the responsibilities and obligations of data security protection; (VI) compliance with Chinese laws, administrative regulations and departmental rules; and (VII) other matters that the CAC considers necessary to be assessed. **Article 9.** A data handler shall expressly agree on the responsibilities and obligations of data security protection in the legal documents concluded with the overseas recipient, which shall at least include the following contents: (I) the purpose and method of data provision abroad and the scope of the data, and the purpose and method, etc. for processing the data by the overseas recipient; (II) the location and duration of storage of the data abroad, as well as the handling measures for data provision abroad after the storage period expires, the agreed purpose is completed, or the legal documents are terminated; (III) restrictive requirements on the overseas recipient's re-provision of the data provided abroad to other organizations and individuals; (IV) the security measures to be taken by an overseas recipient when actual control or business scope has changed substantially, data security protection policies and regulations and cybersecurity environment of the country or region where the overseas recipient is located have changed, or the occurrence of any other force majeure event, under which data security cannot be ensured; (V) remedial measures, liability for breach of contract and dispute resolution in the event of violation of data security protection obligations agreed in legal documents; and (VI) the requirements to properly carry out emergency response when the data provided abroad is at risk of being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used, as well as the ways and methods to protect people's personal information rights and interests. **Article 10.** After accepting a declaration, the CAC shall organize the relevant departments of the State Council, the cyberspace administration concerned at the provincial level and specialized agencies to conduct security assessment in light of the declaration. **Article 11.** During the security assessment, if it is found that the declaration materials submitted by a data handler fail to meet requirements, the CAC may require the data handler to supplement or correct the materials. In case that the data handler fails to supplement or correct the materials without justified reasons, the CAC may terminate the security assessment. A data handler shall be responsible for the authenticity of the materials submitted. If a data handler submits false materials on purpose, it shall be deemed as failing in the assessment, and the data handler shall be held legal liable correspondingly according to the law. 45 **Article 12.** The CAC shall, within 45 working days of issuing a written notice of acceptance to the data handler , complete the security assessment for data provision abroad; if the situation is complicated or supplementary or corrected materials are needed, the assessment may be extended appropriately, and the data handler shall be notified of the expected extension period. The data handler shall be informed of the assessment results in writing. **Article 13.** Where a data handler has any objection to the assessment results, it may, within 15 working days of receiving the results, apply to the CAC for a re-assessment, and the re-assessment results are final. **Article 14.** The results of security assessment for data provision abroad are valid for two years, commencing from the date when the results are issued. The data handler shall re-apply for assessment if any of the following circumstances occurs within the valid period of time: (I) the purpose, method, scope and type of data provision abroad, or the purpose and method of data processing by the overseas recipient have changed, affecting the security of the data provided abroad, or extending the period of storage of personal information and critical data abroad; (II) the security of the data provided abroad is affected due to changes in the data security protection policies or regulations or the cybersecurity environment of the country or region where the overseas recipient is located, any other force majeure event, or any change in the actual control of the data handler or the overseas recipient, or any change in the legal documents between the data handler and the overseas recipient; and (III) any other circumstance affecting the security of the data provided abroad. If it is necessary to continue data provision abroad after the expiration of the period of validity, the data handler shall declare anew assessment 60 working days before the expiration of the period of validity. **Article 15.** The relevant institutions and personnel participating in security assessment shall keep confidential state secrets, personal privacy, personal information, trade secrets, confidential business information and other data they have accessed to in fulfilling their duties, in accordance with the law, and shall not divulge or illegally provide the same to others or illegally use such data. **Article 16.** Any organization or individual who discovers the provision of data abroad in violation of these Measures by any data handler may report the case to a cyberspace administration at the provincial level or above. **Article 17.** Where the CAC finds that data provision abroad that has passed assessment no longer meets the requirements for security management of data provision abroad in the process of actual processing, it shall notify in writing the data handler to terminate data provision abroad. If the data handler needs to continue carrying out data provision abroad, it shall make rectification as required and, upon completion of the rectification, apply for assessment anew. **Article 18.** Any violation of these Measures shall be dealt with in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and other laws and regulations; if a crime is constituted, criminal liability shall be investigated in accordance with the law. **Article 19.** For the purpose of these Measures, the term "critical data" refers to the data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and security, etc. **Article 20.** These Measures shall come into force on September 1, 2022. For data provision abroad that have been carried out before effectiveness of these Measures, if not in compliance with these Measures, rectification shall be completed within six months from the effectiveness of these Measures. --- ## Security Protection Regulations for Critical Information Infrastructure - Chinese title: 关键信息基础设施安全保护条例 - Abbreviation: CII Regulations - Hierarchy: regulation - Issuing body: State Council - Adopted: 2021-04-27 - Effective: 2021-09-01 - Status: effective - URL: https://datacompliancechina.com/laws/cii-protection-regulations/ - Markdown: https://datacompliancechina.com/laws/cii-protection-regulations.md ### Summary These Regulations operationalize the Critical Information Infrastructure (CII) regime under CSL Articles 31–39. They define CII identification rules, set out CIIO obligations (specialized security body, annual testing and risk assessment, security review of network products, breach reporting), and establish the inter-agency coordination structure under CAC + Ministry of Public Security. ### Full text **Promulgated by:** State Council. **Document No.:** Decree No. 745 of the State Council. **Adopted at the 133rd executive meeting of the State Council on April 27, 2021. Effective September 1, 2021.** Premier Li Keqiang. --- ## Chapter I General Provisions **Article 1.** These Regulations are enacted in accordance with the Cybersecurity Law of the People's Republic of China for the purposes of protecting the security of critical information infrastructure and maintaining cyber security. **Article 2.** For the purpose of these Regulations, critical information infrastructure refer to the important network facilities and information systems in important industries and fields such as public telecommunications, information services, energy, transportation, water conservancy, finance, public services, e-government and national defense science, technology and industry, as well as other important network facilities and information systems which, in case of destruction, loss of function or leak of data, may result in serious damage to national security, the national economy and the people's livelihood and public interests. **Article 3.** Under the overall planning and coordination of the Cyberspace Administration of China (hereinafter referred to as the CAC), the public security department under the State Council is responsible for guiding and supervising the protection of the security of critical information infrastructure. The competent telecommunications department of the State Council and other relevant departments shall, in accordance with provisions of these Regulations and relevant laws and administrative regulations, be responsible for protecting, supervising and administering the security of critical information infrastructure within the scope of their respective duties. Relevant departments of the provincial people's government shall protect, supervise and administer the security of critical information infrastructure ex officio. **Article 4.** For the security protection of critical information infrastructure, it is imperative to the principles of comprehensive coordination, division of responsibilities and legal protection, strengthen and implement the responsibilities of critical information infrastructure operators (hereinafter referred to as the "operators") as subjects, and give full play to the role of the government and all sectors of society, so as to jointly protect the security of critical information infrastructure. **Article 5.** The State gives priority to the protection of critical information infrastructure, takes measures to monitor, defends against and deal with cyber security risks and threats from both within and outside the territory of the People's Republic of China, protects critical information infrastructure from attacks, intrusions, interference and damage, and punishes illegal and criminal activities endangering the security of critical information infrastructure in accordance with the law. No individual or organization may illegally invade, interfere with or destroy the critical information infrastructure, or endanger the security of the critical information infrastructure. **Article 6.** Operators shall, in accordance with the provisions of these regulations, relevant laws and administrative regulations and compulsory requirements of national standards, take technical protection measures and other necessary measures based on the graded protection for cyber security, respond to cyber security incidents, prevent cyber attacks and illegal and criminal activities, guarantee the safe and stable operation of critical information infrastructure, and maintain the integrity, confidentiality and availability of data. **Article 7.** Entities and individuals that have made remarkable achievements in or outstanding contributions to the security protection of critical information infrastructure shall be commended in accordance with relevant provisions of the State. ## Chapter II Identification of Critical Information Infrastructure **Article 8.** For the important industries and fields mentioned in Article 2 hereof, the competent authorities and supervisory authorities are the authorities responsible for the security protection of critical information infrastructure (hereinafter referred to as the "protection authorities"). **Article 9.** The protection authorities shall, in light of the actual conditions of respective industries and fields, develop rules for the identification of critical information infrastructure, and file such rules with the public security department under the State Council for the record. The following factors shall be taken into account in the formulation of identification rules: (I) the degree of importance of network facilities, information systems, etc. for the key and core business of the industry and field concerned; (II) the degree of harm that may be caused in the event of any destruction, loss of function or leak of data of network facilities or information systems; and (III) the impact on the relevance to other industries and fields. **Article 10.** The protection authorities shall, in accordance with identification rules, be responsible for organizing the identification of critical information infrastructure of respective industries and fields, notify the operators concerned of the identification results in a timely manner, and report the same to the public security department under the State Council. **Article 11.** Operators shall report relevant information on any material change in critical information infrastructure that may affect the identification results to the protection authorities in a timely manner. The protection authorities shall complete the identification again within three months upon receipt of the report, notify the operator concerned of the identification results, and report the same to the public security department under the State Council. ## Chapter III Responsibilities and Obligations of an Operator **Article 12.** The security protection measures shall be planned, established and put into use simultaneously with the critical information infrastructure. **Article 13.** An operator shall establish sound cyber security protection system and the responsibility system to ensure the input of manpower, financial and material resources. The person chiefly in charge of the operator shall take overall responsibility for the protection of the security of critical information infrastructure, lead the security protection of critical information infrastructure and the disposal of major cyber security incidents, and organize the study and resolution of major cyber security issues. **Article 14.** An operator shall set up a specialized security management body, and conduct security background review of the person in charge of the specialized security management body and persons in key positions. During the review, the public security authority and national security authority shall provide assistance. **Article 15.** The specialized security management body of an operator shall be specifically responsible for the security protection of critical information infrastructure of the operator, and shall perform the following duties: (I) Establishing the sound cyber security management, evaluation and assessment system, and drafting the security protection plan for critical information infrastructure; (II) Organizing and promoting the development of cyber security protection capacity, and conducting the monitoring, testing and risk assessment of cyber security; (III) Developing the operator's own emergency plans, conducting regular emergency drills, and disposing of cyber security incidents in accordance with the national and industrial emergency plans for cyber security incidents; (IV) Identifying key positions for cyber security, organizing the assessment of cyber security work, and proposing rewards and punishments; (V) Organizing cyber security education and training; (VI) Performing the responsibility of personal information and data security protection, and establishing the sound personal information and data security protection system; (VII) Conducting security management of services such as design, construction, operation and maintenance of critical information infrastructure; and (VIII) Reporting cyber security incidents and important matters as required. **Article 16.** An operator shall ensure the operation funds for its specialized security management body, allocate corresponding personnel, and have the personnel of the specialized security management body participate in making decisions relating to cyber security and informatization. **Article 17.** An operator shall conduct by itself or entrust a cyber security service agency to conduct cyber security testing and risk assessment on its critical information infrastructure at least once a year, timely rectify security problems discovered, and report information as required by the protection authorities. **Article 18.** In the event of occurrence of any major cyber security incident or discovery of any major cyber security threat for the critical information infrastructure, the operator shall report to the protection authorities and the public security authorities as required. For any particularly major cyber security incident such as disruption of the operation of critical information infrastructure in whole or major function failure, divulgence of national basic information and other important data, divulgence of large scale personal information, large economic losses or spread of illegal information over a large scale, or discovery of any particularly major cyber security threat, the protection authorities shall, after receiving such report, timely report to the CAC and the public security department under the State Council. **Article 19.** Operators shall give priority to safe and reliable networking products or services purchased. If the purchase of networking products or services may affect national security, it is required to pass the security review in accordance with the national cyber security provisions. **Article 20.** In purchasing networking products or services, operators shall enter into a security confidentiality agreement with a networking product or service provider in accordance with the relevant provisions of the State, specifying the technical support and security confidentiality obligations and responsibilities of the provider, and supervise the fulfillment of the obligations and responsibilities. **Article 21.** In the event of merger, division or dissolution, an operator shall report to the protection department in a timely manner, and deal with the critical information infrastructure as required by the protection department to ensure security. ## Chapter IV Guarantee and Promotion **Article 22.** The protection authorities shall work out a security plan for the critical information infrastructure of the industry or field, specifying protection objectives, basic requirements, tasks and specific measures. **Article 23.** The CAC shall coordinate with the relevant authorities to establish a cyber security information sharing mechanism, timely summarize, study, judge, share and release cyber security threats, vulnerabilities, incidents and other information, and promote cyber security information sharing among the relevant authorities, protection authorities, operators and cyber security service agencies. **Article 24.** The protection authorities shall establish a sound monitoring and early warning system for the cyber security of the critical information infrastructure of the industry or field, timely learn about the operation status and security situation of the critical information infrastructure of the industry or field, give an early warning and notify threats and hazards to cyber security, and guide the security prevention work. **Article 25.** The protection authorities shall, in accordance with the requirements of the State emergency plan for cyber security incidents, establish the sound emergency plan for cyber security incidents of the industry or field, regularly organize emergency drills, guide the operator to respond to and deal with cyber security incidents, and organize to provide technical support and assistance as needed. **Article 26.** The protection authorities shall regularly organize inspections and testing of the cyber security of the critical information infrastructure of the industry or field, and guide and supervise the operator to promptly rectify potential security risks and improve security measures. **Article 27.** The CAC shall coordinate with the public security department under the State Council and the protection authorities to inspect and test cyber security of the critical information infrastructure and propose improvement measures. When carrying out inspections of the cyber security of the critical information infrastructure, relevant authorities shall strengthen cooperation and information communication to avoid unnecessary inspections and cross and repeated inspections. No fees shall be charged for the inspections, and the inspected entities shall not be required to purchase the products or services of designated brands or designated manufacturers or sellers. **Article 28.** Operators shall cooperate with the inspections and testing of the cybersecurity of the critical information infrastructure carried out by the protection authorities, and the inspections of the cybersecurity of the critical information infrastructure carried out by the public security department, State security department, secrecy administration, password administration and other relevant authorities in accordance with the law. **Article 29.** The CAC, the competent telecommunications department of the State Council and the public security department under the State Council shall, in accordance with the needs of the protection authorities, provide technical support and assistance in a timely manner during the protection of the security of the critical information infrastructure. **Article 30.** The CAC, public security organs, protection authorities and other relevant authorities, cyber security service agencies and the staff thereof shall use the information acquired in the protection of the security of the critical information infrastructure only for the purpose of maintaining cyber security, and the security of such information shall be ensured in strict accordance with the requirements of relevant laws and administrative regulations, and such information shall not be divulged, sold or illegally provided to others. **Article 31.** Without the approval of the CAC and the public security department under the State Council or the authorization of the protection authorities or an operator, no individual or organization may carry out vulnerability testing, penetration testing and other activities that may affect or endanger the security of the critical information infrastructure. Before carrying out vulnerability testing, penetration testing and other activities on the basic telecommunications network, it is required to report to the competent telecommunications department under the State Council in advance. **Article 32.** The State takes measures to give priority to the safe operation of critical information infrastructure such as energy and telecommunications. Energy and telecommunications industries shall take measures to give priority to the safe operation of critical information infrastructure in other industries and fields. **Article 33.** Public security organs and State security organs shall, ex officio, strengthen the security protection of critical information infrastructure in accordance with the law, and prevent and crack down on illegal and criminal activities against the critical information infrastructure and illegal and criminal activities by using the aforesaid information. **Article 34.** The State formulates and improves the security standards for critical information infrastructure, guides and regulates the protection of the security of critical information infrastructure. **Article 35.** The State takes measures to encourage specialized cyber security talent to engage in the protection of the security of critical information infrastructure and includes the training of security management personnel and security technicians of the operator in the national continuing education system. **Article 36.** The State supports technological innovation and industrial development in respect of security protection for critical information infrastructure and organizes efforts to make technological breakthroughs in respect of security protection for critical information infrastructure. **Article 37.** The State strengthens the construction and management of cyber security service agencies, formulates administrative requirements and reinforces supervision and guidance, constantly improves the capability of service agencies, and gives full play to their role in the protection of the security of critical information infrastructure. **Article 38.** The State strengthens military and civilian integration of cyber security and protects the security of critical information infrastructure through military-civilian collaboration. ## Chapter V Legal Liability **Article 39.** For an operator falling under any of the following circumstances, the competent authorities shall order it to make corrections and give it a warning ex officio. In case of refusal to make corrections or resulting in such consequence as endangering cyber security, it shall be subject to a fine of not less than 100,000 yuan but not more than 1 million yuan, and the person directly in charge shall be subject to a fine of not less than 10,000 yuan but not more than 100,000 yuan: (I) Failing to report relevant information to the competent protection authorities in a timely manner when the identification result may be affected due to material changes in critical information infrastructure; (II) Failing to plan, construct or put into use security protection measures and critical information infrastructure simultaneously; (III) Failing to establish a sound cyber security protection system and responsibility system; (IV) Failing to set up a specialized security management body; (V) Failing to conduct background review on the person in charge and personnel in key positions of a specialized security management body; (VI) Failing to have the personnel of a specialized security management body participate in making decisions relating to cyber security and informatization; (VII) Failing to perform the duties specified in Article 15 of these Regulations by a specialized security management body; (VIII) Failing to conduct cyber security testing and risk assessment for critical information infrastructure at least once a year, failing to make timely rectification of security problems found out, or failing to report the relevant information as required by the competent protection authorities; (IX) Failing to enter into a security confidentiality agreement with the provider of networking products or services in accordance with the relevant provisions of the State when purchasing networking products or services; or (X) Failing to report to the competent protection authorities in a timely manner in the event of merger, division or dissolution, or failing to deal with critical information infrastructure as required by the competent protection authorities. **Article 40.** For any operator failing to report to the competent protection authorities or the public security organ as required when a major cybersecurity incident occurs or a major cybersecurity threat is discovered with respect to critical information infrastructure, the competent protection authorities or the public security organ shall, ex officio, order it to make rectifications and give it a warning; in case of refusal to make rectifications or resulting in such consequence as endangering cybersecurity, a fine of not less than 100,000 yuan but not more than 1 million yuan shall be imposed on it, and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the person directly in charge of the operator. **Article 41.** For an operator failing to conduct security review in accordance with the provisions on cybersecurity of the State when purchasing networking products or services that may affect national security, the CAC and other competent authorities shall, ex officio, order it to make rectifications, impose a fine of not less than one time but not more than ten times the purchase amount on it, and impose a fine of not less than 10,000 yuan but not more than 100,000 yuan on the person directly in charge and other persons directly liable. **Article 42.** Where an operator refuses to cooperate with the inspection and testing of the cybersecurity of the critical information infrastructure carried out by the protection authorities, or refuses to cooperate with the inspection and testing of the cybersecurity of the critical information infrastructure carried out by the public security, national security, secrecy administration, password administration and other relevant authorities in accordance with the law, the competent authorities shall order it to make rectifications. If it refuses to make rectifications, a fine of not less than 50,000 yuan but not more than 500,000 yuan will be imposed, and a fine of not less than 10,000 yuan but not more than 100,000 yuan will be imposed on the person directly in charge and other persons directly liable. In a serious case, the operator shall be investigated for corresponding legal liability in accordance with the law. **Article 43.** Whoever illegally intrudes into, interferes with or destroys critical information infrastructure, which endangers the security of such infrastructure, but does not constitute a crime, the public security organ concerned shall, in accordance with the Cybersecurity Law of the People's Republic of China, confiscate his/her illegal gains, detain him/her for not more than five days, and may jointly impose a fine of not less than 50,000 yuan but not more than 500,000 yuan on him/her; if the circumstances are relatively serious, the public security organ concerned shall detain him/her for not less than five days but not more than 15 days, and impose a fine of not less than 100,000 yuan but not more than 1 million yuan on him/her. Where an entity commits any of the acts prescribed in the preceding paragraph, the public security organ concerned shall confiscate its illegal gains, impose a fine of not less than 100,000 yuan but not more than 1 million yuan on it, and punish the person directly in charge and other persons directly liable in accordance with the provisions of the preceding paragraph. Whoever violates the provisions of Paragraph 2 of Article 5 and Article 31 hereof and is subject to public security administrative penalties shall not hold key posts of cyber security management and network operation for five years, and whoever is subject to criminal penalties shall not hold key posts of cyber security management and network operation for life. **Article 44.** Where a cyberspace administration, public security organ, protection authorities or any other relevant authority, as well as their staff, fail to perform their duties of protecting, supervising and administering the security of critical information infrastructure, neglects their duties, abuses their powers, or plays favoritism and commits irregularities, the person directly in charge and other persons directly liable shall be punished in accordance with the law. **Article 45.** In conducting a cybersecurity inspection of critical information infrastructure, where a public security organ, protection authorities or any other relevant authority charges fees, or requires the inspection object to purchase products or services of designated brands or designated production or sales entities, the superior organ shall order it to make corrections and to return the fees collected; if the circumstances are serious, the person directly in charge and other persons directly liable shall be punished in accordance with the law. **Article 46.** Where a cyberspace administration, public security organ, protection authority or any other relevant department, a cyber security service agency and any staff thereof use the information acquired in the security protection of critical information infrastructure for any other purpose, or divulge, sell or illegally provide such information to others, the person directly in charge and other persons directly liable shall be punished in accordance with the law. **Article 47.** For a major cybersecurity incident or an extremely major cybersecurity incident occurred to critical information infrastructure, which is determined as a liability accident upon investigation, the liability of the operator shall be investigated and pursued in accordance with the law, and the liability of the relevant cyber security service agency and relevant department shall also be investigated. In the case of dereliction of duty, malpractice or other illegal acts, liability shall be pursued in accordance with the law. **Article 48.** The operator of a critical information infrastructure for e-government failing to perform the cybersecurity protection obligation as stipulated in these regulations shall be punished in accordance with the relevant provisions of the Cybersecurity Law of the People's Republic of China. **Article 49.** Whoever violates the provisions of these Regulations, causing damage to others, shall bear civil liability in accordance with the law. Whoever violates the provisions of these Regulations, constituting a violation of public security administration, shall be imposed a penalty for public security administration in accordance with the law and, if a crime is constituted, be investigated for criminal liability in accordance with the law. ## Chapter VI Supplementary Provisions **Article 50.** The protection of the security of storage and processing of any critical information infrastructure involving State secrets shall also be subject to the laws and administrative regulations on confidentiality. The password use and management for a critical information infrastructure shall also be governed by the provisions of the relevant laws and administrative regulations. **Article 51.** These regulations shall come into force as of September 1, 2021. --- ## Opinions of the CPC Central Committee and the State Council on Building a Basic Data System to Better Play the Role of Data Elements - Chinese title: 中共中央 国务院关于构建数据基础制度更好发挥数据要素作用的意见 - Abbreviation: Data Twenty Opinions - Hierarchy: regulation - Issuing body: CPC Central Committee and State Council - Adopted: 2022-12-02 - Effective: 2022-12-02 - Status: effective - URL: https://datacompliancechina.com/laws/data-foundation-system-opinions/ - Markdown: https://datacompliancechina.com/laws/data-foundation-system-opinions.md ### Summary The foundational 20-article policy directive jointly issued by the CPC Central Committee and the State Council laying out China's national data basic system: data property rights structural subdivision (holding right / processing right / operation right), classified-and-graded right confirmation for public/enterprise/personal data, the on-floor + over-the-counter trading framework, the income distribution mechanism for data elements, and a multi-party governance model. This is the policy text that informs subsequent national-level legislation and rules on data assets, public data, and data property rights registration. ### Full text **Promulgated by:** CPC Central Committee and State Council. Jointly issued by the CPC Central Committee and the State Council on December 2, 2022. Effective December 2, 2022. --- ## I. General Requirements (I) Guiding ideology. Guided by Xi Jinping Thought on Socialism with Chinese Characteristics for a New Era, we should thoroughly implement the guidelines of the 20th National Congress of the Communist Party of China ("CPC"), implement new development concepts in a complete, accurate and comprehensive manner and accelerate the construction of a new development pattern. It is imperative to adhere to reform innovation and system planning, take protecting national data security and protecting personal information and trade secrets as the premise, take promoting compliant and efficient data circulation and use and empowering the real economy as the main line, focus on data property rights, circulation trading, income distribution and security governance, deeply participate in the development of international high-standard digital rules, establish a basic data system that adapts to data characteristics, conforms to the law of development of the digital economy, ensures national data security and highlights the innovation leadership, fully realize the value of data elements, promote the sharing of development dividends of the digital economy by all the people and provide strong support for deepening innovation-driven development, promoting high-quality development and boosting the modernization of the national governance system and governance capacity. (II) Work principles. - **Following the law of development and innovating institutional arrangements.** We should fully understand and master the basic laws governing data property rights, circulation, trading, use, distribution, governance and security etc., explore the property system and market system that are conducive to the security protection, effective use and compliant circulation of data, improve the systems and mechanisms for the data element market, improve the systems and mechanisms in practice and develop them in exploration so as to promote the formation of a new production relation compatible with digital productivity. - **Adhering to the principle of sharing and releasing value dividends.** We should lower the threshold for market players to access data to a reasonable extent, enhance the sharing and inclusiveness of data elements, stimulate innovation, entrepreneurship and creation, and strengthen anti-monopoly and anti-unfair competition, so as to form a development model featuring regulation according to the law, joint participation, taking what is needed, and sharing dividends. - **Strengthening quality supply and promoting compliant circulation.** We should, following the trend of digital transformation of the economy and society, promote the adjustment and optimization of data element supply and improve the quantity and quality of data element supply. We should also establish a data credibility circulation system and enhance the usability, credibility, circulatable nature and traceability level of data. Efforts should be made to make dynamic management in the whole process of data circulation and activate data value in the process of compliant circulation and use. - **Improving the governance system and supporting the safe development.** It is imperative to coordinate development and safety, implement the overall national security concept, strengthen the construction of the data security support system, ensure safety throughout the whole process of data supply, circulation and use, and define the bottom line and red line of supervision. We should strengthen the management of data by category and by level, effectively control what should be under management and delegate what should be delegated, actively and effectively prevent and resolve various data risks, and form a data governance structure that integrates government regulation with market self-discipline, the rule of law with industrial autonomy, and domestic and international coordination. - **Deepening opening up and cooperation to achieve mutual benefits and win-win situation.** It is imperative to actively participate in the formulation of international rules for cross-border flow of data and explore ways to become a member of regional institutional arrangements for cross-border flow of international data. We should also promote bilateral and multilateral negotiations for cross-border flow of data, boost the establishment of institutional arrangements such as rules of mutual benefits. Moreover, we encourage the exploration of new ways and models for cross-border data flow and cooperation. ## II. Establishing a Data Property Right System for Protection of Rights and Interests and Compliant Use It is imperative to explore the establishment of a data property right system, promote the structural subdivision and orderly circulation of data property rights, and strengthen the supply of high-quality data elements in light of the characteristics of data elements; under the national data classification and hierarchical protection system, we should promote classified and hierarchical right confirmation and authorized use and market-oriented circulation and transactions of data, and perfect the data element right protection system, so as to gradually form a data property right system with Chinese characteristics. (III) Exploring a structural subdivision system for data property rights. It is imperative to establish a classified and hierarchical right confirmation and authorization system for public data, corporate data and personal data. We should, in light of the data source and data generation characteristics, respectively define the legitimate rights of various participants in the process of data production, circulation and use, and establish a mechanism for operating property rights such as the right to hold data resources, right to process and use data and right to operate data products. We should also promote the new model of "joint use and benefit sharing" of non- public data under the market-oriented mode to provide a basic institutional guarantee for the activation of data element value creation and value realization. Meanwhile, we should study the new methods for data property rights registration. Under the premise of ensuring security, efforts should be made to promote data handlers to develop and utilize original data in accordance with the laws and regulations, support data handlers in exercising relevant rights to data application in accordance with the laws and regulations, promote the reuse and full utilization of data use value, and promote the exchange and market-oriented circulation of data use rights. Moreover, we should prudently treat transfer trading of original data. (IV) Promoting the implementation of the right confirmation and authorization mechanism for public data. As for public data generated in the process of Party and government organs at all levels, enterprises and public institutions performing their duties or providing public services in accordance with the law, we should strengthen convergence, sharing and open development, enhance overall authorization for use and management, promote interconnection and break "isolated data islands". We encourage public data to be provided to society in the form of products and services such as models and verification services on the premise of protecting personal privacy and ensuring public security and in accordance with the requirements of "original data within domain and data available but not visible". As for the public data that carries no personal information and does not affect public security, we should promote to expand the scope of supply and use according to their purposes. We should also promote the conditional free use of public data used for public governance and public welfare undertakings and explore the conditional free use of public data used for industrial development. The public data that should be kept confidential in accordance with laws and regulations should not be opened, and the original public data that has not been disclosed in accordance with the laws and regulations should be strictly controlled to directly enter the market, so as to protect the public interest in the supply and use of public data. (V) Promoting the establishment of an enterprise data right confirmation and authorization mechanism. As for data collected and processed by various market players in the production and operation activities not involving personal information and public interests, market players have the right to hold and use them and obtain income from them in accordance with laws and regulations, and we should ensure reasonable returns for their input of labor and other factor contribution, as well as strengthen incentives for the supply of data factors. We encourage the exploration of the new model for the authorized use of enterprise data, give play to the leading role of state-owned enterprises, guide industry leading enterprises and Internet platform enterprises to play their driving roles, promote two-way fair authorization with micro, small and medium-sized enterprises, jointly and reasonably use data, and empower micro, small and medium-sized enterprises for the digital transformation. Meanwhile, we support third-party institutions and intermediary service organizations in strengthening data collection and the formulation of quality assessment standards, promote the standardization of data products, and develop industries such as data analysis and data services. Government departments may, in performing their duties, obtain relevant data of enterprises and institutions in accordance with laws and regulations, provided that they must agree on and strictly observe requirements for use restrictions. (VI) Establishing a sound right confirmation and authorization mechanism for personal information data. For the data carrying personal information, we should promote data handlers to collect, hold, host and use data according to the scope of individual authorization in accordance with laws and regulations and regulate the processing of personal information. It is not allowed to excessively collect personal information by adopting "package authorization", compulsory consent and other means, so as to promote the reasonable use of personal information. We should also explore the mechanism under which the trustees represent individual interests to supervise market players' collection, processing and use of personal information data. The special personal information data involving national security may be authorized to relevant entities in accordance with laws and regulations. We should intensify the protection of personal information and promote key industries to establish sound long-term protection mechanisms. We should strengthen the responsibilities of enterprises as subjects and regulate the collection and use of personal information by enterprises. We should also innovate technical means, promote anonymous handling of personal information, and protect information security and personal privacy in the use of personal information data. (VII) Establishing a sound system for protection of the legitimate rights and interests of various participants of data elements. Efforts should be made to fully protect the legitimate rights and interests of the party with data sources, promote data circulation and use models based on informed consent or with statutory causes, and protect the rights and interests of the party with data sources to acquire, copy or transfer the data generated due to its contribution. We should reasonably protect the rights and interests of data handlers in independent control over the data they hold in accordance with laws and regulations. On the premise of protecting public interests, data security and the legitimate rights and interests of the party with data sources, we should recognize and protect the right to process and use data obtained in accordance with legal provisions or contractual agreements, respect the labor and other contribution factors of data handlers in data collection, processing and other aspects, and fully protect data handlers' rights to use data and obtain benefits therefrom. We should also protect the management right of data or data derivatives formed by processing, analysis or otherwise, regulate the rights of data handlers to license others to use data or data derivatives in accordance with laws and regulations, and promote the circulation and reuse of data elements. Meanwhile, we should establish a sound mechanism for the transfer of data-related property rights and interests on the basis of legal provisions or contractual agreements. When a data handler is merged, divided, dissolved or declared bankruptcy, we should promote the synchronous transfer of related rights and obligations in accordance with laws and regulations. ## III. Establishing a Compliant and Efficient Data Element Circulation and Trading System Combining On-Floor and Over-the-Counter Markets We should improve and regulate data circulation rules, establish a trading system that promotes use and circulation as well as combination of on the floor and over-the-counter markets, regulate and guide over-the-counter transactions, and cultivate and expand floor trading; we should also orderly develop cross-border data circulation and trading, and establish a reliable data circulation system with identifiable data sources, definable scope of use, traceable circulation process and preventable security risks. (VIII) Improving the system of whole-process data compliance and regulation rules. It is imperative to establish data circulation access standards and rules, strengthen whole-process compliance governance for data of market players, and ensure legal sources of circulation data, effective privacy protection, and standardized circulation and trading. We should, in light of the data circulation scope, impact degree and potential risks, distinguish use scenarios and usage quantities, establish data classification and hierarchical authorization use specifications, explore the development of a data quality standardization system, accelerate the promotion of data collection and interface standardization, and promote data integration, interconnection and interoperability. Meanwhile, we support data handlers in the circulation of data on the floor and over the counter in accordance with laws and regulations in such manners as opening, sharing, exchange and trading. We encourage the exploration of technologies, standards and plans for safeguarding data circulation security. We also support the exploration of diversified pricing models and price formation mechanisms in line with the characteristics of data elements, and promote paid use of public data used for digital development under the government-guided pricing and independent pricing of enterprise and personal information data in the market. Efforts should be made to strengthen the development and regulation of enterprise data compliance system, severely crack down on black market transactions, and ban industries with illegal data circulation. We should also establish and implement data security management certification system, in a bid to guide enterprises to improve data security management through certification. (IX) Building standardized and efficient data trading venues on an overall basis. It is imperative to strengthen the system design of data trading venues, optimize the planning and layout of data trading venues on an overall basis, and strictly control the number of trading venues. We should introduce administrative measures for data trading venues, establish sound data trading rules, and formulate a unified national system of standards for data trading and security to reduce trading costs. We should also guide the joint development of various types of data trading venues, highlight the compliance supervision and basic service functions of national data trading venues, strengthen their public attributes and positioning for public interests, promote the separation of functions of data trading venues and data dealers, and encourage all kinds of data dealers to trade in data trading venues. Meanwhile, efforts should be made to standardize regional data trading venues and industrial data trading platforms established by various regions and departments, build a multi-level market trading system, and promote the circulation and use of regional and industrial data. We should promote the interconnection between regional data trading venues and industrial data trading platforms and national data trading venues. We should also build intensive and efficient data circulation infrastructure to provide a low-cost, efficient and reliable circulation environment for centralized trading on the floor and over-the-counter decentralized trading. (X) Cultivating the circulation and trading service ecology for data elements. We should, by orienting towards the need to promote the compliant, efficient, safe and orderly circulation and trading of data elements, cultivate a number of data dealers and third-party specialized service agencies. Through data dealers, we should provide both parties to data trading with the development, release and underwriting of data products and the compliance, standardization and value-added services of data assets so as to promote improvements to the efficiency of data trading. In key areas such as intelligent manufacturing, energy conservation and carbon reduction, green construction, new energy and smart city, we should vigorously cultivate industrial and industrialized data dealers close to business needs, and encourage data dealers of different ownerships to develop together and compete on an equal footing. It is imperative to orderly cultivate third-party specialized service agencies engaged in data integration, data brokerage, compliance certification, security audit, data notarization, data insurance, data custody, asset evaluation, dispute arbitration, risk assessment and talent training, and enhance the service capability for the whole process of data circulation and trading. (XI) Establishing a safe, compliant and orderly cross-border circulation mechanism for data. We should carry out international exchange and cooperation in terms of data exchange, business interconnection, mutual recognition of supervision and service sharing, etc., promote the construction of cross-border digital trade infrastructure, and should, on the basis of the Global Initiative on Data Security, actively participate in the formulation of international rules and digital technology standards for data flow, data security, certification and evaluation, digital currency and so on. It is imperative to adhere to open development, and promote cross-border two-way orderly data flow. We encourage domestic and foreign enterprises and organizations to carry out business cooperation on cross-border data flow in accordance with the law, support foreign investment in entering open fields in accordance with the law, and promote the formation of an international market with fair competition. We should also explore safe and standardized cross-border data flow modes for typical application scenarios such as cross-border e-commerce, cross-border payment, supply chain management and service outsourcing. We should coordinate data development and utilization and data security protection and explore the establishment of a mechanism for classified and hierarchical management of cross-border data. Data processing, cross-border data transmission, foreign mergers and acquisitions and other activities that affect or may affect national security shall be subject to national security review in accordance with the laws and regulations. According to the principle of reciprocity, we should implement export control over the data that are controlled items relating to the safeguarding of national security and interests and the fulfillment of international obligations in accordance with the law, ensure that the data are used for legitimate purposes, and prevent the security risk of transmitting data abroad. Moreover, we should explore the establishment of a multi-channel and convenient cross-border data flow regulatory mechanism and improve the cross-border data flow regulatory system with coordination and cooperation among multiple departments. We oppose data hegemony and data protectionism and should effectively cope with the "long-arm jurisdiction" in the data field. ## IV. Establishing the Distribution System for Income from Data Elements that Reflects Efficiency and Promotes Fairness It is imperative to follow the development trends of digital industrialization and industrial digitalization, give full play to the decisive role of the market in resource allocation, and better play the role of the government. We should improve the mechanism for market-oriented allocation of data elements and expand the scope of market-oriented allocation of data elements and the channels for participating in the allocation based on value contribution. We should also improve the redistribution adjustment mechanism for income from data elements, so that all people can better share the fruits of the development of digital economy. (XII) Improving the mechanism in which the contribution of data elements is evaluated by the market and the remuneration is determined based on the contribution. We should, in light of the characteristics of data elements, optimize the distribution structure, and establish a fair, efficient data value distribution mechanism combining incentives and regulation. It is imperative to adhere to the principle of "Two unswervingly" and the principle of "whoever invests and contributes will benefits", focus on protecting the input and output income of all participants of data elements, and safeguard the rights and interests of data resource assets in accordance with the laws and regulations. Efforts should be made to explore the ways for individuals, enterprises and public data to share value and benefits, establish and improve a more reasonable market evaluation mechanism, and promote the matching between labor contribution and labor remuneration. We should promote the reasonable allocation of income from data elements to the creators of data value and use value, ensure that the investment in all stages of data value development and mining has corresponding returns, and strengthen the orientation of incentives based on data value creation and value realization. In addition, we should, by various ways of income sharing such as dividend and commission, balance the distribution of benefits among the relevant entities in different stages such as data content collection, processing, circulation and application. (XIII) Giving better play to the role of government in guiding and regulating the distribution of income from data elements. It is imperative to gradually establish a system or mechanism for distribution of income from data elements that ensures fairness and pay more attention to public interests and relatively disadvantaged groups. We should increase efforts of government guidance and regulation, explore the establishment of a mechanism for reasonably sharing the benefits from the opening of public data resources, and allow and encourage various types of enterprises to provide public services based on public data in accordance with the laws and regulations. We should also promote large data enterprises to actively undertake social responsibility, strengthen the support and assistance for disadvantaged groups, and vigorously and effectively deal with various risks and challenges in the process of digital transformation. Meanwhile, we should continue to improve the systems and rules for the data element market, so as to prevent and regulate, in accordance with laws and regulations, problems such as the disorderly expansion of capital in the data field and the formation of market monopoly. We should also coordinate the use of multi-channel fund resources, carry out data knowledge popularization, education and training, improve the digital literacy of the whole society, strive to eliminate the digital divide between different regions and different groups of people, enhance social equity, guarantee people's livelihood and well-being, and promote common prosperity. ## V. Establishing a Safe, Controllable, Flexible and Inclusive System for the Governance of Data Elements It is imperative to integrate safety throughout the whole process of data governance, establish a governance model with multi-party collaboration among government, enterprise and society, innovate government governance modes, clarify the responsibilities and obligations of all parties, improve the industry self-discipline mechanism, regulate the market development order, and form a data element governance pattern combining an effective market with a promising government. (XIV) Innovating the government data governance mechanism. We should give full play to the role of the government in orderly guidance and standardized development, hold the bottom line of safety, clarify the red line of regulation, and create a safe and reliable, innovative, fair and open, and regulation-effective data element market environment. We should also intensify sub-industry regulation and cross-industry collaborative regulation, establish a joint data management and governance mechanism, and establish a sound fault tolerance and error correction mechanism that encourages and embraces innovation. Meanwhile, we should establish systems of compliance notarization, security review, algorithm review, monitoring and early warning for the whole process of production and circulation of data elements, and guide all parties to perform their responsibilities and obligations for data element circulation security. We should also establish a sound data circulation regulatory system, develop a negative list of data circulation and trading clarifying the data items that cannot be traded or that are strictly restricted for trading. Efforts should be made to strengthen anti-monopoly and anti-unfair competition, enhance enforcement and justice in key fields, strengthen the review of concentration of undertakings in accordance with the laws and regulations, investigate and punish monopoly agreements, abuse of market dominance, and illegal concentration of undertakings in accordance with the laws and regulations, and create a fair, competitive, standardized and orderly market environment. We should, on the basis of implementing the graded protection system for cybersecurity, comprehensively strengthen data security protection work, improve the network and data security protection system, and enhance the capabilities of protection in depth and comprehensive defense. (XV) Specifying the data governance responsibilities of enterprises. It is imperative to adhere to the principle of "easy access and strict management", firmly establish the awareness of responsibility and self-discipline of enterprises. We encourage enterprises to actively participate in the construction of the data element market, and should, by orienting towards data source, data property rights, data quality and data use, etc., promote the statement and commitment system for data circulation trading for data dealers and third-party specialized service agencies. We should also strictly implement relevant laws and regulations and promote enterprises to assume corresponding responsibilities in accordance with laws and regulations in various aspects such as data collection and convergence, processing, circulation trading, sharing and utilization. Enterprises shall strictly comply with the Anti-monopoly Law and other relevant laws and regulations, and shall not use data, algorithms and other advantages and technical means to exclude or restrict competition or implement unfair competition. Moreover, efforts should be made to regulate the security management of government data in enterprises' participation in government informatization construction, and ensure that there are rules to follow, development in an orderly manner, and security and controllability. We should also establish a sound data element registration and disclosure mechanism, enhance the social responsibility of enterprises, break the "data monopoly", and promote fair competition. (XVI) Giving full play to the collaborative governance role with multi-party participation by social forces. We encourage industry associations and other social forces to actively participate in the construction of data element market, support the research and development of security technologies and services relating to data circulation, and promote the safe and reliable circulation of data elements in different scenarios. We should also establish a data element market credit system, and gradually improve mechanisms for the identification of dishonest practice, incentives for honesty, punishments for dishonesty, credit repair and objection handling, etc. in respect of data transactions. Efforts should be made to smooth channels for reporting, complaints and dispute arbitration, and maintain good order of data element market. Moreover, effort should be made to accelerate the implementation of national standards for data management capacity maturity and data element management regulations and promote various departments and industries to improve metadata management, data desensitization, data quality, value evaluation and other standards systems. ## VI. Supporting Measures It is imperative to intensify overall promotion, strengthen task implementation, and innovate policy support. We encourage qualified regions and industries to carry out pilot programs in respect of institutional construction, technical paths, and development models, etc. We also encourage enterprises to innovate their internal data compliance management systems and constantly explore and improve the basic data system. (XVII) Effectively strengthening organization and leadership. Efforts should be made to strengthen the CPC's overall leadership in the work of building a basic data system. Under the centralized and unified leadership of the CPC Central Committee, we should give full play to the role of the Inter-ministerial Joint Conference for the Development of the Digital Economy, strengthen the overall planning of work and promote cross-regional and cross-departmental coordination and linkage to strengthen supervision and guidance. All regions and departments should attach great importance to the development of the basic data system, unify their thinking and understanding, intensify reform efforts, formulate work measures in light of their respective realities, refine the division of tasks, and do a good job in promotion and implementation. (XVIII) Increasing policy support. It is imperative to accelerate the development of the data element market and make data element enterprises bigger and stronger. We should improve financial services, guide venture capital enterprises to increase investment in data element enterprises, encourage credit reporting agencies to provide diversified credit reporting services based on business operation data and other various data elements, and support real economy enterprises, especially micro, small and medium-sized enterprises, in carrying out credit financing in enabling digital transformation. Meanwhile, efforts should be made to explore new models for data assets to be included into balance sheet. (XIX) Actively encouraging experimental exploration. We should, by adhering to the combination of top-level design and grassroots exploration, support Zhejiang and other regions and qualified industries and enterprises to carry out pilot practices, give play to the role of high-level open platforms such as free trade ports and free trade pilot zones, and guide enterprises and scientific research institutions to promote innovation in technology and industrial applications relating to data elements. Meanwhile, we should, by adopting the approach of "result-oriented bidding", support qualified departments and industries in accelerating to make breakthroughs in key technologies such as reliable data circulation and security governance, establish innovative fault tolerance mechanisms, explore and improve policies, standards and institutional mechanisms for data element property rights, pricing, circulation, trading, use, distribution, governance and security, and better play the active role of data elements. (XX) Steadily promoting system development. We should, by orienting towards the establishment of a basic data system, gradually improve policies and standards for key links of major areas such as definition of data property rights, data circulation and trading, distribution of income from data elements, authorized use of public data, development of data trading venues and data governance. We should also strengthen theoretical research and legislative research on, among others, data property right protection, data element market system development, data element price formation mechanism, data element income distribution, cross-border data transmission and dispute resolution, and promote the improvement to the relevant legal systems. Meanwhile, efforts should be made to timely summarize and refine replicable and propagable experience and practices and promote new breakthroughs in the building of the basic data system by using the experience of key points to promote work in all areas. The Inter-ministerial Joint Conference for the Development of the Digital Economy shall regularly evaluate the development of the basic data system, make dynamic adjustments in due time, and promote the continuous enrichment and improvement of the basic data system. --- ## Data Property Rights Registration Work Guide (Trial) - Chinese title: 数据产权登记工作指引(试行) - Hierarchy: rule - Issuing body: National Data Administration (NDA), Comprehensive Department - Adopted: 2026-07-01 - Status: effective - URL: https://datacompliancechina.com/laws/data-property-rights-registration-guide-draft/ - Markdown: https://datacompliancechina.com/laws/data-property-rights-registration-guide-draft.md - Source URL: https://mp.weixin.qq.com/s/cdOi12Q4eIbfLiI0r4szcQ ### Summary NDA's first national framework for the registration of Data Property Rights — the rights to hold, use, and operate data established under the Data 20 Articles policy. Issued by the NDA Comprehensive Department on July 1, 2026 as the Trial Work Guide, it sets out registration institutions, the registration procedure (application, acceptance, review, public announcement, objection handling, evidence preservation, certificate issuance), the ownership-clarity rules that determine who can register which right over which data, the five registration types (initial, transfer, change, renewal, deregistration), and liability for institutions and applicants. Compared with the April 2026 consultation draft, the final text tightens security/public-interest gates, adds a definition of derived data, shifts the national platform terminology to a service system, strengthens provincial management and institution-exit rules, narrows public-data registration from mandatory to conditional/voluntary wording, and moves certificate validity from issuance to evidence-preservation completion. ### Full text **Promulgated by:** National Data Administration (NDA), Comprehensive Department. **Document No.:** Guo Shu Zong Zheng Ce [2026] No. 35 (国数综政策〔2026〕35号). **Issued:** July 1, 2026. **Status:** Trial guide in force / for reference implementation. --- > *DCC translation. Translated from the final Trial Work Guide issued by the NDA Comprehensive Department on July 1, 2026, and cross-checked against the April 2026 public-consultation draft. Translated against [DCC's bilingual glossary](/glossary) for terminology consistency, including the data-property-rights vocabulary established by the Data 20 Articles policy (Right to Hold Data, Right to Use Data, Right to Operate Data).* ## What Changed From the Consultation Draft The final Trial Guide keeps the consultation draft's six-chapter, 42-article architecture, but it is not a pure clean-up. The changes move in four directions: more explicit security gating, stronger supervision of registration institutions, more cautious treatment of public data, and tighter mechanics around evidence preservation and certificate validity. **Article 1 — purpose and legal basis.** The final text adds the goals of reducing data-circulation transaction costs and building an "open, shared and secure" national integrated data market. It also expressly anchors the Guide in the Data 20 Articles policy and adds PIPL and CSL to the legal-basis list. **Article 2 — scope.** The final text adds "except as otherwise provided by laws and regulations" and extends the registrable subject matter from data resources and data products to "data products and services." **Article 3 — definitions.** The final text adds a definition of derived data: data formed through professional processing, modelling, analysis, key-information extraction and similar work that substantially changes content, form or structure and significantly increases value while protecting lawful rights and interests. **Article 4 — registration principles.** The final text adds "security and order" as a principle and expressly prohibits registration activity that violates law, harms national security or the public interest, or infringes others' lawful rights and interests. **Articles 5-6 — administration architecture.** The final text removes the draft's reference to "piloting and improving" registration-institution supervision rules and detailed registration rules. It instead frames the national data administration authority as building and managing the National Data Property Rights Registration Service System. Provincial authorities now have clearer daily-management and cross-regional coordination responsibilities. **Article 7 — registration-institution qualifications.** The final text narrows the eligible entity type to enterprise and public-institution legal persons, adds funding-support requirements for public-institution legal persons, broadens the experience requirement from data-circulation service to data-registration or data-circulation related service, adds a registration-reviewer management system, and changes the professional-team standard from "professional qualifications" to "professional capabilities." **Articles 8-11 — institution selection and operation.** The final text consistently uses the National Data Property Rights Registration Service System rather than the Service Platform. It also adds periodic disclosure of business handling and full-time review-team construction, adds explicit commercial-secret protection, replaces the draft's ban on profit-making data-provision activities with a broader ban on using registration convenience for improper benefit, and adds risk-disposal language to annual evaluation. **Article 12 — institution changes.** The draft required reporting within five working days after specified changes. The final text requires reporting five working days in advance, links the report to changes affecting the qualification and operating requirements in Articles 7 and 10, and adds a rectification-or-exit consequence if the institution no longer satisfies the basic conditions after the change. **Article 13 — institution exit.** The prior-notice period increases from two months to six months. The final text replaces the draft's self-preservation / merger / designated-preservation structure with transfer of all registration materials and related data to another surviving registration institution designated by the provincial authority after NDA approval, while preserving the validity of certificates and making clear that prior liability is not extinguished. **Article 15 — public data.** The final text deletes the draft's broad opening sentence that all market-circulable data may be registered. It also changes public-data products and services formed after authorized operation from "shall, after public-data-resource registration, conduct data-property registration" to "may conduct data-property registration" after completion of public-data-resource registration. Public utilities are narrowed from "public utility enterprises and public institutions" to public utility enterprises. **Article 18 — review consequences.** The final text adds that where the applicant cannot supplement supporting materials and the registration institution cannot verify through lawful channels, registration may be terminated. **Article 20 — source-compliance review.** The final text adds a path for unclear contractual entitlement: the institution may ask the applicant to supplement the agreement or make a reasonable and prudent judgment based on the facts. It also consolidates personal-information and important-data checks into a single item tied to PIPL, DSL and other laws, and changes the derived-data comparison from "substantial and significant difference" to "substantial difference" plus significantly higher value. **Article 21 — rights-clarity review.** For data collected by another person under a civil contract, the final text narrows the condition from the principal having the right to "obtain or copy and transfer" the data to the right to obtain the relevant data. The remaining seven scenarios are structurally unchanged. **Articles 22-23 — refusal and recorded limitations.** The final text broadens refusal from data involving national security or state secrets to registration that may harm national security, public interests or lawful rights and interests. It also broadens source illegality from violation of laws and administrative regulations to violation of laws and regulations, and adds legally required recorded matters to the rights-limitation list. **Articles 24-29 — platform mechanics.** Public announcement, evidence preservation, certificate issuance and post-registration objections now operate through the National Data Property Rights Registration Service System. Article 25 is tightened into one paragraph and no longer separately limits the no-registration decision to discovery during the announcement period. **Articles 26-27 — validity of registration.** The final text moves the five-year validity rule from certificate issuance to evidence preservation: the validity period is generally no more than five years and runs from completion of evidence preservation. Article 27 now focuses on certificate issuance and consistency with preserved system information. **Article 31 — certificate use.** The financing use case is sharpened from "data balance-sheet entry, financing, equity contribution" to "data-asset balance-sheet entry, financing guarantees, and equity contribution by valuation." The business-coordination sentence is also reordered so that fairness and independence remain the threshold condition. **Articles 33-37 — registration types.** Later registration types now are handled "in principle" by the institution that handled the initial registration, adding flexibility. Transfer, change, renewal and deregistration applications refer to the data-property-rights registration certificate rather than only the initial-registration certificate. Renewal is now available from six months before expiry through the day before expiry. Deregistration notice becomes written notice to the original applicant. **Articles 38-41 — liability and transition.** Liability terminology is aligned to the Service System and "laws and regulations." Article 41 adds an express duty to preserve relevant materials when simplifying procedures for pre-existing data registrations. ## Chapter 1 General Provisions **Article 1. Purpose.** This Guide is formulated in order to establish and improve the Data Property Rights system, build a nationally unified Data Property Rights registration system, reduce the cost of data circulation and transactions, cultivate an open, shared and secure national integrated data market, and implement the *Opinions of the CPC Central Committee and the State Council on Building a Fundamental Data System to Better Leverage the Role of Data as a Factor of Production*, in accordance with the Civil Code of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, and other laws and regulations. **Article 2. Scope.** Data Property Rights registration activities and the administration thereof carried out within the territory of the People's Republic of China shall be conducted with reference to this Guide, except as otherwise provided by laws and regulations. This Guide applies to Data Property Rights registration and administration of data in various forms, including data resources, data products and services. **Article 3. Definitions.** For the purposes of this Guide: - **Data Property Rights** refers to the property rights enjoyed by a rights-holder over specific data, including the Right to Hold Data, the Right to Use Data, and the Right to Operate Data. - **Right to Hold Data** refers to the right of a rights-holder to hold lawfully acquired data, by itself or through another holder it entrusts. - **Right to Use Data** refers to the right of a rights-holder to use data through processing, aggregation, analysis, and other methods to optimize production and operations or to form derived data. - **Right to Operate Data** refers to the right of a rights-holder to provide data externally — for consideration or without consideration — through transfer, licensing, capital contribution, or the lawful creation of security interests over the data. - **Data Property Rights registration** refers to the act of a Data Property Rights registration institution reviewing the description, source, and rights content of data in accordance with this Guide, recording information including the attribution of data rights, and issuing a registration certificate. - **Registration institution** refers to a legal person selected and confirmed by the national data administration authority, included in the National Data Property Rights Registration Institution Catalogue, that carries out Data Property Rights registration activities. - **Registration applicant** refers to a natural person, legal person, or non-legal-person organization that applies to a registration institution for Data Property Rights registration. - **Derived data** refers to data formed by a data processor, in respect of data over which it enjoys the Right to Use Data, on the premise of protecting all parties' lawful rights and interests, through the use of professional knowledge for processing, modelling analysis, key-information extraction and similar methods to achieve substantive changes to the content, form, structure and other aspects of the data, thereby significantly increasing the value of the data. **Article 4. Principles.** Data Property Rights registration activities shall follow the principles of equality and voluntariness, standardization and unification, fairness and good faith, convenience and efficiency, and security and order. They shall not violate laws and regulations and shall not harm national security, the public interest, or others' lawful rights and interests. **Article 5. Administration responsibilities.** The national data administration authority is responsible for the administration of national Data Property Rights registration. Specific duties include: establishing and improving the nationally unified Data Property Rights registration system; guiding and supervising national Data Property Rights registration activities; building and administering the National Data Property Rights Registration Service System; and other duties prescribed by laws and regulations. Provincial-level data administration authorities are responsible for the administration of Data Property Rights registration within their administrative regions. Specific duties include: guiding and supervising Data Property Rights registration activities within their administrative regions, conducting day-to-day administration of registration institutions within their administrative regions, coordinating cross-regional administration, and other duties prescribed by laws and regulations. Provincial-level data administration authorities may entrust municipal-level data administration authorities to carry out specific work. **Article 6. Registration service system.** The National Data Property Rights Registration Service System aggregates registration results and provides, nationwide, unified Data Property Rights registration public announcement, registration-result inquiry and verification, and similar services. It supports the administration of registration institutions and related matters. ## Chapter 2 Registration Institutions **Article 7. Basic qualifications.** Registration institutions shall meet the following basic qualifications: (I) Be an enterprise or public-institution legal person established under the law within the territory of the People's Republic of China and in sound operating condition; for enterprise legal persons, the paid-up registered capital shall not be less than CNY 100 million; public-institution legal persons shall have funding support appropriate to the registration business they carry out; (II) Have fixed office premises and infrastructure that meet operational needs; (III) Have at least two years of experience in data registration or data-circulation related services; (IV) Have a sound governance structure, registration-business administration system, registration-reviewer administration system, data security administration system, data-security risk-response plan, and service-withdrawal protection plan; (V) Have a full-time review team whose members have professional capabilities in data, law and related fields and at least three years of work experience; (VI) Have built an information system that supports Data Property Rights registration business, completed Multi-Level Protection Scheme (MLPS) Level 3 or higher filing for that system, and meet the basic conditions to interface with the National Data Property Rights Registration Service System; (VII) Have no record of unfair competition, operational abnormality, or material illegal or non-compliant conduct in the past three years. **Article 8. Selection.** Registration institutions are recommended by provincial-level data administration authorities and confirmed by the national data administration authority through selection. Selected registration institutions are included in the National Data Property Rights Registration Institution Catalogue, publicly disclosed, and connected to the National Data Property Rights Registration Service System. **Article 9. Selection procedure.** Provincial-level data administration authorities shall conduct recommendation in accordance with the following requirements: (I) Organize qualified enterprise and public-institution legal persons to submit applications; (II) Conduct initial review of materials, expert evaluation, and collective decision-making to determine the recommendation list, and submit it to the national data administration authority. Where the national data administration authority confirms an entity as a registration institution through the selection process, the provincial-level data administration authority shall organize the entity to submit registration-institution information on the National Data Property Rights Registration Service System. **Article 10. General requirements for conducting registration business.** A registration institution may practice across regions and carry out registration business nationwide. A registration institution shall conduct registration business in accordance with the following requirements: (I) Conduct Data Property Rights registration in a public, fair, and impartial manner; (II) Properly preserve registration materials, with a retention period of not less than 20 years; (III) Promptly and accurately disclose the Data Property Rights registration process, fee schedule, complaint channels, etc.; regularly disclose information on registration-business handling and full-time review-team construction; and accept social supervision; (IV) Operate and maintain the information system supporting Data Property Rights registration business and properly interface with the National Data Property Rights Registration Service System; (V) Establish an information-reporting system and report Data Property Rights registration matters to the data administration authority in a timely manner as required; (VI) Undertake confidentiality obligations with respect to materials provided by registration applicants and take necessary measures to safeguard data security and protect trade secrets; shall not disclose or unlawfully use such materials; (VII) Shall not engage in activities that affect the fairness or independence of registration, shall not use registration convenience to seek improper benefits, and shall not, as a registration applicant, apply for registration at its own registration institution; (VIII) Shall strive to enhance registration service capacity, reduce registration costs, and provide reasonably priced registration services; shall not coerce bundling with other charged items. **Article 11. Administration of registration institutions.** Provincial-level data administration authorities shall strengthen the administration of registration institutions. They may, based on supervisory needs, guide registration institutions to conduct Data Property Rights registration business in compliance with laws and regulations through means such as supervision-and-direction and regulatory interview. Where a registration institution conducts Data Property Rights registration business in violation of laws and regulations, the data administration authority, in conjunction with relevant departments, shall verify and take effective measures. Suspected criminal leads shall be referred to relevant departments for handling in accordance with the law. The provincial-level data administration authority of the place where a registration institution is domiciled conducts day-to-day administration of the institution and receives and handles public opinions regarding registration activities. Where a registration institution practices outside its domicile and engages in illegal or non-compliant conduct, the provincial-level data administration authority of the place of practice shall coordinate with the institution's domicile provincial-level data administration authority. Where disagreements cannot be resolved through consultation, the national data administration authority shall provide guidance to resolve the issue. The national data administration authority shall formulate annual evaluation standards for registration institutions and conduct examination of evaluation outcomes. Registration institutions shall, by March 31 of each year, report the previous year's Data Property Rights registration business to the provincial-level data administration authority of their domicile, ensuring that the materials reported are true, accurate, and complete. The domicile provincial-level data administration authority shall conduct annual evaluation of registration institutions and submit the evaluation results and related materials to the national data administration authority by April 30 each year. Where potential risks are found through evaluation, effective measures shall be taken to handle them promptly and properly. **Article 12. Changes in registration institution information.** Where a registration institution undergoes any of the following circumstances, it shall report to the provincial-level data administration authority five working days in advance: (I) Change of name, domicile, registered capital, legal representative, or, for an enterprise legal person, controlling shareholder or actual controller; (II) Material matters that affect the conditions or requirements listed in Article 7 or Article 10 of this Guide, or other material matters that may affect the normal conduct of registration business. After the above changes are reviewed and confirmed, the information shall be updated on the National Data Property Rights Registration Service System within five working days. Where, after the change, the registration institution no longer satisfies the basic-qualification requirements, the domicile data administration authority shall promptly guide the registration institution to rectify or withdraw from registration business. **Article 13. Withdrawal of registration institutions.** A registration institution that wishes to withdraw from Data Property Rights registration business shall report to its domicile provincial-level data administration authority at least six months in advance and submit a withdrawal plan. The domicile provincial-level data administration authority shall make a decision on the withdrawal plan within 20 working days of receiving the report and plan. If withdrawal is approved, the relevant information shall be submitted to the national data administration authority within five working days of approval. Upon review and approval by the national data administration authority, the registration institution shall completely transfer all Data Property Rights registration materials and related data preserved by it to another surviving registration institution designated by the provincial-level data administration authority. After a registration institution withdraws, the Data Property Rights registration certificates it issued during its registration business period remain unaffected, and legal liability arising from its registration acts during its practice period is not exempted in accordance with the law. Where fault during the registration institution's practice period causes harm to others, the surviving legal person bears liability for damages. Where the registration-institution legal person has terminated, the matter shall be handled in accordance with relevant laws and regulations. ## Chapter 3 Registration Procedure **Article 14. Registration procedure.** Data Property Rights registration is conducted through the procedures of application, acceptance, review, public announcement, objection handling, information evidence preservation, and certificate issuance. **Article 15. Public data resources.** For data involving public data resources, the following shall apply: - Data collected and produced by Party and government organs in the performance of their statutory duties, and data collected by other enterprises and public institutions on the basis of need to perform statutory duties, shall not be subject to Data Property Rights registration; - After the authorized operation of public data resources, public data products and services formed through development may be subject to Data Property Rights registration after completion of registration on the public data resource registration platform; - Data produced by public utility enterprises in sectors such as water supply, gas supply, heating, electricity, and public transportation in the course of providing public services may be subject to Data Property Rights registration, unless otherwise provided. **Article 16. Registration application.** Registration applicants shall, on a voluntary basis, apply for Data Property Rights registration to a registration institution by themselves or by entrusting others; they shall submit a registration application form and supporting materials regarding data source, Data Property Rights attribution, and other matters. Materials submitted shall be true, accurate, and complete, with no false records, misleading statements, or material omissions. **Article 17. Acceptance.** Upon receipt of Data Property Rights registration application materials, the registration institution shall handle the application as follows and inform the applicant of the acceptance result within three working days: (I) Where application materials are erroneous, incomplete, or non-conforming, the institution shall provide written notice of non-acceptance and inform the applicant in one go of the materials to be supplemented and the time limit for supplementation. If the applicant does not supplement materials on time, the application is deemed not made; (II) Where application materials are complete and conforming, or where all required supplementary materials have been submitted as required, the institution shall accept the application and inform the applicant in writing. A registration institution shall not refuse to accept an application without legitimate reason. The acceptance date is the date on which the institution informs the applicant of acceptance. Where the registration institution fails to provide written notice of non-acceptance as required, the application is deemed accepted. The first working day after the notification time limit expires is the date of acceptance of the registration. **Article 18. Review principles.** After accepting an application, the registration institution shall conduct reasonable and prudent review of the accuracy of the data description, the compliance of the data source, and the clarity of the Data Property Rights. The registration institution may require the applicant to supplement supporting materials and, where necessary, verify with interested parties or other relevant subjects. Where the registration applicant is unable to supplement supporting materials and the registration institution is unable to verify through lawful channels, the registration may be terminated. **Article 19. Accuracy review of data description.** When reviewing the accuracy of the data description, the registration institution shall focus on whether the data name is concise, accurate, and unambiguous. The data name shall, in principle, include time, region, sector, content, and data type. **Article 20. Compliance review of data source.** A registration applicant does not enjoy Data Property Rights over data obtained in violation of laws or regulations. When reviewing the compliance of the data source, the registration institution shall review the following: - For data generated through collection, whether the collection conduct is lawful and compliant; - For data obtained through agreement, whether the relevant agreement stipulates that the applicant enjoys the relevant Data Property Rights; where there is no stipulation or the stipulation is unclear, the registration applicant may be asked to supplement the stipulation, or a reasonable and prudent judgment may be made in light of the actual circumstances; - For public data collected through automated procedures, whether the registered data is public data and whether the applicant's means and methods of data collection are lawful and compliant; - For data created through derivation, first whether the applicant has the Right to Use Data over the original data; second, whether the agreement stipulates the property-rights attribution of derived data — if no clear stipulation exists, whether there is a substantial difference in content, form, structure and other aspects from the original data, and whether the derived data has significantly higher value than the original data; - For data involving personal information, important data or similar data, whether the data was obtained in compliance with the Personal Information Protection Law of the People's Republic of China, the Data Security Law of the People's Republic of China and other laws and regulations. **Article 21. Clarity review of Data Property Rights.** The registration institution shall review the clarity of Data Property Rights in accordance with the following requirements: (I) Data processors may register the Right to Hold, the Right to Use, and the Right to Operate over data collected and generated in their own production and operations, or in jointly participated production and operations, provided that the data was collected without violating laws, regulations, or contractual terms; (II) Where various subjects, based on civil contract, authorize others to collect data that they cause to be produced and have the right to obtain the relevant data, they may register the Right to Hold, the Right to Use, and the Right to Operate over the obtained data; (III) Natural persons may register the Right to Hold, the Right to Use, and the Right to Operate over data they lawfully collect, generate, or obtain; (IV) For public data collected through automated procedures by a data processor that implements the national data classification and grading protection system requirements — and that does so without unlawful intrusion into others' networks, without disrupting normal network service operations, without destroying effective technical measures, and without harming the lawful rights and interests of individuals or organizations — the data processor may register the Right to Hold and the Right to Use. For data products formed therefrom — provided they do not substantively substitute for the products and services of the data-collected party — the data processor may register the Right to Hold, the Right to Use, and the Right to Operate; (V) Where multiple data processors cooperatively advance data integration and development, they shall register the relevant rights in accordance with their contract. Where there is no contractual stipulation on Data Property Rights over integrated data, or where the stipulation is unclear, each participating party may register the Right to Hold and the Right to Use. Subject to obtaining the consent of the other participating parties, the parties may register the Right to Operate; (VI) Where a data processor, on the basis of the Right to Use Data held by it, applies professional knowledge — processing, modeling and analysis, key information extraction, etc. — to effect a substantial change in the content, form, or structure of the data, and thereby significantly enhances the value of the data to form derived data, the data processor may register the Right to Hold, the Right to Use, and the Right to Operate over the derived data, on the premise of protecting the lawful rights and interests of all parties; (VII) Where another party is entrusted to process data, except as otherwise provided by law or stipulated by contract, the entrusted party may not register the Right to Hold, the Right to Use, or the Right to Operate over the original data, process data, or result data of the entrusted processing. The Right to Hold Data, the Right to Use Data, and the Right to Operate Data are mutually independent. The same rights-holder may hold all of them or only one or more of them; over the same data and the same right, different rights-holders may hold rights simultaneously without exclusion. **Article 22. Non-registration.** Where, upon review, any of the following circumstances exists, the registration institution shall not register and shall provide written notice to the applicant: (I) The data registration may endanger national security, the public interest, or the lawful rights and interests of individuals or organizations; (II) The data source violates the provisions of laws and regulations; (III) There is an unresolved data-attribution dispute; (IV) The applicant has concealed actual circumstances or provided false certifications; (V) Other circumstances stipulated by laws and regulations as not eligible for registration. **Article 23. Recording of rights limitations.** Where any of the following circumstances exists, it shall be recorded by way of remark: (I) Where the term, conditions, or other matters of exercise of Data Property Rights are stipulated; (II) Property-preservation measures, including seizure, lawfully implemented by the people's court, people's procuratorate, public security organ, or other authorized organ; (III) Temporary control measures taken by the administrative competent authority for the purpose of safeguarding national security and the public interest; (IV) Matters that laws and regulations require to be recorded; (V) Other matters that the registration institution deems necessary to record. **Article 24. Public announcement.** Where none of the circumstances in Article 22 apply, the registration institution shall publicly announce, on the National Data Property Rights Registration Service System, the applicant's information, data name, data overview, and recorded rights limitations. With legitimate reasons, the applicant may apply to the registration institution for non-publication; the registration institution shall determine the matter in light of the actual circumstances. The public announcement period is five working days, calculated from the date the announcement is published on the National Data Property Rights Registration Service System. **Article 25. Handling of objections during the announcement period.** Where an objection is raised against the announcement content, the objecting party shall provide reasons and related materials. The registration institution shall investigate the objection within 10 working days from receipt of the objection, may require the applicant to provide explanation, and shall promptly issue a handling decision. Where it is found that registration should not occur, the registration institution shall make a decision not to register. **Article 26. Information evidence preservation.** The registration institution shall, in the National Data Property Rights Registration Service System, perform evidence preservation on important matters and registration results during the registration process, including but not limited to the applicant's basic information, basic data situation, rights content, and rights limitations. This shall ensure that registration information cannot be tampered with, that the registration process is traceable, and that registration content can be verified. The applicant may voluntarily provide data watermark, data fingerprint, or similar information for the registration institution to preserve as evidence. The registered matters are deemed registered upon completion of evidence preservation of the registration information. The validity period of Data Property Rights registration is generally no longer than five years, calculated from the date evidence preservation of the registration information is completed. Renewal requires renewal registration. **Article 27. Certificate issuance.** Upon completion of registration, the registration institution shall issue a certificate in accordance with the unified format and coding requirements provided by the National Data Property Rights Registration Service System and shall affix the institution's dedicated registration seal. (A sample certificate and the coding rules appear in Annex 6.) Where the content of the registration certificate is inconsistent with the information preserved in the National Data Property Rights Registration Service System, the latter shall prevail. **Article 28. Time limit for registration.** The registration institution shall complete Data Property Rights registration procedures within 10 working days from acceptance of the application. Where extension is required due to complex data source, large data scale, or other reasons, the period may be appropriately extended, but the extension shall not exceed an additional 10 working days. Registration institutions are encouraged to optimize and innovate registration services to improve efficiency and shorten time limits. Time spent supplementing supporting materials, public announcement, and objection handling is not counted toward the period specified in the preceding paragraph. **Article 29. Handling of objections after registration is complete.** Where an objecting party considers that a Data Property Rights registration involves an attribution dispute or a registration error, the party may raise an objection to the registration institution via the National Data Property Rights Registration Service System. Submission of an objection requires the objection application and preliminary evidence. The registration institution shall review the completeness of the objection materials. If complete, the institution shall provide written notice to the registration applicant within five working days of receiving the materials. If the applicant acknowledges the objection content, the registration institution shall, in accordance with procedures, modify the registration content or deregister. If the applicant does not acknowledge the objection content, the applicant shall submit relevant explanatory materials. The registration institution may require the applicant and the objecting party to cooperate in the investigation and may issue an objection-handling conclusion. If both parties accept the conclusion, the registration institution shall handle the matter accordingly. If either the applicant or the objecting party does not accept the registration institution's handling conclusion, the party may, as agreed, apply to an arbitration institution for arbitration or institute a lawsuit with a people's court. The registration institution shall handle the matter in accordance with the effective legal instrument of the people's court or arbitration institution. Local data administration authorities with conditions to do so are encouraged to provide mediation services. **Article 30. Inquiry of registration materials.** A registration applicant or interested party may, in accordance with the law, inquire about and copy necessary Data Property Rights registration materials. The registration institution shall provide them. Relevant state organs may, in accordance with the provisions of laws and regulations, inquire about and copy Data Property Rights registration materials related to the matters they are investigating or handling. Units and individuals that inquire about or copy Data Property Rights registration materials shall explain the purpose of inquiry and copying to the registration institution. They shall not use the materials obtained for other purposes; without the consent of the rights-holder, they shall not disclose the materials obtained. **Article 31. Use of registration certificates and national mutual recognition.** In the following activities, a Data Property Rights registration certificate may serve as proof of the attribution and content of Data Property Rights: (I) In data circulation transactions, as proof of Data Property Rights; (II) In data-asset balance-sheet entry, financing guarantees, equity contribution by valuation and similar activities, as proof of lawful ownership or control of data; (III) In the resolution of data-related disputes, as evidence of attribution determination; (IV) In support policies such as data-enterprise cultivation and accreditation, as evidence to judge a company's data situation. Registration institutions are encouraged, on the premise that registration fairness and independence are not affected, to strengthen business coordination among Data Property Rights registration, data quality evaluation, value evaluation, etc., and provide full-process services to the market. When data circulation service institutions provide services, they shall accept the registration certificate issued under this Guide. Without legitimate reason, they shall not conduct duplicate review or duplicate charge. ## Chapter 4 Registration Types **Article 32. Types.** Data Property Rights registration includes initial registration, transfer registration, change registration, renewal registration, and deregistration. **Article 33. Initial registration.** Initial registration means the first registration of Data Property Rights over specific data with a registration institution. To apply for initial registration, the applicant shall submit an initial registration application form (see template in Annex 1), supporting materials of the applicant's identity, supporting materials of the lawful acquisition of Data Property Rights, data samples, and data description, among other materials. For the same data, other types of registration can only be conducted after initial registration is completed. Other registration types shall in principle be handled by the registration institution that handled the initial registration. **Article 34. Transfer registration.** Where a transferor has completed initial registration and holds the Right to Hold Data, the Right to Use Data, and the Right to Operate Data, and intends to transfer all or part of the Data Property Rights to a transferee without retaining the transferred portion, the transferor and the transferee shall jointly apply for transfer registration. To apply for transfer registration, the applicant shall submit a transfer registration application form (see template in Annex 2), the transfer contract, and the Data Property Rights registration certificate, among other materials. If the registration institution accepts and approves the transfer registration, it shall adjust the transferor's Data Property Rights registration certificate accordingly. **Article 35. Change registration.** Where matters such as the rights-holder, data source, or rights type do not involve major changes, but the following circumstances arise, the applicant may apply for change registration: (I) Changes in applicant identity information, such as name, legal representative, or address; (II) Errors in or changes to the data description information, data time-span, or similar matters. To apply for change registration, the applicant shall submit a change registration application form (see template in Annex 3), the Data Property Rights registration certificate, and supporting materials for the change content. **Article 36. Renewal registration.** From six months before the expiration of the validity period of the Data Property Rights registration certificate through the day before expiration, the applicant may apply to the registration institution for renewal registration. Where the validity period of the Data Property Rights registration certificate expires and renewal registration is not applied for, the registration certificate automatically becomes invalid. To apply for renewal registration, the applicant shall submit a renewal registration application form (see template in Annex 4) and the Data Property Rights registration certificate. **Article 37. Deregistration.** Under the following circumstances, the registration institution shall deregister registered Data Property Rights: (I) The applicant applies for deregistration; (II) The Data Property Rights of the original rights-holder have been extinguished due to data destruction or similar reasons; (III) Deregistration should be conducted in accordance with the outcome of objection handling; (IV) Other circumstances stipulated by laws and regulations. To apply for deregistration, the applicant shall submit a deregistration application form (see template in Annex 5), the Data Property Rights registration certificate, and other materials required by the registration institution. Where the registration institution finds that the registration certificate should be deregistered, it may deregister on its own initiative and notify the original applicant in writing. ## Chapter 5 Legal Liability **Article 38. Liability of registration institutions.** Registration institutions are liable in accordance with the law for the accuracy of registration results. Where a registration institution or its staff engages in any of the following conduct, with relatively minor circumstances, the provincial-level data administration authority of the institution's domicile shall order rectification within a time limit and suspend the institution from publishing registration information on the National Data Property Rights Registration Service System. Where circumstances are serious or rectification is refused, the institution shall be removed from the National Data Property Rights Registration Institution Catalogue. Where a violation constitutes a crime, criminal liability shall be borne in accordance with the law: (I) Registering an application that does not meet registration requirements or registering erroneously, due to intent or gross negligence; (II) Tampering with, damaging, or forging Data Property Rights registration information and registration certificates; (III) Disclosing Data Property Rights registration materials, registration information, etc., and thereby harming national security, the public interest, or others' lawful rights and interests; (IV) Other illegal or non-compliant conduct. Where the registration institution engages in the above conduct and causes harm to others, it shall bear liability for damages in accordance with the law. After bearing liability, the registration institution may, in accordance with the law, seek recourse against other responsible parties. **Article 39. Liability of registration applicants.** Where a registration applicant engages in any of the following conduct that causes harm to others, the applicant shall bear civil liability for damages in accordance with the law; where a crime is constituted, the applicant shall bear corresponding liability in accordance with the law: (I) Obtaining registration by deception, including concealment of true circumstances and provision of false materials; (II) Intentionally seeking improper benefit through duplicate registration; (III) Harming national security, the public interest, or others' lawful rights and interests; (IV) Other illegal or non-compliant conduct. **Article 40. Liability of data administration authority staff.** Staff of data administration authorities who, in administering Data Property Rights registration activities, abuse power, neglect duty, or engage in malpractice for personal gain shall bear corresponding penalties or administrative sanctions in accordance with the law; where a crime is constituted, criminal liability shall be borne in accordance with the law. ## Chapter 6 Supplementary Provisions **Article 41. Coordination with other registrations.** Before this Guide takes effect, for data registrations of other types that have been completed and where the matters reviewed are consistent with the requirements of this Guide, the registration institution may, in light of specific circumstances, simplify the review procedure and preserve the relevant materials. **Article 42. Meaning of "or more" and "or less".** As used in this Guide, the terms "or more" (以上) and "or less" (以内) include the cited number. ## Annexes The Trial Guide attaches six annexes, summarized here rather than translated verbatim: - **Annex 1 — Initial Registration Application Form.** Fields: applicant identity, contact information, business information; data information (name, overview, sector under GB/T 4754, source, geographic and temporal range, update frequency, data volume, data form, use restrictions); rights configuration. - **Annex 2 — Transfer Registration Application Form.** Fields: data name, original certificate number; transferor and transferee identity, contact, and address; content of rights transferred. - **Annex 3 — Change Registration Application Form.** Fields: data name, certificate number; applicant identity; change matter (before/after content). - **Annex 4 — Renewal Registration Application Form.** Fields: data name, certificate number; applicant identity; renewal matter (renewal period, rights types being renewed). - **Annex 5 — Deregistration Application Form.** Fields: data name, certificate number; applicant identity; reason for deregistration. - **Annex 6 — Data Property Rights Registration Certificate Sample and Coding Rules.** The certificate code is 15 digits, consisting of: fixed identifier (2 digits — "SJ"), region (2 digits — per PRC administrative-division codes), registration institution (1 digit), code-issuance date (6 digits — YYYY-MM), and serial number (4 digits, capped at 9999 per month). Total positions: 15. --- ## GB/T 44297—2024 Data Items of Video and Image Information for Public Security - Chinese title: GB/T 44297—2024 公共安全视频图像信息数据项 - Abbreviation: GB/T 44297—2024 - Hierarchy: standard - Issuing body: Standardization Administration of China (SAC) and State Administration for Market Regulation (SAMR), proposed by Ministry of Public Security (MPS) - Adopted: 2024-08-23 - Effective: 2024-08-23 - Status: effective - URL: https://datacompliancechina.com/laws/gbt-44297-public-security-video-data-items/ - Markdown: https://datacompliancechina.com/laws/gbt-44297-public-security-video-data-items.md ### Summary GB/T 44297—2024 is the national recommended standard that specifies the data items used in public-security video image information systems — the underlying field-level schema that camera systems, video platforms, and analysis tools use to describe and exchange video and image data. It applies to data exchange in networked public-security video applications. The standard catalogs more than twenty top-level data-item groups — covering camera information, system/platform information, equipment status, video clips, images, file objects, persons of interest, vehicles of interest, non-motor vehicles, items, scenes, events, regions, motion targets, subscriptions, feature vectors, organized data libraries, and real-time matching against reference lists — plus a set of normative code tables (Appendix D) used to encode the field values. The standard is technical reference material for system integrators and data engineers operating public-security video systems. Cross-reference to the *Administrative Regulation for Public Security Video Image Information Systems* (State Council Decree No. 799) and the *Facial Recognition Technology Application Measures* (CAC + MPS Decree No. 19), which set the legal duties; this standard tells operators what field-level data to capture and exchange in order to meet those duties. ### Full text This entry is a reference pointer to a recommended national standard, not a translation. GB/T 44297—2024 is a technical specification — its substantive content is a catalogue of data-item attributes (name, identifier, format, code tables) used by public-security video systems for inter-system data exchange. The standard runs to 130 pages and is structured around appendices containing 44 code tables (Appendix D), region-code rules (Appendix C), and full data-item examples (Appendix E). For the regulatory and compliance context that frames this technical standard, see the [Administrative Regulation for Public Security Video Image Information Systems](/laws/public-security-video-image-system-regulations/) and the [Facial Recognition Technology Application Measures](/laws/facial-recognition-technology-application-measures/). > *DCC has not reproduced the standard text. The standard is published by the Standardization Administration of China; it is available through SAC's official channels and through the standards portal at www.sac.gov.cn.* --- ## Measures on the Standard Contract for the Outbound Transfer of Personal Information - Chinese title: 个人信息出境标准合同办法 - Abbreviation: SCC Measures - Hierarchy: rule - Issuing body: Cyberspace Administration of China (CAC) - Adopted: 2023-02-22 - Effective: 2023-06-01 - Status: effective - URL: https://datacompliancechina.com/laws/personal-info-standard-contract-measures/ - Markdown: https://datacompliancechina.com/laws/personal-info-standard-contract-measures.md ### Summary The second of CAC's three cross-border transfer pathways: signing a CAC-prescribed Standard Contract with the overseas recipient and filing it with the provincial CAC. Used by handlers below the Security Assessment thresholds. The Measures establish eligibility criteria, the filing procedure, ongoing obligations after filing, and the CAC's right to invalidate the contract on the recipient side. The Standard Contract template itself is annexed. ### Full text **Promulgated by:** Cyberspace Administration of China (CAC). **Document No.:** Decree No. 13 of the Cyberspace Administration of China. **Adopted at the 11th executive meeting of the CAC in 2023 on February 22, 2023. Effective June 1, 2023.** --- **Article 1.** For the purposes of protecting personal information rights and interests, and regulating outbound transfer of personal information, the Measures on the Standard Contract for Outbound Transfer of Personal Information (the "Measures") are enacted in accordance with the Personal Information Protection Law of the People's Republic of China and other laws and administrative regulations of the People's Republic of China. **Article 2.** Any personal information handler who enters into a standard contract for the outbound transfer of personal information outside the People's Republic of China (the "Standard Contract") with a foreign recipient shall apply the Measures. **Article 3.** When conducting any outbound transfer of personal information by means of concluding the Standard Contract, the personal information handler shall stick to the combination of autonomous contracting with record-filing management, the protection of interests with security risk prevention, and the ensurance of security and free flow of personal information. **Article 4.** Any personal information handler transferring personal information abroad by entering into the Standard Contract shall meet all of the following conditions: (1) it is not a critical information infrastructure operator; (2) it processes the personal information of less than 1 million individuals; (3) it has cumulatively transferred abroad the personal information of less than 100,000 individuals since January 1 of the previous year; and (4) it has cumulatively transferred abroad the sensitive personal information of less than 10,000 individuals since January 1 of the previous year. Where there are other relevant provisions in any laws, administrative regulations or rules of the Cyberspace Administration of China, such provisions shall apply. When using the Standard Contract for outbound transfer of personal information, the personal information handler shall not use methods such as quantity splitting of the personal information that is required by law to undergo the outbound security assessment. **Article 5.** Prior to the outbound transfer of personal information, the personal information handler shall conduct a personal information protection impact assessment, with the focus of the following: (1) the legality, legitimacy and necessity of the purpose, scope and method of the processing personal information by the personal information handler and the foreign recipient; (2) the volume, scope, category, and sensitivity of personal information to be transferred abroad, and the risks to the personal information rights and interests that may be caused by the outbound transfer of personal information; (3) the obligations that the foreign recipient promises to undertake, and whether the management and technical measures and capabilities of the foreign recipient to perform the obligations can ensure the security of the personal information to be transferred abroad; (4) risk of tampering, damage, leakage, loss and abuse after outbound transfer of personal information, and whether the channels for individuals to exercise their personal information rights and interests are accessible and smooth; (5) the impact of policies and regulations for the protection of personal information on the performance of the Standard Contract in the country or region where the foreign recipient is located; and (6) other factors that may affect the security of outbound transfer of personal information. **Article 6.** The Standard Contract shall be concluded in strict accordance with the Annex of the Measures. The Cyberspace Administration of China may adjust the Annex in light of actual circumstances. The personal information handler may agree on other terms with the foreign recipient, provided that such terms do not conflict with the Standard Contract. The outbound transfer of personal information shall not be carried out until the Standard Contract enters into force. 10 **Article 7.** The personal information handler shall, within 10 working days after the Standard Contract enters into effect, apply for filing with the cyberspace administration at the provincial level. The following materials shall be submitted for the record-filing: (1)the Standard Contract; and (2) the personal information protection impact assessment report. The personal information handler shall be responsible for the authenticity of the record-filing materials. **Article 8.** Where any of the following circumstances occurs during the validity period of the Standard Contract, the personal information handler shall conduct personal information protection impact assessment again, supplement or re-sign the Standard Contract, and conduct relevant record-filing formalities: (1) the purpose, scope, category, sensitivity, method and storage location of personal information transferred abroad, or the purpose and method of personal information processing by the foreign recipient has changed, or the retention period of personal information located abroad is extended; (2) the personal information rights and interests will be affected by the changes in the policies and regulations on personal information protection in the country or region where the foreign recipient is located; or (3) other circumstances that may affect the personal information rights and interests. **Article 9.** The cyberspace administration and its personnel shall keep confidential the personal privacy, personal information, trade secrets, confidential business information, etc. that they have accessed in performing their duties in accordance with the law, and shall not disclose them, illegally provide them to others, or illegally use them. **Article 10.** Any organization or individual may report to the cyberspace administration at the provincial level or above if it finds that any personal information handler has engaged in outbound transfer of personal information in violation of the Measures. **Article 11.** Where the cyberspace administration at the provincial level or above finds that there are relatively high risks in the outbound transfer of personal information, or that a personal information security incident has occurred, it may interview the personal information handler in accordance with the law. The personal information handler shall make rectifications and eliminate hidden dangers as required. **Article 12.** Any violation of the Measures shall be punished in accordance with the Personal Information Protection Law of the People's Republic of China, and other laws and regulations; where a crime is constituted, criminal responsibility shall be investigated according to the law. ____________________ ______________________________ __________________________ _____ _________________ ________________________ ______________________________ __________________________ _____ _________________ ____ __ __ _________ “ ” “ ” “ ” “ ” “ ” “ ” “ ” “ ” “ ” “ ” 30 __________________________________________ “ ” (1) (2) (3) (4) “ ” (1) (2) (3) __________________________ _____________ __ __ __ Article 13 The Measures shall enter into force on June 1, 2023. For the outbound transfer of personal information that has already happened before the Measures takes effect, if it is found that any such transfer is not in compliance with the Measures, rectification shall be completed within 6 months upon the effective date of the Measures. Annex: Standard Contract for Outbound Transfer of Personal Information Formulated by the Cyberspace Administration of China In order to ensure that the activity of processing Personal Information by the Foreign Recipient meets the standards of Personal Information protection stipulated by the Relevant Laws and Regulations of the People's Republic of China, and to specify the rights and obligations of the Personal Information Handler and the Foreign Recipient, the Parties hereby enter into this Contract upon negotiation. Personal Information Handler: _______________________________ Address: ___________________________________________________ Contact Information: _________________________ Contact person: __________ Position: __________ Foreign Recipient: __________________________________________ Address: ___________________________________________________ Contact Information: _________________________ Contact person: __________ Position: __________ The Personal Information Handler and the Foreign Recipient will carry out the activities concerning the outbound transfer of Personal Information in accordance with this Contract. The Parties [have entered into] / [agreed to enter into] a commercial contract to further the commercial acts related to such activities, namely [description of commercial contract] on [MM/DD/YY]. The major body of this Contract is drafted in accordance with the requirements of the Measures on the Standard Contract for Outbound Transfer of Personal Information. Other agreements between the parties, if any, may be specified in Appendix II. The Appendix forms an integrated part of this Contract. Article 1Definitions In this Contract, unless the context otherwise requires: 1. "Personal Information Handler" refers to any organization or individual that independently decides the purpose and method of the Personal Information processing activities and transfers Personal Information outside the territory of the People's Republic of China. 2. "Foreign Recipient" refers to an organization or individual outside the territory of the People's Republic of China that receives Personal Information from the Personal Information Handler. 3. Personal Information Handler or Foreign Recipient are referred to individually as a "Party", and collectively as the "Parties". 4. "Personal Information Subject" refers to a natural person identified by or associated with the Personal Information. 5. "Personal Information" refers to all kinds of information related to identified or identifiable natural persons that are electronically or otherwise recorded, excluding information that has been anonymized. 6. "Sensitive Personal Information" refers to the Personal Information that , once leaked or illegally used, is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety, including biometric recognition, religious belief, specific identity, medical health, financial account, personal whereabouts, and the Personal Information of minors under the age of 14. 7. "Regulatory Authority" refers to the Cyberspace Administration of the People's Republic of China at the provincial level or above. 8. "Relevant Laws and Regulations" refer to the laws and regulations of the People's Republic of China, such as the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Civil Code of the People's Republic of China, Civil Procedure Law of the People's Republic of China, and Measures on the Standard Contract for Outbound Transfer of Personal Information. 9. The meanings of other terms not defined in the Contract are in line with those stipulated in the Relevant Laws and Regulations. Article 2Obligations of the Personal Information Handler The Personal Information Handler shall perform the following obligations: 1. Process Personal Information in accordance with the Relevant Laws and Regulations. The Personal Information to be transferred abroad shall be limited to the minimum scope required for the purpose of processing. 2. Inform the Personal Information Subject of matters such as the name and contact information of the Foreign Recipient, the purpose of processing, method of processing, type of Personal Information, retention periods, and the methods and procedures for the Personal Information Subject to exercise his/her rights specified in Appendix I "Description of the Outbound Transfer of Personal Information". Where Sensitive Personal Information is transferred abroad, the Personal Information Subject shall be informed of the necessity of the outbound transfer of Sensitive Personal Information and the impact on the rights and interests of the Personal Information Subject, unless otherwise provided in the laws and administrative regulations that such notification is not require 3. If Personal Information is transferred abroad based on the consent of the individual, the separate consent of the Personal Information Subject shall be obtained. Where the Personal Information involves that of a minor under the age of 14, the separate consent of the minor's parent or any other guardian, shall be obtained. Where written consent is required by laws and administrative regulations, the written consent shall be obtained. 4. Inform the Personal Information Subject that the Personal Information Handler and the Foreign Recipient have agreed that the Personal Information Subject is a third-party beneficiary under this Contract, and if the Personal Information Subject fails to raise an express rejection within thirty days, the Personal Information Subject shall be entitled to act as a third-party beneficiary in accordance with the Contract. 5. Make reasonable efforts to ensure that the Foreign Recipient has taken the following technical and organizational measures to perform its obligations under this Contract (taking into account potential Personal Information security risks that may be caused by the purpose of Personal Information processing, the type, scale, scope and sensitivity of the Personal Information, the scale and frequency of the transfer, the period of the outbound transfer of Personal Information, the period of retention by the Foreign Recipient, and other matters that may lead to a Personal Information security risk): (such as encryption, anonymization, de-identification, access control or other technical and organizational measures) 6. Provide copies of Relevant Laws and Regulations and technical standards to the Foreign Recipient upon request. 7. Reply to inquiries from the Regulatory Authority about the Foreign Recipient's processing activities. 8. Carry out a Personal Information Protection Impact Assessment in accordance with the Relevant Laws and Regulations regarding the proposed transfer of Personal Information to the Foreign Recipient. The assessment shall focus on the following matters: (1) the legality, legitimacy and necessity of the purpose, scope and method of processing Personal Information by the Personal Information Handler and Foreign Recipient; (2) the scale, scope, type, and sensitivity of Personal Information to be transferred overseas, and the risks to Personal Information that may be caused by the outbound transfer of Personal Information; (3) the obligations that the Foreign Recipient promises to undertake, and whether the organizational and technical measures and capabilities to perform the obligations can guarantee the security of the Personal Information to be transferred abroad; (4) risk of Personal Information being tampered with, destroyed, leaked, lost, illegally used, etc. after the outbound transfer, and whether there are channels for individuals to smoothly exercise Personal Information rights and interests etc.; (5) in accordance with Article 4 hereof, to evaluate whether the performance of this Contract will be affected by the local policies and regulations with respect to protection of Personal Information; and (6) other matters that may affect the security of outbound transfer of Personal Information. The Personal Information Protection Impact Assessment Report shall be kept for at least three years. 9. Provide a copy of this Contract to the Personal Information Subject upon the Personal Information Subject 's request. If trade secrets or confidential business information are involved, the relevant contents of the copy of this Contract may be appropriately redacted, provided that such redaction will not affect the understanding of the Personal Information Subject. 10. Assume a burden of proof for the performance of obligations under this Contract. 11. In accordance with Relevant Laws and Regulations, provide the Regulatory Authority with all information as described in Article 3.11, including all compliance audit results. Article 3Obligations of the Foreign Recipient The Foreign Recipient shall perform the following obligations: 1. Process the Personal Information in accordance with Appendix I "Description of the Outbound Transfer of Personal Information". Where the Foreign Recipient processes the Personal Information in a way beyond the purpose and method of the Personal Information processing, and types of the Personal Information as agreed, it shall obtain the separate consent of the Personal Information Subject in advance if the processing of Personal Information is based on the consent of the Personal Information Subject; where the Personal Information of a minor under the age of 14 is involved, the separate consent of the minor's parent,or any other guardian, shall be obtained. 2. Where the Foreign Recipient is contracted by the Personal Information Handler to process Personal Information, the Foreign Recipient shall process the Personal Information in accordance with the agreement with the Personal Information Handler and shall not process the Personal Information in a way beyond the purpose or method of the Personal Information processing. 3. Provide a copy of this Contract to the Personal Information Subject upon the Personal Information Subject's request. If trade secrets or other confidential business information are involved, relevant parts of this Contract may be appropriately redacted, provided that such redaction will not affect the understanding of the Personal Information Subject. 4. Process the Personal Information in a manner that has the least impact on the rights and interests of the Personal Information Subject. 5. The retention period of Personal Information shall be the minimum period necessary for achieving the purpose of processing. Upon expiry of the retention period, the Personal Information (including all back-up copies) shall be deleted. Where the processing of Personal Information is contracted by the Personal Information Handler, and the personal information processing agreement fails to become effective, becomes null and void, or is cancelled or terminated, the Personal Information being processed shall be returned to the Personal Information Handler or deleted, and a written statement shall be provided to the Personal Information Handler. If it is technically difficult to delete the Personal Information, the processing of the Personal Information, other than the storage and any necessary measures taken for security protection, shall be ceased. 6. Ensure the security of Personal Information processing in the following ways: (1) take technical and organizational measures including but not limited to those listed in Article 2.5 of this Contract and carry out regular inspections to ensure the security of Personal Information; and (2) ensure that the personnel authorized to process Personal Information perform their confidentiality obligations and establish access control permissions of minimum authorization. 7. In the event that Personal information is or may be tampered with, destroyed, leaked, lost, illegally used, provided or accessed without authorization, the Foreign Recipient shall: (1) promptly take appropriate measures to mitigate the adverse impact on the Personal Information Subject; (2) immediately notify the Personal Information Handler and report to the Regulatory Authority in accordance with the Relevant Laws and Regulations. The notice shall contain the following contents: i. the type of Personal Information to which the tampering with, destruction, leakage, loss, illegal use, unauthorized provision or access occurs or may occur, the cause of such event or potential event, and the potential harm; ii. remedial measures that have been taken; iii. measures that can be taken by the Personal Information Subject to mitigate harm; and iv. contact information of the person, or team, in charge of handling the situation. (3) where the Relevant Laws and Regulations require the notification of the Personal Information Subject, the content of the notice shall include the foregoing contents in Article 3.7. (2) above; where the processing of Personal Information is contracted by the Personal Information Handler, the Personal Information Handler shall notify the Personal Information Subject; (4) record and retain all the situations thereof relating to the occurrence or potential occurrence of tampering, destruction, leakage, loss, illegal use, unauthorized provision or access, including all remedial measures taken. 8. The Foreign Recipient may provide Personal Information to the third party located outside the territory of the People's Republic of China only, if all of the following requirements are met: (1) there is a necessity from the business perspective; (2) the Personal Information Subject has been informed of such third party's name, contact information, the purpose of processing, method of processing, type of Personal Information, retention periods, and the methods and procedures for the Personal Information Subject to exercise his/her rights. Where Sensitive Personal Information is provided to such third party, the Personal Information Subject should also be informed of the necessity of the outbound transfer of Sensitive Personal Information and the impact on the rights and interests of the Personal Information Subject. However, unless otherwise provided by laws and administrative regulations that such notification is not required; (3) Where the processing of Personal Information is based on the consent of the Personal Information Subject, the separate consent of the Personal Information Subject shall be obtained; where the Personal Information of a minor under the age of 14 is involved, the separate consent of the minor's parent, or any other guardian, shall be obtained. Where written consent is required by laws and administrative regulations, such written consent shall be obtained; (4) enter into a written agreement with the third party to ensure that the processing of Personal Information by the third party meets the standards for protection of Personal Information required by the Relevant Laws and Regulations of the People's Republic of China, and the Foreign Recipient will assume the liability for the infringement of Personal Information Subject's rights due to the provision of Personal Information to the third party located outside the territory of the People's Republic of China; (5) provide a copy of the above agreement to the Personal Information Subject upon the Personal Information Subject's request. If trade secrets or other confidential business information are involved, relevant parts of the agreement may be appropriately redacted provided that such redaction will not affect the understanding of the Personal Information Subject. 9. Where the Foreign Recipient is contracted by the Personal Information Handler to process Personal Information, and the Foreign Recipient intends to sub-contract the processing to a third party, the Foreign Recipient shall obtain the consent of the Personal Information Handler in advance and shall ensure that the sub-contractor will not process Personal Information in a way beyond the purpose and method of the processing as specified in Appendix I "Description of the Outbound Transfer of Personal Information", and shall monitor the Personal Information processing activities of the third party. 10. When making use of Personal Information for automated decision-making, the Foreign Recipient shall ensure the transparency of decision-making and fair and impartial results, and shall not carry out unreasonable or differential treatment of the Personal Information Subject in terms of transaction conditions, such as transaction price. Where automated decision-making is used for pushing information and commercial marketing to the Personal Information Subject, the Foreign Recipient shall also provide the Personal Information Subject with options that are not specific to the individuals' characteristics, or a convenient way for the Personal Information Subject to reject the automated decision-making. 11. Undertake to provide the Personal Information Handler with all necessary information required to comply with the obligations under this Contract, provide the Personal Information Handler access to review the necessary data documents, and files, or conduct a compliance audit of the processing activities under this Contract, and the Foreign Recipient shall facilitate the compliance audit conducted by the Personal Information Handler. 12. Maintain an accurate record of the Personal Information processing activities carried out for at least 3 years and provide the relevant records and documents to the Regulatory Authority directly or through the Personal Information Handler, as required by the Relevant Laws and Regulations. 13. Agree to be subject to supervision by the Regulatory Authority during an enforcement procedure related to supervising the implementation of this Contract, including but not limited to responding to inquiries and inspections by the Regulatory Authority, following the actions taken or decisions made by the Regulatory Authority, and providing written confirmation that necessary measures have been taken etc. Article 4The Impact of Personal Information Protection Policies and Regulations in the Foreign Recipient's Country or Region on the Performance of this Contract 1. The Parties warrant that they have exercised reasonable care when entering into this Contract and are not aware of Personal Information protection polices and regulations in the Foreign Recipient's country or region (including any requirements on providing Personal Information or authorizing public authorities to access Personal Information) that would have an impact on the Foreign Recipient's performance of its obligations under this Contract. 2. The Parties declare that, when making the warranties in Article 4.1, they have conducted the assessment in conjunction with the following circumstances: (1) the specific circumstances of outbound transfer, including the purpose of processing the Personal Information, the types, scale, scope and sensitivity of the Personal Information transferred, the scale and frequency of transfer, the period of the outbound transfer of Personal Information and the retention period of the Foreign Recipient, the previous experience of the Foreign Recipient with respect to outbound transfer and processing of similar Personal Information, whether any Personal Information security incident had occurred to the Foreign Recipient and whether such incident was timely and effectively handled, whether the Foreign Recipient has received any request to provide Personal Information to the public authority of the country or region where it is located and how the Foreign Recipient has responded to such request; (2) the Personal Information protection policies and regulations of the country or region where the Foreign Recipient is located, including the following elements: i. the existing Personal Information protection laws, regulations and generally applicable standards of the country or region; ii. the regional or global organizations of Personal Information protection that the country or region accedes to, and binding international commitments made by the country or region; and iii. the mechanisms for Personal Information protection implemented in the country or region, such as whether there are supervision and enforcement authorities and relevant judicial authorities responsible for protecting Personal Information. (3) the Foreign Recipient's security management system and technical capabilities. 3. The Foreign Recipient warrants that it has used its best efforts to provide the Personal Information Handler with the necessary relevant information for the assessment under Article 4.2. 4. The Parties shall keep a record of any such assessment carried out under Article 4.2 as well as the assessment results. 5. Where the Foreign Recipient is unable to perform this Contract due to any change in the policies and regulations on Personal Information protection of the country or region where the Foreign Recipient is located (including any change of laws or mandatory measures in the country or region where the Foreign Recipient is located), the Foreign Recipient shall notify the Personal Information Handler immediately after being aware of the aforesaid change. 6. If the Foreign Recipient receives a request for provision of Personal Information under this Contract from a governmental authority or judicial authority in the country or region where the Foreign Recipient is located, it shall promptly notify the Personal Information Handler. Article 5Rights of the Personal Information Subject The Parties agree that the Personal Information Subject shall be entitled to the following rights as a third-party beneficiary under this Contract. 1. The Personal Information Subject, in accordance with Relevant Laws and Regulations, has the right to know and to make decisions on the processing of the Personal Information, the right to restrict or refuse processing of the Personal Information Subject's Personal Information by others, the right to request access to, copy, correct, supplement or delete the Personal Information, and the right to request others to explain the rules for the processing of the Personal Information Subject's Personal Information. 2. When the Personal Information Subject requests to exercise the above-mentioned rights regarding their Personal Information that has been transferred abroad, the Personal Information Subject may request the Personal Information Handler to take appropriate measures for the realization of those rights, or directly make the request to the Foreign Recipient. If the Personal Information Handler is unable to realize those rights, it shall notify the Foreign Recipient and request the Foreign Recipient to assist in the realization. 3. The Foreign Recipient shall, as notified by the Personal Information Handler or requested by the Personal Information Subject, realize the rights that the Personal Information Subject is entitled to within a reasonable period and in accordance with the Relevant Laws and Regulations. The Foreign Recipient shall inform the Personal Information Subject about the relevant information which shall be true, accurate and complete, in an obvious way and using clear and understandable language. 4. If the Foreign Recipient intends to refuse the request of the Personal Information Subject, it shall inform the Personal Information Subject the reasons of the refusal, as well as the channels for the Personal Information Subject to raise complaints with the relevant Regulatory Authority and seek judicial remedies. 5. The Personal Information Subject, as a third-party beneficiary to this Contract, has the right to claim against one or both of the Personal Information Handler and the Foreign Recipient in accordance with this Contract and require them to perform the following clauses under this Contract relating to the rights of the Personal Information Subject: (1) Article 2, except for Articles 2.5, 2.6 and 2.7; (2) Article 3, except for Articles 3.7(2) and 3.7(4), 3.9, 3.11, 3.12 and 3.13; (3) Article 4, except for Articles 4.5 and 4.6; (4) Article 5; (5) Article 6; (6) Article 8.2 and 8.3; and (7) Article 9.5. The above agreement shall not affect the rights and interests of the Personal Information Subject in accordance with the Personal Information Protection Law of the People's Republic of China. Article 6Remedies 1. The Foreign Recipient shall identify a contact person who is authorized to respond to enquiries or complaints concerning the processing of Personal Information, and it shall promptly deal with any enquiries or complaints from the Personal Information Subject. The Foreign Recipient shall notify the Personal Information Handler of the contact information and shall inform the Personal Information Subject of the contact information in a manner which is easy to understand, by separate notice or announcement on its website. To be specific: Contact person and contact information (office phone number or email address). 2. If a dispute arises between either Party and the Personal Information Subject with respect to the performance of this Contract, such Party shall notify the other Party and the Parties shall cooperate to resolve the dispute. 3. If the dispute cannot be resolved amicably and the Personal Information Subject exercises the rights as a third-party beneficiary in accordance with Article 5, the Foreign Recipient shall accept that the Personal Information Subject may safeguard his/her rights through either of the following means: (1) lodging a complaint with the Regulatory Authority; and (2) bringing a lawsuit to the court specified in Article 6.5. 4. The Parties agree that when the Personal Information Subject exercises the rights as a third-party beneficiary with respect to a dispute under this Contract, if the Personal Information Subject chooses to apply the Relevant Laws and Regulations of the People's Republic of China, such choice shall prevail. 5. The parties agree that if the Personal Information Subject exercises the rights as a third-party beneficiary with respect to a dispute under this Contract, the Personal Information Subject may file a lawsuit with a competent court in accordance with the Civil Procedure Law of the People's Republic of China. 6. The Parties agrees that the choices made by the Personal Information Subject to safeguard his/her rights will not impair the rights of the Personal Information Subject to seek remedies in accordance with other laws and regulations. Article 7Termination of the Contract 1. If the Foreign Recipient breaches the obligations specified in this Contract or the Foreign Recipient is unable to perform this Contract due to a change in the policies and regulations on Personal Information protection in the Foreign Recipient's country or region (including amendment to the laws or adoption of compulsory measures in the Foreign Recipient's country or region), the Personal Information Handler may suspend the provision of Personal Information to the Foreign Recipient until the breach is corrected or the Contract is terminated. 2. In case of any of the following circumstances, the Personal Information Handler shall be entitled to terminate this Contract and notify the Regulatory Authority where necessary: (1) where the Personal Information Handler has suspended the provision of Personal Information to the Foreign Recipient for more than one month in accordance with Article 7.1; (2) the Foreign Recipient's compliance with this Contract will violate the laws and regulations of its own country or region; (3) the Foreign Recipient seriously or persistently breaches the obligations under this Contract; (4) the Foreign Recipient or the Personal Information Handler have breached this Contract pursuant to a final decision of a competent court or the regulatory body supervising the Foreign Recipient; and The Foreign Recipient may also terminate this Contract in case of sub-paragraph (1), (2) or (4) of above. 3. The Contract may be terminated upon mutual agreement by the Parties, provided that such termination shall not exempt the Parties from the obligations of protecting Personal Information during the processing of the Personal Information. 4. If the Contract is terminated, the Foreign Recipient shall promptly return or delete the Personal Information (including all back-up copies) received hereunder and provide the Personal Information Handler with a written statement. If it is technically difficult to delete the Personal Information, any processing of the Personal Information, other than the storage and taking necessary security protection measures, shall be ceased. Article 8Liability for Breach of the Contract 1. Each Party shall be liable to the other Party for any damage as a result of its breach of this Contract. 2. Each Party shall bear civil liabilities to the Personal Information Subject if its breach of this Contract infringes the rights of the Personal Information Subject, without prejudice to the administrative, criminal or other legal liabilities that shall be assumed by the Personal Information Handler under the Relevant Laws and Regulations. 3. The Parties shall assume joint and several liability in accordance with the law. The Personal Information Subject shall have the right to request each Party or the Parties to assume liability. When the liability assumed by one Party exceeds the liability such Party shall be assumed, it shall have the right to claim against the other Party accordingly. Article 9Miscellaneous 1. If this Contract conflicts with any other legal documents existing between the Parties, the provisions of this Contract shall prevail. -2. The formation, validity, performance and interpretation of this Contract and any dispute between the Parties arising from this Contract shall be governed by the Relevant Laws and Regulations of the People's Republic of China. -3. All notices shall be promptly transmitted or posted by electronic mail, cable, telex, facsimile (confirmation copy sent by airmail), or registered airmail to (specify address _________________________ or such other address as may be substituted for such address by written notice). Receipt of any notice under this Contract shall be deemed to have been received ________ days after its postmark-date in the case of registered airmail and ________ working days after dispatch in the case of e-mail, cable, telex or facsimile transmission. -4. Any dispute arising from this Contract between the Parties, the Personal Information Handler and the Foreign Recipient, as well as a claim by either Party against the other for recovery of compensation already paid to the Personal Information Subject, shall be resolved by the Parties through negotiation; if such negotiation fails, either Party may adopt any of the following methods to resolve the dispute (check the box for the chosen arbitration institution, if arbitration is required):1 □ □ □ □ □ ___________ ____________ 2 __ __ ______________ ____________ ____ __ __ ________________ ____ __ __ GB/T 35273 GB/T 35273 (1) Arbitration. The dispute shall be submitted to: China International Economic and Trade Arbitration Commission China Maritime Arbitration Commission Beijing Arbitration Commission (Beijing International Arbitration Center) Shanghai International Arbitration Center Other arbitration institutions that are members of the Convention on the Recognition and Enforcement of Foreign Arbitral Awards The arbitration shall be conducted in ________ (the place of arbitration) in accordance with its arbitration rules then in force. (2) Litigation. Submit the dispute to a Chinese court with jurisdiction in accordance with the applicable laws. -5. This Contract shall be interpreted in accordance with Relevant Laws and Regulations and shall not be interpreted in a manner inconsistent with the rights and obligations set forth in Relevant Laws and Regulations. -6. This Contract shall be executed in _________ originals, and the Parties, the Personal Information Handler and the Foreign Recipient, shall each hold _________ original(s), with equal legal effect. This contract is signed at (place). This Contract is made and entered into by and between the Personal Information Handler and the Foreign Recipient at _________. Personal Information Handler: ______________________________________ (Seal) Legal Representative/Proxy: ______________________ (Signature or Seal) Date: ______________________ Foreign Recipient: ______________________________________ (Seal) Legal Representative/Proxy: ______________________ (Signature or Seal) Date: ______________________ Appendix I Description of the Outbound Transfer of Personal Information The details of the outbound transfer of Personal Information under this Contract are as follows: -1. Purpose of processing: -2. Method of processing: -3. The scale of Personal Information to be transferred abroad: -4. Type of Personal Information to be transferred abroad (see the types in the Information Security Technologies - Personal Information Security Specifications (GB/T 35273) and relevant standards): -5. Type of Sensitive Personal Information to be transferred abroad (where applicable, see the types in the Information Security Technologies - Personal Information Security Specifications of GB/T 35273 and relevant standards): -6. The Foreign Recipient transfers Personal Information only to the following third parties outside the People's Republic of China (if applicable): -7. Method of transfer: -8. Retention period after the cross-border transfer: From [MM/DD/YY] to [MM/DD/YY] -9. Storage location after the outbound transfer: -10. Other matters (to be filled in as appropriate): Appendix II Other Terms as Agreed by the Parties (If Necessary). Note: this translation work is presented by Shihui Partners, translated by Jing Lu, Jeanette Wang and Raymond Wang and reviewed by Ian Read. ## Annex Standard Contract for Outbound Transfer of Personal Information --- ## Personal Information Protection Law of the People's Republic of China - Chinese title: 中华人民共和国个人信息保护法 - Abbreviation: PIPL - Hierarchy: law - Issuing body: National People's Congress Standing Committee - Adopted: 2021-08-20 - Effective: 2021-11-01 - Status: effective - URL: https://datacompliancechina.com/laws/pipl/ - Markdown: https://datacompliancechina.com/laws/pipl.md ### Summary PIPL is China's comprehensive personal-information protection regime. It is structured around the concept of the personal information handler — a Chinese-law term that should not be flattened to GDPR's data controller. PIPL governs consent, sensitive personal information, cross-border transfer, and the rights of individuals, with extraterritorial reach to handlers outside China that target domestic natural persons. ### Full text **Promulgated by:** Standing Committee of the National People's Congress. **Document No.:** Presidential Decree No. 91. **Adopted at the 30th Session of the Standing Committee of the 13th National People's Congress on August 20, 2021.** **Effective November 1, 2021.** --- ## Chapter 1 General Provisions **Article 1.** This Law is enacted in accordance with the Constitution to protect the rights and interests of personal information, regulate the handling of personal information and promote the reasonable use of personal information. **Article 2.** The personal information of a natural person shall be protected by law, and no organization or individual may infringe upon the personal information rights and interests of natural persons. **Article 3.** This Law shall apply to the handling of the personal information of natural persons within the territory of the People's Republic of China. This Law shall also apply to the handling of the personal information of natural persons within the territory of the People's Republic of China outside the territory of the People's Republic of China under any of the following circumstances: (I) where the purpose is to provide domestic natural persons with products or services; (II) where the activities of domestic natural persons are analyzed and evaluated; and (III) other circumstances as prescribed by laws and administrative regulations. **Article 4.** Personal information refers to all kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information handled anonymously. The handling of personal information includes the collection, storage, use, processing, transmission, provision, disclosure and deletion, etc. of personal information. **Article 5.** The handling of personal information shall follow the principles of lawfulness, legitimacy, necessity and good faith, and it is not allowed to handle personal information by misleading, fraud, coercion or otherwise. **Article 6.** The handling of personal information shall be for a definite and reasonable purpose, be directly related to the purpose of handling and shall be conducted in a way that minimizes the impact on personal rights and interests. The collection of personal information shall be limited to the minimum scope for achieving the purpose of handling and it is not allowed to excessively collect personal information. **Article 7.** The handling of personal information shall follow the principles of openness and transparency, make public the rules for handling personal information and expressly indicate the purpose, method and scope of such handling. **Article 8.** The quality of personal information shall be ensured in the handling of personal information to avoid the adverse impact on personal rights and interests caused by inaccurate or incomplete personal information. **Article 9.** A personal information handler shall be responsible for its handling of personal information and take necessary measures to ensure the security of the personal information handled. **Article 10.** No organization or individual may illegally collect, use, process or transmit the personal information of others, illegally buy or sell, provide or make public the personal information of others, or engage in the handling of personal information that endangers the national security or public interests. **Article 11.** The State establishes a sound personal information protection system, prevents and punishes the infringement upon personal information rights and interests, strengthens the publicity and education on personal information protection, and promotes the formation of a good environment in which the government, enterprises, relevant social organizations and the public jointly participate in personal information protection. **Article 12.** The State actively participates in the development of international rules for personal information protection, promotes the international exchange and cooperation in personal information protection, and promotes the mutual recognition of the rules and standards for personal information protection with other countries, regions and international organizations. ## Chapter 2 Rules for Handling Personal Information ### Section 1 General Provisions **Article 13.** Only under any of the following circumstances may a personal information handler handle personal information: (I) where the consent of the individual concerned is obtained; (II) where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or for the implementation of human resources management in accordance with the labor rules and regulations formulated in accordance with the law and the collective contract concluded in accordance with the law; (III) where it is necessary for the performance of statutory duties or statutory obligations; (IV) where it is necessary for the response to a public health emergency or for the protection of the life, health and property safety of a natural person in an emergency; (V) where such acts as news reporting and supervision by public opinions are carried out for the public interest, and the handling of personal information is within a reasonable scope; (VI) where it is necessary to handle the personal information disclosed by the individual concerned or other personal information that has been legally disclosed within a reasonable scope in accordance with the provisions of this Law; and (VII) other circumstances prescribed by laws and administrative regulations. The handling of personal information shall be subject to the consent of the individual concerned in accordance with other relevant provisions of this Law, however, the consent of the individual concerned is not required under the circumstances set forth in Items (II) to (VII) of the preceding paragraph. **Article 14.** Where the handling of personal information is based on the consent of the individual concerned, such consent shall be given by the individual concerned in a voluntary and explicit manner in the condition of full knowledge. Where laws and administrative regulations provide that the handling of personal information shall be subject to the separate consent or written consent of the individual concerned, such provisions shall prevail. Where the purpose or method of handling personal information or the type of personal information to be handled changes, the consent of the individual concerned shall be obtained again. **Article 15.** Where the handling of personal information is based on the consent of the individual concerned, the individual is entitled to withdraw his/her consent. The personal information handler shall provide a convenient method for the individual to withdraw his/her consent. Withdrawal of consent by the individual concerned does not affect the validity of any personal information handling activity conducted based on the consent of the individual before such withdrawal. **Article 16.** A personal information handler shall not refuse to provide products or services for an individual on the grounds that the individual does not agree to handle his/her personal information or withdraws his/her consent, unless the handling of personal information is necessary for providing products or services. **Article 17.** Prior to the handling of an individual's personal information, the personal information handler shall truthfully, accurately and completely inform the individual of the following matters in a conspicuous manner and in clear and understandable language: (I) the title or name and contact information of the personal information handler; (II) the purpose and method of handling personal information, and the type and retention period of the handled personal information; (III) the method and procedure for the individual to exercise the rights provided for in this Law; and (IV) other matters that shall be informed in accordance with the provisions of laws and administrative regulations. Where any of the matters specified in the preceding paragraph is changed, the individual shall be notified of such change. Where a personal information handler informs individuals of the matters specified in the first Paragraph by formulating rules on handling personal information, such rules shall be open to the public for easy access and storage. **Article 18.** A personal information handler is allowed not to inform the individual concerned of the matters prescribed in Paragraph 1 of the preceding article if there are circumstances in which the personal information should be kept confidential as required by laws or administrative regulations or does not need to be informed. Where it is unable to timely inform the individual concerned in an emergency for the purpose of protecting the life, health and property safety of natural persons, the personal information handler shall timely inform the individual after the elimination of the emergency. **Article 19.** Unless otherwise stipulated by laws and administrative regulations, the retention period of personal information shall be the minimum period necessary for achieving the purpose of handling. **Article 20.** Where two or more personal information handlers jointly determine the purpose and method of handling personal information, their respective rights and obligations shall be agreed upon. However, such agreement shall not affect an individual's request to any of the personal information handlers to exercise the rights stipulated in this law. Where personal information handlers who jointly handle personal information, thus infringing upon personal information rights and interests and causing damage shall bear joint and several liability in accordance with the law. **Article 21.** Where a personal information handler entrusts others with the handling of personal information, it shall agree with the agent on the purpose, time limit and method of entrusted handling, type of personal information and protection measures, as well as the rights and obligations of both parties, and supervise the personal information handling activities of the agent. The agent shall handle personal information as agreed and shall not handle personal information beyond the agreed purpose and method of handling ; where the entrustment contract is not effective, invalid, revoked or terminated, the agent shall return personal information to the personal information handler or delete it, and shall not retain it. Without the consent of the personal information handler, the agent shall not re-entrust others with the handling of personal information. **Article 22.** Where a personal information handler needs to transfer personal information due to merger, division, dissolution or declaration of bankruptcy, etc., it shall inform the individual concerned of the name and contact information of the recipient. The recipient shall continue to fulfill its obligations as a personal information handler. Where the recipient changes the original purpose and method of handling, it shall obtain the consent of the individual concerned anew in accordance with this Law. **Article 23.** Where a personal information handler provides other personal information handlers with the personal information of an individual it handles, it shall inform the individual of the name and contact information of the recipient, purpose and method of handling and type of personal information, and shall obtain the individual's separate consent. The recipient shall handle personal information within the scope of the above purpose and method of handling and type of personal information. It shall obtain the consent of the individual anew in accordance with this Law in case of changes in the original purpose and method of handling. **Article 24.** Where a personal information handler makes use of personal information to make automatic decision, it shall ensure the transparency of the decision-making and the fairness and impartiality of the results, and shall not impose unreasonable discriminatory treatment on individuals in respect of the transaction price and transaction conditions. Information pushing and commercial marketing to an individual through automated decision- making shall be accompanied by options that do not target the individual's personal characteristics, or convenient rejection ways shall be provided to the individual. Where a decision is made through automatic decision-making that has a significant impact on an individual's rights and interests, the individual shall have the right to require the personal information handler to make an explanation and reject the decision made by the personal information handler only through automatic decision- making. **Article 25.** A personal information handler shall not make public the personal information of an individual it handles, except with the individual's separate consent. **Article 26.** The image capturing, and personal identification equipment installed in public places shall be necessary for maintaining public security, comply with the relevant provisions of the State, and conspicuous prompting signs shall be set up. An individual's personal image and personal identification information collected may only be used for the purpose of maintaining public security and shall not be used for any other purpose, except with the individual's separate consent. **Article 27.** A personal information handler may, within a reasonable scope, handle the personal information that is disclosed by the individual concerned himself/herself or other personal information that has been legally publicized, unless the individual expressly refuses such handling. A personal information handler shall obtain the consent of an individual in accordance with the provisions of this Law if the handling of the individual's disclosed personal information has a major impact on the rights and interests of the individual. ### Section 2 Rules for Handling Sensitive Personal Information **Article 28.** Sensitive personal information refers to the personal information that is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used, including such information as biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the personal information of minors under the age of 14. Only for a specific purpose and sufficient necessity, and strict protection measures have been taken, may a personal information handler handle sensitive personal information. **Article 29.** The handling of sensitive personal information of an individual shall be subject to the individual's separate consent; where laws and administrative regulations provide that the handling of sensitive personal information shall be subject to the written consent, such provisions shall prevail. **Article 30.** For the sensitive personal information of an individual, the personal information handler shall, in addition to the matters specified in Paragraph 1 of Article 17 hereof, inform the individual of the necessity of handling his/her sensitive personal information and the impact on his/her personal rights and interests, except for the circumstances that may be exempted from informing the individual of such information in accordance with this Law. **Article 31.** To handle the personal information of a minor under the age of 14, a personal information handler shall obtain the consent of the minor's parents or other guardians. To handle the personal information of minors under the age of 14, a personal information handler shall formulate specialized rules for handling personal information. **Article 32.** Where laws and administrative regulations provide that the handling of sensitive personal information shall be subject to the relevant administrative license or other restrictions, such provisions shall prevail. ### Section 3 Special Provisions on Handling Personal Information by State Organs **Article 33.** This Law shall apply to the activities of a State organ to handle personal information; where there are special provisions in this Section, such provisions shall apply. **Article 34.** A State organ shall handle personal information for the purpose of performing its statutory duties in accordance with the authority and procedures prescribed by laws and administrative regulations and shall not exceed the scope and limit necessary for the performance of its statutory duties. **Article 35.** A State organ handling personal information for the purpose of performing its statutory duties shall perform its obligation of informing in accordance with this Law, except for the circumstances stipulated in Paragraph 1 of Article 18 hereof, or the informing will hinder the State organ from performing its statutory duties. **Article 36.** The personal information handled by a State organ shall be stored within the territory of the People's Republic of China; where it is necessary to provide such information to an overseas party, a security evaluation shall be conducted. Relevant authorities may be required to provide support and assistance for the security evaluation. **Article 37.** Where organizations with functions of administering public affairs as authorized by laws and regulations handle personal information for the purpose of performing their statutory duties, the provisions of this Law on handling personal information by State organs shall apply. ## Chapter 3 Rules for Cross-border Provision of Personal Information **Article 38.** Where a personal information handler really needs to provide personal information outside the territory of the People's Republic of China due to business or other needs, it shall meet any of the following conditions: (I) it shall pass the security evaluation organized by the Cyberspace Administration of China in accordance with the provisions of Article 40 hereof; (II) it shall have been certified by a specialized agency for protection of personal information in accordance with the provisions of the Cyberspace Administration of China; (III) it shall enter into a contract with the overseas recipient under the standard contract formulated by the Cyberspace Administration of China, specifying the rights and obligations of both parties; and (IV) it shall meet other conditions prescribed by laws, administrative regulations or the Cyberspace Administration of China. Where the international treaties or agreements concluded or acceded to by the People's Republic of China contain provisions on the conditions for provision of personal information outside the territory of the People's Republic of China, such provisions may prevail. The personal information handler shall take necessary measures to ensure that the activities of handling personal information by the overseas recipient meet the standards for protection of personal information as prescribed herein. **Article 39.** To provide the personal information of an individual to an overseas recipient outside the territory of the People's Republic of China, the personal information handler shall inform the individual of such matters as the name of the overseas recipient, contact information, purpose and method of handling, type of personal information and the method and procedure for the individual to exercise the rights stipulated herein against the overseas recipient, and shall obtain the individual's separate consent. **Article 40.** Critical information infrastructure operators and personal information handlers whose quantity of handling of personal information reaches that as prescribed by the Cyberspace Administration of China ("CAC") shall store personal information collected and generated within the territory of the People's Republic of China within the territory of the People's Republic of China. Where it is necessary to provide such information and data to an overseas party, such provision shall pass the security evaluation organized by the CAC; where the laws, administrative regulations and the provisions of the CAC stipulate that security evaluation is not required, such stipulation shall prevail. **Article 41.** The competent authorities of the People's Republic of China shall, in accordance with the relevant laws and the international treaties and agreements concluded or acceded to by the People's Republic of China or under the principles of equality and mutual benefit, handle the requests made by foreign judicial or law enforcement authorities for providing the personal information stored within the territory of China. Without the approval of the competent authorities of the People's Republic of China, no personal information handler may provide the personal information stored within the territory of the People's Republic of China to foreign judicial or law enforcement authorities. **Article 42.** Where an overseas organization or individual engages in the personal information handling activities infringing upon the personal information rights and interests of citizens of the People's Republic of China or endangering the national security and public interests of the People's Republic of China, the CAC may include such organization or individual in the list of subjects to whom provision of personal information is restricted or prohibited, announce the same, and take measures such as restricting or prohibiting provision of personal information to such organization or individual. **Article 43.** Where any country or region takes discriminatory prohibitive, restrictive or other similar measures against the People's Republic of China in terms of protection of personal information, the People's Republic of China may take reciprocal measures against such country or region as the case may be. ## Chapter 4 Rights of Individuals in Activities of Handling Personal Information **Article 44.** An individual has the right to know and make decisions on the handling of his/her personal information, and the right to restrict or refuse others to handle his/her personal information, unless otherwise provided for by laws and administrative regulations. **Article 45.** An individual is entitled to consult or copy his/her personal information from a personal information handler, except for the circumstances stipulated in Paragraph 1 of Article 18 and Article 35 hereof. Where an individual requests to consult or copy his/her personal information, the personal information handler shall provide such information in a timely manner. Where an individual requests to transfer his/her personal information to a personal information handler designated by him/her, which meets the conditions stipulated by the CAC, the personal information handler shall provide a way for the transfer. **Article 46.** Where an individual finds that his/her personal information is inaccurate or incomplete, he/she is entitled to request the personal information handler to make corrections or supplements. Where an individual requests for corrections or supplements to his/her personal information, the personal information handler shall make verification and make corrections or supplements to such information in a timely manner. **Article 47.** Under any of the following circumstances, a personal information handler shall take the initiative to delete personal information; if the personal information handler fails to delete such information, the individual concerned is entitled to request the deletion of such information: (I) where the purpose of handling has been achieved, it is impossible to achieve such purpose, or it is no longer necessary to achieve such purpose; (II) where the personal information handler ceases to provide products or services, or the storage period has expired; (III) where the individual withdraws his/her consent; (IV) where the personal information handler handles personal information in violation of laws, administrative regulations or the agreement; or (V) other circumstances stipulated by laws and administrative regulations. Where the storage period as stipulated by laws and administrative regulations does not expire, or the deletion of personal information is difficult to be realized technically, the personal information handler shall stop the handling other than storage and necessary security protection measures. **Article 48.** Individuals are entitled to request a personal information handler to explain its handling rules for personal information. **Article 49.** Where a natural person dies, his/her close relatives may, for the purpose of their own lawful and legitimate interests, exercise such rights as consulting, copying, correcting and deleting the relevant personal information of the deceased as prescribed in this Chapter, unless otherwise arranged by the deceased prior to his/her death. **Article 50.** A personal information handler shall establish a convenient mechanism for accepting and handling applications from individuals to exercise their rights. If an individual's request for exercising his/her rights is rejected, the reasons shall be stated. Where the personal information handler refuses an individual's request for exercising his/her rights, the individual may file a lawsuit with a people's court in accordance with the law. ## Chapter 5 Obligations of Personal Information Handlers **Article 51.** A personal information handler shall, according to the purpose and method of handling personal information, types of personal information, impacts on personal rights and interests and possible security risks, take the following measures to ensure the compliance of personal information handling activities with provisions of laws and administrative regulations and prevent unauthorized access and divulgence, falsification and loss of personal information: (I) formulating internal management systems and operating procedures; (II) implementing category-based management of personal information; (III) taking corresponding technical security measures such as encryption and de-identification; (IV) reasonably determining the authority to handle personal information and conducting security education and training for relevant employees on a regular basis; (V) formulating and organizing the implementation of emergency plans for personal information security incidents; and (VI) other measures stipulated by laws and administrative regulations. **Article 52.** Where the quantity of personal information handled reaches that specified by the CAC, the personal information handler shall designate a person in charge of personal information protection to be responsible for supervising the activities of handling of personal information and the adopted protection measures. The personal information handler shall make public the contact information of the person in charge of personal information protection and submit the name and contact information of the person in charge of personal information protection to the authorities performing duties of personal information protection. **Article 53.** Any personal information handler outside the territory of the People's Republic of China as prescribed in Paragraph 2 of Article 3 hereof shall establish a special agency or designate a representative within the territory of the People's Republic of China to be responsible for handling matters relating to personal information protection, and submit the name and contact information of the relevant agency or the representative to the authorities performing duties of personal information protection. **Article 54.** A personal information handler shall regularly conduct compliance audits on its handling of personal information in accordance with laws and administrative regulations. **Article 55.** Under any of the following circumstances, a personal information handler shall conduct an impact assessment on personal information protection beforehand and keep a record of the handling: (I) handling sensitive personal information; (II) making use of personal information to make automatic decision-making; (III) entrusting others to handle personal information, providing other personal information handlers with personal information and publicizing personal information; (IV) providing personal information to overseas parties; or (V) other personal information handling activities that have significant impact on personal rights and interests. **Article 56.** An impact assessment on personal information protection shall include the following contents: (I) whether the purpose and method of handling personal information are lawful, legitimate, and necessary; (II) impact on personal rights and interests and security risks; and (III) whether the protection measures taken are lawful, effective and commensurate with the degree of risks. The report on personal information protection impact assessment and records of handling shall be kept for at least three years. **Article 57.** Where personal information has been or may be divulged, tampered with or lost, the personal information handler shall immediately take remedial measures and notify the authorities performing duties of personal information protection and the individuals concerned. The notice shall include the following matters: (I) the types, reasons and possible harm of the information that has been involved or may be involved in the divulgence, tampering with or loss of personal information; (II) the remedial measures taken by the personal information handler and the measures that can be taken by the individuals to mitigate harm; and (III) the contact information of the personal information handler. Where the personal information handler has taken measures to effectively avoid harm caused by divulgence, tampering with or loss of information, the personal information handler may opt not to notify the individuals concerned; if the authorities performing duties of personal information protection believe that harm may be caused, they may require the personal information handler to notify the individuals concerned. **Article 58.** Any personal information handler that provides important Internet platform services with a large number of users and complicated business type shall perform the following obligations: (I) establishing a sound compliance system for personal information protection in accordance with the provisions of the State and setting up an independent agency mainly composed of external members to supervise personal information protection; (II) following the principles of openness, fairness and impartiality, formulating platform rules specifying the standards for the handling of personal information by product or service providers on the platform and their obligations to protect personal information; (III) ceasing to provide services to product or service providers on the platform that handle personal information in serious violation of laws and administrative regulations; and (IV) regularly releasing social responsibility reports on personal information protection for social supervision. **Article 59.** The agent that accepts the entrustment of a personal information handler to handle personal information shall, in accordance with the provisions of this Law and relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information handled and assist the personal information handler to perform the obligations stipulated in this Law. ## Chapter 6 Authorities Performing Duties of Personal Information Protection **Article 60.** The CAC is responsible for coordinating the protection of personal information and relevant supervision and administration work. Relevant departments of the State Council are responsible for protecting, supervising and administering the protection of personal information within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations. The duties of relevant departments of local people's governments at or above the county level in protecting, supervising and administering the protection of personal information shall be determined in accordance with relevant provisions of the State. The departments mentioned in the preceding two paragraphs are collectively referred to as the authorities performing duties of personal information protection. **Article 61.** Authorities performing duties of personal information protection shall perform the following duties of personal information protection: (I) carrying out publicity and education on personal information protection, and guiding and supervising personal information handlers to protect personal information; (II) accepting and handling complaints and reports related to personal information protection; (III) organizing the evaluation of applications and other organizations on the protection of personal information, and disclosing the evaluation results; (IV) investigating and handling illegal personal information handling activities; and (V) other duties stipulated by laws and administrative regulations. **Article 62.** The CAC shall make overall planning and coordinate relevant authorities to promote the following work of personal information protection in accordance with this Law: (I) formulating specific rules and standards for personal information protection; (II) formulating specialized rules and standards for personal information protection for small personal information handlers, handling sensitive personal information and new technologies and applications such as face recognition and artificial intelligence; (III) supporting the research, development and popularization of secure and convenient electronic identity authentication technologies, and promoting the development of public services for network identity authentication; (IV) promoting the development of a socialized service system for personal information protection, and supporting relevant organizations in carrying out evaluation and authentication services on personal information protection; and (V) improving the mechanism for complaints and whistleblowing reports on personal information protection. **Article 63.** Authorities performing duties of personal information protection may take the following measures when performing such duties: (I) inquiring the parties concerned and investigating the circumstances relating to personal information handling activities; (II) consulting and copying contracts, records, account books and other relevant materials relating to personal information handling ; activities of the parties concerned; (III) carrying out on-site inspection and investigation of personal information handling activities suspected of violating laws; and (IV) checking the equipment and articles relating to personal information handling activities; and the equipment and articles that are proved to be used for illegal personal information handling activities may be seized or detained upon written reports to and approval by the person chiefly in charge of the authority concerned. The parties concerned shall provide assistance and cooperation in ; the performance of duties of personal information protection by the authorities concerned in accordance with the law and shall not refuse or obstruct such performance. **Article 64.** Where authorities performing duties of personal information protection find in their performance of such duties that there are high risks in personal information handling activities or personal information security incidents have occurred, they may, according to prescribed authority and procedures, have an interview with the legal representative or person chiefly in charge of the personal information handler concerned, or require such handler to entrust a specialized agency to conduct a compliance audit on its personal information handling activities. The personal information handler shall take measures to make rectification and eliminate hidden dangers as required. Where authorities performing duties of personal information protection find in their performance of such duties that illegal handling of personal information is suspected of constituting crimes, they shall timely refer the case to the public security authorities for handling in accordance with the law. **Article 65.** Any organization or individual shall have the right to complain or report illegal personal information handling activities to the authorities performing duties of personal information protection. The said authorities receiving such complaints or reports shall timely handle them in accordance with the law and notify the complainants or reporters of the handling results. Authorities performing duties of personal information protection shall make public the contact information for accepting complaints or reports. ## Chapter 7 Legal Liability **Article 66.** In the event that personal information is handled in violation of the provisions of this Law, or that personal information is handled without performing the obligation of protecting personal information as stipulated in this Law, the authorities performing duties of personal information protection shall order the party concerned to make corrections, give a warning to it and confiscate its illegal gains. Any application that illegally handles personal information shall be ordered to suspend or terminate the provision of services; if it refuses to make corrections, a fine of not more than 1 million yuan shall be imposed on it concurrently; and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the person directly in charge and other directly liable persons. For any illegal act specified in the preceding paragraph with serious circumstances, the authorities performing duties of personal information protection at or above the provincial level shall order the party concerned to make corrections, confiscate its illegal gains, and impose a fine of not more than 50 million yuan or not more than 5% of its turnover of the previous year on it, and may also order it to suspend relevant business or suspend business for rectification, and inform the relevant competent authorities to revoke the relevant business permit or business license; a fine of not less than 100,000 yuan but not more than 1 million yuan shall be imposed on the person directly in charge and other directly liable persons, and a decision may be made to prohibit the said persons from acting as directors, supervisors, senior executives and persons-in-charge of personal information protection of relevant enterprises within a certain period of time. **Article 67.** Any illegal act specified in this Law shall be recorded in the credit archives in accordance with the provisions of relevant laws and administrative regulations and shall be disclosed to the public. **Article 68.** Where a State organ fails to perform its obligation of protecting personal information as stipulated in this Law, its superior organ or the authorities performing duties of personal information protection shall order it to make corrections; and impose sanctions on the person directly in charge and other directly liable persons in accordance with the law. Where any staff member of the authorities performing duties of personal information protection neglects his/her duty, abuses his/her power, plays favoritism and commits irregularities, which does not constitute a crime, sanctions shall be imposed on him/her in accordance with the law. **Article 69.** Where the handling of personal information infringes upon personal information rights and interests and causes damage, the personal information handler concerned shall bear liability for damages and other tort liabilities if it cannot prove that it is not at fault. The liability for damages specified in the preceding paragraph shall be determined based on the losses thus suffered by the individual concerned or the benefits thus obtained by the personal information handler; if the losses thus suffered by the individual concerned or the benefits thus obtained by the personal information handler are difficult to be determined, the amount of damages shall be determined in accordance with the actual circumstances. **Article 70.** Where any personal information handler handles personal information in violation of this Law, which infringes upon the rights and interests of a large number of individuals, the People's Procuratorate, the consumer organizations specified by law and the organizations determined by the CAC may bring a lawsuit to a people's court in accordance with the law. **Article 71.** Where any violation of the provisions hereof constitutes a violation of public security administration, a public security administrative punishment shall be imposed in accordance with the law; and if a crime is constituted, criminal liability shall be investigated in accordance with the law. ## Chapter 8 Supplementary Provisions **Article 72.** This Law shall not apply to the handling of personal information by a natural person for his or her personal or family affairs. Where there are legal provisions on the handling of personal information in the statistical and archive administration organized and implemented by the people's governments at all levels and the relevant departments thereof, such provisions shall apply. **Article 73.** For the purposes of this Law, the following terms shall have the following meanings: (I) "Personal information handler " refers to an organization or individual that independently determines the handling purpose and method in the handling of personal information. (II) "Automatic decision-making" refers to the activities of automatically analyzing and evaluating an individual's behavior habits, hobbies or economic, health or credit status through computer programs and making decisions. (III) "De-identification" refers to the process in which personal information is handled so that it is impossible to identify certain natural persons without the aid of additional information. (IV) "Anonymization" refers to the process in which personal information is handled so that it is impossible to identify certain natural persons and that it cannot be recovered. **Article 74.** This Law shall come into force as of November 1, 2021 2021. --- ## Provisions of the Supreme People's Court on Several Issues Concerning the Application of Law in the Trial of Civil Cases Involving the Use of Facial Recognition Technology to Process Personal Information - Chinese title: 最高人民法院关于审理使用人脸识别技术处理个人信息相关民事案件适用法律若干问题的规定 - Abbreviation: FRT Judicial Interpretation - Hierarchy: judicial - Issuing body: Supreme People's Court - Adopted: 2021-06-08 - Effective: 2021-08-01 - Status: effective - URL: https://datacompliancechina.com/laws/facial-recognition-judicial-interpretation/ - Markdown: https://datacompliancechina.com/laws/facial-recognition-judicial-interpretation.md ### Summary The Supreme People's Court's interpretation of how civil courts should apply law in cases involving facial recognition. Defines what counts as 'processing facial information', enumerates conduct that infringes personality rights, addresses consent validity (mandatory consent through a service agreement is not valid), and sets out remedies and burden-of-proof allocation. Issued before PIPL took effect but designed to interoperate with PIPL's sensitive-personal-information regime. ### Full text **Promulgated by:** Supreme People's Court. **Document No.:** Fa Shi [2021] No. 15. **Adopted at the 1841st Meeting of the Judicial Committee of the Supreme People's Court on June 8, 2021. Effective August 1, 2021.** --- **Article 1.** These Provisions shall apply to civil cases arising from the use of facial recognition technologies by information processors to process facial information or process facial information generated on the basis of facial recognition technologies in violation of laws, administrative regulations or the agreement between both parties. The processing of facial information includes the collection, storage, use, processing, transmission, provision and disclosure of facial information. For the purpose of these Provisions, facial information is the "biometric information" as specified in Article 1034 of the Civil Code. **Article 2.** Where an information processor falls under any of the following circumstances in the processing of facial information, the People's Court shall determine that it is an infringement upon the personality rights and interests of a natural person: (I) using facial recognition technologies to verify, recognize or analyze faces in such business places or public places as hotels, shopping malls, banks, stations, airports, stadiums and gymnasiums or entertainment venues in violation of laws and administrative regulations; (II) failing to disclose the rules for the processing of facial information or to clearly indicate the processing purpose, method and scope; (III) where the processing of facial information is subject to an individual's consent, the sole consent of the natural person or his/her guardian is not obtained, or the written consent of the natural person or his/her guardian is not obtained in accordance with laws and administrative regulations; (IV) violating the purpose, method and scope of the processing of facial information as expressly indicated by the information processor or agreed between both parties; (V) failing to take due technical measures or other necessary measures to ensure the security of facial information it collects and stores, which results in the disclosure, falsification or loss of facial information; (VI) providing facial information to others in violation of the provisions of laws and administrative regulations or the agreement between both parties; (VII) processing facial information in violation of public order and good customs; and (VIII) other circumstances under which facial information is processed in violation of the principles of legality, legitimacy and necessity. **Article 3.** When determining that an information processor shall bear civil liability for its infringement upon the personality rights and interests of a natural person, the People's Court shall apply Article 998 of the Civil Code and, in light of the specific circumstances of the case, comprehensively consider whether the victim is a minor, the notification of consent, the necessity for information processing and other factors. **Article 4.** Under any of the following circumstances, if the information processor defends itself on the ground that it has obtained the consent of the natural person or his/her guardian, the People's Court shall not support such defense: (I) where the information processor requires the natural person to agree to process his/her facial information before providing a product or service, unless the processing of such facial information is necessary for providing the product or service; (II) where the information processor requires the natural person to agree to process his/her facial information by bundling such consent with any other authorization; or (III) other circumstances under which the information processor forces or forces in a disguised manner a natural person to agree to process his/her facial information. **Article 5.** Under any of the following circumstances, if the information processor claims that it shall not bear any civil liability, the People's Court shall support such claim according to law: (I) where the processing of facial information is necessary for responding to a public health emergency or for protecting the life, health and property safety of a natural person; (II) where the facial recognition technology is used in public places in accordance with the relevant provisions of the State for the purpose of maintaining public security; (III) where the facial information is processed within a reasonable scope to carry out such activities as news reporting and supervision by public opinions for the public interest; (IV) where the facial information is reasonably processed within the scope agreed by the natural person or his/her guardian; or (V) other circumstances as prescribed by laws and administrative regulations. **Article 6.** Where a party concerned requests the information processor to bear civil liability, the People's Court shall determine the burden of proof of both parties in accordance with Article 64 of the Civil Procedure Law, Articles 90 and 91 of the Interpretation of the Supreme People's Court on the Application of the Civil Procedure Law of the People's Republic of China, and the Several Provisions of the Supreme People's Court on Evidence in Civil Procedures. Where the information processor claims that its conduct falls under the circumstances as prescribed in Paragraph 1 of Article 1035 of the Civil Code, it shall bear the burden of proof for the facts on which such conduct is based. Where the information processor claims that it shall not bear civil liability, it shall bear the burden of proof to the extent that its conduct falls under the circumstances as prescribed in Article 5 hereof. **Article 7.** Where several information processors, when processing facial information, infringe upon the personality rights and interests of a natural person, and the natural person claims that the multiple information processors shall bear tort liability based on the degree of fault and the extent of damage caused, the People's Court shall uphold such claim; where the corresponding circumstances as prescribed in Article 1168, Paragraph 1 of Article 1169, Article 1170 and Article 1171 of the Civil Code are met, and the natural person claims that the multiple information processors shall bear joint and several liability, the People's Court shall uphold such claim. Where an information processor, when processing facial information by using network services, infringes upon the personality rights and interests of a natural person, Articles 1195, 1196 and 1197 of the Civil Code and other provisions shall apply. **Article 8.** Where an information processor, when processing facial information, infringes upon the personality rights and interests of a natural person, and the natural person claims compensation for property damage in accordance with Article 1182 of the Civil Code, the People's Court shall uphold such claim according to law. The reasonable expenses paid by the natural person in order to stop the infringement may be determined as property losses as prescribed in Article 1182 of the Civil Code. Reasonable expenses include reasonable expenses incurred to the natural person or his/her agent for investigation and collection of evidence on the infringement. The People's Court may, at the request of the party concerned and in light of the specific circumstances of the case, include the reasonable attorney's fees into the scope of compensation. **Article 9.** Where a natural person has evidence to prove that an information processor is committing or will commit any act infringing upon his/her right to privacy or other rights and interests of personality by using a facial recognition technology, and that his/her legitimate rights and interests will be damaged irreparably if such act is not stopped in time, and he/she applies to a People's Court for taking measures to order the information processor to stop the relevant act, the People's Court may, as the case may be, issue an injunction against the infringement upon the personality right in accordance with the law. **Article 10.** Where a property service enterprise or any other building manager uses facial recognition as the only means of authentication for owners or property users to enter or leave the property service area, and an owner or property user who disagrees on such means requests it to provide other reasonable means of authentication, the People's Court shall uphold such request according to law. For a property service enterprise or any other building manager falls under any of the circumstances specified in Article 2 hereof, if a party concerned claims that the property service enterprise or the building manager shall bear tort liability, the People's Court shall uphold such claim according to law. **Article 11.** In the event that an information processor adopts standard terms to enter into a contract with a natural person, requiring the natural person to grant it such rights as unlimited, irrevocable or sub-authorizable authorization to process facial information, if the natural person claims to confirm the invalidity of the standard terms in accordance with Article 497 of the Civil Code, the People's Court shall uphold such claim according to law. **Article 12.** Where an information processor, in violation of the agreement, processes facial information of a natural person and the natural person claims that the information processor shall bear the liability for breach of contract, the People's Court shall uphold such claim according to law. If the natural person filing the said claim requests the information processor to delete facial information, the People's Court shall uphold such request according to law; where the information processor defends itself on the ground that both parties fail to make an agreement on the deletion of facial information, the People's Court shall not uphold such defense. **Article 13.** Where disputes arise in relation to the processing of facial information by the same information processor, which infringes upon the personality rights and interests of natural persons, and multiple victims sue separately in the same People's Court, the People's Court may, with the consent of the parties, consolidate the trials of the cases. **Article 14.** Where the processing of facial information by an information processor complies with the relevant provisions of Article 55 of the Civil Procedure Law, Article 47 of the Law on the Protection of Consumers' Rights and Interests or other laws on civil public interest lawsuits, and the authorities and relevant organizations specified by the law institute civil public interest lawsuits, the People's Court shall accept such case. **Article 15.** These Provisions shall apply to the circumstance where, after the death of a natural person, the information processor processes his/her facial information in violation of the provisions of laws or administrative regulations or the agreement between both parties, and the close relative of the deceased requests the information processor to bear civil liability in accordance with Article 994 of the Civil Code. **Article 16.** These Provisions shall come into force as of August 1, 2021. These Provisions shall not apply to the circumstance where an information processor's use of facial recognition technologies to process facial information or processes facial information generated by facial recognition technologies has occurred prior to the effectiveness of these Provisions. --- ## Background and official commentary (SPC drafting team) *This section summarizes the Supreme People's Court drafting team's article "Understanding and Application of the Provisions on Several Issues Concerning the Application of Law in the Trial of Civil Cases Involving the Use of Facial Recognition Technology to Process Personal Information" (authors: Guo Feng, Chen Longye, Jia Yuhui, Zhang Yin; Supreme People's Court; August 20, 2021). It is an authoritative drafters' commentary, not part of the binding text. Summarized by DCC for reference.* ### Why the interpretation was issued The drafting team explains that as facial recognition spread into everyday life — from smart-city projects to phone unlocking — abuse of the technology became a prominent personal-information problem: stores using "contactless" recognition to collect customers' faces without consent and profile their gender, age and mood; property-management companies making face scanning the only way to enter a residential compound; and apps and platforms compelling users to hand over face data, with face information even sold openly online and used to break facial-verification systems for fraud. Because facial information is biometric information — the most socially exposed and easily collected of the biometric categories, and unique and unalterable — its leakage can gravely endanger personal and even public safety. Drafted before PIPL took effect, the interpretation rests on the Civil Code, the Cybersecurity Law, the Consumer Protection Law, the E-Commerce Law and the Civil Procedure Law, and was coordinated throughout with the NPC Standing Committee Legislative Affairs Commission and the CAC. ### The four drafting principles 1. **People-centered** — respond to the public's pressing concern about the misuse of facial recognition and strengthen protection of personality rights and interests through unified adjudication rules. 2. **Problem-oriented** — the interpretation restricts the *abuse*, not the *use*, of facial recognition, targeting the principal abuse scenarios (unauthorized remote/contactless recognition in business and public premises, compulsory face scanning by property management, and apps that force users to surrender face data). 3. **Strict fidelity to existing law** — drafted before PIPL, it makes full use of the Civil Code and reserves an interface to future legislation by using formulations such as "in violation of laws and administrative regulations," neither overstepping nor leaving gaps. 4. **Strengthened protection with balanced interests** — it foregrounds protection of facial-information and personality interests (defining infringing conduct, liability, burden of proof and the scope of property loss) while balancing values through refined exemptions, a "dynamic-system" approach, and non-retroactivity, so as to reconcile individual and public interests and the punishment of infringement with the healthy development of the digital economy. ### Key clarifications - **Scope (Article 1).** The interpretation covers civil cases where an information processor, in violation of laws, administrative regulations or the parties' agreement, uses facial recognition to process facial information *or* processes facial information generated by facial recognition (capturing back-end processors that did not themselves run the recognition). It applies only between equal civil subjects — not to administrative cases arising from state organs' performance of statutory duties — and is not limited to a single type of right or liability (it reaches tort and contract liability, and personal-information, portrait, privacy, reputation and property interests). Article 15 extends it to a deceased person's close relatives under Civil Code Article 994. - **Definition of "facial information."** The drafters adopt "facial information" as a species of the "biometric information" in Civil Code Article 1034 and the "sensitive personal information" of the (then-draft) PIPL, informed by GB/T 35273-2020 and comparative regimes such as the GDPR. It covers both the facial-feature data generated by the algorithm and the original facial images captured. - **Typical infringing conduct (Article 2).** Using remote, contactless facial recognition to collect faces without consent in business and public venues (hotels, malls, banks, stations, airports, stadiums, entertainment venues) is the paradigm abuse. The commentary distinguishes three modes — *verification* (1:1 matching to confirm a claimed identity), *identification* (1:N matching to single out a person), and *analysis* (predicting age, health, emotion, attention, etc., which can enable discrimination and harm dignity) — and explains that, absent a contrary legal provision, all three require the *separate* consent of the individual or guardian. - **Public-interest exemption (Article 5).** This is read together with Article 2: under Civil Code Article 1036, an information processor bears no liability for conduct reasonably carried out to protect the public interest or an individual's lawful rights and interests; Article 5 refines this to cover the use of facial recognition in public venues "for the maintenance of public security in accordance with relevant State provisions," consistent with the legislative spirit of (draft) PIPL Article 27. --- ## Provisions on Promoting and Regulating Cross-border Data Flows - Chinese title: 促进和规范数据跨境流动规定 - Hierarchy: rule - Issuing body: Cyberspace Administration of China (CAC) - Adopted: 2023-11-28 - Effective: 2024-03-22 - Status: effective - URL: https://datacompliancechina.com/laws/cross-border-data-flows-provisions/ - Markdown: https://datacompliancechina.com/laws/cross-border-data-flows-provisions.md ### Summary The 2024 Cross-border Data Flow Provisions are CAC's relaxation package on outbound data transfer. They introduce thresholds and exemptions for the security assessment, standard contract, and certification pathways, plus a free trade zone (FTZ) negative-list mechanism. For overseas counsel, this is the regulation that practically determines whether a routine cross-border transfer needs to clear formal CAC review or not. ### Full text **Promulgated by:** Cyberspace Administration of China (CAC). **Document No.:** Decree No. 16 of the Cyberspace Administration of China. **Adopted at the 26th executive meeting in 2023 of the CAC on November 28, 2023.** **Promulgated and effective March 22, 2024.** Zhuang Rongwen, Minister of CAC. --- **Article 1.** In order to protect data security, protect personal information rights and interests, and promote the orderly and free flow of data in accordance with the law, these Provisions are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, and other relevant laws and regulations for the implementation of systems for provision of data abroad, such as security assessment for data to be provided abroad, the standard contract for provision of personal information abroad and personal information protection authentication. **Article 2.** Data handlers shall identify and declare important data in accordance with relevant provisions. If the data have not been informed or publicly announced as important data by relevant departments or regions, data handlers are not required to declare security assessment for cross-border provision of the data as important data. **Article 3.** To provide the data collected and generated in such activities as international trade, cross-border transport, academic cooperation, transnational manufacturing and marketing, which do not contain personal information or important data, to overseas parties, it is exempted from declaring security assessment for data to be provided abroad, concluding a standard contract for personal information to be provided abroad or passing authentication for protection of personal information. **Article 4.** Where a data handler provides personal information collected and generated abroad to overseas parties after being provided to China for processing, and no domestic personal information or important data is introduced in the process of processing, the data handler is exempted from declaring security assessment for data to be provided abroad, concluding a standard contract for personal information to be provided abroad or passing authentication for protection of personal information. **Article 5.** A data handler providing personal information abroad may be exempted from declaring security assessment for data to be provided abroad, concluding a standard contract for personal information to be provided abroad or passing authentication for protection of personal information if it satisfies any of the following conditions: 1. Where it is really necessary to provide personal information abroad for the purpose of concluding or performing a contract to which an individual concerned is a party, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel reservation, visa handling and examination services; 2. Where it is really necessary to provide employees' personal information abroad for the purpose of conducting cross-border human resources management in accordance with the employment rules and regulations formulated in accordance with the law and collective contracts concluded in accordance with the law; 3. Where it is really necessary to provide personal information abroad in an emergency to protect the life, health and property safety of a natural person; or 4. Where a data handler other than a critical information infrastructure operator provides abroad the personal information (excluding sensitive personal information) of not more than 100,000 persons accumulatively as of January 1 of the current year. For the purpose of the preceding paragraph, "personal information provided abroad" does not include important data. **Article 6.** Under the framework of the national system for classified and hierarchical protection of data, pilot free trade zones may, at their own discretion, formulate lists of data that need to be included in the scope of administration of security assessment for providing data abroad, the standard contract for providing personal information abroad and authentication for personal information protection (hereinafter referred to as the "negative list" in short), which shall be filed with the national cyberspace administration and the national data administration for the record upon approval by the cyberspace administration at the provincial level. Any data handler in a pilot free trade zone providing overseas parties with any data not included in the negative list may be exempted from declaring a security assessment for providing data abroad, concluding a standard contract for providing personal information abroad or passing authentication for personal information protection. **Article 7.** To provide data abroad, any data handler shall declare security assessment for providing data abroad to the national cyberspace administration through the cyberspace administration authority at the provincial level at its locality if it satisfies either of the following condition: 1. Where a critical information infrastructure operator provides personal information or important data abroad; or 2. Where any data handler other than a critical information infrastructure operator provides important data abroad or, as of January 1 of the current year, provides personal information (excluding sensitive personal information) of not less than 1 million people or sensitive personal information of not less than 10,000 people in aggregate to overseas parties. Where the circumstance falls under the provisions of Article 3, 4, 5 1 1 or 6 hereof, such provisions shall apply. **Article 8.** Where any data handler other than a critical information infrastructure operator provides abroad the 1 personal information (excluding sensitive personal information) of not less than 100,000 but not more than 1 million persons, or the sensitive personal information of not 100 more than 10,000 persons, accumulatively as of January 1 of the current year, it shall conclude a standard contract with 1 overseas recipients for provision of personal information abroad or go through the authentication on protection of personal information in accordance with the law. Where the circumstance falls under the provisions of Article 3, 4, 5 or 6 hereof, such provisions shall apply. **Article 9.** The result of security assessment for providing data abroad remains valid for three years, commencing from the 3 date of issuance of the assessment result. Where it is necessary to continue providing the data abroad and there is no circumstance requiring re-declaration for security assessment for the data abroad upon expiry of the period of validity, the data handler may, within 60 workdays by the expiry of the period of validity, apply to the national cyberspace administration through the local cyberspace administration at the provincial level for extending the period 60 of validity of the assessment result. Upon approval by the national cyberspace administration, the period of validity of the assessment result may be extended by three years. 3 **Article 10.** To provide personal information abroad, a data handler shall, in accordance with laws and administrative regulations, perform obligations such as notification, obtaining individual consent and conducting assessment of impact of personal information protection. **Article 11.** Any data handler providing data abroad shall abide by the provisions of laws and regulations, perform data security protection obligations, and take technical and other necessary measures to ensure the security of data to be provided abroad. If a data security incident occurs or may occur, the data handler shall take remedial measures, and report to the cyberspace administration at the provincial level or above and other competent authorities in a timely manner. **Article 12.** Local cyberspace administrations shall strengthen guidance and supervision over the cross-border provision of data by data handlers, improve the security assessment system for data to be provided abroad, and optimize the assessment process; they shall also strengthen the whole- chain and full-range regulation before the event, during the event and after the event, and require the data handler to make rectifications and eliminate hidden dangers if it is found that there are relatively high risks in the data to be provided abroad or that a data security incident has occurred; and the data handler shall be investigated for legal liability according to the law if it refuses to make rectifications or the accident has caused serious consequences. **Article 13.** In case of any discrepancy between these Provisions and the relevant provisions such as the Security Assessment Measures for Data Provision Abroad (Decree No. 11 of the Cyberspace Administration of China) promulgated 11 on July 7, 2022 and the Measures on Standard Contracts for 2023 2 22 Cross-border Provision of Personal Information (Decree No. 13 of the Cyberspace Administration of China) promulgated on February 22, 2023, these Provisions shall prevail. 13 **Article 14.** These Provisions shall come into force as of the date of promulgation. --- ## Regulation on Network Data Security Management - Chinese title: 网络数据安全管理条例 - Hierarchy: regulation - Issuing body: State Council - Adopted: 2024-08-30 - Effective: 2025-01-01 - Status: effective - URL: https://datacompliancechina.com/laws/network-data-security-regulations/ - Markdown: https://datacompliancechina.com/laws/network-data-security-regulations.md ### Summary The Network Data Security Management Regulation is the State Council's overarching implementing regulation for the three foundational data-protection statutes (CSL, DSL, PIPL). It consolidates network-data security obligations, important-data identification and classification, cross-border transfer rules, security-incident reporting, and operator obligations for large data handlers and internet platforms. Promulgated as State Council Decree No. 790. ### Full text **Promulgated by:** State Council. **Document No.:** Decree No. 790 of the State Council. **Adopted at the 40th executive meeting of the State Council on August 30, 2024.** **Promulgated September 24, 2024. Effective January 1, 2025.** Premier Li Qiang. --- ## Chapter I General Provisions **Article 1.** In order to regulate network data handling activities, ensure the security of network data, promote the reasonable and effective use of network data in accordance with the law, protect the legitimate rights and interests of individuals and organizations, and safeguard national security and public interests, this Regulation is enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Law of the People's Republic of China on the Protection of Personal Information and other relevant laws. **Article 2.** This Regulation applies to network data handling activities and the supervision and administration of security thereof carried out within the territory of the People's Republic of China. This Regulation also applies to the activities outside the territory of the People's Republic of China to handle the personal information of natural persons within the territory of the People's Republic of China, which conform to the circumstances prescribed in the second paragraph of Article 3 of the Law of the People's Republic of China on the Protection of Personal Information. Any network data handling activities outside the territory of the People's Republic of China that damage the national security, public interests or the legitimate rights and interests of citizens and organizations of the People's Republic of China shall be investigated for legal liability in accordance with the law. **Article 3.** Network data security management shall be carried out by adhering to the leadership of the Communist Party of China, implementing the overall concept of national security, and promoting the development and utilization of network data and ensuring the security of network data on an overall basis. **Article 4.** The State encourages the innovative application of network data in various industries and fields, strengthens the development of the capacity for protection of network data security, supports the innovation of technologies, products and services relating to network data, carries out publicity, education and talent training for network data security, and promotes the development and utilization of network data and the industrial development. **Article 5.** The State protects network data by category and by grade, according to the importance of network data in economic and social development, as well as the extent of the damage caused to national security, public interests or the legitimate rights and interests of individuals and organizations by network data once the network data are tampered with, destroyed, divulged, illegally acquired or illegally utilized. **Article 6.** The State actively participates in the development of international rules and standards relating to network data security to promote international exchange and cooperation. **Article 7.** The State supports relevant industry organizations in developing codes of conduct for network data security pursuant to their articles of association, strengthening industry self-regulation, guiding their members to strengthen network data security protection, improving the level of network data security protection and promoting the healthy development of the industry. ## Chapter II General Rules **Article 8.** No individual or organization may use network data to engage in any illegal activities or engage in any illegal network data handling activities such as stealing or acquiring network data by other illegal means, illegally selling or illegally providing network data to others. No individual or organization may provide any program or tool specially used for the illegal activities as mentioned in the preceding Paragraph; any individual or organization who is fully aware that a person engages in the illegal activities mentioned in the preceding Paragraph shall not provide the person with Internet access, server hosting, network storage, communication transmission and other technical support or with advertising and promotion, payment and settlement and other assistance. **Article 9.** Network data handlers shall, in accordance with the provisions of laws and administrative regulations and the mandatory requirements of national standards, and on the basis of classified protection of cyber security, strengthen the protection of network data security, establish and perfect the system of network data security management, and take technical measures such as encryption, backup, access control and security authentication as well as other necessary measures to protect network data from being falsified, destroyed, divulged or illegally acquired or used, dispose of network data security incidents, prevent illegal and criminal activities aiming at and using network data, and assume primary responsibility for the security of the network data handled by them. **Article 10.** Network products and services provided by a network data handler shall comply with the compulsory requirements of the relevant national standards; in the case of any risk such as security defect or bug discovered to be associated with a network product or service, the network data handler shall take remedial measures forthwith, notify users in a timely manner and report the same to the relevant competent authority in accordance with the provisions; in the case of any harm to the national security or public interest, the network data handler shall also report the same to the relevant competent authority within 24 hours. 24 **Article 11.** Network data handlers shall establish and perfect their emergency response plan for network data security incidents. In the case of a network data security incident, the network data handler shall activate its emergency response plan forthwith, with measures taken to prevent the expansion of the harm and to eliminate the potential security hazard and report the same to the competent authority as required. Where a network data security incident causes harm to the legitimate rights and interests of individuals or organizations, the network data handler shall promptly notify the interested parties of the security incident, risks, harm consequences, remedial measures taken and so on by means of telephone calls, text messages, instant messaging tools, e-mails, announcements or otherwise; where laws and administrative regulations provide that such notification may not be made, such provisions shall prevail. When finding any clue of suspected crime during its handling of a network data security incident, the network data handler shall report the case to the public security organ or State security organ as required and cooperate in the detection, investigation and handling of the case. **Article 12.** When providing other network data handlers with personal information and important data or entrusts other network data handlers to process personal information and important data, a network data handler shall, by contract or otherwise, agree with the network data recipient on the processing purpose, method and scope as well as the security protection obligations of the network data recipient, and supervise the network data recipient's performance of such obligations. Records of the personal information and important data provided to other network data handlers or the processing of such personal information and important data upon entrustment shall be kept for at least three years. The network data recipient shall perform its obligations of network data security protection, and process personal information and 3 important data according to the agreed purpose, method and scope. Where two or more network data handlers jointly decide on the purpose and method of the handling of personal information and important data, they shall agree upon their respective rights and obligations. **Article 13.** Where network data handlers carry out network data processing activities that affect or may affect national security, they shall undergo a national security review in accordance with relevant national regulations. **Article 14.** Where a network data handler needs to transfer network data due to merger, demerger, dissolution or bankruptcy, the network data recipient shall continue to perform its network data security protection obligations. **Article 15.** A State organ that entrusts others to build, operate and maintain its e-government system, or to store and handle government data shall go through strict approval procedures in accordance with the relevant provisions of the State, specify the entrusted party's authority for processing network data and protection responsibilities, among others, and supervise the entrusted party's performance of network data security protection obligations. **Article 16.** A network data handler that provides services for state agencies or critical information infrastructure operators, or participates in the construction, operation and maintenance of other public infrastructure or public service systems, shall perform its obligation of network data security protection and provide secure, stable and continuous services in accordance with the provisions of laws and regulations and contractual stipulations. Without the consent of the entrusting party, the network data handler as referred to in the preceding paragraph shall not access, obtain, retain, use, divulge or provide others with network data, nor shall it conduct association analysis of network data. **Article 17.** An information system providing services to State organs shall strengthen network data security management to ensure network data security according to the management requirements for e-government system mutatis mutandis. **Article 18.** When accessing and collecting network data by using automatic tools, network data handlers shall assess the impact of such access on network services and shall not illegally invade into others' networks or interfere with the normal operation of network services. **Article 19.** A network data handler providing generative artificial intelligence services shall strengthen its security management of training data and training data handling activities and take effective measures to prevent and dispose of network data security risks. **Article 20.** A network data handler providing products and services to the public shall subject itself to social supervision and shall establish a convenient channel for complaining and reporting about network data security, make public the ways to complain and report and other information, and promptly accept and handle complaints and reports about network data security. ## Chapter III Protection of Personal Information **Article 21.** Prior to handling personal information, if a network data handler informs individuals according to the law by formulating rules for handling personal information, such rules shall be publicly displayed in a centralized manner, easily accessible and put in an eye-catching position, and the content shall be definite, specific, clear and understandable, including but not limited to the following: (1) the title or name and contact information of the network data handler; (2) the purpose, method and type of handling of personal information, as well as the necessity of handling of sensitive personal information and the impact of handling on individuals' rights and interests; (3) the retention period of personal information and the method for handling such information upon expiration; If it is difficult to determine the retention period, the method for determining the retention period shall be specified; and (4) Methods and channels etc. for individuals to access, reproduce, transfer, correct, supplement, delete and restrict handling of personal information, to deregister accounts and withdraw their consents. When informing individuals of the purpose, method and type of personal information to be collected and provided to other network data handlers, as well as the information of the network data recipient in accordance with the provisions of the preceding paragraph, the network data handler shall state such information in the form of a checklist, among others. Where handling the personal information of minors under the age of 14, the network data handler shall also develop special rules for handling personal information. **Article 22.** Where the handling of personal information of an individual is subject to the individual's consent, the network data handler shall comply with the following provisions: (1) It shall not collect personal information beyond the scope and shall not obtain the individual's consent by means of misleading, fraud or coercion, etc. if the collection of personal information is necessary for the provision of products or services to the individual. (2) It shall obtain the individual's separate consent if the individual's sensitive personal information such as biometric information, religious belief, specific identity, medical health information, financial accounts and whereabouts is handled. (3) It shall obtain the consent of the individual's parents or other guardians if the personal information of the individual who is under the age of 14 is handled. (4) It shall not handle personal information beyond the purpose, method, type and period of storage agreed by the individual for handling of his/her personal information; (5) It shall not frequently ask for consent after the individual has explicitly expressed disagreement with the handling of his/her personal information; and (6) It shall obtain the individual's consent again if the purpose, method or type of handling of the individual's personal information changes. Where laws and administrative regulations provide that the handling of sensitive personal information is subject to written consent, such provisions shall prevail. **Article 23.** Where an individual requests to access, copy, correct, supplement, delete or restrict the handling of his/her personal information, or where an individual deregisters his/her account or withdraws his/her consent, the network data handler shall accept the request in a timely manner and provide convenient methods and channels to support the individual in exercising his/her rights, and shall not set up unreasonable conditions to restrict the individual's reasonable request. **Article 24.** Where it is impossible to avoid the collection of unnecessary personal information by using automatic collection technology or an individual's personal information without obtaining his/her consent according to the law, or an individual deregisters his/her account, the network data handler shall delete or anonymize the personal information. Where the storage period as prescribed by laws and administrative regulations has not expired, or it is difficult to delete or anonymize the personal information technically, the network data handler shall cease the handling other than storing such information and taking necessary security protection measures. **Article 25.** For the request of an individual for transfer of personal information that meets the following conditions, the network data handler shall provide channels for the network data handler designated by the individual to access or obtain relevant personal information: (1) where the true identity of the person making the request can be verified; (2) where the personal information requested for transfer is the personal information that the individual has agreed to provide or has been collected on the basis of a contract; (3) where the transfer of personal information is technically feasible; and (4) where the transfer of personal information does not damage the legitimate rights and interests of others. If the number of requests for transfer of personal information significantly exceeds a reasonable range, the network data handler may charge necessary fees based on the costs of transferring personal information. **Article 26.** Where an overseas network data handler who handles the personal information of domestic natural persons establishes a special agency or designates a representative within the territory of the People's Republic of China in accordance with Article 53 of the Law of the People's Republic of China on the Protection of Personal Information, it shall submit such information as the name and contact information of the agency or the representative to the local cyberspace administration of the city divided into districts, and the local cyberspace administration shall promptly notify the competent authority at the same level. **Article 27.** A network data handler shall periodically conduct compliance audits, either on its own or by commissioning a specialized agency, of its handling of personal information in compliance with laws and administrative regulations. **Article 28.** A network data handler handling the personal information of more than 10 million individuals shall also 1000 comply with the provisions governing network data handlers handling important data (hereinafter referred to as the "handlers of important data" in short) as specified in Articles 30 and 32 hereof. ## Chapter IV Security of Important Data **Article 29.** The national data security work coordination mechanism arranges and coordinates the relevant departments in formulating catalogs of important data and strengthens the protection of important data. All regions and departments shall, under the system for data classification and hierarchical protection, determine the specific catalogs of important data of their respective regions, departments as well as related industries and fields, and focus on protection of network data included in the catalogs. Network data handlers shall identify and declare important data in accordance with the relevant provisions of the State. For data that is confirmed as important data, the relevant region and department shall promptly notify network data handlers or publicly announce the same. Network data handlers shall perform their responsibility of network data security protection. The State encourages network data handlers to use technologies and products such as data labels and identifiers to improve important data security management. **Article 30.** Handlers of important data shall specify the person in charge of network data security and the management body for network data security. The management body for network data security shall perform the following responsibilities of network data security protection: (1) formulating and implementing network data security management systems and operation procedures as well as emergency response plans for network data security incidents; (2) organizing activities such as network data security risk monitoring, risk assessment, emergency drills, publicity, education and training on a regular basis, and promptly disposing of network data security risks and incidents; and (3) accepting and handling complaints and reports about network data security. The person in charge of network data security shall have professional knowledge of network data security and relevant management experience and shall be a member of the management team of the network data handler, with the right to directly report the situation of network data security to the relevant competent authority. Network data handlers that control important data of specific type and scale specified by the relevant competent authority shall conduct security background review of the person in charge of network data security and personnel in key positions and strengthen the training for the relevant personnel. When conducting such review, they may apply for assistance from the public security authorities and State security authorities. **Article 31.** Handlers of important data shall conduct risk assessment prior to providing, entrusting others to handle or jointly handling important data, except for the performance of statutory duties or obligations. The risk assessment shall focus on assessing the following aspects: (1) whether the provision, entrusted handling, and joint handling of network data, as well as the purpose, method or scope of handling of network data by network data recipients are legal, proper and necessary; (2) the risk that the network data provided, entrusted for handling or jointly handled may be tampered with, destroyed, divulged, illegally obtained or illegally used, and the risk to national security, public interests, or the legitimate rights and interests of individuals and organizations; (3) the integrity and compliance of network data recipients; (4) whether the requirements on network data security set forth in the relevant contract concluded or to be concluded with a network data recipient can effectively constrain the network data recipient to perform its obligations for network data security protection; (5) whether the technical and management measures taken or to be taken can effectively prevent the risks that network data may be tampered with, destroyed, divulged, illegally obtained or illegally used; and (6) other assessment contents specified by the relevant competent authority. **Article 32.** Where the security of important data may be affected due to merger, demerger, dissolution or bankruptcy of a handler of important data, the handler of important data shall take measures to ensure the security of network data, and report its important data disposal plan and the title or name and contact information of the recipient to the competent authority at or above the provincial level; if the competent authority is not specified, the handler of important data shall report to the coordination mechanism for data security at or above the provincial level. **Article 33.** Handlers of important data shall conduct risk assessment of their network data handling activities on an annual basis and submit risk assessment reports to the competent authorities at or above the provincial level, which shall in turn promptly notify the cyberspace administration and the public security organ at the same level. The risk assessment report shall include the following aspects: (1) basic information of the network data handler, information of the management body for network data security, and the name and contact information of the person in charge of network data security; (2) the purpose, type, quantity, method, scope, storage period and storage location etc. of the important data handled as well as the information on network data handling activities carried out, excluding the contents of network data themselves, (3) management systems for network data security and the implementation thereof, technical measures such as encryption, backup, label identification, access control, security authentication and other necessary measures and the effectiveness thereof; (4) network data security risks discovered, network data security incidents that have occurred and the handling thereof; (5) risk assessment of the provision, entrusted handling and joint handling of important data; (6) cross-border transmission of network data; and (7) other information to be reported as specified by the competent authority. The risk assessment report submitted by the service provider of a large network platform that handles important data shall include, in addition to the information specified in the preceding paragraph, an adequate description of the network data security of key businesses and supply chains. For a handler of important data whose important data handling activities might endanger the national security, the competent authority at or above the provincial level shall order it to take measures such as making rectifications or ceasing the handling of important data. The handler of important data shall take measures forthwith as required. ## Chapter V Cross-border Security Management of Network Data **Article 34.** The state cyberspace administration shall make overall planning and coordinate with the relevant authorities to establish a special work mechanism of national data cross- border security management, develop upon study relevant policies for national network data cross-border security management, and coordinate the handling of major matters relating to network data cross-border security. **Article 35.** A network data handler may transmit personal information abroad if it meets any of the following conditions: (1) having passed the security assessment for data cross-border transmission organized by the state cyberspace administration; (2) having been certified by a specialized agency in respect of the protection of personal information in accordance with the provisions of the state cyberspace administration; (3) meeting the provisions on standard contract for cross-border transmission of personal information as developed by the state cyberspace administration; (4) necessary to provide personal information abroad in order to conclude or perform a contract to which it is a party; (5) necessary to provide personal information of employees abroad under the employment rules and regulations formulated in accordance with the law and collective contracts concluded in accordance with the law; (6) necessary to provide personal information abroad in order to perform statutory duties or obligations; (7) necessary to provide personal information abroad in order to protect the life, health and property security of natural persons in an emergency; and (8) other conditions provided for in laws, administrative regulations or by the state cyberspace administration. **Article 36.** Where the international treaties or agreements concluded or acceded to by the People's Republic of China have provisions on conditions for provision of personal information outside the territory of the People's Republic of China, among others, such provisions may prevail. **Article 37.** Where it is necessary to provide important data generated or collected by a network data handler during its operation within the territory of the People's Republic of China to overseas parties, such provision shall pass the security assessment for data cross-border transmission organized by the state cyberspace administration. If a network data handler identifies and declares important data according to relevant provisions of the State, which have not been notified by the relevant region or department or have not been announced to the public as important data, no security assessment is required for cross-border transmission of such data as important data. **Article 38.** After passing the security assessment for data cross-border transmission, the provision of personal information and important data abroad by the network data handler shall not beyond the purpose, method, scope, type and scale etc. of the data to be transmitted abroad as specified at the time of the assessment. **Article 39.** The State takes measures to prevent and deal with cross-border security risks and threats to network data. No individual or organization may provide programs or tools etc. specially designed to destroy or avoid technical measures and shall not provide a person with technical support or assistance if he/it is fully aware of such activities as destroying or avoiding technical measures committed by the person. ## Chapter VI Obligations of Network Platform Service Providers **Article 40.** Network platform service providers shall specify the network data security protection obligations of third-party product and service providers accessing their platforms through platform rules, contracts or otherwise, and urge third- party product and service providers to strengthen network data security management. The provisions of the preceding paragraph apply to the manufacturers of equipment such as smart terminals pre-installed with applications. Where a third-party product or service provider carries out network data handling activities in violation of laws, administrative regulations, platform rules or contracts, causing damage to users, the network platform service provider, the third-party product or service provider, the manufacturer of equipment such as smart terminals pre-installed with applications shall assume corresponding liability in accordance with the law. The State encourages insurance companies to develop liability insurance products for damage caused to network data and encourages network platform service providers and manufacturers of equipment such as smart terminals pre-installed with applications to take out insurance. **Article 41.** Network platform service providers providing application distribution service shall establish application verification rules and carry out relevant verification of network data security. Where it is found that the applications to be distributed or distributed do not comply with the provisions of laws, administrative regulations or the mandatory requirements of national standards, measures such as warning, no distribution, suspension or termination of distribution shall be taken. **Article 42.** Network platform service providers pushing information to individuals in an automatic decision -making manner shall set up a personalized recommendation closing option that is easy to understand, access and operate, and provide users with such functions as refusing to receive pushed information and deleting user tags targeted at their personal characteristics. **Article 43.** The State promotes the development of public services for network identity authentication and popularizes and applies such services under the principles of government guidance and user voluntariness. Network platform service providers are encouraged to support users in using the national network identity authentication public services for registration and verification of their identity information. **Article 44.** Large network platform service providers shall release annual social responsibility reports on personal information protection, and the contents of such reports shall include but not be limited to the measures for personal information protection and the effects thereof, the acceptance of applications for the exercise of rights by individuals, and the performance of duties by the supervision body for personal information protection which is mainly composed of external members. **Article 45.** Where the service provider of a large network platform provides cross-border network data, it shall comply with the administrative requirements of the State on cross- border data security management and improve the relevant technical and administrative measures to prevent cross- border security risks of network data. **Article 46.** The service provider of a large network platform shall not engage in the following activities by using network data, algorithms and platform rules: (1) handling network data generated by users on the platform by misleading, fraud, coercion or other means; (2) restricting users' access to or use of network data generated on the platform without justified reasons; (3) giving unreasonable differential treatment to users, which damages the legitimate rights and interests of users; and (4) other activities prohibited by laws and administrative regulations. ## Chapter VII Supervision and Administration **Article 47.** The state cyberspace administration is responsible for the overall planning and coordination of network data security and relevant supervision and administration. Public security authorities and national security authorities shall, pursuant to the provisions of relevant laws, administrative regulations and this Regulation, assume the responsibility for supervising and administering network data security ex officio, and prevent and crack down on illegal and criminal activities which endanger network data security in accordance with the law. The national data management body shall perform corresponding responsibilities for network data security in its specific work of data management. Local regions and their departments shall be responsible for the network data collected and generated during their work and for the network data security. **Article 48.** All competent authorities concerned shall assume the responsibility for supervising and administering the network data security of their respective industries and fields, designate the agencies responsible for the protection of network data security of their respective industries and fields, develop and organize the implementation of emergency response plans for network data security incidents in their respective industries and fields on an overall basis, regularly organize the assessment of network data security risks of their respective industries and fields, supervise and inspect the performance by network data handlers of their obligations of protecting network data security, and guide and urge network data handlers to promptly rectify existing potential risks. **Article 49.** The state cyberspace administration shall coordinate with the competent authorities concerned to promptly summarize, study and determine, share and release information relating to network data security risks, and strengthen the sharing of network data security information, the monitoring and early warning of network data security risks and threats, and the emergency response to network data security incidents. **Article 50.** The competent authorities concerned may take the following measures to supervise and inspect network data security: (1) requiring a network data handler and its relevant personnel to explain the items under supervision and inspection; (2) consulting and copying documents and records relating to network data security; (3) inspecting the operation of network data security measures; (4) inspecting the equipment and articles relating to network data handling activities; and (5) taking other necessary measures as prescribed by laws and administrative regulations. The network data handler shall cooperate in the supervision and inspection of network data security conducted by competent authorities in accordance with the law. **Article 51.** When carrying out the supervision and inspection of network data security, the competent authorities concerned shall be objective and fair, and shall not charge any fees from the entity under inspection. During the supervision and inspection of network data security, the competent authorities concerned shall not access or collect business information that is not related to network data security, and the information obtained may only be used as necessary for the purpose of maintaining network data security and should not be used for any other purpose. Where finding that there are relatively high security risks in the network data handling activities of a network data handler, the competent authorities concerned may, according to its prescribed authority and procedures, require the network data handler to suspend relevant services, modify platform rules, and improve technical measures to eliminate potential security risks of network data. **Article 52.** When carrying out supervision and inspection of network data security, the competent authorities concerned shall strengthen coordination and cooperation with each other and information communication, and reasonably determine the frequency and methods of inspection, so as to avoid unnecessary inspection and cross and repeated inspection. The compliance audit in respect of personal information protection, risk assessment for important data, security assessment for cross-border transfer of important data and so on shall be connected more closely to avoid repeated assessment and audit. Where the contents of risk assessment and cybersecurity grade assessment for important data overlap, the relevant results can be mutually admissible. **Article 53.** The competent authorities concerned and their staff members shall keep confidential, in accordance with the law, the network data such as personal privacy, personal information, trade secrets and confidential business information that they have accessed in the performance of their responsibility, and shall not disclose or illegally provide the same to others. **Article 54.** The state cyberspace administration may, in concert with the competent authorities concerned, take corresponding necessary measures in accordance with the law against any overseas organization or individual who engages in network data handling activities that endanger the national security or public interests of the People's Republic of China or infringe upon the personal information rights and interests of the citizens of the People's Republic of China. ## Chapter VIII Legal Liability **Article 55.** For violation of Article 12, Articles 16-20, Article 22, Paragraphs 1 and 2 of Article 40, Article 41 and Article 42 hereof, the competent authorities in charge of cyberspace, telecommunications and public security, etc. shall, ex officio, order the violator to make rectification, give a warning to the violator, and confiscate the illegal income of the violator. In case of refusal to make rectification or serious circumstances, the violator shall be subject to a fine of not more than 1 million yuan, and may be ordered to suspend relevant business, cease operation for rectification, or have the relevant business permit or business license revoked, and the 100 person directly in charge and other directly liable persons shall be subject to a fine of not less than 10,000 yuan but not more than 100,000 yuan. **Article 56.** For violation of Article 13 hereof, the competent authorities in charge of cyberspace, telecommunications, public security, national security, etc. shall, ex officio, order the violator to make rectification, give a warning to the violator, impose a fine of not less than 100,000 yuan but not more than 1 million yuan concurrently on the violator, and impose a fine of not less than 10,000 yuan but not more than 100,000 yuan concurrently on the person directly in charge and other directly liable persons; in case of refusal to make rectification or serious circumstances, the violator shall be subject to a fine of not less than 1 million yuan but not more than 10 million yuan, and may be ordered to suspend relevant business, cease operation for rectification, or have the relevant business permit or business license revoked, and the person directly in charge and other directly liable persons shall be subject to a fine of not less than 100,000 yuan but not more than 1 million yuan. **Article 57.** For violation of Paragraph 2 of Article 29, Paragraphs 2 and 3 of Article 30, Article 31 and Article 32 hereof, the competent authorities in charge of cyberspace, telecommunications and public security, etc. shall, ex officio, order the violator to make rectification, give a warning to the violator, impose a fine of not less than 50,000 yuan but not more than 500,000 yuan concurrently on the violator, and impose a fine of not less than 10,000 yuan but not more than 5 50 100,000 yuan concurrently on the person directly in charge and other directly liable persons; in case of refusal to make rectification or serious consequences such as massive data 1 leakage are caused, the violator shall be subject to a fine of not less than 500,000 yuan but not more than 2 million yuan, 10 and may be ordered to suspend relevant business, cease operation for rectification, or have the relevant business permit or business license revoked, and the person directly in charge and other directly liable persons shall be subject to a fine of not less than 50,000 yuan but not more than 200,000 yuan. **Article 58.** For violation of other relevant provisions hereof, the violator shall be prosecuted for legal liability by the competent authority concerned in accordance with the Cybersecurity Law of the People's Republic of China, Data Security Law of the People's Republic of China, Law of the People's Republic of China on the Protection of Personal Information and other applicable laws. **Article 59.** A network data handler who voluntarily eliminates or mitigates the harmful consequences of its illegal acts, commits minor illegal acts and makes rectification in a timely manner without causing harmful consequences, or commits illegal acts for the first time with minor harmful consequences and makes rectification in a timely manner, shall be subject to a lighter or mitigated administrative penalty or be exempted from administrative penalty in accordance with the Law of the People's Republic of China on Administrative Penalties. **Article 60.** For a state agency that fails to perform its obligations of network data security protection set forth herein, its superior authority or the competent authority concerned shall order it to make rectification and impose disciplinary actions on the person directly in charge and other directly liable persons in accordance with the law. **Article 61.** Whoever violates this Regulation, with damage to others caused, shall be subject to the civil liability pursuant to the law; if the violation of public security administration is constituted, a penalty for public security administration shall be imposed pursuant to the law; and if a crime is constituted, criminal liability shall be investigated pursuant to the law. ## Chapter IX Supplementary Provisions **Article 62.** The following terms as used herein shall have the following meanings: (1) "Network data" refers to various electronic data handled and generated through networks. (2) "Network data handling activities" refer to the collection, storage, use, processing, transmission, provision, disclosure and deletion of network data. (3) "Network data handler" refers to an individual or organization that independently determines the handling purpose and handling method in network data handling activities. (4) "Important data" refers to the data in a specific field, group or region or with a certain precision and scale, which, once tampered with, destroyed, divulged, illegally obtained or illegally used, may directly endanger national security, economic operation, social stability, public health and security. (5) "Entrusted handling" refers to the network data handling activities carried out by any individual or organization entrusted by a network data handler according to the agreed purpose and method. (6) "Joint handling" refers to the network data handling activities in which two or more network data handlers jointly determine the handling purpose and handling method for network data. (7) "Separate consent" refers to that an individual specifically gives specific and clear consent with respect to a specific handling of his/her personal information. (8) "Large network platform" refers to a network platform with more than 50 million registered users or more than 10 million monthly active users, complex business types, and network data handling activities having a significant impact on national security, economic operation, national welfare and people's livelihood, etc. **Article 63.** The network data handling activities in respect of core data shall be carried out in accordance with the relevant regulations of the State. This Regulation does not apply to the handling of personal information by natural persons due to personal or family affairs. The provisions of the Law of the People's Republic of China on Guarding State Secrets and other laws and administrative regulations shall apply to the network data handling activities involving state secrets or work secrets. **Article 64.** This Regulation shall come into force on January 1, 2025 2025. --- ## Measures for Network Data Security Risk Assessment - Chinese title: 网络数据安全风险评估办法 - Abbreviation: Network Data Risk Assessment Measures - Hierarchy: rule - Issuing body: Cyberspace Administration of China; Ministry of Industry and Information Technology; Ministry of Public Security - Adopted: 2026-06-01 - Effective: 2026-08-20 - Status: effective - URL: https://datacompliancechina.com/laws/network-data-security-risk-assessment-measures/ - Markdown: https://datacompliancechina.com/laws/network-data-security-risk-assessment-measures.md - Source URL: https://mp.weixin.qq.com/s/ypoiNq_5IxGtLw8o9pg9xQ ### Summary The first dedicated, cross-sector implementing rule for the annual network-data risk-assessment obligation created by the Network Data Security Management Regulation (State Council Decree No. 790). Jointly issued by the CAC, MIIT and the Ministry of Public Security as Order No. 24, it requires every important-data handler to conduct a risk assessment each year — and again whenever a material change in the security status of important data may adversely affect security — to retain the report for at least three years, and to submit it to the competent authority within 20 working days; general-data handlers are encouraged to assess at least once every three years. It builds the regime for third-party assessment institutions: voluntary certification, a ban on sub-entrustment, a no-more-than-three-consecutive-years rotation rule, and confidentiality and deletion duties. Regulators may compel a certified-institution assessment after a high-risk finding or a breach involving important data or large-scale personal information, and may order an important-data handler to stop processing important data where activities endanger national security or the public interest. Adopted June 1, 2026; promulgated June 18, 2026; effective August 20, 2026. ### Full text **Promulgated by:** Cyberspace Administration of China, Ministry of Industry and Information Technology, and Ministry of Public Security. **Document No.:** Order No. 24. **Reviewed and adopted at the 12th office affairs meeting of the Cyberspace Administration of China in 2026 on June 1, 2026, and promulgated with the consent of the Ministry of Industry and Information Technology and the Ministry of Public Security. Promulgated June 18, 2026. Effective August 20, 2026.** Zhuang Rongwen, Director of the Cyberspace Administration of China. Li Lecheng, Minister of Industry and Information Technology. Wang Xiaohong, Minister of Public Security. --- **Article 1.** These Measures are formulated in accordance with the Data Security Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Regulation on Network Data Security Management and other laws and regulations, in order to regulate network data security risk assessment activities, safeguard network data security, and promote the lawful, reasonable and effective use of network data. **Article 2.** These Measures shall be observed in carrying out network data security risk assessment within the territory of the People's Republic of China. For the purposes of these Measures, "network data security risk assessment" (hereinafter "risk assessment") refers to activities such as risk identification, risk analysis and risk evaluation conducted with respect to the security of network data and network data handling activities. **Article 3.** Under the guidance of the national data security work coordination mechanism, the national cyberspace administration, together with the telecommunications, public security and other relevant departments of the State Council, shall establish a special working mechanism for network data security risk assessment to guide and supervise risk assessment work. **Article 4.** The relevant competent authorities shall, in accordance with the principle of "whoever is in charge of the business is in charge of the business data and is in charge of data security," regularly organize risk assessments in their respective industries and fields; shall, as needed for their work, inspect the conduct of risk assessment by network data handlers that handle important data in their respective industries and fields (hereinafter "important data handlers"); and shall, by the end of January each year, submit their annual risk-assessment inspection plans to the national cyberspace administration. The national cyberspace administration shall, through the national data security work coordination mechanism, share and coordinate the plans with the telecommunications, public security, national security and other relevant departments of the State Council, so as to avoid unnecessary inspections and overlapping or duplicative inspections. The relevant competent authorities shall not charge fees to the important data handlers they inspect. **Article 5.** Important data handlers shall carry out a risk assessment each year. Where a material change in the security status of important data may adversely affect data security, a risk assessment shall be promptly carried out of the part that has changed and its impact. Network data handlers that handle general data (hereinafter "general data handlers") are encouraged to carry out a risk assessment at least once every three years. **Article 6.** Risk assessment work shall be carried out in accordance with the relevant requirements of the Data Security Law of the People's Republic of China and the Regulation on Network Data Security Management, and with reference to the relevant national standards for data security risk assessment. Where the relevant competent authority has other provisions on risk assessment work in its industry or field, those provisions shall prevail. **Article 7.** A network data handler may carry out a risk assessment on its own or by entrusting a third-party assessment institution (hereinafter "assessment institution"). Where a network data handler carries out a risk assessment on its own, it shall designate a dedicated person to be responsible for it. Where a network data handler entrusts an assessment institution to carry out a risk assessment, it shall, by concluding a contract or other legally effective document, clarify the rights and obligations of both parties. **Article 8.** Relevant assessment institutions are encouraged to obtain certification. The certification of assessment institutions shall be carried out in accordance with the relevant provisions of the Regulations of the People's Republic of China on Certification and Accreditation. **Article 9.** Under the guidance of the national data security work coordination mechanism, the national cyberspace administration and the telecommunications, public security and other relevant departments of the State Council shall actively promote the development of network data security risk assessment services and cultivate assessment institutions. **Article 10.** In carrying out a risk assessment, an assessment institution shall comply with laws and regulations, make risk judgments in a fair and objective manner, and be responsible for the authenticity, validity and completeness of the risk assessment report it issues. **Article 11.** An assessment institution shall not sub-entrust the risk assessment to another institution. **Article 12.** The same assessment institution and its affiliated institutions shall not carry out the annual risk assessment for the same network data handler for more than three consecutive times. **Article 13.** Where, in the course of a risk assessment, an assessment institution discovers that a network data handling activity presents a major data security risk, it shall promptly notify the network data handler. **Article 14.** An assessment institution and its staff shall, in accordance with the law, keep confidential the data, trade secrets, confidential business information and the like obtained in the course of a risk assessment, and shall not divulge or unlawfully provide the same to others; and shall, after the conclusion of the risk assessment, promptly delete the relevant information or properly dispose of it as agreed in the contract. **Article 15.** An important data handler carrying out an annual risk assessment shall prepare a risk assessment report in accordance with the law and the provisions of the relevant competent authority. Where the relevant competent authority has no provisions on the risk assessment report, the report may be prepared with reference to the relevant national standards for data security risk assessment. The risk assessment report shall be retained for at least three years. A general data handler may prepare a risk assessment report with reference to the requirements of the preceding paragraph. **Article 16.** An important data handler shall, within 20 working days after completing its annual risk assessment, submit the risk assessment report to the relevant competent authority as required. Where the competent authority is not clear, it shall submit the report to the provincial-level cyberspace administration or the national cyberspace administration. The relevant competent authority shall make public the channels and contact information for submitting risk assessment reports, promptly receive the risk assessment reports submitted by important data handlers, and, within 10 working days from the date of receipt of a risk assessment report, notify the cyberspace administration at the same level. The national cyberspace administration shall consolidate the relevant reports and share them with the telecommunications, public security, national security and other relevant departments of the State Council. The cyberspace administrations, telecommunications authorities, public security organs, national security organs and other relevant departments at or above the provincial level may inspect and verify the authenticity and accuracy of the risk assessment reports of important data handlers, and the important data handlers shall cooperate with such inspection and verification. **Article 17.** Where, in the course of verifying risk assessment reports, conducting supervision and inspection, or other work, the cyberspace administrations, telecommunications authorities, public security organs and other relevant departments at or above the provincial level discover that a network data handler falls under any of the following circumstances, they may require it to entrust a certified assessment institution to carry out a risk assessment: (1) the network data handling activity presents a relatively high security risk that may endanger national security or the public interest; (2) a network data security incident has occurred, resulting in the leakage or theft of important data or large-scale personal information; (3) other circumstances prescribed by the relevant department. With respect to the same network data security incident or risk, a network data handler shall not be repeatedly required to entrust an assessment institution to carry out a risk assessment. **Article 18.** Where a network data handler entrusts an assessment institution to carry out a risk assessment as required by the relevant department, it shall perform the following obligations: (1) provide the assessment institution with the necessary support for carrying out the risk assessment, including providing the risk assessment personnel with the necessary rights to access network data facilities, network data, systems and operation logs; (2) complete the risk assessment within the prescribed time; where the circumstances are complex, the time may be appropriately extended upon approval by the relevant department; (3) after completing the risk assessment, submit the risk assessment report issued by the assessment institution to the relevant department; the risk assessment report shall be signed by the principal person in charge of the assessment institution and the person in charge of the risk assessment, and shall bear the official seal of the institution; (4) rectify the problems discovered in the risk assessment as required by the relevant department, and, within 15 working days after completing the rectification, submit a rectification report to the relevant department. A network data handler shall not, by any means, require or suggest that an assessment institution issue a false or improper risk assessment report. **Article 19.** Where, in organizing a risk assessment, the relevant department discovers that the important data handling activities of an important data handler may endanger national security or the public interest, it shall, in accordance with its duties, order the important data handler to rectify; with respect to an important data handler that refuses to rectify or fails to meet the rectification requirements, the department may take measures such as requiring it to cease handling important data. **Article 20.** The relevant competent authorities shall strengthen risk information sharing and coordinated disposal, promptly dispose of the security risks and problems discovered in risk assessments, and promptly report in accordance with relevant provisions. **Article 21.** Any organization or individual has the right to complain to, or report to, the relevant department any illegal activity in a risk assessment, and the department receiving the complaint or report shall promptly handle it in accordance with the law. **Article 22.** Where the cyberspace administrations, telecommunications authorities, public security organs, national security organs or other relevant departments at or above the provincial level discover that a network data handler has failed to carry out a risk assessment as required, they shall handle the matter in accordance with the Data Security Law of the People's Republic of China, the Regulation on Network Data Security Management and other relevant laws and administrative regulations. Where an assessment institution is found to have carried out a risk assessment in violation of these Measures, the relevant department shall handle the matter in accordance with the law. **Article 23.** The risk assessment of a network data handler that handles core data shall be carried out in accordance with relevant national provisions. Where technical measures such as the encryption of important data are involved, a commercial cryptography application security assessment shall be carried out in accordance with the requirements of the national laws and administrative regulations on cryptography. **Article 24.** Risk assessment activities involving state secrets or work secrets shall be carried out in accordance with the Law of the People's Republic of China on Guarding State Secrets and other laws and administrative regulations as well as national secrecy provisions. **Article 25.** These Measures shall come into force on August 20, 2026. --- ## Guide to the Filing of the Standard Contract for Outbound Transfer of Personal Information (First Edition) - Chinese title: 个人信息出境标准合同备案指南(第一版) - Hierarchy: rule - Issuing body: Cyberspace Administration of China (CAC) - Adopted: 2023-05-30 - Effective: 2023-05-30 - Status: effective - URL: https://datacompliancechina.com/laws/personal-info-standard-contract-filing-guide/ - Markdown: https://datacompliancechina.com/laws/personal-info-standard-contract-filing-guide.md ### Summary CAC's procedural guide accompanying the SCC Measures. Specifies the filing materials required, where to file (provincial CAC), online filing system mechanics, materials acceptance and review timeline, and standardized templates for the power of attorney, the letter of commitment, the Standard Contract itself, and the Personal Information Protection Impact Assessment Report. Read together with the SCC Measures for the operational filing path. ### Full text **Promulgated by:** Cyberspace Administration of China (CAC). **Issued by CAC on May 30, 2023. Effective the same day.** --- **I.** Scope of Application Where a personal information handler provides personal information abroad by concluding a standard contract, all of the following circumstances shall be met concurrently: (I) It shall not be a critical information infrastructure operator; 100 (II) The number of people whose personal information is processed by it shall be less than one million; (III) The number of people whose personal information has been provided abroad accumulatively shall be less than 100,000 since January 1 of the previous year; and (IV) The number of people whose sensitive personal information has been provided abroad accumulatively shall be less than 10,000 since January 1 of the previous year. Where laws, administrative regulations or the Cyberspace Administration of China ("CAC") stipulates otherwise, such provisions shall prevail. Personal information handlers shall not take such means as quantity splitting to provide overseas personal information that should pass exit security assessment according to law by entering into a Standard Contract. The following circumstances are deemed as acts of outbound transfer of personal information: (I) where a personal information handler transfers or stores abroad the personal information collected and generated in its domestic operation; (II) where the personal information collected and generated by a personal information handler is stored domestically but can be inquired, retrieved, downloaded and exported by overseas institutions, organizations or individuals; and (III) other acts of outbound transfer of personal information as prescribed by the CAC. 10 II . Methods of Filing A personal information handler shall, within ten working days from the effective date of a Standard Contract, file the Standard Contract with the local provincial cyberspace administration for the record by serving written materials attached with the electronic version thereof. **III.** Filing Process The filing process for a Standard Contract includes such steps as material submission, inspection and verification of materials, feedback on filing results, supplementation or re-filing, etc. 1 (I) Submission of Materials To file a Standard Contract, a personal information handler shall submit the following materials (see Appendix I for requirements): 1. 1. photocopy of the unified social credit code certificate; 2. 2. photocopy of the identity document of the legal representative; 3. 3. photocopy of the identity document of the handling person; 4. 2 4. power of attorney to the handling person (see Appendix II for the template); 5. 3 5. letter of commitment (see Appendix III for the template); 6. 4 6. Standard Contract (see Appendix IV for the template); and 7. 5 7. Personal Information Protection Impact Assessment Report (see Appendix V for the template). (II) Check of Materials and Feedback on Filing Results The provincial cyberspace administration shall, within 15 working days upon receipt of the materials, complete the check of the materials and notify the personal information handler of the filing results. The filing results are divided into Passed and Failure. The provincial cyberspace administration will issue a filing number to the personal information handler if the filing is passed, otherwise, the personal information handler will receive a notice on unsuccessful filing and the reasons therefor. Where personal information handler is required to supplement and perfect materials, the personal information handler shall supplement and perfect the materials and submit them again within ten working days. (III) Supplementation or Re-filing Within the validity period of the Standard Contract, the personal information handler shall re-conduct an impact assessment of personal information protection, supplement or enter into a Standard Contract anew and perform relevant filing formalities under any of the following circumstances: 1. 1. where the purpose, scope, category, sensitivity, method and storage location of provision of personal information overseas or the overseas recipient's purpose or method to process personal information has changed, or the overseas storage period of personal information is to be extended; 2. 2. where the rights and interests of personal information may be affected by changes in the policies and regulations on personal information protection of the country or region where the overseas recipient is located; or 3. 15 3. any other circumstance that may affect the rights and interests of personal information. To conclude a supplemental Standard Contract within the term of the Standard Contract, the personal information handler shall submit supplementary materials to the local provincial cyberspace administration; a Standard Contract re-concluded shall be filed anew. The time limit for the check of the supplemented or re-filed materials is 15 working days. The personal information handler shall be responsible for the authenticity of the materials submitted by it. In case of false materials submitted, the filing shall be deemed as failure and the corresponding legal liability will be investigated in accordance with the law. bzht@cac.gov.cn 010-55627565 **IV.** Contact Details for Consultation and Whistleblowing E-mail: bzht@cac.gov.cn Tel.: 010- 55627565 Appendices: 1. Requirements for Filing Materials for a Standard Contract for Outbound Transfer of Personal Information 2. Power of Attorney for a Handler (Template) 3. Letter of Commitment (Template) 4. Standard Contract for Outbound Transfer of Personal Information (Template) 5. Personal Information Protection Impact Assessment Report (Template) --- ## Interpretation of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues Concerning the Application of Law in Handling Criminal Cases of Infringing upon Citizens' Personal Information - Chinese title: 最高人民法院、最高人民检察院关于办理侵犯公民个人信息刑事案件适用法律若干问题的解释 - Abbreviation: PI Criminal Interpretation - Hierarchy: judicial - Issuing body: Supreme People's Court; Supreme People's Procuratorate - Adopted: 2017-05-08 - Effective: 2017-06-01 - Status: effective - URL: https://datacompliancechina.com/laws/pi-infringement-criminal-interpretation/ - Markdown: https://datacompliancechina.com/laws/pi-infringement-criminal-interpretation.md ### Summary The principal judicial interpretation governing the crime of infringing upon citizens' personal information under Article 253a of the Criminal Law. It defines 'citizens' personal information', clarifies what constitutes 'providing' and 'illegally obtaining' such information, and sets quantitative thresholds for 'serious circumstances' and 'particularly serious circumstances' (e.g., 50 items of tracking, communication-content, credit-reporting or property information; 500 items of accommodation, communication-record, health or transaction information; 5,000 items of other personal information). It also addresses corporate liability, sentencing for related network crimes, and the determination of fines. ### Full text **Promulgated by:** Supreme People's Court; Supreme People's Procuratorate. **Document No.:** Fa Shi [2017] No. 10. **Adopted at the 1712th Meeting of the Judicial Committee of the Supreme People's Court on March 20, 2017 and at the 63rd Meeting of the Twelfth Procuratorial Committee of the Supreme People's Procuratorate on April 26, 2017. Effective June 1, 2017.** --- In order to punish, in accordance with the law, criminal activities that infringe upon citizens' personal information, and to protect the security of citizens' personal information and their lawful rights and interests, the following interpretation on several issues concerning the application of law in handling such criminal cases is hereby given pursuant to the relevant provisions of the Criminal Law of the People's Republic of China and the Criminal Procedure Law of the People's Republic of China: **Article 1.** "Citizens' personal information" as prescribed in Article 253a of the Criminal Law refers to various kinds of information recorded electronically or by other means that can, alone or in combination with other information, identify a specific natural person or reflect the activities of a specific natural person, including a person's name, identification-document number, communication and contact information, address, account passwords, property status, whereabouts and tracks, and the like. **Article 2.** Violating the provisions of laws, administrative regulations or departmental rules concerning the protection of citizens' personal information shall be determined as "violating the relevant provisions of the State" as prescribed in Article 253a of the Criminal Law. **Article 3.** Providing citizens' personal information to a specific person, as well as publishing citizens' personal information through an information network or other channels, shall be determined as "providing citizens' personal information" as prescribed in Article 253a of the Criminal Law. Providing to others, without the consent of the person from whom the information was collected, citizens' personal information that was lawfully collected falls under "providing citizens' personal information" as prescribed in Article 253a of the Criminal Law, except where the information has been processed such that a specific individual cannot be identified and the information cannot be restored. **Article 4.** Obtaining citizens' personal information by purchase, receipt, exchange or other means in violation of the relevant provisions of the State, or collecting citizens' personal information in the course of performing duties or providing services, falls under "obtaining citizens' personal information by other illegal methods" as prescribed in the third paragraph of Article 253a of the Criminal Law. **Article 5.** Where citizens' personal information is illegally obtained, sold or provided under any of the following circumstances, it shall be determined as "serious circumstances" as prescribed in Article 253a of the Criminal Law: (I) selling or providing whereabouts and tracks information that is used by another person to commit a crime; (II) selling or providing information to another person while knowing or having reason to know that the person uses citizens' personal information to commit a crime; (III) illegally obtaining, selling or providing 50 or more items of whereabouts and tracks information, communication content, credit-reporting information, or property information; (IV) illegally obtaining, selling or providing 500 or more items of accommodation information, communication records, health and physiological information, transaction information, or other citizens' personal information that may affect personal or property safety; (V) illegally obtaining, selling or providing 5,000 or more items of citizens' personal information other than those prescribed in items (III) and (IV); (VI) where the quantity does not reach the standards prescribed in items (III) through (V), but the aggregate reaches the relevant quantity standard when calculated in the corresponding proportion; (VII) where the illegal gains amount to RMB 5,000 or more; (VIII) selling or providing to others citizens' personal information obtained in the course of performing duties or providing services, where the quantity or amount reaches more than half of the standards prescribed in items (III) through (VII); (IX) where the person has previously been subject to criminal punishment for infringing upon citizens' personal information, or has been subject to administrative punishment within two years, and again illegally obtains, sells or provides citizens' personal information; or (X) other circumstances that are serious. Where any of the acts prescribed in the preceding paragraph is committed under any of the following circumstances, it shall be determined as "particularly serious circumstances" as prescribed in the first paragraph of Article 253a of the Criminal Law: (I) causing serious consequences such as the death, serious injury, mental disorder, or kidnapping of the victim; (II) causing major economic losses or an adverse social impact; (III) where the quantity or amount reaches ten or more times the standards prescribed in items (III) through (VIII) of the preceding paragraph; or (IV) other circumstances that are particularly serious. **Article 6.** Where, for the purpose of lawful business operations, citizens' personal information other than those prescribed in items (III) and (IV) of the first paragraph of Article 5 of this Interpretation is illegally purchased or received under any of the following circumstances, it shall be determined as "serious circumstances" as prescribed in Article 253a of the Criminal Law: (I) gaining a profit of RMB 50,000 or more by using illegally purchased or received citizens' personal information; (II) where the person has previously been subject to criminal punishment for infringing upon citizens' personal information, or has been subject to administrative punishment within two years, and again illegally purchases or receives citizens' personal information; or (III) other circumstances that are serious. Where any of the acts prescribed in the preceding paragraph is committed and the purchased or received citizens' personal information is illegally sold or provided, the standards for conviction and sentencing prescribed in Article 5 of this Interpretation shall apply. **Article 7.** Where an entity commits the crime prescribed in Article 253a of the Criminal Law, the persons directly in charge and other directly responsible persons shall be convicted and punished in accordance with the standards for conviction and sentencing for the corresponding natural-person crime prescribed in this Interpretation, and a fine shall be imposed on the entity. **Article 8.** Where a website or communication group is established for the purpose of carrying out illegal and criminal activities of illegally obtaining, selling or providing citizens' personal information, and the circumstances are serious, the person shall be convicted and punished for the crime of illegally using an information network in accordance with the provisions of Article 287a of the Criminal Law; where the act also constitutes the crime of infringing upon citizens' personal information, the person shall be convicted and punished for the crime of infringing upon citizens' personal information. **Article 9.** Where a network service provider refuses to perform the information-network security management obligations prescribed by laws and administrative regulations, and after being ordered by the regulatory authority to take corrective measures still refuses to make corrections, thereby causing the leakage of users' citizens' personal information and serious consequences, the provider shall be convicted and punished for the crime of refusing to perform information-network security management obligations in accordance with the provisions of Article 286a of the Criminal Law. **Article 10.** Where a person commits the crime of infringing upon citizens' personal information, the circumstances do not fall under "particularly serious circumstances", and the offender is a first-time offender who has returned all illegal gains and has shown genuine remorse, the case may be determined to be a minor circumstance, and the offender may not be prosecuted or may be exempted from criminal punishment; where it is genuinely necessary to impose a penalty, a lenient punishment shall be imposed. **Article 11.** Where citizens' personal information is illegally obtained and subsequently sold or provided, the number of items of citizens' personal information shall not be counted repeatedly. Where the same citizens' personal information is separately sold or provided to different entities or individuals, the number of items of citizens' personal information shall be calculated cumulatively. The number of items of citizens' personal information obtained in batches shall be determined directly on the basis of the quantity seized, except where there is evidence proving that the information is untrue or duplicated. **Article 12.** With respect to the crime of infringing upon citizens' personal information, a fine shall be imposed in accordance with the law, taking into comprehensive consideration the degree of harm of the crime, the amount of illegal gains, the defendant's prior criminal record, and the attitude of confession and remorse. The amount of the fine shall generally be not less than one time but not more than five times the illegal gains. **Article 13.** This Interpretation shall come into force as of June 1, 2017. --- ## Explanation of Common Terms in the Field of Data (First Batch) - Chinese title: 数据领域常用名词解释(第一批) - Abbreviation: Data Terms Batch 1 - Hierarchy: rule - Issuing body: National Data Administration - Adopted: 2024-12-30 - Effective: 2024-12-30 - Status: effective - URL: https://datacompliancechina.com/laws/common-data-terms-batch-1/ - Markdown: https://datacompliancechina.com/laws/common-data-terms-batch-1.md ### Summary The first installment of official terminology explanations issued by the National Data Administration. Establishes authoritative Chinese government definitions for 40 foundational data-field concepts including data, primary data, data resources, data elements, data products and services, data assets, data handling, data handler, commissioned data handler, data circulation, data transaction, data governance, data security, public data, digital industrialization, industrial digitalization, metadata, structured/semi-structured/unstructured data, privacy-protective computation (secure multi-party computing, federated learning, trusted execution environment, cryptographic computing), and blockchain. ### Full text **Promulgated by:** National Data Administration. Issued by the National Data Administration on December 30, 2024 by the Drafting Expert Team for Explanation of Terms in the Field of Data. Effective December 30, 2024. --- > *Editor's Note — DCC.* The National Data Administration (国家数据局) released this first batch of standardized term explanations on December 30, 2024 as part of building consensus on data-field vocabulary. The 40 terms below establish official Chinese government definitions for foundational data-economy concepts. We have preserved the official bilingual translation as-is; minor stylistic spacing in the source ("Semi- structured", "Non- structured") has been corrected. ## Background In order to promote the building of consensus, with the strong support of all walks of life, we have carefully studied and developed the *Explanation of Common Terms in the Field of Data (First Batch)*. We will subsequently make iterative improvement in light of practice and development needs and welcome the continuous attention of the community. — Drafting Expert Team for Explanation of Terms in the Field of Data, December 30, 2024 ## Annex: Explanation of Common Terms in the Field of Data (First Batch) **1. 数据.** "Data" refer to any recording of information in an electronic or other form. Data are referred to as primary data, derived data, data resources, data products and services, data assets, data elements, etc., under different perspectives. **2. 原始数据.** "Primary data" refer to the data that are first generated or collected at the source and have not been processed. **3. 数据资源.** "Data resources", a general term for data with potential for value creation, usually refer to a collection of data recorded and saved in electronic form, readable by machine, and available for social reuse. **4. 数据要素.** "Data elements" refer to the data resources that are invested into production and business activities and participate in value creation. **5. 数据产品和服务.** "Data products and services" refer to the data processing products and data services that are formed on the basis of data processing and can meet specific needs. **6. 数据资产.** "Data assets" refer to the data resources that are legally owned or controlled by specific subjects, can be measured in monetary terms, and can bring about economic benefits or social benefits. **7. 数据要素市场化配置.** "Market-oriented allocation of data elements" refers to the allocation of data as a new type of production element under the market mechanism, in order to establish a more open, safe and efficient data circulation environment and continuously release the value of data elements. **8. 数据处理.** "Data handling" includes the collection, storage, use, processing, transmission, provision and publication of data. **9. 数据处理者.** "Data handler" refers to an individual or organization that independently determines the purpose and method of handling in the data handling activities. **10. 受托数据处理者.** "Commissioned data handler" refers to an individual or organization that receive a commission from others to handle data. **11. 数据流通.** "Data circulation" refers to the process of the flow of data between different subjects, including data opening, sharing, transaction, exchange, etc. **12. 数据交易.** "Data transaction" refers to a transaction between a supplier and a demander in respect of data, in which data in a specific form is taken as subject matter and currency or other equivalent is taken as consideration. **13. 数据治理.** "Data governance" refers to the process of improving the quality, security and compliance of data and promoting the effective use of data, including organizational data governance, industry data governance, social data governance, etc. **14. 数据安全.** "Data security" refers to ensuring that data are in a state of effective protection and lawful use by taking necessary measures, as well as having the ability to maintain a continuous state of security. **15. 公共数据.** "Public data" refer to the data generated in the process of legally performing their duties or providing public services by the Party and government organs at all levels, enterprises and public institutions. **16. 数字产业化.** "Digital industrialization" refers to the process of transforming digital technologies, such as mobile communication and artificial intelligence, into digital products and services and the transformation of data into resources and elements to form new digital industries, new business forms and new models. **17. 产业数字化.** "Industrial digitalization" refers to the process in which traditional agriculture, industry, service industry and other industries apply digital technologies, collect and integrate data and mine the value of data resources to improve the efficiency of business operation, reduce the costs of production and operation, reconstruct the thinking and cognition, completely rebuild the mode of organization and management, systematically reform the process of production and operation, and constantly improve the total factor productivity. **18. 数字经济高质量发展.** "The high-quality development of the digital economy" refers to the new stage of the development of the digital economy, in which the reform of market-oriented allocation of data elements is the main line and the goal of making the digital economy stronger, better and larger by improving the basic data system and digital infrastructure in a coordinated manner, comprehensively promoting the deep integration of digital technologies and real economy, and continuously improving the governance capacity and level of international cooperation of the digital economy, is achieved. **19. 数字消费.** "Digital consumption" refers to the consumption activities and consumption patterns that are formed with digital technologies and application support, which include not only the consumption of digital intelligence technologies, products and services, but also the digitalization and intelligence of consumption contents, channels and environment, and the new consumption pattern with deep integration of online and offline. **20. 产业互联网.** "Industrial Internet" refers to the process in which digital technologies and data elements are used to promote the data integration of the whole industry chain, enable the digitalized, network-based and intelligent development of the industry, promote the reorganization and reform of business processes, organizational structures and production modes etc., achieve the collaborative transformation of upstream and downstream of the industry chain, integrate online and offline development, reduce costs and increase efficiency and achieve high-quality development of the whole industry, and thus form a new system of industrial collaboration, resource allocation and value creation. **21. 城市全域数字化转型.** "Citywide digital transformation" refers to the new mode of high-quality urban development in which cities reconstruct technical frameworks, reform urban management process and deeply integrate industries with cities by comprehensively deepening the data integration, development and utilization as the main line and comprehensively using digital technologies and institutional innovation tools, so as to promote the efficiency improvement in all areas of digital transformation, the all-round enhancement of support capability, and the optimization of the whole ecological process of transformation. **22. 东数西算工程.** The "East Data and West Computing" project is a key project whereby data and demands arising from economic activities in eastern regions are computed and processed in western regions under overall planning for data center in terms of layout, network, electricity power, energy consumption, computing power and data, etc. For such business scenarios as the training and reasoning of artificial intelligence models and machine learning, eastern businesses may be relocated to areas with abundant wind, water, and electricity in western regions to achieve coordinated development of the eastern and western regions by way of "East Data and West Computing". Accelerating the construction of the "East Data and West Computing" project will effectively stimulate the innovation vitality of data elements, speed up the process of digital industrialization and industrial digitization, generate new technologies, new industries, new types of business and new models, and support high-quality economic development. **23. 高速数据网.** "High-speed data network" refers to the provision of data transmission services with flexible bandwidth, security, reliability and efficient transmission by relying on network virtualization, software definition network (SDN) and other technologies for data circulation and utilization scenarios. **24. 全国一体化算力网.** "Integrated national computing power network" refers to digital infrastructure, which takes information network technology as carrier, to promote a high proportion of various computing power resources nationwide and large-scale integrated scheduling and operation. As the 2.0 version of the "East Data and West Computing" project, it has four typical characteristics: intensification, integration, synergy and value. **25. 元数据.** "Metadata" refer to the data that define and describe specific data, which provide information about the structure, characteristics and relationships of data, and help to organize, search, understand and manage data. **26. 结构化数据.** "Structured data" refer to a data representation form in which the structure of each record that is a collection of data elements is consistent and can be effectively described with a relational model. **27. 半结构化数据.** "Semi-structured data" refer to a form of data structure that does not conform to the structure of the data model associated with relational databases or other forms of data tables but contains relevant tags to separate semantic elements and hierarchies of records and fields. **28. 非结构化数据.** "Non-structured data" refer to the data that does not have a predefined model or is not organized in a predefined manner. **29. 数据分析.** "Data analysis" refers to the process of sorting, studying, reasoning and summarizing data with specific techniques and methods, so as to extract useful information, find rules and form conclusions from the data. **30. 数据挖掘.** "Data mining" refers to a means of data analysis, which is the process of mining information or value hidden in data with statistical analysis, machine learning, pattern recognition, expert system and other technologies. **31. 数据可视化.** "Data visualization" refers to the process of clearly and effectively conveying the useful information contained in the data by statistical charts, graphs, maps and other graphic means, so as to facilitate better understanding and analysis of data by data users. **32. 数据仓库.** "Data warehouse" refers to a database that is used for permanent storage of data after data preparation. **33. 数据湖.** "Data lake" refers to a highly expandable data storage architecture, which is specially used for the storage of large amounts of original data and derived data from various sources and existing in different formats, including structured, semi- structured and unstructured data. **34. 湖仓一体.** "The integration of lake and warehouse" refers to a new and open storage architecture, which connects the data warehouse and the data lake, and integrates the high performance and management capability of the data warehouse with the flexibility of the data lake, in which the bottom layer supports multiple data types and can realize the mutual sharing of the data, and the upper layer can access through a uniform encapsulated interface and can support real-time query and analysis at the same time. **35. 隐私保护计算.** "Privacy-protective computation" refers to a type of information technology used to analyze and compute data on the premise that the data provider will not divulge the original data, in order to ensure that data "may be available but may not be visible" in each link of the whole process of data flow including data generation, storage, computation, application and destruction etc. The common technical schemes of privacy-protective computing include secure multi-party computing, federated learning, trusted execution environment, cryptographic computing and so on. The common underlying technologies include confusion circuit, inadvertent transmission, secret sharing, homomorphic encryption and so on. **36. 安全多方计算.** "Secure multi-party computing" refers to that in a distributed network, multiple participating entities respectively hold secret data, and they want to use these data as inputs to jointly complete the computation on a certain function, while each participating entity is required to obtain no input information from other participating entities except the computation result and information that is expected to be disclosed. Secure multi-party computing mainly studies the problem of secure multi-party collaborative computation without a trusted third party. **37. 联邦学习.** "Federated learning" refers to a mode in which multiple participants exchange intermediate computation results in a manner of protecting private data, so as to cooperate to complete a machine learning task, on the premise that their original private data do not go out of the trusted domain defined by the data provider. **38. 可信执行环境.** "Trusted execution environment" refers to a software running environment that is built to ensure the confidentiality, integrity, authenticity and non-repudiation of data and codes relating to security-sensitive applications based on hardware-level isolation and secure boot mechanism. **39. 密态计算.** "Cryptographic computing" refers to that by making comprehensive use of cryptography, trusted hardware and system security related technologies, data in the computation process can be used and invisible, and computation results can be kept in cryptographic state, so as to support the construction of complex combination computation, achieve computation full-link security, and prevent data leakage and abuse. **40. 区块链.** "Blockchain" is a new database software integrated with distributed network, encryption technology, smart contract and other technologies, which has the characteristics of multi-centrality, consensus trusted, tamper-proof and traceability etc. and is mainly used to solve the trust and security problems in the process of data flow. --- ## Reply of the Research Office of the Supreme People's Procuratorate on the Solicitation of Opinions Concerning the Application of Law in the Crime of Infringing upon Citizens' Personal Information - Chinese title: 最高人民检察院法律政策研究室关于侵犯公民个人信息罪有关法律适用问题征求意见的复函 - Abbreviation: SPP PI Crime Reply - Hierarchy: judicial - Issuing body: Research Office of the Supreme People's Procuratorate - Adopted: 2018-01-01 - Effective: 2018-01-01 - Status: effective - URL: https://datacompliancechina.com/laws/spp-pi-crime-reply-letter/ - Markdown: https://datacompliancechina.com/laws/spp-pi-crime-reply-letter.md ### Summary A short reply letter (Fa Yan [2018] No. 11) addressing whether 'citizens' personal information' under Article 253a of the Criminal Law is confined to the personal information of Chinese nationals. It concludes that the term covers not only the personal information of Chinese citizens but also that of foreign nationals and stateless persons, reasoning from the wording of the statute, legislative intent (equal protection), and judicial practice (excluding foreigners would let offenders escape punishment and be unworkable in mixed-data cases). ### Full text **Promulgated by:** Research Office of the Supreme People's Procuratorate. **Document No.:** Fa Yan [2018] No. 11. **Issued in 2018. Effective in 2018.** --- To the Research Office of the Supreme People's Procuratorate: Your Office's Letter Soliciting Opinions on Issues Concerning the Application of Law in the Crime of Infringing upon Citizens' Personal Information (Gao Jian Yan Han Zi [2018] No. 1) has been received. Upon study, we agree in principle that "citizens' personal information" as prescribed in Article 253a of the Criminal Law includes not only the personal information of Chinese citizens, but also the personal information of foreign citizens and other stateless persons. The principal considerations are as follows: (1) In terms of the statutory wording, Article 253a of the Criminal Law provides for "citizens' personal information" and does not limit it to "the personal information of citizens of the People's Republic of China"; therefore, "citizens' personal information" here should not be restricted to the personal information of Chinese citizens. (2) In terms of legislative intent, the information of foreigners and stateless persons should receive equal protection under the Criminal Law in the same manner as the information of Chinese citizens. (3) In terms of judicial practice, excluding the personal information of foreign nationals and stateless persons from the protection of the Criminal Law would let crimes go unpunished. In particular, where a case of infringing upon citizens' personal information involves both the personal information of Chinese citizens and that of foreign citizens and stateless persons, punishing only the portion involving the personal information of Chinese citizens would be neither reasonable nor workable. --- ## Basic Medical and Health Care and Health Promotion Law of the People's Republic of China - Chinese title: 中华人民共和国基本医疗卫生与健康促进法 - Abbreviation: Basic Health Care Law - Hierarchy: law - Issuing body: Standing Committee of the National People's Congress - Adopted: 2019-12-28 - Effective: 2020-06-01 - Status: effective - URL: https://datacompliancechina.com/laws/basic-medical-health-care-promotion-law/ - Markdown: https://datacompliancechina.com/laws/basic-medical-health-care-promotion-law.md - Source URL: https://wsjkw.nx.gov.cn/zfxxgk_279/zcfg/202109/t20210906_3006970.html ### Summary China's foundational health-sector statute, enacted by the NPCSC on 28 December 2019 and effective from 1 June 2020, establishes the architecture of the national health-care system across 10 chapters and 110 articles — covering basic medical and public-health services, health-care institutions, medical personnel, drug supply, health promotion, funding, and supervision. For data-compliance purposes the central provision is Article 92, which lays down a sector-specific protection regime for citizens' personal health information (公民个人健康信息) that operates as an overlay on PIPL: it prohibits any organisation or individual from unlawfully collecting, using, processing, or transmitting such information, or from unlawfully buying, selling, providing, or disclosing it. Article 102 makes disclosure of personal health information by medical personnel a disciplinary offence, and Articles 101 and 105 attach administrative and public-security penalties to inadequate information-security systems and unlawful data handling. Overseas counsel advising on health-data projects, clinical-trial data transfers, or digital-health deployments in China should read this law alongside PIPL and the Cybersecurity Law to identify the full stack of obligations. ### Full text **Promulgated by:** Standing Committee of the National People's Congress. **Presidential Decree No. 38.** **Adopted at the Fifteenth Session of the Standing Committee of the Thirteenth National People's Congress on December 28, 2019. Effective June 1, 2020.** --- ## Chapter I General Provisions **Article 1.** This Law is formulated in accordance with the Constitution in order to develop the cause of medical care, health care and health promotion, ensure that citizens enjoy basic medical and health-care services, improve citizens' health, and advance the building of a Healthy China. **Article 2.** This Law applies to activities of medical care, health care, health promotion, and the supervision and administration thereof. **Article 3.** The cause of medical care, health care and health promotion shall adhere to a people-centred approach and serve the health of the people. Medical care and health-care undertakings shall adhere to the principle of public interest. **Article 4.** The State and society respect and protect citizens' right to health. The State implements the Healthy China Strategy, promotes healthy living, optimises health services, improves health protection, develops healthy environments, grows health industries, and raises citizens' health levels across the full life cycle. The State establishes a health-education system, guarantees citizens' right to receive health education, and improves citizens' health literacy. **Article 5.** Citizens are entitled, in accordance with law, to obtain basic medical and health-care services from the State and society. The State establishes a basic medical and health-care system, builds and improves the medical and health-care service system, and protects and realises citizens' right to obtain basic medical and health-care services. **Article 6.** People's governments at all levels shall place the people's health in a strategically priority position for development, incorporate health concepts into all policies, adhere to prevention as the priority, improve the health-promotion work system, organise and implement health-promotion plans and actions, promote nationwide fitness, establish a health-impact assessment system, and incorporate improvement of citizens' major health indicators into government performance assessments. The whole of society shall jointly care about and support the development of medical care, health care and health promotion. **Article 7.** The State Council and local people's governments at all levels shall lead the work of medical care, health care and health promotion. The health administration department of the State Council shall be responsible for coordinating national medical care, health care and health-promotion work. Other relevant departments of the State Council shall be responsible for related medical care, health care and health-promotion work within their respective scopes of duties. Health administration departments of local people's governments at or above the county level shall be responsible for coordinating medical care, health care and health-promotion work within their respective administrative regions. Other relevant departments of local people's governments at or above the county level shall be responsible for related medical care, health care and health-promotion work within their respective scopes of duties. **Article 8.** The State shall strengthen basic medical science research, encourage innovation in medical science and technology, support the development of clinical medicine, promote the conversion and application of medical science and technology achievements, advance the integration of medical care and health care with information technology, promote appropriate medical and health-care technologies, and improve the quality of medical and health-care services. The State shall develop medical education, improve a medical education system adapted to the needs of the development of the medical care and health-care sector, and vigorously cultivate medical and health-care personnel. **Article 9.** The State shall vigorously develop traditional Chinese medicine (TCM), adhere to equal emphasis on TCM and Western medicine and the integration of inheritance with innovation, and give full play to the unique role of TCM in the medical care, health care and health-promotion sector. **Article 10.** The State shall rationally plan and allocate medical and health-care resources, focus on primary-level institutions, and take multiple measures to give priority support to the development of medical and health-care institutions below the county level so as to improve their medical and health-care service capacity. **Article 11.** The State shall increase fiscal investment in the medical care, health care and health-promotion sector, and through increasing transfer payments and other means, give priority support to the development of medical care and health-care undertakings in revolutionary base areas, areas inhabited by ethnic minorities, border areas and economically underdeveloped areas. **Article 12.** The State shall encourage and support citizens, legal persons, and other organisations to participate in the medical care, health care and health-promotion sector through lawfully establishing institutions, making donations, providing sponsorship, and other means, so as to meet citizens' diverse, differentiated and personalised health needs. Citizens, legal persons, and other organisations that donate property for the medical care, health care and health-promotion sector shall enjoy tax incentives in accordance with law. **Article 13.** Organisations and individuals that have made outstanding contributions to the medical care, health care and health-promotion sector shall be commended and rewarded in accordance with State regulations. **Article 14.** The State shall encourage and support international exchanges and cooperation in the field of medical care, health care and health promotion. International exchanges and cooperation activities in medical care, health care and health promotion shall comply with laws and regulations and safeguard national sovereignty, security, and the public interest of society. ## Chapter II Basic Medical and Health-Care Services **Article 15.** "Basic medical and health-care services" refers to services for disease prevention, diagnosis, treatment, nursing, and rehabilitation that are necessary to maintain human health, commensurate with the level of economic and social development, equitably accessible to citizens, and provided using appropriate medicines, appropriate technologies, and appropriate equipment. Basic medical and health-care services include basic public-health services and basic medical services. Basic public-health services are provided by the State free of charge. **Article 16.** The State shall take measures to ensure that citizens have access to safe and effective basic public-health services, control health risk factors, and raise the level of disease prevention and control. The national basic public-health service programme shall be determined jointly by the health administration department of the State Council together with the finance department of the State Council, the TCM administration department, and other relevant departments. People's governments of provinces, autonomous regions, and municipalities directly under the central government may supplement the national basic public-health service programme by specifying additional basic public-health service programmes for their administrative regions and shall report such programmes to the health administration department of the State Council for filing. **Article 17.** The State Council and people's governments of provinces, autonomous regions, and municipalities directly under the central government may incorporate services targeted at key areas, key diseases, and specific groups of people into the basic public-health service programme and organise their implementation. Local people's governments at or above the county level shall carry out special prevention and control work targeting major diseases and principal health risk factors in their administrative regions. **Article 18.** People's governments at or above the county level shall provide basic public-health services by establishing specialised public-health institutions, primary-level medical and health-care institutions, and hospitals, or by purchasing services from other medical and health-care institutions. **Article 19.** The State shall establish and improve an emergency public-health response system for sudden incidents, formulate and improve emergency plans, and organise and conduct emergency public-health work such as medical rescue, epidemiological investigations, and psychological support in response to sudden incidents so as to effectively control and eliminate harm. **Article 20.** The State shall establish a communicable-disease prevention and control system, formulate and implement plans for the prevention and treatment of communicable diseases, strengthen communicable-disease surveillance and early warning, adhere to prevention as the priority and combine prevention with treatment, implement joint prevention and control, community-based prevention and control, source prevention and control, and comprehensive governance, block transmission routes, protect susceptible populations, and reduce the harm caused by communicable diseases. Any organisation and individual shall accept and cooperate with investigations, inspections, sample collections, isolation treatment, medical observation, and other measures lawfully taken by medical and health-care institutions to prevent, control, and eliminate the harm of communicable diseases. **Article 21.** The State shall implement a vaccination system and strengthen immunisation planning work. Residents have the right and obligation to receive planned immunisation vaccines in accordance with law. The government shall provide planned immunisation vaccines to residents free of charge. **Article 22.** The State shall establish a prevention and management system for non-communicable chronic diseases, conduct surveillance, investigation, and comprehensive prevention and intervention regarding non-communicable chronic diseases and their causative risk factors, promptly identify high-risk groups, and provide diagnosis and treatment, early intervention, follow-up management, and health-education services to patients and high-risk groups. **Article 23.** The State shall strengthen occupational health protection. People's governments at or above the county level shall formulate occupational disease prevention and treatment plans, establish and improve occupational health working mechanisms, strengthen occupational health supervision and administration, and raise the overall capacity and standard of occupational disease prevention and treatment. Employing units shall control occupational disease risk factors, adopt comprehensive governance measures including engineering controls, personal protective equipment, and health management, and improve working environments and conditions. **Article 24.** The State shall develop maternal and child health-care undertakings, establish and improve the maternal and child health-care service system, provide health-care and common-disease prevention and treatment services to women and children, and protect the health of women and children. The State shall take measures to provide citizens with pre-marital health care, antenatal and perinatal health care, and other services, promote reproductive health, and prevent birth defects. **Article 25.** The State shall develop health-care undertakings for the elderly. The State Council and people's governments of provinces, autonomous regions, and municipalities directly under the central government shall incorporate health management and common-disease prevention for the elderly into basic public-health service programmes. **Article 26.** The State shall develop disability-prevention and disabled-persons' rehabilitation undertakings, improve the disability-prevention and disabled-persons' rehabilitation and support system, and take measures to provide basic rehabilitation services for persons with disabilities. People's governments at or above the county level shall give priority to rehabilitation work for children with disabilities, and shall integrate rehabilitation with education. **Article 27.** The State shall establish and improve a pre-hospital emergency-care system to provide timely, standardised, and effective emergency services to patients in critical condition. Health administration departments, Red Cross organisations, and other relevant departments and organisations shall actively carry out first-aid training and popularise first-aid knowledge; medical and health-care personnel and persons who have received first-aid training are encouraged to actively participate in first-aid services in public places. Public places shall be equipped with necessary first-aid equipment and facilities as required. Emergency-care centres (stations) shall not refuse or delay providing emergency services to patients in critical condition on the grounds of non-payment. **Article 28.** The State shall develop mental health undertakings, build and improve the mental health service system, maintain and promote citizens' psychological health, and prevent and treat mental disorders. The State shall take measures to strengthen the construction of the psychological health service system and talent pool, promote effective integration of psychological health education, psychological assessment, psychological counselling, and psychotherapy services, establish public-interest psychological assistance hotlines for the public, and strengthen psychological health services for key groups including minors, persons with disabilities, and the elderly. **Article 29.** Basic medical services shall be provided mainly by government-funded medical and health-care institutions. Medical and health-care institutions established by social forces are encouraged to provide basic medical services. **Article 30.** The State shall advance the implementation of a tiered diagnosis and treatment system for basic medical services, guide non-emergency patients to first seek treatment at primary-level medical and health-care institutions, implement a system of first-treating physician responsibility and referral review responsibility, and progressively establish a mechanism with primary-level first treatment, two-way referrals, separate management of acute and chronic conditions, and top-down linkage, which shall be integrated with the basic medical insurance system. Local people's governments at or above the county level shall, according to medical and health-care needs in their administrative regions, integrate government-funded medical and health-care resources within the region, and establish medical consortia and other coordinated and linked medical-service cooperation mechanisms suited to local conditions. Medical and health-care institutions established by social forces are encouraged to participate in medical-service cooperation mechanisms. **Article 31.** The State shall advance the implementation of family-doctor contracted services at primary-level medical and health-care institutions, establish family-doctor service teams, sign agreements with residents, and provide basic medical and health-care services according to residents' health status and medical needs. **Article 32.** Citizens who receive medical and health-care services are entitled in accordance with law to informed consent regarding their condition, diagnosis and treatment plan, medical risks, medical costs, and other matters. Where surgery, special examinations, or special treatment need to be carried out, medical and health-care personnel shall promptly explain to the patient the medical risks, alternative treatment options, and other matters, and obtain the patient's consent; where it is not possible or appropriate to explain to the patient, explanations shall be given to the patient's close relatives, and their consent shall be obtained. Where laws provide otherwise, those provisions shall apply. Clinical trials of medicines and medical devices and other medical research shall comply with medical ethics norms, undergo ethics review in accordance with law, and obtain informed consent. **Article 33.** Citizens who receive medical and health-care services shall be treated with respect. Medical and health-care institutions and medical and health-care personnel shall care for and show concern to patients, treat all patients equally, respect patients' personal dignity, and protect patients' privacy. Citizens who receive medical and health-care services shall comply with the diagnosis and treatment system and the order of medical and health-care services, and shall respect medical and health-care personnel. ## Chapter III Medical and Health-Care Institutions **Article 34.** The State shall establish and improve a medical and health-care service system covering both urban and rural areas, with complementary functions and continuous coordination, composed of primary-level medical and health-care institutions, hospitals, specialised public-health institutions, and other entities. The State shall strengthen the construction of county-level hospitals, township health centres, village clinics, community health service centres (stations), and specialised public-health institutions, and shall establish and improve rural medical and health-care service networks and urban community health-care service networks. **Article 35.** Primary-level medical and health-care institutions shall primarily provide basic medical and health-care services including prevention, health care, health education, and disease management; establishing health records for residents; diagnosis and treatment of common and frequently occurring diseases and rehabilitation and nursing for some diseases; receiving patients transferred from hospitals; and referring to hospitals patients whose conditions exceed the institutions' service capacity. Hospitals shall primarily provide medical and health-care services including disease diagnosis and treatment — especially for critically ill, severely ill, and difficult-to-treat patients — medical treatment and emergency response for sudden incidents, and health education; and shall carry out medical education, training of medical and health-care personnel, medical science research, and guidance on the work of primary-level medical and health-care institutions. Specialised public-health institutions shall primarily provide public-health services including prevention and control of communicable diseases, non-communicable chronic diseases, occupational diseases, and endemic diseases; health education; maternal and child health care; mental health; pre-hospital emergency care; blood collection and supply; food-safety risk monitoring and assessment; and birth-defect prevention and treatment. **Article 36.** Medical and health-care institutions at all levels and of all types shall divide labour and collaborate, providing citizens with all-round and full-life-cycle medical and health-care services covering prevention, health care, treatment, nursing, rehabilitation, and palliative care. People's governments at all levels shall take measures to support medical and health-care institutions in establishing cooperation mechanisms with elderly-care institutions, children's welfare institutions, and community organisations so as to provide safe and convenient medical and health services to the elderly and orphaned or disabled children. **Article 37.** People's governments at or above the county level shall formulate and implement plans for medical and health-care service systems, rationally allocate medical and health-care resources, and establish medical and health-care institutions to ensure that citizens can obtain basic medical and health-care services. When the government establishes medical and health-care institutions, it shall take into account the population, level of economic and social development, medical and health-care resources, health risk factors, morbidity, prevalence, and emergency medical needs of the administrative region. **Article 38.** To establish a medical institution, the following conditions shall be met, and approval or filing procedures shall be completed in accordance with relevant State regulations: (1) there is a name, organisational structure, and premises that comply with requirements; (2) there are funds, facilities, equipment, and medical and health-care personnel commensurate with its business activities; (3) there are corresponding rules and regulations; (4) it is able to independently bear civil liability; and (5) other conditions prescribed by laws and administrative regulations. Medical institutions shall obtain a practice licence in accordance with law. Forging, altering, buying, selling, renting out, or lending a medical institution practice licence is prohibited. The specific conditions and configuration of medical and health-care institutions at all levels and of all types shall comply with the standards for medical and health-care institutions formulated by the health administration department of the State Council. **Article 39.** The State shall implement classified management of medical and health-care institutions. The medical and health-care service system shall be anchored in non-profit medical and health-care institutions as the main body, with profit-making medical and health-care institutions as a supplement. Government-funded non-profit medical and health-care institutions shall play a leading role in basic medical and health-care undertakings and ensure the fair accessibility of basic medical and health-care services. Medical and health-care institutions established or co-established with government funds or donated assets shall not be set up as profit-making medical and health-care institutions. Medical and health-care institutions shall not rent out or contract out medical departments to outside parties. Non-profit medical and health-care institutions shall not distribute or covertly distribute profits to investors or founders. **Article 40.** Government-funded medical and health-care institutions shall adhere to their public-interest nature; all revenues and expenditures shall be incorporated into budgetary management; and they shall be rationally established and their scale controlled in accordance with medical and health-care service system plans. The State shall encourage government-funded medical and health-care institutions to cooperate with social forces to establish non-profit medical and health-care institutions. Government-funded medical and health-care institutions shall not jointly invest with other organisations to establish medical and health-care institutions that lack independent legal-person status, and shall not cooperate with social capital to establish profit-making medical and health-care institutions. **Article 41.** The State shall take multiple measures to encourage and guide social forces to lawfully establish medical and health-care institutions, and shall support and regulate medical and health-care institutions established by social forces in carrying out various forms of cooperation with government-funded medical and health-care institutions in medical services, discipline building, and personnel training. Medical and health-care institutions established by social forces shall enjoy the same rights as government-funded medical and health-care institutions in respect of designation as basic medical insurance providers, key specialty construction, scientific research and education, grade evaluation, access to specific medical technologies, and professional title assessment for medical and health-care personnel. Social forces may choose to establish non-profit or profit-making medical and health-care institutions. Non-profit medical and health-care institutions established by social forces shall, in accordance with regulations, enjoy the same policies as government-funded medical and health-care institutions regarding taxes, fiscal subsidies, and the use of land, water, electricity, gas, and heat, and shall accept supervision and administration in accordance with law. **Article 42.** The State shall, on the basis of established medical and health-care institutions, rationally plan and establish national medical centres and national and provincial regional medical centres to treat difficult and serious illnesses, conduct research to overcome major medical challenges, and train high-level medical and health-care personnel. **Article 43.** Medical and health-care institutions shall comply with laws, regulations, and rules, establish and improve internal quality management and control systems, and bear responsibility for the quality of medical and health-care services. Medical and health-care institutions shall carry out examinations, prescribe medicines, and provide diagnosis and treatment in a rational manner in accordance with clinical diagnostic and treatment guidelines, clinical technical operating standards, industry standards, and medical ethics norms; shall strengthen the prevention of medical and health-care safety risks; shall optimise service processes; and shall continuously improve the quality of medical and health-care services. **Article 44.** The State shall implement classified management of the clinical application of medical and health-care technologies, and shall apply strict management to medical and health-care technologies that present high technical difficulty or high medical risk and that require a high level of service capacity and professional technical competence. Medical and health-care institutions engaging in the clinical application of medical and health-care technologies shall ensure that such application is commensurate with their functions and tasks, and shall follow the principles of science, safety, standardisation, effectiveness, and economy, and comply with ethics. **Article 45.** The State shall establish a modern hospital management system characterised by clear rights and responsibilities, scientific management, sound governance, efficient operation, and effective supervision. Hospitals shall formulate charters, establish and improve legal-person governance structures, and improve medical and health-care service capacity and operational efficiency. **Article 46.** Medical and health-care institutions' premises are public places for the provision of medical and health-care services; no organisation or individual shall disrupt order therein. **Article 47.** The State shall improve medical risk-sharing mechanisms, encourage medical institutions to participate in medical liability insurance or to establish medical risk funds, and encourage patients to participate in medical accident insurance. **Article 48.** The State shall encourage medical and health-care institutions to continuously improve technologies, equipment, and services in prevention, health care, diagnosis, treatment, nursing, and rehabilitation, and shall support the development of medical and health-care technologies suited to primary-level and remote areas. **Article 49.** The State shall advance the informatisation of health coverage for all, promote the application and development of big health-care data, artificial intelligence (AI), and other technologies, accelerate the construction of medical and health-care information infrastructure, formulate technical standards for the collection, storage, analysis, and application of health-care data, and use information technology to promote the universalisation and sharing of quality medical and health-care resources. People's governments at or above the county level and their relevant departments shall take measures to advance the application of information technology in the medical and health-care sector and in medical education, and support the exploration of new models and new forms of medical and health-care services. The State shall take measures to advance medical and health-care institutions' establishment and improvement of medical and health-care information exchange and information-security systems, apply information technology to provide telemedicine services, and build an integrated online and offline medical service model. **Article 50.** When sudden incidents such as natural disasters, accident disasters, public-health events, and social-security events occur that seriously threaten the lives and health of the people, medical and health-care institutions and medical and health-care personnel shall follow the dispatch of government departments and participate in public-health emergency response and medical rescue. Those who become ill, disabled, or die as a result of their participation shall receive work-related injury benefits, consolation benefits, commendation for martyrs, or other relevant treatment in accordance with regulations. ## Chapter IV Medical and Health-Care Personnel **Article 51.** Medical and health-care personnel shall carry forward the noble professional spirit of revering life, saving the dying and healing the wounded, willingness to contribute selflessly, and boundless love; shall comply with industry norms and uphold medical ethics; and shall strive to improve their professional level and service quality. Medical and health-care industry organisations, medical and health-care institutions, and medical colleges and universities shall strengthen medical ethics education for medical and health-care personnel. **Article 52.** The State shall formulate plans for the cultivation of medical and health-care personnel, establish mechanisms for cultivating medical and health-care personnel that are adapted to industry characteristics and social needs and for balancing supply and demand, improve the education system covering medical college education, post-graduation education, and continuing education, establish and improve systems for standardised training of resident physicians and specialist physicians, and build a medical and health-care team of appropriate scale, rational structure, and balanced distribution. The State shall strengthen the cultivation and employment of general practitioners. General practitioners shall primarily provide diagnosis and treatment of common and frequently occurring diseases, referrals, prevention, health care, and rehabilitation, as well as chronic disease management, health management, and other services. **Article 53.** The State shall implement a system of practice registration for physicians, nurses, and other medical and health-care personnel in accordance with law. Medical and health-care personnel shall obtain corresponding professional qualifications in accordance with law. **Article 54.** Medical and health-care personnel shall follow the rules of medical science, comply with relevant clinical diagnostic and treatment technical standards and operational standards as well as medical ethics norms, use appropriate technologies and medicines, carry out rational diagnosis and treatment tailored to the patient's illness, and shall not subject patients to over-treatment. Medical and health-care personnel shall not exploit their positions to solicit or unlawfully receive property or seek other improper benefits. **Article 55.** The State shall establish and improve personnel, remuneration, and reward systems that reflect the characteristics of the medical and health-care sector, embody the professional characteristics and the value of the technical labour of medical and health-care personnel. Medical and health-care personnel engaged in communicable-disease prevention and treatment, radiation medicine, and mental health work, as well as those working in other special posts, shall be paid appropriate allowances in accordance with State regulations. Standards for such allowances shall be adjusted regularly. **Article 56.** The State shall establish a system requiring medical and health-care personnel to periodically provide medical and health-care services at primary-level institutions and in remote and difficult areas. The State shall adopt measures such as targeted tuition-free training, pairing-up assistance, and rehiring of retirees to strengthen the construction of medical and health-care teams at primary-level institutions and in remote and difficult areas. Practising physicians seeking promotion to associate senior technical positions shall have accumulated experience of at least one year providing medical and health-care services at medical and health-care institutions at or below the county level or at paired-up institutions. Medical and health-care personnel working at primary-level institutions and in remote and difficult areas shall receive preferential treatment in respect of salary and allowances, professional title assessment, career development, education and training, and commendation and awards. The State shall strengthen the construction of rural medical and health-care teams, establish a career development mechanism linking counties, townships, and villages, and improve the multi-channel supplementary compensation mechanism and retirement policies for rural medical and health-care personnel. **Article 57.** The whole of society shall care about and respect medical and health-care personnel, maintain a good and safe order of medical and health-care services, and jointly build a harmonious doctor-patient relationship. Medical and health-care personnel's personal safety and personal dignity shall be inviolable, and their lawful rights and interests are protected by law. Any organisation or individual is prohibited from threatening or endangering the personal safety of medical and health-care personnel or infringing upon their personal dignity. The State shall take measures to safeguard the practice environment for medical and health-care personnel. ## Chapter V Drug Supply and Security **Article 58.** The State shall improve the drug supply and security system, establish work coordination mechanisms, and ensure the safety, effectiveness, and accessibility of medicines. **Article 59.** The State shall implement the essential medicines system, select an appropriate number of essential medicine varieties, and meet the basic medication needs for disease prevention and treatment. The State shall publish the essential medicines catalogue and shall dynamically adjust it based on clinical drug application practices, changes to drug standards, and new drugs coming to market. Essential medicines shall be incorporated into the basic medical insurance medicines catalogue on a priority basis as required. The State shall improve the supply capacity for essential medicines, strengthen quality supervision of essential medicines, and ensure that essential medicines are equitably accessible and rationally used. **Article 60.** The State shall establish and improve a clinical-demand-oriented drug review and approval system, and shall support the research, development, and production of urgently needed clinical medicines, paediatric medicines, and medicines for preventing and treating rare diseases and major diseases, so as to meet disease prevention and treatment needs. **Article 61.** The State shall establish and improve a full-process traceability system covering the research and development, production, distribution, and use of medicines, strengthen drug administration, and ensure drug quality. **Article 62.** The State shall establish and improve a drug price monitoring system, conduct cost and price surveys, strengthen drug price supervision and inspection, and investigate and deal with illegal acts such as price monopolies, price fraud, and unfair competition in accordance with law, so as to maintain orderly drug pricing. The State shall strengthen the management and guidance of classified drug procurement. Bidders participating in drug procurement tenders shall not bid at prices below cost, and shall not engage in bid-rigging through fraud, collusion, abuse of market dominant position, or other means. **Article 63.** The State shall establish central and local two-level pharmaceutical reserves to guarantee emergency needs in the event of major disasters, epidemics, and other sudden incidents. **Article 64.** The State shall establish and improve a drug supply-and-demand monitoring system, promptly collect and summarise and analyse drug supply-and-demand information, and regularly publish information on drug production, distribution, and use. **Article 65.** The State shall strengthen the administration of medical devices, improve medical device standards and norms, and raise the level of safety and effectiveness of medical devices. The health administration department of the State Council and health administration departments of people's governments of provinces, autonomous regions, and municipalities directly under the central government shall, based on the advancement, suitability, and accessibility of technologies, compile plans for the configuration of large medical equipment so as to promote the rational configuration and full sharing of medical equipment within regions. **Article 66.** The State shall strengthen the protection and development of Chinese medicine (zhongyao), fully reflect the characteristics and advantages of Chinese medicine, and give full play to its role in prevention, health care, medical treatment, and rehabilitation. ## Chapter VI Health Promotion **Article 67.** People's governments at all levels shall strengthen health-education work and the cultivation of relevant professional personnel, establish a system for releasing core information on health knowledge and skills, popularise health science knowledge, and provide the public with scientific and accurate health information. Medical and health-care institutions, educational institutions, sports institutions, publicity institutions, community-level self-governing organisations, and social organisations shall carry out the promotion and popularisation of health knowledge. Medical and health-care personnel shall provide health education to patients when providing medical and health-care services. News media shall carry out public-interest publicity on health knowledge. The promotion of health knowledge shall be scientific and accurate. **Article 68.** The State shall incorporate health education into the national education system. Schools shall implement health education through multiple forms, popularise health knowledge, scientific fitness knowledge, and first-aid knowledge and skills, raise students' awareness of active disease prevention, cultivate students' good hygiene habits and healthy behavioural habits, and reduce and address students' negative health conditions such as myopia and obesity. Schools shall, as required, offer physical education and health courses, and organise students to conduct radio calisthenics, eye-exercise routines, physical fitness training, and other activities. Schools shall, as required, be equipped with school doctors and shall establish and improve infirmaries, health rooms, and similar facilities. Education administration departments of people's governments at or above the county level shall, as required, incorporate the level of students' physical fitness and health into school assessment systems. **Article 69.** Citizens are the primary persons responsible for their own health; they shall establish and practise the health management concept of taking responsibility for their own health, proactively learn health knowledge, improve health literacy, and strengthen health management. Advocating that family members care for each other and form healthy lifestyles suited to their own and their families' characteristics. Citizens shall respect the health rights and interests of others and shall not harm others' health or the public interests of society. **Article 70.** The State shall organise surveys and statistics on residents' health status, conduct physical fitness monitoring, evaluate health outcomes, and formulate and improve health-related laws, regulations, policies, and plans on the basis of evaluation results. **Article 71.** The State shall establish a system for monitoring, surveying, and risk-assessing diseases and health risk factors. People's governments at or above the county level and their relevant departments shall organise research on health risk factors targeting principal health problems, and formulate comprehensive prevention and control measures. The State shall strengthen the prevention and control of environmental problems affecting health, organise research on the impact of environmental quality on health, and take measures to prevent and control diseases related to environmental problems. **Article 72.** The State shall vigorously conduct patriotic health campaigns, encourage and support the conduct of mass hygiene and health activities such as Patriotic Health Month, rely on and mobilise the public to control and eliminate health risk factors, improve environmental hygiene conditions, and build healthy cities, healthy townships and villages, and healthy communities. **Article 73.** The State shall establish a scientific and rigorous system for the supervision and administration of food and drinking-water safety, and raise the level of safety. **Article 74.** The State shall establish a nutritional status monitoring system, implement nutrition intervention plans for economically underdeveloped areas and key groups of people, carry out nutrition improvement actions for minors and the elderly, advocate healthy dietary habits, and reduce the risk of diseases caused by unhealthy diets. **Article 75.** The State shall develop nationwide fitness undertakings, improve a nationwide fitness public-service system covering both urban and rural areas, strengthen the construction of public sports facilities, organise, support, and conduct nationwide fitness activities, strengthen nationwide fitness guidance services, and popularise scientific fitness knowledge and methods. The State shall encourage work units to open their sports venues and facilities to the public. **Article 76.** The State shall formulate and implement health work plans for minors, women, the elderly, persons with disabilities, and other groups, and shall strengthen health services for key groups of people. The State shall promote long-term care support and encourage the development of long-term care insurance. **Article 77.** The State shall improve the system for the hygiene administration of public places. Health and other administration departments of people's governments at or above the county level shall strengthen hygiene supervision of public places. Information on the hygiene supervision of public places shall be disclosed to the public in accordance with law. Operating entities of public places shall establish and improve and rigorously implement hygiene administration systems, ensuring that their operating activities continuously comply with the State's hygiene requirements for public places. **Article 78.** The State shall take measures to reduce the harm of smoking to citizens' health. Smoking shall be controlled in public places, and supervision and enforcement shall be strengthened. Tobacco product packaging shall bear warnings explaining the hazards of smoking. The sale of tobacco and alcohol to minors is prohibited. **Article 79.** Employing units shall create environments and conditions conducive to health for their employees, rigorously implement relevant provisions on occupational safety and health, and actively organise employees to carry out fitness activities, so as to protect employees' health. The State shall encourage employing units to carry out health-guidance work for their employees. The State shall advocate for employing units to regularly organise health check-ups for their employees. Where laws and regulations make provisions on health check-ups, those provisions shall apply. ## Chapter VII Funding Security **Article 80.** People's governments at all levels shall faithfully fulfil their responsibilities for developing medical care, health care and health promotion, establish an investment mechanism for medical care, health care and health-promotion undertakings that is commensurate with economic and social development, fiscal conditions, and health indicators, incorporate medical care, health care and health-promotion expenditures into the budgets of their respective levels of government, and use such funds mainly, as prescribed, for the protection of basic medical services, public-health services, and basic medical protection, and for the construction and operational development of government-funded medical and health-care institutions. **Article 81.** People's governments at or above the county level shall strengthen the supervision and administration of funds through budgets, audits, supervision and law enforcement, social supervision, and other means. **Article 82.** Basic medical service costs shall be paid mainly by basic medical insurance funds and by individuals. The State shall in accordance with law raise basic medical insurance funds through multiple channels, and shall progressively improve sustainable financing mechanisms for basic medical insurance and adjustment mechanisms for the level of insurance protection. Citizens have the right and obligation to participate in basic medical insurance in accordance with law. Employing units and employees shall pay employees' basic medical insurance premiums in accordance with State regulations. Urban and rural residents shall pay urban and rural residents' basic medical insurance premiums in accordance with regulations. **Article 83.** The State shall establish a multi-level medical security system anchored in basic medical insurance, supplemented by commercial health insurance, medical assistance, employees' mutual medical aid, medical charity services, and other mechanisms. The State shall encourage the development of commercial health insurance to meet the diverse health protection needs of the people. The State shall improve the medical assistance system to ensure that eligible persons in difficulty obtain basic medical services. **Article 84.** The State shall establish and improve negotiation mechanisms between basic medical insurance management agencies and contracted designated medical and health-care institutions, scientifically and rationally determine payment standards and payment methods for basic medical insurance funds, guide medical and health-care institutions to carry out rational diagnosis and treatment, promote the orderly flow of patients, and improve the efficiency of use of basic medical insurance funds. **Article 85.** The scope of basic medical insurance fund payments shall be formulated by the medical security administration department of the State Council and shall solicit the opinions of the health administration department, the TCM administration department, the drug regulatory department, the finance department, and other relevant departments of the State Council. People's governments of provinces, autonomous regions, and municipalities directly under the central government may, in accordance with relevant State regulations, supplement the specific items and standards of basic medical insurance fund payments within their administrative regions, and shall report such information to the medical security administration department of the State Council for filing. The medical security administration department of the State Council shall organise evidence-based medicine and economic assessments of the basic medical insurance medicines catalogue, diagnostic and treatment items, and medical service facility standards incorporated into the scope of payments, and shall solicit opinions from the health administration department, the TCM administration department, the drug regulatory department, the finance department, and other relevant parties of the State Council. The results of such assessments shall serve as a basis for adjusting the scope of basic medical insurance fund payments. ## Chapter VIII Supervision and Administration **Article 86.** The State shall establish and improve a comprehensive medical and health-care supervision and administration system that combines institutional self-governance, industry self-regulation, government supervision and administration, and social supervision. Health administration departments of local people's governments at or above the county level shall implement localised and whole-industry supervision and administration of the medical and health-care sector. **Article 87.** Medical security administration departments of people's governments at or above the county level shall raise the capacity and level of medical security supervision, strengthen supervision and administration over medical service activities and medical costs falling within the scope of basic medical insurance fund payments, and ensure the rational use and security of basic medical insurance funds. **Article 88.** People's governments at or above the county level shall organise health, medical security, drug supervision and administration, development and reform, finance, and other departments to establish communication and consultation mechanisms, strengthen the integration of systems and the coordination of work, and improve the efficiency of use of medical and health-care resources and the level of protection. **Article 89.** People's governments at or above the county level shall regularly report on basic medical care, health care and health-promotion work to the people's congress at the same level or its standing committee, and accept supervision in accordance with law. **Article 90.** Where relevant departments of people's governments at or above the county level fail to fulfil their responsibilities related to medical care, health care and health promotion, the people's government at the same level or the relevant department of the people's government at a higher level shall conduct a regulatory interview (yuetan) with their principal responsible persons. Where a local people's government fails to fulfil its responsibilities related to medical care, health care and health promotion, the people's government at a higher level shall conduct a regulatory interview (yuetan) with its principal responsible persons. The departments and local people's governments that are subject to regulatory interviews shall immediately take measures to make rectifications. The circumstances of the regulatory interviews and the rectifications shall be incorporated into the work assessment and evaluation records of the relevant departments and local people's governments. **Article 91.** Health administration departments of local people's governments at or above the county level shall establish a performance assessment system for medical and health-care institutions and shall organise assessments of medical and health-care institutions' service quality, medical technologies, and use of medicines and medical equipment. Assessments shall incorporate the participation of industry organisations and the public. Assessment results shall be made available to the public in an appropriate manner and shall serve as an important basis for evaluating medical and health-care institutions and for health supervision. **Article 92.** The State protects citizens' personal health information and ensures the security of citizens' personal health information. No organisation or individual shall unlawfully collect, use, process, or transmit citizens' personal health information, or unlawfully buy, sell, provide, or disclose citizens' personal health information. **Article 93.** Health administration departments and medical security administration departments of people's governments at or above the county level shall establish a credit records system for medical and health-care institutions, personnel, and others, incorporate such records into the national credit information sharing platform, and implement joint disciplinary measures in accordance with State regulations. **Article 94.** Health administration departments of local people's governments at or above the county level and health supervision institutions entrusted by them shall carry out administrative law enforcement in the areas of medical care and health care and other areas within their administrative regions in accordance with law. **Article 95.** Health administration departments of people's governments at or above the county level shall actively cultivate medical and health-care industry organisations, give play to their role in medical care, health care and health-promotion work, and support their participation in formulating industry management norms and technical standards, and in evaluating, assessing, and reviewing medical and health care. **Article 96.** The State shall establish mechanisms for the prevention and handling of medical disputes, properly handle medical disputes, and maintain medical order. **Article 97.** The State shall encourage citizens, legal persons, and other organisations to conduct social supervision over medical care, health care and health-promotion work. Any organisation and individual has the right to complain about or report acts that violate the provisions of this Law to the health administration departments of people's governments at or above the county level and other relevant departments. ## Chapter IX Legal Liability **Article 98.** Where local people's governments at all levels, health administration departments of people's governments at or above the county level, and other relevant departments violate the provisions of this Law by abusing their powers, neglecting their duties, or engaging in misconduct for personal gain, the directly responsible supervisors and other directly responsible persons shall be given sanctions in accordance with law. **Article 99.** Where any person violates the provisions of this Law by engaging in practice without obtaining a medical institution practice licence, the health administration department of the people's government at or above the county level shall order the cessation of practice activities, confiscate illegal gains, medicines, and medical devices, and impose a fine of five to twenty times the amount of the illegal gains; where the illegal gains are less than CNY 10,000, the fine shall be calculated on the basis of CNY 10,000. Where any person violates the provisions of this Law by forging, altering, buying, selling, renting out, or lending a medical institution practice licence, the health administration department of the people's government at or above the county level shall order rectification, confiscate illegal gains, and impose a fine of five to fifteen times the amount of the illegal gains; where the illegal gains are less than CNY 10,000, the fine shall be calculated on the basis of CNY 10,000; in serious cases, the medical institution practice licence shall be revoked. **Article 100.** Where any entity commits any of the following acts in violation of the provisions of this Law, the health administration department of the people's government at or above the county level shall order rectification, confiscate illegal gains, and impose a fine of two to ten times the amount of the illegal gains; where the illegal gains are less than CNY 10,000, the fine shall be calculated on the basis of CNY 10,000; the directly responsible supervisors and other directly responsible persons shall be given sanctions in accordance with law: (1) a government-funded medical and health-care institution jointly invests with another organisation to establish a medical and health-care institution lacking independent legal-person status; (2) a medical and health-care institution rents out or contracts out medical departments to outside parties; or (3) a non-profit medical and health-care institution distributes or covertly distributes profits to investors or founders. **Article 101.** Where a medical and health-care institution or other entity violates the provisions of this Law in that its medical information-security system and protective measures are inadequate, resulting in the leakage of medical information, or its medical quality management and medical technology management systems and safety measures are inadequate, the health and other administration departments of the people's government at or above the county level shall order rectification, issue a warning, and impose a fine of CNY 10,000 to CNY 50,000; in serious cases, the relevant practice activities may be ordered to be suspended, and the directly responsible supervisors and other directly responsible persons shall be held legally liable in accordance with law. **Article 102.** Where medical and health-care personnel commit any of the following acts in violation of the provisions of this Law, the health administration department of the people's government at or above the county level shall impose administrative penalties in accordance with the relevant provisions of laws and administrative regulations concerning the administration of licensed physicians, nurses, and the prevention and handling of medical disputes: (1) exploiting their position to solicit or unlawfully receive property or seek other improper benefits; (2) disclosing citizens' personal health information; or (3) failing to fulfil their notification obligations as required or violating medical ethics norms in the course of conducting medical research or providing medical and health-care services. Where persons referred to in the preceding paragraph are personnel of government-funded medical and health-care institutions, sanctions shall be imposed on them in accordance with law. **Article 103.** Where a bidder participating in drug procurement tenders violates the provisions of this Law by bidding at a price below cost, or by engaging in bidding through fraud, collusion, abuse of market dominant position, or other means, the medical security administration department of the people's government at or above the county level shall order rectification and confiscate illegal gains; where the bidder is awarded the contract, the contract award shall be invalid, and a fine of 0.5% to 1% of the value of the contract project shall be imposed, and a fine equal to 5% to 10% of the fine imposed on the entity shall be imposed on the legal representative, principal responsible person, directly responsible supervisors, and other responsible persons; in serious cases, the bidder's qualification to participate in drug procurement tenders for two to five years shall be cancelled and publicised. **Article 104.** Where any person violates the provisions of this Law by fraudulently obtaining basic medical insurance benefits through fraud, forging certification materials, or other means; or where a basic medical insurance management agency, medical institution, pharmaceutical distribution entity, or other entity fraudulently obtains basic medical insurance fund disbursements through fraud, forging certification materials, or other means, the medical security administration department of the people's government at or above the county level shall impose administrative penalties in accordance with the relevant provisions of the laws and administrative regulations on social insurance. **Article 105.** Where any person violates the provisions of this Law by disrupting the order of medical and health-care institutions' premises, threatening or endangering the personal safety of medical and health-care personnel, infringing upon the personal dignity of medical and health-care personnel, unlawfully collecting, using, processing, or transmitting citizens' personal health information, or unlawfully buying, selling, providing, or disclosing citizens' personal health information, and such conduct constitutes a violation of public security administration, public security administration penalties shall be imposed in accordance with law. **Article 106.** Where any violation of the provisions of this Law constitutes a crime, criminal liability shall be pursued in accordance with law; where personal injury or property damage is caused, civil liability shall be borne in accordance with law. ## Chapter X Supplementary Provisions **Article 107.** The meanings of the following terms used in this Law: (1) "Major health indicators" refers to per-capita life expectancy, maternal mortality rate, infant mortality rate, and mortality rate of children under five, among others. (2) "Medical and health-care institutions" refers to primary-level medical and health-care institutions, hospitals, and specialised public-health institutions, among others. (3) "Primary-level medical and health-care institutions" refers to township health centres, community health service centres (stations), village clinics, infirmaries, out-patient departments, and clinics, among others. (4) "Specialised public-health institutions" refers to disease prevention and control centres, specialised disease prevention and treatment institutions, health education institutions, emergency-care centres (stations), and blood stations, among others. (5) "Medical and health-care personnel" refers to practising physicians, practising assistant physicians, registered nurses, pharmacists (pharmaceutical technicians), laboratory technicians, imaging technicians, and rural doctors and other health professionals. (6) "Essential medicines" refers to medicines that meet the basic medication needs for disease prevention and treatment, are adapted to the current basic national conditions and support capacity, have appropriate dosage forms and reasonable prices, can be secured in supply, and are equitably accessible. **Article 108.** Provinces, autonomous regions, municipalities directly under the central government, and prefecture-level cities and autonomous prefectures may, in light of actual conditions, formulate specific measures for the development of medical care, health care and health-promotion undertakings in their localities. **Article 109.** Medical care, health care and health-promotion work of the Chinese People's Liberation Army and the Chinese People's Armed Police Force shall be governed by management measures formulated by the State Council and the Central Military Commission in accordance with this Law. **Article 110.** This Law shall enter into force on June 1, 2020. --- ## Explanation of Common Terms in the Field of Data (Second Batch) - Chinese title: 数据领域常用名词解释(第二批) - Abbreviation: Data Terms Batch 2 - Hierarchy: rule - Issuing body: National Data Administration - Adopted: 2025-03-29 - Effective: 2025-03-29 - Status: effective - URL: https://datacompliancechina.com/laws/common-data-terms-batch-2/ - Markdown: https://datacompliancechina.com/laws/common-data-terms-batch-2.md ### Summary The second installment of official terminology explanations issued by the National Data Administration, continuing the consensus-building effort that began with the First Batch in December 2024. The 20 terms in this batch focus on data property rights vocabulary (Data Property Rights, Data Property Rights Registration, Right to Hold Data, Right to Use Data, Right to Operate Data, derived data, enterprise data); data trading institutions and market structure (data trading institution, on-exchange data trading, off-exchange data trading, data trading matching, data third-party professional service institution); the data industry and data labeling sub-industry; trusted data space and data use control; data infrastructure; and computing-power scheduling and pooling. DCC translation, cross-checked against the glossary for consistency with the public-data property-rights registration documents. ### Full text **Promulgated by:** National Data Administration. Issued by the National Data Administration on March 29, 2025 by the Drafting Expert Team for Explanation of Terms in the Field of Data. Effective March 29, 2025. --- > *DCC translation. The National Data Administration (国家数据局) released this second batch of standardized term explanations on March 29, 2025, continuing the consensus-building effort that began with the [First Batch](/laws/common-data-terms-batch-1/) of December 30, 2024. The 20 terms in this batch focus on data property rights vocabulary, data trading institutions and market structure, the data industry and data-labeling sub-industry, trusted data spaces, data infrastructure, and computing-power scheduling and pooling. Translated against [DCC's bilingual glossary](/glossary), with terminology aligned to the public-data property-rights registration documents and the First Batch translations where shared concepts appear.* ## Background In order to build broad consensus, with the strong support of all walks of life, we have carefully studied and developed the *Explanation of Common Terms in the Field of Data (Second Batch)*. We will continue to iteratively improve the term explanations in light of practical needs and development requirements, and welcome the continuous attention of the community. — Drafting Expert Team for Explanation of Terms in the Field of Data, March 29, 2025 ## Annex: Explanation of Common Terms in the Field of Data (Second Batch) **1. 数据产权 (Data Property Rights).** "Data Property Rights" refer to the property rights enjoyed by a rights-holder over specific data, including the Right to Hold Data, the Right to Use Data, the Right to Operate Data, and so on. **2. 数据产权登记 (Data Property Rights Registration).** "Data Property Rights Registration" refers to the act of a Data Property Rights registration institution reviewing, in accordance with unified rules, the authenticity, compliance, and accuracy of the source, description, content, and other aspects of data, recording information such as the attribution of data rights, and issuing a registration certificate. **3. 数据持有权 (Right to Hold Data).** "Right to Hold Data" refers to the right of a rights-holder to hold lawfully acquired data, either by itself or through another person it entrusts. Its purpose is to prevent others from illegally or in violation of regulations stealing, tampering with, leaking, or destroying data held by the rights-holder. **4. 数据使用权 (Right to Use Data).** "Right to Use Data" refers to the right of a rights-holder to use data — through methods such as processing, aggregation, and analysis — to optimize production and operations, provide social services, form derived data, and the like. Generally speaking, the Right to Use Data is the right of a rights-holder to use data for internal use, on the premise of not providing the data externally. **5. 数据经营权 (Right to Operate Data).** "Right to Operate Data" refers to the right of a rights-holder to provide data externally — for consideration or without consideration — through methods such as transfer, licensing, capital contribution, or the creation of security interests. **6. 衍生数据 (Derived data).** "Derived data" refer to data formed when a data handler, in respect of data over which it enjoys the Right to Use Data, achieves substantive changes to the content, form, structure, or other aspects of the data — through methods such as the application of specialized knowledge for processing, model analysis, and extraction of key information — thereby significantly enhancing the value of the data, while protecting the legitimate rights and interests of all parties. **7. 企业数据 (Enterprise data).** "Enterprise data" refer to data formed by enterprises in the course of production and operation activities, or lawfully acquired and held by enterprises. **8. 数据交易机构 (Data trading institution).** "Data trading institution" refers to a specialized institution that provides data trading services to data suppliers and data demanders. **9. 数据场内交易 (On-exchange data trading).** "On-exchange data trading" refers to the act of a data supplier and a data demander concluding a data transaction through a data trading institution. **10. 数据场外交易 (Off-exchange data trading).** "Off-exchange data trading" refers to the act of a data supplier and a data demander concluding a data transaction without going through a data trading institution. **11. 数据交易撮合 (Data trading matching).** "Data trading matching" refers to the act of helping a data supplier and a data demander conclude a data transaction. **12. 数据第三方专业服务机构 (Data third-party professional service institution).** "Data third-party professional service institution" refers to a specialized organization that, in order to promote the compliant and efficient conduct of data trading activities, provides third-party services such as data integration, quality evaluation, data brokerage, compliance certification, security audit, data notarization, data insurance, data custody, asset evaluation, dispute mediation, risk assessment, talent training, and consulting services. **13. 数据产业 (Data industry).** "Data industry" refers to the emerging industry formed by using modern information technology to develop products or services from data resources and to promote their circulation and application, including data collection and aggregation, computing and storage, circulation and trading, development and utilization, security governance, and the construction of data infrastructure. **14. 数据标注产业 (Data labeling industry).** "Data labeling industry" refers to the emerging industry that processes data through screening, cleaning, classification, annotation, marking, quality inspection, and similar processing. **15. 数字产业集群 (Digital industry cluster).** "Digital industry cluster" refers to a new form of industrial organization characterized mainly by being driven by data elements, empowered by digital technology, supported by digital platforms, developed through industrial integration, and built on a shared cluster ecosystem. **16. 可信数据空间 (Trusted data space).** "Trusted data space" refers to a data circulation and utilization infrastructure that, based on consensus rules, connects multiple participating subjects to enable the sharing and joint use of data resources. It is the application ecosystem for the co-creation of data-element value, and an important carrier supporting the construction of a nationally integrated data market. A trusted data space must possess three core capabilities: trusted data control, resource interaction, and value co-creation. **17. 数据使用控制 (Data use control).** "Data use control" refers to the use of technical means to exert control over the transmission, storage, use, and destruction of data — for example, by using smart-contract technology to translate the data-use-control intent of the data-rights subject into machine-readable smart-contract terms — thereby resolving the precondition issue of data controllability and enabling control over factors such as the time, location, subjects, conduct, and objects of the use of data assets. **18. 数据基础设施 (Data infrastructure).** "Data infrastructure", from the perspective of unlocking the value of data elements, refers to a new category of infrastructure that provides data collection, aggregation, transmission, processing, circulation, utilization, operation, and security services to society. It is an organic whole that integrates hardware, software, model algorithms, standards and specifications, mechanism design, and similar elements. **19. 算力调度 (Computing-power scheduling).** "Computing-power scheduling" is, in essence, the scheduling of computing tasks. It matches computing-power resources to user business needs and dispatches the relevant business, data, and applications to the matched computing-power resource pool for computation, thereby achieving the rational utilization of computing resources. **20. 算力池化 (Computing-power pooling).** "Computing-power pooling" refers to the unified registration and management of various heterogeneous and geographically dispersed computing-power resources and equipment — through key technologies such as computing-power virtualization and application containerization — so as to enable on-demand application and use of computing resources within large-scale clusters. --- ## Measures for the Certification of the Cross-border Provision of Personal Information - Chinese title: 个人信息出境认证办法 - Hierarchy: rule - Issuing body: Cyberspace Administration of China (CAC) and State Administration for Market Regulation (SAMR) - Adopted: 2025-07-21 - Effective: 2026-01-01 - Status: effective - URL: https://datacompliancechina.com/laws/cross-border-pi-certification-measures/ - Markdown: https://datacompliancechina.com/laws/cross-border-pi-certification-measures.md ### Summary The third of CAC's three cross-border transfer pathways — PI Protection Certification — finally given its own dedicated rules effective January 1, 2026. Joint issuance with SAMR (which administers the certification body accreditation regime). Establishes who can be certified, eligibility thresholds, what certification covers, and the relationship to the Security Assessment and Standard Contract pathways. ### Full text **Promulgated by:** Cyberspace Administration of China (CAC) and State Administration for Market Regulation (SAMR). **Document No.:** Order No. 20 of CAC and SAMR (jointly). **Adopted at the 17th executive meeting of the CAC in 2025 on July 21, 2025. Effective January 1, 2026.** --- **Article 1.** In order to protect personal information rights and interests, regulate certification activities for the cross-border provision of personal information, and promote the efficient and secure cross-border flow of personal information, these Measures are formulated in accordance with the Personal Information Protection Law of the People’s Republic of China, the Regulations on the Administration of Network Data Security, the Regulations of the People’s Republic of China on Certification and Accreditation, and other laws and regulations. **Article 2.** Where a personal information processor provides personal information to outside the territory of the People’s Republic of China by means of personal information protection certification, these Measures shall apply. **Article 3.** For the purposes of these Measures, certification of cross-border provision of personal information refers to the conformity assessment activities conducted, in accordance with Item (2) of Paragraph 1 of Article 38 of the Personal Information Protection Law of the People’s Republic of China, by professional certification bodies that have lawfully obtained personal information protection certification qualifications, to attest that personal information processing activities such as the provision of personal information by personal information processors to outside the territory of the People’s Republic of China conform to relevant laws, administrative regulations, departmental rules, standards, and technical specifications. **Article 4.** The National level cyberspace administration department, together with the National level data administration department and other relevant departments, shall formulate relevant standards and technical specifications for the certification of cross-border provision of personal information. The State Administration for Market Regulation, together with the National level cyberspace administration department, shall formulate personal information protection certification rules and unified certification certificates and marks. 1 1 10 100 1 **Article 5.** Where a personal information processor provides personal information to outside the territory by means of certification of cross-border provision of personal information, it shall simultaneously meet the following conditions: (1) It is not an operator of critical information infrastructure; (2) Since January 1 of the current year, it has cumulatively provided abroad personal information of 100,000 persons or more but less than 1,000,000 persons (excluding sensitive personal information), or sensitive personal information of less than 10,000 persons. The personal information provided abroad as referred to in the preceding paragraph does not include important data. Where laws, administrative regulations, or the National level cyberspace administration department provide otherwise, such provisions shall prevail. Personal information processors shall not adopt means such as quantity splitting to provide, by means of certification of cross-border provision of personal information, to outside the territory personal information that, according to law, shall be provided abroad only after passing a security assessment for data export. **Article 6.** Prior to applying for certification to provide personal information abroad, personal information processors shall perform the obligations of notification, obtaining separate consent of individuals, conducting personal information protection impact assessment, etc., in accordance with the provisions of laws and administrative regulations. The personal information protection impact assessment shall focus on evaluating the following: (1) The legality, legitimacy, and necessity of the purposes, scope, methods, etc., of personal information processing by the personal information processor and the overseas recipient; (2) The scale, scope, types, and sensitivity of the personal information to be exported, and the risks that the cross-border provision of personal information may pose to national security, public interests, and personal information rights and interests; (3) Whether the obligations the overseas recipient undertakes to assume, and the management and technical measures and capabilities to perform such obligations, can ensure the security of the personal information provided abroad; (4) The risks of personal information being tampered with, damaged, leaked, lost, illegally used, etc., after being provided abroad, and whether the channels for safeguarding personal information rights and interests are smooth; (5) The impact of personal information protection policies and regulations of the country or region where the overseas recipient is located on the security of the personal information provided abroad and the personal information rights and interests; (6) Other matters that may affect the security of cross-border provision of personal information. **Article 7.** Where a personal information processor provides personal information abroad by means of certification, it shall apply to a professional certification body for certification of cross-border provision of personal information. Where a personal information processor outside the territory of the People’s Republic of China applies for certification of cross-border provision of personal information, the application shall be assisted by its specially established institution or designated representative within the territory. **Article 8.** Professional certification bodies shall carry out certification activities for cross-border provision of personal information in accordance with basic certification norms and personal information protection certification rules. Where certification requirements are met, professional certification bodies shall promptly issue certification certificates. The validity period of a certification certificate shall be three years. Where the certificate needs to continue to be used upon expiry, the personal information processor shall file an application for certification six months prior to the expiration of the validity period. 5 **Article 9.** Professional certification bodies shall, within five working days after issuing certification certificates or after the status of certification certificates changes, submit relevant information on certification certificates for cross-border provision of personal information to the National level Certification and Accreditation Information Public Service Platform, including the certification certificate number, the name of the certified personal information processor, the scope of certification, and information on changes in certificate status, etc. The State Administration for Market Regulation and the National level cyberspace administration department shall establish a mechanism for sharing certification information. **Article 10.** Where professional certification bodies discover that a certified personal information processor has circumstances such as inconsistency between the cross-border provision of personal information and the certification scope, and is no longer in conformity with certification requirements, they shall suspend its use until revoking the relevant certification certificate. Where the National level cyberspace administration department and relevant departments discover, in the course of supervision and administration over personal information protection, that a certified personal information processor has the circumstances set out in the preceding paragraph, professional certification bodies shall cooperate to suspend its use until revoking the relevant certification certificate. The circumstances set out in the preceding two paragraphs shall be published via the National level Certification and Accreditation Information Public Service Platform. **Article 11.** Where, in the course of carrying out certification activities, professional certification bodies discover that cross-border provision of personal information violates laws, administrative regulations, or relevant national provisions, they shall promptly report to the National level cyberspace administration department and relevant departments. **Article 12.** Professional certification bodies that carry out certification for cross-border provision of personal information shall, within ten working days from the date on which they are approved by the State Administration for Market Regulation to obtain personal information protection certification qualifications, complete filing procedures with the National level cyberspace administration department. When handling filing, the following materials shall be submitted: (1) The circumstances of the obtained certification qualifications in the field of personal information protection; (2) The professional work circumstances engaged in the field of data security and personal information protection during the past three years; (3) Security background check materials of the personnel of the professional certification body; (4) Implementation rules and work plan for personal information protection certification; (5) Mechanisms for preventing personal information security risks; (6) Continuous supervision mechanisms regarding the conformity of the certified personal information processor’s cross-border provision of personal information with certification standards; (7) Complaint handling and dispute resolution mechanisms; (8) Other materials required to be submitted. Professional certification bodies shall be responsible for the authenticity of the filed materials. Upon receipt of the filing materials submitted by the professional certification bodies, the National level cyberspace administration department, together with the National level data administration department, shall review the filing materials. Where the materials are complete, filing shall be completed within thirty working days and made public; where the materials are incomplete, filing shall not be completed, and the professional certification body shall be notified within thirty working days with reasons explained. **Article 13.** The State Administration for Market Regulation and the National level cyberspace administration department shall supervise certification activities for cross-border provision of personal information, conduct regular or ad hoc inspections, carry out spot checks on certification processes and certification results, and conduct spot checks and evaluations of professional certification bodies. **Article 14.** State organs, professional certification bodies, and other institutions engaged in certification activities and their staff shall, in accordance with law, keep confidential the personal privacy, personal information, trade secrets, and confidential business information that they become aware of in the performance of their duties, and shall not disclose, illegally provide to others, or illegally use such information. **Article 15.** Where any organization or individual discovers that a certified personal information processor provides personal information abroad in violation of these Measures, they may lodge complaints or report to professional certification bodies, cyberspace administration departments, and relevant departments. **Article 16.** Where cyberspace administration departments at the provincial level or above and relevant departments discover that the certified personal information processor’s cross-border personal information activities pose significant risks or that personal information security incidents have occurred, they may, in accordance with law, conduct interviews with the certified personal information processor. The certified personal information processor shall make rectifications as required and eliminate hidden dangers. **Article 17.** Where these Measures are violated, disposition shall be made in accordance with the Personal Information Protection Law of the People’s Republic of China, the Regulations on the Administration of Network Data Security, the Regulations of the People’s Republic of China on Certification and Accreditation, and other laws and regulations; where a crime is constituted, criminal liability shall be pursued according to law. **Article 18.** Where relevant provisions on certification of cross-border provision of personal information formulated prior to the implementation of these Measures are inconsistent with these Measures, these Measures shall prevail. **Article 19.** These Measures shall come into force on January 1, 2026. --- ## Administrative Measures for Personal Information Protection Compliance Audits - Chinese title: 个人信息保护合规审计管理办法 - Hierarchy: rule - Issuing body: Cyberspace Administration of China (CAC) - Adopted: 2024-05-20 - Effective: 2025-05-01 - Status: effective - URL: https://datacompliancechina.com/laws/personal-info-audit-measures/ - Markdown: https://datacompliancechina.com/laws/personal-info-audit-measures.md ### Summary These Measures implement the compliance-audit obligation in PIPL Article 54. Self-audit is required at least every two years for handlers of more than 10 million people's personal information; CAC-directed audits by a third-party specialized agency are triggered by significant risk, large-scale infringement, or major security incidents. The Measures are accompanied by a 27-section Guidelines annex that lays out exactly what auditors should examine — effectively a regulator-issued checklist for personal-information compliance. ### Full text **Promulgated by:** Cyberspace Administration of China (CAC). **Document No.:** Decree No. 18 of the Cyberspace Administration of China. **Adopted at the 15th executive meeting of the CAC on May 20, 2024.** **Promulgated February 12, 2025. Effective May 1, 2025.** Zhuang Rongwen, Minister of CAC. The Measures consist of 20 articles followed by a 27-section Guidelines annex. The annex (sections I through XXVII) sets out exactly what an auditor — whether in-house or a third-party specialized agency — should examine, item by item. For overseas compliance teams, the annex functions as a regulator-published checklist for personal-information protection. --- **Article 1.** In order to regulate the personal information protection compliance audits and protect personal information rights and interests, these Measures are enacted in accordance with the Personal Information Protection Law of the People's Republic of China, the Regulation on Network Data Security Management and other laws and administrative regulations. **Article 2.** These Measures shall apply to the personal information protection compliance audits conducted within the territory of the People's Republic of China. For the purpose of these Measures, the term "personal information protection compliance audits" refer to the supervision activities that examine and evaluate whether the personal information handling activities of a personal information handler comply with laws and administrative regulations. **Article 3.** To conduct the personal information protection compliance audits by itself, a personal information handler shall have its internal body or a specialized agency entrusted thereby regularly audit the compliance of its handling of personal information with laws and administrative regulations. **Article 4.** Any personal information handler handling the 1000 personal information of more than 10 million people shall carry out the personal information protection compliance audits at least once every two years. **Article 5.** For a personal information handler who falls under any of the following circumstances, the cyberspace administration of China and other authorities performing responsibilities of personal information protection (hereinafter collectively referred to as the "protection authorities" in short) may require the personal information handler to entrust a specialized agency with the compliance audit of its personal information handling activities: (1) Where its personal information handling activities involve relatively large risks such as serious impact on personal rights and interests or serious lack of security measures; (2) Where its personal information handling activities may infringe upon the rights and interests of many people; or (3) Where a personal information security incident occurs, resulting in the divulgence, tampering with, loss or damage of the personal information of more than one million people or the sensitive personal information of more than 100,000 people. For the same personal information security incident or risk, it is not allowed to repeatedly require the personal information handler 100 concerned to entrust a specialized agency with the personal information protection compliance audits. 10 **Article 6.** Any personal information handler who conducts the personal information protection compliance audits on its own or entrusts a specialized agency to conduct the personal information protection compliance audits as required by the protection authorities shall be governed by the Guidelines for the Personal information protection compliance audits attached hereto mutatis mutandis. **Article 7.** Relevant specialized agencies shall have the capability to conduct personal information protection compliance audits and have auditors, premises, facilities and funds commensurate with their services. Relevant specialized agencies are encouraged to pass the certification. The certification of specialized agency shall be carried out in accordance with the relevant provisions of the Regulations of the People's Republic of China on Certification and Accreditation. **Article 8.** A personal information handler conducting the personal information protection compliance audits as required by the protection authorities shall provide necessary support to the specialized agency concerned for the normal personal information protection compliance audits and bear the audit fees. **Article 9.** A personal information handler conducting the personal information protection compliance audits as required by the protection authorities shall select a specialized agency as required by the protection authorities and complete the personal information protection compliance audits within the prescribed time limit; where the circumstance is complicated, the time limit may be extended appropriately upon approval from the protection authorities. **Article 10.** A personal information handler conducting personal information protection compliance audits as required by the protection authorities shall submit the compliance audit report in respect of personal information protection issued by the specialized agency concerned to the protection authorities after the completion of the compliance audit. The compliance audit report on personal information protection shall be signed by the principal of the specialized agency and the person in charge of compliance audit of the specialized agency, the official seal of the specialized agency stamped therewith. **Article 11.** A personal information handler conducting personal information protection compliance audits as required by the protection authorities shall shall make corrections to the problems discovered during the compliance audit as required by the protection authorities and submit a rectification report to the protection authorities within 15 workdays from the completion of rectification. 15 **Article 12.** A personal information handler handling the 100 personal information of more than 1 million people shall designate a person in charge of personal information protection to be responsible for the compliance audit of its personal information protection. Any personal information handler that provides important Internet platform services, has a huge number of users and complicated business types shall establish an independent body mainly composed of external members to supervise the personal information protection compliance audits. **Article 13.** When engaging in the personal information protection compliance audits, a specialized agency shall abide by laws and regulations, act in good faith, make professional judgment on compliance audit in a impartial and objective manner, and keep confidential the personal information, trade secrets and confidential business information obtained in fulfilling its responsibilities of personal information protection compliance audits in accordance with the law, shall not disclose or illegally provide the same to others, and shall delete relevant information in a timely manner after the completion of the compliance audit. **Article 14.** A specialized agency shall not sub-entrust other agency with the personal information protection compliance audits. **Article 15.** The same specialized agency and its affiliates and the same person-in-charge of compliance audit shall not conduct the personal information protection compliance audits for the same audit object for more than three consecutive times. **Article 16.** The protection authorities shall supervise and inspect the personal information protection compliance audits conducted by personal information handlers. **Article 17.** Any organization or individual is entitled to complain about or blow whistle on any illegal activity during the personal information protection compliance audits to the protection authorities. The protection authorities receiving such complaint or report shall promptly handle it in accordance with the law and inform the complainant or whistleblower of the handling results. **Article 18.** Any personal information handler or specialized agency that violates the provisions hereof shall be punished in accordance with the Personal Information Protection Law of the People's Republic of China, the Regulation on Network Data Security Management and other relevant laws and regulations; any criminal offence, if constituted, shall be investigated for criminal liability in accordance with the law. **Article 19.** These Measures shall not apply to the personal information protection compliance audits carried out by state organs and organizations authorized by laws and regulations to exercise functions of administration of public affairs. **Article 20.** These Measures shall come into force as of May 1, 2025 2025. Annex: Guidelines for Personal Information Protection Compliance Audits **I.** These Guidelines are enacted in accordance with the Personal Information Protection Law of the People's Republic of China, the Regulation on Network Data Security Management and other relevant laws and administrative regulations. **II.** The following matters shall be examined as focus in conducting the compliance audit on the legal basis for handling an individual's personal information: (1) Whether the individual's consent has been obtained if the handling of the individual's personal information is based on the individual's consent, and whether the consent is voluntarily and explicitly given by the individual under the premise of full knowledge; (2) Whether the individual's consent has been re-obtained if the purpose and method of the handling of the individual's personal information or the type of personal information to be handled changes based on the individual's consent to handle personal information; (3) Whether the individual's separate consent or written consent has been obtained in accordance with laws and administrative regulations for the handling of the individual's personal information based on the individual's consent; and (4) Whether the handling of the individual's personal information is not subject to the consent of the individual as stipulated in laws and administrative regulations in the event that the individual's consent is not obtained. **III.** The following matters shall be examined as focus in conducting the compliance audit on the rules for handling an individual's personal information: (1) Whether the title or name and contact information of the personal information handler are informed of in a truthful, accurate and complete manner; (2) Whether the personal information collected and the handling method and type of such information are set out in an easily accessible form such as a list; (3) Whether the information is directly relating to the purpose of handling and the method with minimum impact on individual rights and interests is adopted; (4) Whether the retention period of personal information or the method for determining the retention period, the method for handling upon expiration of the retention period, and the retention period determined as the minimum time necessary to achieve the purpose of handling are specified; and (5) Whether the ways and methods for people to access, copy, transfer, correct, supplement, delete and restrict the handling of personal information, deregister accounts and withdraw consent are specified. **IV.** The following matters shall be examined as focus in conducting the compliance audit on the performance by a personal information handler of the obligation to inform the rules for handling an individua's personal information: (1) Whether the personal information handler informs the individual of the rules for handling his/her personal information in an eye-catching manner and in clear and understandable wording in a truthful, accurate and complete manner prior to the handling of his/her personal information; (2) Whether the size, font and color of the informed text are convenient for the individual to completely read the informed matters; (3) Whether the informing obligation has been performed to the individual by marking, explanation or other means offline; (4) Whether the text information is provided online or the informing obligation has been performed to the individual by appropriate means; (5) Whether the individual has been informed of the changes in a timely manner in the case of changes to the rules for handling his/her personal information; and (6) Whether the individual falls within the circumstances in which confidentiality shall be maintained or it is unnecessary to inform the individual in accordance with laws and administrative regulations if it is not required to inform the individual whose personal information is handled. **V.** The following matters shall be examined as focus in conducting the compliance audit on the personal information jointly handled by a personal information handler and any other personal information handlers: (1) Whether the respective rights and obligations are agreed upon; (2) The mechanism for protection of personal information rights and interests; (3) The mechanism for reporting personal information security incidents; and (4) Other rights and obligations to be agreed upon as stipulated by laws and administrative regulations. **VI.** The following matters shall be examined as focus in conducting the compliance audit on the handling of personal information entrusted by a personal information handler: (1) Whether the personal information handler has conducted the personal information protection impact assessment prior to entrusting its handling of personal information; (2) Whether the contract concluded between the personal information handler and the party entrusted has agreed on the purpose, duration, and method of the entrusted handling, type of personal information and protection measures, as well as the rights and obligations of both parties; and (3) Whether the personal information handler has supervised the personal information handling activities of the party entrusted by means of regular inspection, etc. **VII.** Where a personal information handler needs to transfer personal information due to reasons such as merger, reorganization, demerger, dissolution or declaration of bankruptcy, the audit shall focus on whether the personal information handler has informed the individual of the name and contact information of the recipient. **VIII.** The following matters shall be examined as focus in conducting the compliance audit of a personal information handler who provides an individual's personal information handled by it to any other personal information handler: (1) Whether the individual's consent for handling his/her personal information is obtained if such consent is required; (2) Whether the individual is informed of the name and contact information of the recipient, purpose and method of the handling and types of personal information, unless the information shall be kept confidential, or it is unnecessary to be informed as stipulated by laws and administrative regulations; and (3) Whether personal information protection impact assessment has been conducted beforehand. **IX.** The following matters shall be examined as focus in conducting the compliance audit on the handling of an individual's personal information by a personal information handler using automatic decision -making: (1) The transparency of automatic decision -making and whether the automatic decision -making results are fair and impartial; (2) Whether the individual is informed beforehand of the type and possible impact of the handling under automatic decision -making; (3) Whether personal information protection impact assessment has been conducted beforehand; (4) Whether a protection mechanism is provided for users so that the individual can refuse in a convenient way the decisions made under automatic decision -making methods that have a significant impact on personal rights and interests, and whether the personal information handler is required to explain the decisions made under automatic decision -making methods that have a significant impact on personal rights and interests of users; (5) For information push or commercial marketing to people, whether options not tailored to personal characteristics are also provided, or whether a convenient method for refusing automatic decision -making service is provided; (6) Whether effective measures have been taken to prevent automatic decision -making from giving unreasonable differential treatment to people in terms of transaction conditions according to consumers' preferences, transaction habits and so on; and (7) Other matters that may affect the transparency of automatic decision -making and the fairness and impartiality of the results thereof. **X.** The following matters shall be examined as focus in conducting the compliance audit on a personal information handler who disclosure an individual's personal information based on the individual's consent: (1) Whether the personal information handler has obtained the sole consent of the individual before disclosing the personal information it handled, and whether such authorization is true and valid, and whether such personal information is disclosed against the individual's will; and (2) Whether the personal information handler has conducted personal information protection impact assessment prior to the disclosure of the individual's personal information. **XI.** A personal information handler who installs image- collecting and personal identification equipment in public places shall examine the legality of the image-collecting and personal information identification equipment and the use of the personal information collected as focus. The examination shall include but not be limited to: (1) Whether the handling of personal information collected is necessary for maintaining public security; whether the handling of personal information collected is for business purposes; (2) Whether a conspicuous prompting sign is set up; and (3) Whether an individual's sole consent has been obtained if the individual's personal image and identification information collected by the personal information handler are used for purposes other than maintaining public security. **XII.** In conduct the compliance audit on a personal information handler's handling of disclosed personal information, whether the personal information handler has committed any of the following illegality or irregularity shall be examined as focus: (1) Sending commercial information that is irrelevant to the purpose of disclosure to the e-mail, mobile phone numbers etc. contained in the disclosed personal information; (2) Using disclosed personal information to engage in cyber- violence, disseminating rumors and false information online and other activities; (3) Handling disclosed personal information that the individual concerned explicitly refuses to do so; (4) Failure to obtain the individual's consent where there is significant impact on the individual's rights and interests; and (5) Exceeding the reasonable scope of the scale or time of collection, retention or handling of disclosed personal information or the purpose of use thereof. **XIII.** The following matters shall be examined as focus in conducting the compliance audit on a personal information handler's handling of sensitive personal information: (1) When handling an individual's personal information based on his/her consent, whether the individual's sole consent has been obtained beforehand for the handling of his/her sensitive personal information such as biometric information, religious belief, specific identity, medical health, financial accounts and whereabouts; (2) When handling personal information of a minor under the age of 14 based on his/her consent, whether consent of the minor's parents or other guardians is obtained beforehand; (3) Whether the purpose, method or scope of handling sensitive personal information is legitimate, justifiable and necessary; (4) Whether a personal information protection impact assessment has been conducted beforehand; (5) Whether the individual has been informed of the necessity to handle his/her sensitive personal information and the impact on his/her personal rights and interests, unless the confidentiality shall be maintained, or it is not necessary to be informed as stipulated by laws and administrative regulations; (6) Whether written consent has been obtained for the handling of which a written consent is required as stipulated by laws and administrative regulations; and (7) Whether the restrictive provisions of laws and administrative regulations on the handling of sensitive personal information are complied with. **XIV.** The following matters shall be examined in conducting the compliance audit on a personal information handler's handling of the personal information of minors under the age of 14: (1) Whether specialized rules have been formulated for handling personal information; (2) Whether the minors and their guardians have been informed of the purpose, method and necessity of the handling of the personal information of minors, the type of personal information to be handled and the adopted protection measures, etc., unless it is not necessary to be informed as stipulated by laws and administrative regulations; and (3) Whether there is the practice of compulsorily requiring minors or their guardians to agree to handle unnecessary personal information in handling personal information based on the consent of the individual concerned. **XV.** The following matters shall be examined as focus in conducting the compliance audit on a personal information handler's provision of personal information abroad: (1) Whether the provision of personal information abroad by a critical information infrastructure operator has been subject to the security assessment organized by the national cyberspace administration authority, unless it is otherwise provided for in laws, administrative regulations or by the national cyberspace administration authority; (2) Whether the provision of personal information (excluding sensitive personal information) of more than 1 million people or sensitive personal information of more than 10,000 people in total abroad by a data handler other than a critical information infrastructure operator as of January 1 of the current year has 1 1 been subject to the security assessment organized by the national cyberspace administration authority, unless it is otherwise provided 100 for in laws, administrative regulations or by the national cyberspace administration authority; 1 -(3) Whether the provision of personal information (excluding sensitive personal information) of more than 100,000 people but less than 1 million people or sensitive personal information of less than 10,000 people in total abroad by a data handler other than a critical information infrastructure operator as stipulated by the national cyberspace administration authority has been certified in terms of personal information protection in accordance with the provisions of the national cyberspace administration authority, or a contract has been entered into with the overseas recipient in accordance with the standard contract developed by the national 10 cyberspace administration authority and filed for record with the local cyberspace administration authority at the provincial level, or 100 other conditions stipulated by laws, administrative regulations or by 1 the national cyberspace administration authority are met; (4) In the case of the provision of personal information stored within the territory of the People's Republic of China to foreign judicial or law enforcement authorities, whether such provision has been approved by the competent authority of the People's Republic of China; and (5) Whether the personal information is provided to any organization or person included in the list of organizations or persons to whom personal information provision is restricted or prohibited. **XXI.** The following matters shall be examined as focus in conducting the compliance audit on the protection of the right to delete personal information: (1) Whether the purpose of personal information handling has been achieved, cannot be achieved or it is no longer necessary to achieve the purpose of personal information handling; (2) Whether the personal information handler has ceased to provide products or services, or whether the individual concerned has deregistered his/her account; (3) Whether the retention period has expired; (4) Whether the individual concerned withdraws his/her consent; (5) Whether the personal information handler handled personal information in violation of laws, administrative regulations or the agreement; and (6) Whether the personal information handler has ceased handling other than storing and adopting necessary security measures if the storage period for the personal information that shall be deleted has not expired as prescribed by laws and administrative regulations, or it is difficult to delete the personal information technically. **XVII.** The following matters shall be examined as focus in conducting the compliance audit on the protection of the rights of individuals in personal information handling activities carried out by a personal information handler: (1) Whether a convenient mechanism for accepting and handling applications for individuals to exercise their rights has been established; (2) Whether the response to an individual's application for exercise of his/her rights is timely made; and whether the individual has been notified of the handling opinions or the execution results in a timely, complete and accurate manner; and (3) Whether the reasons have be stated to an individual in the case of refusal of the individual's request for exercise of his/her rights. **XVIII.** A personal information handler shall respond to the applications filed by individuals and explain its rules on handling personal information, and evaluate the following contents in conducting the compliance audit: (1) Whether the personal information handler has provided convenient ways and channels to accept and deal with individuals' requests for the interpretation of its rules on handling personal information; and (2) Whether the personal information handler has explained its personal information handling rules in plain language within a reasonable period of time after receiving the request of an individual. **XIX.** A personal information handler shall, in accordance with the provisions of laws and administrative regulations, formulate an internal management system and operating procedures, specify its organizational structure and job responsibilities, establish a workflow, and improve its internal control system, so as to ensure the compliance and security of its handling of personal information. In conducting the compliance audit, the personal information handler's internal management system and operating procedures for the protection of personal information shall be examined as focus, including but not limited to: (1) Whether the guidelines, objectives and principles of personal information protection are in compliance with laws and administrative regulations; (2) Whether the organizational structure, staffing, code of conduct and management responsibilities for the protection of personal information adapt to the responsibilities to be performed for personal information protection; (3) Whether personal information has been classified according to the type, source, sensitivity and purpose of personal information; (4) Whether an emergency response mechanism for personal information security incidents has been established; (5) Whether a personal information protection impact assessment system and a compliance audit system have been established; (6) Whether a smooth process for accepting complaints and whistleblowing about personal information protection has been established; (7) Whether the authority to handle and operate personal information has been reasonably set; (8) Whether a security education and training program on personal information protection has been formulated and implemented; (9) Whether a performance evaluation system has been established for the person in charge of personal information protection and the relevant personnel; (10) Whether a responsibility system has been established for dealing with personal information illegalities; and (11) Other matters as prescribed by laws and administrative regulations. **XX.** A personal information handler shall adopt technical security measures appropriate for the scale and type of the personal information handled by it and evaluate the effectiveness of the technical measures adopted by it. The evaluation shall include but not be limited to: (1) whether it has adopted corresponding technical security measures to realize the confidentiality, completeness and availability of personal information; (2) Whether it has adopted technical security measures such as encryption and de-identification to ensure that the identifiability of personal information is eliminated or reduced without the use of additional information; and (3) Whether the technical security measures adopted can reasonably determine the operation authority of relevant personnel to consult, copy and transmit personal information to reduce the risks of unauthorized access and abuse of personal information in the processing. **XXI.** The following matters shall be evaluated as focus in conducting the compliance audit on the formulation and implementation of an education and training plan by a personal information handler: (1) Whether the personal information handler has provided the corresponding security education and training for its management personnel, technical personnel, operators and all staff as planned, and assessed the awareness and skills of relevant personnel for personal information protection; and (2) Whether the content, method, object and frequency etc. of the training can meet the needs of personal information protection. **XXII.** The following matters shall be examined as focus in conducting the compliance audit on the performance of responsibilities by the person in charge of personal information protection designated by a personal information handler: (1) Whether the person in charge of personal information protection has the relevant work experience and professional knowledge and is familiar with the relevant laws and administrative regulations on personal information protection; (2) Whether the person in charge of personal information protection has specific and clear responsibilities, and whether he/she is authorized to coordinate the internal departments and personnel concerned of the personal information handler; (3) Whether the person in charge of personal information protection has the right to put forward relevant opinions and suggestions prior to the decision of significant matters relating to the handling of personal information; (4) Whether the person in charge of personal information protection has the right to stop the non-compliance in the handling of personal information within the personal information handler and to take necessary corrective measures; and (5) Whether the personal information handler has disclosed the contact information of the person in charge of personal information protection and submitted the name and contact information of the person in charge of personal information protection to the protection authorities. **XXIII.** In conducting the compliance audit on the personal information protection impact assessment conducted by a personal information handler, the examination shall be focused on the implementation of the impact assessment and assessment contents: (1) Whether the personal information handler has conducted the personal information protection impact assessment before its handling of personal information that has a significant impact on personal rights and interests in accordance with the provisions of laws and administrative regulations; (2) Whether the personal information handler has conducted lawful, proper and necessary assessment of the purpose and method of its handling of personal information; (3) Whether the personal information handler has conducted assessment of the impact on personal rights and interests and security risks; and (4) Whether the personal information handler has conducted assessment of the legality and effectiveness of the protection measures taken and the said measures' adaptability to its risk degree. **XXIV.** A personal information handler shall develop an emergency plan for personal information security incidents. In conducting the compliance audit, the comprehensiveness, effectiveness and executability of the emergency plan shall be evaluated, including but not limited to the following contents: (1) Whether the personal information handler has made a systematic assessment and forecast of the personal information security risks it faces in light of its business practices; (2) Whether the general requirements, basic strategies, organizational structure, personnel, technology and material support, command and disposal procedures, and emergency and supporting measures etc. are sufficient to respond to the forecasted risks; and (3) whether the personal information handler has provided training on the emergency plan for the relevant personnel and regularly conducted drills of the emergency plan. **XXV.** The following matters shall be examined as focus in conducting the compliance audit on a personal information handler's emergency response to and handling of personal information security incidents: (1) Whether the personal information handler has timely found out the impact, scope and possible hazards of a personal information security incident, analyzed and determined the causes of incidents, and put forward measures and plans for preventing the expansion of the damage in accordance with the emergency plan and operating procedures; (2) Whether the personal information handler has established notification channels to timely notify the protection authorities and people of the occurrence of a security incident in accordance with the relevant provisions; and (3) Whether the personal information handler has taken corresponding measures to minimize the potential losses and risks of harm caused by a personal information security incident. **XXVI.** The following matters shall be examined as focus in conducting the compliance audit of the platform rules formulated by a personal information handler that provides important Internet platform services, has a huge number of users and has complicated business types: (1) Whether the platform rules contravene any laws or administrative regulations; (2) The effectiveness of the personal information protection provisions of the platform rules, and whether the rights and obligations of the platforms, products or service providers in the platform to protect personal information are reasonably defined; and (3) the implementation of the platform rules, and whether it has been verified through sampling or otherwise that the platform rules have been effectively implemented. **XXVII.** In conducting the compliance audit on the social responsibility report on personal information protection issued by a personal information handler that provides important Internet platform services, has a huge number of users and has complicated business types, the disclosure of the following contents of the social responsibility report shall be examined as focus: (1) The organizational structure and internal management of personal information protection; (2) The development of personal information protection capability. (3) The measures taken for personal information protection and the effects thereof; (4) Acceptance of applications filed by individuals for exercise of rights; (5) The performance of responsibilities by the independent supervision body; (6) The handling of a serious personal information security incident; (7) Popularization and publicity of science and public welfare activities that promote social co-governance of personal information protection; and (8) Other matters prescribed by laws and administrative regulations. --- ## Official Q&A — CAC explanation of the Measures *Source: Cyberspace Administration of China, "A responsible official of the Cyberspace Administration of China answers reporters' questions on the Measures for the Administration of Personal Information Protection Compliance Audits," February 14, 2025. Government press material; translated by DCC for reference.* **Q1. What is the background to the Measures?** Personal information is now widely collected and used by enterprises, institutions and even individuals, and the tension between protecting and using personal information is increasingly acute. To consolidate the primary responsibility of personal information handlers and strengthen risk control and supervision of processing activities, PIPL and the Network Data Security Management Regulation both provide for compliance audits. To give effect to those requirements, the CAC formulated the Measures, which refine the rules on how audits are conducted, how audit bodies are selected, how often audits occur, and the obligations of handlers and professional bodies — aiming to give handlers a systematic, targeted and operable framework that raises the lawfulness of processing activities and protects personal-information rights and interests. **Q2. What do China's laws and regulations already provide on compliance audits?** PIPL Article 54 requires handlers to periodically audit their compliance with laws and administrative regulations. PIPL Article 64 allows the departments performing personal-information-protection duties, on finding significant risk or a personal-information security incident, to interview the legal representative or principal responsible person, or to require the handler to engage a professional body to audit. Article 27 of the Network Data Security Management Regulation requires network-data handlers to periodically audit — themselves or through a professional body. These provisions establish two situations: (i) handler self-audit; and (ii) department-required audit entrusted to a professional body. **Q3. What are the main contents of the Measures?** (i) the conditions for self-audit and for department-required entrusted audit, the selection of the audit body, and audit frequency; (ii) the obligations of audited handlers — providing necessary support for and bearing the cost of an entrusted audit, completing it within a set time, submitting the audit report and rectifying; (iii) the obligations of professional bodies — having the requisite capability, complying with law, and the rule that the same professional body and its affiliates, or the same audit lead, may not audit the same object more than three consecutive times; and (iv) supervision by the departments, a complaint/report channel for unlawful conduct in audits, and the legal liability of handlers and professional bodies that breach the Measures. **Q4. When must a handler conduct a compliance audit?** Two situations. Self-audit: handlers must periodically audit their compliance; a handler processing the personal information of more than 10 million people must conduct an audit at least once every two years, while other handlers set a reasonable frequency for themselves. Department-required audit: where a department performing personal-information-protection duties finds significant risk, possible infringement of the rights of numerous individuals, or a personal-information security incident, it may require the handler to engage a professional body to audit. **Q5. How does a handler select an audit body?** For a self-audit, a handler may use an internal body or entrust a professional body; the Measures impose no mandatory requirement on the method, on whether to use a professional body, or on which body to choose. Where there is significant risk, possible infringement of numerous individuals' rights, or a security incident, the department may require the handler to entrust a professional body. **Q6. What requirements do the Measures place on professional bodies?** A professional body must reach fair and objective conclusions and offer audit recommendations; its report is an important reference for the supervising department. The Measures require a professional body to: (i) have the capability to conduct audits — audit personnel, premises, facilities and funding commensurate with the service; (ii) comply with law, act with integrity, exercise fair and objective professional judgment, keep confidential the personal information, trade secrets and confidential business information obtained, refrain from disclosing or unlawfully providing it, and delete it promptly after the audit; (iii) not sub-entrust the audit to another body; and (iv) observe the "no more than three consecutive audits of the same object" rule. **Q7. How are professional bodies managed?** On a voluntary, market-based basis, through certification and accreditation. Certification of professional bodies follows the Regulations of the PRC on Certification and Accreditation. A body with the capability and the commensurate personnel, premises, facilities and funding may voluntarily apply for service-capability certification. **Q8. What must a handler do when the audit is department-required?** (i) Ensure the audit proceeds — provide the professional body with the necessary support and bear the audit cost; (ii) select the professional body as required and complete the audit within the set time, which, in complex cases, may be appropriately extended with the department's approval; and (iii) submit the audit report and rectify — after completing the audit, submit the professional body's report to the department, rectify the problems identified as required, and submit a rectification report within 15 working days of completing rectification. **Q9. How do the Personal Information Protection Compliance Audit Guidelines apply?** The Guidelines distill the key points of the personal-information laws and administrative regulations and refine them from an audit perspective, making it easier for handlers to review and evaluate whether their processing complies. A handler conducting a self-audit, or engaging a professional body at a department's request, should refer to the Guidelines. --- ## Cybersecurity Review Measures - Chinese title: 网络安全审查办法 - Hierarchy: rule - Issuing body: CAC + 12 ministries (NDRC, MIIT, MPS, MSS, MOF, MOFCOM, PBOC, NRTA, CSRC, SSA, SCA) - Adopted: 2021-11-16 - Effective: 2022-02-15 - Status: effective - URL: https://datacompliancechina.com/laws/cybersecurity-review-measures/ - Markdown: https://datacompliancechina.com/laws/cybersecurity-review-measures.md ### Summary The 2021 update to the cybersecurity review regime, expanded after the Didi enforcement action. Applies to (i) CIIO procurement of network products/services that may affect national security, and (ii) network platforms holding personal information of more than one million users when seeking an overseas listing. Sets the procedure, factors considered, and outcomes (no-action, conditional approval, prohibition). ### Full text **Promulgated by:** CAC + 12 ministries (NDRC, MIIT, MPS, MSS, MOF, MOFCOM, PBOC, NRTA, CSRC, SSA, SCA). **Document No.:** Decree No. 8 of the Cyberspace Administration of China. **Adopted at the 20th executive meeting of the CAC in 2021 on November 16, 2021. Effective February 15, 2022.** --- **Article 1.** The present Measures are enacted in accordance with the State Security Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China and the Security Protection Regulations for Critical Information Infrastructure, in order to ensure the supply chain security of critical information infrastructure, safeguard network security and data security, and maintain national security. **Article 2.** The purchase of network products and services by critical information infrastructure operator and the data processing activities carries out online platform operators, which affects or may affect national security, shall be subject to cybersecurity review in accordance with the present Measures. **Article 3.** Cybersecurity review shall be conducted under the principle of combining cybersecurity risk prevention with the promotion of the application of advanced technologies, fairness and transparency of the process with the protection of intellectual property rights, ex ante review with continuous regulation, and corporate commitment with social supervision, in terms of the security of products and services as well as data processing activities, potential risks to the national security, etc. **Article 4.** Under the leadership of the Central Cyberspace Affairs Commission, the Cyberspace Administration of China establishes a working mechanism for the cybersecurity review of the State, in concert with the National Development and Reform Commission of the People's Republic of China, the Ministry of Industry and Information Technology of the People's Republic of China, the Ministry of Public Security of the People's Republic of China, the Ministry of State Security of the People's Republic of China, the Ministry of Finance of the People's Republic of China, the Ministry of Commerce of the People's Republic of China, the People's Bank of China, the State Administration for Market Regulation, the State Administration of Radio and Television, the China Securities Regulatory Commission, the National Administration of State Secrets Protection, and the State Cryptography Administration. The Office of Cybersecurity Review, located in the Cyberspace Administration of China ("CAC"), is responsible for developing relevant rules and regulations on cybersecurity review and organizing cybersecurity review. **Article 5.** To purchase network products or services, a critical information infrastructure operator shall prejudge any possible risks to national security after such products or services are put into use. It shall declare any network product or service that affects or may affect national security to the Office of Cybersecurity Review for cybersecurity review. The authority for protection of critical information infrastructure may develop pre-judgment guidelines for the industry or field concerned. **Article 6.** For the procurement activity declared for cybersecurity review, the critical information infrastructure operator shall require the product or service provider to cooperate in the cybersecurity review by virtue of the procurement document, agreement or otherwise, including undertaking not to take advantage of the provision of the product or service to illegally obtain user data, illegally control and manipulate user equipment, and not to suspend product supply or necessary technical support services without justifiable reasons. **Article 7.** To go public abroad, an online platform operator who possesses the personal information of more than 1 million users shall declare to the Office of Cybersecurity Review for cybersecurity review. IPO **Article 8.** To file an application for cybersecurity review, the operator shall submit the following materials: (I) A written declaration; (II) An analysis report concerning the impact or possible impact on national security; (III) The procurement document, agreement, contract to be entered into or IPO materials to be submitted, etc.; and (IV) other materials necessary for cybersecurity reviews. **Article 9.** The Office of Cybersecurity Review shall, within ten working days upon receipt of the declaration materials for review in conformity with the provisions of Article 8 hereof, determine whether the review is required and notify the party in writing thereof. **Article 10.** Cybersecurity review shall focus on the assessment of national security risk factors of the relevant object or situation: (I) Risks of illegal control, interference or destruction of critical information infrastructure brought about by the use of products and services; (II) The harm caused by supply interruption of products and services to the business continuity of critical information infrastructure; (III) Security, openness, transparency and diversity of sources of products and services, reliability of supply channels, and risks of supply interruption due to political, diplomatic, trade or other factors; (IV) Information on compliance with Chinese laws, administrative regulations and departmental rules by product and service providers; (V) Risks of theft, disclosure, damage, illegal use or cross-border transfer of core data, important data or large amounts of personal information; (VI) Risks of influence, control or malicious use of critical information infrastructure, core data, important data or large amounts of personal information by foreign governments after overseas listing; and (VII) Other factors that may endanger critical information infrastructure security and national data security. **Article 11.** Where the Office of Cybersecurity Review deems it necessary to conduct a cybersecurity review, it shall complete the preliminary review within 30 working days from the date when it issues a written notice to the party, including the formation of review findings and suggestions and sending review findings and suggestions to members of the cybersecurity review working mechanism and relevant authorities for their comments. If the case is complicated, the said time limit may be extended by 15 working days. 15 **Article 12.** Members of the cybersecurity review working mechanism and relevant authorities shall give a written reply within 15 working days upon receipt of the review findings and suggestions. If a unanimous agreement is reached among the members of the cybersecurity review working mechanism and relevant authorities, the Office of Cybersecurity Review shall notify the Operator of the review findings in writing. In case of disagreement, the case shall be handled under the special review procedures, and the party shall be notified of the same. **Article 13.** Where a case is handled under the special review procedures, the Office of Cybersecurity Review shall listen to the opinions of relevant authorities and organizations, conduct in-depth analysis and evaluation, form a review finding and suggestions again, seek opinions from members of the cybersecurity review working mechanism and relevant authorities, report the same to the Central Cyberspace Affairs Commission for approval under procedures, and form a review finding and notify the party thereof in writing. **Article 14.** The special review procedures shall generally be completed within 90 working days and the time limit may be extended for complicated cases. **Article 15.** Where the Office of Cybersecurity Review requires supplementary materials, the party and the product or service provider shall do so accordingly. The time for submission of such supplementary materials will not be included in the review period. **Article 16.** Where a member of the cybersecurity review working mechanism believes that a network product or service or data processing activity affects or may affect national security, the Office of Cybersecurity Review shall report the same to the Central Cyberspace Affairs Commission for approval under procedures, and then conduct review in accordance with the present Measures. In order to prevent risks, the party shall take measures to prevent and mitigate risks during the review in accordance with the requirements of the cybersecurity review. **Article 17.** Relevant agencies and personnel involved in the cybersecurity review shall strictly protect intellectual property rights, and shall have confidentiality obligations for the trade secrets, personal information, undisclosed materials submitted by the party, product and service providers as well as other undisclosed information known in the review. Without the consent of the information provider, it is not allowed to disclose such information to unrelated parties or use such information for any purpose other than the review without the consent of the information provider. **Article 18.** Where the party or the network product or service provider believes that a review officer is not objective and impartial or fails to bear confidentiality obligations for the information accessed during the review, it may report the same to the Office of Cybersecurity Review or the relevant authority. **Article 19.** The party shall urge the product or service provider to fulfill its commitments made during the cybersecurity review. The Office of Cybersecurity Review shall strengthen ex ante, interim and ex post supervision by means of accepting reports or otherwise. **Article 20.** Any party in violation of the present Measures shall be punished in accordance with the provisions of the Cybersecurity Law of the People's Republic of China and the Data Security Law of the People's Republic of China. **Article 21.** For the purpose of the present Measures, the term "network products and services" mainly refers to core network equipment, important communication products, high-performance computers and servers, mass storage devices, large databases and application software, cybersecurity equipment, cloud computing services, and other network products and services that have a significant impact on the security of critical information infrastructure. **Article 22.** Where any state secret is involved, the relevant confidentiality provisions of the State shall apply. Where the State has other provisions on data security review and foreign investment security review, such provisions shall be complied with at the same time. **Article 23.** The present Measures shall come into force on February 15, 2022, simultaneously repealing the Cybersecurity Review Measures (issued under Decree No. 6 of the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the People's Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection and the State Cryptography Administration) promulgated on April 13, 2020. --- ## Cybersecurity Standards Practice Guide — Sensitive Personal Information Identification Guide (v1.0, September 2024) - Chinese title: 网络安全标准实践指南 — 敏感个人信息识别指南 (v1.0-202409) - Abbreviation: TC260 Sensitive PI Guide - Hierarchy: standard - Issuing body: Secretariat of the National Information Security Standardization Technical Committee (TC260) - Effective: 2024-09-01 - Status: effective - URL: https://datacompliancechina.com/laws/tc260-sensitive-pi-identification-guide/ - Markdown: https://datacompliancechina.com/laws/tc260-sensitive-pi-identification-guide.md ### Summary TC260's September 2024 practice guide for identifying sensitive personal information under PIPL Article 28. Sets out a four-rule identification framework — damage to personal dignity, to personal safety, to property safety, and aggregation effects — and lists eight common categories of sensitive personal information with illustrative examples in Appendix A. The guide is not a mandatory standard; it is advisory practice guidance issued by the TC260 Secretariat to help organizations operationalize PIPL's sensitive-PI regime. Practical reference for handlers performing the PIPIA required by PIPL Article 55(I) before processing sensitive personal information. ### Full text > *DCC summary, not a translation.* TC260's practice guide explicitly prohibits unauthorized translation. The structured summary below is DCC's own paraphrase of the guide's framework, written for overseas compliance teams who need to understand how Chinese regulators expect handlers to identify "sensitive personal information" as that term is defined in PIPL Article 28. ## Why this guide matters PIPL Article 28 defines sensitive personal information as personal information that, if leaked or unlawfully used, would readily harm a natural person's dignity or threaten their personal or property safety. The statute provides a non-exhaustive list — biometric identification, religious belief, specific identity, medical health, financial account, and whereabouts and tracks information, as well as personal information of minors under 14. The TC260 guide does what the statute does not: it gives handlers a structured method for *applying* this definition. For overseas compliance teams whose Chinese subsidiaries or vendors handle personal information at scale, this is the framework Chinese regulators will reference when deciding whether the strict handling rules for sensitive personal information (separate consent under Article 29, intensified PIPIA under Article 55, notice obligations under Article 30) attach to a given dataset. ## The four-rule identification framework The guide directs handlers to apply four rules in sequence. **Rule 1 — Statutory criteria.** Information is sensitive personal information if leakage or unlawful use would readily lead to any of: - Damage to the natural person's dignity. The guide notes that "doxxing" (人肉搜索), unauthorized account access, telecom fraud, reputational damage, and discriminatory differential treatment all fall in this category — and that discriminatory differential treatment often turns on the disclosure of specific identity, religious belief, sexual orientation, or specific disease/health information. - Harm to the natural person's safety. The guide gives whereabouts and trajectory data as the canonical example. - Harm to the natural person's property safety. The guide gives financial-account information as the canonical example. **Rule 2 — Default-category check.** A handler should identify information in the eight common categories enumerated in Section 4 (set out below) and treat any such information as sensitive by default. The guide notes that a handler with substantive evidence that a particular dataset *does not* meet the Rule 1 conditions may elect not to treat it as sensitive — but this is an explicit override of the default, not a discretionary judgment. **Rule 3 — Aggregation analysis.** Single-item identification is not enough. The handler must also assess the *aggregate* effect of combining multiple ordinary personal-information items. If the combined dataset would meet Rule 1's conditions in the aggregate, it should be treated as sensitive personal information in the aggregate. **Rule 4 — Statutory carve-outs prevail.** Where law or administrative regulation specifies that information is sensitive personal information, that designation governs. ## The eight common categories The guide enumerates eight categories of common sensitive personal information, with illustrative examples in Appendix A. 1. **Biometric identification information** — including face, voiceprint, gait, fingerprint, palmprint, eye-print, ear-print, iris, and gene information. Cross-reference to dedicated national standards: GB/T 40660 (general biometric), GB/T 41819 (facial recognition data), GB/T 41807 (voiceprint data), GB/T 41773 (gait data), GB/T 41806 (gene identification data). 2. **Religious-belief information** — religion practiced, religious organizations joined, positions held within religious organizations, religious activities participated in, special religious customs. 3. **Specific-identity information** — identity that materially affects personal dignity and social evaluation, or that is otherwise unsuitable for public disclosure. The guide emphasizes identity information that could prompt social discrimination. 4. **Medical health information** — information related to physical or mental injury, illness, disability, illness risk, or privacy. The guide subdivides this into (a) health-status information (symptoms, medical history, family medical history, infectious-disease history, examination reports, fertility information) and (b) information generated in the course of medical services (medical records, hospital admission records, doctor's orders, surgical and anesthesia records, nursing records, medication records, examination data, examination reports). 5. **Financial-account information** — bank, securities, fund, insurance, and housing-fund account numbers and passwords; payment account numbers, bank-card track data, payment-token information derived from account data, and personal income detail. 6. **Whereabouts and tracks information** — continuous precise-location trajectory data, vehicle trajectory data, personal activity-trajectory data. Service-fulfillment context — for example, delivery drivers and couriers performing service tasks — is carved out by note. 7. **Personal information of minors under 14**. 8. **Other sensitive personal information** — including (per the appendix) precise-location information collected via mobile-device fine-location permission, ID-card photographs, sexual orientation, sexual activity, credit reporting information, criminal-record information, and images or video showing private body parts. ## Key application notes from Appendix A - *Precise location* requires the mobile-device fine-location permission to be invoked; rough-IP-derived location information is not by itself precise-location information. Continuous precise-location capture can constitute trajectory information. - *Health-related but ordinary* metrics — weight, height, blood type, blood pressure, lung capacity — fall outside the sensitive category if not associated with an actual disease or medical visit. - *Criminal-record information* refers specifically to records maintained by Chinese state organs (charge, sentence, etc.). - *Gene identification data*, *facial recognition data*, *voiceprint*, *gait*, and *gene* each have their own dedicated national-standard data-security requirements; the TC260 guide is a higher-level identification reference and does not displace those data-specific standards. ## How to use this in compliance practice For overseas compliance teams operating in China: - **Treat the eight categories as the working list.** Any data fitting one of the eight categories should default to sensitive-PI handling — separate consent, written consent where required, intensified PIPIA, and the additional notice obligations of PIPL Article 30. - **Run the aggregation check.** Even where individual fields are ordinary personal information, an aggregate dataset that exposes whereabouts, financial profile, health status, or other Rule 1 vectors should be classified up. - **Document the assessment.** PIPL Article 55 requires PIPIA before processing sensitive personal information; the PIPIA report is the natural place to record the Rule 1–Rule 4 analysis with reference to the guide. Retain for three years (PIPL Article 56). - **Recognize the guide's status.** TC260 practice guides are not mandatory standards. But Chinese regulators reference them as the operational gloss on the statutory definition, and handlers who deviate from the guide's framework should expect to justify the deviation. --- — *Cybersecurity Standards Practice Guide: Sensitive Personal Information Identification Guide* (v1.0, September 2024), issued by the Secretariat of the National Information Security Standardization Technical Committee (TC260). DCC summary based on the published guide. For the source document, see [www.tc260.org.cn](https://www.tc260.org.cn/). --- ## Data Security Law of the People's Republic of China - Chinese title: 中华人民共和国数据安全法 - Abbreviation: DSL - Hierarchy: law - Issuing body: National People's Congress Standing Committee - Adopted: 2021-06-10 - Effective: 2021-09-01 - Status: effective - URL: https://datacompliancechina.com/laws/dsl/ - Markdown: https://datacompliancechina.com/laws/dsl.md ### Summary The Data Security Law is the second of China's three foundational data statutes (alongside CSL and PIPL). It governs all data processing activities — not just personal information — and establishes the data classification and grading regime, the 'important data' and 'national core data' categories, security obligations for data handlers, the cross-border transfer restrictions on important data, and the prohibition on providing data to foreign judicial or enforcement bodies without approval. ### Full text **Promulgated by:** National People's Congress Standing Committee. **Document No.:** Order of the President No. 84. **Adopted at the 29th Session of the Standing Committee of the 13th National People's Congress on June 10, 2021. Effective September 1, 2021.** --- ## Chapter 1 General Provisions **Article 1.** In order to regulate data handling activities, ensure data security, promote data exploitation and use, protect the lawful rights and interests of individuals and organizations, and safeguard national sovereignty, security and development interests, this Law is enacted. **Article 2.** This Law shall apply to data handling activities carried out within the territory of the People's Republic of China and to the security regulation thereof. Where data handling activities are carried out outside the territory of the People's Republic of China, which damage the national security or public interest of the People's Republic of China or the lawful rights and interests of citizens or organizations, legal liability shall be investigated in accordance with the law. **Article 3.** For the purposes of this Law, the term "data (records)" refers to any record of information made electronically or by other means. Data handling includes the collection, storage, use, processing, transmission, provision and disclosure of data, among others. Data security refers to the state of effective protection and lawful use of data achieved by taking necessary measures, and the capacity to ensure that such a state of continuous security is maintained. **Article 4.** In maintaining data security, the overall national security concept shall be upheld, a sound data security governance system shall be established and improved, and the capacity for safeguarding data security shall be enhanced. **Article 5.** The central national security leadership body shall be responsible for decision-making and deliberation and coordination with respect to national data security work, shall study, formulate and guide the implementation of the national data security strategy and relevant major guidelines and policies, shall overall plan and coordinate major matters and important tasks of national data security, and shall establish a data security coordination mechanism at the National level. **Article 6.** Each region and each department shall be responsible for the data (records) collected and generated in the course of its work in its respective region and department, and for the security of such data. Departments in charge of industries and sectors such as industry, telecommunications, transport, finance, natural resources, health, education and science and technology shall undertake data security regulatory responsibilities for their respective industries and sectors. Public security organs, state security organs and others shall, in accordance with this Law and relevant Laws and Administrative Regulations, undertake data security regulatory responsibilities within the scope of their respective duties. The national cyberspace administration shall, in accordance with this Law and relevant Laws and Administrative Regulations, be responsible for overall planning and coordination of network data security and related regulatory work. **Article 7.** The State shall protect the rights and interests of individuals and organizations related to data (records), encourage the lawful, reasonable and effective exploitation and use of data (records), ensure the lawful, orderly and free flow of data (records), and promote the development of the digital economy in which data (records) are a key factor of production. **Article 8.** In carrying out data handling activities, Laws and Administrative Regulations shall be observed, social morality and ethics shall be respected, business ethics and professional ethics shall be observed, honesty and good faith shall be maintained, data security protection obligations shall be performed, social responsibilities shall be assumed, and national security and public interest shall not be jeopardized, nor shall the lawful rights and interests of individuals or organizations be harmed. **Article 9.** The State shall support the dissemination and popularization of knowledge on data security, raise the awareness and level of the whole society in protecting data security, and promote the joint participation of relevant departments, industry organizations, research institutions, enterprises and individuals in data security protection work, so as to form a sound environment in which the whole society jointly maintains data security and promotes development. **Article 10.** Relevant industry organizations shall, in accordance with their articles of association, formulate in accordance with the law codes of conduct for data security and group standards, strengthen self-discipline in their industries, guide their members in strengthening data security protection, improve data security protection standards, and promote the sound development of their industries. **Article 11.** The State shall actively conduct international exchanges and cooperation in the fields of data security governance and data exploitation and use, participate in the formulation of international rules and standards related to data security, and promote the secure and free cross-border flow of data (records). **Article 12.** Any individual or organization shall have the right to lodge complaints or reports with the relevant competent departments against acts that violate the provisions of this Law. The departments receiving complaints or reports shall handle them in a timely manner in accordance with the law. The relevant competent departments shall keep confidential the relevant information of the complainants and informants and protect their lawful rights and interests. ## Chapter 2 Data Security and Development **Article 13.** The State shall coordinate development and security, and shall adhere to the promotion of data security through data exploitation and use and industrial development, and the safeguarding of data exploitation and use and industrial development through data security. **Article 14.** The State shall implement a big data strategy, promote the construction of data infrastructure, and encourage and support innovative applications of data (records) in all industries and fields. People's governments at or above the provincial level shall incorporate the development of the digital economy into the national economic and social development plans at their respective levels, and may, as needed, formulate digital economy development plans. **Article 15.** The State shall support the exploitation and use of data (records) to improve the level of intelligence of public services. In providing intelligent public services, the needs of the elderly and persons with disabilities shall be fully taken into account, so as to avoid creating obstacles to the daily life of the elderly and persons with disabilities. **Article 16.** The State shall support research into data exploitation and use and data security technologies, encourage the promotion of technologies and commercial innovation in the fields of data exploitation and use and data security, and cultivate and develop systems of products and industries for data exploitation and use and data security. **Article 17.** The State shall promote the development of systems of standards for data exploitation and use technologies and for data security. The administrative department of standardization under the State Council and the relevant departments under the State Council shall, according to their respective functions, organize the formulation and timely revision of standards related to data exploitation and use technologies, products and data security. The State shall support enterprises, social organizations and educational and research institutions in participating in standard-setting. **Article 18.** The State shall promote the development of services such as data security testing and appraisal and certification, and shall support professional institutions engaging in data security testing and appraisal, certification and other such services in carrying out service activities in accordance with the law. The State shall support relevant departments, industry organizations, enterprises, educational and research institutions and relevant professional institutions in carrying out cooperation in data security risk appraisal, prevention and handling. **Article 19.** The State shall establish and improve a data trading governance scheme, regulate data trading activities, and foster a data trading market. **Article 20.** The State shall support educational and research institutions and enterprises in conducting education and training related to data exploitation and use technologies and data security, cultivate, through multiple means, professionals in data exploitation and use technologies and data security, and promote the exchange of such professionals. ## Chapter 3 Data Security Regime **Article 21.** The State shall establish a data tiered protection regime, under which data (records) shall be accorded classified and tiered protection according to the importance of such data (records) to economic and social development and the degree of harm that may be caused to national security or public interest or to the lawful rights and interests of individuals and organizations if such data (records) are tampered with, destroyed, leaked, or illegally obtained or illegally used. The data security coordination mechanism at the National level shall coordinate relevant departments in formulating catalogues of significant data and shall strengthen the protection of significant data. Data (records) related to national security, the lifelines of the national economy, critical livelihoods of the people and major public interest shall fall under national core datasets and shall be subject to a more stringent management regime. Each region and each department shall, in accordance with the data tiered protection regime, determine specific catalogues of significant data for its respective region, department and related industries and sectors, and shall provide key protection for data (records) included in the catalogues. **Article 22.** The State shall establish a centralized, unified, efficient and authoritative mechanism for data security risk appraisal, reporting, information sharing and monitoring and early warning. The data security coordination mechanism at the National level shall coordinate relevant departments in strengthening efforts to obtain, analyze, assess and provide early warnings of data security risk information. **Article 23.** The State shall establish a data security contingency system. In the event of a data security incident, the relevant competent departments shall, in accordance with the law, initiate contingency plans, take corresponding emergency response measures, prevent the expansion of harm, eliminate security hazards, and promptly release to the public warning information relevant to the public. **Article 24.** The State shall establish a data security review framework and conduct national security reviews for data handling activities that affect or might affect national security. Security review decisions lawfully made shall be final decisions. **Article 25.** The State shall, in accordance with the law, impose export control on data (records) that fall under controlled items and relate to safeguarding national security and interests and performing international obligations. **Article 26.** Where any country or region adopts discriminatory prohibitions, restrictions or other similar measures against the People's Republic of China in respect of investment, trade or other matters related to data (records) and data exploitation and use technologies, the People's Republic of China may, based on actual circumstances, adopt reciprocal measures against such country or region. ## Chapter 4 Obligations for Data Security Protection **Article 27.** Those carrying out data handling activities shall, in accordance with the provisions of Laws and Administrative Regulations, establish and improve a data security management system covering the whole process, organize and carry out data security education and training, and adopt corresponding technical and other necessary measures to ensure data security. Those carrying out data handling activities by using the Internet and other information networks shall perform the above-mentioned data security protection obligations on the basis of the multilevel cybersecurity protection regime. Handlers of significant data shall designate persons in charge of data security and establish a management body, and shall implement data security protection responsibilities. **Article 28.** Data handling activities and research and development of new data technologies shall be conducive to promoting economic and social development, improving the well-being of the people, and conforming to social morality and ethics. **Article 29.** In carrying out data handling activities, risk monitoring shall be strengthened. Where risks such as data security defects and vulnerabilities are discovered, remedial measures shall be taken immediately; where a data security incident occurs, handling measures shall be taken immediately, users shall be promptly informed in accordance with the provisions, and reports shall be made to the relevant competent departments. **Article 30.** Handlers of significant data shall, in accordance with the provisions, periodically carry out risk appraisal of their data handling activities and shall submit risk appraisal reports to the relevant competent departments. Risk appraisal reports shall include such contents as the types and quantities of significant data handled, the circumstances of data handling activities, the data security risks faced, and the measures taken to address such risks. **Article 31.** The outbound security management of significant data collected and generated in the course of operations within the territory of the People's Republic of China by operators of critical information infrastructure shall be governed by the provisions of the Cybersecurity Law of the People's Republic of China; the measures for outbound security management of significant data collected and generated in the course of operations within the territory of the People's Republic of China by other data handlers shall be formulated by the national cyberspace administration in conjunction with the relevant departments under the State Council. **Article 32.** Any organization or individual collecting data (records) shall adopt lawful and proper means and shall not steal or obtain data (records) by other illegal means. Where Laws or Administrative Regulations contain provisions on the purposes and scope of the collection and use of data (records), data (records) shall be collected and used within the purposes and scope prescribed by such Laws and Administrative Regulations. **Article 33.** Institutions engaging in data trading intermediary services, when providing services, shall require data providers to explain the sources of the data (records), shall verify the identities of both parties to the transaction, and shall retain verification and transaction records. **Article 34.** Where Laws or Administrative Regulations provide that administrative licences shall be obtained for the provision of services related to data handling, service providers shall obtain such licences in accordance with the law. **Article 35.** Where public security organs or state security organs, for the purpose of lawfully safeguarding national security or investigating crimes, need to obtain data (records), they shall do so in accordance with the relevant provisions of the State, after undergoing strict approval procedures and in accordance with the law, and the relevant organizations and individuals shall cooperate. **Article 36.** The competent authorities of the People's Republic of China shall, in accordance with relevant Laws and the international treaties and agreements to which the People's Republic of China is a party or in which it participates, or on the basis of the principle of equality and reciprocity, handle requests from foreign judicial or law enforcement authorities for the provision of data (records). Without the approval of the competent authorities of the People's Republic of China, organizations and individuals within the territory shall not provide data (records) stored within the territory of the People's Republic of China to foreign judicial or law enforcement authorities. ## Chapter 5 Security and Openness of Government Data **Article 37.** The State shall vigorously promote the development of e-government, improve the scientificity, accuracy and timeliness of government data (records), and enhance the capacity to use data (records) to serve economic and social development. **Article 38.** Where State organs, for the purpose of performing their statutory duties, need to collect and use data (records), they shall do so within the scope of their statutory duties and in accordance with the conditions and procedures prescribed by Laws and Administrative Regulations; data such as personal privacy, personal information, trade secrets and confidential business information learned in the course of performing their duties shall be kept confidential in accordance with the law and shall not be divulged or illegally provided to others. **Article 39.** State organs shall, in accordance with the provisions of Laws and Administrative Regulations, establish and improve data security management systems, implement data security protection responsibilities, and ensure the security of government data (records). **Article 40.** Where State organs entrust others with the construction and maintenance of e-government systems or the storage and processing of government data (records), they shall undergo strict approval procedures and shall supervise the entrusted parties in performing the corresponding data security protection obligations. The entrusted parties shall, in accordance with the provisions of Laws and Administrative Regulations and the contractual agreements, perform data security protection obligations, and shall not retain, use, divulge or provide government data (records) to others without authorization. **Article 41.** State organs shall, in accordance with the principles of justice, fairness and convenience for the people, disclose government data (records) in a timely and accurate manner in accordance with the provisions, except where such data (records) are not to be disclosed in accordance with the law. **Article 42.** The State shall formulate catalogues for the openness of government data (records), establish a unified, standardized, interconnected and secure and controllable platform for the openness of government data (records), and promote the openness and use of government data (records). **Article 43.** The provisions of this Chapter shall apply to data handling activities carried out by organizations authorized by Laws and Regulations to manage public affairs functions for the purpose of performing their statutory duties. ## Chapter 6 Legal Liability **Article 44.** Where, in the course of performing data security regulatory responsibilities, the relevant competent departments discover that data handling activities involve relatively high security risks, they may, in accordance with the prescribed powers and procedures, conduct interviews with the relevant organizations and individuals, and may require the relevant organizations and individuals to take measures to make rectifications and eliminate hidden dangers. **Article 45.** Where organizations or individuals carrying out data handling activities fail to perform the data security protection obligations prescribed in Articles 27, 29 and 30 of this Law, the relevant competent departments shall order them to make corrections, issue a warning, and may impose a fine of not less than 50,000 yuan but not more than 500,000 yuan; and a fine of not less than 10,000 yuan but not more than 100,000 yuan may be imposed on the persons directly in charge and other directly responsible persons; where they refuse to make corrections or where serious consequences such as the leakage of a large amount of data (records) are caused, a fine of not less than 500,000 yuan but not more than 2,000,000 yuan shall be imposed, and they may also be ordered to suspend relevant business, suspend operations for rectification, have the relevant business permits revoked or have their business licences revoked, and a fine of not less than 50,000 yuan but not more than 200,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons. Where the management regime for national core datasets is violated and national sovereignty, security and development interests are jeopardized, the relevant competent departments shall impose a fine of not less than 2,000,000 yuan but not more than 10,000,000 yuan and, depending on the circumstances, may order the suspension of relevant business, suspension of operations for rectification, revocation of relevant business permits or revocation of business licences; where a crime is constituted, criminal liability shall be investigated in accordance with the law. **Article 46.** Where significant data are provided overseas in violation of the provisions of Article 31 of this Law, the relevant competent departments shall order corrections to be made, issue a warning, and may impose a fine of not less than 100,000 yuan but not more than 1,000,000 yuan, and a fine of not less than 10,000 yuan but not more than 100,000 yuan may be imposed on the persons directly in charge and other directly responsible persons; where the circumstances are serious, a fine of not less than 1,000,000 yuan but not more than 10,000,000 yuan shall be imposed, and they may also be ordered to suspend relevant business, suspend operations for rectification, have the relevant business permits revoked or have their business licences revoked, and a fine of not less than 100,000 yuan but not more than 1,000,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons. **Article 47.** Where an institution engaging in data trading intermediary services fails to perform the obligations prescribed in Article 33 of this Law, the relevant competent departments shall order it to make corrections, confiscate its unlawful gains and impose a fine of not less than one time but not more than ten times the amount of the unlawful gains; where there are no unlawful gains or the unlawful gains are less than 100,000 yuan, a fine of not less than 100,000 yuan but not more than 1,000,000 yuan shall be imposed, and it may also be ordered to suspend relevant business, suspend operations for rectification, have the relevant business permits revoked or have its business licence revoked; and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons. **Article 48.** Where the provisions of Article 35 of this Law are violated by refusing to cooperate in the retrieval of data (records), the relevant competent departments shall order corrections to be made, issue a warning, and impose a fine of not less than 50,000 yuan but not more than 500,000 yuan, and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons. Where the provisions of Article 36 of this Law are violated by providing data (records) to foreign judicial or law enforcement authorities without the approval of the competent authorities, the relevant competent departments shall issue a warning and may impose a fine of not less than 100,000 yuan but not more than 1,000,000 yuan, and a fine of not less than 10,000 yuan but not more than 100,000 yuan may be imposed on the persons directly in charge and other directly responsible persons; where serious consequences are caused, a fine of not less than 1,000,000 yuan but not more than 5,000,000 yuan shall be imposed, and they may also be ordered to suspend relevant business, suspend operations for rectification, have the relevant business permits revoked or have their business licences revoked, and a fine of not less than 50,000 yuan but not more than 500,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons. **Article 49.** Where State organs fail to perform the data security protection obligations prescribed by this Law, the persons directly in charge and other directly responsible persons shall be given sanctions in accordance with the law. **Article 50.** Where State functionaries performing data security regulatory responsibilities commit dereliction of duty, abuse of power or engage in malpractices for personal gain, they shall be given sanctions in accordance with the law. **Article 51.** Where data (records) are stolen or obtained by other illegal means, or data handling activities are carried out to exclude or restrict competition, or the lawful rights and interests of individuals or organizations are harmed, punishment shall be imposed in accordance with the provisions of relevant Laws and Administrative Regulations. **Article 52.** Where the provisions of this Law are violated and damage is caused to others, civil liability shall be borne in accordance with the law. Where violations of the provisions of this Law constitute acts violating public security administration, public security administration penalties shall be imposed in accordance with the law; where a crime is constituted, criminal liability shall be investigated in accordance with the law. ## Chapter 7 Supplementary Provisions **Article 53.** Data handling activities involving State secrets shall be governed by the provisions of the Law of the People's Republic of China on Guarding State Secrets and other Laws and Administrative Regulations. Data handling activities carried out in statistics and archival work, and data handling activities involving personal information, shall also comply with the provisions of relevant Laws and Administrative Regulations. **Article 54.** The measures for the protection of military data security shall be formulated separately by the Central Military Commission in accordance with this Law. **Article 55.** This Law shall enter into force as of September 1, 2021. --- ## Regulations on the Protection of Minors in Cyberspace - Chinese title: 未成年人网络保护条例 - Hierarchy: regulation - Issuing body: State Council - Adopted: 2023-09-20 - Effective: 2024-01-01 - Status: effective - URL: https://datacompliancechina.com/laws/minors-online-protection-regulations/ - Markdown: https://datacompliancechina.com/laws/minors-online-protection-regulations.md ### Summary Implementing regulation for the protection of minors under PIPL and CSL. Covers age-appropriate content, online education, addiction-prevention regimes for video games and short videos, sensitive personal information of minors (under 14), parental consent mechanisms, and platform obligations for products targeting or accessible to minors. ### Full text **Promulgated by:** State Council. **Document No.:** Decree No. 766 of the State Council. **Adopted at the 15th executive meeting of the State Council on September 20, 2023. Effective January 1, 2024.** --- ## Chapter 1 General Provisions **Article 1.** In order to create a cyber environment conducive to the physical and mental health of minors and safeguard the legitimate rights and interests of minors, this Regulation is enacted in accordance with the Law of the People's Republic of China on the Protection of Minors, the Cybersecurity Law of the People's Republic of China, the Law of the People's Republic of China on the Protection of Personal Information and other laws. **Article 2.** The protection of minors in cyberspace shall be subject to the leadership of the Communist Party of China, the guidance of the socialist core values and the principle of benefiting minors to the most, be in line with the physical and mental health development of minors and the law and characteristics of cyberspace, and be subject to social co-governance. **Article 3.** The Cyberspace Administration of China ("CAC") is responsible for the overall coordination of the protection of minors in cyberspace and effectively protecting minors in cyberspace ex officio. The state press and publication and film authorities as well as the department of education, telecommunications, public security, civil affairs, culture and tourism, health, market regulation, and radio and television etc. under the State Council shall effectively protect minors in cyberspace ex officio. Local people's governments at or above the county level and their relevant departments shall effectively protect minors in cyberspace ex officio. **Article 4.** The Communist Youth Leagues, the Women's Federations, the Trade Unions, the Disabled Persons' Federations, the Working Committees for the Care of the Next Generation, the Youth Federations, the Students' Federations, the Young Pioneers' Federations, and other people's organizations, relevant social organizations, and grass-roots mass organizations of self-governance shall assist the relevant authorities in effectively protecting minors in cyberspace and safeguarding the legitimate rights and interests of minors. **Article 5.** Schools and families shall educate and guide minors to participate in activities that are conducive to their physical and mental health and to access internet space in a scientific, civilized, safe and reasonable manner, so as to prevent and intervene in minors' addiction to the cyberspace. **Article 6.** Providers of cyber products and services, personal information handlers, manufacturers and sellers of intelligent terminal products shall abide by laws, administrative regulations and the relevant provisions of the State, respect social moralities, follow business ethics, act in good faith, fulfill the obligation of protecting minors in cyberspace, and assume social responsibilities. **Article 7.** Providers of cyber products and services, personal information handlers, manufacturers and sellers of intelligent terminal products shall accept the supervision of the government and the public, cooperate with the relevant authorities in carrying out the supervision and inspection involving the protection of minors in cyberspace in accordance with the law, establish convenient, reasonable and effective channels for complaints and whistleblowing, publicize the channels and methods for complaints and whistleblowing in an obvious way, and promptly accept and handle public complaints and whistleblowing. **Article 8.** Any organization or individual discovering any violation of the provisions hereof may make a complaint or whistleblowing to the administrations of cyberspace, press and publication, film, education, telecommunications, public security, civil affairs, culture and tourism, health, market supervision and administration, radio and television and other sectors. The administration that receives a complaint or whistleblowing shall promptly handle the case in accordance with the law or refer the case that does not fall under its responsibility to the competent administration. **Article 9.** Cyber-related industrial organizations shall intensify industrial self-regulation, formulate relevant industrial norms on the protection of minors in cyberspace, instruct their members to fulfill the obligation of protecting minors in cyberspace, and strengthen the protection of minors in cyberspace. **Article 10.** News media shall publicize the laws, regulations, policy measures, typical cases and relevant knowledge on the protection of minors in cyberspace in the form of news reports, feature columns (programs), public service advertisements, etc., conduct supervision by public opinions over any infringement upon the legitimate rights and interests of minors, and guide the whole of society to jointly participate in the protection of minors in cyberspace. **Article 11.** The State encourages and supports the strengthening of scientific research, talent cultivation, and international exchange and cooperation in the field of the protection of minors in cyberspace. **Article 12.** Organizations and individuals that make outstanding contributions to the protection of minors in cyberspace shall be commended and rewarded in accordance with the relevant provisions of the State. ## Chapter 2 Promotion of Cyber Literacy **Article 13.** The education department of the State Council shall incorporate cyber literacy education into schools' quality-oriented education, and, in concert with the Cyberspace Administration of China, formulate indicators for assessing minors' cyber literacy. Education authorities shall guide and support schools in carry outing the cyber literacy education for minors, and foster minors' cybersecurity awareness, civilization quality, behavioral habits, and protection skills with focus on the formation of cyber moral awareness, the cultivation of the concept of rule of law in cyberspace, the building of cyber capacity, and the protection of personal and property safety, among others. **Article 14.** People's governments at or above the county level shall make scientific planning and reasonable distribution, promote the balanced and coordinated development of non-profit internet access services, strengthen the construction of public cultural facilities that provide non-profit internet access services, and improve the conditions for minors to access the internet. Local people's governments at or above the county level shall provide students with quality cyber literacy education courses by equipping primary and secondary schools with guidance teachers with corresponding professional capacity, purchasing services by the government, or encouraging primary and secondary schools to purchase the relevant services on their own. **Article 15.** Schools, communities, libraries, cultural centers, youth and children's palaces and other places that provide minors with internet access service facilities shall provide minors with internet access guidance and a safe and healthy internet access environment by arranging for professionals, recruiting volunteers or otherwise, installing software designed to protect minors in cyberspace, or taking other technical measures for the protection of the security of the minors. **Article 16.** Schools shall include the improvement of students' cyber literacy into their education and teaching activities, reasonably use the internet to carry out teaching activities, establish a sound management system for students' internet access at school, standardize and manage intelligent terminal products brought by minor students to school in accordance with the law, help students form good internet surfing habits, cultivate students' awareness of cybersecurity and rule of law in cyberspace , and enhance students' ability to obtain, analyze and judge information online. **Article 17.** Guardians of minors shall strengthen the building of family education and family style, improve their own cyber literacy, regulate their own use of the internet, and strengthen the education, demonstration, guidance and supervision of minors' use of the internet. **Article 18.** The State encourages and supports the research and development, production and use of software to protect minors in cyberspace, intelligent terminal products, minor modes, special zones for minors and other cyber technologies, products and services that specifically target at minors and adapt to the laws and characteristics of the physical and mental health development of minors, strengthens the building and transformation of barrier-free environment in cyberspace, and promotes minors to broaden their horizons, cultivate their sentiments and improve their qualities. **Article 19.** Software designed to protect minors in cyberspace and intelligent terminal products specifically provided for minors to use shall have the functions of effectively identifying illegal information and information that may affect the physical and mental health of minors, protecting minors' personal information rights and interests, preventing minors from becoming addicted to the internet space, and facilitating guardians' performance of guardianship responsibilities. In concert with the relevant departments of the State Council, the Cyberspace Administration of China shall, in light of the needs for protecting minors in cyberspace, clarify the relevant technical standards or requirements for software designed to protect minors in cyberspace and intelligent terminal products specifically provided for minors to use, and guide and supervise cyber-related industrial organizations to evaluate the use effects of software designed to protect minors in cyberspace and intelligent terminal products specifically provided for minors to use pursuant to the relevant technical standards and requirements. Manufacturers of intelligent terminal products shall install software designed to protect minors in cyberspace before the products leave the factory or inform users of the installation channels and methods in a noticeable way. Sellers of intelligent terminal products shall, prior to the sale of the products, inform users of the information about the installation of software designed to protect minors in cyberspace as well as installation channels and methods in a noticeable way. The guardians of minors shall reasonably use and guide minors to use software for protection in cyberspace and intelligent terminal products, etc., and create a favorable family environment for use cyberspace. **Article 20.** A cyber platform service provider with a large number of minor users or with a significant impact on the group of minors shall perform the following obligations: 1. At the stages of design, research and development and operation of cyber platform services, fully consider the characteristics of the physical and mental development of minors and regularly assess the impact of the protection of minors in cyberspace; 2. Provide minor modes or special zones for minors to facilitate minors in obtaining products or services on the platform that are conducive to their physical and mental health; 3. Establish a sound compliance system for protection of minors in cyberspace in accordance with the provisions of the State, and establish an independent body mainly composed of external members to supervise the protection of minors in cyberspace; 4. Follow the principles of openness, fairness, and impartiality, formulate specific platform rules, specify the obligation of product or service providers on the platform to protect minors in cyberspace, and remind, in an eye-catching way, minor users of their legal rights to be protected in cyberspace and the remedies against any cyber infringement; 5. Stop providing services to any product or service provider on the platform that violates laws or administrative regulations, seriously harms the physical and mental health of minors or infringes upon other legitimate rights and interests of minors; and 6. release a special report on social responsibility for the protection of minors in cyberspace each year and accept social supervision. The specific measures for identifying a cyber platform service provider with a large number of minor users or with a significant impact on the group of minors as mentioned in the preceding paragraph shall be separately formulated by the Cyberspace Administration of China in concert with the relevant authorities. ## Chapter 3 Regulation of Information in Cyberspace **Article 21.** The State encourages and supports the production, reproduction, release, dissemination and promotion of socialist core values and advanced socialist culture, revolutionary culture and fine traditional Chinese culture, founds the Chinese nation community consciousness, cultivates minors' feelings for home and country and good morality, guides minors to develop good living habits and behavioral habits and creates a clear and bright cyberspace and a good cyber ecology which are conducive to the healthy growth of minors. **Article 22.** No organization or individual may produce, reproduce, release or disseminate cyber information that propagates obscenity, pornography, violence, cult, superstition, gambling, lures self-harm and suicide, terrorism, separatism, extremism and other contents that endanger the physical and mental health of minors. No organization or individual may produce, reproduce, release, disseminate or possess pornographic minor-related information in cyberspace. **Article 23.** For any cyber product or service containing information that may affect the physical and mental health of minors, such as information that may cause or induce minors to imitate unsafe acts, to commit acts in violation of social morality, to produce extreme emotions or to develop bad hobbies, the organization or individual that produces, reproduces, releases or disseminates such information shall give a conspicuous reminder before displaying such information. The Cyberspace Administration of China shall, in conjunction with the state authority of press and publication and the authority of film as well as the departments of education, telecommunications, public security, culture and tourism, and radio and television under the State Council, determine the specific types and scope of information that may affect the physical and mental health of minors as well as judgment criteria and prompt measures on the basis of the provisions of the preceding paragraph. **Article 24.** No organization or individual may produce, reproduce, release or disseminate the information that may affect the physical and mental health of minors as prescribed in Paragraph 1 of Article 23 hereof in the cyber products and services specially targeting minors. Providers of cyber products and services shall not present the information that may affect the physical and mental health of minors as prescribed in Paragraph 1 of Article 23 hereof at an eye-catching position of products or services or in key links that are likely to attract users' attention, such as homepage, pop-up window and hot search. Providers of cyber products and services shall not carry out commercial marketing to minors in an automatic decision -making manner. **Article 25.** No organization or individual may send, push to minors, or induce or force minors to have access to the information containing the content that endangers or may affect the physical and mental health of minors. **Article 26.** No organization or individual may insult, slander, threaten or maliciously damage minors' image or commit any other cyberbullying in such forms as text, pictures, audio and video via the internet. Providers of cyber products and services shall establish sound mechanisms for early warning, prevention, identification, monitoring and handling of cyberbullying, set up functions and channels that facilitate minors and their guardians in keeping records of cyberbullying and exercise the right of notification, and provide convenience for minors to set up options for protection from cyberbullying information, such as shielding unfamiliar users, the availability of information released by minors themselves, prohibition from reposting or commenting on information released by minors themselves, and prohibition from sending information to minors themselves. Providers of cyber products and services shall establish a sound cyberbullying information characterization database, optimize the relevant algorithmic models, and strengthen the identification and monitoring of cyberbullying information by combining technical means such as artificial intelligence and big data and manual review. **Article 27.** No organization or individual may organize, instigate, coerce, lure, deceive or assist minors to commit illegal or criminal acts on the internet in such forms as text, pictures, audio and video. **Article 28.** The providers of online education cyber products and services targeting minors shall, in accordance with laws, administrative regulations and the relevant provisions of the State, provide corresponding products and services in light of the physical and mental development characteristics and cognitive abilities of minors at different age stages. **Article 29.** Providers of cyber products and services shall strengthen the management of the information released by users, and take effective measures to prevent the production, reproduction, release or transmission of the information in violation of Article 22, Article 24, Article 25, Paragraph 1 of Article 26 or Article 27 hereof. If any information is found in violation of the aforesaid provisions, the transmission of relevant information shall be forthwith ceased, and measures such as deletion, shielding or disconnection shall be taken to prevent the information from spreading. Relevant records shall be kept, and a report shall be made to authorities of cyberspace administration and public security, and measures such as warning, function restriction, service suspension and account closure shall be taken against the users who produce, reproduce, release or transmit the aforesaid information. Where The provider of a cyber product or service discovers that a user releasees or transmits the information specified in Paragraph 1 of Article 23 hereof but fails to give a noticeable prompt, it shall give a prompt or notify the user to give a prompt; if no prompt is given, the information shall not be transmitted. **Article 30.** Where the authorities of cyberspace administration, press and publication, and film, as well as the departments of education, telecommunications, public security, culture and tourism, and radio and television under the State Council discover any information in violation of Article 22, Article 24, Article 25, Paragraph 1 of Article 26 or Article 27 hereof, or discover any information specified in Paragraph 1 of Article 23 hereof for which no noticeable prompt is given, they shall require the cyber product or service provider to handle the case in accordance with Article 29 hereof; if the above information is from abroad, they shall notify the relevant organizations in accordance with the law to take technical measures and other necessary measures to block the transmission thereof. ## Chapter 4 Protection of Personal Information in Cyberspace **Article 31.** Cyber service providers that provide minors with information release, instant messaging and other services shall require the minors or their guardians to provide the real identity information of the minors in accordance with the law. If the minors or their guardians refuse to provide the real identity information of the minors, cyber service providers shall not provide relevant services for the minors. Online live-streaming service providers shall establish a dynamic verification mechanism for the real identity information of an online live-streaming uploader and shall not provide online live-streaming uploading services for minor users who do not conform to the legal provisions. **Article 32.** Personal information handlers shall strictly abide by the provisions of the Cyberspace Administration of China and relevant authorities on the scope of necessary personal information for cyber products and services, and shall not compel minors or their guardians to consent to non-necessary personal information processing, nor shall they refuse minors to use their basic functional services because the minors or their guardians do not agree to handle non-necessary personal information of minors or withdraw their consent. **Article 33.** Guardians of minors shall educate and guide minors to enhance the awareness and ability of personal information protection, master the scope of personal information, and understand the risks of personal information security, and guide minors to exercise their rights of access to, reproduction, correction, supplementation and deletion in the activities of processing personal information, so as to protect minors' personal information rights and interests. **Article 34.** Where a minor or his/her guardian requests to access, reproduce, correct, supplement or delete the personal information of the minor in accordance with the law, the personal information handler shall abide by the following provisions: 1. Provide convenient methods and channels to support the minor or his/her guardian to access the types and quantity of the personal information of the minor, with no restrictions on the reasonable requests of the minor or his/her guardian imposed; 2. Provide convenient functions to support the minor or his/her guardian to copy, correct, supplement and delete the personal information of the minor, with no unreasonable conditions imposed; and 3. Timely accept and handle the applications filed by the minor or his/her guardian for access, reproduction, correction, supplementation or deletion of the personal information of the minor, and notify the applicant in writing of reasons if the request of the minor or his/her guardian to exercise the rights is rejected. Where the request of a minor or his/her guardian for transfer of the personal information of the minor in accordance with the law meets the conditions prescribed by the Cyberspace Administration of China, the personal information handler shall provide channels for transfer. **Article 35.** Where the personal information of minors is or may be divulged, tampered with or lost, the personal information handler shall forthwith activate its emergency plan for personal information security incidents, take remedial measures, timely report the case to the cyberspace administration and other authorities, and inform the affected minors and their guardians of the incidents by mail, letter, telephone, push information and other means in accordance with relevant provisions of the State. Where it is difficult for the personal information handler to inform one by one, it shall take reasonable and effective ways to release the relevant warning information in a timely manner, unless otherwise provided by laws and administrative regulations. **Article 36.** A personal information handler shall strictly set the information access authority for its staff under the principle of minimal authorization and control the scope of access to the personal information of minors. The access of a staff member to the personal information of minors shall be examined and approved by the relevant person-in-charge or the manager authorized thereby, the access information shall be recorded, and technical measures shall be taken to avoid illegal processing of the personal information of minors. **Article 37.** A personal information handler shall conduct by itself or entrust a specialized agency to conduct audit of its compliance with laws and administrative regulations in the processing of the personal information of minors every year, and report the audit information to the cyberspace administration and other authorities in a timely manner. **Article 38.** Upon discovering that the private information of minors or the personal information released by minors via internet involves private information, a cyber service provider shall timely give a prompt and take necessary protection measures such as stopping the transmission to prevent the information from spreading. Where a cyber service provider finds that a minor may be harmed through the private information of the minor, it shall immediately take necessary measures to keep relevant records and report the case to the public security authority. ## Chapter 5 Prevention and Control of Internet Addiction **Article 39.** The prevention and intervention of minors' internet addiction shall be carried out in compliance with laws, administrative regulations and relevant provisions of the State. Authorities of education, health, market regulation etc. shall supervise and administer the agencies engaging in prevention and intervention of minors' internet addiction ex officio. **Article 40.** Schools shall strengthen the guidance and training for teachers to improve their ability to early identify and intervene in minor students' internet addiction. For a minor student who is inclined to be addicted to the internet, schools shall inform their guardians in a timely manner, jointly educate and guide the minor student, and help him/her resume normal study and life. **Article 41.** Guardians of minors shall guide minors to use the internet in a safe and reasonable manner, pay attention to minors' access to internet as well as their relevant physiological conditions, psychological conditions and behavioral habits, prevent minors from accessing the cyber information that endangers or may affect their physical and mental health, reasonably arrange time for minors to access internet, and prevent and intervene in minors' internet addiction. **Article 42.** Providers of cyber products and services shall establish a sound system of addiction prevention, shall not provide minors with products and services that induce their addiction, shall timely modify contents, functions and rules that may cause minors to become addicted to the internet, and shall make public the work of addiction prevention each year to accept social supervision. **Article 43.** Providers of cyber services such as games, live-streaming, audio and video, and social contact in cyberspace shall, in light of the characteristics of the use of their services by minors of different ages and by adhering to the principles of integration, friendliness, practicality and effectiveness, set the mode for minors, provide corresponding services in terms of the period, duration, function and content of use in accordance with the relevant provisions and standards of the State, and provide time management, authority management, consumption management and other functions for guardians to fulfill their guardianship duties in an eye-catching and convenient way. **Article 44.** Providers of cyber services such as games, live-streaming, audio and video, and social contact in cyberspace shall take measures to reasonably restrict the amount of single consumption and daily accumulative consumption of minors of different ages in the use of their services, and shall not provide minors with paid services that do not match their capacity for civil conduct. **Article 45.** Providers of cyber services such as games, live-streaming, audio and video, and social contact in cyberspace shall take measures to prevent and resist adverse value trends such as prioritizing traffic, and shall not establish online communities, chat groups or topics with the themes of fund-raising for support groups, voting or ranking, or quantity control and rating, nor shall they induce minors to participate in online activities such as fund-raising for support groups, voting or ranking, or quantity control and rating, and shall prevent and stop their users from inducing minors to commit the aforesaid activities. **Article 46.** Online game service providers shall verify the real identity information of minor users by necessary means such as the unified electronic identity authentication system for minors for online games. Providers of cyber products and services shall not provide minors with the service of game account rental. **Article 47.** Online game service providers shall establish sound game rules to prevent minors from becoming addicted to the online games and shall prevent minors from having access to game content or game functions that may affect their physical and mental health. Online game service providers shall implement the requirements of reminding of age appropriateness, classify game products by assessing the types, content, functions and other elements of game products in light of the physical and mental development characteristics and cognitive abilities of minors at different ages, clarify the age stages of minor users for which game products are suitable, and give prominent reminders in user downloading, registration, login interfaces and other positions. **Article 48.** The authorities of press and publication, education, health, culture and tourism, radio and television, and cyberspace administration etc. shall regularly carry out publicity and education on the prevention of minors' internet addiction, supervise and inspect the performance of their obligations of preventing minors' internet addiction by providers of cyber products and services, and guide families, schools and social organizations to cooperate with each other and take scientific and reasonable measures to prevent and intervene in minors' internet addiction. The press and publication authority of the State shall take the lead in organizing the prevention and control of minors' addiction to online games, and shall, in concert with the relevant authorities, formulate administrative provisions on the time periods, hours and upper consumption limits for the provision of online game services to minors. The authorities of health and education shall, ex officio, guide the relevant medical and health institutions and institutions of higher education etc. to conduct basic research on mental disorders and psychological and behavioral problems caused by minors' internet addiction, as well as application research such as screening and assessment, diagnosis, prevention and intervention. **Article 49.** Any organization or individual shall not intervene in minors' internet addiction or infringe upon the legitimate rights and interests of minors by maltreatment, force or other means harming the physical and mental health of minors. ## Chapter 6 Legal Liability **Article 50.** Where the local people's governments at all levels and the relevant authorities at or above the county level, in violation of this Regulation, fail to perform their duties of protecting minors in cyberspace, the superior authorities shall order them to make corrections; in case of refusal to make corrections or serious circumstances, the responsible leaders and directly liable persons shall be punished in accordance with the law. **Article 51.** Where schools, communities, libraries, cultural centers, youth and children's palaces, etc. fail to perform their duties of protecting minors in cyberspace, in violation of this Regulation, the authorities of education, culture and tourism et. shall, ex officio, order them to make corrections; in case of refusal to make corrections or serious circumstances, the responsible leaders and directly liable persons shall be punished in accordance with the law. **Article 52.** Where the guardians of minors fail to perform the guardianship duties specified herein or infringe upon the legitimate rights and interests of the minors, the residents' committees, villagers' committees or women's federations at the places where the minors reside, the guardians' employers, primary and secondary schools, kindergartens and other entities that have close contact with minors shall criticize and educate the guardians, exhort them to stop infringement or urge them to accept the guidance in respect of family education in accordance with the law. **Article 53.** For any violation of Article 7, Paragraph 3 of Article 19 or Paragraph 2 of Article 38 hereof, the authorities of cyberspace, press and publication, film, education, telecommunications, public security, civil affairs, culture and tourism, market regulation, and radio and television etc. shall, ex officio, order the offender to make corrections; in case of refusal to make corrections or serious circumstances, a fine of not less than 50,000 yuan but not more than 500,000 yuan shall be imposed on the offender, and the person directly in charge and other directly liable persons shall be imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan. **Article 54.** For any violation of Paragraph 1 of Article 20 hereof, the authorities of cyberspace, press and publication, telecommunications, public security, culture and tourism, and radio and television etc. shall, ex officio, order the offender to make corrections, give a warning to the offender, and confiscate illegal income of the offender; in case of refusal to make corrections, a fine of not more than 1 million yuan shall be imposed concurrently on the offender, and the person directly in charge and other directly liable persons shall be imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan. For any violation of Items 1 and 5, Paragraph 1 of Article 20 hereof, with serious circumstances, the authorities of cyberspace, press and publication, telecommunications, public security, culture and tourism, and radio and television etc. at or above the provincial level shall, ex officio, order the offender to make corrections, confiscate illegal income of the offender, and impose a fine of not more than 50 million yuan or not more than 5% of the turnover of the previous year on the offender, and may order the offender to suspend the relevant business or suspend the business for rectification, and notify the authorities concerned to revoke the relevant business permit or business license in accordance with the law; they may also impose a fine of not less than 100,000 yuan but not more than 1 million yuan on the person directly in charge and other directly liable persons, and may decide to prohibit them from serving as directors, supervisors, senior executives or persons in charge of the protection of minors of the relevant enterprises within a certain period of time. **Article 55.** For any violation of Article 24 or Article 25 hereof, the authorities of cyberspace, press and publication, film, telecommunications, public security, culture and tourism, market regulation, and radio and television etc. shall, ex officio, order the offender to make corrections within a time limit and give a warning to the offender, confiscate illegal income of the offender, and may impose a fine of not more than 100,000 yuan on the offender. In case of refusal to make corrections or serious circumstances, the offender shall be ordered to suspend the relevant business, or suspend business, or have the relevant business permit or business license revoked. If the illegal income is more than 1 million yuan, a fine of not less than one time but not more than ten times the illegal income shall be imposed on the offender. If there is no illegal income or the illegal income is less than 1 million yuan, a fine of not less than 100,000 yuan but not more than 1 million yuan shall be imposed on the offender. **Article 56.** For any violation of Paragraph 2 and Paragraph 3 of Article 26, Article 28, Paragraph 1 of Article 29, Paragraph 2 of Article 31, Article 36, Paragraph 1 of Article 38, Articles 42 to 45, Paragraph 2 of Article 46, or Article 47 hereof, the authorities of cyberspace, press and publication, film, education, telecommunications, public security, culture and tourism, or radio and television etc. shall, ex officio, order the offender to make rectifications, give a warning to the offender, confiscate illegal gains of the offender, impose a fine of not less than one time but not more than ten times the illegal gains concurrently if the illegal gains exceed 1 million yuan or a fine of not less than 100,000 yuan but not more than 1 million concurrently if there are no illegal gains or the illegal gains are less than 1 million yuan, and impose a fine of not less than 10,000 yuan but not more than 100,000 yuan on the person directly in charge and other persons directly held liable; in case of refusal to make rectifications or serious circumstances, the authorities of cyberspace, press and publication, film, education, telecommunications, public security, culture and tourism, or radio and television etc. may order it to suspend relevant business, suspend its operation for rectification, close its website, or revoke its relevant business permit or business license. **Article 57.** Where the provider of a cyber product or service violates this Regulation and is subject to such punishment as website closure, revocation of the relevant business permit or business license, it shall not re-apply for the relevant permit within five years, and its directly responsible executive and other directly liable persons shall not engage in cyber product or service business of the same type within five years. **Article 58.** Whoever, in violation of this Regulation, infringes upon the legitimate rights and interests of any minor and causes any damage to the minor, shall bear civil liability according to law; in the case of violation of public security administration, the offender shall be given an administration punishment for public security according to law; in the case of a crime, criminal liability shall be pursued according to law. ## Chapter 7 Supplementary Provisions **Article 59.** For the purpose of this Regulation, "intelligent terminal products" refer to mobile phones, computers and other cyber terminal products which can be connected to the internet, have an operating system and for which users can install application software on their own. **Article 60.** This Regulation shall come into force on 1 January 2024. --- ## Drug Administration Law of the People's Republic of China (2019 Revision) - Chinese title: 中华人民共和国药品管理法(2019修订) - Abbreviation: Drug Administration Law - Hierarchy: law - Issuing body: National People's Congress Standing Committee - Adopted: 2019-08-26 - Effective: 2019-12-01 - Status: effective - URL: https://datacompliancechina.com/laws/drug-administration-law/ - Markdown: https://datacompliancechina.com/laws/drug-administration-law.md ### Summary The Drug Administration Law is China's foundational statute governing the research, manufacture, distribution, and use of drugs. The 2019 revision overhauled the regime around the marketing authorization holder (MAH) system, under which the holder bears full-lifecycle responsibility for a drug's safety, efficacy, and quality controllability. Although the law is predominantly product- and market-regulation in character, it contains discrete data-compliance touchpoints: a national drug traceability system, a pharmacovigilance and adverse-reaction reporting and monitoring regime, extensive production, inspection, and purchase-and-sale recordkeeping duties, and the use of clinical-trial and real-world data to support drug approvals. These provisions impose data integrity, retention, and reporting obligations on MAHs, manufacturers, distributors, and medical institutions. ### Full text **Promulgated by:** Standing Committee of the National People's Congress. **Document No.:** Presidential Order No. 31. **Adopted at the 7th Session of the Standing Committee of the 6th National People's Congress on September 20, 1984; first revised at the 20th Session of the Standing Committee of the 9th National People's Congress on February 28, 2001; first amended in accordance with the Decision on Amending Seven Laws Including the Marine Environment Protection Law of the People's Republic of China adopted at the 6th Session of the Standing Committee of the 12th National People's Congress on December 28, 2013; second amended in accordance with the Decision on Amending the Drug Administration Law of the People's Republic of China adopted at the 14th Session of the Standing Committee of the 12th National People's Congress on April 24, 2015; second revised at the 12th Session of the Standing Committee of the 13th National People's Congress on August 26, 2019.** **Effective December 1, 2019.** --- ## Chapter 1 General Provisions **Article 1.** This Law is formulated in order to strengthen drug administration, ensure drug quality, safeguard the safety of drug use and the lawful rights and interests of the public, and protect and promote public health. **Article 2.** This Law shall apply to the research, manufacture, distribution, use of drugs, and the supervision and administration thereof within the territory of the People's Republic of China. For the purposes of this Law, "drug" means a substance used for the prevention, treatment, or diagnosis of human diseases, intended to purposefully regulate human physiological functions, and prescribed with indications or functions and major uses, usage, and dosage, including Chinese medicine, chemical drugs, and biological products, among others. **Article 3.** Drug administration shall be centered on people's health, adhere to the principles of risk management, whole-process control, and joint social governance, establish a scientific and strict supervision and administration system, comprehensively improve drug quality, and ensure the safety, efficacy, and accessibility of drugs. **Article 4.** The State shall develop modern medicine and traditional medicine and give full play to their roles in prevention, medical treatment, and health care. The State shall protect wild medicinal-material resources and varieties of Chinese medicine, and encourage the cultivation of authentic, region-specific (daodi) Chinese medicinal materials. **Article 5.** The State shall encourage the research and creation of new drugs, and protect the lawful rights and interests of citizens, legal persons, and other organizations in researching and developing new drugs. **Article 6.** The State shall implement a marketing authorization holder (MAH) system for drug administration. The marketing authorization holder shall, in accordance with the law, be responsible for the safety, efficacy, and quality controllability of a drug throughout the entire process of the drug's research, manufacture, distribution, and use. **Article 7.** Those engaged in the research, manufacture, distribution, and use of drugs shall comply with laws, regulations, rules, standards, and norms, and ensure that information for the entire process is true, accurate, complete, and traceable. **Article 8.** The drug regulatory authority under the State Council shall take charge of nationwide drug supervision and administration. The relevant departments under the State Council shall, within their respective scopes of responsibility, be responsible for the supervision and administration of matters relating to drugs. The drug regulatory authority under the State Council shall cooperate with the relevant departments under the State Council in implementing the State's drug-industry development plans and industrial policies. The drug regulatory authorities of the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government shall be responsible for drug supervision and administration within their respective administrative regions. The departments of districted-city-level and county-level people's governments that undertake drug supervision and administration responsibilities (hereinafter referred to as drug regulatory authorities) shall be responsible for drug supervision and administration within their respective administrative regions. The relevant departments of local people's governments at or above the county level shall, within their respective scopes of responsibility, be responsible for the supervision and administration of matters relating to drugs. **Article 9.** Local people's governments at or above the county level shall be responsible for drug supervision and administration within their respective administrative regions, shall provide unified leadership, organization, and coordination of drug supervision and administration as well as the response to drug-safety emergencies within their respective administrative regions, and shall establish and improve drug supervision and administration work mechanisms and information-sharing mechanisms. **Article 10.** People's governments at or above the county level shall incorporate drug-safety work into their respective plans for national economic and social development, include the funding for drug-safety work in their respective government budgets, strengthen the building of drug supervision and administration capacity, and provide safeguards for drug-safety work. **Article 11.** The specialized drug technical institutions established or designated by drug regulatory authorities shall undertake the review, inspection, verification, monitoring and evaluation, and other work required for the implementation of drug supervision and administration in accordance with the law. **Article 12.** The State shall establish and improve a drug traceability system. The drug regulatory authority under the State Council shall formulate unified drug traceability standards and norms, advance the interconnection and sharing of drug traceability information, and achieve drug traceability. The State shall establish a pharmacovigilance system to monitor, identify, assess, and control adverse drug reactions and other harmful reactions related to drug use. **Article 13.** People's governments at all levels and their relevant departments, drug industry associations, and others shall strengthen drug-safety publicity and education, and carry out work to popularize knowledge of drug-safety laws and regulations and other matters. The news media shall conduct public-interest publicity of knowledge of drug-safety laws and regulations and other matters, and exercise public-opinion supervision over drug-related illegal acts. Publicity and reporting concerning drugs shall be comprehensive, scientific, objective, and fair. **Article 14.** Drug industry associations shall strengthen industry self-discipline, establish and improve industry norms, advance the building of an industry integrity system, and guide and urge members to carry out drug manufacture, distribution, and other activities in accordance with the law. **Article 15.** People's governments at or above the county level and their relevant departments shall, in accordance with the relevant provisions of the State, commend and reward entities and individuals that have made outstanding contributions in the research, manufacture, distribution, use, and supervision and administration of drugs. ## Chapter 2 Drug Research and Registration **Article 16.** The State shall support drug innovation that is oriented toward clinical value and has clear or special efficacy against human diseases, shall encourage the research and development of new drugs that have new treatment mechanisms, treat diseases that seriously endanger life or rare diseases, or have multi-target systemic regulatory and intervention functions on the human body, and shall promote the technological progress of drugs. The State shall encourage the use of modern science and technology and traditional Chinese-medicine research methods to carry out scientific and technological research and drug development of Chinese medicine, establish and improve a technical evaluation system that conforms to the characteristics of Chinese medicine, and promote the inheritance and innovation of Chinese medicine. The State shall take effective measures to encourage the research and innovation of drugs for children, support the development of new varieties, dosage forms, and specifications of drugs for children that conform to children's physiological characteristics, and give priority to the review and approval of drugs for children. **Article 17.** Those engaged in drug research activities shall comply with the Good Laboratory Practice for Non-clinical Drug Studies and the Good Clinical Practice for Drugs, and ensure that the entire process of drug research continuously conforms to statutory requirements. The Good Laboratory Practice for Non-clinical Drug Studies and the Good Clinical Practice for Drugs shall be formulated by the drug regulatory authority under the State Council jointly with the relevant departments under the State Council. **Article 18.** Those carrying out non-clinical drug studies shall comply with the relevant provisions of the State, have personnel, premises, equipment, instruments, and management systems suitable for the research project, and ensure the authenticity of the relevant data, materials, and samples. **Article 19.** Those carrying out drug clinical trials shall, in accordance with the provisions of the drug regulatory authority under the State Council, truthfully submit relevant data, materials, and samples such as the research methods, quality indicators, and the results of pharmacological and toxicological tests, and obtain the approval of the drug regulatory authority under the State Council. The drug regulatory authority under the State Council shall, within sixty working days from the date of acceptance of a clinical-trial application, decide whether to grant approval and notify the clinical-trial sponsor; where no notification is given upon the expiration of the time limit, approval shall be deemed to have been granted. Where a bioequivalence trial is to be conducted, a filing shall be made with the drug regulatory authority under the State Council. Drug clinical trials shall be carried out at clinical-trial institutions that possess the corresponding conditions. Drug clinical-trial institutions shall be subject to filing administration, and the specific measures shall be jointly formulated by the drug regulatory authority under the State Council and the health authority under the State Council. **Article 20.** Those carrying out drug clinical trials shall comply with ethical principles, formulate a clinical-trial protocol, and obtain the review and approval of an ethics committee. The ethics committee shall establish an ethical-review work system, ensure that the ethical-review process is independent, objective, and fair, supervise the standardized conduct of drug clinical trials, safeguard the lawful rights and interests of subjects, and protect the public interest of society. **Article 21.** When conducting a drug clinical trial, the subject or the subject's guardian shall be truthfully informed and given an explanation of the purpose and risks of the clinical trial and other detailed matters, an informed-consent form voluntarily signed by the subject or the subject's guardian shall be obtained, and effective measures shall be taken to protect the lawful rights and interests of the subject. **Article 22.** During a drug clinical trial, where a safety problem or other risk is discovered, the clinical-trial sponsor shall promptly adjust the clinical-trial protocol, suspend or terminate the clinical trial, and report to the drug regulatory authority under the State Council. Where necessary, the drug regulatory authority under the State Council may order the adjustment of the clinical-trial protocol or the suspension or termination of the clinical trial. **Article 23.** Where a drug undergoing a clinical trial is used to treat a disease that seriously endangers life and for which there is as yet no effective means of treatment, and medical observation indicates that benefit may be obtained and ethical principles are met, such drug may, upon review and informed consent, be used at the institution conducting the clinical trial for other patients with the same condition. **Article 24.** Drugs to be marketed within the territory of China shall be approved by the drug regulatory authority under the State Council and obtain a drug registration certificate; however, this shall not apply to Chinese medicinal materials and prepared slices of Chinese crude drugs that are not subject to approval administration. The catalogue of varieties of Chinese medicinal materials and prepared slices of Chinese crude drugs subject to approval administration shall be formulated by the drug regulatory authority under the State Council jointly with the traditional Chinese medicine authority under the State Council. An application for drug registration shall provide true, sufficient, and reliable data, materials, and samples to prove the safety, efficacy, and quality controllability of the drug. **Article 25.** For a drug applied for registration, the drug regulatory authority under the State Council shall organize pharmaceutical, medical, and other technical personnel to conduct a review, examining the safety, efficacy, and quality controllability of the drug as well as the applicant's capabilities for quality management, risk prevention and control, and liability compensation; where the conditions are met, a drug registration certificate shall be issued. When approving a drug, the drug regulatory authority under the State Council shall review and approve the chemical active pharmaceutical ingredient together with the drug, review the relevant excipients and the packaging materials and containers in direct contact with the drug together with the drug, and verify the quality standards, manufacturing processes, labels, and package inserts of the drug together with the drug. For the purposes of this Law, "excipients" means the shaping agents and additives used in the manufacture of drugs and the dispensing of prescriptions. **Article 26.** For drugs used to treat diseases that seriously endanger life and for which there is as yet no effective means of treatment, as well as drugs urgently needed for public health, where existing data from drug clinical trials show efficacy and can predict their clinical value, conditional approval may be granted, and the relevant matters shall be stated in the drug registration certificate. **Article 27.** The drug regulatory authority under the State Council shall improve the drug review and approval work system, strengthen capacity building, establish and improve mechanisms for communication and exchange and expert consultation, optimize the review and approval process, and improve the efficiency of review and approval. The review conclusions and bases for drugs approved for marketing shall be made public in accordance with the law and subject to social supervision. Trade secrets learned of during review and approval shall be kept confidential. **Article 28.** Drugs shall conform to national drug standards. Where the drug quality standards verified by the drug regulatory authority under the State Council are higher than the national drug standards, the verified drug quality standards shall be applied; where there are no national drug standards, the verified drug quality standards shall be conformed to. The Pharmacopoeia of the People's Republic of China and the drug standards promulgated by the drug regulatory authority under the State Council shall be the national drug standards. The drug regulatory authority under the State Council shall, jointly with the health authority under the State Council, organize a pharmacopoeia commission to be responsible for the formulation and revision of national drug standards. The drug inspection institutions established or designated by the drug regulatory authority under the State Council shall be responsible for calibrating national drug reference standards and reference substances. **Article 29.** The name of a drug listed in the national drug standards shall be the generic name of the drug. A name that has already been used as a generic name of a drug shall not be used as a drug trademark. ## Chapter 3 Marketing Authorization Holders **Article 30.** A marketing authorization holder means an enterprise or drug research institution, among others, that has obtained a drug registration certificate. A marketing authorization holder shall, in accordance with the provisions of this Law, bear responsibility for the non-clinical study, clinical trial, manufacture and distribution, post-marketing study, and adverse-reaction monitoring as well as the reporting and handling thereof, of the drug. Other entities and individuals engaged in the research, manufacture, distribution, storage, transportation, and use of drugs shall bear corresponding responsibilities in accordance with the law. The legal representative and principal responsible person of a marketing authorization holder shall bear overall responsibility for drug quality. **Article 31.** A marketing authorization holder shall establish a drug quality assurance system and assign dedicated personnel to be independently responsible for drug quality management. A marketing authorization holder shall conduct regular reviews of the quality management systems of the entrusted drug manufacturing enterprises and drug distribution enterprises, and supervise their continuous possession of quality assurance and control capabilities. **Article 32.** A marketing authorization holder may manufacture drugs by itself or may entrust the manufacture to a drug manufacturing enterprise. Where a marketing authorization holder manufactures drugs by itself, it shall obtain a drug manufacturing license in accordance with the provisions of this Law; where it entrusts the manufacture, it shall entrust a qualified drug manufacturing enterprise. The marketing authorization holder and the entrusted manufacturing enterprise shall conclude an entrustment agreement and a quality agreement, and strictly perform the obligations stipulated in the agreements. The drug regulatory authority under the State Council shall formulate guidelines for drug entrusted-manufacture quality agreements to guide and supervise the marketing authorization holder and the entrusted manufacturing enterprise in performing their drug quality assurance obligations. Blood products, narcotic drugs, psychotropic drugs, toxic drugs for medical use, and drug-category precursor chemicals shall not be manufactured under entrustment; except as otherwise provided by the drug regulatory authority under the State Council. **Article 33.** A marketing authorization holder shall establish drug marketing-release procedures, review the drugs released from the factory by the drug manufacturing enterprise, and release them only after they are signed off by the qualified person for quality. Drugs that do not conform to the national drug standards shall not be released. **Article 34.** A marketing authorization holder may sell by itself the drugs for which it has obtained a drug registration certificate, or may entrust a drug distribution enterprise to sell them. A marketing authorization holder that engages in drug retail activities shall obtain a drug distribution license. Where a marketing authorization holder sells drugs by itself, it shall possess the conditions prescribed in Article 52 of this Law; where it entrusts the sale, it shall entrust a qualified drug distribution enterprise. The marketing authorization holder and the entrusted distribution enterprise shall conclude an entrustment agreement and strictly perform the obligations stipulated in the agreement. **Article 35.** Where a marketing authorization holder, drug manufacturing enterprise, or drug distribution enterprise entrusts the storage or transportation of drugs, it shall assess the quality-assurance capability and risk-management capability of the entrusted party, conclude an entrustment agreement with it stipulating the drug quality responsibilities, operating procedures, and other contents, and supervise the entrusted party. **Article 36.** Marketing authorization holders, drug manufacturing enterprises, drug distribution enterprises, and medical institutions shall establish and implement a drug traceability system, provide traceability information in accordance with the provisions, and ensure drug traceability. **Article 37.** A marketing authorization holder shall establish an annual reporting system and shall, each year, report to the drug regulatory authority of the people's government of the province, autonomous region, or municipality directly under the Central Government, in accordance with the provisions, on the manufacture and sales, post-marketing study, risk management, and other circumstances of its drugs. **Article 38.** Where a marketing authorization holder is an overseas enterprise, an enterprise legal person within the territory of China designated by it shall perform the obligations of the marketing authorization holder, and shall bear joint and several liability with the marketing authorization holder. **Article 39.** Enterprises manufacturing prepared slices of Chinese crude drugs shall perform the relevant obligations of a marketing authorization holder, implement whole-process management of the manufacture and sale of prepared slices of Chinese crude drugs, establish a traceability system for prepared slices of Chinese crude drugs, and ensure that prepared slices of Chinese crude drugs are safe, effective, and traceable. **Article 40.** Upon approval by the drug regulatory authority under the State Council, a marketing authorization holder may transfer the drug marketing authorization. The transferee shall possess the capabilities for quality management, risk prevention and control, and liability compensation to safeguard the safety, efficacy, and quality controllability of the drug, and shall perform the obligations of a marketing authorization holder. ## Chapter 4 Drug Manufacture **Article 41.** Those engaged in drug manufacturing activities shall be approved by the drug regulatory authority of the people's government of the province, autonomous region, or municipality directly under the Central Government in their locality and obtain a drug manufacturing license. Without a drug manufacturing license, no drug shall be manufactured. A drug manufacturing license shall indicate its valid period and manufacturing scope, and shall be re-examined and reissued upon expiration. **Article 42.** Those engaged in drug manufacturing activities shall possess the following conditions: (1) having pharmaceutical technical personnel, engineering technical personnel, and corresponding skilled technical workers who have been qualified in accordance with the law; (2) having factory premises, facilities, and a sanitary environment suitable for drug manufacture; (3) having an institution, personnel, and necessary instruments and equipment capable of quality management and quality inspection of the drugs manufactured; and (4) having rules and regulations to ensure drug quality, and conforming to the requirements of the Good Manufacturing Practice for Drugs formulated by the drug regulatory authority under the State Council pursuant to this Law. **Article 43.** Those engaged in drug manufacturing activities shall comply with the Good Manufacturing Practice for Drugs, establish and improve a drug manufacturing quality management system, and ensure that the entire process of drug manufacture continuously conforms to statutory requirements. The legal representative and principal responsible person of a drug manufacturing enterprise shall bear overall responsibility for the drug manufacturing activities of the enterprise. **Article 44.** Drugs shall be manufactured in accordance with the national drug standards and the manufacturing processes verified by the drug regulatory authority. Manufacturing and inspection records shall be complete and accurate and shall not be fabricated. Prepared slices of Chinese crude drugs shall be processed in accordance with the national drug standards; where the national drug standards do not so provide, they shall be processed in accordance with the processing norms formulated by the drug regulatory authority of the people's government of the province, autonomous region, or municipality directly under the Central Government. The processing norms formulated by the drug regulatory authority of the people's government of the province, autonomous region, or municipality directly under the Central Government shall be filed with the drug regulatory authority under the State Council. Those that do not conform to the national drug standards, or that are not processed in accordance with the processing norms formulated by the drug regulatory authority of the people's government of the province, autonomous region, or municipality directly under the Central Government, shall not be released from the factory or sold. **Article 45.** The raw materials and excipients required for manufacturing drugs shall conform to pharmaceutical requirements and the relevant requirements of the Good Manufacturing Practice for Drugs. When manufacturing drugs, the suppliers of raw materials, excipients, and the like shall be reviewed in accordance with the provisions, so as to ensure that the raw materials, excipients, and the like purchased and used conform to the requirements prescribed in the preceding paragraph. **Article 46.** The packaging materials and containers in direct contact with drugs shall conform to pharmaceutical requirements and to standards for safeguarding human health and safety. The use of substandard packaging materials and containers in direct contact with drugs shall be ordered to be stopped by the drug regulatory authority. **Article 47.** A drug manufacturing enterprise shall conduct quality inspection of drugs. Drugs that do not conform to the national drug standards shall not be released from the factory. A drug manufacturing enterprise shall establish factory-release procedures for drugs, specifying the standards and conditions for factory release. Those that meet the standards and conditions may be released only after being signed off by the qualified person for quality. **Article 48.** Drug packaging shall be suitable for the requirements of drug quality and shall be convenient for storage, transportation, and medical use. Chinese medicinal materials to be shipped shall be packaged. On each package, the product name, place of origin, date, and supply unit shall be indicated, and a quality-conformity mark shall be attached. **Article 49.** Drug packaging shall, in accordance with the provisions, be printed or affixed with a label and accompanied by a package insert. The label or package insert shall indicate the drug's generic name, ingredients, specifications, marketing authorization holder and its address, manufacturing enterprise and its address, approval number, product batch number, manufacturing date, valid period, indications or functions and major uses, usage, dosage, contraindications, adverse reactions, and precautions. The text on the label and package insert shall be clear, and matters such as the manufacturing date and valid period shall be conspicuously marked and easily identifiable. The labels and package inserts of narcotic drugs, psychotropic drugs, toxic drugs for medical use, radioactive drugs, drugs for external use, and over-the-counter drugs shall be printed with the prescribed marks. **Article 50.** Personnel in direct contact with drugs in marketing authorization holders, drug manufacturing enterprises, drug distribution enterprises, and medical institutions shall undergo health examinations each year. Those suffering from infectious diseases or other diseases that may contaminate drugs shall not engage in work involving direct contact with drugs. ## Chapter 5 Drug Distribution **Article 51.** Those engaged in drug wholesale activities shall be approved by the drug regulatory authority of the people's government of the province, autonomous region, or municipality directly under the Central Government in their locality and obtain a drug distribution license. Those engaged in drug retail activities shall be approved by the drug regulatory authority of the local people's government at or above the county level in their locality and obtain a drug distribution license. Without a drug distribution license, no drug shall be distributed. A drug distribution license shall indicate its valid period and distribution scope, and shall be re-examined and reissued upon expiration. When a drug regulatory authority implements drug distribution licensing, in addition to the conditions prescribed in Article 52 of this Law, it shall also follow the principle of facilitating drug purchases by the public. **Article 52.** Those engaged in drug distribution activities shall possess the following conditions: (1) having licensed pharmacists or other pharmaceutical technical personnel who have been qualified in accordance with the law; (2) having business premises, equipment, storage facilities, and a sanitary environment suitable for the drugs distributed; (3) having a quality management institution or personnel suitable for the drugs distributed; and (4) having rules and regulations to ensure drug quality, and conforming to the requirements of the Good Supply Practice for Drugs formulated by the drug regulatory authority under the State Council pursuant to this Law. **Article 53.** Those engaged in drug distribution activities shall comply with the Good Supply Practice for Drugs, establish and improve a drug distribution quality management system, and ensure that the entire process of drug distribution continuously conforms to statutory requirements. The State shall encourage and guide drug retail chain operation. The headquarters of an enterprise engaged in drug retail chain operation activities shall establish a unified quality management system and perform management responsibilities for the operating activities of its affiliated retail enterprises. The legal representative and principal responsible person of a drug distribution enterprise shall bear overall responsibility for the drug distribution activities of the enterprise. **Article 54.** The State shall implement a system of classified administration of prescription drugs and over-the-counter drugs. The specific measures shall be formulated by the drug regulatory authority under the State Council jointly with the health authority under the State Council. **Article 55.** Marketing authorization holders, drug manufacturing enterprises, drug distribution enterprises, and medical institutions shall purchase drugs from marketing authorization holders or enterprises qualified for drug manufacture or distribution; however, this shall not apply to the purchase of Chinese medicinal materials that are not subject to approval administration. **Article 56.** When purchasing drugs, a drug distribution enterprise shall establish and implement an incoming-goods inspection and acceptance system, and verify the drug conformity certificates and other markings; those that do not conform to the prescribed requirements shall not be purchased or sold. **Article 57.** When a drug distribution enterprise purchases and sells drugs, it shall have true and complete purchase-and-sale records. The purchase-and-sale records shall indicate the drug's generic name, dosage form, specifications, product batch number, valid period, marketing authorization holder, manufacturing enterprise, purchasing or selling unit, purchase or sale quantity, purchase or sale price, purchase or sale date, and other contents prescribed by the drug regulatory authority under the State Council. **Article 58.** When a drug distribution enterprise retails drugs, it shall be accurate and shall correctly explain the usage, dosage, and precautions; the dispensing of prescriptions shall be checked, and the drugs listed in a prescription shall not be altered or substituted without authorization. Prescriptions with incompatible combinations or excessive dosages shall be refused for dispensing; where necessary, dispensing may proceed only after the prescribing physician makes corrections or re-signs. When a drug distribution enterprise sells Chinese medicinal materials, it shall indicate the place of origin. Licensed pharmacists or other pharmaceutical technical personnel who have been qualified in accordance with the law shall be responsible for the enterprise's drug management, prescription review and dispensing, guidance on rational drug use, and other work. **Article 59.** A drug distribution enterprise shall formulate and implement a drug storage system, and take necessary measures such as refrigeration, anti-freezing, moisture-proofing, insect prevention, and rodent prevention to ensure drug quality. An inspection system shall be implemented for the receipt and dispatch of drugs. **Article 60.** Urban and rural trade-fair markets may sell Chinese medicinal materials, except as otherwise provided by the State Council. **Article 61.** Marketing authorization holders and drug distribution enterprises that sell drugs via networks shall comply with the relevant provisions of this Law on drug distribution. The specific administrative measures shall be formulated by the drug regulatory authority under the State Council jointly with the health authority under the State Council and other departments. Drugs subject to special administration by the State, such as vaccines, blood products, narcotic drugs, psychotropic drugs, toxic drugs for medical use, radioactive drugs, and drug-category precursor chemicals, shall not be sold via networks. **Article 62.** A provider of a third-party platform for online drug trading shall, in accordance with the provisions of the drug regulatory authority under the State Council, file with the drug regulatory authority of the people's government of the province, autonomous region, or municipality directly under the Central Government in its locality. The third-party platform provider shall, in accordance with the law, review the qualifications and the like of the marketing authorization holders and drug distribution enterprises applying to operate on the platform, ensure that they conform to statutory requirements, and manage the drug distribution conduct occurring on the platform. Where the third-party platform provider discovers that a marketing authorization holder or drug distribution enterprise operating on the platform has committed an act in violation of the provisions of this Law, it shall promptly stop such act and immediately report to the drug regulatory authority of the county-level people's government in its locality; where it discovers a serious illegal act, it shall immediately stop providing online trading platform services. **Article 63.** Newly discovered medicinal materials and medicinal materials introduced from abroad may be sold only after approval by the drug regulatory authority under the State Council. **Article 64.** Drugs shall be imported through ports where drug importation is permitted, and the enterprise importing the drugs shall file with the drug regulatory authority in the locality of the port. The customs shall handle customs-clearance formalities on the basis of the imported-drug customs-clearance form issued by the drug regulatory authority. Without an imported-drug customs-clearance form, the customs shall not release the drugs. The drug regulatory authority in the locality of the port shall notify the drug inspection institution to conduct spot-check inspection of imported drugs in accordance with the provisions of the drug regulatory authority under the State Council. The ports where drug importation is permitted shall be proposed by the drug regulatory authority under the State Council jointly with the General Administration of Customs and submitted to the State Council for approval. **Article 65.** Where a medical institution needs to import a small quantity of drugs due to urgent clinical needs, it may, upon approval by the drug regulatory authority under the State Council or by the people's government of a province, autonomous region, or municipality directly under the Central Government authorized by the State Council, import them. The imported drugs shall be used for specific medical purposes within the designated medical institution. Small quantities of drugs carried into the country by individuals for personal use shall be handled in accordance with the relevant provisions of the State. **Article 66.** The import and export of narcotic drugs and psychotropic drugs within the scope prescribed by the State shall require an import permit or export permit issued by the drug regulatory authority under the State Council. **Article 67.** The import of drugs with uncertain efficacy, severe adverse reactions, or that otherwise endanger human health is prohibited. **Article 68.** Before sale or upon import of the following drugs, the drug regulatory authority under the State Council shall designate a drug inspection institution to conduct inspection; drugs that have not been inspected or that fail inspection shall not be sold or imported: (1) drugs sold for the first time within the territory of China; (2) biological products prescribed by the drug regulatory authority under the State Council; and (3) other drugs prescribed by the State Council. ## Chapter 6 Pharmaceutical Affairs Administration of Medical Institutions **Article 69.** A medical institution shall be equipped with licensed pharmacists or other pharmaceutical technical personnel who have been qualified in accordance with the law, to be responsible for the institution's drug management, prescription review and dispensing, guidance on rational drug use, and other work. Non-pharmaceutical technical personnel shall not directly engage in pharmaceutical technical work. **Article 70.** When purchasing drugs, a medical institution shall establish and implement an incoming-goods inspection and acceptance system, and verify the drug conformity certificates and other markings; those that do not conform to the prescribed requirements shall not be purchased or used. **Article 71.** A medical institution shall have premises, equipment, storage facilities, and a sanitary environment suitable for the drugs it uses, formulate and implement a drug storage system, and take necessary measures such as refrigeration, anti-freezing, moisture-proofing, insect prevention, and rodent prevention to ensure drug quality. **Article 72.** A medical institution shall adhere to the principles of safe, effective, economical, and rational drug use, follow the guiding principles for the clinical application of drugs, clinical diagnosis and treatment guidelines, and drug package inserts for rational drug use, and review the appropriateness of physicians' prescriptions and medication orders. Other drug-using units other than medical institutions shall comply with the provisions of this Law concerning the use of drugs by medical institutions. **Article 73.** When licensed pharmacists or other pharmaceutical technical personnel who have been qualified in accordance with the law dispense prescriptions, they shall conduct checks, and the drugs listed in a prescription shall not be altered or substituted without authorization. Prescriptions with incompatible combinations or excessive dosages shall be refused for dispensing; where necessary, dispensing may proceed only after the prescribing physician makes corrections or re-signs. **Article 74.** Where a medical institution prepares pharmaceutical preparations, it shall be approved by the drug regulatory authority of the people's government of the province, autonomous region, or municipality directly under the Central Government in its locality and obtain a medical-institution preparation license. Without a medical-institution preparation license, no pharmaceutical preparation shall be prepared. A medical-institution preparation license shall indicate its valid period and shall be re-examined and reissued upon expiration. **Article 75.** Where a medical institution prepares pharmaceutical preparations, it shall have facilities, management systems, inspection instruments, and a sanitary environment capable of ensuring the quality of the preparations. Where a medical institution prepares pharmaceutical preparations, it shall do so in accordance with the verified processes, and the raw materials, excipients, packaging materials, and the like required shall conform to pharmaceutical requirements. **Article 76.** Pharmaceutical preparations prepared by a medical institution shall be varieties that are clinically needed by the institution but not supplied on the market, and shall be approved by the drug regulatory authority of the people's government of the province, autonomous region, or municipality directly under the Central Government in its locality; however, this shall not apply where the law provides otherwise for the preparation of Chinese-medicine preparations. Pharmaceutical preparations prepared by a medical institution shall undergo quality inspection in accordance with the provisions; those that pass shall be used within the institution on the basis of a physician's prescription. Upon approval by the drug regulatory authority under the State Council or by the drug regulatory authority of the people's government of a province, autonomous region, or municipality directly under the Central Government, pharmaceutical preparations prepared by a medical institution may be transferred for use among designated medical institutions. Pharmaceutical preparations prepared by a medical institution shall not be sold on the market. ## Chapter 7 Post-Marketing Administration of Drugs **Article 77.** A marketing authorization holder shall formulate a post-marketing risk management plan for drugs, proactively carry out post-marketing studies of drugs, further confirm the safety, efficacy, and quality controllability of drugs, and strengthen the continuous management of marketed drugs. **Article 78.** For a drug granted conditional approval, the marketing authorization holder shall take corresponding risk management measures and complete the relevant studies as required within the prescribed time limit; where the studies are not completed as required upon the expiration of the time limit or it cannot be proved that the benefits outweigh the risks, the drug regulatory authority under the State Council shall handle the matter in accordance with the law, up to and including cancellation of the drug registration certificate. **Article 79.** Changes in the drug manufacturing process shall be subject to classified administration according to the degree of risk and impact on the safety, efficacy, and quality controllability of the drug. Those constituting major changes shall be approved by the drug regulatory authority under the State Council, and other changes shall be filed or reported in accordance with the provisions of the drug regulatory authority under the State Council. A marketing authorization holder shall, in accordance with the provisions of the drug regulatory authority under the State Council, comprehensively assess and verify the impact of changes on the safety, efficacy, and quality controllability of the drug. **Article 80.** A marketing authorization holder shall carry out post-marketing adverse-reaction monitoring of drugs, proactively collect and track and analyze information on suspected adverse drug reactions, and promptly take risk-control measures for drugs with identified risks. **Article 81.** Marketing authorization holders, drug manufacturing enterprises, drug distribution enterprises, and medical institutions shall regularly examine the quality, efficacy, and adverse reactions of the drugs they manufacture, distribute, or use. Where suspected adverse reactions are discovered, they shall promptly report to the drug regulatory authority and the health authority. The specific measures shall be formulated by the drug regulatory authority under the State Council jointly with the health authority under the State Council. For drugs confirmed to have caused serious adverse reactions, the drug regulatory authority under the State Council or the drug regulatory authority of the people's government of a province, autonomous region, or municipality directly under the Central Government shall, in light of the actual circumstances, take emergency control measures such as stopping the manufacture, sale, and use, and shall organize an appraisal within five days and make an administrative handling decision in accordance with the law within fifteen days from the date on which the appraisal conclusion is made. **Article 82.** Where a drug has a quality problem or other safety hazard, the marketing authorization holder shall immediately stop the sale, notify the relevant drug distribution enterprises and medical institutions to stop the sale and use, recall the drugs already sold, promptly make the recall information public, and where necessary immediately stop the manufacture, and report the drug recall and handling situation to the drug regulatory authority and the health authority of the people's government of the province, autonomous region, or municipality directly under the Central Government. Drug manufacturing enterprises, drug distribution enterprises, and medical institutions shall cooperate. Where a marketing authorization holder fails to recall drugs that it is required by law to recall, the drug regulatory authority of the people's government of the province, autonomous region, or municipality directly under the Central Government shall order it to recall them. **Article 83.** A marketing authorization holder shall periodically conduct post-marketing evaluation of the safety, efficacy, and quality controllability of marketed drugs. Where necessary, the drug regulatory authority under the State Council may order the marketing authorization holder to conduct a post-marketing evaluation or may directly organize a post-marketing evaluation. Where, upon evaluation, a drug is found to have uncertain efficacy, severe adverse reactions, or otherwise endanger human health, its drug registration certificate shall be cancelled. Drugs whose drug registration certificate has been cancelled shall not be manufactured, imported, sold, or used. Drugs whose drug registration certificate has been cancelled, drugs that have exceeded their valid period, and the like shall be destroyed under the supervision of the drug regulatory authority, or shall be subject to other harmless-treatment measures in accordance with the law. ## Chapter 8 Drug Prices and Advertising **Article 84.** The State shall improve the drug procurement administration system, monitor drug prices, conduct cost-price surveys, strengthen the supervision and inspection of drug prices, investigate and punish in accordance with the law drug-price violations such as price monopolies and price gouging, and maintain order in drug prices. **Article 85.** For drugs subject to market-adjusted pricing in accordance with the law, marketing authorization holders, drug manufacturing enterprises, drug distribution enterprises, and medical institutions shall set prices in accordance with the principles of fairness, reasonableness, good faith, and consistency of quality and price, and provide reasonably priced drugs to drug users. Marketing authorization holders, drug manufacturing enterprises, drug distribution enterprises, and medical institutions shall comply with the provisions of the drug-price authority under the State Council on drug-price administration, set and mark drug retail prices, and refrain from acts such as excessive profiteering, price monopolies, and price fraud. **Article 86.** Marketing authorization holders, drug manufacturing enterprises, drug distribution enterprises, and medical institutions shall, in accordance with the law, provide the drug-price authority with materials such as the actual purchase-and-sale prices and purchase-and-sale quantities of their drugs. **Article 87.** A medical institution shall provide patients with a price list of the drugs used, truthfully publish the prices of its commonly used drugs in accordance with the provisions, and strengthen the management of rational drug use. The specific measures shall be formulated by the health authority under the State Council. **Article 88.** Marketing authorization holders, drug manufacturing enterprises, drug distribution enterprises, and medical institutions are prohibited from giving or accepting kickbacks or other improper benefits in the purchase and sale of drugs. Marketing authorization holders, drug manufacturing enterprises, drug distribution enterprises, or their agents are prohibited from giving, under any name, property or other improper benefits to the responsible persons, drug procurement personnel, physicians, pharmacists, and other relevant personnel of medical institutions that use their drugs. The responsible persons, drug procurement personnel, physicians, pharmacists, and other relevant personnel of medical institutions are prohibited from accepting, under any name, property or other improper benefits given by marketing authorization holders, drug manufacturing enterprises, drug distribution enterprises, or their agents. **Article 89.** Drug advertisements shall be approved by the advertising review authority designated by the people's government of the province, autonomous region, or municipality directly under the Central Government in the locality of the advertiser; those that have not been approved shall not be released. **Article 90.** The content of drug advertisements shall be true and lawful, shall be based on the drug package insert verified by the drug regulatory authority under the State Council, and shall not contain false content. Drug advertisements shall not contain assertions or guarantees of efficacy or safety; nor shall they make recommendations or attestations using the name or image of a state organ, scientific research unit, academic institution, industry association, or expert, scholar, physician, pharmacist, patient, or the like. Non-drug advertisements shall not contain any publicity relating to drugs. **Article 91.** Where this Law does not provide for drug prices and advertising, the provisions of the Price Law of the People's Republic of China, the Anti-Monopoly Law of the People's Republic of China, the Anti-Unfair Competition Law of the People's Republic of China, the Advertising Law of the People's Republic of China, and the like shall apply. ## Chapter 9 Drug Reserve and Supply **Article 92.** The State shall implement a drug reserve system and establish a two-tier drug reserve at the central and local levels. In the event of a major disaster, epidemic, or other emergency, drugs may be requisitioned on an emergency basis in accordance with the provisions of the Emergency Response Law of the People's Republic of China. **Article 93.** The State shall implement an essential-drugs system, select an appropriate number of varieties of essential drugs, strengthen the organization of their manufacture and reserve, improve the supply capacity of essential drugs, and meet the basic drug-use needs for disease prevention and treatment. **Article 94.** The State shall establish a drug supply-and-demand monitoring system, promptly collect and aggregate and analyze information on the supply and demand of drugs in short supply, provide early warning of drugs in short supply, and take response measures. **Article 95.** The State shall implement a list-administration system for drugs in short supply. The specific measures shall be formulated by the health authority under the State Council jointly with the drug regulatory authority under the State Council and other departments. Where a marketing authorization holder ceases the manufacture of a drug in short supply, it shall report to the drug regulatory authority under the State Council or to the drug regulatory authority of the people's government of a province, autonomous region, or municipality directly under the Central Government in accordance with the provisions. **Article 96.** The State shall encourage the research, development, and manufacture of drugs in short supply, and give priority to the review and approval of drugs in short supply that are urgently needed clinically and new drugs for the prevention and treatment of major infectious diseases, rare diseases, and other diseases. **Article 97.** For drugs in short supply, the State Council may restrict or prohibit their export. Where necessary, the relevant departments under the State Council may take measures such as organizing manufacture, price intervention, and expanding imports to safeguard drug supply. Marketing authorization holders, drug manufacturing enterprises, and drug distribution enterprises shall safeguard the manufacture and supply of drugs in accordance with the provisions. ## Chapter 10 Supervision and Administration **Article 98.** The manufacture (including preparation, the same below), sale, and use of counterfeit drugs and substandard drugs are prohibited. A drug shall be a counterfeit drug under any of the following circumstances: (1) the ingredients contained in the drug do not conform to the ingredients prescribed by the national drug standards; (2) a non-drug is passed off as a drug, or one drug is passed off as another drug; (3) the drug has deteriorated; or (4) the indications or functions and major uses indicated for the drug exceed the prescribed scope. A drug shall be a substandard drug under any of the following circumstances: (1) the content of the drug's ingredients does not conform to the national drug standards; (2) the drug is contaminated; (3) the drug's valid period is not indicated or has been altered; (4) the drug's product batch number is not indicated or has been altered; (5) the drug has exceeded its valid period; (6) preservatives or excipients have been added to the drug without authorization; or (7) the drug otherwise does not conform to drug standards. It is prohibited to manufacture or import drugs without obtaining drug-approval documents; it is prohibited to use active pharmaceutical ingredients, packaging materials, and containers that have not been reviewed and approved in accordance with the provisions to manufacture drugs. **Article 99.** Drug regulatory authorities shall, in accordance with the provisions of laws and regulations, conduct supervision and inspection of activities such as drug research, manufacture, and distribution and the use of drugs by drug-using units; where necessary, they may conduct extended inspections of the entities and individuals that provide products or services for the research, manufacture, distribution, and use of drugs, and the relevant entities and individuals shall cooperate and shall not refuse or conceal. Drug regulatory authorities shall implement key supervision and inspection of high-risk drugs. Where there is evidence proving that a safety hazard may exist, the drug regulatory authority shall, in light of the supervision and inspection situation, take measures such as admonition, regulatory interview, ordering rectification within a time limit, and suspending manufacture, sale, use, or import, and promptly make public the inspection and handling results. When conducting supervision and inspection, a drug regulatory authority shall present its credentials, and shall keep confidential the trade secrets learned of during the supervision and inspection. **Article 100.** A drug regulatory authority may, according to the needs of supervision and administration, conduct spot-check inspection of drug quality. Spot-check inspection shall be sampled in accordance with the provisions, and no fees shall be charged; samples shall be purchased. The required expenses shall be defrayed in accordance with the provisions of the State Council. For drugs and their relevant materials for which there is evidence proving that they may endanger human health, the drug regulatory authority may seal up or seize them and make an administrative handling decision within seven days; where the drugs need to be inspected, it shall make an administrative handling decision within fifteen days from the date of issuance of the inspection report. **Article 101.** The drug regulatory authorities of the State Council and of the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government shall periodically publish the results of drug-quality spot-check inspections; where a publication is improper, a correction shall be made within the scope of the original publication. **Article 102.** Where a party has an objection to a drug-inspection result, it may, within seven days from the date of receipt of the drug-inspection result, apply for re-inspection to the original drug inspection institution or to a drug inspection institution established or designated by the drug regulatory authority at the next higher level, or may directly apply for re-inspection to a drug inspection institution established or designated by the drug regulatory authority under the State Council. The drug inspection institution accepting the re-inspection shall make a re-inspection conclusion within the time prescribed by the drug regulatory authority under the State Council. **Article 103.** Drug regulatory authorities shall inspect the compliance of marketing authorization holders, drug manufacturing enterprises, drug distribution enterprises, non-clinical drug safety evaluation research institutions, drug clinical-trial institutions, and the like with the Good Manufacturing Practice for Drugs, the Good Supply Practice for Drugs, the Good Laboratory Practice for Non-clinical Drug Studies, the Good Clinical Practice for Drugs, and the like, and supervise their continuous conformity with statutory requirements. **Article 104.** The State shall establish a professionalized and specialized contingent of drug inspectors. Inspectors shall be familiar with drug laws and regulations and possess drug-related professional knowledge. **Article 105.** Drug regulatory authorities shall establish drug-safety credit files for marketing authorization holders, drug manufacturing enterprises, drug distribution enterprises, non-clinical drug safety evaluation research institutions, drug clinical-trial institutions, and medical institutions, recording the issuance of licenses, the results of routine supervision and inspection, the investigation and punishment of illegal acts, and the like, and shall make them public in accordance with the law and update them promptly; for those with bad credit records, the frequency of supervision and inspection shall be increased, and joint punishment may be implemented in accordance with the provisions of the State. **Article 106.** Drug regulatory authorities shall publish their email addresses and telephone numbers, accept inquiries, complaints, and reports, and respond, verify, and handle them promptly in accordance with the law. For reports verified to be true, rewards shall be given to the informants in accordance with the relevant provisions. Drug regulatory authorities shall keep the information of informants confidential and protect the lawful rights and interests of informants. Where an informant reports the entity at which the informant works, that entity shall not retaliate against the informant by terminating or altering the labor contract or by other means. **Article 107.** The State shall implement a system of unified publication of drug-safety information. The overall situation of national drug safety, drug-safety risk warning information, major drug-safety incidents and the investigation and handling information thereof, and other information determined by the State Council as requiring unified publication shall be uniformly published by the drug regulatory authority under the State Council. Where the impact of drug-safety risk warning information and of major drug-safety incidents and the investigation and handling information thereof is limited to a specific region, it may also be published by the relevant drug regulatory authority of the people's government of the province, autonomous region, or municipality directly under the Central Government. The above information shall not be released without authorization. The publication of drug-safety information shall be timely, accurate, and comprehensive, with necessary explanations, so as to avoid misleading. No entity or individual shall fabricate or disseminate false drug-safety information. **Article 108.** People's governments at or above the county level shall formulate emergency response plans for drug-safety incidents. Marketing authorization holders, drug manufacturing enterprises, drug distribution enterprises, medical institutions, and the like shall formulate their respective drug-safety incident handling plans, and organize and carry out training and emergency drills. In the event of a drug-safety incident, the people's government at or above the county level shall immediately organize and carry out response work in accordance with the emergency response plan; the relevant entities shall immediately take effective measures to handle it and prevent the harm from expanding. **Article 109.** Where a drug regulatory authority fails to promptly discover systemic drug-safety risks or fails to promptly eliminate drug-safety hazards within its supervision and administration area, the people's government at the same level or the drug regulatory authority of the people's government at the next higher level shall conduct a regulatory interview of its principal responsible person. Where a local people's government fails to perform its drug-safety responsibilities or fails to promptly eliminate regional major drug-safety hazards, the people's government at the next higher level or the drug regulatory authority of the people's government at the next higher level shall conduct a regulatory interview of its principal responsible person. The departments and local people's governments subject to regulatory interview shall immediately take measures to rectify their drug supervision and administration work. The regulatory-interview situation and the rectification situation shall be incorporated into the appraisal and assessment records of the drug supervision and administration work of the relevant departments and local people's governments. **Article 110.** Local people's governments and their drug regulatory authorities shall not, by means such as requiring drug inspection or approval, restrict or exclude drugs manufactured by marketing authorization holders or drug manufacturing enterprises from outside their local areas from entering their local areas. **Article 111.** Drug regulatory authorities and the specialized drug technical institutions they establish or designate shall not participate in drug manufacturing or distribution activities, and shall not, in their name, recommend, supervise the manufacture of, or supervise the sale of drugs. The staff of drug regulatory authorities and of the specialized drug technical institutions they establish or designate shall not participate in drug manufacturing or distribution activities. **Article 112.** Where the State Council has other special administrative provisions on narcotic drugs, psychotropic drugs, toxic drugs for medical use, radioactive drugs, drug-category precursor chemicals, and the like, such provisions shall apply. **Article 113.** Where a drug regulatory authority discovers that a drug-related illegal act is suspected of constituting a crime, it shall promptly transfer the case to the public security organ. For cases in which, in accordance with the law, criminal liability need not be pursued or criminal punishment is exempted, but administrative liability shall be pursued, the public security organ, the people's procuratorate, and the people's court shall promptly transfer the case to the drug regulatory authority. Where a public security organ, people's procuratorate, or people's court requests a drug regulatory authority, an ecological-environment authority, or another department to provide assistance such as inspection conclusions and identification opinions and harmless treatment of the drugs involved in a case, the relevant department shall promptly provide such assistance. ## Chapter 11 Legal Liability **Article 114.** Where a violation of the provisions of this Law constitutes a crime, criminal liability shall be pursued in accordance with the law. **Article 115.** Where a drug is manufactured or sold without obtaining a drug manufacturing license, a drug distribution license, or a medical-institution preparation license, the offender shall be ordered to close down, the drugs unlawfully manufactured or sold and the unlawful gains shall be confiscated, and a fine of not less than fifteen times but not more than thirty times the value of the drugs unlawfully manufactured or sold (including drugs already sold and not yet sold, the same below) shall be imposed; where the value is less than RMB 100,000, it shall be calculated as RMB 100,000. **Article 116.** Where a counterfeit drug is manufactured or sold, the drugs unlawfully manufactured or sold and the unlawful gains shall be confiscated, the offender shall be ordered to suspend production or business for rectification, the drug-approval documents shall be revoked, and a fine of not less than fifteen times but not more than thirty times the value of the drugs unlawfully manufactured or sold shall be imposed; where the value is less than RMB 100,000, it shall be calculated as RMB 100,000; where the circumstances are serious, the drug manufacturing license, drug distribution license, or medical-institution preparation license shall be revoked, the corresponding applications of the offender shall not be accepted for ten years, and where the marketing authorization holder is an overseas enterprise, the import of its drugs shall be prohibited for ten years. **Article 117.** Where a substandard drug is manufactured or sold, the drugs unlawfully manufactured or sold and the unlawful gains shall be confiscated, and a fine of not less than ten times but not more than twenty times the value of the drugs unlawfully manufactured or sold shall be imposed; where the value of the drugs unlawfully manufactured or wholesaled is less than RMB 100,000, it shall be calculated as RMB 100,000, and where the value of the drugs unlawfully retailed is less than RMB 10,000, it shall be calculated as RMB 10,000; where the circumstances are serious, the offender shall be ordered to suspend production or business for rectification, up to and including the revocation of the drug-approval documents, drug manufacturing license, drug distribution license, or medical-institution preparation license. Where the prepared slices of Chinese crude drugs manufactured or sold do not conform to drug standards but do not yet affect safety and efficacy, the offender shall be ordered to make corrections within a time limit and be given a warning; a fine of not less than RMB 100,000 but not more than RMB 500,000 may be imposed. **Article 118.** Where a counterfeit drug is manufactured or sold, or a substandard drug is manufactured or sold under serious circumstances, the legal representative, principal responsible person, the directly responsible person in charge, and other responsible persons shall have the income obtained from the entity during the period of the illegal act confiscated, be fined not less than 30 percent but not more than three times the income obtained, be prohibited for life from engaging in drug manufacturing and distribution activities, and may be detained by the public security organ for not less than five days but not more than fifteen days. The raw materials, excipients, packaging materials, and production equipment used by the manufacturer specifically for manufacturing counterfeit drugs or substandard drugs shall be confiscated. **Article 119.** Where a drug-using unit uses a counterfeit drug or substandard drug, it shall be punished in accordance with the provisions on selling a counterfeit drug or retailing a substandard drug; where the circumstances are serious, and the legal representative, principal responsible person, the directly responsible person in charge, and other responsible persons hold practice certificates as medical and health personnel, their practice certificates shall also be revoked. **Article 120.** Where a person knows or should know that a drug is a counterfeit drug, a substandard drug, or a drug prescribed in items (1) through (5) of paragraph 1 of Article 124 of this Law, and provides for it convenient conditions such as storage and transportation, all storage and transportation income shall be confiscated, and a fine of not less than one time but not more than five times the unlawful income shall be imposed; where the circumstances are serious, a fine of not less than five times but not more than fifteen times the unlawful income shall also be imposed; where the unlawful income is less than RMB 50,000, it shall be calculated as RMB 50,000. **Article 121.** A decision to punish a counterfeit drug or substandard drug shall, in accordance with the law, state the quality-inspection conclusion of the drug inspection institution. **Article 122.** Where a license or drug-approval document is forged, altered, leased, lent, or unlawfully traded, the unlawful gains shall be confiscated, and a fine of not less than one time but not more than five times the unlawful gains shall be imposed; where the circumstances are serious, a fine of not less than five times but not more than fifteen times the unlawful gains shall also be imposed, the drug manufacturing license, drug distribution license, medical-institution preparation license, or drug-approval document shall be revoked, and the legal representative, principal responsible person, the directly responsible person in charge, and other responsible persons shall be fined not less than RMB 20,000 but not more than RMB 200,000, prohibited for ten years from engaging in drug manufacturing and distribution activities, and may be detained by the public security organ for not less than five days but not more than fifteen days; where the unlawful gains are less than RMB 100,000, they shall be calculated as RMB 100,000. **Article 123.** Where false certificates, data, materials, or samples are provided, or other means are used, to fraudulently obtain a clinical-trial permit, drug manufacturing permit, drug distribution permit, medical-institution preparation permit, drug registration, or other permit, the relevant permit shall be revoked, the corresponding applications of the offender shall not be accepted for ten years, and a fine of not less than RMB 500,000 but not more than RMB 5,000,000 shall be imposed; where the circumstances are serious, the legal representative, principal responsible person, the directly responsible person in charge, and other responsible persons shall be fined not less than RMB 20,000 but not more than RMB 200,000, prohibited for ten years from engaging in drug manufacturing and distribution activities, and may be detained by the public security organ for not less than five days but not more than fifteen days. **Article 124.** Where any of the following acts is committed in violation of the provisions of this Law, the drugs unlawfully manufactured, imported, or sold, the unlawful gains, and the raw materials, excipients, packaging materials, and production equipment specifically used for the unlawful manufacture shall be confiscated, the offender shall be ordered to suspend production or business for rectification, and a fine of not less than fifteen times but not more than thirty times the value of the drugs unlawfully manufactured, imported, or sold shall be imposed; where the value is less than RMB 100,000, it shall be calculated as RMB 100,000; where the circumstances are serious, the drug-approval documents shall be revoked, up to and including the revocation of the drug manufacturing license, drug distribution license, or medical-institution preparation license, and the legal representative, principal responsible person, the directly responsible person in charge, and other responsible persons shall have the income obtained from the entity during the period of the illegal act confiscated, be fined not less than 30 percent but not more than three times the income obtained, be prohibited for ten years up to and including for life from engaging in drug manufacturing and distribution activities, and may be detained by the public security organ for not less than five days but not more than fifteen days: (1) manufacturing or importing drugs without obtaining drug-approval documents; (2) using drug-approval documents obtained by deceptive means to manufacture or import drugs; (3) using active pharmaceutical ingredients that have not been reviewed and approved to manufacture drugs; (4) selling drugs without inspection where inspection is required; (5) manufacturing or selling drugs prohibited from use by the drug regulatory authority under the State Council; (6) fabricating manufacturing or inspection records; or (7) making major changes in the drug manufacturing process without approval. Where the drugs prescribed in items (1) through (3) of the preceding paragraph are sold, or where a drug-using unit uses the drugs prescribed in items (1) through (5) of the preceding paragraph, punishment shall be imposed in accordance with the provisions of the preceding paragraph; where the circumstances are serious, and the legal representative, principal responsible person, the directly responsible person in charge, and other responsible persons of the drug-using unit hold practice certificates as medical and health personnel, their practice certificates shall also be revoked. Where a small quantity of drugs that have been lawfully marketed overseas is imported without approval, and the circumstances are relatively minor, the punishment may be mitigated or exempted in accordance with the law. **Article 125.** Where any of the following acts is committed in violation of the provisions of this Law, the drugs unlawfully manufactured or sold, the unlawful gains, and the packaging materials and containers shall be confiscated, the offender shall be ordered to suspend production or business for rectification, and a fine of not less than RMB 500,000 but not more than RMB 5,000,000 shall be imposed; where the circumstances are serious, the drug-approval documents, drug manufacturing license, and drug distribution license shall be revoked, and the legal representative, principal responsible person, the directly responsible person in charge, and other responsible persons shall be fined not less than RMB 20,000 but not more than RMB 200,000 and prohibited for ten years up to and including for life from engaging in drug manufacturing and distribution activities: (1) carrying out a drug clinical trial without approval; (2) using packaging materials or containers in direct contact with drugs that have not been reviewed to manufacture drugs, or selling such drugs; or (3) using labels or package inserts that have not been verified. **Article 126.** Except as otherwise provided in this Law, where a marketing authorization holder, drug manufacturing enterprise, drug distribution enterprise, non-clinical drug safety evaluation research institution, drug clinical-trial institution, or the like fails to comply with the Good Manufacturing Practice for Drugs, the Good Supply Practice for Drugs, the Good Laboratory Practice for Non-clinical Drug Studies, the Good Clinical Practice for Drugs, or the like, it shall be ordered to make corrections within a time limit and be given a warning; where corrections are not made upon the expiration of the time limit, a fine of not less than RMB 100,000 but not more than RMB 500,000 shall be imposed; where the circumstances are serious, a fine of not less than RMB 500,000 but not more than RMB 2,000,000 shall be imposed, the offender shall be ordered to suspend production or business for rectification, up to and including the revocation of the drug-approval documents, drug manufacturing license, drug distribution license, and the like, the non-clinical drug safety evaluation research institution, drug clinical-trial institution, or the like shall not carry out non-clinical drug safety evaluation studies or drug clinical trials for five years, and the legal representative, principal responsible person, the directly responsible person in charge, and other responsible persons shall have the income obtained from the entity during the period of the illegal act confiscated, be fined not less than 10 percent but not more than 50 percent of the income obtained, and be prohibited for ten years up to and including for life from engaging in drug manufacturing, distribution, and other activities. **Article 127.** Where any of the following acts is committed in violation of the provisions of this Law, the offender shall be ordered to make corrections within a time limit and be given a warning; where corrections are not made upon the expiration of the time limit, a fine of not less than RMB 100,000 but not more than RMB 500,000 shall be imposed: (1) carrying out a bioequivalence trial without filing; (2) where, during a drug clinical trial, a safety problem or other risk is discovered, and the clinical-trial sponsor fails to promptly adjust the clinical-trial protocol, suspend or terminate the clinical trial, or fails to report to the drug regulatory authority under the State Council; (3) failing to establish and implement a drug traceability system in accordance with the provisions; (4) failing to submit the annual report in accordance with the provisions; (5) failing to file or report changes in the drug manufacturing process in accordance with the provisions; (6) failing to formulate a post-marketing risk management plan for drugs; or (7) failing to carry out post-marketing studies or post-marketing evaluation of drugs in accordance with the provisions. **Article 128.** Except where punishment shall be imposed as for counterfeit drugs or substandard drugs in accordance with the law, where drug packaging is not, in accordance with the provisions, printed or affixed with a label or accompanied by a package insert, or the label or package insert does not, in accordance with the provisions, indicate the relevant information or is not printed with the prescribed marks, the offender shall be ordered to make corrections and be given a warning; where the circumstances are serious, the drug registration certificate shall be revoked. **Article 129.** Where, in violation of the provisions of this Law, a marketing authorization holder, drug manufacturing enterprise, drug distribution enterprise, or medical institution fails to purchase drugs from a marketing authorization holder or an enterprise qualified for drug manufacture or distribution, it shall be ordered to make corrections, the drugs unlawfully purchased and the unlawful gains shall be confiscated, and a fine of not less than two times but not more than ten times the value of the drugs unlawfully purchased shall be imposed; where the circumstances are serious, a fine of not less than ten times but not more than thirty times the value shall also be imposed, and the drug-approval documents, drug manufacturing license, drug distribution license, or medical-institution practice license shall be revoked; where the value is less than RMB 50,000, it shall be calculated as RMB 50,000. **Article 130.** Where, in violation of the provisions of this Law, a drug distribution enterprise fails to keep records in accordance with the provisions when purchasing and selling drugs, fails to correctly explain the usage, dosage, and other matters when retailing drugs, or fails to dispense prescriptions in accordance with the provisions, it shall be ordered to make corrections and be given a warning; where the circumstances are serious, the drug distribution license shall be revoked. **Article 131.** Where, in violation of the provisions of this Law, a provider of a third-party platform for online drug trading fails to perform the obligations of qualification review, reporting, stopping the provision of online trading platform services, and the like, it shall be ordered to make corrections, the unlawful gains shall be confiscated, and a fine of not less than RMB 200,000 but not more than RMB 2,000,000 shall be imposed; where the circumstances are serious, it shall be ordered to suspend business for rectification and be fined not less than RMB 2,000,000 but not more than RMB 5,000,000. **Article 132.** Where a drug for which a drug registration certificate has been obtained is imported but the filing is not made, in accordance with the provisions, with the drug regulatory authority in the locality of the port where drug importation is permitted, the offender shall be ordered to make corrections within a time limit and be given a warning; where corrections are not made upon the expiration of the time limit, the drug registration certificate shall be revoked. **Article 133.** Where, in violation of the provisions of this Law, a medical institution sells on the market the pharmaceutical preparations it has prepared, it shall be ordered to make corrections, the preparations unlawfully sold and the unlawful gains shall be confiscated, and a fine of not less than two times but not more than five times the value of the preparations unlawfully sold shall be imposed; where the circumstances are serious, a fine of not less than five times but not more than fifteen times the value shall also be imposed; where the value is less than RMB 50,000, it shall be calculated as RMB 50,000. **Article 134.** Where a marketing authorization holder fails to carry out adverse-drug-reaction monitoring or to report suspected adverse drug reactions in accordance with the provisions, it shall be ordered to make corrections within a time limit and be given a warning; where corrections are not made upon the expiration of the time limit, it shall be ordered to suspend production or business for rectification and be fined not less than RMB 100,000 but not more than RMB 1,000,000. Where a drug distribution enterprise fails to report suspected adverse drug reactions in accordance with the provisions, it shall be ordered to make corrections within a time limit and be given a warning; where corrections are not made upon the expiration of the time limit, it shall be ordered to suspend production or business for rectification and be fined not less than RMB 50,000 but not more than RMB 500,000. Where a medical institution fails to report suspected adverse drug reactions in accordance with the provisions, it shall be ordered to make corrections within a time limit and be given a warning; where corrections are not made upon the expiration of the time limit, it shall be fined not less than RMB 50,000 but not more than RMB 500,000. **Article 135.** Where a marketing authorization holder, after being ordered by the drug regulatory authority of the people's government of the province, autonomous region, or municipality directly under the Central Government to recall drugs, refuses to recall them, it shall be fined not less than five times but not more than ten times the value of the drugs that should be recalled; where the value is less than RMB 100,000, it shall be calculated as RMB 100,000; where the circumstances are serious, the drug-approval documents, drug manufacturing license, and drug distribution license shall be revoked, and the legal representative, principal responsible person, the directly responsible person in charge, and other responsible persons shall be fined not less than RMB 20,000 but not more than RMB 200,000. Where a drug manufacturing enterprise, drug distribution enterprise, or medical institution refuses to cooperate with a recall, it shall be fined not less than RMB 100,000 but not more than RMB 500,000. **Article 136.** Where a marketing authorization holder is an overseas enterprise, and the enterprise legal person within the territory of China designated by it fails to perform the relevant obligations in accordance with the provisions of this Law, the provisions of this Law concerning the legal liability of marketing authorization holders shall apply. **Article 137.** Where any of the following acts is committed, a heavier punishment shall be imposed within the range of punishment prescribed in this Law: (1) passing off other drugs with narcotic drugs, psychotropic drugs, toxic drugs for medical use, radioactive drugs, or drug-category precursor chemicals, or passing off the above-mentioned drugs with other drugs; (2) manufacturing or selling counterfeit drugs or substandard drugs whose main users are pregnant or parturient women or children; (3) the biological products manufactured or sold being counterfeit drugs or substandard drugs; (4) manufacturing or selling counterfeit drugs or substandard drugs, causing personal injury consequences; (5) re-offending in manufacturing or selling counterfeit drugs or substandard drugs after having been dealt with; or (6) refusing or evading supervision and inspection, forging, destroying, or concealing relevant evidentiary materials, or using sealed-up or seized articles without authorization. **Article 138.** Where a drug inspection institution issues a false inspection report, it shall be ordered to make corrections and be given a warning, and the institution shall be fined not less than RMB 200,000 but not more than RMB 1,000,000; the directly responsible person in charge and other directly responsible persons shall be given sanctions of demotion, removal from office, or dismissal in accordance with the law, the unlawful gains shall be confiscated, and a fine of not more than RMB 50,000 shall be imposed; where the circumstances are serious, its inspection qualification shall be revoked. Where the inspection results issued by a drug inspection institution are untrue and cause losses, it shall bear corresponding compensation liability. **Article 139.** The administrative penalties prescribed in Articles 115 through 138 of this Law shall be decided by the drug regulatory authority of the people's government at or above the county level in accordance with the division of responsibilities; where a permit is revoked or a license is revoked, the decision shall be made by the department that originally granted the approval or issued the license. **Article 140.** Where a marketing authorization holder, drug manufacturing enterprise, drug distribution enterprise, or medical institution employs personnel in violation of the provisions of this Law, the drug regulatory authority or the health authority shall order the dismissal of such personnel and impose a fine of not less than RMB 50,000 but not more than RMB 200,000. **Article 141.** Where a marketing authorization holder, drug manufacturing enterprise, drug distribution enterprise, or medical institution gives or accepts kickbacks or other improper benefits in the purchase and sale of drugs, or where a marketing authorization holder, drug manufacturing enterprise, drug distribution enterprise, or agent gives property or other improper benefits to the responsible persons, drug procurement personnel, physicians, pharmacists, or other relevant personnel of a medical institution that uses its drugs, the market regulatory authority shall confiscate the unlawful gains and impose a fine of not less than RMB 300,000 but not more than RMB 3,000,000; where the circumstances are serious, the business license of the marketing authorization holder, drug manufacturing enterprise, or drug distribution enterprise shall be revoked, and the drug regulatory authority shall revoke the drug-approval documents, drug manufacturing license, or drug distribution license. Where a marketing authorization holder, drug manufacturing enterprise, or drug distribution enterprise bribes a State functionary in the research, manufacture, or distribution of drugs, the legal representative, principal responsible person, the directly responsible person in charge, and other responsible persons shall be prohibited for life from engaging in drug manufacturing and distribution activities. **Article 142.** Where the responsible persons, procurement personnel, or other relevant personnel of a marketing authorization holder, drug manufacturing enterprise, or drug distribution enterprise accept property or other improper benefits given by another marketing authorization holder, drug manufacturing enterprise, drug distribution enterprise, or agent in the purchase and sale of drugs, the unlawful gains shall be confiscated and punishment shall be given in accordance with the law; where the circumstances are serious, they shall be prohibited for five years from engaging in drug manufacturing and distribution activities. Where the responsible persons, drug procurement personnel, physicians, pharmacists, or other relevant personnel of a medical institution accept property or other improper benefits given by a marketing authorization holder, drug manufacturing enterprise, drug distribution enterprise, or agent, the health authority or the institution itself shall impose sanctions and confiscate the unlawful gains; where the circumstances are serious, their practice certificates shall also be revoked. **Article 143.** Where, in violation of the provisions of this Law, false drug-safety information is fabricated or disseminated, constituting an act in violation of public-security administration, the public security organ shall impose a public-security administration punishment in accordance with the law. **Article 144.** Where a marketing authorization holder, drug manufacturing enterprise, drug distribution enterprise, or medical institution, in violation of the provisions of this Law, causes harm to drug users, it shall bear compensation liability in accordance with the law. Where harm is suffered due to a drug-quality problem, the victim may claim compensation for losses from the marketing authorization holder or the drug manufacturing enterprise, or may claim compensation for losses from the drug distribution enterprise or the medical institution. Upon receipt of the victim's compensation claim, the recipient shall implement a first-liability system and make advance compensation; after making advance compensation, it may seek recovery in accordance with the law. Where a counterfeit drug or substandard drug is manufactured, or a drug known to be a counterfeit drug or substandard drug is nonetheless sold or used, the victim or the victim's close relatives may, in addition to claiming compensation for losses, also claim payment of compensation amounting to ten times the price or three times the losses; where the additional compensation amount is less than RMB 1,000, it shall be RMB 1,000. **Article 145.** Where a drug regulatory authority or a specialized drug technical institution established or designated by it participates in drug manufacturing or distribution activities, its competent authority at the higher level shall order it to make corrections and confiscate the unlawful income; where the circumstances are serious, the directly responsible person in charge and other directly responsible persons shall be given sanctions in accordance with the law. Where the staff of a drug regulatory authority or of a specialized drug technical institution established or designated by it participate in drug manufacturing or distribution activities, they shall be given sanctions in accordance with the law. **Article 146.** Where a drug regulatory authority or a drug inspection institution established or designated by it unlawfully charges inspection fees in drug supervision and inspection, the relevant government department shall order the return of the fees, and the directly responsible person in charge and other directly responsible persons shall be given sanctions in accordance with the law; where the circumstances are serious, its inspection qualification shall be revoked. **Article 147.** Where, in violation of the provisions of this Law, a drug regulatory authority commits any of the following acts, the relevant permit shall be revoked, and the directly responsible person in charge and other directly responsible persons shall be given sanctions in accordance with the law: (1) approving a drug clinical trial where the conditions are not met; (2) issuing a drug registration certificate for a drug that does not meet the conditions; or (3) issuing a drug manufacturing license, drug distribution license, or medical-institution preparation license to an entity that does not meet the conditions. **Article 148.** Where, in violation of the provisions of this Law, a local people's government at or above the county level commits any of the following acts, the directly responsible person in charge and other directly responsible persons shall be given a sanction of recording a demerit or recording a serious demerit; where the circumstances are serious, they shall be given a sanction of demotion, removal from office, or dismissal: (1) concealing, falsely reporting, belatedly reporting, or failing to report a drug-safety incident; (2) failing to promptly eliminate regional major drug-safety hazards, causing an especially serious drug-safety incident to occur within its administrative region, or causing major drug-safety incidents to occur consecutively; or (3) ineffectively performing its duties, causing serious adverse effects or major losses. **Article 149.** Where, in violation of the provisions of this Law, a drug regulatory or other authority commits any of the following acts, the directly responsible person in charge and other directly responsible persons shall be given a sanction of recording a demerit or recording a serious demerit; where the circumstances are relatively serious, they shall be given a sanction of demotion or removal from office; where the circumstances are serious, they shall be given a sanction of dismissal: (1) concealing, falsely reporting, belatedly reporting, or failing to report a drug-safety incident; (2) failing to promptly investigate and punish discovered drug-safety violations; (3) failing to promptly discover systemic drug-safety risks, or failing to promptly eliminate drug-safety hazards within the supervision and administration area, causing serious effects; or (4) otherwise failing to perform drug supervision and administration duties, causing serious adverse effects or major losses. **Article 150.** Where drug supervision and administration personnel abuse their power, engage in malpractice for personal gain, or neglect their duties, they shall be given sanctions in accordance with the law. Where there is dereliction of duty or malfeasance in investigating and punishing counterfeit-drug and substandard-drug violations, the directly responsible person in charge and other directly responsible persons of the drug regulatory authority shall be given heavier sanctions in accordance with the law. **Article 151.** The value prescribed in this Chapter shall be calculated on the basis of the marked price of the drugs unlawfully manufactured or sold; where there is no marked price, it shall be calculated on the basis of the market price of drugs of the same category. ## Chapter 12 Supplementary Provisions **Article 152.** The administration of the cultivation, collection, and breeding of Chinese medicinal materials shall be carried out in accordance with the provisions of the relevant laws and regulations. **Article 153.** The administrative measures for medicinal materials customarily used by the people in particular regions shall be formulated by the drug regulatory authority under the State Council jointly with the traditional Chinese medicine authority under the State Council. **Article 154.** The specific measures for the implementation of this Law by the Chinese People's Liberation Army and the Chinese People's Armed Police Force shall be formulated by the State Council and the Central Military Commission pursuant to this Law. **Article 155.** This Law shall come into force on December 1, 2019. --- ## Measures for the Administration of National Cybersecurity Incident Reporting - Chinese title: 国家网络安全事件报告管理办法 - Abbreviation: Incident Reporting Measures - Hierarchy: rule - Issuing body: Cyberspace Administration of China (CAC) - Adopted: 2025-09-11 - Effective: 2025-11-01 - Status: effective - URL: https://datacompliancechina.com/laws/cybersecurity-incident-reporting-measures/ - Markdown: https://datacompliancechina.com/laws/cybersecurity-incident-reporting-measures.md - Source URL: https://www.cac.gov.cn/2025-09/15/c_1759583017717009.htm ### Summary Issued by the CAC on September 11, 2025 and effective November 1, 2025, these Measures establish a unified national workflow for cybersecurity incident reporting, triggered whenever an incident is graded 'relatively significant' or above under the annexed Classification Guidelines (which track GB/T 20986-2023). Reporting clocks are calibrated by operator type: critical information infrastructure (CII) operators must report within one hour, central and state organs within two hours, and all other network operators within four hours, with tighter escalation windows for major and especially major incidents. Each report must cover eight specified elements — including, for ransomware, the ransom amount and payment deadline — and a comprehensive 30-day summary report is required after incident handling concludes; the 12387 hotline serves as the central intake. Article 11 creates an explicit safe harbour for operators that prepared adequately, responded under their emergency plan, and reported in good time, while Article 10 subjects late, false, or concealed reporting that causes serious harm to heavier penalties for both the entity and responsible individuals — a combination that overseas counsel should factor into incident-response playbooks for any China-nexus operation. ### Full text **Promulgated by:** Cyberspace Administration of China. **Document No.:** (none assigned) **Issued September 11, 2025. Effective November 1, 2025.** --- **Article 1.** These Measures are formulated in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Security Protection Regulations for Critical Information Infrastructure, and other laws and regulations, in order to regulate the administration of cybersecurity incident reporting and to control in a timely manner the losses and harm caused by cybersecurity incidents. **Article 2.** Network operators that build or operate networks within the territory of the People's Republic of China, or that provide services through networks, shall report cybersecurity incidents in accordance with these Measures when such incidents occur. **Article 3.** The national cyberspace administration authorities shall be responsible for the overall coordination of the administration of cybersecurity incident reporting nationwide. Provincial cyberspace administration authorities shall be responsible for the overall coordination of the administration of cybersecurity incident reporting within their respective administrative regions. **Article 4.** When a network operator discovers or learns of a cybersecurity incident involving its own entity, it shall assess the incident in accordance with the Guidelines for the Classification of Cybersecurity Incidents (see the Annex). Where the incident is classified as a relatively significant or above-level cybersecurity incident, it shall be reported following the procedures set out below: Where the incident involves critical information infrastructure (CII), the network operator shall report to the protection authority and the public security authority as soon as possible and no later than one hour. Where the incident is a major or especially major cybersecurity incident, the protection authority shall, upon receiving the report, report to the national cyberspace administration authorities and the State Council public security department as soon as possible and no later than thirty minutes. Where the network operator is one of the various departments of the central Party and State organs or their directly affiliated units, it shall report to the cyberspace-administration body of its own department in a timely manner and no later than two hours. Where the incident is a major or especially major cybersecurity incident, the cyberspace-administration body of the relevant department shall, upon receiving the report, report to the national cyberspace administration authorities as soon as possible and no later than one hour. Upon receiving the report, the national cyberspace administration authorities shall promptly notify the relevant departments. All other network operators shall report to the provincial cyberspace administration authorities of their locality in a timely manner and no later than four hours. Where the incident is a major or especially major cybersecurity incident, the provincial cyberspace administration authorities shall, upon receiving the report, report to the national cyberspace administration authorities as soon as possible and no later than one hour, and shall simultaneously notify the relevant departments at the same level. Where the relevant industry sector has specific provisions of its own, the network operator shall also report in accordance with the requirements of the industry competent authority or supervisory department. Where suspected illegal or criminal conduct is involved, the network operator shall report the case to the public security authority in a timely manner. **Article 5.** A network operator shall, by means of contracts or other instruments, require organizations or individuals that provide it with cybersecurity, system operations and maintenance, or similar services to report cybersecurity incidents discovered during monitoring to the network operator in a timely manner, and to assist it in reporting cybersecurity incidents in accordance with these Measures. **Article 6.** Social organizations and individuals are encouraged to report relatively significant or above-level cybersecurity incidents of which they have knowledge. **Article 7.** When reporting a cybersecurity incident, the following information shall be included: (1) The name of the affected entity and basic information on the affected system or facility; (2) The time, location, type, and grade of the cybersecurity incident, the impact and harm already caused, and the measures taken and their effects; for ransomware attacks, the report shall also include the amount, method, and date of the ransom demanded; (3) The trend in how the situation is developing and the further impact and harm that may be caused; (4) A preliminary analysis of the cause of the cybersecurity incident; (5) Clues for traceability investigation, including but not limited to information about the possible attacker, the attack path, and the vulnerabilities exploited; (6) The further response measures proposed and any request for support; (7) The status of on-site preservation relating to the cybersecurity incident; and (8) Any other matters that should be reported. Where the cause, impact, or development trend of a cybersecurity incident cannot be determined within the prescribed time, the information under items (1) and (2) above may be reported first, with the remaining information to be submitted as a supplement in a timely manner. Where important new developments arise after a cybersecurity incident has been reported, or where the investigation makes stage-by-stage progress, the affected entity shall report such developments in a timely manner. **Article 8.** After incident handling for a cybersecurity incident has concluded, the network operator shall, within thirty days, conduct a comprehensive analysis and summary of the cause of the relevant incident, the emergency response measures taken, the harm caused, accountability, rectification and improvement, and lessons learned, shall prepare an incident handling summary report, and shall submit that report through the original reporting channel. **Article 9.** The cyberspace administration authorities shall establish the 12387 cybersecurity incident reporting hotline, as well as a website, email, fax, and other channels, to receive cybersecurity incident reports in a unified manner. **Article 10.** Where a network operator fails to report a cybersecurity incident in accordance with these Measures, the relevant competent authority shall impose penalties in accordance with the applicable laws and administrative regulations. Where late reporting, missed reporting, false reporting, or concealed reporting of a cybersecurity incident by a network operator results in serious harmful consequences, heavier penalties shall be imposed on the network operator and the responsible individuals in accordance with law. Where a department that bears responsibility for cybersecurity incident reporting fails to report a cybersecurity incident in accordance with these Measures, the liability of the relevant entity and personnel shall be pursued in accordance with the applicable laws and administrative regulations and the cybersecurity work accountability system. **Article 11.** Where a cybersecurity incident occurs and the network operator has taken reasonable and necessary protective measures, has handled the incident in accordance with its emergency response plan, has effectively reduced the impact and harm of the cybersecurity incident, and has reported in a timely manner in accordance with these Measures, the liability of the relevant entity and personnel may, taking into account the circumstances, be mitigated or not pursued. **Article 12.** For the purposes of these Measures, "cybersecurity incident" refers to an incident in which networks and information systems, or the data and business applications therein, are harmed as a result of human causes, network attacks, network vulnerabilities and security risks, software or hardware defects or failures, force majeure, or other factors, and which has a negative impact on national, social, or economic interests. For the purposes of these Measures, "network operator" refers to the owner, administrator, or service provider of a network. The Guidelines for the Classification of Cybersecurity Incidents referred to in these Measures are formulated with reference to the national standard Guidelines for the Classification of Cybersecurity Incidents — Information Security Technology (GB/T 20986-2023) and provide quantitative grading indicators for the relevant incidents by means of a finite enumeration. **Article 13.** Reports of cybersecurity incidents involving State secrets shall be handled in accordance with the relevant provisions of the competent departments. **Article 14.** These Measures shall come into force on November 1, 2025. --- ## Regulation on the Supervision and Administration of Medical Devices (2024 Revision) - Chinese title: 医疗器械监督管理条例(2024修订) - Abbreviation: Medical Devices Regulation - Hierarchy: regulation - Issuing body: State Council - Adopted: 2000-01-04 - Effective: 2025-01-20 - Status: effective - URL: https://datacompliancechina.com/laws/medical-devices-supervision-regulation/ - Markdown: https://datacompliancechina.com/laws/medical-devices-supervision-regulation.md ### Summary The Regulation on the Supervision and Administration of Medical Devices is the State Council's foundational administrative regulation governing the research, manufacture, distribution, and use of medical devices on a risk-based, full-lifecycle basis. For data-compliance purposes it mandates the unique device identification (UDI) system to achieve device traceability (Article 38), requires registrants to build and operate product traceability and recall systems (Articles 20, 62), and establishes the adverse-event monitoring regime with a dedicated information network and mandatory reporting to monitoring technical institutions (Chapter V). It also requires registration applicants to ensure submitted data is lawful, authentic, accurate, complete, and traceable, and requires device-use records (including implant and large-equipment parameters) to be preserved in patient medical records and use archives. ### Full text **Promulgated by:** State Council. **Promulgated by Order No. 276 of the State Council of the People's Republic of China on January 4, 2000.** **Revised and adopted at the 39th Executive Meeting of the State Council on February 12, 2014.** **First amended in accordance with the Decision of the State Council on Amending the Regulation on the Supervision and Administration of Medical Devices on May 4, 2017.** **Revised and adopted at the 119th Executive Meeting of the State Council on December 21, 2020.** **Second amended in accordance with the Decision of the State Council on Amending and Repealing Certain Administrative Regulations on December 6, 2024.** **Current version effective January 20, 2025.** --- ## Chapter 1 General Provisions **Article 1.** This Regulation is formulated in order to ensure the safety and effectiveness of medical devices, safeguard human health and life safety, and promote the development of the medical device industry. **Article 2.** This Regulation shall apply to the research, manufacture, distribution and use of medical devices, as well as the supervision and administration thereof, within the territory of the People's Republic of China. **Article 3.** The drug regulatory department of the State Council shall be responsible for the supervision and administration of medical devices nationwide. The relevant departments of the State Council shall, within their respective scopes of responsibility, be responsible for the supervision and administration related to medical devices. **Article 4.** Local people's governments at or above the county level shall strengthen leadership over the supervision and administration of medical devices within their administrative regions, organize and coordinate the supervision and administration of medical devices and the response to emergencies within their administrative regions, strengthen capacity building for the supervision and administration of medical devices, and provide safeguards for the work of medical device safety. The departments responsible for drug regulation under the local people's governments at or above the county level shall be responsible for the supervision and administration of medical devices within their administrative regions. The relevant departments of the local people's governments at or above the county level shall, within their respective scopes of responsibility, be responsible for the supervision and administration related to medical devices. **Article 5.** The supervision and administration of medical devices shall follow the principles of risk management, full-process control, scientific regulation, and joint social governance. **Article 6.** The State shall implement classified management of medical devices according to their degree of risk. Class I comprises medical devices with a low degree of risk, whose safety and effectiveness can be ensured through routine management. Class II comprises medical devices with a moderate degree of risk, which require strict control and management to ensure their safety and effectiveness. Class III comprises medical devices with a relatively high degree of risk, which require special measures of strict control and management to ensure their safety and effectiveness. In evaluating the degree of risk of a medical device, factors such as the intended purpose, structural features, and method of use of the medical device shall be considered. The drug regulatory department of the State Council shall be responsible for formulating the classification rules and classification catalogue of medical devices, and shall, in light of the situation of the manufacture, distribution and use of medical devices, promptly analyze and evaluate changes in the risk of medical devices and adjust the classification rules and classification catalogue. In formulating and adjusting the classification rules and classification catalogue, it shall fully solicit the opinions of medical device registrants, filing persons, manufacturing and distribution enterprises, as well as use entities and industry organizations, and shall refer to international practices in the classification of medical devices. The classification rules and classification catalogue of medical devices shall be made public. **Article 7.** Medical device products shall comply with the mandatory national standards for medical devices; where there is no mandatory national standard, they shall comply with the mandatory industry standards for medical devices. **Article 8.** The State shall formulate plans and policies for the medical device industry, incorporate medical device innovation into development priorities, give priority to the review and approval of innovative medical devices, support the clinical promotion and use of innovative medical devices, and promote the high-quality development of the medical device industry. The drug regulatory department of the State Council shall cooperate with the relevant departments of the State Council in implementing the State's plans for the medical device industry and its guiding policies. **Article 9.** The State shall improve the medical device innovation system, support basic research and applied research on medical devices, promote the popularization and application of new medical device technologies, and provide support in such respects as the establishment of science and technology projects, financing, credit, bidding and procurement, and medical insurance. The State shall support enterprises in establishing or jointly forming research institutions, encourage enterprises to cooperate with institutions of higher learning, scientific research institutes, medical institutions and others in carrying out research and innovation of medical devices, strengthen the protection of intellectual property rights in medical devices, and enhance the capacity for independent innovation of medical devices. **Article 10.** The State shall strengthen the informatization of the supervision and administration of medical devices, improve the level of online government services, and provide convenience for administrative licensing, filing and the like of medical devices. **Article 11.** Medical device industry organizations shall strengthen industry self-discipline, advance the building of a credit system, urge enterprises to carry out manufacturing and distribution activities in accordance with the law, and guide enterprises to be honest and trustworthy. **Article 12.** Entities and individuals that have made outstanding contributions to the research and innovation of medical devices shall be commended and rewarded in accordance with relevant State provisions. ## Chapter 2 Registration and Filing of Medical Device Products **Article 13.** Class I medical devices shall be subject to product filing administration, and Class II and Class III medical devices shall be subject to product registration administration. Medical device registrants and filing persons shall strengthen full-lifecycle quality management of medical devices, and shall bear liability in accordance with the law for the safety and effectiveness of medical devices throughout the entire process of research, manufacture, distribution and use. **Article 14.** For the filing of Class I medical device products and the application for registration of Class II and Class III medical device products, the following materials shall be submitted: (I) product risk analysis materials; (II) product technical requirements; (III) product inspection reports; (IV) clinical evaluation materials; (V) product instructions for use and sample labels; (VI) quality management system documents related to the research and manufacture of the product; (VII) other materials necessary to prove the safety and effectiveness of the product. The product inspection report shall comply with the requirements of the drug regulatory department of the State Council, and may be a self-inspection report of the medical device registration applicant or filing person, or an inspection report issued by a qualified medical device inspection institution as entrusted. Where the circumstances of exemption from clinical evaluation prescribed in Article 24 of this Regulation are met, clinical evaluation materials may be exempted from submission. The medical device registration applicant or filing person shall ensure that the materials submitted are lawful, authentic, accurate, complete and traceable. **Article 15.** For the filing of Class I medical device products, the filing person shall submit the filing materials to the department responsible for drug regulation under the people's government of the city divided into districts where it is located. An overseas filing person that exports Class I medical devices to China shall, through an enterprise legal person within China designated by it, submit the filing materials to the drug regulatory department of the State Council, together with documents certifying that the competent authority of the country (or region) where the filing person is located permits the medical device to be marketed and sold. For innovative medical devices that have not been marketed overseas, the document certifying that the competent authority of the country (or region) where the filing person is located permits the medical device to be marketed and sold need not be submitted. The filing is completed once the filing person submits to the department responsible for drug regulation the filing materials that comply with the provisions of this Regulation. The department responsible for drug regulation shall, within 5 working days from the date of receipt of the filing materials, make the relevant filing information public through the online government service platform of the drug regulatory department of the State Council. Where any matter set forth in the filing materials changes, an alteration of the filing shall be made to the original filing department. **Article 16.** To apply for registration of a Class II medical device product, the registration applicant shall submit the registration application materials to the drug regulatory department of the people's government of the province, autonomous region or municipality directly under the Central Government where it is located. To apply for registration of a Class III medical device product, the registration applicant shall submit the registration application materials to the drug regulatory department of the State Council. An overseas registration applicant that exports Class II or Class III medical devices to China shall, through an enterprise legal person within China designated by it, submit the registration application materials to the drug regulatory department of the State Council, together with documents certifying that the competent authority of the country (or region) where the registration applicant is located permits the medical device to be marketed and sold. For innovative medical devices that have not been marketed overseas, the document certifying that the competent authority of the country (or region) where the registration applicant is located permits the medical device to be marketed and sold need not be submitted. The drug regulatory department of the State Council shall make provisions on the procedures and requirements for the registration review of medical devices, and shall strengthen supervision and guidance over the registration review work of the drug regulatory departments of the people's governments of provinces, autonomous regions and municipalities directly under the Central Government. **Article 17.** The drug regulatory department that accepts a registration application shall review the safety and effectiveness of the medical device, as well as the quality management capacity of the registration applicant to ensure the safety and effectiveness of the medical device. The drug regulatory department that accepts a registration application shall, within 3 working days from the date of accepting the registration application, transfer the registration application materials to the technical review institution. The technical review institution shall, upon completing the technical review, submit its review opinion to the drug regulatory department that accepted the registration application as the basis for approval. Where the drug regulatory department that accepts a registration application considers it necessary to conduct an inspection of the quality management system when organizing the technical review of the medical device, it shall organize an inspection of the quality management system. **Article 18.** The drug regulatory department that accepts a registration application shall make a decision within 20 working days from the date of receipt of the review opinion. Where the conditions are met, registration shall be granted and a medical device registration certificate shall be issued; where the conditions are not met, registration shall not be granted and the reasons shall be stated in writing. The drug regulatory department that accepts a registration application shall, within 5 working days from the date on which registration of the medical device is granted, make the relevant registration information public through the online government service platform of the drug regulatory department of the State Council. **Article 19.** For medical devices urgently needed for the treatment of rare diseases, diseases that seriously endanger life and for which there is no effective means of treatment, and the response to public health events, the drug regulatory department that accepts a registration application may make a decision of conditional approval, and shall set forth the relevant matters in the medical device registration certificate. Where a particularly major public health emergency or other emergency that seriously threatens public health occurs, the competent health department of the State Council and the disease prevention and control department of the State Council shall, according to the needs of preventing and controlling the event, put forward a proposal for the emergency use of a medical device, which may, upon the organization of demonstration and consent by the drug regulatory department of the State Council, be used on an emergency basis within a certain scope and time limit. **Article 20.** A medical device registrant or filing person shall perform the following obligations: (I) establish a quality management system commensurate with the product and keep it in effective operation; (II) formulate post-market research and risk control plans and ensure their effective implementation; (III) carry out adverse-event monitoring and re-evaluation in accordance with the law; (IV) establish and implement product traceability and recall systems; (V) other obligations prescribed by the drug regulatory department of the State Council. The enterprise legal person within China designated by an overseas medical device registrant or filing person shall assist the registrant or filing person in performing the obligations prescribed in the preceding paragraph. **Article 21.** Where the design, raw materials, manufacturing process, scope of application, method of use and the like of a registered Class II or Class III medical device product undergo substantive changes that may affect the safety and effectiveness of the medical device, the registrant shall apply to the original registration department for alteration of registration formalities; where other changes occur, filing or reporting shall be made in accordance with the provisions of the drug regulatory department of the State Council. **Article 22.** The medical device registration certificate shall be valid for 5 years. Where renewal of registration is needed upon expiry of the validity period, an application for renewal of registration shall be filed with the original registration department 6 months before the expiry of the validity period. Except where the circumstances prescribed in the third paragraph of this Article exist, the drug regulatory department that receives an application for renewal of registration shall make a decision to grant renewal before the expiry of the validity period of the medical device registration certificate. Where no decision is made within the time limit, renewal shall be deemed granted. Under any of the following circumstances, renewal of registration shall not be granted: (I) the application for renewal of registration is not filed within the prescribed time limit; (II) the mandatory standard for the medical device has been revised, and the medical device for which renewal of registration is applied cannot meet the new requirements; (III) for a conditionally approved medical device, the matters set forth in the medical device registration certificate have not been completed within the prescribed time limit. **Article 23.** For a newly researched and developed medical device that has not yet been included in the classification catalogue, the applicant may directly apply for product registration in accordance with the provisions of this Regulation on the registration of Class III medical device products, or may determine the product category in accordance with the classification rules and apply for product registration or conduct product filing in accordance with the provisions of this Regulation after applying to the drug regulatory department of the State Council for confirmation of the category. Where direct application for registration of a Class III medical device product is made, the drug regulatory department of the State Council shall determine the category according to the degree of risk, and promptly include the medical device for which registration is granted in the classification catalogue. Where confirmation of category is applied for, the drug regulatory department of the State Council shall, within 20 working days from the date of accepting the application, determine the category of the medical device and notify the applicant. **Article 24.** Clinical evaluation shall be conducted for the registration and filing of medical device products; however, under any of the following circumstances, clinical evaluation may be exempted: (I) the working mechanism is clear, the design is finalized, the manufacturing process is mature, a marketed medical device of the same variety has been used clinically for many years without any record of serious adverse events, and the routine use is not changed; (II) the safety and effectiveness of the medical device can otherwise be proven through non-clinical evaluation. The drug regulatory department of the State Council shall formulate guidelines for the clinical evaluation of medical devices. **Article 25.** Clinical evaluation of a medical device may, according to such circumstances as product characteristics, clinical risks and existing clinical data, prove the safety and effectiveness of the medical device by conducting clinical trials, or by analyzing and evaluating clinical literature and clinical data of medical devices of the same variety. In accordance with the provisions of the drug regulatory department of the State Council, clinical trials shall be conducted for medical devices whose safety and effectiveness cannot be confirmed on the basis of existing clinical literature and clinical data when clinical evaluation is conducted. **Article 26.** Clinical trials of medical devices shall be conducted in clinical trial institutions that meet the corresponding conditions in accordance with the requirements of the good clinical practice for medical device clinical trials, and shall be filed with the drug regulatory department of the people's government of the province, autonomous region or municipality directly under the Central Government where the sponsor of the clinical trial is located. The drug regulatory department that accepts the filing of a clinical trial shall notify the drug regulatory department and the competent health department at the same level in the place where the clinical trial institution is located of the filing. Clinical trial institutions for medical devices shall be subject to filing administration. The conditions that clinical trial institutions for medical devices shall meet, the measures for filing administration, and the good clinical practice for clinical trials shall be formulated and published by the drug regulatory department of the State Council in conjunction with the competent health department of the State Council. The State shall support medical institutions in conducting clinical trials, incorporate the evaluation of clinical trial conditions and capabilities into the grading and accreditation of medical institutions, and encourage medical institutions to conduct clinical trials of innovative medical devices. **Article 27.** Where a clinical trial of a Class III medical device poses a relatively high risk to the human body, it shall be approved by the drug regulatory department of the State Council. In approving a clinical trial, the drug regulatory department of the State Council shall comprehensively analyze the conditions such as equipment and professional personnel of the institution proposed to undertake the medical device clinical trial, the degree of risk of the medical device, the implementation plan of the clinical trial, and the report on the comparative analysis of clinical benefit and risk, and shall make a decision within 60 working days from the date of accepting the application and notify the sponsor of the clinical trial. Where no notification is given within the time limit, consent shall be deemed to have been given. Where the conduct of a clinical trial is granted, the drug regulatory department and the competent health department of the people's government of the province, autonomous region or municipality directly under the Central Government where the clinical trial institution is located shall be notified. The catalogue of Class III medical devices whose clinical trials pose a relatively high risk to the human body shall be formulated, adjusted and published by the drug regulatory department of the State Council. **Article 28.** In conducting a clinical trial of a medical device, ethical review shall be conducted in accordance with provisions, the subject shall be informed in detail of the purpose and use of the trial and the risks that may arise, and the written informed consent of the subject shall be obtained; where the subject is a person without capacity for civil conduct or with limited capacity for civil conduct, the written informed consent of his or her guardian shall be obtained in accordance with the law. In conducting a clinical trial, no fees related to the clinical trial may be charged to the subject in any form. **Article 29.** For a medical device undergoing a clinical trial for the treatment of a disease that seriously endangers life and for which there is no effective means of treatment, where medical observation indicates that the patient may benefit, the device may, upon ethical review and informed consent, be used free of charge within the institution conducting the medical device clinical trial for other patients with the same condition, and its safety data may be used for the medical device registration application. ## Chapter 3 Manufacture of Medical Devices **Article 30.** Engaging in the manufacturing activities of medical devices shall meet the following conditions: (I) having a manufacturing site, environmental conditions, manufacturing equipment and professional technical personnel commensurate with the medical devices to be manufactured; (II) having an institution or full-time inspection personnel capable of conducting quality inspection of the medical devices to be manufactured, as well as inspection equipment; (III) having a management system to ensure the quality of medical devices; (IV) having after-sales service capabilities commensurate with the medical devices to be manufactured; (V) complying with the requirements set forth in the product research and manufacturing process documents. **Article 31.** To engage in the manufacture of Class I medical devices, a filing shall be made with the department responsible for drug regulation under the people's government of the city divided into districts where it is located, and the filing is completed upon submission of the relevant materials that meet the conditions prescribed in Article 30 of this Regulation. Where a medical device filing person manufactures Class I medical devices by itself, it may, when conducting product filing in accordance with Article 15 of this Regulation, simultaneously submit the relevant materials that meet the conditions prescribed in Article 30 of this Regulation, and the manufacturing filing is thereby completed. **Article 32.** To engage in the manufacture of Class II or Class III medical devices, an application for a manufacturing license shall be filed with the drug regulatory department of the people's government of the province, autonomous region or municipality directly under the Central Government where it is located, together with the relevant materials that meet the conditions prescribed in Article 30 of this Regulation and the registration certificate of the medical devices to be manufactured. The drug regulatory department that accepts an application for a manufacturing license shall review the application materials, conduct an inspection in accordance with the requirements of the good manufacturing practice for medical devices formulated by the drug regulatory department of the State Council, and make a decision within 20 working days from the date of accepting the application. Where the prescribed conditions are met, the license shall be granted and a medical device manufacturing license shall be issued; where the prescribed conditions are not met, the license shall not be granted and the reasons shall be stated in writing. The medical device manufacturing license shall be valid for 5 years. Where renewal is needed upon expiry of the validity period, renewal formalities shall be handled in accordance with the legal provisions on administrative licensing. **Article 33.** The good manufacturing practice for medical devices shall make explicit provisions on matters affecting the safety and effectiveness of medical devices, such as the design and development, manufacturing equipment conditions, raw material procurement, manufacturing process control, product release, and the institutional setup and staffing of enterprises. **Article 34.** A medical device registrant or filing person may manufacture medical devices by itself, or may entrust an enterprise that complies with the provisions of this Regulation and possesses the corresponding conditions to manufacture medical devices. Where the manufacture of medical devices is entrusted, the medical device registrant or filing person shall be responsible for the quality of the entrusted medical devices, strengthen the management of the manufacturing conduct of the entrusted manufacturing enterprise, and ensure that it manufactures in accordance with statutory requirements. The medical device registrant or filing person shall sign an entrustment agreement with the entrusted manufacturing enterprise, specifying the rights, obligations and responsibilities of both parties. The entrusted manufacturing enterprise shall organize manufacture in accordance with laws and regulations, the good manufacturing practice for medical devices, mandatory standards, product technical requirements and the entrustment agreement, be responsible for its manufacturing conduct, and accept the supervision of the entrusting party. High-risk implantable medical devices shall not be manufactured under entrustment; the specific catalogue shall be formulated, adjusted and published by the drug regulatory department of the State Council. **Article 35.** Medical device registrants, filing persons and entrusted manufacturing enterprises shall, in accordance with the good manufacturing practice for medical devices, establish and improve a quality management system commensurate with the medical devices manufactured and ensure its effective operation; they shall organize manufacture strictly in accordance with the registered or filed product technical requirements, and ensure that the medical devices leaving the factory comply with the mandatory standards and the registered or filed product technical requirements. Medical device registrants, filing persons and entrusted manufacturing enterprises shall periodically conduct self-inspections of the operation of the quality management system, and submit self-inspection reports in accordance with the provisions of the drug regulatory department of the State Council. **Article 36.** Where the manufacturing conditions of a medical device change and no longer comply with the requirements of the medical device quality management system, the medical device registrant, filing person or entrusted manufacturing enterprise shall immediately take rectification measures; where the safety and effectiveness of the medical device may be affected, it shall immediately stop manufacturing activities and report to the original manufacturing license or manufacturing filing department. **Article 37.** Medical devices shall use generic names. Generic names shall comply with the medical device naming rules formulated by the drug regulatory department of the State Council. **Article 38.** The State shall, according to the categories of medical device products, implement the unique device identification system for medical devices step by step, so as to achieve the traceability of medical devices. The specific measures shall be formulated by the drug regulatory department of the State Council in conjunction with the relevant departments of the State Council. **Article 39.** Medical devices shall have instructions for use and labels. The content of the instructions for use and labels shall be consistent with the relevant registered or filed content, and shall be authentic and accurate. The instructions for use and labels of medical devices shall indicate the following matters: (I) generic name, model and specifications; (II) the name, address and contact information of the medical device registrant, filing person, or entrusted manufacturing enterprise; (III) date of manufacture, period of use or expiry date; (IV) product performance, main structure and scope of application; (V) contraindications, precautions and other content requiring warning or notice; (VI) installation and use instructions or illustrations; (VII) maintenance and care methods, and conditions and methods for special transportation and storage; (VIII) other content required to be indicated by the product technical requirements. Class II and Class III medical devices shall also indicate the medical device registration certificate number. Medical devices used by consumers themselves shall also have special instructions for safe use. ## Chapter 4 Distribution and Use of Medical Devices **Article 40.** Engaging in the distribution activities of medical devices shall require business premises and storage conditions commensurate with the scale and scope of business, as well as a quality management system and a quality management institution or personnel commensurate with the medical devices distributed. **Article 41.** To engage in the distribution of Class II medical devices, the distribution enterprise shall make a filing with the department responsible for drug regulation under the people's government of the city divided into districts where it is located and submit the relevant materials that meet the conditions prescribed in Article 40 of this Regulation. In accordance with the provisions of the drug regulatory department of the State Council, Class II medical devices whose safety and effectiveness are not affected by the distribution process may be exempted from distribution filing. **Article 42.** To engage in the distribution of Class III medical devices, the distribution enterprise shall apply to the department responsible for drug regulation under the people's government of the city divided into districts where it is located for a distribution license and submit the relevant materials that meet the conditions prescribed in Article 40 of this Regulation. The department responsible for drug regulation that accepts an application for a distribution license shall review the application materials, organize an inspection where necessary, and make a decision within 20 working days from the date of accepting the application. Where the prescribed conditions are met, the license shall be granted and a medical device distribution license shall be issued; where the prescribed conditions are not met, the license shall not be granted and the reasons shall be stated in writing. The medical device distribution license shall be valid for 5 years. Where renewal is needed upon expiry of the validity period, renewal formalities shall be handled in accordance with the legal provisions on administrative licensing. **Article 43.** Where a medical device registrant or filing person distributes the medical devices it has registered or filed, it need not handle a medical device distribution license or filing, but shall comply with the distribution conditions prescribed in this Regulation. **Article 44.** To engage in the distribution of medical devices, the enterprise shall, in accordance with laws and regulations and the requirements of the good distribution practice for medical devices formulated by the drug regulatory department of the State Council, establish and improve a quality management system commensurate with the medical devices distributed and ensure its effective operation. **Article 45.** Medical device distribution enterprises and use entities shall purchase medical devices from medical device registrants, filing persons, and manufacturing and distribution enterprises with lawful qualifications. When purchasing medical devices, they shall verify the qualifications of the suppliers and the certification documents of conformity of the medical devices, and establish an incoming inspection record system. Distribution enterprises engaged in the wholesale business of Class II and Class III medical devices and the retail business of Class III medical devices shall also establish a sales record system. The matters to be recorded include: (I) the name, model, specifications and quantity of the medical device; (II) the manufacturing batch number, period of use or expiry date, and date of sale of the medical device; (III) the names of the medical device registrant, filing person, and entrusted manufacturing enterprise; (IV) the name, address and contact information of the supplier or purchaser; (V) the number of the relevant licensing certification document and the like. Incoming inspection records and sales records shall be authentic, accurate, complete and traceable, and shall be preserved for the period prescribed by the drug regulatory department of the State Council. The State shall encourage the use of advanced technical means for record-keeping. **Article 46.** Those engaged in the online sale of medical devices shall be medical device registrants, filing persons or medical device distribution enterprises. Operators engaged in the online sale of medical devices shall notify the department responsible for drug regulation under the people's government of the city divided into districts where they are located of the relevant information on their online sale of medical devices, except for the distribution of Class I medical devices and the Class II medical devices prescribed in the second paragraph of Article 41 of this Regulation. E-commerce platform operators that provide services for the online trading of medical devices shall conduct real-name registration of the medical device operators that join the platform, review their distribution licenses, filing status, and the product registration and filing status of the medical devices they distribute, and manage their distribution conduct. Where an e-commerce platform operator discovers that a medical device operator that has joined the platform has committed an act in violation of the provisions of this Regulation, it shall promptly stop it and immediately report to the department responsible for drug regulation under the people's government of the city divided into districts where the medical device operator is located; where it discovers a serious illegal act, it shall immediately stop providing online trading platform services. **Article 47.** The transportation and storage of medical devices shall comply with the requirements indicated in the instructions for use and labels of the medical devices; where there are special requirements for environmental conditions such as temperature and humidity, corresponding measures shall be taken to ensure the safety and effectiveness of the medical devices. **Article 48.** Medical device use entities shall have storage sites and conditions commensurate with the varieties and quantities of medical devices in use. Medical device use entities shall strengthen the technical training of their staff, and use medical devices in accordance with the requirements of the product instructions for use and technical operating procedures. Where a medical device use entity is equipped with large medical equipment, it shall comply with the planning for the allocation of large medical equipment formulated by the competent health department of the State Council, be commensurate with its functional positioning and clinical service needs, have the corresponding technical conditions, supporting facilities and professional technical personnel with the corresponding qualifications and capabilities, and obtain a license for the allocation of large medical equipment upon the approval of the competent health department of the people's government at or above the provincial level. The measures for the administration of the allocation of large medical equipment shall be formulated by the competent health department of the State Council in conjunction with the relevant departments of the State Council. The catalogue of large medical equipment shall be proposed by the competent health department of the State Council in consultation with the relevant departments of the State Council, and shall be implemented after being submitted to and approved by the State Council. **Article 49.** For reusable medical devices, medical device use entities shall handle them in accordance with the provisions on disinfection and management formulated by the competent health department of the State Council. Single-use medical devices shall not be reused; used ones shall be destroyed and recorded in accordance with relevant State provisions. The catalogue of single-use medical devices shall be formulated, adjusted and published by the drug regulatory department of the State Council in conjunction with the competent health department of the State Council. Inclusion in the catalogue of single-use medical devices shall have sufficient evidentiary grounds that reuse is not possible. Medical devices whose safety and effectiveness can be ensured by reuse shall not be included in the catalogue of single-use medical devices. For medical devices whose safety and effectiveness can be ensured by reuse following improvements in design, manufacturing process, disinfection and sterilization technology and the like, they shall be adjusted out of the catalogue of single-use medical devices and reuse shall be permitted. **Article 50.** For medical devices that require periodic inspection, testing, calibration, care and maintenance, medical device use entities shall conduct inspection, testing, calibration, care and maintenance in accordance with the requirements of the product instructions for use and keep records, and shall promptly conduct analysis and assessment to ensure that the medical devices are in good condition and to safeguard the quality of use; for large medical devices with a long period of use, a use archive shall be established for each unit, recording matters such as its use, maintenance, transfer, and actual time of use. The period for preserving records shall not be less than 5 years after the expiry of the prescribed period of use of the medical device. **Article 51.** Medical device use entities shall properly preserve the original materials for the purchase of Class III medical devices, and ensure that the information is traceable. For the use of large medical devices as well as implantable and interventional medical devices, information such as the name and key technical parameters of the medical device, as well as the necessary information closely related to the quality and safety of use, shall be recorded in the medical records and other relevant records. **Article 52.** Where it is discovered that a medical device in use poses a safety hazard, the medical device use entity shall immediately stop using it and notify the medical device registrant, filing person or other institution responsible for product quality to carry out repair; medical devices that still fail to meet the safety standards for use after repair shall not continue to be used. **Article 53.** For in vitro diagnostic reagents for which there is no product of the same variety marketed within China, qualified medical institutions may, according to the clinical needs of their own entities, develop them themselves and use them within their own entities under the guidance of licensed physicians. The specific administrative measures shall be formulated by the drug regulatory department of the State Council in conjunction with the competent health department of the State Council. **Article 54.** The department responsible for drug regulation and the competent health department shall, in accordance with their respective responsibilities, separately conduct supervision and administration of the quality of medical devices in the use stage and of the medical device use conduct. **Article 55.** Medical device distribution enterprises and use entities shall not distribute or use medical devices that have not been registered or filed in accordance with the law, that lack certification documents of conformity, or that are expired, ineffective or obsolete. **Article 56.** Where medical device use entities transfer medical devices in use between one another, the transferring party shall ensure that the transferred medical devices are safe and effective, and shall not transfer medical devices that are expired, ineffective, obsolete, or that fail inspection. **Article 57.** Imported medical devices shall be medical devices that have been registered or filed in accordance with the provisions of Chapter 2 of this Regulation. Imported medical devices shall have instructions for use and labels in Chinese. The instructions for use and labels shall comply with the provisions of this Regulation and the requirements of the relevant mandatory standards, and the instructions for use shall set forth the place of origin of the medical device as well as the name, address and contact information of the enterprise legal person within China designated by the overseas medical device registrant or filing person. Where there are no Chinese instructions for use or Chinese labels, or the instructions for use or labels do not comply with the provisions of this Article, importation shall not be permitted. Where a medical institution imports a small quantity of Class II or Class III medical devices due to urgent clinical needs, importation may be made upon the approval of the drug regulatory department of the State Council or the people's government of the province, autonomous region or municipality directly under the Central Government authorized by the State Council. The imported medical devices shall be used within the designated medical institution for specific medical purposes. The importation of expired, ineffective, obsolete and other used medical devices is prohibited. **Article 58.** The entry-exit inspection and quarantine institutions shall conduct inspection of imported medical devices in accordance with the law; those that fail inspection shall not be imported. The drug regulatory department of the State Council shall promptly notify the national entry-exit inspection and quarantine department of the registration and filing status of imported medical devices. The entry-exit inspection and quarantine institution at the port of entry shall promptly notify the department responsible for drug regulation under the people's government of the city divided into districts where it is located of the customs clearance status of imported medical devices. **Article 59.** Enterprises exporting medical devices shall ensure that the medical devices they export comply with the requirements of the importing country (or region). **Article 60.** The content of medical device advertisements shall be authentic and lawful, shall be based on the medical device instructions for use registered with or filed with the department responsible for drug regulation, and shall not contain false, exaggerated or misleading content. To publish a medical device advertisement, the content of the advertisement shall, before publication, be reviewed by the advertisement review authority determined by the people's government of the province, autonomous region or municipality directly under the Central Government, and a medical device advertisement approval number shall be obtained; without review, it shall not be published. For medical devices whose manufacture, importation, distribution and use the drug regulatory department of the people's government at or above the provincial level has ordered to be suspended, advertisements involving such medical devices shall not be published during the period of suspension. The measures for the review of medical device advertisements shall be formulated by the market regulatory department of the State Council. ## Chapter 5 Handling of Adverse Events and Recall of Medical Devices **Article 61.** The State shall establish a medical device adverse-event monitoring system to promptly collect, analyze, evaluate and control medical device adverse events. **Article 62.** Medical device registrants and filing persons shall establish a medical device adverse-event monitoring system, be equipped with adverse-event monitoring institutions and personnel commensurate with their products, proactively carry out adverse-event monitoring of their products, and, in accordance with the provisions of the drug regulatory department of the State Council, report to the medical device adverse-event monitoring technical institution on the investigation, analysis, evaluation, product risk control and the like. Medical device manufacturing and distribution enterprises and use entities shall assist medical device registrants and filing persons in carrying out adverse-event monitoring of the medical devices they manufacture, distribute or use; upon discovering a medical device adverse event or a suspected adverse event, they shall report to the medical device adverse-event monitoring technical institution in accordance with the provisions of the drug regulatory department of the State Council. Other entities and individuals that discover a medical device adverse event or a suspected adverse event shall have the right to report to the department responsible for drug regulation or the medical device adverse-event monitoring technical institution. **Article 63.** The drug regulatory department of the State Council shall strengthen the construction of the information network for medical device adverse-event monitoring. Medical device adverse-event monitoring technical institutions shall strengthen the monitoring of medical device adverse-event information and proactively collect adverse-event information; upon discovering an adverse event or receiving a report of an adverse event, they shall promptly verify it, conduct investigation, analysis and assessment where necessary, report to the department responsible for drug regulation and the competent health department, and put forward handling suggestions. Medical device adverse-event monitoring technical institutions shall publish their contact information to facilitate the reporting of medical device adverse events by medical device registrants, filing persons, manufacturing and distribution enterprises, use entities and others. **Article 64.** The department responsible for drug regulation shall, according to the results of the assessment of medical device adverse events, promptly take control measures such as issuing warning information and ordering the suspension of manufacture, importation, distribution and use. The drug regulatory department of the people's government at or above the provincial level shall, in conjunction with the competent health department at the same level and the relevant departments, organize the prompt investigation and handling of medical device adverse events causing sudden or mass serious injuries or deaths, and organize the strengthening of monitoring of medical devices of the same kind. The department responsible for drug regulation shall promptly notify the competent health department at the same level of the relevant situation concerning adverse-event monitoring at medical device use entities. **Article 65.** Medical device registrants, filing persons, manufacturing and distribution enterprises, and use entities shall cooperate with the investigations of medical device adverse events conducted by medical device adverse-event monitoring technical institutions, the departments responsible for drug regulation, and the competent health departments. **Article 66.** Under any of the following circumstances, a medical device registrant or filing person shall proactively carry out re-evaluation of a marketed medical device: (I) there is a change in the understanding of the safety and effectiveness of the medical device in light of the development of scientific research; (II) the results of medical device adverse-event monitoring and assessment indicate that the medical device may have defects; (III) other circumstances prescribed by the drug regulatory department of the State Council. A medical device registrant or filing person shall, according to the re-evaluation results, take corresponding control measures, improve the marketed medical device, and handle the alteration of registration or filing in accordance with provisions. Where the re-evaluation results indicate that the marketed medical device cannot ensure safety and effectiveness, the medical device registrant or filing person shall proactively apply for cancellation of the medical device registration certificate or cancellation of the filing; where the medical device registrant or filing person does not apply for cancellation of the medical device registration certificate or cancellation of the filing, the department responsible for drug regulation shall cancel the medical device registration certificate or cancel the filing. The drug regulatory department of the people's government at or above the provincial level shall, according to such circumstances as medical device adverse-event monitoring and assessment, carry out re-evaluation of marketed medical devices. Where the re-evaluation results indicate that a marketed medical device cannot ensure safety and effectiveness, the medical device registration certificate shall be canceled or the filing shall be canceled. The department responsible for drug regulation shall promptly make public the cancellation of medical device registration certificates and the cancellation of filings. Medical devices whose registration certificates have been canceled or whose filings have been canceled shall not continue to be manufactured, imported, distributed or used. **Article 67.** Where a medical device registrant or filing person discovers that a medical device manufactured does not comply with the mandatory standards or the registered or filed product technical requirements, or has other defects, it shall immediately stop manufacture, notify the relevant distribution enterprises, use entities and consumers to stop distribution and use, recall the medical devices already marketed and sold, take remedial, destruction and other measures, record the relevant situation, publish the relevant information, and report the recall and handling of the medical devices to the department responsible for drug regulation and the competent health department. Where a medical device entrusted manufacturing enterprise or distribution enterprise discovers that a medical device it manufactures or distributes is in any of the circumstances prescribed in the preceding paragraph, it shall immediately stop manufacture or distribution, notify the medical device registrant or filing person, and record the cessation of manufacture or distribution and the notification. Where the medical device registrant or filing person considers that the medical device is one that needs to be recalled in accordance with the provisions of the preceding paragraph, it shall immediately recall it. Where a medical device registrant, filing person, entrusted manufacturing enterprise or distribution enterprise fails to carry out a recall or stop manufacture or distribution in accordance with the provisions of this Article, the department responsible for drug regulation may order it to carry out the recall or stop manufacture or distribution. ## Chapter 6 Supervision and Inspection **Article 68.** The State shall establish a professional and specialized inspector system to strengthen the supervision and inspection of medical devices. **Article 69.** The department responsible for drug regulation shall strengthen the supervision and inspection of the research, manufacture and distribution activities of medical devices as well as the quality of medical devices in the use stage, and shall conduct key supervision and inspection of the following matters: (I) whether manufacture is organized in accordance with the registered or filed product technical requirements; (II) whether the quality management system is kept in effective operation; (III) whether the manufacturing and distribution conditions continuously comply with statutory requirements. Where necessary, the department responsible for drug regulation may conduct extended inspection of other relevant entities and individuals that provide products or services for the research, manufacture, distribution, use and other activities of medical devices. **Article 70.** In supervision and inspection, the department responsible for drug regulation shall have the following powers: (I) to enter the site to conduct inspection and take samples; (II) to consult, copy, seal up and seize relevant contracts, invoices, account books and other relevant materials; (III) to seal up and seize medical devices that do not meet statutory requirements, parts and components and raw materials used illegally, as well as tools and equipment used for the illegal manufacture and distribution of medical devices; (IV) to seal up sites where medical device manufacturing and distribution activities are conducted in violation of the provisions of this Regulation. In conducting supervision and inspection, law-enforcement certificates shall be presented, and the commercial secrets of the inspected entity shall be kept confidential. The relevant entities and individuals shall cooperate with supervision and inspection, provide relevant documents and materials, and shall not conceal, refuse or obstruct. **Article 71.** The competent health department shall strengthen supervision and inspection of the medical device use conduct of medical institutions. When conducting supervision and inspection, it may enter the medical institution and consult and copy relevant archives, records and other relevant materials. **Article 72.** Where there is a hidden hazard to product quality and safety in the process of medical device manufacture and distribution that is not promptly eliminated through measures, the department responsible for drug regulation may take such measures as admonition, responsibility interview, and ordering rectification within a time limit. For medical devices that have caused harm to the human body or for which there is evidence proving that they may endanger human health, the department responsible for drug regulation may take emergency control measures such as ordering the suspension of manufacture, importation, distribution and use, and issue safety warning information. **Article 73.** The department responsible for drug regulation shall strengthen spot-check inspection of the medical devices manufactured, distributed and used by medical device registrants, filing persons, manufacturing and distribution enterprises, and use entities. No inspection fees or any other fees shall be charged for spot-check inspection, and the necessary expenses shall be incorporated into the budget of the government at the same level. The drug regulatory department of the people's government at or above the provincial level shall promptly issue medical device quality bulletins according to the conclusions of spot-check inspection. The competent health department shall supervise and assess the use status of large medical equipment; upon discovering irregular use as well as excessive examination, excessive treatment and the like related to large medical equipment, it shall immediately correct it and handle it in accordance with the law. **Article 74.** Where the department responsible for drug regulation fails to promptly discover systemic risks to medical device safety, or fails to promptly eliminate hidden hazards to medical device safety within its supervision and administration area, the people's government at the same level or the department responsible for drug regulation under the people's government at the higher level shall conduct an interview with its principal person in charge. Where a local people's government fails to perform its responsibilities for medical device safety, or fails to promptly eliminate regional major hidden hazards to medical device safety, the people's government at the higher level or the department responsible for drug regulation under the people's government at the higher level shall conduct an interview with its principal person in charge. The interviewed department and local people's government shall immediately take measures to rectify the supervision and administration of medical devices. **Article 75.** The qualification accreditation of medical device inspection institutions shall be subject to unified administration in accordance with relevant State provisions. Only inspection institutions accredited by the certification and accreditation regulatory department of the State Council in conjunction with the drug regulatory department of the State Council may conduct inspection of medical devices. Where the department responsible for drug regulation needs to conduct inspection of medical devices in its law-enforcement work, it shall entrust a qualified medical device inspection institution to conduct the inspection and pay the relevant expenses. Where a party has an objection to the inspection conclusion, it may, within 7 working days from the date of receipt of the inspection conclusion, file an application for re-inspection with the department that conducted the spot-check inspection or the department responsible for drug regulation at the next higher level, and the department that accepts the application for re-inspection shall randomly determine a re-inspection institution from the list of re-inspection institutions to conduct the re-inspection. The medical device inspection institution undertaking the re-inspection work shall make a re-inspection conclusion within the time prescribed by the drug regulatory department of the State Council. The re-inspection conclusion shall be the final inspection conclusion. The re-inspection institution and the initial inspection institution shall not be the same institution; where there is only one qualified inspection institution for the relevant inspection item, the undertaking department or personnel shall be changed for the re-inspection. The list of re-inspection institutions shall be published by the drug regulatory department of the State Council. **Article 76.** For medical devices that may contain harmful substances, or that have had their design, raw materials and manufacturing process altered without authorization and pose hidden safety hazards, and that cannot be inspected according to the inspection items and inspection methods prescribed in the national standards and industry standards for medical devices, the medical device inspection institution may use supplementary inspection items and inspection methods approved by the drug regulatory department of the State Council to conduct the inspection; the inspection conclusions arrived at using the supplementary inspection items and inspection methods may serve as the basis for the department responsible for drug regulation to determine the quality of medical devices. **Article 77.** The market regulatory department shall, in accordance with the provisions of relevant laws and administrative regulations on advertising administration, conduct supervision and inspection of medical device advertisements, and investigate and deal with illegal acts. **Article 78.** The department responsible for drug regulation shall, through the online government service platform of the drug regulatory department of the State Council, promptly publish, in accordance with the law, routine supervision and administration information such as the licensing, filing, spot-check inspection, and investigation and handling of illegal acts of medical devices. However, the commercial secrets of the parties shall not be divulged. The department responsible for drug regulation shall establish credit archives for medical device registrants, filing persons, manufacturing and distribution enterprises, and use entities, increase the frequency of supervision and inspection of those with bad credit records, and strengthen punishment for breach of trust in accordance with the law. **Article 79.** The department responsible for drug regulation and other departments shall publish the contact information of their own entities and accept consultations, complaints and reports. Upon receiving a consultation related to the supervision and administration of medical devices, the department responsible for drug regulation and other departments shall promptly reply; upon receiving a complaint or report, they shall promptly verify, handle and reply. The consultations, complaints and reports and their replies, verification and handling shall be recorded and preserved. Where a report concerning the research, manufacture, distribution or use conduct of medical devices is verified to be true upon investigation, the department responsible for drug regulation and other departments shall reward the whistleblower. The relevant departments shall keep the whistleblower confidential. **Article 80.** Where the drug regulatory department of the State Council formulates, adjusts or amends the catalogues prescribed in this Regulation and the norms related to the supervision and administration of medical devices, it shall publicly solicit opinions; and shall, by means of hearings, demonstration meetings and the like, hear the opinions of experts, medical device registrants, filing persons, manufacturing and distribution enterprises, use entities, consumers, industry associations and relevant organizations. ## Chapter 7 Legal Liability **Article 81.** Under any of the following circumstances, the department responsible for drug regulation shall confiscate the illegal gains, the medical devices illegally manufactured or distributed, and the tools, equipment, raw materials and other articles used for illegal manufacture or distribution; where the value of the medical devices illegally manufactured or distributed is less than RMB 10,000, a fine of not less than RMB 50,000 but not more than RMB 150,000 shall be imposed concurrently; where the value is RMB 10,000 or more, a fine of not less than 15 times but not more than 30 times the value shall be imposed concurrently; where the circumstances are serious, it shall order the suspension of production and business, shall not accept the medical device licensing applications filed by the relevant responsible persons and entities within 10 years, confiscate from the legal representative, principal person in charge, the directly responsible person in charge and other responsible persons of the illegal entity the income obtained from the entity during the period of the illegal act, and impose on them a fine of not less than 30% but not more than 3 times the income obtained, and permanently prohibit them from engaging in the manufacturing and distribution activities of medical devices: (I) manufacturing or distributing Class II or Class III medical devices for which no medical device registration certificate has been obtained; (II) engaging in the manufacturing activities of Class II or Class III medical devices without a license; (III) engaging in the distribution activities of Class III medical devices without a license. Where the circumstance under item (I) of the preceding paragraph exists and the circumstances are serious, the original certificate-issuing department shall revoke the medical device manufacturing license or the medical device distribution license. **Article 82.** Where large medical equipment is allocated and used without authorization in the absence of a license, the competent health department of the people's government at or above the county level shall order the cessation of use, give a warning, and confiscate the illegal gains; where the illegal gains are less than RMB 10,000, a fine of not less than RMB 50,000 but not more than RMB 100,000 shall be imposed concurrently; where the illegal gains are RMB 10,000 or more, a fine of not less than 10 times but not more than 30 times the illegal gains shall be imposed concurrently; where the circumstances are serious, the applications for licenses for the allocation of large medical equipment filed by the relevant responsible persons and entities shall not be accepted within 5 years, the income obtained from the entity during the period of the illegal act shall be confiscated from the legal representative, principal person in charge, the directly responsible person in charge and other responsible persons of the illegal entity, a fine of not less than 30% but not more than 3 times the income obtained shall be imposed on them, and sanctions shall be given in accordance with the law. **Article 83.** Where false materials are provided or other fraudulent means are adopted in applying for medical device administrative licensing, the administrative licensing shall not be granted; where the administrative licensing has been obtained, the department that made the administrative licensing decision shall revoke the administrative licensing, confiscate the illegal gains and the medical devices illegally manufactured, distributed or used, and shall not accept the medical device licensing applications filed by the relevant responsible persons and entities within 10 years; where the value of the medical devices illegally manufactured, distributed or used is less than RMB 10,000, a fine of not less than RMB 50,000 but not more than RMB 150,000 shall be imposed concurrently; where the value is RMB 10,000 or more, a fine of not less than 15 times but not more than 30 times the value shall be imposed concurrently; where the circumstances are serious, it shall order the suspension of production and business, confiscate from the legal representative, principal person in charge, the directly responsible person in charge and other responsible persons of the illegal entity the income obtained from the entity during the period of the illegal act, impose on them a fine of not less than 30% but not more than 3 times the income obtained, and permanently prohibit them from engaging in the manufacturing and distribution activities of medical devices. Where relevant medical device licensing certificates are forged, altered, bought, sold, leased or lent, the original certificate-issuing department shall confiscate or revoke them and confiscate the illegal gains; where the illegal gains are less than RMB 10,000, a fine of not less than RMB 50,000 but not more than RMB 100,000 shall be imposed concurrently; where the illegal gains are RMB 10,000 or more, a fine of not less than 10 times but not more than 20 times the illegal gains shall be imposed concurrently; where an act in violation of public security administration is constituted, the public security organ shall impose public security administration punishment in accordance with the law. **Article 84.** Under any of the following circumstances, the department responsible for drug regulation shall make a public announcement of the names of the entity and product to the public, and order rectification within a time limit; where rectification is not made within the time limit, it shall confiscate the illegal gains and the medical devices illegally manufactured or distributed; where the value of the medical devices illegally manufactured or distributed is less than RMB 10,000, a fine of not less than RMB 10,000 but not more than RMB 50,000 shall be imposed concurrently; where the value is RMB 10,000 or more, a fine of not less than 5 times but not more than 20 times the value shall be imposed concurrently; where the circumstances are serious, the income obtained from the entity during the period of the illegal act shall be confiscated from the legal representative, principal person in charge, the directly responsible person in charge and other responsible persons of the illegal entity, a fine of not less than 30% but not more than 2 times the income obtained shall be imposed on them, and they shall be prohibited from engaging in the manufacturing and distribution activities of medical devices within 5 years: (I) manufacturing or distributing Class I medical devices that have not been filed; (II) engaging in the manufacture of Class I medical devices without filing; (III) distributing Class II medical devices that should be filed but have not been filed; (IV) the filed materials do not meet the requirements. **Article 85.** Where false materials are provided at the time of filing, the department responsible for drug regulation shall make a public announcement of the names of the filing entity and product to the public, and confiscate the illegal gains and the medical devices illegally manufactured or distributed; where the value of the medical devices illegally manufactured or distributed is less than RMB 10,000, a fine of not less than RMB 20,000 but not more than RMB 50,000 shall be imposed concurrently; where the value is RMB 10,000 or more, a fine of not less than 5 times but not more than 20 times the value shall be imposed concurrently; where the circumstances are serious, it shall order the suspension of production and business, confiscate from the legal representative, principal person in charge, the directly responsible person in charge and other responsible persons of the illegal entity the income obtained from the entity during the period of the illegal act, impose on them a fine of not less than 30% but not more than 3 times the income obtained, and prohibit them from engaging in the manufacturing and distribution activities of medical devices within 10 years. **Article 86.** Under any of the following circumstances, the department responsible for drug regulation shall order rectification, and confiscate the medical devices illegally manufactured, distributed or used; where the value of the medical devices illegally manufactured, distributed or used is less than RMB 10,000, a fine of not less than RMB 20,000 but not more than RMB 50,000 shall be imposed concurrently; where the value is RMB 10,000 or more, a fine of not less than 5 times but not more than 20 times the value shall be imposed concurrently; where the circumstances are serious, it shall order the suspension of production and business, up to the revocation by the original certificate-issuing department of the medical device registration certificate, medical device manufacturing license, or medical device distribution license, confiscate from the legal representative, principal person in charge, the directly responsible person in charge and other responsible persons of the illegal entity the income obtained from the entity during the period of the illegal act, impose on them a fine of not less than 30% but not more than 3 times the income obtained, and prohibit them from engaging in the manufacturing and distribution activities of medical devices within 10 years: (I) manufacturing, distributing or using medical devices that do not comply with the mandatory standards or do not comply with the registered or filed product technical requirements; (II) failing to organize manufacture in accordance with the registered or filed product technical requirements, or failing to establish a quality management system and keep it in effective operation in accordance with the provisions of this Regulation, thereby affecting the safety and effectiveness of the product; (III) distributing or using medical devices without certification documents of conformity, or that are expired, ineffective or obsolete, or using medical devices that have not been registered in accordance with the law; (IV) refusing to recall after being ordered to recall by the department responsible for drug regulation, or refusing to stop manufacture, importation or distribution of medical devices after being ordered to stop or suspend manufacture, importation or distribution by the department responsible for drug regulation; (V) entrusting an enterprise that does not possess the conditions prescribed in this Regulation to manufacture medical devices, or failing to manage the manufacturing conduct of the entrusted manufacturing enterprise; (VI) importing expired, ineffective, obsolete and other used medical devices. **Article 87.** Where a medical device distribution enterprise or use entity has performed the incoming inspection and other obligations prescribed in this Regulation, has sufficient evidence to prove that it did not know that the medical devices it distributed or used were medical devices in the circumstances prescribed in item (I) of the first paragraph of Article 81, item (I) of Article 84, and items (I) and (III) of Article 86 of this Regulation, and can truthfully explain the source of its incoming goods, the medical devices it distributed or used that do not meet statutory requirements shall be confiscated, and the administrative punishment may be exempted. **Article 88.** Under any of the following circumstances, the department responsible for drug regulation shall order rectification, and impose a fine of not less than RMB 10,000 but not more than RMB 50,000; where rectification is refused, a fine of not less than RMB 50,000 but not more than RMB 100,000 shall be imposed; where the circumstances are serious, it shall order the suspension of production and business, up to the revocation by the original certificate-issuing department of the medical device manufacturing license or medical device distribution license, confiscate from the legal representative, principal person in charge, the directly responsible person in charge and other responsible persons of the illegal entity the income obtained from the entity during the period of the illegal act, impose on them a fine of not less than 30% but not more than 2 times the income obtained, and prohibit them from engaging in the manufacturing and distribution activities of medical devices within 5 years: (I) the manufacturing conditions change and no longer comply with the requirements of the medical device quality management system, and rectification, cessation of manufacture, or reporting is not carried out in accordance with the provisions of this Regulation; (II) manufacturing or distributing medical devices whose instructions for use or labels do not comply with the provisions of this Regulation; (III) failing to transport or store medical devices in accordance with the requirements indicated in the medical device instructions for use and labels; (IV) transferring medical devices in use that are expired, ineffective, obsolete, or that fail inspection. **Article 89.** Under any of the following circumstances, the department responsible for drug regulation and the competent health department shall, in accordance with their respective responsibilities, order rectification and give a warning; where rectification is refused, a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed; where the circumstances are serious, it shall order the suspension of production and business, up to the revocation by the original certificate-issuing department of the medical device registration certificate, medical device manufacturing license, or medical device distribution license, and impose a fine of not less than RMB 10,000 but not more than RMB 30,000 on the legal representative, principal person in charge, the directly responsible person in charge and other responsible persons of the illegal entity: (I) failing to submit a self-inspection report of the quality management system as required; (II) purchasing medical devices from a supplier without lawful qualifications; (III) the medical device distribution enterprise or use entity failing to establish and implement the medical device incoming inspection record system in accordance with the provisions of this Regulation; (IV) a distribution enterprise engaged in the wholesale business of Class II and Class III medical devices and the retail business of Class III medical devices failing to establish and implement the sales record system in accordance with the provisions of this Regulation; (V) the medical device registrant, filing person, manufacturing or distribution enterprise, or use entity failing to carry out medical device adverse-event monitoring in accordance with the provisions of this Regulation, failing to report adverse events as required, or refusing to cooperate with the adverse-event investigations conducted by the medical device adverse-event monitoring technical institution, the department responsible for drug regulation, or the competent health department; (VI) the medical device registrant or filing person failing to formulate post-market research and risk control plans and ensure their effective implementation in accordance with provisions; (VII) the medical device registrant or filing person failing to establish and implement the product traceability system in accordance with provisions; (VIII) the medical device registrant, filing person, or distribution enterprise engaged in the online sale of medical devices failing to notify the department responsible for drug regulation in accordance with provisions; (IX) for medical devices that require periodic inspection, testing, calibration, care and maintenance, the medical device use entity failing to conduct inspection, testing, calibration, care and maintenance in accordance with the requirements of the product instructions for use and keep records, and to promptly conduct analysis and assessment to ensure that the medical devices are in good condition; (X) the medical device use entity failing to properly preserve the original materials for the purchase of Class III medical devices. **Article 90.** Under any of the following circumstances, the competent health department of the people's government at or above the county level shall order rectification and give a warning; where rectification is refused, a fine of not less than RMB 50,000 but not more than RMB 100,000 shall be imposed; where the circumstances are serious, a fine of not less than RMB 100,000 but not more than RMB 300,000 shall be imposed, the relevant medical device use activities shall be ordered to be suspended, up to the revocation by the original certificate-issuing department of the practice license, the relevant responsible personnel shall be ordered in accordance with the law to suspend their practice activities for not less than 6 months but not more than 1 year, up to the revocation by the original certificate-issuing department of the practice certificates of the relevant personnel, the income obtained from the entity during the period of the illegal act shall be confiscated from the legal representative, principal person in charge, the directly responsible person in charge and other responsible persons of the illegal entity, a fine of not less than 30% but not more than 3 times the income obtained shall be imposed on them, and sanctions shall be given in accordance with the law: (I) for reusable medical devices, the medical device use entity failing to handle them in accordance with the provisions on disinfection and management; (II) the medical device use entity reusing single-use medical devices, or failing to destroy used single-use medical devices in accordance with provisions; (III) the medical device use entity failing to record the information of large medical devices as well as implantable and interventional medical devices in the medical records and other relevant records in accordance with provisions; (IV) the medical device use entity failing to immediately stop using and notify for repair upon discovering that a medical device in use poses a safety hazard, or continuing to use a medical device that still fails to meet the safety standards for use after repair; (V) the medical device use entity using large medical equipment irregularly, failing to safeguard the quality and safety of medical care. **Article 91.** Where medical devices are imported in violation of relevant laws and administrative regulations on the inspection of import and export commodities, the entry-exit inspection and quarantine institution shall handle it in accordance with the law. **Article 92.** Where an e-commerce platform operator that provides services for the online trading of medical devices, in violation of the provisions of this Regulation, fails to perform management obligations such as conducting real-name registration of the medical device operators that join the platform, reviewing their licensing, registration and filing status, stopping and reporting illegal acts, and stopping the provision of online trading platform services, the department responsible for drug regulation shall impose punishment in accordance with the provisions of the E-Commerce Law of the People's Republic of China. **Article 93.** Where a clinical trial is conducted without filing the medical device clinical trial institution, the department responsible for drug regulation shall order the cessation of the clinical trial and rectification; where rectification is refused, the clinical trial data shall not be used for product registration or filing, a fine of not less than RMB 50,000 but not more than RMB 100,000 shall be imposed, and a public announcement shall be made to the public; where serious consequences are caused, it shall be prohibited from conducting clinical trials of medical devices in the relevant specialty within 5 years, a fine of not less than RMB 100,000 but not more than RMB 300,000 shall be imposed, and the competent health department shall confiscate from the legal representative, principal person in charge, the directly responsible person in charge and other responsible persons of the illegal entity the income obtained from the entity during the period of the illegal act, impose on them a fine of not less than 30% but not more than 3 times the income obtained, and give sanctions in accordance with the law. Where the sponsor of a clinical trial conducts a clinical trial without filing, the department responsible for drug regulation shall order the cessation of the clinical trial, impose a fine of not less than RMB 50,000 but not more than RMB 100,000 on the sponsor of the clinical trial, and make a public announcement to the public; where serious consequences are caused, a fine of not less than RMB 100,000 but not more than RMB 300,000 shall be imposed. The clinical trial data shall not be used for product registration or filing, and the medical device registration applications filed by the relevant responsible persons and entities shall not be accepted within 5 years. Where the sponsor of a clinical trial conducts a clinical trial of a Class III medical device that poses a relatively high risk to the human body without approval, the department responsible for drug regulation shall order the immediate cessation of the clinical trial, impose a fine of not less than RMB 100,000 but not more than RMB 300,000 on the sponsor of the clinical trial, and make a public announcement to the public; where serious consequences are caused, a fine of not less than RMB 300,000 but not more than RMB 1,000,000 shall be imposed. The clinical trial data shall not be used for product registration, the medical device clinical trial and registration applications filed by the relevant responsible persons and entities shall not be accepted within 10 years, the income obtained from the entity during the period of the illegal act shall be confiscated from the legal representative, principal person in charge, the directly responsible person in charge and other responsible persons of the illegal entity, and a fine of not less than 30% but not more than 3 times the income obtained shall be imposed on them. **Article 94.** Where a medical device clinical trial institution conducts a medical device clinical trial without complying with the good clinical practice for clinical trials, the department responsible for drug regulation shall order rectification or the immediate cessation of the clinical trial, and impose a fine of not less than RMB 50,000 but not more than RMB 100,000; where serious consequences are caused, it shall be prohibited from conducting clinical trials of medical devices in the relevant specialty within 5 years, and the competent health department shall confiscate from the legal representative, principal person in charge, the directly responsible person in charge and other responsible persons of the illegal entity the income obtained from the entity during the period of the illegal act, impose on them a fine of not less than 30% but not more than 3 times the income obtained, and give sanctions in accordance with the law. **Article 95.** Where a medical device clinical trial institution issues a false report, the department responsible for drug regulation shall impose a fine of not less than RMB 100,000 but not more than RMB 300,000; where there are illegal gains, the illegal gains shall be confiscated; it shall be prohibited from conducting clinical trials of medical devices in the relevant specialty within 10 years; and the competent health department shall confiscate from the legal representative, principal person in charge, the directly responsible person in charge and other responsible persons of the illegal entity the income obtained from the entity during the period of the illegal act, impose on them a fine of not less than 30% but not more than 3 times the income obtained, and give sanctions in accordance with the law. **Article 96.** Where a medical device inspection institution issues a false inspection report, the competent department that granted its qualification shall revoke its inspection qualification, shall not accept the qualification accreditation applications filed by the relevant responsible persons and entities within 10 years, and shall impose a fine of not less than RMB 100,000 but not more than RMB 300,000; where there are illegal gains, the illegal gains shall be confiscated; the income obtained from the entity during the period of the illegal act shall be confiscated from the legal representative, principal person in charge, the directly responsible person in charge and other responsible persons of the illegal entity, a fine of not less than 30% but not more than 3 times the income obtained shall be imposed on them, and sanctions shall be given in accordance with the law; those who are dismissed shall be prohibited from engaging in medical device inspection work within 10 years. **Article 97.** Where the provisions of this Regulation on the administration of medical device advertisements are violated, punishment shall be imposed in accordance with the provisions of the Advertising Law of the People's Republic of China. **Article 98.** Where an enterprise legal person within China designated by an overseas medical device registrant or filing person fails to perform the relevant obligations in accordance with the provisions of this Regulation, the drug regulatory department of the people's government of the province, autonomous region or municipality directly under the Central Government shall order rectification, give a warning, and impose a fine of not less than RMB 50,000 but not more than RMB 100,000; where the circumstances are serious, a fine of not less than RMB 100,000 but not more than RMB 500,000 shall be imposed, and its legal representative, principal person in charge, the directly responsible person in charge and other responsible persons shall be prohibited from engaging in the manufacturing and distribution activities of medical devices within 5 years. Where an overseas medical device registrant or filing person refuses to perform an administrative punishment decision made in accordance with this Regulation, its medical devices shall be prohibited from importation within 10 years. **Article 99.** Where a medical device research, manufacturing or distribution entity or inspection institution, in violation of the provisions of this Regulation, uses personnel prohibited from engaging in the manufacturing and distribution activities of medical devices or in inspection work, the department responsible for drug regulation shall order rectification and give a warning; where rectification is refused, it shall order the suspension of production and business, up to the revocation of the licensing certificate. **Article 100.** Where a medical device technical review institution or a medical device adverse-event monitoring technical institution fails to perform its duties in accordance with the provisions of this Regulation, resulting in major errors in the review or monitoring work, the department responsible for drug regulation shall order rectification, circulate a notice of criticism, and give a warning; where serious consequences are caused, the legal representative, principal person in charge, the directly responsible person in charge and other responsible persons of the illegal entity shall be given sanctions in accordance with the law. **Article 101.** Where staff of the department responsible for drug regulation or other relevant departments, in violation of the provisions of this Regulation, abuse their powers, neglect their duties, or engage in malpractices for personal gain, they shall be given sanctions in accordance with the law. **Article 102.** Where a violation of the provisions of this Regulation constitutes a crime, criminal liability shall be pursued in accordance with the law; where personal injury, property damage or other damage is caused, liability for compensation shall be borne in accordance with the law. ## Chapter 8 Supplementary Provisions **Article 103.** The meanings of the following terms in this Regulation: A medical device refers to an instrument, apparatus, appliance, in vitro diagnostic reagent and calibrator, material, and other similar or related article used directly or indirectly on the human body, including the necessary computer software; its efficacy is mainly obtained by physical and other means, rather than by pharmacological, immunological or metabolic means, or even if such means participate, they only play an auxiliary role; and its purpose is: (I) the diagnosis, prevention, monitoring, treatment or alleviation of disease; (II) the diagnosis, monitoring, treatment, alleviation or functional compensation of injury; (III) the inspection, replacement, regulation or support of a physiological structure or physiological process; (IV) the support or sustaining of life; (V) the control of pregnancy; (VI) the provision of information for medical or diagnostic purposes by means of examining samples from the human body. A medical device registrant or filing person refers to an enterprise or research institution that has obtained a medical device registration certificate or handled medical device filing. A medical device use entity refers to an institution that uses medical devices to provide medical and other technical services to others, including medical institutions, blood stations, single-donor plasmapheresis stations, rehabilitation assistive device fitting institutions and the like. Large medical equipment refers to large medical devices that use complex technology, involve a large amount of capital investment, have high operating costs, have a significant impact on medical expenses, and are subject to catalogue administration. **Article 104.** Fees may be charged for the registration of medical device products. The specific fee items and standards shall be formulated separately by the finance and price departments of the State Council in accordance with relevant State provisions. **Article 105.** The administrative measures for medical devices developed by medical and health institutions in response to public health emergencies shall be formulated by the drug regulatory department of the State Council in conjunction with the competent health department of the State Council. Engaging in the storage, allocation and supply of non-profit contraceptive medical devices shall comply with the administrative measures formulated by the competent health department of the State Council in conjunction with the drug regulatory department of the State Council. The technical guiding principles for traditional Chinese medicine medical devices shall be formulated by the drug regulatory department of the State Council in conjunction with the competent department of traditional Chinese medicine of the State Council. **Article 106.** The supervision and administration of the use of medical devices by the military shall be carried out in accordance with this Regulation and relevant military provisions. **Article 107.** This Regulation shall come into force on June 1, 2021. --- ## Cybersecurity Law of the People's Republic of China (2025 Amendment) - Chinese title: 中华人民共和国网络安全法(2025 修正) - Abbreviation: CSL - Hierarchy: law - Issuing body: National People's Congress Standing Committee - Adopted: 2016-11-07 - Effective: 2017-06-01 - Status: amended - URL: https://datacompliancechina.com/laws/csl/ - Markdown: https://datacompliancechina.com/laws/csl.md ### Summary The Cybersecurity Law is the earliest of the three foundational data-protection statutes. It establishes the Multi-Level Protection Scheme (MLPS), the Critical Information Infrastructure regime, network-operator obligations, and the cybersecurity review framework. The current text incorporates the 2025 amendment, which takes effect January 1, 2026. ### Full text **Promulgated by:** Standing Committee of the National People's Congress. **Originally adopted at the 24th Session of the Standing Committee of the 12th National People's Congress on November 7, 2016.** **Amended in accordance with the Decision on Amending the Cybersecurity Law of the People's Republic of China adopted at the 18th Session of the Standing Committee of the 14th National People's Congress on October 28, 2025.** **Amendment takes effect January 1, 2026.** --- ## Chapter 1 General Provisions **Article 1.** In order to safeguard cybersecurity, maintain cyber sovereignty and national security, protect the public interest of society, protect the lawful rights and interests of citizens, legal persons and other organizations, and promote the healthy development of economic and social informatization, this Law is hereby formulated. **Article 2.** This Law shall apply to the construction, operation, maintenance and use of networks within the territory of the People's Republic of China, as well as the supervision and administration of cybersecurity. **Article 3.** Cybersecurity work shall adhere to the leadership of the Communist Party of China, implement the overall national security concept, coordinate development and security, and advance the building of a cyber power. **Article 4.** The State shall uphold equal emphasis on cybersecurity and informatization development, follow the policy of proactive utilization, scientific development, law- based administration, and ensuring security, advance the construction and interconnection of network infrastructure, encourage innovation and application of network technologies, support the cultivation of cybersecurity professionals, establish and improve a cybersecurity , and enhance cybersecurity protection capabilities. **Article 5.** The State shall formulate and continuously improve a national cybersecurity strategy, clarify the basic requirements and main objectives for safeguarding cybersecurity, and put forward cybersecurity policies, tasks and measures in key areas. **Article 6.** The State shall take measures to monitor, defend against, and address cybersecurity risks and threats originating within and outside the People's Republic of China, protect critical information infrastructure from attacks, intrusions, interference and destruction, punish cyber-related illegal and criminal activities in accordance with the law, and maintain security and order in cyberspace. **Article 7.** The State shall advocate honest and trustworthy, healthy and civilized behavior on the Internet, promote the dissemination of the core socialist values, take measures to enhance the cybersecurity awareness and capacity of the whole society, and foster a favorable environment for the joint participation of the whole society in promoting cybersecurity. **Article 8.** The State shall actively carry out international exchanges and cooperation in cyberspace governance, network technology research and development and standard- setting, combating cyber-related illegal and criminal activities, promote the building of a peaceful, secure, open and cooperative cyberspace, and establish a multilateral, democratic and transparent system of Internet governance. **Article 9.** The national cyberspace administration shall be responsible for overall coordination of cybersecurity work and relevant supervision and administration. The telecommunications authority under the State Council, public security authorities, and other relevant authorities shall, within their respective responsibilities and in accordance with this Law and relevant laws and administrative regulations, be responsible for cybersecurity protection and supervision and administration. The cybersecurity protection and supervision and administration responsibilities of the relevant departments of local people's governments at or above the county level shall be determined in accordance with relevant State provisions. **Article 10.** Network operators, when carrying out business and service activities, shall comply with laws and administrative regulations, respect social morality, observe commercial ethics, act in good faith, perform cybersecurity protection obligations, accept supervision by the government and society, and assume social responsibility. **Article 11.** Those who construct or operate networks or provide services through networks shall, in accordance with the provisions of laws and administrative regulations and the mandatory requirements under national standards, take technical and other necessary measures to ensure cybersecurity and stable operation, effectively respond to cybersecurity incidents, prevent cyber-related illegal and criminal activities, and maintain the integrity, confidentiality and availability of network data. **Article 12.** Industry organizations related to networks shall, in accordance with their charters, strengthen industry self- discipline, formulate codes of conduct for cybersecurity, guide members to strengthen cybersecurity protection, improve cybersecurity protection levels, and promote the healthy development of the industry. **Article 13.** The State shall protect the right of citizens, legal persons and other organizations to lawfully use networks, promote universal network access, enhance the level of network services, provide the society with secure and convenient network services, and ensure the lawful, orderly and free flow of network information. Any individual or organization using networks shall comply with the Constitution and laws, observe public order, respect social morality, shall not endanger cybersecurity, and shall not use networks to engage in activities that endanger national security, honor and interests, incite subversion of state power, overthrow the socialist system, incite the splitting of the State, undermine national unity, advocate terrorism or extremism, advocate ethnic hatred or ethnic discrimination, disseminate violent or obscene pornographic information, fabricate or disseminate false information to disrupt economic order and social order, or infringe upon the reputation, privacy, intellectual property rights and other lawful rights and interests of others. **Article 14.** The State shall support the research and development of network products and services conducive to the healthy growth of minors, punish in accordance with the law activities carried out via networks that harm the physical and mental health of minors, and provide a secure and healthy online environment for minors. **Article 15.** Any individual or organization shall have the right to report to the cyberspace, telecommunications, public security and other departments acts that endanger cybersecurity. The departments receiving reports shall promptly handle them in accordance with the law; if the matter does not fall within the functions of the department, it shall be promptly transferred to the department with authority to handle it. Relevant departments shall keep confidential the relevant information of the whistleblower and protect the lawful rights and interests of the whistleblower. ## Chapter 2 Support and Promotion of Cybersecurity **Article 16.** The State shall establish and improve the system of cybersecurity standards. The standardization administrative authority under the State Council and other relevant departments under the State Council shall, based on their respective responsibilities, organize the formulation and timely revision of national and industry standards related to cybersecurity management as well as the security of network products, services and operations. The State shall support enterprises, research institutions, higher education institutions, and industry organizations related to networks in participating in the formulation of national and industry standards for cybersecurity. **Article 17.** The State Council and the people’s governments of provinces, autonomous regions, and municipalities directly under the Central Government shall make overall plans, increase investment, support key cybersecurity technology industries and projects, support the research, development and application of cybersecurity technologies, promote secure and trustworthy network products and services, protect intellectual property rights in network technologies, and support enterprises, research institutions and higher education institutions in participating in national cybersecurity technology innovation projects. **Article 18.** The State shall advance the construction of a socialized service system for cybersecurity, and encourage relevant enterprises and institutions to carry out security services such as cybersecurity certification, testing and risk assessment. **Article 19.** The State shall encourage the development of technologies for the protection and utilization of network data security, promote the opening of public data resources, and advance technological innovation and economic and social development. **Article 20.** The State shall support basic theoretical research on artificial intelligence and the research and development of key technologies such as algorithms, advance the construction of infrastructure such as training data resources and computing power, improve ethical norms for artificial intelligence, strengthen risk monitoring and assessment and safety supervision, and promote the application and healthy development of artificial intelligence. The State shall support innovation in cybersecurity management methods, and use new technologies such as artificial intelligence to enhance cybersecurity protection levels. **Article 21.** People’s governments at all levels and their relevant departments shall organize regular cybersecurity publicity and education, and guide and supervise relevant entities to carry out cybersecurity publicity and education properly. Mass media shall, in a targeted manner, conduct cybersecurity publicity and education towards society. **Article 22.** The State shall support enterprises and higher education institutions, vocational schools and other education and training institutions in carrying out education and training related to cybersecurity, adopt various means to cultivate cybersecurity talents, and promote exchanges of cybersecurity talents. ## Chapter 3 Security of Network Operations ### Section 1 General Provisions **Article 23.** The State shall implement a cybersecurity multi- level protection scheme. Network operators shall, in accordance with the requirements of the cybersecurity multi- level protection scheme, perform the following security protection obligations to ensure that networks are protected from interference, damage or unauthorized access, and to prevent leakage, theft or tampering of network data: (1) formulate internal security management rules and operating procedures, designate persons responsible for cybersecurity, and implement cybersecurity protection responsibilities; (2) take technical measures to prevent behaviors endangering cybersecurity such as computer viruses, cyberattacks, and network intrusions; (3) take technical measures to monitor and record the status of network operations and cybersecurity incidents, and retain relevant network logs for not less than six months as required; (4) take measures such as data classification, backup of important data, and encryption; (5) other obligations as prescribed by laws and administrative regulations. **Article 24.** Network products and services shall meet the mandatory requirements under relevant national standards. Providers of network products and services shall not set malicious programs; upon discovering risks such as security defects and vulnerabilities in their network products or services, they shall immediately take remedial measures, promptly inform users in accordance with provisions and report to the competent authorities. Providers of network products and services shall continuously provide security maintenance for their products and services; within the prescribed period or the period agreed upon by the parties, they shall not cease to provide security maintenance. Where network products or services have functions to collect user information, their providers shall explicitly inform users and obtain consent; where personal information of users is involved, they shall also comply with this Law and relevant laws and administrative regulations regarding the protection of personal information. **Article 25.** Key network equipment and specialized cybersecurity products shall, in accordance with the mandatory requirements under relevant national standards, be sold or provided only after being certified for security by qualified institutions or passing security testing meeting the requirements. The national cyberspace administration, in conjunction with relevant departments under the State Council, shall formulate and publish catalogues of key network equipment and specialized cybersecurity products, and promote mutual recognition of security certification and security testing results to avoid repeated certification and testing. **Article 26.** When network operators handle network access, domain name registration services, procedures for fixed-line and mobile phone network access, or provide information publication, instant messaging and other services for users, they shall, when concluding agreements with users or confirming the provision of services, require users to provide real identity information. Where users do not provide real identity information, network operators shall not provide them with relevant services. The State shall implement a strategy of trustworthy network identity, support the research and development of secure and convenient electronic identity authentication technologies, and promote mutual recognition among different electronic identity authentications. **Article 27.** Network operators shall formulate contingency plans for cybersecurity incidents, and promptly address security risks such as system vulnerabilities, computer viruses, cyberattacks, and network intrusions; when incidents endangering cybersecurity occur, they shall immediately activate contingency plans, take corresponding remedial measures, and report to the competent authorities in accordance with provisions. **Article 28.** Those carrying out cybersecurity certification, testing, risk assessment and other activities, or releasing to society cybersecurity information such as system vulnerabilities, computer viruses, cyberattacks, and network intrusions, shall comply with relevant State provisions. **Article 29.** No individual or organization may engage in activities that endanger cybersecurity, such as illegal intrusion into another’s network, interference with the normal functions of another’s network, or theft of network data; no individual or organization may provide programs or tools specifically used to engage in activities that endanger cybersecurity such as intrusion into networks, interference with the normal functions and protection measures of networks, or theft of network data; and those who knowingly engage in activities that endanger cybersecurity shall not be provided with technical support, advertisement promotion, payment settlement and other assistance. **Article 30.** Network operators shall provide technical support and assistance to public security authorities and national security authorities in their lawful activities to safeguard national security and investigate crimes. **Article 31.** The State shall support cooperation among network operators in areas such as the collection, analysis, notification and emergency response of cybersecurity information, so as to improve the security of network operators. Relevant industry organizations shall establish and improve cybersecurity protection norms and collaboration mechanisms within their industries, strengthen analysis and assessment of cybersecurity risks, regularly issue risk alerts to their members, and support and assist members in responding to cybersecurity risks. **Article 32.** Information obtained by the cyberspace administration and relevant departments in performing cybersecurity protection responsibilities shall only be used for the needs of maintaining cybersecurity, and shall not be used for other purposes. ### Section 2 Security of Operations of Critical Information Infrastructure **Article 33.** The State shall, on the basis of the cybersecurity multi-level protection scheme, implement focused protection with respect to critical information infrastructure in important industries and fields such as public communications and information services, energy, transportation, water conservancy, finance, public services, and e-government, as well as other infrastructure that, once damaged, losing functionality or suffering data leakage, may seriously endanger national security, the national economy and people’s livelihood, and the public interest. The specific scope of critical information infrastructure and the measures for security protection shall be formulated by the State Council. The State shall encourage network operators outside critical information infrastructure to voluntarily participate in the system of critical information infrastructure protection. **Article 34.** In accordance with the division of responsibilities prescribed by the State Council, departments responsible for the security protection of critical information infrastructure shall respectively formulate and organize the implementation of security plans for critical information infrastructure in their respective industries and fields, and guide and supervise the security protection of the operation of critical information infrastructure. **Article 35.** The construction of critical information infrastructure shall ensure performance that supports stable and continuous operation of business, and ensure that security technical measures are planned, constructed, and used concurrently. **Article 36.** In addition to the provisions of Article 23 of this Law, operators of critical information infrastructure shall also perform the following security protection obligations: (1) establish specialized security management institutions and designate persons responsible for security management, and conduct security background checks on such persons and personnel in key positions; (2) periodically carry out cybersecurity education, technical training and competency assessments for employees; (3) implement disaster recovery backup for important systems and databases; (4) formulate contingency plans for cybersecurity incidents and conduct regular drills; (5) other obligations as prescribed by laws and administrative regulations. **Article 37.** Where operators of critical information infrastructure procure network products and services that may affect national security, they shall undergo a national security review organized by the national cyberspace administration in conjunction with relevant departments under the State Council. **Article 38.** Operators of critical information infrastructure that procure network products and services shall, in accordance with provisions, sign security and confidentiality agreements with the providers, and clarify security and confidentiality obligations and responsibilities. **Article 39.** Personal information and important data collected and generated in the course of operations by operators of critical information infrastructure within the territory of the People's Republic of China shall be stored within the territory. Where, due to business needs, it is truly necessary to provide such information and data overseas, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration in conjunction with relevant departments under the State Council; where laws or administrative regulations provide otherwise, such provisions shall govern. **Article 40.** Operators of critical information infrastructure shall, on their own or by entrusting cybersecurity service institutions, conduct at least once a year security testing and assessment of their networks’ security and potential risks, and submit the status of testing and assessment and measures for improvement to the departments responsible for the security protection of critical information infrastructure. **Article 41.** The national cyberspace administration shall coordinate relevant departments to take the following measures for the security protection of critical information infrastructure: (1) conduct spot checks and testing of the security risks of critical information infrastructure, put forward measures for improvement, and where necessary entrust cybersecurity service institutions to test and assess security risks existing in networks; (2) regularly organize operators of critical information infrastructure to conduct cybersecurity emergency drills to improve the level of responding to cybersecurity incidents and the capacity for coordination; (3) promote the sharing of cybersecurity information among relevant departments, operators of critical information infrastructure, and relevant research institutions and cybersecurity service institutions; (4) provide technical support and assistance for emergency response to cybersecurity incidents and the restoration of network functions. ## Chapter 4 Security of Network Information **Article 42.** Network operators shall keep strictly confidential the user information they collect, and establish and improve user information protection systems. Network operators, when processing personal information, shall comply with this Law and the provisions of laws and administrative regulations such as the Civil Code of the People's Republic of China and the Personal Information Protection Law of the People's Republic of China. **Article 43.** Network operators, when collecting and using personal information, shall follow the principles of legality, legitimacy and necessity, make public their rules for collection and use, explicitly inform the purposes, methods and scope of collection and use of information, and obtain the consent of the person being collected. Network operators shall not collect personal information irrelevant to the services they provide, shall not collect or use personal information in violation of laws and administrative regulations and the agreements between the parties, and shall, in accordance with laws and administrative regulations and their agreements with users, handle personal information they retain. **Article 44.** Network operators shall not divulge, tamper with or damage personal information they collect; without the consent of the person being collected, they shall not provide personal information to others. However, where personal information has been processed so that specific individuals cannot be identified and cannot be restored, the foregoing shall not apply. Network operators shall take technical and other necessary measures to ensure the security of the personal information they collect and prevent information leakage, damage or loss. When situations of personal information leakage, damage or loss occur or may occur, they shall immediately take remedial measures, promptly inform users in accordance with provisions and report to the competent authorities. **Article 45.** Where individuals find that network operators collect or use their personal information in violation of the provisions of laws and administrative regulations or the agreements between the parties, they have the right to request the network operators to delete their personal information; where they find errors in their personal information collected or stored by network operators, they have the right to request network operators to correct such information. Network operators shall take measures to delete or correct it. **Article 46.** No individual or organization may steal or obtain personal information through other illegal means, or illegally sell or illegally provide personal information to others. **Article 47.** Departments with statutory responsibilities for supervision and administration of cybersecurity and their staff shall keep strictly confidential the personal information, privacy and commercial secrets they become aware of in the course of performing their duties, and shall not divulge, sell or illegally provide them to others. **Article 48.** Any individual or organization shall be responsible for the acts of their use of networks, and shall not establish websites or communication groups used to commit fraud, teach methods of committing crimes, or manufacture or sell prohibited items or controlled items and other illegal and criminal activities, and shall not use networks to release information involving the commission of fraud, manufacture or sale of prohibited items or controlled items and other illegal and criminal activities. **Article 49.** Network operators shall strengthen the management of information published by their users; upon discovering information whose publication or transmission is prohibited by laws and administrative regulations, they shall immediately cease transmission of such information, take measures such as removal to dispose of it, prevent the spread of information, preserve relevant records, and report to the competent authorities. **Article 50.** Any individual or organization that sends electronic information or provides application software shall not set malicious programs and shall not contain information the publication or transmission of which is prohibited by laws and administrative regulations. Providers of electronic information transmission services and application download services shall perform security management obligations; where they become aware that their users engage in the acts prescribed in the preceding paragraph, they shall stop providing services, take measures such as removal to dispose of it, preserve relevant records, and report to the competent authorities. **Article 51.** Network operators shall establish systems for complaints and reports regarding network information security, publish information such as modes of complaints and reports, and promptly accept and handle complaints and reports regarding network information security. Network operators shall cooperate with supervision and inspection lawfully carried out by the cyberspace administration and relevant departments. **Article 52.** Where the national cyberspace administration and relevant departments, in the course of lawfully performing their network information security supervision and administration responsibilities, discover information whose publication or transmission is prohibited by laws and administrative regulations, they shall require network operators to cease transmission, take measures such as removal to dispose of it, and preserve relevant records; with respect to the above information originating outside the People's Republic of China, they shall notify relevant institutions to take technical and other necessary measures to block transmission. ## Chapter 5 Monitoring, Early Warning and Emergency Response **Article 53.** The State shall establish systems for cybersecurity monitoring and early warning and information notification. The national cyberspace administration shall coordinate relevant departments to strengthen the collection, analysis and notification of cybersecurity information, and uniformly release cybersecurity monitoring and early warning information in accordance with provisions. **Article 54.** Departments responsible for the security protection of critical information infrastructure shall establish and improve cybersecurity monitoring and early warning and information notification systems in their respective industries and fields, and submit cybersecurity monitoring and early warning information in accordance with provisions. **Article 55.** The national cyberspace administration shall coordinate relevant departments to establish and improve mechanisms for cybersecurity risk assessment and emergency response work, formulate contingency plans for cybersecurity incidents, and organize regular drills. Departments responsible for the security protection of critical information infrastructure shall formulate contingency plans for cybersecurity incidents in their respective industries and fields, and organize regular drills. Contingency plans for cybersecurity incidents shall classify cybersecurity incidents according to factors such as the degree of harm and scope of impact after an incident occurs, and provide corresponding emergency response measures. **Article 56.** When the risk of cybersecurity incidents increases, relevant departments of people’s governments at or above the provincial level shall, in accordance with prescribed authority and procedures and based on the characteristics of cybersecurity risks and the possible harm, take the following measures: (1) require relevant departments, institutions and personnel to promptly collect and report relevant information, and strengthen the monitoring of cybersecurity risks; (2) organize relevant departments, institutions and professionals to analyze and assess cybersecurity risk information, and forecast the likelihood of incidents, scope of impact and degree of harm; (3) release cybersecurity risk early warnings to society, and publish measures to avoid or mitigate harm. **Article 57.** Upon the occurrence of cybersecurity incidents, contingency plans for cybersecurity incidents shall be immediately activated, cybersecurity incidents shall be investigated and assessed, network operators shall be required to take technical and other necessary measures to eliminate security hazards, prevent harm from expanding, and timely release to the public warning information involving the public. **Article 58.** Where relevant departments of people’s governments at or above the provincial level discover, in the course of performing cybersecurity supervision and administration responsibilities, that networks have significant security risks or that security incidents have occurred, they may, in accordance with prescribed authority and procedures, conduct interviews with the legal representative or principal person-in-charge of the operator of the network. Network operators shall take measures as required, implement rectification, and eliminate hidden dangers. **Article 59.** Where emergencies or production safety accidents occur due to cybersecurity incidents, they shall be dealt with in accordance with relevant provisions of laws and administrative regulations such as the Emergency Response Law of the People's Republic of China and the Work Safety Law of the People's Republic of China. **Article 60.** Where, for the purpose of maintaining national security and social public order, it is necessary to address major emergent social security incidents, temporary measures such as restrictions on network communications may, upon decision or approval by the State Council, be taken within specific regions. ## Chapter 6 Legal Liability **Article 61.** Where network operators fail to perform the cybersecurity protection obligations prescribed in Articles 23 and 27 of this Law, the competent authorities shall order corrections, give warnings, and may impose a fine of not less than RMB 10,000 but not more than RMB 50,000; where they refuse to make corrections or cause consequences such as harm to cybersecurity, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed, and the person- in-charge directly responsible and other directly liable persons shall be fined not less than RMB 10,000 but not more than RMB 100,000. Where operators of critical information infrastructure fail to perform the cybersecurity protection obligations prescribed in Articles 35, 36, 38 and 40 of this Law, the competent authorities shall order corrections, give warnings, and may impose a fine of not less than RMB 50,000 but not more than RMB 100,000; where they refuse to make corrections or cause consequences such as harm to cybersecurity, a fine of not less than RMB 100,000 but not more than RMB 1,000,000 shall be imposed, and the person-in-charge directly responsible and other directly liable persons shall be fined not less than RMB 10,000 but not more than RMB 100,000. Where the acts under the preceding two paragraphs cause serious consequences that harm cybersecurity, such as leakage of a large amount of data or partial functional loss of critical information infrastructure, the competent authorities shall impose a fine of not less than RMB 500,000 but not more than RMB 2,000,000 on the operator, and shall impose a fine of not less than RMB 50,000 but not more than RMB 200,000 on the person-in-charge directly responsible and other directly liable persons; where particularly serious consequences that harm cybersecurity occur, such as the loss of main functions of critical information infrastructure, a fine of not less than RMB 2,000,000 but not more than RMB 10,000,000 shall be imposed, and a fine of not less than RMB 200,000 but not more than RMB 1,000,000 shall be imposed on the person-in- charge directly responsible and other directly liable persons. **Article 62.** Where any of the following acts is committed in violation of the first and second paragraphs of Article 24 and the first paragraph of Article 50 of this Law, the competent authorities shall order corrections and give warnings; where corrections are refused or consequences such as harm to cybersecurity are caused, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed on the operator, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person-in-charge directly responsible: (1) setting malicious programs; (2) failing to immediately adopt remedial measures for risks such as security defects and vulnerabilities existing in its products or services, or failing to promptly inform users in accordance with provisions and report to the competent authorities; (3) arbitrarily ceasing the provision of security maintenance for its products or services. Where any of the acts under items (1) and (2) of the preceding paragraph results in the consequences prescribed in the third paragraph of Article 61 of this Law, punishments shall be imposed in accordance with that paragraph. **Article 63.** Where any person sells or provides key network equipment or specialized cybersecurity products without security certification or security testing, or where such certification is not passed or such testing does not meet the requirements, in violation of Article 25 of this Law, the competent authorities shall order the cessation of sales or provision, give warnings, and confiscate illegal gains; where there are no illegal gains or such gains are less than RMB 100,000, a fine of not less than RMB 20,000 but not more than RMB 100,000 shall be imposed; where illegal gains are RMB 100,000 or more, a fine of not less than one time but not more than five times the amount of illegal gains shall be imposed; where circumstances are serious, an order may be given to suspend relevant business, suspend business for rectification, revoke relevant business permits or revoke the business license. Where laws or administrative regulations provide otherwise, such provisions shall govern. **Article 64.** Where network operators, in violation of the first paragraph of Article 26 of this Law, fail to require users to provide real identity information, or provide relevant services to users who do not provide real identity information, the competent authorities shall order corrections; where corrections are refused or circumstances are serious, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed, and an order may be given to suspend relevant business, suspend business for rectification, shut down websites or applications, revoke relevant business permits or revoke the business license, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person-in-charge directly responsible and other directly liable persons. **Article 65.** Where any person, in violation of Article 28 of this Law, carries out cybersecurity certification, testing, risk assessment and other activities, or releases to society cybersecurity information such as system vulnerabilities, computer viruses, cyberattacks, and network intrusions, the competent authorities shall order corrections, give warnings, and may impose a fine of not less than RMB 10,000 but not more than RMB 100,000; where corrections are refused or circumstances are serious, a fine of not less than RMB 100,000 but not more than RMB 1,000,000 shall be imposed, and an order may be given to suspend relevant business, suspend business for rectification, shut down websites or applications, revoke relevant business permits or revoke the business license, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person- in-charge directly responsible and other directly liable persons. Where the act under the preceding paragraph results in the consequences prescribed in the third paragraph of Article 61 of this Law, punishments shall be imposed in accordance with that paragraph. **Article 66.** Where any person, in violation of Article 29 of this Law, engages in activities that endanger cybersecurity, or provides programs or tools specifically used to engage in activities that endanger cybersecurity, or provides technical support, advertisement promotion, payment settlement and other assistance for others to engage in activities that endanger cybersecurity, and the circumstances do not constitute a crime, the public security authorities shall confiscate illegal gains and impose detention of not more than five days, and may concurrently impose a fine of not less than RMB 50,000 but not more than RMB 500,000; where circumstances are relatively serious, detention of not less than five days but not more than fifteen days shall be imposed, and a fine of not less than RMB 100,000 but not more than RMB 1,000,000 may concurrently be imposed. Where such acts are committed by an entity, the public security authorities shall confiscate illegal gains and impose a fine of not less than RMB 100,000 but not more than RMB 1,000,000 on the entity, and punish the person-in-charge directly responsible and other directly liable persons in accordance with the preceding paragraph. Personnel who, in violation of Article 29 of this Law, receive public security administrative punishment shall not engage in work in key positions of cybersecurity management and network operations within five years; personnel who receive criminal punishment shall never engage in work in key positions of cybersecurity management and network operations. **Article 67.** Where operators of critical information infrastructure, in violation of Article 37 of this Law, use network products or services that have not undergone security review or have not passed security review, the competent authorities shall order corrections within a time limit, order cessation of use, eliminate the impact on national security, and impose a fine of not less than one time but not more than ten times the procurement amount, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person-in-charge directly responsible and other directly liable persons. **Article 68.** Where any person, in violation of Article 48 of this Law, establishes websites or communication groups used to carry out illegal and criminal activities, or uses networks to publish information involving the commission of illegal and criminal activities, and the circumstances do not constitute a crime, the public security authorities shall impose detention of not more than five days, and may concurrently impose a fine of not less than RMB 10,000 but not more than RMB 100,000; where circumstances are relatively serious, detention of not less than five days but not more than fifteen days shall be imposed, and a fine of not less than RMB 50,000 but not more than RMB 500,000 may concurrently be imposed. Websites or communication groups used to carry out illegal and criminal activities shall be shut down. Where such acts are committed by an entity, the public security authorities shall impose a fine of not less than RMB 100,000 but not more than RMB 500,000 on the entity, and punish the person-in-charge directly responsible and other directly liable persons in accordance with the preceding paragraph. **Article 69.** Where network operators, in violation of Article 49 of this Law, fail to cease transmission, take measures such as removal to dispose of it, preserve relevant records, report to the competent authorities with respect to information whose publication or transmission is prohibited by laws and administrative regulations, or, in violation of Article 52 of this Law, fail to cease transmission, take measures such as removal to dispose of it, preserve relevant records in accordance with requirements of relevant departments with respect to information whose publication or transmission is prohibited by laws and administrative regulations, the competent authorities shall order corrections, give warnings and issue circulars, and may impose a fine of not less than RMB 50,000 but not more than RMB 500,000; where corrections are refused or circumstances are serious, a fine of not less than RMB 500,000 but not more than RMB 2,000,000 shall be imposed, and an order may be given to suspend relevant business, suspend business for rectification, shut down websites or applications, revoke relevant business permits or revoke the business license, and a fine of not less than RMB 50,000 but not more than RMB 200,000 shall be imposed on the person-in-charge directly responsible and other directly liable persons. Where the act under the preceding paragraph causes particularly serious impact or particularly serious consequences, the competent authorities shall impose a fine of not less than RMB 2,000,000 but not more than RMB 10,000,000, and order suspension of relevant business, suspension of business for rectification, shutting down websites or applications, revocation of relevant business permits or revocation of the business license, and impose a fine of not less than RMB 200,000 but not more than RMB 1,000,000 on the person-in-charge directly responsible and other directly liable persons. Where providers of electronic information transmission services or application download services fail to perform the security management obligations prescribed in the second paragraph of Article 50 of this Law, punishments shall be imposed in accordance with the preceding two paragraphs. **Article 70.** Where network operators commit any of the following acts in violation of this Law, the competent authorities shall order corrections; where corrections are refused or circumstances are serious, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person-in-charge directly responsible and other directly liable persons: (1) refusing or obstructing supervision and inspection lawfully carried out by relevant departments; (2) refusing to provide technical support and assistance to public security authorities and national security authorities. **Article 71.** Where any of the following acts is committed, handling and punishment shall be carried out in accordance with relevant laws and administrative regulations: (1) publishing or transmitting information prescribed in the second paragraph of Article 13 of this Law and other information the publication or transmission of which is prohibited by laws and administrative regulations; (2) infringing personal information rights and interests in violation of the third paragraph of Article 24 and Articles 43 to 45 of this Law; (3) storing personal information and important data overseas or providing personal information and important data overseas by operators of critical information infrastructure in violation of Article 39 of this Law. Where any person, in violation of Article 46 of this Law, steals or obtains personal information through other illegal means, illegally sells or illegally provides personal information to others, and the circumstances do not constitute a crime, the public security authorities shall impose punishment in accordance with relevant laws and administrative regulations. **Article 72.** Where illegal acts prescribed in this Law are committed, they shall be recorded in credit archives in accordance with relevant laws and administrative regulations, and be made public. **Article 73.** Where violations of this Law occur but circumstances for lighter, mitigated or exemption from punishment prescribed in the Administrative Penalty Law of the People's Republic of China exist, lighter, mitigated or exemption from punishment shall be applied in accordance with such provisions. **Article 74.** Where operators of government affairs networks of State organs fail to perform the cybersecurity protection obligations prescribed in this Law, their superior organs or relevant organs shall order corrections; the person-in-charge directly responsible and other directly liable persons shall be sanctioned in accordance with the law. **Article 75.** Where the cyberspace administration and relevant departments, in violation of Article 32 of this Law, use information obtained in the course of performing cybersecurity protection responsibilities for other purposes, the person-in-charge directly responsible and other directly liable persons shall be sanctioned in accordance with the law. Where staff of the cyberspace administration and relevant departments commit negligence of duty, abuse of power or engage in malpractices for personal gain, and the circumstances do not constitute a crime, they shall be sanctioned in accordance with the law. **Article 76.** Where violations of this Law cause harm to others, civil liability shall be borne in accordance with the law. Where violations of this Law constitute acts violating public security administration, public security administrative punishments shall be imposed in accordance with the law; where they constitute crimes, criminal liability shall be pursued in accordance with the law. **Article 77.** Where institutions, organizations or individuals outside the territory engage in activities that endanger the cybersecurity of the People's Republic of China, legal liability shall be pursued in accordance with the law; where serious consequences are caused, the public security department under the State Council and relevant departments may also decide to take measures such as freezing property or other necessary sanctions against such institutions, organizations or individuals. ## Chapter 7 Supplementary Provisions **Article 78.** The meanings of the following terms under this Law are: (1) Network means a system composed of computers or other information terminals and related equipment which, in accordance with certain rules and procedures, collects, stores, transmits, exchanges, and processes information. (2) Cybersecurity means, by taking necessary measures, preventing attacks, intrusions, interference, destruction and illegal use of networks as well as accidents, bringing networks into a state of stable and reliable operation, and the capability to ensure the integrity, confidentiality and availability of network data. (3) Network operator means the owner, administrator and network service provider of a network. (4) Network data means various electronic data collected, stored, transmitted, processed and generated through networks. (5) Personal information means various information recorded in electronic or other forms that can identify a natural person’s personal identity, alone or in combination with other information, including but not limited to the natural person’s name, date of birth, identification number, personal biometric information, address, telephone number, etc. **Article 79.** In addition to complying with this Law, the security protection of the operation of networks that store or process information involving State secrets shall comply with the provisions of secrecy laws and administrative regulations. **Article 80.** The security protection of military networks shall be separately prescribed by the Central Military Commission. **Article 81.** This Law shall come into force on June 1, 2017. --- ## Interim Measures for the Management of Generative Artificial Intelligence Services - Chinese title: 生成式人工智能服务管理暂行办法 - Hierarchy: rule - Issuing body: CAC + 6 ministries (NDRC, MOE, MOST, MIIT, MPS, NRTA) - Adopted: 2023-05-23 - Effective: 2023-08-15 - Status: effective - URL: https://datacompliancechina.com/laws/genai-services-interim-measures/ - Markdown: https://datacompliancechina.com/laws/genai-services-interim-measures.md ### Summary China's flagship generative-AI regulation — the first comprehensive national regulation of GenAI services anywhere in the world. Covers content compliance, training data quality, personal-information handling, security assessment and algorithm filing, real-name verification, and labeling. Applies to GenAI services provided to the Chinese public; some obligations are conditioned on consumer-facing deployment. ### Full text **Promulgated by:** CAC + 6 ministries (NDRC, MOE, MOST, MIIT, MPS, NRTA). **Document No.:** Decree No. 15 of the Cyberspace Administration of China. **Adopted at the 12th executive meeting of the CAC in 2023 on May 23, 2023. Effective August 15, 2023.** --- ## Chapter I General Provisions **Article 1.** These Measures are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Law of the People's Republic of China on Science and Technology Progress and other laws and administrative regulations to promote the healthy development and standardized application of generative artificial intelligence (GAI), safeguard national security and social public interests, and protect the legitimate rights and interests of citizens, legal persons and other organizations. **Article 2.** These Measures shall apply to the use of GAI technologies to provide the public within the territory of the People's Republic of China with services of generative text, pictures, audios, videos and other content (hereinafter referred to as "GAI services" in short). Where the State stipulates otherwise on the use of GAI services to engage in press and publication, film and television production, literary and artistic creation and other activities, such provisions shall prevail. These Measures shall not apply to trade organizations, enterprises, education and scientific research institutions, public cultural institutions and relevant specialized agencies that research, develop and apply GAI technologies but fail to provide GAI services to the public within the territory of China. **Article 3.** The State adheres to the principles of attaching equal importance to development and security and promoting the combination of innovation and governance according to the law, takes effective measures to encourage innovation and development of GAI, and implements inclusive, prudent, categorized and graded regulation for GAI services. **Article 4.** Whoever provides and uses GAI services shall abide by laws and administrative regulations, respect social morality and ethics, and comply with the following provisions: (I) upholding socialist core values, and not generating any content prohibited by laws and administrative regulations that incites subversion of the state power or the overthrow of the socialist system, endangers national security and interests, damages the national image, incites separatism, undermines national unity and social stability, propagates terrorism, extremism, ethnic hatred and discrimination, violence, pornography, and false and harmful information; (II) taking effective measures to prevent discrimination in terms of nationality, religion, country, region, gender, occupation, health, etc., in the process of algorithm design, training data selection, model generation and optimization, service provision, etc.; (III) respecting intellectual property rights and business ethics, keeping confidential trade secrets, and refraining from carrying out acts of monopoly and unfair competition with the advantages of algorithms, data and platforms, etc.; (IV) respecting others' legitimate rights and interests, refraining from endangering others' physical and mental health, refraining from infringing upon others' rights to portrait, reputation, honor, privacy or personal information; and (V) taking effective measures in the light of the characteristics of different types of services to boost the transparency of GAI services and the accuracy and reliability of contents generated. ## Chapter II Technological Development and Governance **Article 5.** We encourage innovation and application of GAI technologies in various industries and fields to generate positive, healthy, progressive and good quality content, to explore and optimize application scenarios, and to build an application ecosystem. We support trade organizations, enterprises, education and scientific research institutions, public cultural institutions, relevant specialized agencies and so on to collaborate in respect of the innovations of GAI technologies, the development of data resources, the transformation and application, and the prevention of risks, among others. **Article 6.** We encourage independent innovations in fundamental technologies of GAI algorithms, frameworks, chips and supporting software platforms, among others, carry out international exchanges and cooperation on an equal and mutually beneficial basis, and take part in formulating international rules relating to GAI. Efforts should be made to drive the development of GAI infrastructure and public training data resource platforms, to promote the collaboration and sharing of algorithm resources, to improve the efficiency of the use of algorithm resources, to push the orderly disclosure of categorized and graded public data, and to expand high-quality public training data resources. We encourage the use of secure and reliable chips, software, tools, algorithm and data resources. **Article 7.** GAI service providers (hereinafter referred to as the "Providers") shall carry out pre-training, optimization training and other training data processing activities in accordance with the law and abide by the following provisions: (I) using data and basic models from lawful sources; (II) not infringing upon the intellectual property rights involved that are owned by others in accordance with the law; (III) obtaining the content of an individual whose personal information is involved or complying with other circumstances stipulated by laws and administrative regulations; (IV) take effective measures to improve the quality of training data and to enhance the authenticity, accuracy, objectivity and diversity of training data; and (V) other relevant provisions of laws and administrative regulations such as the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China and the Personal Information Protection Law of the People's Republic of China and the relevant regulatory requirements of relevant competent authorities. **Article 8.** For data annotation during the research and development process for GAI technologies, Providers shall formulate clear, specific and operable annotation rules that meet the requirements of these Measures; they shall carry out the quality assessment of data annotation and take samples to verify the accuracy of annotation contents; moreover, they shall provide necessary training to the annotation staff, enhance such staff's awareness of respecting and abiding by the law, and supervise and guide such staff to carry out annotation work in a regulated manner. ## Chapter III Service Standards **Article 9.** A Provider shall assume its responsibility as a producer of network information contents in accordance with the law and fulfill its obligation of network information security. If personal information is involved, a Provider shall assume its responsibility as a personal information hander in accordance with the law and fulfill its obligation of protecting personal information. A Provider shall enter into a service agreement with the users registering for its GAI services (hereinafter referred to as the "Users"), specifying the rights and obligations of both parties. **Article 10.** A Provider shall specify and disclose the applicable users, occasions and purposes of its services, guide Users to acquire a scientific and rational understanding and use GAI technologies in accordance with the law, and adopt effective measures to prevent underage Users from over-relying on or addicting to GAI services. **Article 11.** A Provider shall fulfill its obligations of protection for users' input information and use records in accordance with the law, and shall not collect unnecessary personal information, illegally keep the input information and use records that can identify users' identity, or illegally provide others with the input information and use records of users. A Provider shall promptly accept and handle individuals' requests for access, reproduction, correction, supplementation and deletion of personal information in accordance with the law. **Article 12.** A Provider shall mark pictures, videos and other generated content in accordance with the Administrative Provisions on In-depth Synthesis of Internet-based Information Services. **Article 13.** A Provider shall, in the course of its services, provide safe, stable and continuous services and ensure the normal use of Users. **Article 14.** Where any illegal content is found out, the Provider concerned shall timely take such handling measures as stopping the generation or transmission, or elimination, adopt measures such as model optimization training to make rectification, and report the case to the competent authority. When finding out that a User uses GAI services to engage in illegal activities, the Provider concerned shall take handling measures in accordance with the law or as agreed, such as giving a warning, restricting functions, suspending or terminating the provision of services to the User, keep relevant records, and report the case to the competent authority. **Article 15.** A Provider shall establish a sound complaint and whistleblowing mechanism, set up convenient portals for complaints and whistleblowing, make public the handling process and time limit for feedback, timely accept and handle the public complaints and whistleblowing, and give feedback on the handling results. ## Chapter IV Supervision, Inspection and Legal Liability **Article 16.** Authorities of cyberspace, development and reform, education, science and technology, industry and information technology, public security, radio and television, press and publication and so on shall, ex officio, strengthen the administration of GAI services in accordance with the law. The relevant competent authorities of the country shall, in light of the characteristics of GAI technologies and their service application in relevant industries and fields, improve the scientific ways of regulation in line with the innovation and development, and formulate the corresponding regulatory rules or guidelines for different categories or grades. **Article 17.** Any provider of GAI services with attribute of public opinions or capable of social mobilization shall conduct security assessment in accordance with the relevant provisions of the State, and complete the formalities for algorithm filing, change or deregistration in accordance with the Administrative Provisions on the Recommendation of Internet-based Information Service Algorithms. **Article 18.** Any user who finds that GAI services do not comply with laws, administrative regulations or these Measures shall have the right to complain or blow whistle to the competent authority. **Article 19.** Relevant competent authorities shall supervise and inspect GAI services ex officio, and Providers shall cooperate in accordance with the law, explain the source, scale, type, marking rules, algorithm mechanism for the training data as required, and provide necessary technical, data and other support and assistance. The relevant institutions and personnel participating in the security assessment, supervision and inspection of GAI services shall keep confidential the state secrets, trade secrets, personal privacy and personal information that they have accessed in the performance of their duties in accordance with the law, and shall not disclose or illegally provide the same to others. **Article 20.** Where the provision of GAI services from outside the territory of the People's Republic of China to persons within the territory of the People's Republic of China is not in line with laws, administrative regulations and these Measures, the Cyberspace Administration of China shall notify the relevant authorities to take technical measures and other necessary measures to deal with the situation. **Article 21.** Any Provider in violation of these Measures shall be punished by the competent authorities in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Law of the People's Republic of China on Science and Technology Progress and other laws and administrative regulations. In the absence of such provisions in laws and administrative regulations, the competent authorities shall, ex officio, give a warning to the Provider, circulate a notice of criticism against the Provider, and order the Provider to make corrections within a time limit. If the Provider refuses to make corrections or the circumstances are serious, the competent authorities shall order the Provider to suspend the provision of relevant services. Where a violation of public security administration is constituted, the offender shall be subject to public security administration punishment in accordance with the law; if a crime is constituted, the offender shall be subject to criminal liability in accordance with the law. ## Chapter V Supplementary Provisions **Article 22.** For the purpose of these Measures, the following terms shall have the following meanings: (I) "GAI technologies" refer to models and related technologies that can generate text, pictures, audio, video and other contents. (II) "GAI service providers" refer to the organizations and individuals that provide GAI services (including providing GAI services by providing programmable interfaces or otherwise) by using GAI technologies. (III) "Users of GAI services" refer to the organizations and individuals that use the content generated with GAI services. **Article 23.** Where laws and administrative regulations stipulate that the provision of GAI services shall obtain the relevant administrative license, any Provider shall obtain such license according to the law. Foreign-invested GAI services shall be in compliance with the relevant laws and administrative regulations on foreign investment. **Article 24.** These Measures shall come into force on August 15, 2023. --- ## Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial) - Chinese title: 医疗卫生机构数据安全和个人信息保护管理办法(试行) - Abbreviation: Healthcare Data Security & PI Measures - Hierarchy: rule - Issuing body: National Health Commission, Ministry of Public Security, Cyberspace Administration of China, National Administration of Traditional Chinese Medicine, and National Disease Control and Prevention Administration - Adopted: 2026-02-12 - Effective: 2026-02-12 - Status: effective - URL: https://datacompliancechina.com/laws/healthcare-institutions-data-security-pi-measures/ - Markdown: https://datacompliancechina.com/laws/healthcare-institutions-data-security-pi-measures.md - Source URL: https://www.nhc.gov.cn/guihuaxxs/c100133/202602/ ### Summary Issued jointly in February 2026 by five agencies — the National Health Commission, Ministry of Public Security, Cyberspace Administration of China, National Administration of Traditional Chinese Medicine, and National Disease Control and Prevention Administration — this trial rule applies the Data Security Law, PIPL, and the Regulation on Network Data Security Management to healthcare institutions. The Measures establish a three-tier data classification and grading framework (core data, important data, and general data), impose full-lifecycle security management obligations (governance, personnel, operations, technology, and incident response), and set out a ten-item data security prohibition list and an eight-item personal information prohibition list covering unlawful collection, unauthorized cross-border transfers, excessive access, and misuse of facial recognition. It is the sector's primary data-compliance instrument and the reference point for overseas pharma, medtech, and hospital joint-venture operators navigating data sharing, cross-border transfers, AI deployment, and clinical research partnerships in China. ### Full text **Promulgated by:** National Health Commission, Ministry of Public Security, Cyberspace Administration of China, National Administration of Traditional Chinese Medicine, and National Disease Control and Prevention Administration. **Document No.:** 国卫规划发〔2026〕6号. **Issued on February 12, 2026. Effective on the date of issuance.** --- ## Chapter I General Provisions **Article 1.** These Measures are formulated in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Law of the People's Republic of China on Basic Healthcare and Health Promotion, the Regulation on Network Data Security Management, and other laws and administrative regulations, in order to regulate the administration of data security and personal information protection of healthcare institutions, promote the development of data and the reasonable utilization of personal information by healthcare institutions, protect the lawful rights and interests of individuals and organizations, and coordinate development and security. **Article 2.** These Measures apply to the administration of data security and personal information protection by healthcare institutions. "Data" as used in these Measures means any recording of information in electronic or other form. "Healthcare institution data" as used in these Measures means various data collected and generated by healthcare institutions, including but not limited to clinical, scientific research, management, and other operational data, as well as data generated by medical equipment. "Data processing activities" as used in these Measures include the collection, storage, use, processing, transmission, provision, and disclosure of data. Personal information is a particularly important category of data; when personal information reaches a certain degree of precision or scale, it shall be managed in accordance with the requirements for data classification and grading and incorporated into the national catalogue of important data for priority protection. **Article 3.** Under the unified deployment of the national data security work coordination mechanism, the National Health Commission, the National Administration of Traditional Chinese Medicine, and the National Disease Control and Prevention Administration are responsible for the overall planning, guidance, assessment, and supervision of the administration of data security and personal information protection of healthcare institutions. Local health administrative authorities at or above the county level (including traditional Chinese medicine and disease control authorities, the same below) are responsible for the administration of data security and personal information protection of healthcare institutions within their administrative regions. Healthcare institutions are subject to supervision by health administrative authorities in accordance with the principle of territorial administration. **Article 4.** A healthcare institution bears primary responsibility for the administration of data security and personal information protection in its own institution. Healthcare institutions at or above the county level shall establish a leading group for cybersecurity and informatization work, with the institution's principal leader serving as the group head, and shall convene a data security and personal information protection meeting at least once per year to deploy data security and personal information protection work and to study and formulate relevant institutional norms. The principal leader of a healthcare institution is the first person responsible for data security and personal information protection administration of the institution; the deputy leader in charge is the directly responsible person. In accordance with the principle of "whoever administers a business must administer security" and the principle of "whoever is in charge is responsible, whoever operates is responsible, whoever uses is responsible," the respective duties of business departments and informatization departments within the institution shall be clarified, and the administration of data security and personal information protection of healthcare institutions shall be strengthened. ## Chapter II Data Classification and Grading Protection **Article 5.** In accordance with relevant laws and the requirements for data classification and grading in the healthcare sector, healthcare institution data is classified into core data, important data, and general data, and the classified and hierarchical protection system shall be implemented. Where data of different categories or grades are processed simultaneously and it is difficult to separately apply protective measures, protection shall be implemented in accordance with the requirements for the highest grade among them. **Article 6.** Provincial-level health administrative authorities shall, in accordance with the requirements for data classification and grading in the healthcare sector, organize the classification and grading of healthcare institution data within their provinces, put forward proposals for specific catalogues of important data and core data, and report them to the National Health Commission; where the catalogue changes, it shall be updated and reported in a timely manner. Where health administrative authorities at each level confirm data as important data, they shall promptly notify healthcare institutions thereof. Healthcare institutions shall periodically review their data, determine data categories, identify important data, and report to the local health administrative authority. The content of such reports shall include, but not be limited to, basic information such as the data source, category, grade, scale, purpose and method of processing, responsible party, cross-border transmission, and security protection measures, but shall not include the data content itself. **Article 7.** After the grade of healthcare institution data has been determined, the grade shall be promptly changed if any of the following circumstances arises: (1) a material change in the content of the healthcare institution data; (2) no material change in the content of the healthcare institution data, but a material change in the scale, currency, application scenarios, or processing methods of the healthcare institution data; or (3) any other circumstance requiring a change in the grade of the healthcare institution data. **Article 8.** Derived data generated from healthcare institution data through de-identification, labeling, statistical analysis, aggregation, or other processing activities shall have its data grade re-assessed and determined on the basis of the grading of the original data. ## Chapter III Full-Lifecycle Data Security Administration **Article 9.** When conducting data and personal information processing activities, healthcare institutions shall comply with laws and regulations, fulfill their corresponding data security protection obligations, adhere to the principle of equal emphasis on data security and development, and through management and technical means ensure an effective balance between data security and data application of healthcare institutions. Through carrying out the following work, among other things, healthcare institutions shall ensure that their data is continuously in a state of effective protection and lawful and compliant utilization, and shall prevent unauthorized access and the leakage, tampering, or loss of personal information: (1) Strengthening institutional safeguards. Healthcare institutions shall establish data security management systems, operating procedures, and technical norms, and shall, for data of different categories and grades, clarify specific protection requirements for each stage of collection, storage, use, processing, transmission, provision, and disclosure. (2) Strengthening personnel safeguards. Healthcare institutions shall strengthen the development of their data security management personnel team, regularly carry out data security education and training, and raise all personnel's awareness and capacity for data security and personal information protection. (3) Strengthening management safeguards. Healthcare institutions shall strictly manage day-to-day data and personal information processing activities and clarify processing permissions. They shall, by themselves or by engaging a third-party assessment agency, regularly conduct security risk assessments of the institution's data, promptly identify data security status, promptly rectify risk issues and eliminate hazards, and submit risk assessment reports to the local health administrative authority. (4) Strengthening technical safeguards. In the stages of collection, storage, use, processing, transmission, provision, disclosure, and deletion of data, healthcare institutions shall, according to different scenarios, comprehensively employ technical means such as encryption, authentication, access control, de-identification, digital watermarking, verification, and auditing to provide security protection. (5) Strengthening emergency safeguards. According to actual work conditions and the need to respond to data security incidents, healthcare institutions shall formulate and improve emergency response plans and regularly conduct drills. (6) Other measures required by laws, administrative regulations, and other provisions. **Article 10.** Healthcare institutions that process important data shall designate a person in charge of data security and a management body, implement data security protection responsibilities, conduct an annual risk assessment of their data processing activities, and submit risk assessment reports to health administrative authorities at the provincial level or above. Health administrative authorities shall promptly notify the cybersecurity authority and public security organs at the same level. Before providing, entrusting the processing of, or jointly processing important data, healthcare institutions shall conduct a risk assessment, except where such activities are carried out in performance of a statutory duty or a statutory obligation. Where a healthcare institution provides important data to, or entrusts processing of important data to, another data handler, it shall, through a contract or other means, agree with the recipient on the purpose, method, and scope of processing, as well as security protection obligations, and shall supervise the recipient's performance of its obligations. **Article 11.** When storing and processing important data, healthcare institutions shall fulfill the requirements for Multi-Level Protection Scheme (MLPS) protection at Level 3 or above. When storing and processing core data, healthcare institutions that involve critical information infrastructure (CII) shall, on the basis of the MLPS system, fulfill the requirements for the protection of critical information infrastructure; those that do not involve critical information infrastructure shall fulfill MLPS Level 4 protection requirements. Where the content of healthcare institution data changes materially and requires a change in the data grade, the institution shall promptly conduct a re-grading and re-filing of MLPS protection as appropriate. Where laws, regulations, and national provisions require the use of commercial cryptography for protection, the relevant provisions on commercial cryptography protection shall be observed. For activities involving the provision, transfer, or sharing of core data across different legal person entities, necessary security protection measures shall be taken, and the data recipient shall be informed to apply classified and hierarchical protection at the corresponding grade. Where the cumulative total from January 1 of the current year may reach 30% or more of the static total volume of such core data at the end of the previous year, a risk assessment organized by the relevant department shall be applied for through the National Health Commission. Activities involving the lawful performance of duties by state organs or internal flows within state organs or enterprises and public institutions are excepted. When processing core data, healthcare institutions shall, on the basis of the requirements for important data protection: (1) give priority to using commercial cryptography for protection; (2) give priority to using secure and trusted products and services; (3) give priority to engaging third-party assessment agencies to conduct risk assessments; (4) retain logs related to the handling and tracing of core data security incidents for no less than three years; and (5) submit personnel in key positions related to core data, and entities engaged in the construction and operation and maintenance of information systems involving core data, to national security background checks by public security organs and state security organs. **Article 12.** Healthcare institutions are supported in strengthening the security administration of data sharing and invocation, taking technical measures to periodically monitor data sharing and invocation, conducting audit analysis of operation logs for querying, downloading, modifying, and deleting data, promptly identifying non-compliant or abnormal behavior, taking corresponding response measures, and deploying authentication, threat alerting, and other security protection measures, on the premise of ensuring data security and in accordance with laws and regulations. **Article 13.** Healthcare institutions are supported in strengthening the development and utilization of data elements, on the premise of ensuring data and personal information security and in accordance with laws and regulations. Healthcare institutions shall establish and improve procedures for applications and approvals for data use, adhering to the principle of "whoever administers reviews," and shall adhere to the principle of prior application and approval, in-process supervision, and post-event review, strictly following the work procedure of approval by the business department, verification by the institution's leadership, and implementation support by the information technology department; where external provision of healthcare institution data is involved, approval shall be applied for in accordance with the relevant requirements to ensure that data activities are lawful and compliant. Healthcare institutions shall supervise the performance of security management responsibilities by data recipients. Healthcare institutions are encouraged to promote the lawful, reasonable, and effective utilization of healthcare institution data through approaches such as "raw data does not leave the domain, data is usable but invisible, and data is controllable and measurable." **Article 14.** Healthcare institutions shall, in accordance with national provisions on the development and utilization of public data resources and the specifications for authorized operation of public data resources, explore the establishment of a mechanism for classified and graded authorized operation of data, incorporate authorized operation within the scope of collective decision-making by the institution's leadership, clarify authorization conditions, operation modes, operation periods, exit mechanisms, and security management responsibilities, and authorize qualified operating institutions to carry out development, product operation, and technical services related to public data resources. **Article 15.** Where health administrative authorities and other state organs collect and use data in performing their statutory duties, they shall do so within the scope of their statutory duties and in accordance with the conditions and procedures prescribed by laws and administrative regulations. Where laws, administrative regulations, and national provisions expressly permit healthcare institutions to refuse the repeated collection of healthcare institution data by other administrative departments, healthcare institutions may refuse the relevant organization or individual from collecting healthcare institution data beyond the scope and limits necessary for the performance of statutory duties. Health administrative authorities at each level shall, in accordance with the Data Security Law of the People's Republic of China and other laws, administrative regulations, and national provisions, genuinely fulfill their sector supervision duties, strengthen centralized administration of data collection from healthcare institutions, establish and improve mechanisms for the sharing and joint use of healthcare institution data, and strengthen inter-departmental data sharing; healthcare institution data already collected by national and local health information platforms and infectious disease monitoring, warning, and emergency command platforms at each level shall, as a rule, be shared through cross-departmental sharing and exchange. Healthcare institutions shall promptly report to the local health administrative authority on the external provision of healthcare institution data. Local health administrative authorities shall, in accordance with laws and regulations, strengthen the administration of data submission by healthcare institutions, and focus on managing circumstances that violate relevant provisions, such as the repeated collection and over-scope collection of healthcare institution data. **Article 16.** Where a healthcare institution entrusts others to process, or jointly processes with others, healthcare institution data, data security responsibilities shall not change as a result of entrustment. Healthcare institutions shall, through strict approval procedures, clarify the data processing permissions and protection responsibilities of the entrusted party, and supervise the entrusted party's performance of data security protection obligations. Where cloud computing services are used to process healthcare institution data, a cloud computing service that has passed the cloud computing service security assessment shall be selected, and the requirements of these Measures shall simultaneously be observed. As a rule, health administrative authorities shall not entrust academic societies or associations with collecting data from healthcare institutions; where genuinely necessary, it shall pass the comprehensive deliberation of the data management body of the health administrative authority and be reviewed and approved by the leading group for cybersecurity and informatization work of the health administrative authority at the same level. **Article 17.** Healthcare institutions shall, in writing, agree with relevant entities involved in the construction, operation, and maintenance of their information systems, and with relevant medical equipment manufacturing and business enterprises that store healthcare institution data, on the obligations and responsibilities of each party, and shall implement a system of accountability. **Article 18.** Healthcare institutions shall, in accordance with business work needs and the principle of minimum authorization, set data processing permissions according to job responsibilities, control the range of persons who may access data, and promptly adjust permissions when personnel changes occur. **Article 19.** Important data processing activities shall record and maintain logs necessary for data security. For logs related to the handling and tracing of security incidents, the retention period shall be no less than one year; for logs related to the provision of important data to others, entrusted processing, or joint processing of important data, the retention period shall be no less than three years. **Article 20.** When healthcare institutions use new technologies such as artificial intelligence (AI) to process healthcare institution data, they shall assess the security risks brought by the use of such new technologies and take necessary technical measures to strengthen data security protection. **Article 21.** Where a healthcare institution needs to transfer or destroy healthcare institution data as a result of a merger, division, dissolution, or declaration of bankruptcy, it shall take necessary security protection measures and report the data disposal plan to the local health administrative authority in advance. Where the change causes a change in the catalogue of healthcare institution data, it shall promptly report to the local health administrative authority. **Article 22.** Healthcare institutions shall strengthen the full-lifecycle administration of healthcare institution data. Healthcare institutions and their personnel shall not engage in any of the following acts: (1) Unlawfully collecting healthcare institution data. Healthcare institutions shall strengthen the lawfulness administration of data collection, clarify the primary responsibilities of business departments and management departments in the lawfulness of data collection, and shall not collect data beyond the prescribed scope or steal or collect data through other unlawful means. (2) Unlawfully storing healthcare institution data. Important data collected and generated by healthcare institutions within the territory of China shall be stored within the territory of China, and shall be subject to security measures such as backup and encryption to strengthen storage security. (3) Unlawfully transmitting healthcare institution data. On the basis of data classification and grading, healthcare institutions shall further clarify the encrypted transmission requirements for data of different security grades, and shall not transmit core data, important data, or sensitive data through email, cloud storage, social software, or similar means. Interface security controls shall be strengthened during transmission, and preventive measures such as data de-identification, data encryption, and link encryption shall be applied to ensure security during transmission through interfaces and prevent data theft. (4) Unlawfully providing healthcare institution data outside the territory of China. Where healthcare institution data genuinely needs to be provided outside the territory of China, and falls within one of the circumstances provided in Article 7 of the Provisions on Promoting and Regulating Cross-Border Data Flows of the Cyberspace Administration of China, the healthcare institution shall first conduct a self-assessment, obtain approval by the institution's leading group for cybersecurity and informatization work or the leadership team, and report to the local health administrative authority for review and approval, after which the provincial-level cybersecurity authority shall apply to the national cybersecurity authority for a Data Export Security Assessment of healthcare institution data. Healthcare institution data collected and generated in academic cooperation activities that is provided outside the territory of China and does not contain personal information, sensitive data, or important data is exempt from the obligations to apply for a Data Export Security Assessment, enter into a Standard Contract for cross-border transfer of personal information, or obtain Personal Information Protection Certification. (5) Using healthcare institution data beyond authorized scope. Healthcare institutions shall strictly define the permissions of different personnel, strengthen the administration of application and approval procedures in the course of data use, strengthen log retention and administration, and shall not tamper with or delete logs; they shall ensure that data is used within a controlled scope and prevent unauthorized data use. Data-using departments and data users shall strictly use data in accordance with the stated purpose and scope of application, and shall be responsible for data security. Non-institutional personnel shall not perform remote operation and maintenance of information systems or medical equipment without supervision. (6) Processing healthcare institution data without authorization. Without authorization from the healthcare institution, personnel engaged in information system construction and operation and maintenance shall not process healthcare institution data. During the period of construction and operation and maintenance, data collected and generated shall not be used for other purposes without authorization; after services are completed, data shall be returned or destroyed in accordance with the agreement. Entities undertaking information system construction and operation and maintenance projects shall not subcontract or subdivide the work without approval. (7) Providing healthcare institution data without approval. Without approval from the institution's leading group for cybersecurity and informatization work or the leadership team, no department or individual may transmit undisclosed information and healthcare institution data outside the healthcare institution, or disclose it in any manner. (8) Casually disclosing healthcare institution data. Before disclosing healthcare institution data, healthcare institutions shall analyze and assess the possible impact on national security, economic and social security, the public interest, personal information security, and healthcare institution operations; data that has a significant impact shall not be disclosed. (9) Disposing of or repurposing equipment without destroying healthcare institution data. Before equipment is scrapped or repurposed, healthcare institutions shall completely erase data in accordance with the technical requirements for clearing information from electronic products; equipment shall not be directly scrapped or transferred to other use without processing. (10) Concealing healthcare institution data security incidents. When a healthcare institution experiences a data security incident, it shall immediately activate its emergency response plan, take measures to prevent the harm from expanding, eliminate security hazards, and report to the local health administrative authority and other competent authorities in accordance with prescribed requirements. ## Chapter IV Data Security Monitoring, Early Warning, and Emergency Response **Article 23.** The National Health Commission shall establish and improve a risk monitoring and early warning mechanism for data security of healthcare institutions, organize the formulation of standards and norms for monitoring and early warning of healthcare institution data security, make integrated use of technical means for monitoring and early warning of healthcare institution data security, possess capabilities for monitoring, early warning, response, and tracing, and strengthen information sharing with relevant departments. Local health administrative authorities shall establish and improve a risk monitoring and early warning mechanism for data security of healthcare institutions in their regions, organize the monitoring of data security risks in healthcare institutions, release early warning information in a timely manner in accordance with relevant provisions, and guide healthcare institutions to take responsive measures in a timely manner. Healthcare institutions shall establish mechanisms for risk monitoring, early warning, and emergency response regarding data security, obtain information on application vulnerabilities in information systems in a timely manner through channels such as the national information security vulnerability sharing platform, and prevent security risks such as the tampering, leakage, or loss of healthcare institution data through technical measures such as patch upgrades, configuration updates, and system hardening. **Article 24.** The National Health Commission shall establish and improve a mechanism for reporting and sharing information on healthcare institution data security risks, uniformly collect, analyze, assess, and report information on healthcare institution data security risks and hazards, and encourage industry organizations, security service agencies, research institutes, and others to report and share healthcare institution data security risk information. Local health administrative authorities shall promptly aggregate and analyze data security risks and hazards of healthcare institutions in their regions, and shall report to the National Health Commission risks and hazards that may cause important data or core data security incidents. Healthcare institutions shall promptly report to the local health administrative authority risks and hazards that may cause important data or core data security incidents. **Article 25.** The National Health Commission shall formulate emergency plans for data security incidents in the healthcare sector and conduct emergency drills, and shall guide emergency response work for security incidents involving important data and core data. Local health administrative authorities shall respectively organize emergency response work for healthcare institution data security incidents in their regions. Security incidents involving important data and core data shall be immediately reported to the National Health Commission, and the development of the incident and the status of response work shall be reported in a timely manner. Healthcare institutions shall formulate emergency plans for data security incidents and regularly organize drills. After a healthcare institution data security incident occurs, emergency response shall be promptly conducted in accordance with the emergency plan; security incidents involving important data and core data shall be promptly reported to the local health administrative authority, and a summary report shall be promptly prepared after the security incident has been handled. When a healthcare institution data security incident occurs, users shall be promptly notified, measures shall be taken to avoid or mitigate harm, and the local health administrative authority shall simultaneously be informed. ## Chapter V Personal Information Protection **Article 26.** Healthcare institutions shall, in accordance with the requirements of the Administrative Measures for Personal Information Protection Compliance Audits, conduct personal information protection compliance audits regularly, either by themselves or by engaging a specialized agency. **Article 27.** When a healthcare institution entrusts the processing of personal information, it shall conduct a Personal Information Protection Impact Assessment (PIPIA) in advance and enter into an entrustment agreement and a confidentiality agreement with the entrusted party, specifying the scope, purpose, duration, and method of the entrusted processing, the categories of personal information, protective measures, and the rights and obligations of both parties, and shall supervise the performance of the agreement. The entrusted party shall process personal information in accordance with the agreement and shall not process personal information beyond the agreed purpose and method of processing. Where a commission agreement does not take effect, is void, is rescinded, or is terminated, the entrusted party shall return the personal information to the healthcare institution or delete it, and shall not retain it. Without the consent of the personal information handler, the entrusted party shall not sub-entrust the processing of personal information to others. The entrusted party shall conduct pre-employment training and departure reviews for its personnel. **Article 28.** Where a healthcare institution uses new technologies such as artificial intelligence in the course of operations, and patient medical records and other personal information are involved, it must ensure the security of that personal information. **Article 29.** Healthcare institutions shall strengthen the protection of personal information. Healthcare institutions and their personnel shall not engage in any of the following acts: (1) Unlawfully processing personal information. Healthcare institutions and their personnel shall not unlawfully collect, store, use, process, transmit, provide, disclose, or delete personal information, shall not illegally buy, sell, provide, or publicly disseminate personal information, and shall not engage in personal information processing activities that endanger national security or the public interest. (2) Unlawfully collecting personal information. Healthcare institutions shall, in collecting personal information, follow the principles of lawfulness, legitimacy, necessity, and good faith, and shall not collect personal information through deceptive, fraudulent, or coercive means. (3) Collecting personal information beyond the prescribed scope. Healthcare institutions shall, in collecting personal information, have a clear and reasonable purpose, which shall be limited to the minimum scope necessary to achieve the processing purpose, and shall not excessively collect personal information. (4) Accessing personal information beyond authorized scope. Healthcare institutions shall adopt effective measures and technical means, implement strict identity authentication, and prevent the unlawful querying or retrieval of patient personal information by unrelated persons. They shall formulate authorization rules and, through a combination of scenario management and personnel management, clarify the lawful access situations in healthcare, teaching, scientific research, and public health emergencies, and shall not unlawfully access personal information; they shall strengthen the management of personal information of special groups such as pregnant and parturient women, newborns, HIV/AIDS patients, persons with mental disorders, deceased persons and their survivors, and public figures. Dynamic authorization management shall be implemented by distinguishing different positions and personnel, and the permissions of personnel who have left their positions or been transferred shall be promptly revoked. Promotion of authorization management, log archiving, digital watermarks, and other technologies for managing access permissions shall be encouraged to ensure that personal information operation traces, the time of marking operations, and the information of operating personnel are queryable and traceable. (5) Unlawfully providing personal information. Without the consent of the individual or the individual's guardian, healthcare institutions and their personnel shall not provide personal information such as an individual's name, date of birth, identity document number, biometric information, address, telephone number, or location trajectory "beyond what is necessary for work," except as otherwise provided by laws or administrative regulations, such as for responding to public health emergencies or for purposes necessary to protect the life and health of a natural person in an emergency. Information provided in the course of state organs performing their statutory duties shall not exceed the scope and limits necessary for the performance of such statutory duties. (6) Unlawfully disclosing personal information. Healthcare institutions "shall not display patients' personal names, identity document numbers, telephone numbers, or other personal information in public areas such as electronic display screens"; where genuinely necessary for business purposes, de-identification display shall be used. Without the consent of the individual, patient personal information shall not be disclosed in news reports, public lectures, social media, academic papers, scientific research, or similar contexts. Patient personal information shall not be transmitted through messaging software, social media, or similar means, and patient personal information shall not be disclosed through photography, screenshots, or similar means. (7) Unlawfully providing personal information outside the territory of China. Where a healthcare institution genuinely needs to provide personal information outside the territory of China for business or other reasons, it shall meet the conditions prescribed in Article 38 of the Personal Information Protection Law of the People's Republic of China, and shall inform the individual of the name or full name, contact information, purpose of processing, method of processing, categories of personal information, and the method and procedure for the individual to exercise relevant rights against the overseas recipient, and shall obtain the separate consent of the individual. (8) Misusing facial information. When applying facial recognition technology to verify personal identity or identify specific individuals, priority use of channels such as the national population basic information database and the national network identity authentication public service is encouraged. Where there are other non-facial-recognition technical means to achieve the same purpose or meet the same business requirements, healthcare institutions shall not use facial recognition technology as the sole verification method. Where an individual does not consent to identity verification through facial information, the healthcare institution shall provide other reasonable and convenient methods. Except as otherwise provided by laws and regulations or with the individual's separate consent, facial information shall be stored within facial recognition devices and shall not be transmitted externally via the internet. ## Chapter VI Supervision and Administration **Article 30.** Where health administrative authorities at each level discover that healthcare institution data processing activities pose significant security risks or that data security incidents have occurred, they shall urge and guide healthcare institutions to promptly handle and rectify the situation. Healthcare institutions shall promptly carry out security rectification and reinforcement, close loopholes, and eliminate risks in response to security vulnerabilities and hazards notified by health administrative authorities. Healthcare institutions shall cooperate with the investigation and verification of healthcare institution data security incidents conducted by cybersecurity authorities and public security organs. **Article 31.** Where local health administrative authorities at each level fail to fulfill the data security and personal information protection obligations prescribed in these Measures, their superior authorities shall order corrections; the directly responsible supervisors and other directly responsible personnel shall be subject to disciplinary sanctions in accordance with laws and regulations. **Article 32.** Where a healthcare institution violates the provisions of the Law of the People's Republic of China on Basic Healthcare and Health Promotion, and medical information is leaked due to inadequate medical information security systems or protective measures, the health administrative authority and other competent authorities of the people's government at or above the county level shall order corrections, issue a warning, and impose a fine; in serious cases, the relevant professional activities may be ordered to cease, and the directly responsible supervisors and other directly responsible personnel shall be held legally liable in accordance with law. Where personnel of a healthcare institution disclose citizens' personal information, the health administrative authority of the people's government at or above the county level shall impose administrative penalties in accordance with relevant laws and administrative regulations on the administration of licensed physicians, nurses, and personal information protection; personnel who are in healthcare institutions established by the government shall be subject to disciplinary sanctions in accordance with law. Where acts such as unlawfully collecting, using, processing, or transmitting citizens' personal health information, or unlawfully buying, selling, providing, or publicly disclosing citizens' personal health information, constitute a violation of public security administration, public security administration penalties shall be imposed in accordance with law. **Article 33.** Where, in violation of the provisions of the Civil Code of the People's Republic of China, a patient's privacy and personal information are disclosed, or a patient's medical records are disclosed without the patient's consent, tortious liability shall be borne. **Article 34.** In accordance with the provisions of the Data Security Law of the People's Republic of China, where health administrative authorities at each level discover, in performing their supervisory duties over healthcare institution data security, that data processing activities pose significant security risks, they may, in accordance with the prescribed authority and procedures, conduct a regulatory interview (yuetan) with the relevant healthcare institution and require the healthcare institution to take measures to rectify the situation and eliminate the hazard. Where a healthcare institution violates the Data Security Law of the People's Republic of China by failing to fulfill its prescribed data security protection obligations, or by providing important data outside the territory of China, it shall be handled pursuant to the relevant provisions of that Law. **Article 35.** In accordance with the provisions of the Personal Information Protection Law of the People's Republic of China, where health administrative authorities at each level, cybersecurity authorities, and public security organs discover, in performing their duties, that healthcare institutions pose significant risks or that personal information security incidents have occurred, they may, in accordance with the prescribed authority and procedures, conduct a regulatory interview (yuetan) with the legal representative or principal leader of the healthcare institution, or require the healthcare institution to engage a specialized agency to conduct a compliance audit of its personal information processing activities. Healthcare institutions shall take measures to rectify the situation and eliminate the hazard in accordance with the requirements. Where authorities performing duties of personal information protection, including health administrative authorities, discover violations of the Personal Information Protection Law of the People's Republic of China in performing their duties, they shall handle the matter in accordance with the relevant provisions of the Personal Information Protection Law of the People's Republic of China; where unlawful personal information processing activities are suspected to constitute a crime, the matter shall be promptly transferred to public security organs for handling in accordance with law. **Article 36.** Any organization or individual has the right to lodge complaints and reports with authorities performing duties of personal information protection, including health administrative authorities, concerning unlawful personal information processing activities. Upon receiving complaints and reports, the authorities shall handle them in a timely manner in accordance with law and inform the complainant or reporting party of the outcome. Authorities performing duties of personal information protection, including health administrative authorities, shall publish their contact details for receiving complaints and reports. ## Chapter VII Supplementary Provisions **Article 37.** Data processing activities involving state secrets or work secrets shall be governed by the provisions of the Law of the People's Republic of China on Guarding State Secrets and other relevant laws and administrative regulations. **Article 38.** Healthcare institutions may formulate corresponding implementation rules in accordance with these Measures. **Article 39.** These Measures shall be interpreted by the National Health Commission. **Article 40.** These Measures shall come into force on the date of issuance. --- ## Regulations on the Sharing of Government Data - Chinese title: 政务数据共享条例 - Hierarchy: regulation - Issuing body: State Council - Adopted: 2025-05-09 - Effective: 2025-08-01 - Status: effective - URL: https://datacompliancechina.com/laws/government-data-sharing-regulations/ - Markdown: https://datacompliancechina.com/laws/government-data-sharing-regulations.md ### Summary The first comprehensive State Council regulation specifically governing the sharing of government data across agencies. Establishes the unified national government-data sharing platform, defines responsibilities of the National Data Administration, sets data quality and security requirements, and addresses personal-information and important-data handling within the government-data context. ### Full text **Promulgated by:** State Council. **Document No.:** Decree No. 809 of the State Council. **Adopted at the 59th executive meeting of the State Council on May 9, 2025. Effective August 1, 2025.** --- ## Chapter I General Provisions **Article 1.** This Regulation is enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and other laws in order to promote the safe, orderly and efficient sharing and utilization of government data, improve the government's digital governance capacity and the efficiency of government services and comprehensively build a digital government. **Article 2.** This Regulation apply to the government data sharing between government departments and organizations with the function of administering public affairs as authorized by laws and regulations (hereinafter collectively referred to as the "government departments") as well as the relevant security, supervision, administration and other work. **Article 3.** For the purpose of this Regulation, the term "government data" refers to all kinds of data collected and generated by government departments in the course of performing their duties in accordance with the law, excluding the data that are state secrets or work secrets. For the purpose of this Regulation, the term "government data sharing" refers to the use of the government data of other government departments or the provision of government data for other government departments by the government departments as needed for performing their duties in accordance with the law. **Article 4.** Government data sharing shall adhere to the leadership of the Communist Party of China, implement the overall concept of national security, coordinate development and security in an overall manner and follow the principles of overall coordination, unified standards, lawful sharing, reasonable use, and controllable security. **Article 5.** Those who carry out the work of government data sharing shall abide by laws and regulations and fulfill the obligation of government data security protection and may not endanger national security or public interests or damage the legitimate rights and interests of citizens, legal persons or other organizations. **Article 6.** The State shall establish a standard system for government data sharing to promote the standardization and normalization of government data sharing. **Article 7.** The State encourages management innovation, institutional innovation and technological innovation in the field of government data sharing, so as to continuously improve the efficiency, application level and security guarantee capacity of government data sharing. ## Chapter II Management System **Article 8.** People's governments at all levels shall strengthen the organization and leadership over government data sharing. The competent department of government data sharing under the State Council is responsible for coordinating the promotion of national government data sharing. The competent department of government data sharing under a local people's government at or above the county level is responsible for coordinating the promotion of government data sharing within its administrative region. All departments under the State Council are responsible for their government data sharing and coordinating and guiding the government data sharing within their respective industries and fields. **Article 9.** The competent department of government data sharing shall, in concert with other government departments, study the major matters and important work in government data sharing, summarize and promote the typical cases and experience in government data sharing and coordinate and promote the safe, orderly and efficient sharing and use of government data across levels, regions, systems, departments and businesses. **Article 10.** Government departments shall implement their primary responsibilities for government data sharing, establish and perfect their own working systems for government data sharing and organize the study and resolution of major issues in government data sharing. **Article 11.** Government departments shall specify a working body for government data sharing. The working body for government data sharing shall be responsible for the specific work of government data sharing and perform the following duties: (1) Organizing the preparation, updating and maintenance of the directory of government data of the departments; (2) Organizing to file applications for sharing their government data, organizing the examination of applications for sharing their government data and coordinating and sharing their government data; (3) Ensuring that the government data provided thereby meet the standards and specifications for government data sharing; (4) Organizing the filing or handling of applications for verification of the government data involved; (5) Establishing and perfecting the data security and personal information protection system with regard to the government data sharing in the departments and organizing security assessments of the government data sharing; and (6) Other work of the departments related to government data sharing. ## Chapter III Directory Management **Article 12.** Government data shall be subject to unified directory management. The competent department of government data sharing under the State Council shall formulate the standards and specifications for preparation of the directory of government data and organize the preparation of the national directory of government data. The competent department of government data sharing under the local people's government at or above the county level shall organize the preparation of the directory of government data within its administrative region. A government department shall, according to its own duties and in accordance with the standards and specifications for preparing the directory of government data, prepare its own directory of government data. **Article 13.** When preparing a directory of government data, a government department shall assess confidentiality risk, the impact of personal information protection, etc. in accordance with the law and obtain the approval of the department head. The directory of government data shall specify such information as the name of the data directory, data items, supplier, data format, data update frequency, sharing attribute, sharing mode, conditions for use, and data classification and grading. **Article 14.** Government data shall be classified into three categories according to the sharing attributes, namely, unconditional sharing, conditional sharing and non-shareable: (1) The government data which can be provided for sharing and use among all government departments are subject to unconditional sharing; (2) The government data which can be provided for sharing and use among relevant government departments according to certain conditions are subject to conditional sharing; and (3) The government data which cannot be provided for sharing and use among other government departments as explicitly provided by laws, administrative regulations and decisions of the State Council are non-shareable. **Article 15.** Government departments shall scientifically and reasonably determine the attributes of government data sharing and may not hinder or affect the sharing of government data by arbitrarily imposing additional conditions. For government data subject to conditional sharing, the government departments shall specify the scope of sharing, purposes of use and other conditions for sharing and use in the directory of government data. For government data that are non-shareable, the government departments shall specify the reasons in the directory of government data and specify the basis of the corresponding laws, administrative regulations and decisions of the State Council. **Article 16.** A government department shall submit the directory of government data prepared to the competent department of government data sharing at the same level for examination. The competent department of government data sharing shall, upon examination and approval, notify the government department in a unified manner. The government department shall, by reference to the directory of government data released in a unified manner, enrich the government data resources, ensure the quality of government data and share government data in accordance with the law. **Article 17.** The directory of government data shall be dynamically updated. Where the directory of government data needs to be updated correspondingly due to the adjustment to laws, administrative regulations, decisions of the State Council or the change in duties of a government department, the government department shall, within ten working days from the date of occurrence of the adjustment or change, complete the update of the directory of government data and submit the same to the competent department of government data sharing at the same level for examination. Where the updating period needs to be extended due to special reasons, upon consent by the competent department of government data sharing at the same level, an extension of five working days may be granted. The competent department of government data sharing shall, within two working days from the date of receipt of the updated directory of government data, complete the examination and release the same. ## Chapter IV Sharing and Use **Article 18.** Government departments shall establish a sound whole-process quality management system for government data, improve the quality management capability for government data and strengthen the standardized management of collection, storage, processing, transmission, sharing, use, destruction, etc. of government data. **Article 19.** Government departments shall collect government data in accordance with statutory authorities, procedures, standards and norms. Where the government data obtained through sharing are sufficient to satisfy the needs for duty performance, the government departments shall not repetitively collect data from citizens, legal persons or other organizations. Where the collection of government data involves more than one government department, the competent department of government data sharing shall clarify the government department taking the lead in the collection and designate the same as the data source department. The data source department shall strengthen coordination, cooperation and information communication with other relevant government departments, timely improve and update government data, ensure the completeness, accuracy and availability of government data and provide government data sharing services in a unified manner. **Article 20.** The competent department of government data sharing shall establish a supply and demand matching mechanism for government data sharing and clarify the workflow. A government data demand department shall, as required for performing its duties, file an application for government data sharing according to the unified directory of government data released and upon the approval of the person-in-charge of the working body for government data sharing according to the law, specifying the basis, scenario, scope of use, sharing mode, time limit for use, etc. and ensure the authenticity, legality and necessity of the application for government data sharing. A government data supply department shall, within the time limit prescribed in Article 21 hereof, review the application for government data sharing filed by the government data demand department and give a reply upon the approval of the person-in-charge of the working body for government data sharing. **Article 21.** Where the government data applied for sharing by a government data demand department are subject to unconditional sharing, the government data supply department shall give a reply within one working day from the date of receipt of the application for sharing of government data; if the government data are subject to conditional sharing, the government data supply department shall, within ten working days from the date of receipt of the application for sharing of government data, give a reply on whether to approve the sharing or not. Where the reply period needs to be extended due to special reasons, the government data supply department shall report to the competent department of government data sharing at the same level for approval and inform the government data demand department that the extension shall not exceed ten working days. If the application materials submitted by the government data demand department are incomplete, the government data supply department shall inform it of the materials to be supplemented in a one-off manner and shall not directly reject the application. Where the government data supply department disagrees on sharing, it shall state the reasons. 20 **Article 22.** The government data supply department shall share the government data within 20 working days from the date when the reply on approval for sharing is made. The government data supply department may share the government data with the government data demand department through service interface, batch exchange, file downloading or otherwise. **Article 23.** The State encourages government departments at all levels to optimize the review process for government data sharing and shorten the time for review and provision of shared government data. **Article 24.** A government department at a higher level shall, based on the needs of performing duties by the government department at a lower level and under the premise of ensuring the security of government data, timely and completely return the government data collected and generated by the business information system within the administrative region of the government at a lower level and effectively conduct system connection and business collaboration, and may not set additional restrictive conditions. After obtaining the returned government data, the government department at a lower level shall share and use the data as required for performing duties and ensure the security of the relevant government data. **Article 25.** Government departments that obtain government data through sharing shall not expand the scope of use or use such data for any other purpose directly or in a disguised manner without authorization, nor shall they provide the government data obtained to any third party without authorization. Where there is a genuine need to expand the scope of use, use the data for any other purpose or provide the data to any third party, the consent from the government data supply department shall be obtained. The competent department of government data sharing and other government departments shall take measures to prevent the risk of leakage due to the convergence and correlation of government data. **Article 26.** The competent department of government data sharing under the State Council shall establish an overall system for verification and correction of government data. Government departments shall, in accordance with their respective duties, establish verification and correction rules and provide correction channels for government data. The government data demand department shall record the use status of government data. If any government data is found to be inaccurate or incomplete, the said department shall file an application for verifying the government data with the government data supply department in a timely manner. The government data supply department shall, within ten working days from the date of receipt of the application for verifying the government data, verify, correct and provide feedback on the verification and handling results. **Article 27.** For the government data obtained by a government data demand department through sharing, if the purpose of sharing has been achieved, cannot be achieved or such data is no longer necessary to achieve the purpose of sharing, such data shall be properly disposed of as required by the government data supply department. Where a government data demand department uses the government data beyond the scope of use or the purpose of sharing without authorization or provides the government data to any third party without authorization, the competent department of government data sharing or the government data supply department shall suspend its authority of government data sharing and urge it to make rectification within a prescribed time limit. If it refuses to do so or the rectification is not made as required, the sharing may be terminated. The government data supply department shall not terminate or change the government data sharing services already provided without justifiable reasons. Where there is a genuine need to terminate or change the services, the government data supply department shall consult with the government data demand department and file with the competent department of government data sharing at the same level for the record. **Article 28.** The competent department of government data sharing shall establish and improve a dispute resolution mechanism for government data sharing. Any dispute over government data sharing between the government data demand department and the government data supply department at the same level shall be resolved through consultation; if such consultation fails, an application shall be submitted to the competent department of government data sharing at the same level for coordination and settlement under procedures. Any dispute arising from cross-level or cross-regional government data sharing shall be coordinated and settled by the common competent department of government data sharing at a higher level. In case of failure to reach an agreement upon coordination and settlement by the competent department of government data sharing, such dispute shall be reported to the people's government at the counterpart level in charge of the competent department of government data sharing for decision. **Article 29.** The competent department of government data sharing shall supervise and inspect the government data sharing and may circulate a notice on any violation of this Regulation. The government data demand department shall record the use scenario, use process, application effect, storage and destruction of the shared government data and keep relevant records for not less than three years. The competent department of government data sharing and the government data supply department may consult the relevant records of the government data demand department. Where it is otherwise provided for by laws and administrative regulations, such provisions shall prevail. ## Chapter V Platform Support **Article 30.** The State coordinates the development of data infrastructure, improves the government data security protection capability and integrates and builds an integrated national government big data system featuring unified standards, reasonable layout, collaborative management, security and reliability. The competent department of government data sharing under the State Council shall coordinate the development and management of the integrated national government big data system and is responsible for integrating and building the national government big data platform to achieve interconnection with the government data platforms of the relevant departments under the State Council and the government data platforms in various regions so as to provide platform support for government data sharing. The competent departments of government data sharing under local people's governments at or above the county level shall be responsible for the development and management of the government data platforms within their respective administrative regions and share government data with towns (streets) and villages (communities) as needed. The development and optimization of their respective government data platforms by the relevant departments of the State Council may support the government data sharing in the relevant industries and fields. Those that have not established a government data platform may share their government data through the national government big data platform. **Article 31.** The government data platforms that have been established by government departments shall be included in the integrated national government big data system. Unless otherwise stipulated by laws and administrative regulations, it is prohibited, in principle, to carry out cross-level, cross-regional, cross-system, cross-departmental or cross-business government data sharing through the newly established government data sharing and exchange system. **Article 32.** Government departments shall carry out the relevant work on government data sharing through the integrated national government big data system. **Article 33.** The State encourages and supports the application of big data, cloud computing, artificial intelligence, block chain and other new technologies in government data sharing. ## Chapter VI Supporting Measures **Article 34.** The competent department of government data sharing shall, in concert with the cyberspace, public security, state security, secrecy administration, and cryptography administration departments at the same level, promote the development of the security management system for government data sharing under the classified and graded data protection system, clarify the security responsibility subjects for all stages of government data sharing and urge the fulfillment of security management responsibilities for government data sharing under the principle of "those who manage and use data shall be responsible". Where, in the process of using the government data shared according to the law, any government data are tampered with, destroyed, divulged or illegally used, the government data demand department shall assume the responsibility of security management. **Article 35.** Government departments shall establish and improve the security management system for government data sharing, implement the primary responsibilities for security management of the government data sharing and the requirements for classified and graded management of government data and ensure the security of government data sharing. Government departments shall adopt technical measures and other necessary measures to prevent government data from being tampered with, destroyed, divulged, or illegally obtained or illegally used. Government departments shall strengthen the security risk monitoring of government data, and when a government data security incident occurs, immediately initiate the emergency plan, take corresponding emergency response measures, prevent the expansion of harm, eliminate security hazards and report the incident to the relevant competent department as required. **Article 36.** Where a government department entrusts another party to participate in the construction, operation, maintenance of a government informatization project, or storage and processing of government data, it shall perform the approval procedures in accordance with the relevant provisions of the State, specify the work specifications and standards and take necessary technical measures to supervise the entrusted party in fulfilling the corresponding obligation of government data security protection. The entrusted party shall, in accordance with the provisions of laws, administrative regulations and contractual agreements, perform the obligation of government data security protection, and shall not access, obtain, retain, use, divulge or provide others with government data without authorization. The development and management entity of a government data platform shall, in accordance with the provisions of laws, administrative regulations and the compulsory requirements of national standards, ensure the safe and stable operation of the platform and maintain the security of government data. **Article 37.** Government departments and their staff shall abide by the Personal Information Protection Law of the People's Republic of China, the Administrative Regulation on Network Data Security and other laws and administrative regulations when carrying out government data sharing activities involving personal information. Citizens, legal persons and other organizations have the right to complain or report the acts infringing upon their legitimate rights and interests in the process of government data sharing, and the government departments receiving the complaints or reports shall promptly handle them as required. **Article 38.** People's governments at or above the county level shall include the funds required for government data sharing in their budgets. People's governments at or above the county level and their relevant departments shall implement whole-process budget performance management of the funds relating to government data sharing. Government data sharing shall be taken as an important basis for determining the construction investment, operation and maintenance funds and post-project assessment results of government informatization projects. The competent department of government data sharing shall strengthen the supervision over the timeliness and quality of data sharing by the government data supply departments within its jurisdiction, the application of data by government data demand departments and security supporting measures and report the same to the people's government at the counterpart level. ## Chapter VII Legal Liability **Article 39.** Where any government data supply department violates the provisions hereof and falls under any of the following circumstances, the competent department of government data sharing at the same level shall order it to make corrections; if it refuses to make corrections or the circumstances are serious, the responsible leader and the directly liable personnel shall be punished according to the law: (1) Failing to prepare or update the directory of government data as required; (2) Hindering or affecting the sharing of government data by imposing additional conditions without authorization or by other means; (3) Failing to cooperate with the data source department in timely improvement and updating of government data; (4) Failing to give a reply to the application for sharing government data on time or failing to share government data on time without a justified reason; (5) Failing to return the government data within the administrative region of the government at a lower level, which is collected or generated by the business information system, to the government department at a lower level as required; (6) Failing to verify and correct data upon receipt of the application for verifying the government data on time; (7) Terminating or modifying the government data sharing services already provided without authorization; (8) Failing to include the government data platform that has been built in the integrated national government big data system as required; or (9) Other circumstances in violation of the provisions hereof. **Article 40.** Where any government data demand department violates the provisions hereof and falls under any of the following circumstances, the competent department of government data sharing at the same level shall order it to make corrections; if it refuses to make corrections or the circumstances are serious, the responsible leader and the directly liable personnel shall be punished according to the law: (1) Repeatedly collecting the government data that can be obtained through sharing; (2) Using the government data obtained through sharing beyond the scope of use or the purpose of sharing without authorization; (3) Providing the government data obtained through sharing to a third party without authorization; (4) Failing to properly dispose of the government data obtained through sharing as required when the purpose of sharing has been achieved, or cannot be achieved, or the data is no longer necessary to achieve the purpose of sharing; (5) Failing to keep the relevant records of government data obtained through sharing as required; (6) Failing to perform the responsibility for security management of government data obtained through sharing; or (7) Other circumstances in violation of the provisions hereof. **Article 41.** Where any competent department of government data sharing violates the provisions hereof and falls under any of the following circumstances, the people's government at the counterpart level or the competent department at a higher level shall order it to make corrections; if it refuses to make corrections or the circumstances are serious, the responsible leader and the directly liable personnel shall be punished according to the law: (1) Failing to clarify the data source department as required; (2) Failing to coordinate and handle the disputes over government data sharing as required; or (3) Other circumstances in violation of the provisions hereof. **Article 42.** Where any government department or any staff member thereof divulges, sells or illegally provides others with personal privacy, personal information, trade secrets or confidential business information that has come to its/his/her knowledge in the process of government data sharing or neglects its/his/her duties, abuses its/his/her power or plays favoritism and commits irregularities in the sharing of government data, it/he/she shall be punished according to the law; if a crime is constituted, it/he/she shall be investigated for criminal liability according to the law. ## Chapter VIII Supplementary Provisions **Article 43.** The State promotes data sharing between government departments and other state organs as required for performing their respective duties by reference to the provisions hereof. **Article 44.** The present Regulation shall come into force as of 1 August 2025. --- ## Measures for the Administration of National Health and Medical Big Data Standards, Security and Services (Trial) - Chinese title: 国家健康医疗大数据标准、安全和服务管理办法(试行) - Abbreviation: Health & Medical Big Data Measures - Hierarchy: rule - Issuing body: National Health Commission - Adopted: 2018-07-12 - Effective: 2018-07-12 - Status: effective - URL: https://datacompliancechina.com/laws/national-health-medical-big-data-measures/ - Markdown: https://datacompliancechina.com/laws/national-health-medical-big-data-measures.md - Source URL: https://www.cac.gov.cn/2018-09/15/c_1123432498.htm ### Summary Issued by the National Health Commission on 12 July 2018 (document no. 国卫规划发〔2018〕23号), these Measures declare health and medical big data a fundamental national strategic resource and establish a comprehensive governance framework across three pillars: standards management, data security, and service management. Mandatory domestic storage within PRC territory is required, and cross-border transfer of health and medical big data is subject to a security assessment and approval process. Responsible units — including hospitals, health-information platforms, and enterprises — must implement the national Multi-Level Protection Scheme (MLPS), establish electronic real-name authentication and access-control systems, maintain full-process audit trails, and report major cybersecurity incidents. The Measures predate but directly feed into the Data Security Law and the Personal Information Protection Law and remain the primary sector-specific rule governing Chinese health data. ### Full text **Promulgated by:** National Health Commission of the People's Republic of China. **Document No.:** 国卫规划发〔2018〕23号. **Adopted and promulgated on July 12, 2018. Effective July 12, 2018.** --- ## Chapter I: General Provisions **Article 1.** These Measures are formulated in accordance with the Cybersecurity Law of the People's Republic of China and other laws, regulations, and relevant State Council documents, in order to strengthen the administration of health and medical big data services, promote the development of "Internet Plus Healthcare," and give full play to the role of health and medical big data as an important foundational strategic resource of the State. **Article 2.** In respect of the health and medical data generated within the territory of the People's Republic of China by Chinese citizens, the State shall, on the basis of safeguarding citizens' right to know, right to use, and right to privacy, administer, develop, and utilise such data in a regulated manner in accordance with requirements of national strategic security and the life safety of the people. **Article 3.** Adherence to the principles of people-centeredness and innovation-driven development, orderly regulation and security with controllability, openness and integration, co-building and sharing, in order to strengthen the standards management, security management, and service management of health and medical big data. **Article 4.** For the purposes of these Measures, "health and medical big data" means data relating to health and medicine generated in the course of disease prevention and treatment, health management, and similar activities. **Article 5.** These Measures apply to the administration of health and medical big data involving health administration authorities at the county level and above, medical and health institutions of all levels and types, and relevant entities and individuals. **Article 6.** The National Health Commission, together with relevant departments, is responsible for the overall planning, guidance, assessment, and supervision of the standards management, security management, and service management of health and medical big data nationally. Health administration authorities at the county level and above, together with relevant departments, are responsible for the administration of health and medical big data within their respective administrative regions. Medical and health institutions and relevant enterprises and public institutions at all levels and of all types are the responsible units for the security and application management of health and medical big data. ## Chapter II: Standards Management **Article 7.** The standards management of health and medical big data shall follow the principles of policy guidance, enhanced supervision, classified guidance, and graded administration. **Article 8.** The National Health Commission is responsible for the overall planning and organisation of national health and medical big data standards, and for organising the formulation of a planning framework for health and medical big data standards on the basis of existing foundational and general big data standards. Provincial health administration authorities are responsible for supervising, guiding, and evaluating the application of health and medical big data standards in their respective regions. **Article 9.** The National Health Commission encourages medical and health institutions, research and educational entities, relevant enterprises, industry associations, and social organisations to participate in the formulation of health and medical big data standards. Citizens, legal persons, and other organisations may put forward proposals for the formulation or revision of standards. **Article 10.** The National Health Commission is responsible for unified organisation and implementation, for the merit-based selection of drafting units and persons responsible for health and medical big data standards, and for promoting a multi-party participation and collaboration mechanism. **Article 11.** The procedures and requirements for the drafting, review, and publication of health and medical big data standards shall be carried out in accordance with relevant national and industry rules. **Article 12.** Health administration authorities shall strengthen the guidance and supervision of the implementation of health and medical big data standards, and establish long-term management mechanisms that incentivise and promote the application and implementation of standards. **Article 13.** Health administration authorities shall establish incentive and constraint mechanisms for the production and procurement of standardised health and medical big data products, shall actively advance standardisation and assessment work, and shall link assessment results to the accreditation and evaluation of medical and health institutions. **Article 14.** The National Health Commission shall strengthen the standards system and institutional development for health and medical big data technology products and service models, shall organise assessments of the effectiveness of standards application, and shall organise revision or repeal of standards according to the results of assessments. **Article 15.** The National Health Commission shall, on the basis of the health standards management platform, dynamically manage the development and application of health and medical big data standards and shall conduct dynamic monitoring of the application of standards by medical and health institutions and enterprises and public institutions at all levels and of all types. ## Chapter III: Security Management **Article 16.** The security management of health and medical big data refers to security and management work in the multiple phases of data collection, storage, mining, application, operation, and transmission, encompassing the management of responsibilities and rights with respect to national strategic security, the life safety of the people, and the security of personal information. **Article 17.** Responsible units shall establish and improve relevant security management systems, operating procedures, and technical specifications, shall implement the "first responsibility" (yibashou) system, and shall strengthen the development of a security-protection regime. The security, management, and use of health and medical big data involving State secrets shall be carried out in accordance with relevant national secrecy regulations. **Article 18.** Responsible units shall adopt measures such as data classification, backup of important data, and encryption and authentication to ensure the security of health and medical big data, and shall establish a reliable data disaster-recovery and backup mechanism. **Article 19.** Responsible units shall, in accordance with the requirements of the national Multi-Level Protection Scheme (MLPS) for cybersecurity, construct a trustworthy cybersecurity environment. Health and medical big data centres and relevant information systems shall carry out grading, filing, assessment, and other required work. **Article 20.** Providers of products and services for systems related to health and medical big data shall comply with the State's cybersecurity review system and shall not interrupt or effectively interrupt reasonable technical support and services. **Article 21.** Responsible units shall use information relating to health and medical big data in accordance with laws and regulations, shall provide secure channels for information query and copying, and shall ensure the protection of citizens' privacy and data security. **Article 22.** Responsible units shall strictly regulate the data-access and use permissions of users at different levels; no entity or individual may use or publish health and medical big data without authorisation or in excess of the scope of authorisation. **Article 23.** Responsible units shall establish rigorous electronic real-name authentication and data access controls, shall standardise the management of audit trails for the processes of data access, use, and destruction, and shall ensure that data handling is "manageable, controllable, with full audit trails throughout the service management process, and queryable and traceable." **Article 24.** Sound mechanisms for the training of personnel responsible for the security management of health and medical big data shall be established and improved, to ensure that relevant practitioners possess the required knowledge and skills. **Article 25.** Responsible units shall establish health and medical big data security monitoring and early-warning systems and shall establish a cybersecurity notification and emergency-response coordination mechanism. Where a major cybersecurity incident occurs, it shall be reported and handled in accordance with relevant laws, regulations, and requirements. ## Chapter IV: Service Management **Article 26.** The National Health Commission is responsible for formulating relevant norms and standards for the application of health and medical big data, and for establishing an application integrity mechanism and an exit mechanism. **Article 27.** Responsible units implementing health and medical big data management and services shall, in accordance with laws, regulations, and relevant document provisions, adhere to the principles of medical ethics and protect personal privacy. **Article 28.** Responsible units shall specify the relevant management departments and posts, shall implement a management system of "unified graded authorisation, classified application management, and consistency of powers and responsibilities," and shall build corresponding health and medical big data information systems. **Article 29.** When responsible units collect health and medical big data, they shall strictly comply with relevant national and industry standards and procedures so as to achieve "unified standards, standardised terminology, and accurate content," and the information collected shall strictly undergo an information verification and final-review procedure. **Article 30.** Responsible units shall possess data storage, disaster-recovery backup, and security management conditions that meet the requirements of relevant national regulations. Health and medical big data shall be stored on secure and trusted servers within the territory of the People's Republic of China; where, due to business needs, it is genuinely necessary to provide such data to parties outside the territory, a security assessment and approval process shall be conducted. **Article 31.** When responsible units select health and medical big data service providers, they shall ensure that such providers comply with national and industry regulations and requirements and possess the capability to fulfil relevant laws and regulations. **Article 32.** Where responsible units entrust relevant organisations with the storage and operation of health and medical big data, the entrusting unit and the entrusted unit shall jointly bear management and security responsibilities. The entrusted unit shall carry out its work strictly in accordance with relevant laws and regulations and the entrustment agreement. **Article 33.** Responsible units shall, in accordance with the needs of service and management work, promptly update, screen, optimise, and maintain health and medical big data so as to ensure that information remains in the most up-to-date, continuous, effective, high-quality, and secure state. **Article 34.** Where a responsible unit undergoes changes, it shall transfer the health and medical big data under its administration in a complete and secure manner to the institution that assumes its functions, and shall not cause damage, loss, or leakage. **Article 35.** When responsible units publicly disclose health and medical big data to society, they shall comply with relevant national regulations and shall not disclose State secrets, trade secrets, or personal privacy. **Article 36.** Responsible units shall strengthen the use of and services relating to health and medical big data, and shall create the conditions for the standardised use thereof and promote online query of health and medical big data. **Article 37.** The National Health Commission is responsible, in accordance with relevant national regulations on open sharing of information resources, for establishing a working mechanism for the open sharing of health and medical big data, and for coordinating the construction of reporting system platforms, information resource catalogue systems, and sharing and exchange systems. ## Chapter V: Supervisory Administration **Article 38.** Health administration authorities shall strengthen supervisory administration, shall conduct routine inspections of all responsible units within their administrative regions, and shall guide and supervise the comprehensive utilisation of data. Medical and health institutions at all levels and of all types shall connect to the corresponding regional population health information platform and shall transmit and back up data generated by medical and health services. **Article 39.** Health administration authorities shall strengthen monitoring and assessment, shall regularly conduct stability and security assessments of health and medical big data platforms and service providers, and shall establish systems for evaluation and security review covering cybersecurity protection, system interconnection and sharing, and the protection of citizens' privacy. **Article 40.** Health administration authorities, together with relevant departments, shall establish a system of accountability for health and medical big data security management work. In respect of entities and individuals that violate the provisions of these Measures, the competent authorities shall, depending on the severity of the circumstances, conduct a regulatory interview (yuetan), order rectification, give a written admonishment, issue public criticism, or impose a sanction, or put forward a recommendation for a sanction to be imposed; where a violation constitutes a violation of law, the matter shall be referred to the judicial authorities for the pursuit of legal liability in accordance with law. ## Chapter VI: Supplementary Provisions **Article 41.** These Measures shall come into force from the date of promulgation. --- ## Measures for the Cybersecurity Management of Healthcare Institutions - Chinese title: 医疗卫生机构网络安全管理办法 - Abbreviation: Healthcare Cybersecurity Measures - Hierarchy: rule - Issuing body: National Health Commission, National Administration of Traditional Chinese Medicine, and National Disease Control and Prevention Administration - Adopted: 2022-08-08 - Effective: 2022-08-08 - Status: effective - URL: https://datacompliancechina.com/laws/healthcare-institutions-cybersecurity-measures/ - Markdown: https://datacompliancechina.com/laws/healthcare-institutions-cybersecurity-measures.md - Source URL: https://www.gov.cn/zhengce/zhengceku/2022-08/30/content_5707404.htm ### Summary Issued jointly in August 2022 by the National Health Commission (NHC), the National Administration of Traditional Chinese Medicine (NATCM), and the National Disease Control and Prevention Administration (NDCPA), these Measures translate the Cybersecurity Law and the Multi-Level Protection Scheme (MLPS) into sector-specific obligations for every healthcare institution operating a network in China. They establish a graded classification and protection framework, fix the institution as the primary responsible party for cybersecurity, and impose tailored security requirements for emerging technologies including cloud computing, IoT, internet-based diagnosis, facial recognition, and cross-border data flows. A dedicated data security chapter covers the full data lifecycle — from lawful collection through encrypted storage and transmission to irreversible destruction — with a hard data-localization rule and a requirement to submit national security review filings for processing activities that affect or may affect national security. Overseas counsel advising on digital-health investments, telemedicine joint ventures, or health-data export transactions will find these Measures to be the primary sector law governing operational cybersecurity and data security obligations for Chinese healthcare entities. ### Full text **Promulgated by:** National Health Commission, National Administration of Traditional Chinese Medicine, and National Disease Control and Prevention Administration. **Document No.:** 国卫规划发〔2022〕29号. **Adopted and promulgated on August 8, 2022. Effective upon promulgation.** --- 医疗卫生机构网络安全管理办法 第一章 总则 **Article 1.** These Measures are formulated, in order to strengthen cybersecurity management at healthcare institutions, further promote the development of "Internet Plus Health Care," give full play to the role of health and medical big data as an important foundational strategic resource of the State, and prevent cybersecurity incidents, in accordance with the Law on the Promotion of Basic Medical and Health Care, the Cybersecurity Law, the Cryptography Law, the Data Security Law, the Personal Information Protection Law, the Security Protection Regulations for Critical Information Infrastructure, the Cybersecurity Review Measures, and the Multi-Level Protection Scheme (MLPS) and other relevant laws, regulations, and standards. **Article 2.** The following principles shall be upheld: Cybersecurity serves the people and relies on the people; the integrated development of cybersecurity education, technology, and industry shall be promoted; the promotion of development and management in accordance with law shall be unified; and security controllability and open innovation shall be given equal weight. Graded protection and emphasis on key priorities shall be upheld. Priority protection shall be given to critical information infrastructure (CII), Level-3 and above networks under the Multi-Level Protection Scheme (MLPS) (hereinafter "Level-3 and above networks"), and important data and personal information security. Active defense and comprehensive protection shall be upheld. Artificial intelligence, big data analysis, and other technologies shall be fully utilized to strengthen security monitoring, situational awareness, threat notification and early warning, and emergency response; and the "three transformations and six defenses" (三化六防) cybersecurity protection measures — comprising "operationalization, systematization, and normalization" and "dynamic defense, active defense, in-depth defense, precision protection, holistic control, and joint defense and control" — shall be implemented. The principle of "whoever manages business manages security" and "whoever has jurisdiction bears responsibility, whoever operates bears responsibility, and whoever uses bears responsibility" shall be upheld; the cybersecurity accountability system shall be implemented; and the responsibilities of all parties shall be clearly defined. **Article 3.** For the purposes of these Measures, "network" means a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges, and processes information in accordance with certain rules and procedures. The "data" referred to in these Measures is network data, meaning various electronic data collected, stored, transmitted, processed, and generated through networks by healthcare institutions, including but not limited to various clinical, research, and management business data, data generated by medical devices, personal information, and data derivatives. These Measures apply to the cybersecurity management of networks operated by healthcare institutions. Primary-level healthcare institutions that have not been incorporated into a regional primary healthcare information system shall implement these Measures by analogy. **Article 4.** The National Health Commission (NHC), the National Administration of Traditional Chinese Medicine (NATCM), and the National Disease Control and Prevention Administration (NDCPA) are responsible for the overall planning, guidance, assessment, and supervision of cybersecurity work at healthcare institutions. Local health administrative departments at the county level and above (including departments responsible for traditional Chinese medicine and disease control, the same below) are responsible for guiding and supervising cybersecurity work at healthcare institutions within their respective administrative areas. Healthcare institutions bear primary responsibility for cybersecurity management at their own institutions. Each healthcare institution shall, in writing, agree with entities participating in informatization construction and relevant medical device manufacturers and distributors on the cybersecurity obligations and liability for breach of each party. 第二章 网络安全管理 **Article 5.** Each healthcare institution shall establish a leading group for cybersecurity and informatization work, with the institution's principal responsible person serving as the leader of the group; the group shall convene at least one cybersecurity working meeting per year to deploy key security tasks and implement the requirements of the Security Protection Regulations for Critical Information Infrastructure and the Multi-Level Protection Scheme (MLPS). Healthcare institutions with Level-2 and above networks shall designate a functional department responsible for cybersecurity management work, and designate positions responsible for the duties of cybersecurity supervisor and cybersecurity administrator; establish a cybersecurity management system, strengthen cybersecurity protection, and reinforce emergency response; and, on this basis, provide key protection for critical information infrastructure (CII) to prevent cybersecurity incidents. **Article 6.** Each healthcare institution shall, in accordance with the principle of "whoever has jurisdiction bears responsibility, whoever operates bears responsibility, and whoever uses bears responsibility," clearly define, during the network construction process, the management responsibilities of the jurisdiction department, operating department, informatization department, and user department for each of its networks; and shall carry out classification and rating, filing, assessment, and security construction rectification work under the Multi-Level Protection Scheme (MLPS) for the networks within its operating scope. (1) For newly constructed networks, the cybersecurity protection level shall be determined during the planning and reporting phase. Each healthcare institution shall comprehensively sort through all types of networks within the institution, in particular the basic situation regarding new-technology applications including cloud computing, the Internet of Things, blockchain, 5G, and big data, and shall scientifically determine the cybersecurity protection level of each network based on the network's functions, service scope, service objects, and data processed, in accordance with relevant standards, and shall submit the determination for review and approval by the superior competent authority. (2) Newly constructed networks put into use shall carry out MLPS filing work in accordance with laws and regulations. Level-2 and above networks shall, within ten working days after the cybersecurity protection level is determined, be filed with the public security organs by their operators, and the filing status shall be reported to the superior health administrative department; where a network is withdrawn or its security protection level changed, the filing shall be withdrawn or amended with the original public security filing organ within ten working days, and a concurrent report shall be made to the superior health administrative department. (3) A comprehensive analysis of cybersecurity protection requirements shall be conducted; an overall plan and construction proposal meeting the cybersecurity protection level requirements shall be developed in accordance with the requirement of "one center (security management center) and three-tier protection (secure communication network, secure area boundary, and secure computing environment)"; security management during the in-house development or outsourced development of information systems shall be strengthened; cybersecurity construction shall be conscientiously carried out; and security protection measures shall be fully implemented. (4) Each healthcare institution shall conduct detection and assessment of the security of its already-classified and filed networks. Level-3 and Level-4 networks shall engage a MLPS assessment institution to conduct cybersecurity level assessments at least once per year. Level-2 networks shall engage a MLPS assessment institution to conduct periodic cybersecurity level assessments; among these, networks involving the personal information of more than 100,000 persons shall conduct a cybersecurity level assessment at least once every three years, and other networks at least once every five years. Newly constructed networks shall undergo a security test before going online and into operation. (5) For problems and hidden dangers identified during level assessments, each healthcare institution shall, in light of external threat risks and in accordance with the requirements of laws, regulations, policies, and standards, formulate a cybersecurity rectification plan; carry out targeted rectification; promptly eliminate risks and hidden dangers; shore up management and technical weaknesses; and enhance security protection capability. **Article 7.** Each healthcare institution shall, by leveraging the national cybersecurity information notification mechanism, strengthen its own cybersecurity notification and early-warning capacity-building. Tertiary-grade hospitals are encouraged to explore the construction of situational awareness platforms to promptly collect, aggregate, and analyze cybersecurity information from all sources; to strengthen threat intelligence work; to organize cybersecurity threat analysis and situational assessments; and to provide timely notifications, early warnings, and responses to prevent events such as network destruction and data leakage. **Article 8.** Each healthcare institution shall establish an emergency response mechanism and, through developing and improving emergency response plans and organizing emergency drills, effectively handle security incidents such as network interruptions, cyber attacks, and data leakage, and improve the capacity to respond to cybersecurity incidents. Institutions shall actively participate in cybersecurity offense-and-defense drills to enhance protection and countermeasures capability. **Article 9.** During network operations, each healthcare institution shall annually conduct security self-inspections in various forms, including document verification, vulnerability scanning, and penetration testing, to promptly identify potential problems and hidden dangers. Security vulnerabilities identified during security self-inspections, monitoring and early warning, and security notification processes shall be conscientiously rectified and reinforced to prevent networks from operating with pre-existing flaws; and the results of security self-inspection and rectification shall be reported to the superior health administrative department as required. Self-inspection and rectification may be carried out concurrently with rectification of problems identified during level assessments. The annual security self-inspection and rectification work includes: (1) In accordance with the requirements of the superior supervisory and regulatory authority, each healthcare institution shall complete an information asset inventory, ascertain the classification, filing, and other status of its networks, compile an asset list, and organize a security self-inspection. (2) In accordance with the requirements of the superior supervisory and regulatory authority, each healthcare institution shall, based on the results of the security self-inspection, carry out rectification of identified problems and hidden dangers and submit a rectification report to the relevant supervisory and regulatory authority for the record. **Article 10.** Critical information infrastructure (CII) operators shall conduct security background checks on the heads of security management bodies and personnel in key positions. Each healthcare institution shall strengthen the management of personnel involved in network operations, including both its own internal staff and third-party personnel; shall clearly define the full-process security management for internal staff covering onboarding, training, assessment, and departure; for third-party personnel shall clearly define the application and approval process for accessing networks; and shall carry out real-name registration, personnel background checks, and the signing of confidentiality agreements to prevent security risks arising from personnel qualifications and unauthorized operations. **Article 11.** Network operations and maintenance management shall be strengthened; operational specifications and workflows shall be formulated. Physical security protection shall be strengthened; security control measures for server rooms, office environments, and operations and maintenance sites shall be improved to prevent information leakage resulting from unauthorized physical access. Remote operations and maintenance management shall be strengthened; where, due to genuine business needs, remote operations and maintenance through the internet is required, an assessment and demonstration shall be conducted and corresponding security control measures shall be taken to prevent security incidents caused by exposure of remote ports. **Article 12.** Each healthcare institution shall strengthen business continuity management and continuously monitor network operational status. For Level-3 and above networks, key link and key device redundancy backup shall be strengthened; healthcare institutions with the capability to do so shall establish application-level disaster recovery backup to prevent interruptions to key business functions. **Article 13.** When using new technologies such as big data, artificial intelligence, and blockchain to provide services, the security risks of the new technologies shall be assessed and security controls applied before going online, to achieve a balance between application and security. **Article 14.** Each healthcare institution shall standardize and strengthen the protection of medical device data and personal information as well as cybersecurity management; shall establish and improve cybersecurity management systems covering tendering and procurement, installation and commissioning, operation and use, maintenance and repair, and disposal of medical devices; shall periodically inspect or assess medical device cybersecurity; and shall take corresponding security control measures to ensure medical device cybersecurity. **Article 15.** Each healthcare institution shall, in accordance with the Cryptography Law and other relevant laws and regulations and standards and specifications for cryptographic applications, synchronously plan, construct, and operate cryptographic protection measures in the network construction process, and shall use cryptographic products and services meeting the relevant requirements. **Article 16.** Each healthcare institution shall give attention to the security management of all participants in the entire network chain; where third parties outside the institution are involved, it shall implement security management over design, construction, operation, and maintenance services, and shall procure secure network products and services to prevent third-party security incidents. **Article 17.** Each healthcare institution shall strengthen the security management of decommissioned networks; conduct risk assessments on equipment associated with decommissioned networks; promptly take measures to seal or destroy such equipment; ensure the secure disposal of data in decommissioned networks; and prevent network data leakage. 第三章 数据安全管理 **Article 18.** Each healthcare institution shall, in accordance with the provisions of relevant laws and regulations and with reference to national cybersecurity standards, fulfill its data security protection obligations; shall adhere to the equal importance of ensuring data security and development; and shall, through management and technical means, ensure an effective balance between data security and data application. Critical information infrastructure (CII) operators shall formulate critical information infrastructure security protection plans and shall establish and improve systems for data security and personal information protection. **Article 19.** A data security management organizational structure shall be established; the primary responsibilities of business departments and management departments in data security activities shall be clearly defined; through means such as security responsibility letters, the rights and responsibilities of the institution's data management departments, business departments, and informatization departments in the entire lifecycle of data security management shall be regulated; a data security accountability system shall be established; and an accountability and investigation system shall be implemented. **Article 20.** Each healthcare institution shall conduct a comprehensive annual review of its data assets and, on the basis of implementing the Multi-Level Protection Scheme (MLPS), shall establish the institution's data classification and grading standards based on the importance of the data and the degree of harm caused by its compromise. Data classification and grading shall follow the principles of legal compliance, executability, timeliness, autonomy, differentiation, and objectivity. **Article 21.** Each healthcare institution shall establish and improve data security management systems, operating procedures, and technical specifications; the management systems involved shall be revised at least once per year; it is recommended that relevant personnel sign confidentiality agreements annually. Annual data security risk assessments shall be conducted on the institution's data to keep abreast of the data security status in a timely manner. Data security education and training shall be strengthened; security awareness education and data security management system publicity and training shall be organized. Combined with the institution's actual circumstances, complete data use application and approval workflows shall be established and improved, following the principles of "whoever manages, reviews," prior application and approval, monitoring during the process, and post-process review; the work procedure requiring the consent of the business management department and approval by the healthcare institution's leadership shall be strictly executed; and the compliance of data activity processes shall be guided. **Article 22.** Each healthcare institution shall strengthen the full-lifecycle security management of data covering collection, storage, transmission, processing, use, exchange, and destruction; data lifecycle activities shall be conducted within the territory of China; where, due to genuine business needs, data must be provided to entities outside the territory, a security assessment or review shall be conducted in accordance with relevant laws, regulations, and requirements; data processing activities that affect or may affect national security shall be submitted for a national security review; and data security incidents shall be prevented. (1) Each healthcare institution shall strengthen the management of the lawfulness of data collection and shall clearly define the primary responsibilities of business departments and management departments in the lawfulness of data collection. Preventive measures such as data de-identification, data encryption, and link encryption shall be taken to prevent data leakage during the data collection process. (2) On the basis of data classification and grading, the encrypted transmission requirements for data at different security levels shall be further clarified. Interface security controls during the transmission process shall be strengthened to ensure security during transmission through interfaces and to prevent data theft. (3) Each healthcare institution shall, in accordance with relevant laws and standards, select an appropriate data storage architecture and storage media and store data within the territory of China, and shall adopt backup, encryption, and other measures to strengthen data storage security. Where data is stored on the cloud, the potential security risks shall be assessed. The data storage period shall not exceed the retention period determined by the data use rules. Access control security, data copy security, and data archiving security management during the storage process shall be strengthened. (4) Each healthcare institution shall strictly define the access rights of different personnel; shall strengthen the management of application and approval workflows during data use; shall ensure that data is used within a controllable scope; shall strengthen log retention and management; shall prevent the falsification or deletion of logs; and shall prevent unauthorized use of data. Each data-using department and each data user shall use data strictly in accordance with the purpose and scope stated in the application and shall be responsible for the security of the data. Without approval, no department or individual may transmit information data that has not been publicly disclosed outside the department or disclose it in any manner. (5) When each healthcare institution publishes or shares data, the potential security risks shall be assessed and necessary security prevention and control measures shall be taken; where data reporting is involved, the party proposing data reporting shall be responsible for interpreting the reporting requirements, determining the reporting scope and reporting rules, and ensuring that data reporting is secure and controllable. (6) When a healthcare institution conducts facial recognition or facial identification, it shall simultaneously provide a non-facial-recognition identity verification method; the institution shall not refuse a data subject's use of its basic business functions on account of the data subject's refusal to consent to the collection of facial recognition data; and facial recognition data shall not be used for purposes other than identity verification, including but not limited to assessing or predicting a data subject's work performance, financial status, health status, preferences, or interests. Each healthcare institution shall take security measures to store and transmit facial recognition data, including but not limited to encrypted storage and transmission of facial recognition data, and the use of physical or logical isolation to store facial recognition data and personal identity information separately. (7) When destroying data, a destruction method that ensures the data cannot be restored shall be used, with particular attention to the risks of data remnants and data backup. 第四章 监督管理 **Article 23.** Each healthcare institution shall actively cooperate with the supervision and management of the relevant competent supervisory and regulatory authorities, accept routine inspections of cybersecurity management, and do a good job of cybersecurity protection. **Article 24.** Each healthcare institution shall promptly rectify vulnerabilities, hidden dangers, and other problems identified by the relevant competent supervisory and regulatory authorities during inspections, and shall prevent major cybersecurity incidents. **Article 25.** Where a security incident involving the leakage, damage, or loss of personal information or data occurs, or a cybersecurity incident such as a cyber attack, intrusion, or takeover of network systems occurs, or where a network vulnerability or hidden danger is discovered or cybersecurity risk is significantly increased, each healthcare institution shall immediately activate its emergency response plan, take necessary remediation and response measures, promptly notify the relevant parties through various means such as telephone, SMS, email, or letter, and report to the relevant competent supervisory and regulatory departments as required. **Article 26.** Health administrative departments at all levels shall establish a working mechanism for the notification of cybersecurity incidents and shall promptly notify cybersecurity incidents. **Article 27.** When a cybersecurity incident occurs, each healthcare institution shall promptly report to the health administrative department and the public security organs, take measures to protect the scene and preserve relevant records, and provide technical support and assistance to the public security organs and other supervisory departments in lawfully maintaining national security and conducting investigations. 第五章 管理保障 **Article 28.** Each healthcare institution shall attach great importance to cybersecurity management work, place it on the agenda for important deliberations, and strengthen overall leadership and planning and design; shall in accordance with laws and regulations address major issues including the allocation of personnel and funds and the construction of security protection measures; and shall ensure that security protection measures for information systems are planned, constructed, and used synchronously. **Article 29.** Each healthcare institution shall strengthen business exchanges on cybersecurity, strictly implement the continuing education system for cybersecurity, and encourage management and technical positions to obtain and maintain relevant qualifications. Through organizing academic exchanges and skills competitions, cybersecurity talent shall be identified and selected; talent pools shall be established; and mechanisms for the identification, cultivation, selection, and utilization of talent shall be established and improved to provide human resources support for carrying out cybersecurity work. **Article 30.** Each healthcare institution shall ensure the allocation of funds for conducting MLPS level assessments, risk assessments, offense-and-defense drill competitions, security construction and rectification, security protection platform construction, cryptographic security system construction, operations and maintenance, and education and training. The cybersecurity budget for newly constructed informatization projects shall not be less than five percent of the project's total budget. **Article 31.** Each healthcare institution shall further improve the cybersecurity assessment and evaluation system, clarify assessment indicators, and organize assessments. Healthcare institutions with the capability to do so are encouraged to link assessment results to performance. 第六章 附则 **Article 32.** Violations of these Measures that result in personal information or data leakage, or in major cybersecurity incidents, shall be handled in accordance with the Cybersecurity Law, the Cryptography Law, the Law on the Promotion of Basic Medical and Health Care, the Data Security Law, the Personal Information Protection Law, the Security Protection Regulations for Critical Information Infrastructure, the Multi-Level Protection Scheme (MLPS), and other laws and regulations. **Article 33.** Networks involving State secrets shall be handled in accordance with relevant State regulations. **Article 34.** These Measures shall come into force on the date of promulgation. --- ## Measures for the Administration of Population Health Information (Trial) - Chinese title: 人口健康信息管理办法(试行) - Abbreviation: Population Health Information Measures - Hierarchy: rule - Issuing body: National Health and Family Planning Commission - Adopted: 2014-05-05 - Effective: 2014-05-05 - Status: effective - URL: https://datacompliancechina.com/laws/population-health-information-measures/ - Markdown: https://datacompliancechina.com/laws/population-health-information-measures.md - Source URL: http://www.cac.gov.cn/2014-08/20/c_1112064075.htm ### Summary Issued by the National Health and Family Planning Commission in May 2014 under Document No. 国卫规划发〔2014〕24号, these Measures govern the collection, storage, management, use, and security protection of population health information by all health and family-planning service institutions. The Measures define population health information, establish a 'one data point, one source' collection principle, and—crucially—prohibit the storage of population health information on servers located overseas. They impose a system of classified information utilization, trace-management for all access and modification, and a liability-investigation mechanism for breaches. As one of China's earliest sectoral health-data localization rules, these Measures remain relevant for overseas counsel advising on health-tech investment, cross-border health-data transfers, and compliance due diligence under the layered framework that now includes PIPL and the Data Security Law. ### Full text **Promulgated by:** National Health and Family Planning Commission. **Document No.:** Guo Wei Gui Hua Fa [2014] No. 24 (国卫规划发〔2014〕24号). **Issued on May 5, 2014. Effective from the date of issuance.** --- **第一条** 为规范人口健康信息的管理工作,促进人口健康信息的互联互通和共享利用,推动卫生计生事业科学发展,制定本办法。 **Article 1.** These Measures are formulated in order to standardize the administration of population health information, promote the interconnection, interoperability, and shared utilization of population health information, and advance the scientific development of health and family-planning undertakings. **第二条** 本办法适用于各级各类医疗卫生计生服务机构所涉及的人口健康信息的采集、管理、利用、安全和隐私保护工作。 **Article 2.** These Measures apply to activities involving the collection, management, utilization, security, and privacy protection of population health information by health and family-planning service institutions of all levels and types. **第三条** 本办法所称人口健康信息,是指依据国家法律法规和工作职责,各级各类医疗卫生计生服务机构在服务和管理过程中产生的人口基本信息、医疗卫生服务信息等人口健康信息。符合《中华人民共和国电子签名法》等有关法律法规规定的人口健康电子信息,与纸质文本具有同等法律效力。 **Article 3.** The term "population health information" as used in these Measures refers to basic population information, medical and health service information, and other population health information generated by health and family-planning service institutions of all levels and types in the course of service provision and administration, in accordance with the laws and regulations of the State and the institutions' respective work responsibilities. Population health electronic information that meets the requirements of the Electronic Signature Law of the People's Republic of China and other relevant laws and regulations shall have the same legal effect as paper documents. **第四条** 人口健康信息管理工作应当统筹规划、统一标准,属地管理、责权一致,保障安全、便民高效。 **Article 4.** Population health information administration work shall be guided by overall planning and unified standards; local management with aligned responsibilities and powers; and security assurance with efficiency and public convenience. **第五条** 县级以上人民政府卫生计生行政部门(含中医药行政部门,下同)是人口健康信息主管部门。国家卫生计生委负责制订全国人口健康信息发展规划和管理规范,统筹指导全国人口健康信息管理工作;县级以上地方人民政府卫生计生行政部门负责推进、指导、监督本行政区域人口健康信息管理工作。各级各类医疗卫生计生服务机构(含中医药服务机构,下同)负责人口健康信息的采集、利用、管理、安全和隐私保护,是人口健康信息管理中的责任单位。 **Article 5.** Health and family-planning administrative departments of people's governments at or above the county level (including traditional Chinese medicine administrative departments; the same applies below) are the competent authorities for population health information. The National Health and Family Planning Commission is responsible for formulating national development plans and administrative norms for population health information and for providing overall guidance on population health information administration across the country. Local health and family-planning administrative departments of people's governments at or above the county level are responsible for promoting, guiding, and supervising population health information administration within their respective administrative regions. Health and family-planning service institutions of all levels and types (including traditional Chinese medicine service institutions; the same applies below) are responsible for the collection, utilization, management, security, and privacy protection of population health information, and are the responsible units in population health information administration. **第六条** 责任单位采集、利用、管理人口健康信息应当按照法律法规的规定,遵循医学伦理原则,保证信息安全,保护个人隐私。 **Article 6.** Responsible units shall, in collecting, utilizing, and managing population health information, comply with the provisions of laws and regulations, observe the principles of medical ethics, ensure information security, and protect personal privacy. **第七条** 责任单位应当根据本单位人口健康信息采集、利用和管理的情况,设立相应的人口健康信息管理部门和岗位职责,建立完善的人口健康信息质量控制管理制度,建立或利用相应的信息系统。严格执行相关标准和程序,做到标准统一、术语规范、内容准确。 **Article 7.** Responsible units shall, in accordance with the circumstances of their collection, utilization, and management of population health information, establish corresponding population health information management departments and define their duties, develop a sound quality-control management system for population health information, and establish or make use of corresponding information systems. Relevant standards and procedures shall be strictly observed so as to achieve unified standards, standardized terminology, and accurate content. **第八条** 责任单位应当按照"一数一源、最少够用"的原则采集人口健康信息,所采集的信息应当符合业务应用和管理要求,保证服务和管理对象在本单位信息系统中身份标识的唯一性,基本数据项的一致性,所采集的信息应当严格实行信息复核程序,避免重复采集、多头采集。 **Article 8.** Responsible units shall collect population health information in accordance with the principle of "one data point, one source, and the minimum necessary." The information collected shall meet the requirements of business operations and administration; shall ensure the uniqueness of identity identifiers of service and management subjects within the unit's information systems and the consistency of basic data items; and shall be strictly subject to information verification procedures in order to avoid duplicative collection and multi-channel collection. **第九条** 人口健康信息实行分级存储。责任单位按照国家统一规划,负责存储、管理工作中产生的人口健康信息,应当具备符合国家有关规定要求的数据存储、容灾备份和管理条件,建立可靠的人口健康信息容灾备份工作机制,定期进行备份和恢复检测,确保数据能够及时、完整、准确恢复,实现长期保存和历史数据的归档管理。 **Article 9.** Population health information shall be stored according to a classified storage system. In accordance with unified national planning, responsible units that store and manage population health information generated in the course of their work shall possess data storage, disaster-recovery backup, and management capacities that meet the requirements of relevant national regulations; shall establish reliable disaster-recovery backup mechanisms for population health information; shall conduct regular backup and recovery tests; shall ensure that data can be recovered promptly, completely, and accurately; and shall achieve long-term preservation and archival management of historical data. **第十条** 责任单位应当结合服务和管理工作需要,及时更新与维护人口健康信息,确保信息处于最新、连续、有效状态。不得将人口健康信息在境外的服务器中存储,不得托管、租赁在境外的服务器。 **Article 10.** Responsible units shall, in conjunction with the needs of service and management work, update and maintain population health information in a timely manner to ensure that information remains current, continuous, and valid. Population health information shall not be stored on servers located outside the territory of the People's Republic of China, and servers located outside the territory shall not be hosted or leased for such purpose. **第十一条** 委托其他机构存储、运维人口健康信息的,委托单位承担人口健康信息的管理和安全责任。受委托的存储、运维机构应当严格按照委托协议做好人口健康信息管理的技术支持,禁止超权限采集、开发和利用人口健康信息。 **Article 11.** Where a responsible unit entrusts another institution with the storage and operation and maintenance of population health information, the entrusting unit shall bear the management and security responsibility for the population health information. The entrusted storage and operation-and-maintenance institution shall provide technical support for the management of population health information strictly in accordance with the entrustment agreement, and is prohibited from collecting, developing, or utilizing population health information beyond the scope of the authorization. **第十二条** 责任单位发生变更时,应当将所管理的人口健康信息完整、安全地移交给主管部门或承接延续其职能的机构管理,不得造成人口健康信息的损毁、丢失。 **Article 12.** When a responsible unit undergoes a change, it shall transfer all population health information under its management completely and securely to the competent authority or to the institution that assumes and continues its functions. Such transfer shall not result in the damage or loss of population health information. **第十三条** 人口健康信息的利用实行分类管理,逐步实现互联共享。人口健康信息的利用应当以提高医学研究、科学决策和便民服务水平为目的。依法应当向社会公开的信息应当及时主动公开;涉及保密信息和个人隐私信息,不得对外提供。 **Article 13.** The utilization of population health information shall be subject to classified management, with the goal of progressively achieving interconnection and sharing. The utilization of population health information shall aim to improve the level of medical research, scientific decision-making, and public services. Information that shall be disclosed to the public in accordance with law shall be proactively disclosed in a timely manner; information involving classified information or personal privacy information shall not be provided to external parties. **第十四条** 责任单位应当建立人口健康信息综合利用工作制度,授权利用有关信息。利用单位或者个人不得超出授权范围利用和发布人口健康信息。 **Article 14.** Responsible units shall establish a system for the comprehensive utilization of population health information and shall authorize the utilization of relevant information. Units or individuals utilizing such information shall not use or publish population health information beyond the scope of the authorization. **第十五条** 责任单位应当为服务和管理对象提供其人口健康个案信息的查询和复制服务,并提供安全的信息查询和复制渠道。 **Article 15.** Responsible units shall provide service and management subjects with query and copying services for their individual population health information, and shall provide secure channels for such query and copying. **第十六条** 责任单位应当做好人口健康信息安全和隐私保护工作,按照国家信息安全等级保护制度要求,加强建设人口健康信息相关系统安全保障体系,制定安全管理制度、操作规程和技术规范,保障人口健康信息安全。利用单位和个人应当按照授权要求,做好所涉及的人口健康信息安全和隐私保护工作。 **Article 16.** Responsible units shall properly perform population health information security and privacy protection work, strengthen the construction of security assurance systems for population health information-related systems in accordance with the requirements of the national information security multi-level protection scheme, formulate security management systems, operating procedures, and technical specifications, and ensure data security for population health information. Units and individuals utilizing such information shall, in accordance with authorization requirements, properly perform security and privacy protection work in relation to the population health information involved. **第十七条** 涉及国家秘密的人口健康信息系统应当按照国家涉密信息管理的要求进行分级保护,杜绝泄密。 **Article 17.** Population health information systems involving State secrets shall be subject to classified protection in accordance with the requirements of State classified information management, so as to prevent any disclosure of secrets. **第十八条** 责任单位应当建立痕迹管理制度,任何建立、修改和访问人口健康信息的用户,都应当通过严格的实名身份鉴别和授权控制,做到其行为可管理、可控制、可追溯。 **Article 18.** Responsible units shall establish a trace-management system. Any user who creates, modifies, or accesses population health information shall be subject to strict real-name identity authentication and authorization controls, so that their conduct is manageable, controllable, and traceable. **第十九条** 人口健康信息相关系统的信息技术产品和服务提供者应当遵守国家有关信息安全审查制度,不得中断或者以其他方式中断合理的技术支持与服务,并应当为人口健康信息在不同系统间的迁移、交互、共享提供安全与便利条件。 **Article 19.** Providers of information technology products and services for population health information-related systems shall comply with the national information security review system, shall not interrupt or otherwise discontinue reasonable technical support and services, and shall provide secure and convenient conditions for the migration, interoperability, and sharing of population health information across different systems. **第二十条** 卫生计生行政部门应当加强对本行政区域内各责任单位人口健康信息管理工作的日常监督检查,对本行政区域内各责任单位人口健康信息综合利用工作的指导监督,提高精细化人口健康服务和管理能力。 **Article 20.** Health and family-planning administrative departments shall strengthen routine supervision and inspection of the population health information administration work of all responsible units within their respective administrative regions; shall provide guidance and supervision over the comprehensive utilization of population health information by responsible units within their administrative regions; and shall enhance the capacity for refined population health service and management. **第二十一条** 卫生计生行政部门建立通报制度。相关单位和个人在人口健康信息利用、人口健康信息系统建设维护和技术支持等过程中,违反本办法规定造成不良后果的,主管部门或责任单位应当对其予以通报;情节严重、违反国家法律法规的,依照国家有关法律法规追究其法律责任。 **Article 21.** Health and family-planning administrative departments shall establish a notification system. Where relevant units or individuals violate the provisions of these Measures in the course of utilizing population health information, constructing and maintaining population health information systems, or providing technical support, and thereby cause adverse consequences, the competent authority or responsible unit shall issue a notification against them; where the circumstances are serious and constitute a violation of national laws and regulations, legal liability shall be pursued in accordance with relevant national laws and regulations. **第二十二条** 卫生计生行政部门建立人口健康信息管理工作责任追究制度。对于违反本办法规定的主管部门和责任单位,上级主管部门应当视情节轻重予以督导整改、通报批评、提出给予行政处分的建议;构成犯罪的,依法追究刑事责任。 **Article 22.** Health and family-planning administrative departments shall establish a system of liability investigation for population health information administration work. Where a competent authority or responsible unit violates the provisions of these Measures, the superior competent authority shall, depending on the severity of the circumstances, order rectification through supervision, issue a public criticism notification, or recommend the imposition of an administrative sanction; where a crime is constituted, criminal liability shall be pursued in accordance with law. **第二十三条** 本办法自印发之日起施行。 **Article 23.** These Measures shall come into force on the date of issuance. --- ## Shenzhen Health Data Management Measures - Chinese title: 深圳市卫生健康数据管理办法 - Abbreviation: Shenzhen Health Data Measures - Hierarchy: rule - Issuing body: Shenzhen Municipal Health Commission - Adopted: 2023-11-16 - Effective: 2024-01-01 - Status: effective - URL: https://datacompliancechina.com/laws/shenzhen-health-data-management-measures/ - Markdown: https://datacompliancechina.com/laws/shenzhen-health-data-management-measures.md - Source URL: https://wjw.sz.gov.cn/xxgk/zcfggfxwj/mybh_5/content/post_11009298.html ### Summary Shenzhen's 2023 local rule operationalizes the Shenzhen Special Economic Zone Data Regulations specifically for the health sector, establishing a unified municipal health data platform (the Shenzhen Municipal Health Data Center) and a 'one-data-one-source' collection principle. The Measures introduce a five-tier health data classification — general health data, public health data, personal health data, sensitive personal health data, and data processing — and impose differentiated notice-and-consent, access-control, security, and retention rules that track PIPL's risk-proportionate approach. A dedicated chapter on data sharing and openness sets out consent-gated sharing of personal health data, unconditional sharing of basic public health information, and a three-tier public openness framework (unconditional / conditional / not open), with explicit prohibition on re-identification of shared data. Overseas counsel advising multinational hospitals, diagnostics companies, health-tech platforms, or life-sciences firms with Shenzhen operations must understand these Measures: they impose MLPS filing requirements, domestic-server storage for health data, six specific transmission-security measures including mandatory use of nationally certified cryptographic algorithms, and an annual data-security audit cycle — obligations that layer on top of PIPL and the DSL. ### Full text **Promulgated by:** Shenzhen Municipal Health Commission. **Document No.:** 深卫健规〔2023〕3号. **Issued on November 16, 2023. Effective January 1, 2024. Valid for five years.** --- ## 深圳市卫生健康数据管理办法 深卫健规〔2023〕3号 为了规范卫生健康数据活动,保障数据安全,保护个人和组织的合法权益,促进卫生健康数据有序流动和开放共享,我委制定了《深圳市卫生健康数据管理办法》,现予以印发,请遵照执行。 深圳市卫生健康委员会 2023年11月16日 --- ### 第一章 总则 **第一条** 为了规范卫生健康数据活动,保障数据安全,维护个人和组织的合法权益,促进卫生健康数据有序流动和开放共享,根据《中华人民共和国个人信息保护法》《中华人民共和国数据安全法》《深圳经济特区医疗条例》《深圳经济特区健康条例》《深圳经济特区数据条例》等法律法规规定,结合本市卫生健康工作实际,制定本办法。 **第二条** 本市辖区范围内卫生健康行政部门、医疗卫生机构及其工作人员开展的卫生健康数据处理活动及其监督管理适用本办法。涉及国家秘密的数据处理活动,按照国家有关规定执行。 **第三条** 本办法中下列用语的含义: (一)卫生健康数据,是指在疾病防治、健康管理、医学教学和科研、医疗管理、行业管理等过程中产生的与卫生健康相关的数据。 (二)卫生健康公共数据,是指在依法履行公共管理职责或者提供公共服务过程中收集或者产生的,以一定形式记录、保存的卫生健康数据。 (三)卫生健康个人数据,是指依法收集或者产生的,载有可识别特定自然人信息的卫生健康数据,不包括匿名化处理后的数据。 (四)卫生健康敏感个人数据,是指一旦泄露或者非法使用,容易导致自然人的人格尊严受到侵害或者人身、财产安全受到危害的卫生健康个人数据,以及不满十四周岁未成年人的卫生健康个人数据。 (五)数据处理,是指数据的收集、存储、使用、加工、传输、提供、公开、删除等行为。 **第四条** 市卫生健康行政部门依法负责全市卫生健康数据处理的管理工作,统筹规划、指导、评估、监督全市卫生健康数据处理活动,建立健全卫生健康数据治理体系、管理制度和标准规范,在职责范围内组织开展卫生健康数据处理活动,推动卫生健康数据开放共享。区卫生健康行政部门依法负责辖区内卫生健康数据处理的管理工作,在职责范围内组织开展卫生健康数据处理活动,推动卫生健康数据开放共享。 **第五条** 医疗卫生机构依法负责本单位卫生健康数据处理的管理工作,建立完善本单位卫生健康数据管理制度,开展卫生健康数据处理活动。 **第六条** 本办法第四条、第五条规定的单位(以下统称责任单位)应当按照分类应用、分级授权、权责一致的原则对卫生健康数据处理活动进行规范管理,履行数据安全保护义务,不得损害国家利益、公共利益以及其他组织或者个人的合法权益,并符合合法、正当、必要、安全的要求。 ### 第二章 数据处理的一般规定 **第七条** 市卫生健康行政部门依托城市大数据中心组织建设、运营、维护深圳市卫生健康数据中心(以下简称市卫生健康数据中心)。市卫生健康数据中心按照"一数一源"原则,收集、存储全市卫生健康数据。 **第八条** 责任单位应当明确本单位卫生健康数据管理的分管负责人和责任部门,并配备专职或者兼职工作人员,建立健全本单位数据管理制度。 **第九条** 市卫生健康行政部门组织编制并公布全市卫生健康公共数据资源目录,制定卫生健康数据标准、安全和处理等相关规范,按照有关规定对卫生健康数据实行分类分级及安全管理,并将卫生健康公共数据资源纳入深圳市公共数据资源目录体系管理,规范卫生健康公共数据共享目录和开放目录。 **第十条** 卫生健康行政部门为履行法定职责处理卫生健康个人数据的,应当在处理前集中公告个人数据处理规则;个人数据处理规则未规定的,应当依法向个人告知。 医疗卫生机构处理卫生健康个人数据的,应当在处理前依法向个人进行告知,并取得个人或者其监护人的明确同意,涉及卫生健康个人敏感数据的,应当取得单独同意。 法律、行政法规另有规定的除外。 **第十一条** 责任单位为应对突发公共卫生事件,或者紧急情况下为保护自然人的生命健康和财产安全需要处理卫生健康个人数据的,应当按照最小必要原则,在法律法规规定的范围内进行数据处理,不得用于其他用途。 未经个人或者其监护人同意,责任单位及其工作人员不得公开其姓名、出生日期、身份证件号码、生物识别信息、住址、电话号码、电子邮箱、健康信息、行踪信息等信息,因应对突发公共卫生事件需要且经匿名化处理的除外。 **第十二条** 责任单位进行卫生健康数据处理时,应当按照有关规定实施合规审计。开展涉及人的生命科学和生物医学研究的卫生健康数据处理活动,应当按照有关规定进行伦理审查。 **第十三条** 责任单位按规定委托相关单位开展卫生健康数据处理活动的,应当与被委托单位签订委托协议和保密协议,明确委托数据处理的目的、期限、处理方式、涉及的数据范围和种类、委托结束后的数据删除、数据安全保护措施和责任、违约责任等双方权利义务,并应当明确未经责任单位同意,被委托单位不得将数据处理转委托第三方处理。责任单位应当对被委托单位开展数据活动进行监督。 ### 第三章 数据收集、传输和存储 **第十四条** 责任单位收集卫生健康数据时,应当根据工作需要,明确数据收集的目的、范围、期限、处理规则、安全管理措施等。责任单位应当真实、准确、按时、完整收集卫生健康数据,加强数据质量控制。 **第十五条** 责任单位在收集、存储卫生健康个人数据时,应当依法告知当事人数据收集和存储的必要性、目的、范围、期限、处理规则以及对个人权益的影响,并按规定取得当事人同意,且不得违反法律法规规定和双方的约定。责任单位不得在法律、行政法规规定的范围外收集、存储可识别个人身份的人脸、指纹、虹膜等生物识别信息。 **第十六条** 责任单位应当对数据传输、存储采取下列安全防护措施: (一)对涉及工作秘密、商业秘密、知识产权和个人信息以及其他敏感信息等数据采用国密算法进行加密; (二)采用由密码技术支持的网络传输通道保护机制,保障通信网络数据传输的完整性、机密性,并具备应急恢复能力; (三)数据存储在境内安全可信的服务器上,选取安全性能、防护级别与其安全等级相匹配的存储载体; (四)建立可靠的数据容灾备份机制,保证数据的有效归档、恢复和使用; (五)对身份鉴别、安全策略、异地备份、系统恢复等重要操作实行安全审计; (六)法律、法规、规章和网络安全部门、卫生健康行政部门等规定的其他措施。 **第十七条** 医疗卫生机构应当按照深圳市居民电子健康档案管理规范要求,在本机构信息系统中为实名就医的个人建立身份标识唯一、基本数据项一致的居民电子健康档案,记录为其提供的健康服务信息,并按照全市统一的接口规范、数据标准和质量控制等要求,依法依规将数据录入或者上传至卫生健康信息化平台,实现居民电子健康档案联网管理。 使用电子病历系统的医疗卫生机构还应当依法将患者的电子病历数据上传至卫生健康信息化平台实现联网管理。 **第十八条** 鼓励产生卫生健康数据的企事业单位、科研机构等其他单位将卫生健康数据按照规范传输至市卫生健康数据中心。 ### 第四章 数据使用、加工和删除 **第十九条** 责任单位应当制定本辖区、本单位数据使用、加工的权限管理制度,责任单位工作人员应当在权限范围内使用、加工数据。 **第二十条** 责任单位应当建立电子实名认证和数据访问控制制度,防止数据泄露或者被非法使用。数据的访问日志应当保存6个月以上,对居民电子健康档案、医学证明文件、归档电子病历以及其他医学文书的数据访问日志应当保存3年以上。 **第二十一条** 医疗卫生机构为居民提供预防保健、健康管理、临床诊疗、互联网诊疗等医疗卫生服务时,经个人或者其监护人同意,可以依法查阅其居民电子健康档案。符合下列情形之一的,医疗卫生机构可以依法查阅个人电子病历: (一)个人或者其监护人单独同意; (二)为居民提供医疗卫生服务时,查阅其在本机构以及属于同一法人单位的医疗机构的电子病历; (三)为应对突发公共卫生事件,或者紧急情况下为保护自然人的生命健康所必需; (四)法律、行政法规规定的其他情形。 **第二十二条** 医疗卫生机构基于个人同意查阅居民电子健康档案和个人电子病历的,应当由个人或其监护人在充分知情的前提下自愿、单独同意。个人或者其监护人可以选择下列同意方式: (一)同意医疗卫生机构为个人提供本次卫生健康服务时查阅; (二)同意医疗卫生机构为个人提供卫生健康服务时均可以查阅。 医疗卫生机构取得前款规定的个人同意的,个人或者其监护人有权撤回其同意,医疗卫生机构应当提供便捷的撤回同意的方式。个人撤回同意的,不影响撤回前基于个人同意已进行的个人信息处理活动的效力。 **第二十三条** 医疗卫生机构在查阅居民电子健康档案或者个人电子病历时,不得违规进行拍照、录像、截屏、复制和本地保存等操作,不得用于卫生健康以外的目的。法律、行政法规另有规定的除外。 **第二十四条** 责任单位在委托、授权数据使用、加工时,应当对数据安全进行评估,并采取下列安全措施,保障数据安全: (一)根据数据使用、加工的实际需要,制定并执行符合最小必要原则的数据提取方案; (二)采取必要措施保障数据安全; (三)及时清理、删除提取过程所产生的中间数据; (四)保留数据使用过程中的申请、审批和删除记录; (五)其他必要的安全措施。 **第二十五条** 对数据加工过程中临时保存的数据,以及保存或者使用期限届满后的数据,责任单位应当采用无法还原的方式及时进行删除,并验证数据删除操作的可信性,重点关注数据残留风险及数据备份风险。法律、法规另有规定的除外。数据删除的审批流程、操作记录等资料应当存档保存。 **第二十六条** 按照"谁使用、谁负责、谁解释"的原则,由数据使用者负责卫生健康数据使用的对外解释。数据使用者应当收集数据使用过程中出现的问题,并积极与数据提供者协商处理。 ### 第五章 数据共享和开放 **第二十七条** 责任单位应当建立卫生健康公共数据的共享对接机制,在卫生健康公共数据共享目录范围内,应有关国家机关、事业单位、医疗卫生单位等公共管理和服务机构的申请,依法共享卫生健康公共数据,并做好登记和管理。 **第二十八条** 责任单位应当要求卫生健康公共数据共享申请单位列明申请的数据字段,明确数据使用的依据、目的、范围、方式、期限等,并要求其按照规定加强共享数据使用管理,不得超出使用范围、期限或者用于其他目的。责任单位依据规定的共享条件以及申请单位履行职责的需要进行审核,核定应用业务场景、用数单位、所需数据、共享模式、截止时间等要素,按照最小授权原则,确保卫生健康公共数据按需、安全共享。 **第二十九条** 责任单位共享数据涉及卫生健康个人数据的,应当取得个人或者其监护人的单独同意,因履行法定职责或者法定义务所必需、应对突发公共卫生事件或者紧急情况下为保护自然人的生命健康和财产安全所必需等法律、行政法规另有规定的除外。申请单位应当配合责任单位取得申请共享的个人数据所涉个人或者其监护人作出的单独同意的资料。 **第三十条** 申请共享卫生健康公共数据涉及卫生健康个人数据的,责任单位应当要求申请单位提供以下资料: (一)收集处理卫生健康个人数据的法律、法规、规章等依据; (二)提供明确的所需共享数据的人员名单; (三)数据接收方的名称、联系方式、处理目的、处理方式和个人信息的种类; (四)限于实现处理目的所必要的最小范围、采取对个人权益影响最小的方式等个人信息保护措施。 申请单位无法明确共享数据人员名单的,责任单位可以提供卫生健康公共数据共享查询接口,按照最小必要原则与申请单位协商确定涉及个人的范围和触发数据共享查询的条件,以确定共享数据人员名单。 **第三十一条** 责任单位应当在卫生健康个人数据共享前,通过短信、电话、网络、微信等方式,向数据所涉及个人或者其监护人发送信息告知数据接收方的名称、联系方式、处理目的和处理方式和个人信息的种类。 **第三十二条** 国家机关、事业单位申请共享卫生健康公共数据的,由卫生健康行政部门通过城市大数据中心的公共数据共享平台,按照规定提供共享。 **第三十三条** 区卫生健康行政部门、市属医疗卫生单位申请共享卫生健康公共数据的,由市卫生健康行政部门通过市卫生健康信息化平台,按照规定提供共享。区属医疗卫生单位申请共享卫生健康公共数据的,由区卫生健康行政部门通过区卫生健康信息化平台,按照规定提供共享。 **第三十四条** 责任单位应当规范数据共享管理,对不能通过公共数据共享平台或者卫生健康信息化平台共享卫生健康公共数据的,应当按照法律、法规等规定提供数据共享,并履行个人信息保护职责。 **第三十五条** 下列卫生健康公共数据不予共享: (一)除法律、行政法规另有规定外,涉及工作秘密、商业秘密、知识产权的数据; (二)除法律、行政法规另有规定外,共享后可能危害国家安全、公共安全、经济安全、社会稳定、公众健康或者公共利益的数据; (三)法律、法规规定的其他不予共享的数据。 **第三十六条** 卫生健康行政部门通过公共数据共享平台无条件共享基本医疗卫生服务目录、收费价格、医疗卫生公共信用信息、医疗卫生相关证照和其他依法应当主动公开的卫生健康公共数据。 **第三十七条** 公安机关、司法、人力资源社会保障部门、医疗保障部门、保险等部门,因办理案件或者社会保险审核等需要,直接向数源责任单位提出卫生健康数据需求的,责任单位应当依法予以提供。 **第三十八条** 卫生健康公共数据开放坚持公平有序、安全可控、分类管理的原则,不得侵害国家利益、公共利益和个人、组织的合法权益。 **第三十九条** 责任单位应当向成年居民本人、未成年人的监护人开放居民电子健康档案和电子病历,提供在线查询、复制、更新、使用、授权等功能,并通过电子签名、数字水印等技术保障数据防篡改、防泄露、可追溯。 **第四十条** 责任单位通过公共数据开放平台向社会提供可机器读取的卫生健康公共数据,按照向社会开放条件分为无条件开放、有条件开放和不予开放三类。 无条件开放的卫生健康公共数据,是指应当无条件向自然人、法人和非法人组织开放的公共数据。 有条件开放的卫生健康公共数据,是指按照特定方式向自然人、法人和非法人组织平等开放的卫生健康公共数据。 不予开放的卫生健康公共数据,是指涉及国家安全、商业秘密和个人隐私,或者法律、法规等规定不得开放的公共数据。 **第四十一条** 责任单位开放卫生健康数据时,应当评估可能带来的安全风险,并采取必要的安全防控措施。 **第四十二条** 任何组织和个人不得以再识别或者推断个人身份为目的对共享和开放的卫生健康数据进行数据处理。 ### 第六章 安全和监管 **第四十三条** 责任单位应当严格落实数据安全主体责任,制定数据安全管理制度和数据安全应急预案,定期开展数据安全测评、风险评估和应急演练,保障卫生健康数据安全。 **第四十四条** 责任单位应当按照国家网络安全等级保护制度要求,构建可信的网络安全环境,加强卫生健康数据相关系统安全保障体系建设,开展网络安全定级、备案、测评等工作,提升关键信息基础设施和重要信息系统的安全防护能力。 **第四十五条** 责任单位应当建立安全预警和信息报告制度,加强日常检查和监测预警,及时发现数据泄露等异常情况。发生数据安全事件的,责任单位应当立即启动应急预案,采取补救措施,按照规定及时向数据主管部门和上一级卫生健康行政部门报告,并依法及时告知相关组织或者个人。 **第四十六条** 卫生健康行政部门应当加强对卫生健康数据处理活动的监督,对责任单位的数据报送情况、数据质量、数据应用等进行检查评估。 **第四十七条** 医疗卫生机构应当建立健全数据安全管理制度,结合工作实际细化数据安全操作规程和技术规范,涉及的管理制度每年至少修订一次,与数据管理工作人员每年度签署保密协议。 **第四十八条** 责任单位及其工作人员违反本办法规定的,依据《中华人民共和国数据安全法》《中华人民共和国个人信息保护法》《深圳经济特区数据条例》《深圳经济特区医疗条例》《深圳经济特区健康条例》等规定予以处理。 ### 第七章 附 则 **第四十九条** 本办法自2024年1月1日起施行,有效期五年。 --- ## English Translation *Translator's note: This is an original translation produced for Data Compliance China. Glossary terms follow the DCC canonical glossary: 卫生健康数据 → health data; 个人信息/个人数据 → personal information / personal data; 公共数据 → public data; 数据安全 → data security; 数据处理 → data processing; 分类分级 → data classification and grading; 最小必要 → minimum necessary; 单独同意 → separate consent.* **Promulgated by:** Shenzhen Municipal Health Commission. **Document No.:** 深卫健规〔2023〕3号. **Issued on November 16, 2023. Effective January 1, 2024. Valid for five years.** --- ### Chapter I — General Provisions **Article 1.** These Measures are formulated in order to regulate health data activities, safeguard data security, protect the lawful rights and interests of individuals and organizations, and promote the orderly flow and open sharing of health data, in accordance with the Personal Information Protection Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Shenzhen Special Economic Zone Medical Ordinance, the Shenzhen Special Economic Zone Health Ordinance, the Shenzhen Special Economic Zone Data Regulations, and other laws and regulations, and in light of the actual conditions of health work in this Municipality. **Article 2.** These Measures apply to health data processing activities carried out by health administrative departments and medical and health institutions within the administrative area of this Municipality and their staff, and to the supervision and administration thereof. Data processing activities involving State secrets shall be handled in accordance with relevant State regulations. **Article 3.** The following terms as used in these Measures have the meanings set out below: (1) "Health data" means data related to health care generated in the course of disease prevention and control, health management, medical education and scientific research, medical administration, and industry administration. (2) "Public health data" means health data collected or generated in the course of lawfully performing public administration duties or providing public services, recorded and preserved in a certain form. (3) "Personal health data" means health data lawfully collected or generated that carries information capable of identifying a specific natural person, and excludes data that has undergone anonymization. (4) "Sensitive personal health data" means personal health data that, once leaked or unlawfully used, is likely to result in infringement of a natural person's personal dignity or harm to that person's personal safety or property safety, and also includes personal health data pertaining to minors under the age of fourteen. (5) "Data processing" means the collection, storage, use, processing, transmission, provision, disclosure, deletion, and other handling of data. **Article 4.** The municipal health administrative department shall, in accordance with law, be responsible for the administration of health data processing throughout the Municipality, shall make overall plans for, guide, evaluate, and supervise health data processing activities throughout the Municipality, shall establish and improve the health data governance system, management system, and standards and norms, shall organize health data processing activities within the scope of its duties, and shall promote the open sharing of health data. District health administrative departments shall, in accordance with law, be responsible for the administration of health data processing within their respective jurisdictions, shall organize health data processing activities within the scope of their duties, and shall promote the open sharing of health data. **Article 5.** Medical and health institutions shall, in accordance with law, be responsible for the administration of health data processing of their respective institutions, shall establish and improve their data management systems, and shall conduct health data processing activities. **Article 6.** The entities referred to in Articles 4 and 5 of these Measures (hereinafter collectively referred to as "responsible entities") shall regulate the management of health data processing activities in accordance with the principles of classified application, graded authorization, and correspondence between rights and responsibilities; shall perform data security protection obligations; shall not harm national interests, public interests, or the lawful rights and interests of other organizations or individuals; and shall comply with the requirements of lawfulness, legitimacy, necessity, and security. ### Chapter II — General Provisions on Data Processing **Article 7.** The municipal health administrative department shall organize the construction, operation, and maintenance of the Shenzhen Municipal Health Data Center (hereinafter referred to as the "Municipal Health Data Center") by leveraging the urban big data center. The Municipal Health Data Center shall collect and store health data throughout the Municipality in accordance with the "one-data-one-source" principle. **Article 8.** A responsible entity shall designate a responsible officer and a responsible department for health data management within the entity, shall assign full-time or part-time staff, and shall establish and improve its internal data management system. **Article 9.** The municipal health administrative department shall organize the compilation and publication of the catalogue of public health data resources for the entire Municipality, formulate standards and norms for health data, data security, and data processing, implement data classification and grading and security management in accordance with relevant regulations, incorporate public health data resources into the Shenzhen municipal public data resources catalogue management system, and regulate the health public data sharing catalogue and openness catalogue. **Article 10.** Where a health administrative department processes personal health data in order to perform its statutory duties, it shall publicly announce the personal data processing rules in advance; where a matter is not covered by the personal data processing rules, it shall notify the individual in accordance with law. Where a medical and health institution processes personal health data, it shall give notice to the individual in accordance with law before processing, and shall obtain the explicit consent of the individual or that person's guardian; where sensitive personal health data is involved, separate consent shall be obtained. Except where otherwise provided by laws and administrative regulations. **Article 11.** Where a responsible entity processes personal health data in order to respond to a public health emergency, or in urgent circumstances to protect the life, health, and property safety of a natural person, it shall process the data in accordance with the minimum necessary principle and within the scope prescribed by laws and regulations, and shall not use the data for other purposes. Without the consent of the individual or that person's guardian, a responsible entity and its staff shall not disclose such person's name, date of birth, identity document number, biometric information, address, telephone number, email address, health information, whereabouts information, or other information, except where anonymization has been carried out as needed to respond to a public health emergency. **Article 12.** A responsible entity shall implement a compliance audit when carrying out health data processing, in accordance with relevant regulations. Where health data processing activities involve life-science and biomedical research relating to human beings, an ethics review shall be conducted in accordance with relevant regulations. **Article 13.** Where a responsible entity entrusts a related entity to carry out health data processing activities in accordance with regulations, it shall enter into an entrustment agreement and a confidentiality agreement with the entrusted entity, specifying the purpose, duration, method, scope and type of data involved, deletion of data upon termination of the entrustment, data security protection measures and liability, liability for breach of contract, and other rights and obligations of both parties; the agreement shall specify that the entrusted entity may not sub-entrust the data processing to a third party without the consent of the responsible entity. The responsible entity shall supervise the data activities conducted by the entrusted entity. ### Chapter III — Data Collection, Transmission, and Storage **Article 14.** When collecting health data, a responsible entity shall, based on the needs of the work, clarify the purpose, scope, duration, processing rules, and security management measures for data collection. A responsible entity shall collect health data in a truthful, accurate, timely, and complete manner, and shall strengthen data quality control. **Article 15.** When collecting and storing personal health data, a responsible entity shall give notice to the individuals concerned in accordance with law of the necessity, purpose, scope, duration, processing rules, and impact on personal rights and interests of the data collection and storage, and shall obtain the consent of the individuals concerned in accordance with regulations, and shall not act in violation of the provisions of laws and regulations and the agreement between the parties. A responsible entity shall not collect or store facial, fingerprint, iris, or other biometric information capable of identifying a specific individual beyond the scope prescribed by laws and administrative regulations. **Article 16.** A responsible entity shall adopt the following security protection measures for data transmission and storage: (1) Encrypt data involving work secrets, trade secrets, intellectual property rights, personal information, and other sensitive information using nationally certified cryptographic algorithms; (2) Employ a network transmission channel protection mechanism supported by cryptographic technology to ensure the integrity and confidentiality of data transmission over communication networks and to maintain emergency recovery capability; (3) Store data on secure and trusted domestic servers, selecting storage media whose security performance and protection level match their security classification; (4) Establish a reliable data disaster-recovery and backup mechanism to ensure the effective archiving, recovery, and use of data; (5) Implement security auditing for important operations such as identity authentication, security policy implementation, off-site backup, and system recovery; (6) Other measures required by laws, regulations, rules, and network security authorities, health administrative departments, and other competent bodies. **Article 17.** Medical and health institutions shall, in accordance with the Shenzhen Municipal Residents' Electronic Health Records Management Specifications, establish, within their institutional information systems, residents' electronic health records with unique identity identifiers and consistent basic data items for individuals who receive services under their real names, record the health service information provided to such individuals, and, in accordance with the Municipality's unified interface specifications, data standards, and quality control requirements, lawfully upload or enter data into the health information platform to enable networked management of residents' electronic health records. Medical and health institutions that use an electronic medical records system shall also lawfully upload patients' electronic medical records data to the health information platform to achieve networked management. **Article 18.** Enterprises and public institutions, scientific research institutions, and other entities that generate health data are encouraged to transmit health data to the Municipal Health Data Center in accordance with specifications. ### Chapter IV — Data Use, Processing, and Deletion **Article 19.** A responsible entity shall formulate a system for managing data use and processing permissions within its jurisdiction or institution, and the staff of a responsible entity shall use and process data only within the scope of their permissions. **Article 20.** A responsible entity shall establish a system for electronic real-name authentication and data access control to prevent data leakage or unlawful use. Access logs for data shall be retained for not less than six months; access logs for residents' electronic health records, medical certificates, archived electronic medical records, and other medical documents shall be retained for not less than three years. **Article 21.** When a medical and health institution provides preventive health care, health management, clinical diagnosis and treatment, Internet-based medical treatment, or other medical and health services to residents, it may, upon consent of the individual or that person's guardian, lawfully access the resident's electronic health record. Where any of the following circumstances applies, a medical and health institution may lawfully access an individual's electronic medical record: (1) The individual or that person's guardian gives separate consent; (2) When providing medical and health services to a resident, accessing that resident's electronic medical record at the institution and at medical institutions that belong to the same legal-person entity; (3) Where access is necessary to respond to a public health emergency or, in urgent circumstances, to protect the life and health of a natural person; or (4) Other circumstances prescribed by laws and administrative regulations. **Article 22.** Where a medical and health institution accesses a resident's electronic health record or an individual's electronic medical record on the basis of the individual's consent, the individual or that person's guardian shall give consent voluntarily and separately, on the premise of full awareness. The individual or that person's guardian may choose one of the following modes of consent: (1) Consent for the medical and health institution to access the record when providing this particular health service to the individual; or (2) Consent for the medical and health institution to access the record whenever providing health services to the individual. Where a medical and health institution has obtained the consent provided for in the preceding paragraph, the individual or that person's guardian has the right to withdraw consent, and the medical and health institution shall provide a convenient means to withdraw consent. Withdrawal of consent by the individual does not affect the validity of personal information processing activities that were carried out on the basis of consent prior to the withdrawal. **Article 23.** When a medical and health institution accesses a resident's electronic health record or an individual's electronic medical record, it shall not take photographs, make recordings, take screenshots, copy, or save data locally in violation of regulations, and shall not use the data for purposes other than health care. Except where otherwise provided by laws and administrative regulations. **Article 24.** When a responsible entity entrusts or authorizes data use or processing, it shall conduct a data security assessment and adopt the following security measures to safeguard data security: (1) Formulate and implement a data extraction plan that complies with the minimum necessary principle, based on the actual needs of the data use or processing; (2) Take necessary measures to safeguard data security; (3) Promptly clean up and delete intermediate data generated during the extraction process; (4) Retain records of applications, approvals, and deletions arising in the course of data use; and (5) Other necessary security measures. **Article 25.** For data temporarily stored in the course of data processing, and for data whose retention or use period has expired, the responsible entity shall delete the data in a timely manner using a method that cannot be reversed, verify the reliability of the data deletion operation, and pay particular attention to risks of residual data and risks associated with data backups. Except where otherwise provided by laws and regulations. Documentation of the approval process and operation records for data deletion shall be archived and preserved. **Article 26.** In accordance with the principle of "whoever uses it is responsible for it and interprets it," the data user shall be responsible for providing external explanations of health data use. Data users shall collect problems that arise in the course of data use and shall actively negotiate with data providers to address them. ### Chapter V — Data Sharing and Openness **Article 27.** A responsible entity shall establish a mechanism for connecting to and sharing public health data; within the scope of the public health data sharing catalogue, it shall, upon application by relevant State organs, public institutions, medical and health units, and other entities performing public administration and service functions, share public health data in accordance with law, and shall maintain proper records and administration. **Article 28.** A responsible entity shall require entities applying to share public health data to specify the requested data fields and to clarify the legal basis, purpose, scope, method, and duration of data use, and shall require the applicant entities to strengthen the management of shared data use in accordance with regulations, and not to use the data beyond its permitted scope or duration or for other purposes. The responsible entity shall conduct a review based on the prescribed sharing conditions and the needs of the applicant entity in performing its duties, and shall determine elements including the applicable business scenario, the data-using entity, the required data, the sharing mode, and the expiry date; in accordance with the principle of minimum authorization, the responsible entity shall ensure that public health data is shared on an as-needed and secure basis. **Article 29.** Where data to be shared by a responsible entity involves personal health data, separate consent from the individual or that person's guardian shall be obtained, except where laws or administrative regulations otherwise provide, such as where processing is necessary for the performance of statutory duties or statutory obligations, or is necessary to respond to a public health emergency or to protect the life, health, and property safety of a natural person in urgent circumstances. The applying entity shall cooperate with the responsible entity in obtaining the separate consent given by the individuals or their guardians in respect of the personal data applied for sharing. **Article 30.** Where an application to share public health data involves personal health data, the responsible entity shall require the applying entity to provide the following materials: (1) The legal basis under laws, regulations, or rules for collecting and processing personal health data; (2) A specific list of the individuals whose data is to be shared; (3) The name, contact information, processing purpose, processing method, and type of personal information of the data recipient; and (4) Personal information protection measures, including limiting the scope to the minimum necessary to achieve the processing purpose and adopting the method that has the least impact on personal rights and interests. Where the applying entity is unable to identify a specific list of individuals, the responsible entity may provide a query interface for the public health data sharing platform, and shall, in accordance with the minimum necessary principle, negotiate with the applying entity to determine the scope of individuals involved and the conditions triggering a shared-data query, so as to establish the list of individuals whose data is to be shared. **Article 31.** Before sharing personal health data, a responsible entity shall send information by text message, telephone, network, WeChat, or other means to the individuals whose data is involved or to their guardians, notifying them of the name, contact information, processing purpose, processing method, and type of personal information of the data recipient. **Article 32.** Where State organs or public institutions apply to share public health data, the health administrative department shall provide the sharing through the public data sharing platform of the urban big data center, in accordance with regulations. **Article 33.** Where district-level health administrative departments or municipal-affiliated medical and health units apply to share public health data, the municipal health administrative department shall provide the sharing through the municipal health information platform, in accordance with regulations. Where district-affiliated medical and health units apply to share public health data, the district health administrative department shall provide the sharing through the district health information platform, in accordance with regulations. **Article 34.** Responsible entities shall regulate data sharing administration; where public health data cannot be shared through the public data sharing platform or the health information platform, sharing shall be provided in accordance with laws, regulations, and other applicable provisions, and personal information protection duties shall be fulfilled. **Article 35.** The following public health data shall not be shared: (1) Except where otherwise provided by laws and administrative regulations, data involving work secrets, trade secrets, or intellectual property rights; (2) Except where otherwise provided by laws and administrative regulations, data that, if shared, may endanger national security, public security, economic security, social stability, public health, or the public interest; and (3) Other data that laws or regulations prescribe shall not be shared. **Article 36.** Health administrative departments shall, through the public data sharing platform, share unconditionally the catalogue of basic medical and health services, service fees and charges, public credit information relating to medical and health care, medical and health-related licenses and certificates, and other public health data that shall be proactively disclosed in accordance with law. **Article 37.** Where public security organs, judicial bodies, human resources and social security departments, medical security departments, insurance institutions, and other departments need, for the purpose of handling cases or auditing social insurance, to request health data directly from the source responsible entity, the responsible entity shall provide such data in accordance with law. **Article 38.** The openness of public health data shall adhere to the principles of fairness and order, security and controllability, and classified management, and shall not harm national interests, public interests, or the lawful rights and interests of individuals and organizations. **Article 39.** Responsible entities shall make residents' electronic health records and electronic medical records accessible to adult residents themselves and to the guardians of minors, providing functions including online inquiry, copying, updating, use, and authorization, and shall use technologies such as electronic signatures and digital watermarks to ensure that data is tamper-proof, leak-proof, and traceable. **Article 40.** Responsible entities shall provide machine-readable public health data to the public through the public data openness platform. According to the conditions for public access, such data is divided into three categories: unconditionally open, conditionally open, and not open. Unconditionally open public health data refers to public data that shall be made unconditionally available to natural persons, legal persons, and unincorporated organizations. Conditionally open public health data refers to public health data that is made available equally to natural persons, legal persons, and unincorporated organizations in a specified manner. Public health data that is not open refers to public data that involves national security, trade secrets, or personal privacy, or that laws or regulations prescribe shall not be made open. **Article 41.** When making health data open, a responsible entity shall assess the security risks that may arise and shall adopt necessary security prevention and control measures. **Article 42.** No organization or individual shall process shared or open health data with the purpose of re-identifying or inferring the identity of individuals. ### Chapter VI — Security and Supervision **Article 43.** A responsible entity shall strictly implement its primary responsibility for data security, formulate data security management systems and data security emergency response plans, and regularly conduct data security assessments, risk assessments, and emergency drills to safeguard health data security. **Article 44.** A responsible entity shall, in accordance with the requirements of the national Multi-Level Protection Scheme for cybersecurity, build a trusted cybersecurity environment, strengthen the construction of a security protection system for health data-related systems, carry out cybersecurity classification, filing, and evaluation work, and enhance the security protection capabilities of critical information infrastructure and important information systems. **Article 45.** A responsible entity shall establish a security warning and information reporting system, strengthen routine inspections and monitoring and early warning, and promptly detect data leakage and other abnormal situations. In the event of a data security incident, the responsible entity shall immediately activate the emergency response plan, take remedial measures, and report to the data competent department and the superior health administrative department in a timely manner in accordance with regulations, and shall promptly notify the relevant organizations or individuals in accordance with law. **Article 46.** Health administrative departments shall strengthen supervision of health data processing activities, and shall conduct inspections and evaluations of responsible entities' data reporting, data quality, and data application. **Article 47.** Medical and health institutions shall establish and improve data security management systems, refine data security operational procedures and technical specifications based on actual work conditions, revise the relevant management systems at least once a year, and sign confidentiality agreements with data management staff on an annual basis. **Article 48.** Where a responsible entity or its staff violates the provisions of these Measures, the matter shall be handled in accordance with the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Shenzhen Special Economic Zone Data Regulations, the Shenzhen Special Economic Zone Medical Ordinance, the Shenzhen Special Economic Zone Health Ordinance, and other applicable provisions. ### Chapter VII — Supplementary Provisions **Article 49.** These Measures shall come into force on January 1, 2024, and shall remain valid for five years. --- ## Administrative Measures for Data Security in the Field of Industry and Information Technology (Trial) - Chinese title: 工业和信息化领域数据安全管理办法(试行) - Abbreviation: Industrial Data Security Measures - Hierarchy: rule - Issuing body: Ministry of Industry and Information Technology - Adopted: 2022-12-08 - Effective: 2023-01-01 - Status: effective - URL: https://datacompliancechina.com/laws/miit-industrial-data-security-measures/ - Markdown: https://datacompliancechina.com/laws/miit-industrial-data-security-measures.md ### Summary These Measures are the principal sector-specific framework implementing the Data Security Law within the industry, telecommunications and radio-spectrum fields administered by MIIT. They establish a three-tier data classification (general / important / core data), filing of important- and core-data catalogues, full-lifecycle security obligations, cross-border transfer controls, monitoring and incident-response duties, and a testing/certification/assessment regime. Issued as MIIT Cyber Security [2022] No. 166 and effective January 1, 2023. ### Full text **Promulgated by:** Ministry of Industry and Information Technology. **Document No.:** MIIT Cyber Security [2022] No. 166. **Issued December 8, 2022. Effective January 1, 2023.** --- ## Chapter I General Provisions **Article 1.** These Measures are formulated in accordance with the Data Security Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the National Security Law of the People's Republic of China, the Civil Code of the People's Republic of China and other laws and regulations, in order to regulate data processing activities in the field of industry and information technology, strengthen data security management, ensure data security, promote data development and utilization, protect the legitimate rights and interests of individuals and organizations, and safeguard national security and development interests. **Article 2.** Data processing activities carried out within the territory of the People's Republic of China in the field of industry and information technology, and the security supervision thereof, shall comply with the requirements of relevant laws, administrative regulations and these Measures. **Article 3.** Data in the field of industry and information technology include industrial data, telecommunications data and radio data, among others. Industrial data refers to data generated and collected by the various industries and fields of industry in the course of research and development design, production and manufacturing, business management, operation and maintenance, platform operation and other processes. Telecommunications data refers to data generated and collected in the course of telecommunications business operation activities. Radio data refers to radio frequency, station (site) and other radio-wave parameter data generated and collected in the course of carrying out radio business activities. A data processor in the field of industry and information technology refers to the various types of entities in the field of industry and information technology that independently determine the processing purpose and processing method in data processing activities, including industrial enterprises, software and information technology service enterprises, telecommunications business operators that have obtained a telecommunications business operation license, and entities using radio frequencies or stations (sites). Data processors in the field of industry and information technology may, according to the industry and field to which they belong, be classified as industrial data processors, telecommunications data processors, radio data processors, and the like. Data processing activities include but are not limited to the collection, storage, use, processing, transmission, provision and disclosure of data. **Article 4.** Under the overall coordination of the national data security work coordination mechanism, the Ministry of Industry and Information Technology shall be responsible for supervising and guiding the industry and information technology authorities of the provinces, autonomous regions, municipalities directly under the Central Government and cities specifically designated in the State plan, and the Xinjiang Production and Construction Corps, as well as the communications administrations and radio regulatory agencies of the provinces, autonomous regions and municipalities directly under the Central Government (hereinafter collectively referred to as the local industry regulatory authorities), in carrying out data security supervision, and in supervising and administering data processing activities and security protection in the field of industry and information technology. The local industry regulatory authorities shall be respectively responsible for supervising and administering the data processing activities and security protection of industrial, telecommunications and radio data processors in their respective regions. The Ministry of Industry and Information Technology and the local industry regulatory authorities are collectively referred to as the industry regulatory authorities. The industry regulatory authorities shall, in accordance with relevant laws and administrative regulations, cooperate with relevant departments in carrying out work related to data security supervision in accordance with the law. **Article 5.** The industry regulatory authorities shall encourage data development and utilization and research on data security technology, support the promotion of data security products and services, cultivate data security enterprises, research and service institutions, develop the data security industry, enhance data security assurance capabilities, and promote the innovative application of data. Where data processors in the field of industry and information technology research, develop and use new data technologies, products and services, this shall be conducive to promoting economic and social development and the development of the industry, and shall conform to social morality and ethics. **Article 6.** The industry regulatory authorities shall advance the development of a system of standards for data development and utilization and data security in the field of industry and information technology, and organize the formulation, revision, promotion and application of relevant standards. ## Chapter II Data Classification and Grading Management **Article 7.** The Ministry of Industry and Information Technology shall organize the formulation of standards and specifications for data classification and grading, identification and determination of important data and core data, and graded data protection in the field of industry and information technology, guide the conduct of data classification and grading management work, and formulate specific catalogues of important data and core data for the industry and implement dynamic management thereof. The local industry regulatory authorities shall respectively organize the conduct of data classification and grading management and the identification of important data and core data in the field of industry and information technology in their respective regions, determine specific catalogues of important data and core data for their respective regions and report them to the Ministry of Industry and Information Technology; where the catalogues change, they shall promptly report the updates. Data processors in the field of industry and information technology shall regularly sort out their data, identify important data and core data in accordance with relevant standards and specifications, and form their own specific catalogues. **Article 8.** According to industry requirements, characteristics, business needs, data sources and uses, and other factors, the classification categories of data in the field of industry and information technology include but are not limited to research and development data, production and operation data, management data, operation and maintenance data, and business service data. According to the degree of harm caused to national security, the public interest, or the legitimate rights and interests of individuals or organizations when data is tampered with, destroyed, leaked, or illegally obtained or used, data in the field of industry and information technology is divided into three grades: general data, important data and core data. Data processors in the field of industry and information technology may further subdivide the categories and grades of data on this basis. **Article 9.** Data whose degree of harm meets one of the following conditions is general data: (I) it causes relatively minor impact on the public interest or the legitimate rights and interests of individuals or organizations, with little adverse social impact; (II) the number of affected users and enterprises is relatively small, the affected production and living area is relatively small, and the duration is relatively short, with little impact on enterprise operations, industry development, technological progress and the industrial ecosystem; (III) other data not included in the catalogue of important data or core data. **Article 10.** Data whose degree of harm meets one of the following conditions is important data: (I) it poses a threat to politics, territory, military affairs, economy, culture, society, science and technology, electromagnetics, networks, ecology, resources, nuclear safety, or the like, or affects key fields related to national security such as overseas interests, biology, space, the polar regions, the deep sea, and artificial intelligence; (II) it causes serious impact on the development, production, operation and economic interests of the field of industry and information technology; (III) it causes a major data security incident or production safety accident, causing serious impact on the public interest or the legitimate rights and interests of individuals or organizations, with significant adverse social impact; (IV) the cascading effect it triggers is significant, the scope of impact involves multiple industries, regions or multiple enterprises within an industry, or the duration of impact is long, causing serious impact on industry development, technological progress and the industrial ecosystem; (V) other important data determined through assessment by the Ministry of Industry and Information Technology. **Article 11.** Data whose degree of harm meets one of the following conditions is core data: (I) it poses a serious threat to politics, territory, military affairs, economy, culture, society, science and technology, electromagnetics, networks, ecology, resources, nuclear safety, or the like, or seriously affects key fields related to national security such as overseas interests, biology, space, the polar regions, the deep sea, and artificial intelligence; (II) it causes a major impact on the field of industry and information technology and its important backbone enterprises, critical information infrastructure, important resources, and the like; (III) it causes major damage to industrial production and operation, the operation and service of telecommunications networks and the Internet, the conduct of radio business, and the like, resulting in large-scale work stoppages and production halts, large-scale interruption of radio business, large-scale network and service paralysis, or loss of a large amount of business processing capacity; (IV) other core data determined through assessment by the Ministry of Industry and Information Technology. **Article 12.** Data processors in the field of industry and information technology shall file their catalogues of important data and core data with the industry regulatory authority of their region. The filing content includes but is not limited to the source, category, grade, scale, carrier, processing purpose and method, scope of use, responsible entity, external sharing, cross-border transmission, security protection measures, and other basic information of the data, but does not include the data content itself. The local industry regulatory authority shall complete the review within twenty working days after the data processor in the field of industry and information technology submits the filing application; where the filing content meets the requirements, it shall be filed, and the filing status shall be simultaneously reported to the Ministry of Industry and Information Technology; where filing is not granted, the filing applicant shall be promptly given feedback together with an explanation of the reasons. The filing applicant shall submit the filing application again within fifteen working days after receiving the feedback. Where the filing content undergoes a major change, the data processor in the field of industry and information technology shall complete the filing modification procedures within three months of the change. A major change refers to a change of more than 30% in the scale of a certain category of important data or core data (such as the number of data entries or the total storage volume), or a change in other filing content. ## Chapter III Full-Lifecycle Data Security Management **Article 13.** Data processors in the field of industry and information technology shall bear primary responsibility for the security of data processing activities, implement graded protection for all types of data, and where data of different grades are processed simultaneously and it is difficult to take protective measures separately, shall implement protection in accordance with the requirements for the highest grade among them, so as to ensure that data is continuously in a state of effective protection and lawful utilization: (I) establish a full-lifecycle data security management system, and, for data of different grades, formulate specific graded protection requirements and operating procedures for the collection, storage, use, processing, transmission, provision, disclosure and other stages of data; (II) assign data security management personnel as needed, with overall responsibility for the security supervision and administration of data processing activities, and assist the industry regulatory authorities in carrying out their work; (III) reasonably determine the operating authority for data processing activities, and strictly implement personnel authority management; (IV) formulate contingency plans and conduct emergency drills as needed to respond to data security incidents; (V) regularly carry out data security education and training for practitioners; (VI) other measures prescribed by laws and administrative regulations. Processors of important data and core data in the field of industry and information technology shall also: (I) establish a data security work system covering the relevant departments of their own organization, clarify the person responsible for data security and the management body, and establish a normalized communication and collaboration mechanism. The legal representative or principal person in charge of the organization is the primary person responsible for data security, and the member of the leadership team in charge of data security is the directly responsible person; (II) clarify the key positions and position responsibilities for data processing, and require personnel in key positions to sign a data security responsibility statement, the content of which includes but is not limited to data security position responsibilities, obligations, penalty measures and points for attention; (III) establish internal registration, approval and other work mechanisms, strictly manage the processing activities of important data and core data, and retain records thereof. **Article 14.** Data processors in the field of industry and information technology shall follow the principles of legality and legitimacy in collecting data, and shall not steal data or collect data by other illegal means. In the course of data collection, corresponding security measures shall be taken according to the data security grade, the management of personnel and equipment collecting important data and core data shall be strengthened, and the source, time, type, quantity, frequency, flow direction, and the like, of collection shall be recorded. Where important data and core data are obtained through indirect channels, the data processor in the field of industry and information technology shall, by signing relevant agreements, letters of undertaking and the like with the data provider, clarify the legal responsibilities of both parties. **Article 15.** Data processors in the field of industry and information technology shall store data in accordance with the methods and periods prescribed by laws and administrative regulations and agreed with users. Where important data and core data are stored, verification technology, cryptographic technology and other measures shall be adopted for secure storage, and data disaster recovery backup and storage media security management shall be implemented, with data recovery tests conducted regularly. **Article 16.** Where data processors in the field of industry and information technology use data for automated decision-making, they shall ensure the transparency of the decision-making and the fairness and reasonableness of the results. Where important data and core data are used or processed, access control shall also be strengthened. Where data processors in the field of industry and information technology provide data processing services involving the operation of telecommunications business, they shall obtain a telecommunications business operation license in accordance with relevant laws and administrative regulations. **Article 17.** Data processors in the field of industry and information technology shall formulate security strategies and take protective measures according to the type, grade and application scenario of the data transmitted. Where important data and core data are transmitted, measures such as verification technology, cryptographic technology, secure transmission channels or secure transmission protocols shall be adopted. **Article 18.** Where data processors in the field of industry and information technology provide data externally, they shall clarify the scope, category, conditions, procedures, and the like, of the provision. Where important data and core data are provided, a data security agreement shall be signed with the data recipient, the data security protection capability of the data recipient shall be verified, and necessary security protection measures shall be taken. **Article 19.** Data processors in the field of industry and information technology shall, before disclosing data, analyze and assess the possible impact on national security and the public interest, and shall not disclose data where a major impact exists. **Article 20.** Data processors in the field of industry and information technology shall establish a data destruction system, clarify the objects, rules, procedures and technical requirements for destruction, and record and retain records of destruction activities. Where individuals or organizations request destruction in accordance with legal provisions, contractual agreements, and the like, the data processor in the field of industry and information technology shall destroy the corresponding data. After destroying important data and core data, a data processor in the field of industry and information technology shall not recover the destroyed data for any reason or in any manner; where this causes a change in the filing content, the filing modification procedures shall be completed. **Article 21.** Where laws and administrative regulations require domestic storage of important data and core data collected and generated by data processors in the field of industry and information technology within the territory of the People's Republic of China, such data shall be stored within the territory; where it is truly necessary to provide such data overseas, a data export security assessment shall be conducted in accordance with the law. The Ministry of Industry and Information Technology shall, in accordance with relevant laws and the international treaties and agreements concluded or acceded to by the People's Republic of China, or on the principle of equality and reciprocity, handle requests from foreign industrial, telecommunications and radio law-enforcement agencies for the provision of data in the field of industry and information technology. Without the approval of the Ministry of Industry and Information Technology, data processors in the field of industry and information technology shall not provide data in the field of industry and information technology stored within the territory of the People's Republic of China to foreign industrial, telecommunications or radio law-enforcement agencies. **Article 22.** Where a data processor in the field of industry and information technology needs to transfer data due to merger, reorganization, bankruptcy, or the like, it shall clarify the data transfer plan and notify the affected users by telephone, text message, email, announcement and other means. Where a change in the filing content of important data or core data is involved, the filing modification procedures shall be completed. **Article 23.** Where data processors in the field of industry and information technology entrust others to carry out data processing activities, they shall, by signing contracts and agreements and the like, clarify the data security responsibilities and obligations of the entrusting party and the entrusted party. Where the processing of important data and core data is entrusted, the data security protection capability and qualifications of the entrusted party shall be verified. Except as otherwise provided by laws and administrative regulations, the entrusted party shall not provide the data to a third party without the consent of the entrusting party. **Article 24.** Where core data is provided, transferred or entrusted for processing across entities, the data processor in the field of industry and information technology shall assess the security risks, take necessary security protection measures, and report to the Ministry of Industry and Information Technology after review by the industry regulatory authority of its region. The Ministry of Industry and Information Technology shall conduct the review in accordance with relevant provisions. **Article 25.** Data processors in the field of industry and information technology shall, in the course of full-lifecycle data processing, record logs of data processing, authority management, personnel operations, and the like. The log retention period shall be not less than six months. ## Chapter IV Data Security Monitoring, Early Warning and Emergency Management **Article 26.** The Ministry of Industry and Information Technology shall establish a data security risk monitoring mechanism, organize the formulation of data security monitoring and early-warning interfaces and standards, plan and develop technical means for data security monitoring and early warning in an overall manner, form capabilities for monitoring, early warning, disposal and traceability, and strengthen information sharing with relevant departments. The local industry regulatory authorities shall respectively develop data security risk monitoring and early-warning mechanisms for their respective regions, organize the conduct of data security risk monitoring, promptly release early-warning information in accordance with relevant provisions, and notify the data processors in the field of industry and information technology in their respective regions to promptly take responsive measures. Data processors in the field of industry and information technology shall carry out data security risk monitoring, promptly investigate security hazards, and take necessary measures to prevent data security risks. **Article 27.** The Ministry of Industry and Information Technology shall establish a data security risk information reporting and sharing mechanism, uniformly collect, analyze, assess and notify data security risk information, and encourage security service institutions, industry organizations, scientific research institutions, and the like, to carry out the reporting and sharing of data security risk information. The local industry regulatory authorities shall respectively collect and analyze data security risks in their respective regions, and promptly report to the Ministry of Industry and Information Technology risks that may cause major or more serious security incidents. Data processors in the field of industry and information technology shall promptly report to the industry regulatory authority of their region risks that may cause relatively major or more serious security incidents. **Article 28.** The Ministry of Industry and Information Technology shall formulate a contingency plan for data security incidents in the field of industry and information technology, and organize and coordinate the emergency response to security incidents involving important data and core data. The local industry regulatory authorities shall respectively organize the conduct of emergency response to data security incidents in their respective regions. For security incidents involving important data and core data, they shall immediately report to the Ministry of Industry and Information Technology, and promptly report on the development and disposal of the incident. After a data security incident occurs, a data processor in the field of industry and information technology shall promptly carry out emergency response in accordance with the contingency plan; for security incidents involving important data and core data, it shall report to the industry regulatory authority of its region at the first opportunity, form a summary report within the prescribed period after the disposal of the incident is completed, and report on the disposal of data security incidents to the industry regulatory authority of its region annually. A data processor in the field of industry and information technology shall, for data security incidents that occur and may harm the legitimate rights and interests of users, promptly inform the users and provide measures to mitigate the harm. **Article 29.** The Ministry of Industry and Information Technology shall entrust relevant industry organizations to establish channels for complaints and reports of data security violations in the field of industry and information technology; the local industry regulatory authorities shall respectively establish mechanisms or channels for complaints and reports of data security violations in their respective regions, accept and handle complaints and reports in accordance with the law, and carry out law-enforcement investigations as needed. Data processors in the field of industry and information technology are encouraged to establish user complaint-handling mechanisms. ## Chapter V Data Security Testing, Certification and Assessment Management **Article 30.** The Ministry of Industry and Information Technology shall guide and encourage institutions with corresponding qualifications to carry out industry data security testing and certification work in accordance with relevant standards. **Article 31.** The Ministry of Industry and Information Technology shall formulate an industry data security assessment management system and carry out the management of assessment institutions. It shall formulate industry data security assessment specifications and guide assessment institutions in carrying out data security risk assessments, export security assessments, and the like. The local industry regulatory authorities shall respectively be responsible for organizing the conduct of data security assessment work in their respective regions. Processors of important data and core data in the field of industry and information technology shall, on their own or by entrusting a third-party assessment institution, conduct a risk assessment of their data processing activities at least once a year, promptly rectify risk issues, and submit risk assessment reports to the industry regulatory authority of their region. ## Chapter VI Supervision and Inspection **Article 32.** The industry regulatory authorities shall supervise and inspect the implementation by data processors in the field of industry and information technology of the requirements of these Measures. Data processors in the field of industry and information technology shall cooperate with the supervision and inspection of the industry regulatory authorities. **Article 33.** The Ministry of Industry and Information Technology shall, under the guidance of the national data security work coordination mechanism, carry out work related to data security review in the field of industry and information technology. **Article 34.** Staff of the industry regulatory authorities and the data security assessment institutions entrusted by them shall strictly keep confidential the personal information, commercial secrets, and the like, that they become aware of in the performance of their duties, and shall not disclose them or illegally provide them to others. ## Chapter VII Legal Liability **Article 35.** Where the industry regulatory authorities, in performing their data security supervision and administration duties, discover that data processing activities involve relatively major security risks, they may, in accordance with the prescribed authority and procedures, conduct interviews with the data processor in the field of industry and information technology, and require it to take measures to make rectifications and eliminate hidden dangers. **Article 36.** Where there is conduct in violation of these Measures, the industry regulatory authorities shall, in accordance with relevant laws and regulations and according to the degree of seriousness of the circumstances, impose administrative penalties such as confiscation of illegal gains, fines, suspension of business, suspension of business for rectification, and revocation of business licenses; where a crime is constituted, criminal liability shall be pursued in accordance with the law. ## Chapter VIII Supplementary Provisions **Article 37.** Central enterprises shall supervise and guide their subordinate enterprises in fulfilling territorial management requirements in the work of filing catalogues of important data and core data, risk assessment of cross-entity processing of core data, risk information reporting, annual data security incident disposal reports, and risk assessment of important data and core data; they shall also comprehensively sort out and summarize the data security situation of the enterprise group headquarters and subordinate companies, and promptly report it to the Ministry of Industry and Information Technology. **Article 38.** Where data processing activities involving personal information are carried out, the provisions of relevant laws and administrative regulations shall also be complied with. **Article 39.** Data processing activities involving military affairs, State secrets, and the like, shall be carried out in accordance with relevant State provisions. **Article 40.** The specific measures for the processing of government affairs data in the field of industry and information technology shall be separately prescribed by the Ministry of Industry and Information Technology. **Article 41.** Data security management in the fields of national defense science, technology and industry and tobacco shall be the responsibility of the State Administration of Science, Technology and Industry for National Defense and the State Tobacco Monopoly Administration, and the specific systems shall be separately formulated with reference to these Measures. **Article 42.** These Measures shall come into force on January 1, 2023. --- ## Civil Code — Personality Rights Book, Chapter on Privacy and Protection of Personal Information - Chinese title: 中华人民共和国民法典 · 人格权编 · 隐私权和个人信息保护章 - Abbreviation: Civil Code (PI Chapter) - Hierarchy: law - Issuing body: National People's Congress - Adopted: 2020-05-28 - Effective: 2021-01-01 - Status: effective - URL: https://datacompliancechina.com/laws/civil-code-personal-info/ - Markdown: https://datacompliancechina.com/laws/civil-code-personal-info.md ### Summary Articles 1032–1039 of the Civil Code's Personality Rights Book establish the civil-law foundation for privacy and personal-information protection in China. The chapter defines the right of privacy, the scope of personal information, principles for handling, statutory defenses, individuals' rights of access and correction, processor obligations, and confidentiality duties of State organs. Civil-law remedies under this chapter operate alongside the public-law PIPL regime — neither displaces the other. ### Full text **Adopted at the 3rd Session of the 13th National People's Congress on May 28, 2020. Effective January 1, 2021.** The Civil Code is China's first codified civil law. Articles 1032 through 1039 appear in Book IV (Personality Rights), Chapter VI (Right to Privacy and Protection of Personal Information). These eight articles provide the civil-law underpinning for personal-information protection in China — they sit alongside PIPL rather than being superseded by it. --- ## Chapter 6 Right to Privacy and Protection of Personal Information **Article 1032.** A natural person shall enjoy the right of privacy. No organization or individual may infringe upon the privacy of any other person by spying, invading and harassing, disclosing or disclosing the relevant information or by any other means. Privacy is a natural person's private life peace and do not want to know for others private space, private activities, private information. **Article 1033.** Unless otherwise prescribed by the law or specifically agreed by the rights holders, no organization or individual may carry out any of the following acts: 1. disturbing the private peace of others by means of telephone, text message, instant messaging tools, e-mails, leaflets, etc.; (II) Entering, shooting or peeping into the private spaces of others' houses or hotel rooms; (III) Photographing, peeping, eavesdropping, or making public the private activities of others; (IV) taking photos of or peeping at private parts of others' bodies; (V) Dealing with the confidential information of others; (VI) infringing upon the privacy of others by other means. **Article 1034.** The personal information of a natural person shall be protected by the law. Personal information refers to all kinds of information recorded by electronic or otherwise that can be used to independently identify or be combined with other information to identify specific natural persons, including the natural persons' names, dates of birth, ID numbers, biometric information, addresses, telephone numbers, e-mail addresses, health information, whereabouts, etc. For the confidential information included in personal information, the provisions on privacy rights shall apply; if no provisions are available, the provisions on personal information protection shall apply. **Article 1035.** The handling of personal information shall be subject to the principle of legitimacy, rightfulness and necessity, shall not involve excessive handling and shall meet the following conditions: 1. unless otherwise provided by laws or administrative regulations, with the consent of the natural person or the guardian thereof; and (II) rules on disclosure of processing information; (III) to expressly state the purpose, method and scope of information treatment; (IV) The provision of the laws and administrative regulations and the agreement of both parties shall not be violated. Personal information processing includes the collection, storage, use, processing, transmission, provision and disclosure of Personal information, etc. **Article 1036.** Where the handling of personal information falls under any of the following circumstances, the actor concerned shall not bear civil liability: 1. Acts performed reasonably within the scope agreed by the natural person or his or her guardian; (II) Deal reasonably with the information made public by the natural person himself or herself or other information that has been legally made public, unless the natural person explicitly refuses to do so or deals with the circumstance where such information infringes upon his or her major interests; and (III) Other reasonable acts performed to protect the public interests or the legitimate rights and interests of the natural persons. **Article 1037.** A natural person may consult or copy his/her personal information with any information processor in accordance with the law; if any error is found in the information, the natural person has the right to raise an objection and request the information processor to take necessary measures such as corrections in a timely manner. Where a natural person discovers that an information processor has processed his/her personal information in violation of the provisions of laws and administrative regulations or the agreement between both parties, he/she shall have the right to request that the information processor promptly delete the information. **Article 1038.** Information processors shall not divulge or tamper with personal information collected or stored by them; without the consent of a natural person, information processors shall not illegally provide personal information of such person to others, except for information that has been processed and cannot be identified with specific persons and cannot be restored. An information processor shall take technical measures and other necessary measures to ensure the security of the personal information it collects and stores and to prevent the information from being divulged, tampered with or lost; where personal information has been or may be divulged, tampered with or lost, it shall take remedial measures in a timely manner, inform the natural person concerned in accordance with the provisions and report the case to the relevant competent department. **Article 1039.** State organs, statutory agencies with administrative functions and their staff shall keep confidential the privacy and personal information of natural persons that come into their knowledge during the performance of duties, and shall not divulge the same or illegally provide the same to others. --- ## Measures for the Administration of Data Security in the Business Fields of the People's Bank of China - Chinese title: 中国人民银行业务领域数据安全管理办法 - Abbreviation: PBOC Data Security Measures - Hierarchy: rule - Issuing body: People's Bank of China - Adopted: 2025-04-02 - Effective: 2025-06-30 - Status: effective - URL: https://datacompliancechina.com/laws/pboc-data-security-measures/ - Markdown: https://datacompliancechina.com/laws/pboc-data-security-measures.md ### Summary Promulgated as PBOC Order [2025] No. 3 and effective June 30, 2025, these Measures are the People's Bank of China's departmental rule on data security across the business fields it supervises. They build a full-lifecycle security regime for business data — covering classification and grading (general / important / core data and a sensitivity dimension), management and technical requirements for collection, storage, use, processing, transmission, provision, cross-border transfer, public disclosure and deletion, and risk and incident management. Data processors (financial institutions and other PBOC-approved institutions) must inventory their data, designate security officers for important data, conduct annual risk assessments, and report security incidents, with penalties keyed to Article 45 of the Data Security Law. ### Full text **Promulgated by:** People's Bank of China. **Document No.:** PBOC Order [2025] No. 3. **Adopted at the 5th Executive Meeting of the People's Bank of China on April 2, 2025. Promulgated May 1, 2025. Effective June 30, 2025.** --- ## Promulgation Order The Measures for the Administration of Data Security in the Business Fields of the People's Bank of China, having been deliberated and adopted at the 5th Executive Meeting of the People's Bank of China on April 2, 2025, are hereby promulgated and shall come into force as of June 30, 2025. Governor Pan Gongsheng May 1, 2025 --- # Measures for the Administration of Data Security in the Business Fields of the People's Bank of China ## Chapter 1 General Provisions **Article 1.** In order to regulate the security administration of data in the business fields of the People's Bank of China and to promote its development and utilization, these Measures are formulated in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Law of the People's Republic of China on the People's Bank of China, the Regulations on the Administration of Network Data Security and other laws and administrative regulations. **Article 2.** These Measures shall apply to the carrying out, within the territory of the People's Republic of China, of processing activities relating to data in the business fields of the People's Bank of China and the security supervision and administration thereof. Where other competent authorities have provisions, such provisions shall also be complied with in accordance with the law. The "business fields of the People's Bank of China" as used in these Measures means the business fields for which the People's Bank of China undertakes supervision and administration responsibilities pursuant to laws and administrative regulations and the decisions of the CPC Central Committee and the State Council. "Data in the business fields of the People's Bank of China" as used in these Measures means network data not involving State secrets that is generated and collected within the business fields of the People's Bank of China (hereinafter referred to as business data). "Data processors" as used in these Measures means financial institutions as well as other institutions established or recognized upon the approval of the People's Bank of China. **Article 3.** Business data security work shall follow the principle of "whoever administers the business administers the business data, and whoever administers the business data administers the data security." The People's Bank of China bears the responsibility for guiding and supervising business data security. Data processors shall perform data security protection obligations, guard against risks such as the tampering, damage or leakage of business data or its unlawful acquisition or unlawful use, safeguard national security, the public interest and the lawful rights and interests of individuals and organizations, respect social morality and ethics, observe commercial ethics and professional ethics, and ensure the lawful, orderly and free flow of business data. **Article 4.** Under the overall coordination of the national data security work coordination mechanism, the People's Bank of China and its branches shall carry out business data security supervision and administration work in accordance with these Measures, and strengthen collaboration and cooperation as well as information communication on data security supervision and administration with other relevant competent authorities. The relevant financial industry associations shall strengthen self-discipline administration, formulate codes of conduct and group standards for business data security in accordance with the law, and guide their members to strengthen business data security protection. **Article 5.** Data processors are encouraged to actively carry out innovative applications of business data security, to promote, on the premise of ensuring security and compliance, the efficient circulation, development and utilization of business data, and to promote outstanding innovative achievements throughout the industry. ## Chapter 2 Classification and Grading of Business Data and Overall Requirements **Article 6.** The People's Bank of China shall be responsible for formulating the relevant norms and standards for the classified and graded protection of business data, guiding the classified and graded protection of business data, and organizing the compilation of the catalogue of important data in the business fields of the People's Bank of China and implementing dynamic management thereof. **Article 7.** Data processors shall establish and improve a system and operating procedures for the classification and grading of business data. The implementation of business data classification and grading shall follow the system and procedures, and the classification and grading results shall undergo internal approval procedures. **Article 8.** Data processors shall establish a business data resource catalogue and properly classify business data respectively from the aspects of business relevance, sensitivity and availability: (I) identifying, for each data item, whether it is personal information, whether it is collected or generated externally, the list of information systems storing such data item, and the associated business categories. (II) carrying out sensitivity classification according to the degree of harm caused to the lawful rights and interests of individuals or organizations or to the public interest where business data is leaked or unlawfully acquired or unlawfully used. The sensitivity of structured data items of business data shall be identified one by one; the sensitivity of unstructured data items of business data shall preferentially be identified according to the highest sensitivity identified among the divisible structured data items. Sensitive personal information, customer business information that may involve commercial secrets, and business information for which the scope of awareness should be strictly controlled within the business fields of the People's Bank of China shall be identified as high-sensitivity data items. (III) defining differentiated recovery point objectives (RPOs) for information systems according to the degree of impact on the normal operation of business caused after business data is tampered with or damaged, which shall be deemed the availability classification of business data. **Article 9.** In accordance with relevant State provisions, business data shall be divided into three grades: general data, important data and core data. Important data means data in specific fields, of specific groups, in specific regions, or reaching a certain degree of precision and scale, that, once tampered with, damaged, leaked, or unlawfully acquired or unlawfully used, may directly endanger national security, economic operation, social stability, and public health and safety. Core data means important data that has a relatively high degree of coverage of, or reaches a relatively high degree of precision, a relatively large scale or a certain depth with respect to, a field, group or region, and that, once unlawfully used or shared, may directly affect political security. The People's Bank of China shall organize the determination of the specific catalogue of important data in accordance with relevant State provisions, and data processors shall accurately identify and declare whether the full set of business data stored by their institution constitutes important data or core data, and complete and report the content of the specific catalogue of important data. The People's Bank of China shall consolidate and form the specific catalogue of important data, and after it is examined and approved by the national data security work coordination mechanism, shall determine the processors of important data and inform them of their corresponding important data. Except where separately specified, the protection obligations for important data set out in these Measures shall apply to core data. **Article 10.** Data processors shall update the business data resource catalogue at least once a year, completely and accurately recording the data items stored in information systems and the corresponding identification content. **Article 11.** Data processors shall earnestly perform the responsibility for business data security protection, clarify the responsibilities of the relevant internal departments for business data security protection, equip themselves with data security professionals commensurate with their business scope and service scale, and refine the rules and procedures for rewards and punishments in business data security protection. Data processors that provide products or services to the public shall establish convenient channels for complaints and reports, and promptly accept and handle complaints and reports relating to business data security. Processors of important data shall designate a security officer and a management institution for business data. The management institution shall earnestly perform the various responsibilities already specified by laws and administrative regulations. The business data security officer shall satisfy the conditions already specified as required by laws and administrative regulations, and shall be ensured to be able to effectively perform data security protection obligations and shall have the right to directly report the business data security situation to the People's Bank of China. **Article 12.** Data processors shall establish and improve a full-process business data security management system, clarify differentiated security protection measures in light of the classification and grading of business data, formulate operating procedures for business data processing activities and internal approval and authorization procedures relating to business data security, and clarify the retention requirements for records of operational implementation and approval authorization. Where data items of different sensitivities are processed within the same business data processing activity and it is difficult to adopt differentiated security protection measures, the security protection measures corresponding to the high-sensitivity data items shall be adopted. **Article 13.** Data processors shall, according to the division of duties among positions, formulate an annual training plan for business data security, and shall organize relevant education and training each year for the personnel participating in business data processing activities. The training content shall include the systems and standards relating to business data security, common knowledge of risk prevention, position responsibilities, protection measures and emergency response requirements for incidents. ## Chapter 3 Full-Process Business Data Security Management Requirements **Article 14.** Data processors shall strictly administer the privileged accounts, such as database administrator accounts of the information systems relating to the processing of business data, and the privileges of various business processing accounts, and shall immediately adjust privileges upon personnel changes. Data processors shall conclude confidentiality agreements with personnel whose accounts may use high-sensitivity data items. Where a data processor stores core data, it shall conduct security background checks on the business data security officer and the key-position personnel who may use core data. **Article 15.** Data processors shall adopt the following security protection management measures when collecting business data: (I) except in the situation of collecting business data that has been disclosed on one's own initiative or has otherwise been lawfully disclosed, when collecting business data, the consent of the individual or the authorization of the organization shall be obtained in accordance with laws and administrative regulations and the relevant provisions of the People's Bank of China, and the corresponding notification obligation shall be fulfilled. (II) where business data that has not yet been disclosed is collected other than directly from the individual or organization, the obligation of the data provider to ensure the lawfulness and authenticity of the source of the business data shall be specified in the contract or agreement. Where the data provider has not obtained the written consent of the individual or the written authorization of the organization, it shall also be required to produce the necessary supporting materials evidencing that the source of the business data is lawful and compliant and that the data is authentic. (III) where business data is collected by means of manual entry, necessary verification measures shall be taken to ensure the accuracy of the business data entry, and the original vouchers for the collection of business data shall be retained in accordance with relevant management requirements. (IV) in principle, original personal biometric information such as images shall not be collected. Where it is genuinely necessary to collect it, the relevant requirement scenarios shall be uniformly and normatively administered. (V) collection and subsequent business data processing activities shall be carried out in accordance with the processing purposes, methods, scope and security protection obligations agreed in the contract or agreement with the data provider. **Article 16.** Data processors shall, according to business needs, clarify the retention period of business data. Except for the performance of statutory duties or statutory obligations, high-sensitivity data items shall in principle not be stored on terminal devices or mobile media; where storage is genuinely necessary, the data processor shall uniformly and normatively administer the relevant requirement scenarios. **Article 17.** In business data use activities, data processors shall in principle not adopt an export method when using high-sensitivity data items, and shall in principle adopt only a verification method when using data items used for identity authentication. Where it is genuinely necessary to use high-sensitivity data items by an export method or to use data items used for identity authentication by other methods, the data processor shall uniformly and normatively administer the relevant requirement scenarios. Except where displaying to an individual the business data relating to that individual at the individual's request, and except as needed for the performance of statutory duties or statutory obligations, data processors shall in principle de-identify high-sensitivity data items before displaying them. Where display without de-identification is genuinely necessary, the data processor shall uniformly and normatively administer the relevant requirement scenarios. **Article 18.** Data processors shall examine whether the purpose of business data processing (加工) is consistent with the agreement under which the business data was collected; where business data needs to be used for training, they shall examine the authenticity, accuracy, objectivity and diversity of the training business data; where business data needs to be labeled, they shall examine, on a sampling basis, the reasonableness and accuracy of the labeling; where model evaluation and incentive rules need to be established, they shall examine whether the evaluation and incentive rules respect social morality and ethics and observe commercial ethics and professional ethics. In business data processing activities, where a data processor processes high-sensitivity data items, it shall further clarify the security protection measures to be adopted and perform internal approval procedures; where automated decision-making services are provided to individuals based on data items generated from such processing, the data processor shall, in an appropriate manner, explain to the individuals the purpose of processing, the categories of personal information used for the processing, and the processing rules. **Article 19.** Where a new data item generated by a business data processing activity is assessed to be of significantly lower sensitivity than the data item used for the processing, the data processor may, in accordance with the procedures, lower its sensitivity identification, so as to promote lawful and compliant development and utilization. Where a new data item generated by a business data processing activity is assessed to be of significantly higher sensitivity than the data item used for the processing, the data processor shall raise its sensitivity identification and strengthen business data security protection. **Article 20.** Except where transmitting to an individual the business data relating to that individual at the individual's request, data processors shall in principle not use Internet information services such as email, instant messaging and online file storage, or mobile media, to transmit high-sensitivity data items. Where there is a genuine need, the data processor shall uniformly and normatively administer the relevant requirement scenarios. **Article 21.** For business data provision activities required for conducting business, data processors shall verify the identity of the data recipient and adopt the following security protection management measures: (I) for business data provision activities involving personal information, an assessment shall be made of whether the requirements of laws and administrative regulations are complied with. For other business data provision activities, an assessment shall be made of whether the agreement to keep commercial secrets is complied with. (II) where the provision of business data to another data processor involves personal information and important data, the respective data security protection obligations of each party, the security protection measures to be adopted, the purpose, method and scope of data provision, the permitted data storage period, the restrictions on providing the data to third parties, and the obligation to notify of data security incidents shall be specified in the contract or agreement, and the performance by the data recipient of its agreed obligations shall be supervised. (III) business data cleaning and conversion shall be carried out as agreed, the authenticity of the provided data shall be necessarily examined, and the data recipient shall not be misled. (IV) except in cases of entrusted processing, high-sensitivity data items shall in principle not be provided to other data processors by an export method, and data items used for identity authentication shall in principle be provided by a verification method. Where it is genuinely necessary to provide high-sensitivity data items by an export method or to use data items used for identity authentication by other methods, the data processor shall uniformly and normatively administer the relevant requirement scenarios. **Article 22.** Before providing important data to another data processor, or entrusting another data processor with the processing thereof, or jointly processing it, a data processor shall conduct a risk assessment in accordance with laws and administrative regulations and the relevant provisions of the People's Bank of China, focusing on assessing the lawfulness and legitimacy of the data recipient's data processing purposes and methods, the reasonableness of the need for the list of data items, the potential security risks of the data activities, the integrity and law-abidingness of the data recipient, the completeness of the content of the contract or agreement, and the security protection measures to be adopted. Except for the performance of statutory duties or statutory obligations, where a data processor provides core data to another data processor in a situation reaching that prescribed by the State, it shall, before providing the business data, undergo a risk assessment carried out by the national data security work coordination mechanism via report by the People's Bank of China. Data processors shall not evade the foregoing obligations by means such as splitting or conversion. Where a processor of important data may affect the security of important data due to merger, division, dissolution, bankruptcy or the like, it shall, in accordance with the requirements of laws and administrative regulations, report in advance to the People's Bank of China or the provincial branch of the People's Bank of China at the place of its domicile a disposal plan for the important data, and shall explain in the plan the update of the content of the important data catalogue, the name and contact information of the data recipient, and other matters. **Article 23.** Where a data processor adopts technologies such as privacy-enhancing computing (隐私计算) to promote the integration and innovative application of business data, it shall implement the requirements of items (I) through (III) of Article 21 of these Measures, and shall confirm that data processors other than its own institution cannot use the unencrypted original data, and that conducting correlation analysis with other data integration and innovative application activities cannot leak information beyond the agreed scope. **Article 24.** Where a data processor provides data to outside the territory of the People's Republic of China due to business or other needs, and a situation prescribed by the national cyberspace authority exists, it shall strictly comply with the relevant provisions thereof; where laws and administrative regulations and the relevant provisions of the People's Bank of China contain domestic storage requirements, the business data shall also be stored simultaneously within the territory of the People's Republic of China. Where a situation requiring the declaration of a data export security assessment or the carrying out of protection certification or the like as prescribed by the national cyberspace authority is met, the data processor shall not adopt means such as splitting or conversion of business data to evade the relevant obligations. **Article 25.** The People's Bank of China shall, in accordance with relevant laws and the international treaties and agreements concluded or acceded to by the People's Republic of China, or on the principle of equality and reciprocity, handle requests from foreign financial law-enforcement authorities for the provision of business data. **Article 26.** Data processors shall review the purpose, list of data items, channels, time limits and de-identification of business data public disclosure activities, analyze and assess the possible adverse impacts, examine the lawfulness and authenticity of the business data, and disclose business data through the official channels specified by their institution. Where disclosure through other channels is genuinely necessary, the security protection measures to be adopted shall be specified and internal approval procedures performed. In business data processing activities, data processors shall not disclose data items used for identity authentication, and shall in principle de-identify other high-sensitivity data items before disclosing them. Where disclosure without de-identification is genuinely necessary, the data processor shall uniformly and normatively administer the relevant requirement scenarios. **Article 27.** Data processors shall, in accordance with laws and administrative regulations and the relevant provisions of the People's Bank of China, proactively delete business data where the processing purpose has been achieved, the processing purpose cannot be achieved, it is no longer necessary for achieving the processing purpose, or the agreed retention period has expired, and similar situations. Where the deletion of business data is technically difficult to achieve, the data processor shall cease business data processing activities other than storage and the adoption of necessary security protection measures, and shall conduct a review at least once a year to confirm that the relevant business data cannot be used. **Article 28.** Where a data processor entrusts the processing of business data, in addition to implementing the requirements of item (II) of Article 21 of these Measures, it shall also specify in the contract or agreement the important matters that the entrusted party is required to report, the implementation method and time-limit requirements for the transmission and deletion of business data after the completion of the entrusted processing matters, the obligation to cooperate with the institution's supervision of its entrusted processing activities, and other matters, and shall supervise the entrusted party's performance by means such as periodic assessment. For entrusted processing activities involving core data, the data processor shall conduct due diligence on the entrusted party in advance and further strengthen its supervision thereof. Data processors shall incorporate business data entrusted processing activities into their business or information technology outsourcing management system, and strengthen risk management. Where the People's Bank of China has expressly required that a business not be carried out in the form of outsourcing, the relevant business data shall not be entrusted for processing. ## Chapter 4 Full-Process Business Data Security Technical Requirements **Article 29.** Data processors shall strengthen access control, adopt effective technical measures to control the data-use privileges of business data processing accounts, clarify the use scenarios of privileged accounts, and strengthen internal approval and authorization when they are used. When a privileged account is used to perform manual operations such as adding, deleting or modifying business data, prior approval and ex post review shall be carried out one by one. Before a privileged account is used to carry out automated operations, the correctness and security of the operation shall be necessarily checked. Data processors shall strengthen security authentication, ensure the strength of the authentication passwords of business data processing accounts and privileged accounts, limit the number of retries after authentication failure, and accounts that may use high-sensitivity data items shall support multi-factor authentication or secondary authorization confirmation, and a re-authentication mechanism shall be established for situations such as timeout exit and changes in the access communication address. **Article 30.** Data processors shall standardize log recording, clarify the information to be logged for business data processing activities, and meet the needs of data security risk tracing and incident handling. The high-sensitivity data items recorded in the logs of business data processing activities shall in principle be de-identified. Where processing without de-identification is genuinely necessary, the data processor shall uniformly and normatively administer the relevant requirement scenarios. Data processors shall incorporate the logs of business data processing activities into the classified and graded management of business data, and implement security protection requirements. Data processors shall retain the logs of business data processing activities for at least six months; for the logs of business data processing activities relating to information systems storing important data, they shall be retained for at least one year; for the logs of business data processing activities relating to information systems storing core data, they shall be retained for at least three years. Records such as the logs of business data processing activities for the provision to another data processor, or the entrusted processing, of personal information and important data shall be retained for at least three years. **Article 31.** Data processors shall preferentially collect business data by means of direct entry or interaction between information systems. Where business data is collected by means of direct entry, the identity of the person entering the data shall be verified; where high-sensitivity data items are collected by means of interaction between information systems, the identity of the data provider shall be verified. Data processors shall adopt technical measures such as cross-verification of associated information to ensure, to the greatest extent possible, the accuracy of the business data collected. Where a data processor collects business data from another data processor by means of an automated tool, it shall comply with the latter's control rules for data collection, shall not interfere with the normal operation of network services, and shall not infringe upon the lawful operating rights and interests of other institutions' network services. **Article 32.** Data processors shall adopt the following security protection measures with respect to business data storage activities: (I) effectively isolating the development and testing environment of information systems from the production environment. (II) information systems storing important data shall meet the requirements of Level 3 of cybersecurity multi-level protection, and information systems storing core data shall meet the requirements of Level 4 of cybersecurity multi-level protection or the requirements for critical information infrastructure protection, and secure and trustworthy network products and services shall be preferentially procured. (III) in principle, high-sensitivity data items shall be stored encrypted; where storage without encryption is genuinely necessary, the data processor shall uniformly and normatively administer the relevant requirement scenarios. Where the People's Bank of China has special provisions on the use of commercial cryptography to protect business data storage, such provisions shall be implemented. (IV) promptly assessing and adjusting the business data storage capacity. In accordance with the data recovery point objectives of information systems, properly performing redundant backups of production-environment business data, and periodically verifying, as required by the People's Bank of China, the availability of the redundantly backed-up business data. Assessing whether the backup technical measures have the capability to guard against risks such as the production-environment business data and the redundantly backed-up business data being tampered with or damaged simultaneously, and strengthening security protection measures accordingly. **Article 33.** Data processors shall clarify the de-identification processing strategy for high-sensitivity data items, and earnestly reduce the risk that de-identified business data can still be re-identified to a specific individual or organization. Data processors shall establish a security control strategy for terminal devices and clarify the requirements for security protection measures. When business data is displayed or printed, technical measures shall be taken to identify the business processing account currently using the business data and the time of use. Except where the security protection measures of the development and testing environment and the production environment are completely identical, where production-environment data items are used in the development and testing environment, internal approval procedures shall be performed and de-identification carried out. **Article 34.** Data processors shall establish a risk assessment and control strategy for business data processing algorithms, and clarify the prevention or mitigation measures corresponding to risks such as interpretability and vulnerability, as well as the alternative plan for when the use of a processing algorithm to carry out automated decision-making is ceased. **Article 35.** Data processors shall adopt the following security protection measures with respect to business data transmission activities: (I) preferentially adopting technologies such as dedicated lines and virtual private networks to strengthen the security protection of business data transmission. (II) improving access control and security isolation strategies, and strengthening admission control for the relevant terminal devices. (III) in principle, high-sensitivity data items shall be transmitted encrypted to other data processors, other data centers or the Internet. Where transmission without encryption is genuinely necessary, the data processor shall uniformly and normatively administer the relevant requirement scenarios. Where the People's Bank of China has special provisions on the use of commercial cryptography to protect business data transmission, such provisions shall be implemented. (IV) promptly assessing and adjusting the transmission carrying capacity of communication lines, and strengthening the redundant backup of communication lines and the relevant software and hardware equipment. **Article 36.** Data processors shall dynamically maintain the list of front-end gateways and application programming interfaces (APIs) through which their institution provides business data, and shall carry out security testing before the front-end gateways and APIs are changed and put into production, and immediately take remedial measures upon discovering risks or hidden dangers. Where a data processor provides business data by adopting technologies such as privacy-enhancing computing, it shall establish a technical risk assessment and control strategy, and clarify the response measures for risks such as security being unverifiable and performance being unacceptable. **Article 37.** Data processors shall formulate control rules on whether the business data disclosed by their institution may be collected by automated tools, and shall adopt necessary technical measures to ensure that the disclosed business data is not tampered with. **Article 38.** Data processors shall clarify the destruction strategy for business data storage media, and standardize the destruction implementation method and process supervision procedures. ## Chapter 5 Business Data Security Risk and Incident Management **Article 39.** Data processors shall strengthen risk monitoring of business data processing activities, effectively identify the following risks and immediately take remedial measures: (I) the existence of information whose publication or transmission is prohibited by laws and administrative regulations. (II) the existence of malicious programs such as computer viruses, Trojans and ransomware, or defects such as data security vulnerabilities or low authentication password strength. (III) failure of the security protection measures for high-sensitivity data items. (IV) abnormal business data processing activities. (V) insufficient carrying capacity for business data transmission or storage. **Article 40.** Data processors shall strengthen risk monitoring of business data leakage, the unlawful peddling of business data, the processing of business data by impersonating the identity of their institution, and other negative public opinion concerning business data security relating to their institution, and shall immediately verify and dispose of relevant risks upon discovery. **Article 41.** Where the People's Bank of China and its branches notify of risks such as data security defects or vulnerabilities relating to business data, the data processor shall immediately verify and dispose of them, and provide accurate feedback on the situation in a timely manner as required by the notification. Data processors are encouraged to provide the People's Bank of China and its branches with business data security risk intelligence of industry-sharing value. **Article 42.** Processors of important data shall, on their own or by entrusting a third-party assessment institution, conduct a risk assessment of business data once a year, and shall submit the risk assessment report for the previous year to the People's Bank of China or the provincial branch of the People's Bank of China at the place of their domicile before January 15 each year. In addition to the content already specified by laws and administrative regulations as subject to assessment, the risk assessment report shall also include the personnel training and routine management relating to the information systems storing important data, the implementation of the position responsibilities relating to business data, the cybersecurity multi-level protection evaluation and rectification, the implementation of protection measures, the risk monitoring and incident handling for the year, and other assessment content required by the People's Bank of China. **Article 43.** Data processors shall, in accordance with the incident-grading requirements of the National Cybersecurity Incident Contingency Plan and taking into account the scope and degree of impact, clarify the grading standards corresponding to business data security incidents: (I) the standards for grading incidents of tampering with or damage to business data shall take into account factors such as the data recovery point objectives of information systems, the duration of inability to provide services normally, the number of affected business transactions and the amounts involved, the number of affected individuals or organizations, and the data items of different sensitivities lost and their corresponding scale. (II) the standards for grading business data leakage incidents shall take into account factors such as the number of affected individuals or organizations, and the data items of different sensitivities leaked and their corresponding scale. (III) security incidents involving the leakage, tampering or damage of core data or important data shall be graded as particularly major incidents and major incidents, respectively. **Article 44.** Data processors shall properly grade business data security incidents, and upon the occurrence of a business data security incident, shall immediately take disposal measures, promptly notify users in accordance with provisions, and timely, accurately and completely report the incident situation as required by the People's Bank of China. Where a data recipient or an entrusted party of entrusted processing experiences a data security incident relating to the business data provided by the data processor, the data processor shall conduct an investigation and assessment, urge the relevant institution to immediately take remedial measures, and report to the relevant competent authority. Processors of important data shall conduct an emergency response drill for business data security incidents at least once a year, and other data processors shall conduct an emergency response drill for business data security incidents at least once every three years. **Article 45.** Data processors shall, against the security protection measure requirements set out in laws and administrative regulations and these Measures, as well as the implementation of their institution's internal management systems and operating procedures relating to business data security, conduct a business data security compliance audit at least once every three years; processors of important data shall conduct a compliance audit relating to important data security at least once a year. After a major or particularly major incident occurs, a special audit shall be conducted. The audit shall focus on whether the business data resource catalogue is updated in a timely manner, whether the account privilege management of the relevant information systems is rigorous, whether the contracts or agreements relating to business data processing activities are complete, whether the security protection measures for high-sensitivity data items are effective, whether the management responsibilities for entrusted parties of entrusted data processing are implemented, whether the front-end gateways and APIs are continuously and securely maintained, whether data security risk monitoring is effective, whether the disposal of data security risks and incidents is timely, whether data export is compliant, whether the handling of data security complaints is timely, and similar matters. **Article 46.** Data processors shall strengthen the management of the business data privileges used by risk-assessment personnel and audit personnel, and adopt necessary measures to ensure the business data security of the implementation process. The high-sensitivity data items recorded in risk assessment reports and audit reports relating to business data shall be de-identified. Where a data processor entrusts a third-party assessment institution or audit institution to carry out risk assessment or audit work relating to business data, it shall specify in the contract or agreement its data security protection obligations and corresponding responsibilities, and designate personnel of its institution to participate throughout the process. Where accounting and audit services are involved, the relevant business data security protection shall be further strengthened in accordance with the requirements of the national cyberspace authority and the financial authority. ## Chapter 6 Legal Liability **Article 47.** Where the People's Bank of China and its branches discover that the business data processing activities of a data processor present relatively major security risks, they may conduct interviews with it and require it to take measures for rectification; where they discover clues of business data processing activities that affect or may affect national security, they may require the data processor to undergo a national security review in accordance with relevant State provisions. The People's Bank of China and its branches may, in accordance with their duties, carry out law-enforcement inspections of the implementation by data processors of their data security protection obligations relating to business data, and may, where necessary, jointly carry out law-enforcement inspections with other relevant competent authorities. **Article 48.** Where the People's Bank of China and its branches discover that a data processor has not performed obligations such as data export security assessment or protection certification in its business data processing activities, they shall transfer the relevant case information to the cyberspace authority at the same level and cooperate with it in the handling thereof. **Article 49.** Where a data processor has not performed the data security protection obligations prescribed by these Measures and any of the following situations exists, the People's Bank of China and its branches shall impose a penalty in accordance with Article 45 of the Data Security Law of the People's Republic of China: (I) failing to establish and improve a full-process business data security management system in accordance with the corresponding provisions of laws and administrative regulations. (II) failing to organize and carry out business data security education and training in accordance with the corresponding provisions of laws and administrative regulations. (III) failing to adopt corresponding technical measures and other necessary measures to ensure business data security in accordance with the corresponding provisions of laws and administrative regulations. (IV) where a processor of important data has not designated a business data security officer and management institution. (V) failing to effectively monitor business data security risks. (VI) failing to immediately take remedial measures upon discovering business data security risks. (VII) failing to immediately take disposal measures upon the occurrence of a business data security incident, failing to promptly notify users, or failing to report the incident situation as required. (VIII) where a processor of important data has not conducted a risk assessment of business data once a year, or has not submitted the risk assessment report as required. **Article 50.** Where the People's Bank of China and its branches discover that a data processor carries out business data processing activities that exclude or restrict competition, or that harm the lawful rights and interests of individuals or organizations, they shall handle the matter in accordance with relevant laws and administrative regulations; where it falls within the administrative duties of other relevant competent authorities, they shall transfer the relevant case information and cooperate with them in the handling thereof. **Article 51.** Where the People's Bank of China and its branches discover that the business data processing activities carried out by a data processor are suspected of constituting an act in violation of public security administration or constituting a crime, they shall transfer the relevant case information to the public security organ, national security organ or other relevant competent authority at the same level, and cooperate with them in the handling thereof. **Article 52.** Where a data processor experiences a business data security incident that causes harmful consequences, if it can prove that its institution has adopted data security protection measures in accordance with provisions and has immediately taken remedial measures, it shall be given a lighter or mitigated administrative penalty. Where a data processor actively provides data security risk intelligence and assists in the timely discovery of major business data security risks, its conduct of failing to perform data security protection obligations but not yet causing harmful consequences shall be given a lighter or mitigated administrative penalty. **Article 53.** Where staff of the People's Bank of China and its branches engage in dereliction of duty, abuse of power or malpractice for personal gain in the course of the security supervision and administration of business data processing activities, they shall be sanctioned in accordance with the law. ## Chapter 7 Supplementary Provisions **Article 54.** Definitions of terms: (I) Data item means the most basic and indivisible unit describing the structure of network data. (II) Structured data item means a data item with a predefined abstract description of the data type, usually referring to a data item designated by a single field of a two-dimensional logical table of a database. (III) Unstructured data item means a data item not suitable to be presented by a two-dimensional logical table of a database, such as images, video, audio and document files. (IV) Terminal device means computer terminals, mobile smart terminals, audio-video and multimedia equipment, and other dedicated terminal devices used by a data processor in business data processing activities. (V) Export method means an operating method in data use or provision activities by which business data that originally has strict access-privilege control and access logging is converted into a document file without strict access control or without access logging. (VI) Verification method means an operating method in business data use or provision activities by which, after verification and validation, only whether there is a match with the stored business data is fed back. (VII) Uniform and normative administration means that a data processor centrally enumerates, in its institution's systems or operating procedures, the situations in which the principle-based compliance requirements set out in these Measures are not implemented, and explains the necessity of retaining such situations, the corresponding security protection measures to be adopted, and the necessary internal approval procedures to be performed. **Article 55.** The People's Bank of China shall be responsible for the interpretation of these Measures. **Article 56.** These Measures shall come into force as of June 30, 2025. --- ## Measures for the Administration of Data Security in the Energy Industry (Trial) - Chinese title: 能源行业数据安全管理办法(试行) - Hierarchy: rule - Issuing body: National Energy Administration - Adopted: 2025-12-08 - Effective: 2026-07-01 - Status: effective - URL: https://datacompliancechina.com/laws/energy-industry-data-security-measures/ - Markdown: https://datacompliancechina.com/laws/energy-industry-data-security-measures.md ### Summary Issued by the National Energy Administration as a departmental normative document (Doc. No. Guo Neng Fa Gui Hua Gui [2025] No. 108) on December 8, 2025, effective July 1, 2026, with a five-year term. These trial measures implement the Data Security Law within the energy sector. They define 'energy industry data' (data collected and generated in energy activities — planning, design, construction, production, storage and transport, consumption, and research) and establish the three-tier classification of general, important, and core data. The measures assign supervisory roles to the National Energy Administration, provincial energy authorities, and central energy enterprises; set out catalog-reporting duties for important and core data; and impose graduated protection requirements keyed to Multi-Level Protection Scheme (MLPS) levels — Level 3 or above for important data, and Level 4 (or CII protection) for core data. They also require annual risk assessments for important-data processors, cross-border security assessment for outbound important data, risk-assessment thresholds for core-data transfers (the 30% annual cumulative volume trigger), and a monitoring, early-warning, and emergency-response regime with a one-working-day reporting deadline for major incidents. ### Full text **Promulgated by:** National Energy Administration. **Document Number:** Guo Neng Fa Gui Hua Gui [2025] No. 108. **Date of Issue:** December 8, 2025. **Effective Date:** July 1, 2026. **Legal Effect Level:** Departmental normative document. **To all relevant entities:** In order to implement the Data Security Law of the People's Republic of China and other laws and regulations, our Administration has formulated the *Measures for the Administration of Data Security in the Energy Industry (Trial)*, which are hereby issued and shall take effect on July 1, 2026. National Energy Administration December 8, 2025 --- ## Chapter 1 General Provisions **Article 1.** These Measures are formulated in accordance with the Data Security Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Energy Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Network Data Security Management Regulations, and other laws and regulations, in order to regulate data processing activities in the energy industry, strengthen data security management, prevent data security risks, promote the development and utilization of data, protect the lawful rights and interests of individuals and organizations, and safeguard national security and development interests. **Article 2.** These Measures shall apply to the carrying out of data processing activities in the energy industry within the territory of the People's Republic of China and to the security supervision and administration thereof. Where energy data processors carry out energy industry data processing activities involving State secrets, or matters that constitute State secrets after being aggregated and correlated by them, they shall comply with the provisions of the Law of the People's Republic of China on Guarding State Secrets and other laws and administrative regulations. **Article 3.** The term "data" as used in these Measures means any record of information in electronic or other form. The term "energy industry data" as used in these Measures means data collected and generated in the course of carrying out energy activities. Energy activities mainly include energy-related planning, design, construction, production, storage and transport, consumption, scientific research, and the like. Data related to energy activities such as urban gas, heat supply, and filling stations shall comply with the provisions of the relevant competent authorities. The term "energy data processor" as used in these Measures means all types of entities in the energy industry that carry out energy industry data processing activities. Energy industry data processing activities include the collection, storage, use, processing, transmission, provision, disclosure, deletion, and the like, of energy industry data. The term "data security" as used in these Measures means ensuring, by taking necessary measures, that energy industry data is in a state of effective protection and lawful utilization, as well as the capability to ensure a continuous state of security. **Article 4.** Based on the importance, precision, scale, security risk, and the like, of the data, energy industry data is divided into three levels: general, important, and core. Energy industry important data means energy industry data of a specific field, specific group, specific region, or reaching a certain precision and scale, that, once leaked or tampered with, damaged, or destroyed, may directly endanger national security, economic operation, social stability, public health, and safety. Energy industry data that affects only the organization itself or individual citizens shall generally not be treated as energy industry important data. Energy industry core data means energy industry important data that has a relatively high coverage of a field, group, or region, or reaches a relatively high precision, relatively large scale, or certain depth, and that, once illegally used or shared, may directly affect political security. It mainly includes: data concerning key fields of national security; data concerning the lifelines of the national economy, important aspects of people's livelihood, and major public interests; and other energy industry data determined through assessment. Energy industry general data means energy industry data other than energy industry important data and energy industry core data. **Article 5.** Energy data processors are encouraged to actively carry out innovative applications of energy industry data, and to promote the development and utilization of data while ensuring security and compliance. ## Chapter 2 Basic Responsibilities for Energy Industry Data Security **Article 6.** Under the overall coordination of the national data security work coordination mechanism, the National Energy Administration shall be responsible for the supervision and administration of energy industry data security; supervise and guide the energy competent authorities of provinces, autonomous regions, municipalities directly under the Central Government, and the Xinjiang Production and Construction Corps (hereinafter referred to as provincial energy competent authorities) in carrying out data security supervision and administration; supervise and guide the energy enterprises administered by the State-owned Assets Supervision and Administration Commission of the State Council (hereinafter referred to as central energy enterprises) and the nationwide energy industry associations guided and supervised by the National Energy Administration in performing the responsibilities and obligations of energy data processors in accordance with laws and regulations; organize the formulation and release of standards and norms for the classification and grading of energy industry data; review and determine the catalog of energy industry important data; put forward recommendations on the catalog of core data to the relevant authorities and implement dynamic management thereof; and strengthen the building of monitoring, early-warning, and emergency-response capabilities for energy industry data security. **Article 7.** Provincial energy competent authorities shall be responsible for the supervision and administration of energy industry data processing activities and security protection in their respective regions; supervise and guide energy data processors in their regions (including subsidiaries and controlled enterprises at all levels of central energy enterprises in the region) in performing the responsibilities and obligations of energy data processors in accordance with laws and regulations; in accordance with the standards and norms for the classification and grading of energy industry data, compile and submit, with annual updates, the catalog of energy industry important data for their regions; and carry out energy industry data security monitoring and early warning, information reporting, formulation of emergency plans, emergency response, and other work in their regions. **Article 8.** Energy data processors shall perform their data security protection responsibilities and obligations in accordance with laws and regulations. Processors of energy industry important data and energy industry core data shall bear principal responsibility for their own data security; they shall designate a data security officer and a management body. The legal representative or principal person-in-charge of the entity is the primary person responsible for data security, and the leader in charge of data security is the directly responsible person. Central energy enterprises shall be responsible for the supervision and administration of the data processing activities and security protection of their subsidiaries and controlled enterprises at all levels. **Article 9.** Energy data processors shall, in accordance with the standards and norms for the classification and grading of energy industry data, identify and compile their entity's catalog of energy industry important data, and submit the catalog of important data as required by the provincial energy competent authority of the place where the data carrier is located. The catalogs of energy industry important data compiled by subsidiaries and controlled enterprises at all levels of central energy enterprises shall be submitted separately as required by the provincial energy competent authority of the place where the data carrier is located and by the headquarters of the central energy enterprise. The content submitted in the catalog of important data shall include, but not be limited to, data field information such as the category, level, scale, precision, source, carrier, scope of application, external sharing, cross-border transmission, security status, and responsible entity of the data, but shall not include the data content itself. **Article 10.** Provincial energy competent authorities and central energy enterprises shall be respectively responsible for compiling and reviewing the catalog of energy industry important data of their regions and their enterprises, and submitting it to the National Energy Administration. For data confirmed through procedures as energy industry important data or energy industry core data, the provincial energy competent authorities and central energy enterprises shall promptly inform the energy data processors. **Article 11.** Where, since the last submission of the catalog of important data, a material change occurs in the level, responsible-entity situation, data processing situation, or data security situation of energy industry important data or core data, the energy data processor shall, within three months, re-submit the catalog of important data through the prescribed procedure. ## Chapter 3 Energy Industry Data Protection Requirements **Article 12.** When carrying out data processing activities, energy data processors shall establish and improve data security management systems, and clarify the management requirements for each stage of the data lifecycle; and shall regularly organize education and training on energy industry data security knowledge and skills. Processors of energy industry important data and energy industry core data shall establish a data security work system, strengthen personnel and funding support, and cooperate with the relevant authorities in carrying out supervision and inspection. **Article 13.** Where energy industry data processing activities are carried out using the Internet or other information networks, the requirements of systems such as cybersecurity multi-level protection, critical information infrastructure security protection, cryptographic protection, and secrecy protection shall be implemented. Information networks that store and process energy industry important data shall implement Level 3 or above cybersecurity multi-level protection requirements. For information networks that store and process energy industry core data, where critical information infrastructure is involved, the critical information infrastructure security protection requirements shall be implemented on the basis of the cybersecurity multi-level protection scheme; where critical information infrastructure is not involved, Level 4 cybersecurity multi-level protection requirements shall be implemented. Where laws, regulations, and relevant State provisions require the use of commercial cryptography for protection, the relevant provisions on commercial cryptography protection shall also be complied with. **Article 14.** Processors of energy industry important data shall, on their own or by entrusting a third-party assessment institution with risk-assessment capabilities, carry out a risk assessment of their data processing activities at least once a year, promptly rectify risk problems, and submit risk assessment reports as required by the provincial energy competent authority. Provincial energy competent authorities and central energy enterprises shall submit the data security risk assessment status of their regions and their enterprises to the National Energy Administration on an annual basis. The risk assessment report shall accurately and clearly describe the main content of the assessment activities, specifically including, but not limited to, the basic information of the data processor, the basic situation of the assessment team, the situation of the data processing activities carried out and the evaluation of their compliance, the types and quantities of energy industry important data processed, the data security risks faced and the response measures, the conclusions of the risk assessment, and rectification recommendations, and other elements. **Article 15.** Energy industry data security risk assessment shall focus on assessing the following content: (I) the basic situation of the identification and determination of energy industry important data and core data, the security state in which they are located, and risk analysis; (II) whether the data processing activities are lawful, legitimate, and necessary; (III) the situation regarding the data security officer, management body, position staffing, and performance of responsibilities; (IV) the establishment and implementation of the whole-process data security management system and safeguard mechanism; (V) the management, education, and training of personnel involved in data processing activities; (VI) the implementation of the national data classification and grading protection system, and the implementation of protection requirements for energy industry important data and core data; (VII) the building and application of data security technical protection capabilities; (VIII) data security cases and incidents that have occurred and their handling, as well as the implementation of data security risk monitoring and early-warning work; (IX) where data provision, transfer, entrusted processing, or joint processing is involved, the security safeguard capabilities, responsibility and obligation constraints, and performance of the data recipient; (X) other relevant matters involving data security. **Article 16.** Processors of energy industry important data shall, at the stages of collection, storage, use, processing, transmission, provision, disclosure, deletion, and the like, of important data, comprehensively apply technical means such as encryption, authentication, certification, de-identification, verification, and auditing to carry out security protection. **Article 17.** Processors of energy industry important data shall, in accordance with business needs and the principle of least authorization, set data processing permissions based on position responsibilities, control the scope of access to important data, and promptly adjust permissions when personnel changes occur. **Article 18.** Processors of energy industry important data shall strengthen security management and control over data sharing and invocation, take technical measures to regularly monitor data sharing and invocation, and deploy security protection measures such as risk isolation, authentication and authorization, and threat alerts. **Article 19.** Where the processing of energy industry important data is entrusted to another party or is jointly carried out with another party, the entrusting party shall inform the entrusted party of the data level in advance, and data security responsibility shall not change as a result of the entrustment. The entrusting party shall strictly examine and approve and clarify the data processing permissions and protection responsibilities of the entrusted party, and supervise the entrusted party in performing its data security protection obligations. The entrusted party shall perform its data security protection obligations in accordance with the provisions of laws and regulations and the contractual stipulations, and shall not, without authorization, retain, use, leak, or provide energy industry important data to others. Where the processing of energy industry important data involves the use of cloud computing services, cloud computing services that have passed the cloud computing service security assessment may be selected, and the relevant requirements of these Measures shall be complied with. **Article 20.** Without the approval of the entrusting party, information system construction and operation-and-maintenance projects involving energy industry important data shall not be subcontracted or sub-subcontracted. Without the express authorization of the entrusting party, personnel engaged in the construction and operation and maintenance of information systems involving energy industry important data shall not process the important data of the entrusting party. Data collected or generated during the construction and operation and maintenance of information systems involving energy industry important data shall not be used for other purposes, and shall, after the service is completed, be handled as agreed with the entrusting party or promptly deleted. **Article 21.** Energy industry important data processing activities shall record and maintain the logs necessary for safeguarding data security. Where security incident handling or traceability is involved, the relevant logs shall be retained for not less than one year. Where the provision to others, entrusted processing, or joint processing of energy industry important data is involved, the relevant logs shall be retained for not less than three years. When processors of energy industry important data organize a data security risk assessment, they shall carry out audit analysis of the logs of key operations such as data query, download, modification, and deletion, and shall take corresponding handling measures upon discovering violations or abnormal behavior. **Article 22.** Where a processor of energy industry important data needs to transfer or destroy energy industry important data due to merger, division, dissolution, declaration of bankruptcy, or the like, it shall take necessary security protection measures and report the data handling plan in advance to the provincial energy competent authority. Where a change in the catalog of important data is thereby caused, it shall promptly file a report with the provincial energy competent authority of the place where the data carrier is located. **Article 23.** Where energy industry important data collected and generated within the territory of China truly needs to be provided overseas, the energy data processor shall, in accordance with laws and regulations, apply for a data export security assessment. **Article 24.** Where a processor of energy industry core data provides, transfers, or shares core data across different legal-person entities, it shall take necessary security protection measures and inform the data recipient to carry out classification and grading protection according to the corresponding level. Where the cumulative amount from January 1 of the current year may reach 30% or more of the total static volume of such core data as of the end of the previous year, a risk assessment shall be organized by the relevant authorities upon submission by the National Energy Administration; where it does not reach 30%, the provincial energy competent authority shall put forward a preliminary assessment opinion and submit it to the National Energy Administration to carry out the assessment. Energy industry core data involved in the lawful performance of duties by State organs, or in the internal flow within a State organ or an enterprise or public institution, shall be excepted. **Article 25.** On the basis of implementing the above protection requirements for energy industry important data, processors of energy industry core data may take the following measures to strengthen the protection of energy industry core data: (I) give priority to using commercial cryptography for protection; (II) give priority to using secure and trustworthy products and services; (III) give priority to using third-party assessment institutions to carry out risk assessments; (IV) for logs involving the handling and traceability of core data security incidents, retain them for not less than three years; (V) for relevant personnel in key positions, and entities engaged in the construction and operation and maintenance of information systems involving core data, submit them to the public security authorities and national security authorities for national security background review in accordance with laws and regulations. **Article 26.** Where data of different categories and levels is processed simultaneously and it is difficult to take protective measures separately, protection shall be implemented in accordance with the requirements for the highest level among them, so as to ensure that the data set as a whole is continuously in a state of effective protection and lawful utilization. ## Chapter 4 Energy Industry Data Security Monitoring, Early Warning, and Emergency Response **Article 27.** Provincial energy competent authorities and central energy enterprises shall respectively strengthen the building of energy industry data security monitoring, early-warning, and emergency-response capabilities in their regions and their enterprises; guide data processors in their regions and the subsidiaries and controlled enterprises at all levels of central energy enterprises in carrying out risk monitoring, incident handling, and reporting; strengthen research and assessment of energy industry data security risks arising from new technologies and new applications; and strengthen the capability to monitor energy industry data security risks that may be triggered by the aggregation and correlation of data from public channels. **Article 28.** Where an energy data processor discovers risks such as data security defects or vulnerabilities, it shall immediately take remedial measures; where a data security incident occurs, it shall immediately take handling measures, promptly inform the relevant users in accordance with provisions, and report to the provincial energy competent authority. Among them, the subsidiaries and controlled enterprises at all levels of central energy enterprises shall simultaneously report to the headquarters of the central energy enterprise. The content of risk monitoring and early warning shall include: the basic situation of the risk, the harm and degree that may be caused, the evolution and development trend of the risk, the scope that may be affected, countermeasure recommendations for handling the risk, and other matters that should be reported. The content of the incident situation report shall include: the time of occurrence of the incident, a brief account of the incident, the harm and impact caused, the measures already taken, recommendations for the next-step countermeasures, and other matters that should be reported. **Article 29.** When an energy industry data security incident occurs in a region or an enterprise, the provincial energy competent authority or the central energy enterprise shall, in accordance with the level of the incident, activate the emergency plan in accordance with the law, take corresponding emergency response measures to prevent the harm from expanding and eliminate security hazards, and promptly release warning information relevant to the public to society. **Article 30.** Where a provincial energy competent authority or a central energy enterprise discovers a major or particularly major energy industry data security risk or incident that may directly endanger national security, economic operation, social stability, public health, and safety, or that directly affects political security, it shall, within one working day after discovering or learning of it, report the relevant situation to the National Energy Administration, and submit follow-up reports as required. In urgent circumstances, it may report promptly by telephone, and subsequently submit a supplementary written report. The National Energy Administration shall be responsible for reporting the relevant situation to the relevant authorities as prescribed. **Article 31.** After completing the emergency-response work for a major or particularly major energy industry data security incident, the provincial energy competent authority or the central energy enterprise shall promptly summarize and distill its experience, form a handling-situation report within 3 working days and a summary report within 10 working days, and submit them respectively to the National Energy Administration. The National Energy Administration shall be responsible for submitting the summary report to the relevant authorities as prescribed. ## Chapter 5 Supervision and Inspection and Legal Liability **Article 32.** The National Energy Administration and provincial energy competent authorities shall, in accordance with the relevant provisions of the Network Data Security Management Regulations, carry out supervision and inspection of energy industry data security work. **Article 33.** Where, in performing their data security supervision and administration duties, the National Energy Administration or a provincial energy competent authority discovers that a data processing activity poses a relatively large security risk, it may, in accordance with the prescribed authority and procedures, conduct interviews with the relevant energy data processor, require it to take rectification measures to eliminate hidden dangers, and promptly transfer problem leads to the relevant competent authorities. **Article 34.** For conduct in violation of the provisions of these Measures, the relevant competent authorities shall handle and punish it in accordance with the provisions of the Data Security Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Network Data Security Management Regulations, and other laws and regulations; where a crime is constituted, the matter shall be transferred to the judicial authorities for pursuit of criminal liability in accordance with the law. ## Chapter 6 Supplementary Provisions **Article 35.** Where data processing activities involving personal information are carried out, the provisions of the relevant laws and regulations shall also be complied with. **Article 36.** These Measures shall be interpreted by the National Energy Administration. **Article 37.** These Measures shall take effect on July 1, 2026, with a term of validity of 5 years. --- ## Provisions on the Administration of Algorithmic Recommendation Services for Internet Information Services - Chinese title: 互联网信息服务算法推荐管理规定 - Hierarchy: rule - Issuing body: CAC, MIIT, MPS, SAMR - Adopted: 2021-11-16 - Effective: 2022-03-01 - Status: effective - URL: https://datacompliancechina.com/laws/algorithmic-recommendation-provisions/ - Markdown: https://datacompliancechina.com/laws/algorithmic-recommendation-provisions.md ### Summary The first comprehensive Chinese regulation of recommendation algorithms. Establishes the algorithm filing regime, requires opt-out mechanisms, regulates personalized pricing and targeted advertising, sets special protections for minors and the elderly, and bans practices like price discrimination based on user characteristics. Applies to all algorithmic recommendation services available to the Chinese public. ### Full text **Promulgated by:** CAC, MIIT, MPS, SAMR. **Document No.:** Decree No. 9 of the Cyberspace Administration of China. **Adopted at the 20th executive meeting of the CAC in 2021 on November 16, 2021. Effective March 1, 2022.** --- ## Chapter I General Provisions **Article 1.** These Provisions are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Administrative Measures on Internet Information Services and other laws and administrative regulations, in order to regulate Internet information service algorithm recommendation activities, promote socialist core values, safeguard national security and social public interests, protect the legitimate rights and interests of citizens, legal persons and other organizations, and facilitate the healthy and orderly development of Internet information services. **Article 2.** These Provisions apply to the application of algorithm recommendation technologies to provide Internet information services (hereinafter referred to as "algorithm recommendation services") within the territory of the People's Republic of China. Where it is otherwise provided for in laws and administrative regulations, such provisions shall prevail. For the purpose of the preceding paragraph, the term "application of algorithm recommendation technologies" refers to the use of algorithmic technologies such as generation and synthesis, personalized push, sorting and selection, retrieval and filtering, scheduling decision-making, etc. to provide information to users. **Article 3.** The Cyberspace administration of China is responsible for coordinating the governance of national algorithm recommendation services and the relevant supervision and administration and the departments of telecommunications, public security and market regulation, etc. under the State Council are in charge of the supervision and administration of algorithm recommendation services ex officio. Local cyberspace administrations are responsible for coordinating the governance of algorithm recommendation services and the relevant supervision and administration within their respective administrative regions, and local authorities of telecommunications, public security and market regulation, etc. are in charge of the supervision and administration of algorithm recommendation services ex officio within their respective administrative regions. **Article 4.** Algorithm recommendation services shall be provided in compliance with laws and regulations, with respect for social morality and ethics, business ethics and professional ethics, and under the principles of impartiality, fairness, openness and transparency, scientificity and reasonableness, honesty and good faith. **Article 5.** Relevant trade associations are encouraged to strengthen industry self-regulation, establish sound industry standards, industry guidelines and self-regulatory management systems, and urge and guide algorithm recommendation service providers to formulate and improve codes of service, provide services in accordance with the law and accept social supervision. ## Chapter II Codes of Information Service **Article 6.** Algorithm recommendation service providers shall adhere to the mainstream value orientation, optimize the algorithm recommendation service mechanism, actively spread positive energy and Promote the application of algorithms to the positive effect. Algorithm recommendation service providers shall not take advantage of algorithm recommendation services to engage in activities prohibited by laws and administrative regulations, such as endangering the national security and public interests, disturbing the economic order and social order and infringing upon the legitimate rights and interests of others, and shall not take advantage of algorithm recommendation services to disseminate information prohibited by laws and administrative regulations. Instead, algorithm recommendation service providers shall take measures to prevent and reject the dissemination of adverse information. **Article 7.** Algorithm recommendation service providers shall fulfill their responsibilities as subjects for algorithm security, establish and improve the management systems and technical measures for algorithm mechanism and principle review, scientific and technological ethics review, user registration, information release review, data security and personal information protection, anti-telecommunications and Internet fraud, security assessment and monitoring, and security incident emergency response, formulate and disclose the relevant rules for algorithm recommendation services, and be equipped with professional staff and technical support appropriate to the scale of the algorithm recommendation service. **Article 8.** Algorithm recommendation service providers shall regularly review, evaluate and verify the principle, models, data and application results of algorithm mechanisms, and shall not set up any algorithm model in violation of laws and regulations or ethics and morals, such as inducing users to be addicted to or over-consumed. **Article 9.** Algorithm recommendation service providers shall strengthen information security management, establish and improve a feature database for identifying illegal and bad information, and improve entry standards, rules and procedures. If it is found that the synthetic information is generated by an algorithm without any noticeable mark, the information shall not be transmitted again until the noticeable mark has been made. Where any illegal information is found, the transmission thereof shall be immediately stopped, and measures such as deletion shall be taken to prevent the information from spreading. The relevant records shall be kept and a report shall be made to the cyberspace administration and the relevant authorities. Adverse information, if found, shall be handled in accordance with the relevant provisions on ecological governance of network information contents. **Article 10.** Algorithm recommendation service providers shall strengthen the management of user models and user labels, and improve the rules on points of interest recorded into user models and user label management, and shall not record illegal and harmful information keywords into the points of interest of users or use them as user labels to push information. **Article 11.** Algorithm recommendation service providers shall strengthen the ecological management of layout and pages for algorithm recommendation services, establish and improve the mechanism for manual intervention and user self-selection, and actively present the information in line with the mainstream value orientation on the first screen of the homepage, the most searched, selection, ranking, pop-up windows and other key links. **Article 12.** Algorithm recommendation service providers are encouraged to comprehensively apply strategies such as content duplication removal and dispersal intervention, and optimize the transparency and interpretability of rules on retrieval, list, selection, pushing and display, so as to avoid adverse impact on users and prevent and reduce disputes. **Article 13.** To provide internet news information services, an algorithm recommendation service provider shall obtain the license for such services in accordance with the law, carry out editing and releasing services, reposting services and transmission platform services of internet news information in a regulated manner, and shall not generate or synthesize false news information or transmit news information released by entities not within the scope prescribed by the State. **Article 14.** Algorithm recommendation service providers shall not falsely register accounts, illegally trade accounts, manipulate user accounts or make false likes, comments or forwarding by taking advantage of algorithms, nor shall they block information, overly recommend, manipulate lists or search results ranking, control the most searched or selections by taking advantage of algorithms to intervene in information presentation or to have any act of influencing network public opinions or circumventing supervision and administration. **Article 15.** Algorithm recommendation service providers shall not impose unreasonable restrictions on other Internet information service providers or hinder or disrupt the normal operation of the internet information services legally provided by them by taking advantage of algorithms to conduct any monopoly or unfair competition. ## Chapter III Protection of Users' Rights and Interests **Article 16.** Algorithm recommendation service providers shall inform users of the information on their provision of algorithm recommendation services in a noticeable way, and publicize the basic principles, purposes and main operating mechanisms of algorithm recommendation services in a proper way. **Article 17.** Algorithm recommendation service providers shall provide users with options not based on their personal characteristics or provide users with the option of closing algorithm recommendation services in a convenient manner. If users opt to close algorithm recommendation services, the algorithm recommendation service providers shall forthwith cease to provide relevant services. Algorithm recommendation service providers shall provide users with the function of selecting or deleting user tags based on their personal characteristics used for algorithm recommendation services. Where the application of algorithms by an algorithm recommendation service provider has a significant impact on the rights and interests of users, the said provider shall give explanations in accordance with the law and assume the corresponding liability. **Article 18.** Algorithm recommendation service providers providing services to minors shall fulfill their obligation of protecting minors online in accordance with the law, and facilitate minors to obtain information beneficial to their physical and mental health by developing modes suitable for minors, providing services suitable for the characteristics of minors or otherwise. Algorithm recommendation service providers shall not push to minors any information that may affect the physical and mental health of minors, such as those that may cause minors to imitate unsafe behaviors and behaviors violating social morality or induce minors to have bad habits, nor shall they induce minors to indulge in the Internet by making use of algorithm recommendation services. **Article 19.** Algorithm recommendation service providers providing services to the elderly shall safeguard the rights and interests of the elderly in accordance with the law, take into full account the needs of the elderly for travel, medical treatment, consumption and affairs handling, provide intelligent services suitable for the elderly in accordance with the relevant provisions of the State, and monitor, identify and deal with telecommunications and Internet fraud information in accordance with the law to facilitate the elderly in safely using algorithm recommendation services. **Article 20.** Algorithm recommendation service providers providing workers with job scheduling services shall protect the legitimate rights and interests of the workers such as labor remuneration, rest and vacation, and establish and improve relevant algorithms for platform order distribution, composition and payment of remuneration, working hours, rewards and punishments, etc. **Article 21.** Algorithmic recommendation service providers selling goods or providing services to consumers shall protect the rights of consumers to fair transactions, and shall not, according to the preferences, transaction habits and other characteristics of consumers commit illegal acts such as unreasonable differential treatment in transaction price and other transaction conditions by taking advantage of the algorithms. **Article 22.** Algorithm recommendation service providers shall set up a convenient and effective portal for user complaints, public complaints and reports, clarify the processing process and time limit for feedback, and promptly accept, process and feedback the processing results. ## Chapter IV Supervision and Administration **Article 23.** Cyberspace administrations shall, in concert with relevant authorities of telecommunications, public security and market regulation, etc., establish a hierarchical and classified security management system for algorithms, and implement hierarchical and classified management of algorithm recommendation service providers according to the public opinion attribute or social mobilization ability of algorithm recommendation services, content category, user scale, importance of data processed by algorithm recommendation technologies, and degree of intervention in user behaviors. **Article 24.** An algorithm recommendation service provider with public opinion attribute or social mobilization ability shall, within ten working days from the date of provision of services, fill in such information as the service provider's name, service form, application field, algorithm type, algorithm self-assessment report and content to be disclosed via the internet information service algorithm record-filing system to go through record-filing formalities. Where the record-filing information of an algorithm recommendation service provider changes, the said provider shall go through formalities for change within ten working days from the date of change. Where an algorithm recommendation service provider terminates services, it shall go through formalities for deregistration of record-filing within 20 working days from the date of termination of services and make proper arrangements. **Article 25.** The Cyberspace Administration of China and the cyberspace administrations of provinces, autonomous regions and municipalities directly under the Central Government shall, within 30 working days upon receipt of the record-filing materials submitted by the record-filing applicants, grant record-filing, issue record-filing numbers and make public the record-filing; if the materials are incomplete, record-filing shall not be granted, and the record-filing applicant shall be notified, with reasons stated, within 30 working days. **Article 26.** An algorithm recommendation service provider that has completed record-filing shall indicate its record-filing number and provide links to the publicized information in a prominent position of its website or application through which it provides services to the public. **Article 27.** Algorithm recommendation service providers with public opinion attribute or social mobilization ability shall carry out security assessment in accordance with the relevant provisions of the State. **Article 28.** Cyberspace administrations shall, in concert with relevant authorities of telecommunications, public security and market regulation, etc., carry out security assessment and supervision and inspection of algorithm recommendation services in accordance with the law, and timely put forward rectification opinions for the problems found and order rectification within a time limit. Algorithm recommendation service providers shall keep web logs in accordance with the law, cooperate with cyberspace administrations and relevant authorities of telecommunications, public security and market regulation, etc. in security assessment and supervision and inspection, and provide necessary technical and data support and assistance. **Article 29.** Relevant agencies and personnel participating in security assessment and supervision and inspection of algorithm recommendation services shall keep confidential personal privacy, personal information and trade secrets known in performing their duties in accordance with the law, and shall not disclose or illegally provide the same to others. **Article 30.** Any organization or individual that finds any violation of these Provisions may complain or report to cyberspace administrations and other relevant authorities. Authorities that receive such complaints or reports shall promptly deal with them in accordance with the law. ## Chapter V Legal Liability **Article 31.** With respect to any algorithm recommendation service provider who violates the provisions of Article 7, Article 8, Paragraph 1 of Article 9, Article 10, Article 14, Article 16, Article 17, Article 22, Article 24 or Article 26 hereof, if there are relevant provisions in laws and administrative regulations, such provisions shall prevail; in the absence of relevant provisions in laws and administrative regulations, cyberspace administrations and relevant authorities of telecommunications, public security and market regulation, etc. shall, ex officio, give a warning to the said provider, circulate a notice of criticism and order it to make corrections within a time limit; if the said provider refuses to make corrections or the circumstances are serious, it shall be ordered to suspend information updating and imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan. In the case of a violation of public security administration, the said provider shall be subject to punishment for public security administration in accordance with the law; in the case of a crime, the said provider shall be investigated for criminal liability in accordance with the law. **Article 32.** With respect to any algorithm recommendation service provider who violates the provisions of Article 6, Paragraph 2 of Article 9, Article 11, Article 13, Article 15, Article 18, Article 19, Article 20, Article 21, Article 27 and Paragraph 2 of Article 28 hereof, the cyberspace administration and the relevant authorities of telecommunications, public security and market supervision, etc. shall, ex officio, deal with the case in accordance with the provisions of the relevant laws, administrative regulations and departmental rules. **Article 33.** With respect to any algorithm recommendation service provider with the attribute of public opinions or the ability to mobilize the public who has obtained record-filing by concealing relevant information, providing false materials or other improper means, the Cyberspace Administration of China and the cyberspace administration of the province, autonomous region or centrally-administered municipality concerned shall revoke its record-filing, give it a warning or circulate a notice of criticism; if the circumstances are serious, it shall be ordered to suspend information updating and imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan. Where an algorithm recommendation service provider with the attribute of public opinions or the ability to mobilize the public fails to go through the formalities for deregistration of record-filing as required in Paragraph 3 of Article 24 hereof upon termination of services, or is subject to administrative penalties such as being ordered to close down its website or having its business permit or business license revoked due to serious violations, the Cyberspace Administration of China and the cyberspace administration of the province, autonomous region or centrally-administered municipality concerned shall deregister its record-filing. ## Chapter VI Supplementary Provisions **Article 34.** These Provisions shall be interpreted by the Cyberspace Administration of China in conjunction with the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation. **Article 35.** These Provisions shall come into force as of March 1, 2022. --- ## Provisions on the Administration of Medical Records of Medical Institutions (2013) - Chinese title: 医疗机构病历管理规定(2013年版) - Abbreviation: Medical Records Provisions - Hierarchy: rule - Issuing body: National Health and Family Planning Commission and State Administration of Traditional Chinese Medicine - Adopted: 2013-11-20 - Effective: 2014-01-01 - Status: effective - URL: https://datacompliancechina.com/laws/medical-records-administration-provisions/ - Markdown: https://datacompliancechina.com/laws/medical-records-administration-provisions.md - Source URL: https://www.gov.cn/gongbao/content/2014/content_2600084.htm ### Summary These Provisions, jointly issued by the National Health and Family Planning Commission and the State Administration of Traditional Chinese Medicine in November 2013 and effective from 1 January 2014, govern the creation, custody, access, copying, sealing, and retention of medical records (病历) in all medical institutions. Patients and their authorized agents, as well as deceased patients' statutory heirs, have a right to copy specified categories of their medical records; public security, judicial, insurance, and medical-malpractice appraisal bodies may access records on production of prescribed credentials. Outpatient records must be retained for at least 15 years and inpatient records for at least 30 years from the last visit or discharge. Medical institutions and their staff are strictly prohibited from leaking patients' medical record materials for any non-medical, non-teaching, or non-research purpose, making this instrument a foundational rule on health-data privacy that overseas counsel should read alongside PIPL Article 28 (sensitive personal information) and the Civil Code personal information chapter when advising on patient-data sharing, cross-border transfers of health data, or secondary use of clinical records in China. ### Full text **Promulgated by:** National Health and Family Planning Commission and State Administration of Traditional Chinese Medicine. **Document No.:** Guo Wei Yi Fa [2013] No. 31 (国卫医发〔2013〕31号). **Adopted and promulgated on November 20, 2013. Effective January 1, 2014.** --- **Article 1.** These Provisions are formulated in order to strengthen the administration of medical records of medical institutions, safeguard the quality and safety of medical care, and protect the lawful rights and interests of both medical institutions and patients. **Article 2.** A medical record (病历) refers to the totality of written materials, symbols, charts, images, tissue sections, and other information generated by medical personnel in the course of medical activities, and includes outpatient (including emergency) medical records and inpatient medical records. A medical record becomes a medical case archive (病案) upon archiving. **Article 3.** These Provisions apply to the administration of medical records by medical institutions of all levels and types. **Article 4.** Medical records may be distinguished, according to their format, as paper medical records and electronic medical records. Electronic medical records have the same legal effect as paper medical records. **Article 5.** A medical institution shall establish and improve a medical record administration system, set up a medical case management department or appoint dedicated (or part-time) personnel, responsible for the administration of medical records and medical case archives. A medical institution shall establish a system of regular inspection, evaluation, and feedback on the quality of medical records. The medical affairs department of the medical institution is responsible for the quality management of medical records. **Article 6.** Medical institutions and their medical personnel shall strictly protect patients' privacy and shall not disclose patients' medical record materials for any purpose other than medical treatment, teaching, or research. **Article 7.** A medical institution shall establish a numbering system for outpatient (including emergency) medical records and inpatient medical records, and shall assign each patient a unique identification number. A medical institution that has established electronic medical records shall associate the medical record identification number with the patient's identity document number, so that the medical record may be retrieved using either the identification number or the identity document number. Outpatient (including emergency) medical records and inpatient medical records shall be marked with page numbers or electronic page numbers. **Article 8.** Medical personnel shall write medical records in accordance with the requirements of the Basic Norms for Medical Record Writing, the Basic Norms for Traditional Chinese Medicine Medical Record Writing, the Basic Norms for Electronic Medical Records (Trial), and the Basic Norms for Traditional Chinese Medicine Electronic Medical Records (Trial). **Article 9.** Inpatient medical records shall be arranged in the following order: temperature chart, physician's order sheet, admission record, progress notes, pre-operative discussion record, surgical consent form, anesthesia consent form, pre-anesthesia visit record, surgical safety checklist, surgical instrument count record, anesthesia record, operative record, post-anesthesia visit record, post-operative progress notes, nursing records for critically (or seriously) ill patients, discharge record, death record, blood transfusion treatment informed consent form, special examination (special treatment) consent form, consultation record, critical (serious) illness notification, pathology materials, auxiliary examination reports, and medical imaging examination materials. Medical case archives shall be filed and retained in the following order: inpatient case archive cover sheet, admission record, progress notes, pre-operative discussion record, surgical consent form, anesthesia consent form, pre-anesthesia visit record, surgical safety checklist, surgical instrument count record, anesthesia record, operative record, post-anesthesia visit record, post-operative progress notes, discharge record, death record, death case discussion record, blood transfusion treatment informed consent form, special examination (special treatment) consent form, consultation record, critical (serious) illness notification, pathology materials, auxiliary examination reports, medical imaging examination materials, temperature chart, physician's order sheet, and nursing records for critically (or seriously) ill patients. **Article 10.** Outpatient (including emergency) medical records shall in principle be kept by the patient. Where a medical institution has established an outpatient (including emergency) medical record archive or has established outpatient (including emergency) electronic medical records, the outpatient (including emergency) medical records may be kept by the medical institution with the consent of the patient or the patient's legal representative. Inpatient medical records shall be kept by the medical institution. **Article 11.** Where outpatient (including emergency) medical records are kept by the patient, the medical institution shall promptly deliver examination and laboratory results to the patient for safekeeping. **Article 12.** Where outpatient (including emergency) medical records are kept by the medical institution, the medical institution shall, within 24 hours of receiving examination and laboratory results, incorporate or record such results into the outpatient (including emergency) medical record, and shall file the outpatient (including emergency) medical record on the first working day following the conclusion of each medical encounter. **Article 13.** During a patient's hospitalization, inpatient medical records shall be kept uniformly by the ward in which the patient is located. Where it is necessary for medical or operational reasons to take inpatient medical records off the ward, dedicated personnel designated by the ward shall be responsible for transporting and keeping the records. A medical institution shall, within 24 hours of receiving examination and laboratory results and related materials for an inpatient, incorporate or record such materials into the inpatient medical record. After the patient is discharged, inpatient medical records shall be uniformly preserved and managed by the medical case management department or dedicated (or part-time) personnel. **Article 14.** Medical institutions shall administer medical records strictly; no person may alter medical records without authorization; forgery, concealment, destruction, seizure, or theft of medical records is strictly prohibited. **Article 15.** No institution or individual other than medical personnel providing medical treatment services to the patient, and departments or personnel authorized by the health administration authority, the traditional Chinese medicine administration authority, or the medical institution to be responsible for medical case administration or medical administration, may examine a patient's medical records without authorization. **Article 16.** Other medical institutions and medical personnel who need to examine or borrow medical records for scientific research or teaching purposes shall submit an application to the medical institution at which the patient received treatment, and may examine or borrow the records only after approval and completion of the relevant procedures. Records shall be returned immediately after examination; borrowed medical records shall be returned within three working days. Examined medical record materials may not be taken off the premises of the medical institution at which the patient received treatment. **Article 17.** A medical institution shall accept applications from the following persons and institutions to copy or examine medical record materials, and shall provide medical record copying or examination services in accordance with the applicable rules: (1) the patient personally, or the patient's authorized agent; and (2) the statutory heir of a deceased patient, or such heir's agent. **Article 18.** A medical institution shall designate a department or dedicated (or part-time) personnel to accept applications to copy medical record materials. Upon accepting an application, the medical institution shall require the applicant to provide relevant supporting documents and shall review the formal requirements of the application materials: (1) where the applicant is the patient personally, a valid identity document of the patient shall be provided; (2) where the applicant is the patient's agent, valid identity documents of both the patient and the agent, together with legally prescribed documentary proof of the agency relationship between the agent and the patient and a power of attorney, shall be provided; (3) where the applicant is the statutory heir of a deceased patient, a death certificate of the patient, a valid identity document of the statutory heir of the deceased patient, and legally prescribed documentary proof of the relationship between the deceased patient and the statutory heir shall be provided; and (4) where the applicant is the agent of the statutory heir of a deceased patient, a death certificate of the patient, valid identity documents of both the statutory heir of the deceased patient and the agent, legally prescribed documentary proof of the relationship between the deceased patient and the statutory heir, legally prescribed documentary proof of the agency relationship between the agent and the statutory heir, and a power of attorney shall be provided. **Article 19.** A medical institution may copy for an applicant the following medical record materials from outpatient (including emergency) medical records and inpatient medical records: temperature chart, physician's order sheet, inpatient record (admission record), surgical consent form, anesthesia consent form, anesthesia record, operative record, nursing records for critically (or seriously) ill patients, discharge record, blood transfusion treatment informed consent form, special examination (special treatment) consent form, pathology report, laboratory report and other auxiliary examination reports, and medical imaging examination materials. **Article 20.** Where public security, judicial, human resources and social security, insurance authorities, or authorities responsible for medical malpractice technical appraisal request to review, examine, or copy medical record materials for the purposes of handling a case, lawfully conducting professional technical appraisal, auditing or arbitrating medical insurance claims, or auditing commercial insurance claims, the medical institution may, upon the case handler's presentation of the following supporting documents, provide some or all of the patient's medical records as needed: (1) legally prescribed proof issued by the relevant administrative authority, judicial authority, insurer, or authority responsible for medical malpractice technical appraisal to retrieve the medical records; (2) a valid identity document of the case handler personally; and (3) a valid work credential of the case handler personally (which must correspond to the relevant administrative authority, judicial authority, insurer, or authority responsible for medical malpractice technical appraisal). Where an insurer requests to review, examine, or copy medical record materials for the purposes of commercial insurance auditing, the insurer shall additionally provide a copy of the insurance contract and legally prescribed documentary proof of the consent of the patient personally or the patient's agent; where the patient has died, a copy of the insurance contract and legally prescribed documentary proof of the consent of the deceased patient's statutory heir or such heir's agent shall be provided. Contracts or laws providing otherwise shall govern. **Article 21.** Where a medical record has not yet been completed as required by the Basic Norms for Medical Record Writing and the Basic Norms for Traditional Chinese Medicine Medical Record Writing, and the applicant requests to copy the medical record, the completed portions of the medical record may be copied first; once the medical record has been completed by the medical personnel in accordance with the applicable rules, the newly completed portion may then be copied. **Article 22.** After a medical institution accepts an application to copy medical record materials, the designated department or dedicated (or part-time) personnel shall notify the medical case management department or dedicated (or part-time) personnel to deliver the medical record materials to be copied to the designated location within the prescribed time, and to carry out the copying in the presence of the applicant; after the copied medical record materials have been confirmed as accurate by both the applicant and the medical institution, the official seal of the medical institution shall be affixed. **Article 23.** A medical institution may charge a cost fee for copying medical record materials in accordance with applicable rules. **Article 24.** Where sealing of a medical record is required by law, the medical record shall be jointly confirmed by the medical institution or its authorized agent and the patient or the patient's agent, and a sealed copy of the medical record shall be signed and sealed in the presence of all parties. Where the medical institution applies to seal a medical record, the medical institution shall inform the patient or the patient's agent to jointly carry out the sealing of the medical record; however, where the patient or the patient's agent refuses or declines to carry out the sealing, the medical institution may, in the presence of a notary public, confirm the medical record and have a copy of the medical record signed and sealed by the notary public. **Article 25.** The medical institution is responsible for keeping the sealed copy of the medical record. **Article 26.** The original of a sealed medical record may continue to be recorded in and used. Where a medical record has not yet been completed as required by the Basic Norms for Medical Record Writing and the Basic Norms for Traditional Chinese Medicine Medical Record Writing, and the medical record needs to be sealed, the completed portions may be sealed first; once the physician has completed the medical record in accordance with the applicable rules, the newly completed portion may then be sealed. **Article 27.** Opening a sealed medical record shall be carried out in the presence of all parties to the sealing. **Article 28.** A medical institution may process paper medical records using microfilming technology that meets archival management requirements and then preserve them. **Article 29.** Where outpatient (including emergency) medical records are kept by a medical institution, the retention period shall be no less than 15 years from the date of the patient's last visit; the retention period for inpatient medical records shall be no less than 30 years from the date of the patient's last discharge from hospital. **Article 30.** Where the name of a medical institution is changed, the medical records held by that institution shall continue to be administered by the renamed medical institution. After a medical institution is dissolved, the medical records held by that institution may be duly preserved by the provincial-level health administration authority or traditional Chinese medicine administration authority, or by an institution designated by such authorities. **Article 31.** These Provisions shall be interpreted by the National Health and Family Planning Commission. **Article 32.** These Provisions shall come into force on January 1, 2014. The Provisions on the Administration of Medical Records of Medical Institutions (Wei Yi Fa [2002] No. 193) promulgated by the former Ministry of Health and the State Administration of Traditional Chinese Medicine in 2002 are simultaneously repealed. --- ## Guide to the Classification and Grading of Energy Industry Data (2026 Edition) - Chinese title: 能源行业数据分类分级指南(2026年版) - Hierarchy: rule - Issuing body: National Energy Administration - Adopted: 2026-06-30 - Effective: 2026-07-01 - Status: effective - URL: https://datacompliancechina.com/laws/energy-industry-data-classification-grading-guide/ - Markdown: https://datacompliancechina.com/laws/energy-industry-data-classification-grading-guide.md - Source URL: https://www.nea.gov.cn/20260630/3b456b6f83144abcb989110dcfba4d7d/c.html ### Summary Issued by the National Energy Administration on June 30, 2026 and effective July 1, 2026 — the same day as the companion Measures for the Administration of Data Security in the Energy Industry (Trial) — this Guide (4 chapters, 15 articles) operationalizes the trial Measures' three-tier general/important/core classification for the energy sector. It sets classification dimensions (energy type — coal, petroleum, natural gas, nuclear, hydro, wind, solar, biomass, geothermal, ocean, electric power, hydrogen — and energy activity — planning, design, construction, production, storage and transport, consumption, research), grading rules for derived and de-sensitized data, and bright-line thresholds for identifying important and core data: precise (100m-or-better) geo-coordinates and any materials containing them for large coal mines, thermal/hydro/nuclear power stations, and 750kV-plus substations and converter stations; real-time dispatch/control instruction data for designated hydropower stations, ultra-high-voltage substations, and PipeChina's oil-and-gas dispatch control system; and electric-power consumption-data thresholds keyed to user count (10 million users triggers important-data status; 100 million users, or a special-grade important user's continuous 1-year consumption record, triggers core-data status). The National Energy Administration's accompanying press Q&A explains that the grading logic tracks the degree of harm to national security from leakage or tampering, and sets out the six post-issuance compliance duties for important/core data processors: compile and file an important-data catalogue, build a data-security management system, implement multi-level protection scheme (MLPS)/CII/cryptographic protection, run annual risk assessments, apply for risk assessment before outbound transfer of important data or cross-entity transfer of core data, and report incidents immediately. ### Full text **Promulgated by:** National Energy Administration. **Index No.:** 000019705/2026-000076. **Date of Issue:** June 30, 2026. **Effective Date:** July 1, 2026. **Legal Effect Level:** Departmental normative document, issued to implement the [Measures for the Administration of Data Security in the Energy Industry (Trial)](/laws/energy-industry-data-security-measures/). ## Chapter 1 General Provisions **Article 1.** This Guide is formulated in order to regulate data processing activities in the energy industry and strengthen the classified and hierarchical management of energy industry data, pursuant to the *Measures for the Administration of Data Security in the Energy Industry (Trial)* and other relevant provisions. **Article 2.** This Guide applies to the classification and grading of non-classified energy industry data within the territory of the People's Republic of China. Where an energy data processor carries out energy industry data processing activities involving State secrets, or matters that constitute State secrets after being aggregated and correlated by it, it shall comply with the provisions of the Law of the People's Republic of China on Guarding State Secrets and other laws and administrative regulations. The definitions of terms used in this Guide are all consistent with those in the *Measures for the Administration of Data Security in the Energy Industry (Trial)*. **Article 3.** The classification and grading of energy industry data shall follow the following principles: Clear basis. The characteristics and use of the data shall be the principal basis for classification; the importance and scale of the energy facilities or users concerned, together with the degree of potential security risk, shall be the basis for grading. Clear boundaries. All energy industry data shall have a determined category and level, with corresponding protective measures, so as to make it easy for energy data processors to determine the level of their data. The higher and stricter level shall govern. Where energy industry data involves security risks in multiple respects, its level shall be determined according to the highest degree of risk involved. Dynamic updating. Where the factors determining the level of energy industry data change, the identification rules and data levels shall be adjusted accordingly. ## Chapter 2 Rules for the Classification and Grading of Energy Industry Data **Article 4.** The dimensions for classifying energy industry data include, but are not limited to, energy type and energy activity. By energy type, the first-level classification of energy industry data is divided into: coal, petroleum, natural gas, nuclear energy, hydro energy, wind energy, solar energy, biomass energy, geothermal energy, ocean energy, electric power, hydrogen energy, and the like. By energy activity, the second-level classification of energy industry data is divided into: planning, design, construction, production, storage and transport, consumption, scientific research, and the like. Energy data processors may, based on the content and characteristics of the data, carry out third-level and fourth-level classification. **Article 5.** Based on factors such as the importance, precision, scale, and security risk of the data, energy industry data is divided into three levels: general, important, and core. **Article 6.** Derived data produced from energy industry important data or core data through processing activities such as statistical analysis, correlation, mining, or aggregation shall, where it can be restored or reconstituted into important data or core data, in principle be managed at its original level. **Article 7.** Where energy industry important data or core data, after undergoing de-sensitization treatment, can no longer be restored or reconstituted into important data or core data, core data may be downgraded to important data or general data, and important data may be downgraded to general data. ## Chapter 3 Rules for Identifying Energy Industry Important Data and Core Data **Article 8.** Coordinate data for the geographic location — at a precision better than or equal to 100 meters — of the following energy infrastructure, as well as any materials containing such coordinate data, constitute energy industry important data: - Coal mines with an annual output of 10 million tonnes or more; - Thermal power stations with a single-unit (set) capacity of 1,000,000 kW or more and a total installed capacity of 3,000,000 kW or more; - Hydropower stations (excluding pumped-storage power stations) with an installed capacity of 1,200,000 kW or more, or a total reservoir capacity of 1 billion cubic meters or more; - Nuclear power stations; - Substations (switching stations) and converter stations of 750 kV (exclusive) or above. **Article 9.** Real-time production-and-operation instruction data of the following energy infrastructure constitute energy industry important data: - Hydropower stations (excluding pumped-storage power stations) with an installed capacity of 1,200,000 kW or more, or a total reservoir capacity of 1 billion cubic meters or more; - Substations (switching stations) and converter stations of 750 kV (exclusive) or above; - The dispatch and control system of the Oil and Gas Dispatch Control Center of the China Oil & Gas Piping Network Corporation (PipeChina, 国家管网集团). **Article 10.** The following electric-power consumption data constitute energy industry important data: - Raw electric-power consumption data of special-grade important electric-power users; - Raw electric-power consumption data of Level-I and Level-II important electric-power users in the national-defense and military category; - Raw electric-power consumption data of 10 million or more electric-power users. **Article 11.** Energy industry important data meeting the following conditions constitute energy industry core data: - Raw electric-power consumption data of special-grade important electric-power users, covering a continuous period of 1 year or more; - Raw electric-power consumption data of 100 million or more electric-power users. ## Chapter 4 Supplementary Provisions **Article 12.** For the purposes of this Guide, "electric-power user" means an end consumer that receives electric-power supply from a power-supply enterprise, including individuals, enterprises, institutions, and other entities. The special-grade, Level-I, and Level-II important electric-power users referred to in this Guide shall be determined in accordance with the provisions and procedures of relevant State documents. The "materials" referred to in Article 8 of this Guide include, but are not limited to: planning materials, design drawings, construction drawings, production and operation-and-maintenance materials, and scientific research materials. **Article 13.** Apart from the data-grading identification rules expressly set out in this Guide, where other energy industry data is determined through assessment to constitute energy industry important data or core data, the National Energy Administration will issue supplementary provisions and revise this Guide in due course. **Article 14.** This Guide shall be interpreted by the National Energy Administration. **Article 15.** This Guide shall take effect on July 1, 2026. --- ## Official Q&A — NEA explanation of the Guide *Source: National Energy Administration, "A Responsible Official of the National Energy Administration Answers Reporters' Questions on the Guide to the Classification and Grading of Energy Industry Data (2026 Edition)," June 30, 2026. Government press material; translated by DCC for reference.* **Q1. What is the purpose and function of issuing the Guide?** To advance the energy industry's further implementation of the Data Security Law of the People's Republic of China, to regulate energy industry data processing activities, to strengthen the classified and hierarchical management of energy industry data, and to promote the utilization of energy industry data, the National Energy Administration formulated and issued the Guide, which together with the Measures for the Administration of Data Security in the Energy Industry (Trial) forms the basic management system for energy industry data security; further supporting systems will continue to be developed going forward. The Guide is intended to guide data processors in classifying and grading the non-classified energy industry data they hold, in precisely identifying energy industry important data and core data, and, in accordance with the requirements of the Measures for the Administration of Data Security in the Energy Industry (Trial), in strengthening the management and security protection of important data and core data. **Q2. What are the main contents of the Guide?** The Guide has 4 chapters and 15 articles in total. Chapter 1, General Provisions, sets out the purpose, basis, scope of application, and overall principles of the Guide. Chapter 2 sets out the rules for classifying and grading energy industry data, as well as the grading rules for derived data and de-sensitized data. Chapter 3 sets out the specific identification rules for energy industry important data and core data. Chapter 4, Supplementary Provisions, covers definitions, supplementary revision, the right of interpretation, and the effective date. For terms already defined in the Measures for the Administration of Data Security in the Energy Industry (Trial), the Guide maintains consistency with those definitions. **Q3. What is the basis on which the Guide divides data into important data and core data?** The basis is the degree of harm to national security that would result from the leakage or tampering of the data. On the one hand, damage to important energy infrastructure or tampering with control instructions could interrupt energy supply and thereby affect economic operation and people's livelihoods. On the other hand, energy consumption data can reflect the production and business operations of enterprises and the personal conduct of citizens, and can be used to infer the operating conditions of key sectors and personal privacy. For these reasons, the precise geographic coordinates and real-time control instructions of certain important energy infrastructure, together with energy consumption data, have been included as energy industry important data and core data. **Q4. Apart from the energy industry important data and core data specified in the Guide, may an energy data processor deal with other data it holds as it pleases?** No. First, data security is directed at non-classified data; where data held by an energy data processor constitutes a State secret, the processor shall comply with the Law of the People's Republic of China on Guarding State Secrets and other laws and administrative regulations. Second, the Guide sets out the identification rules for important data and core data within energy industry data; where an energy data processor holds important data or core data as specified by the competent authority of another industry, it shall comply with the provisions of the relevant authority. Third, where an energy data processor collects or stores personal information above a certain scale, it shall comply with the Personal Information Protection Law of the People's Republic of China, the Network Data Security Management Regulations, and other laws and regulations. Fourth, the Guide provides that "raw electric-power consumption data of 10 million or more electric-power users" is important data, and that "raw electric-power consumption data of 100 million or more electric-power users" is core data. Even where the data held by an energy data processor has not reached the scale threshold, the processor should nonetheless strengthen data protection, to prevent leaked data from being unlawfully used once it accumulates. **Q5. After the Guide is issued, what do energy data processors need to do?** Processors of energy industry important data and core data bear principal responsibility for their own data security and shall perform their data-security protection responsibilities and obligations in accordance with the Data Security Law of the People's Republic of China and the Measures for the Administration of Data Security in the Energy Industry (Trial). First, they shall identify and compile their entity's catalogue of energy industry important data against the Guide, and submit the catalogue of important data as required by the provincial energy competent authority of the place where the data carrier is located; where a material change occurs, they shall re-submit it through the prescribed procedure within three months. Second, they shall establish and improve their entity's data security management system, clarifying the management requirements for each stage of the full data lifecycle. Third, they shall adopt the necessary data-security technical measures to implement the requirements of systems such as cybersecurity multi-level protection, critical information infrastructure security protection, cryptographic protection, and secrecy protection, so as to ensure that energy industry important data and core data remain in a state of effective protection and lawful utilization. Fourth, they shall, on their own or by entrusting a third-party assessment institution with risk-assessment capability, carry out a risk assessment of their data processing activities at least once a year, promptly rectify risk problems, and submit risk assessment reports as required by the provincial energy competent authority. Fifth, where the outbound transfer of important data or the cross-entity transfer of core data is involved, they shall apply for a risk assessment as required by the relevant provisions. Sixth, where they discover risks such as data security defects or vulnerabilities, they shall immediately take remedial measures; where a data security incident occurs, they shall immediately take handling measures, promptly inform the relevant users as required, and report to the provincial energy competent authority. **Q6. Will the identification rules for energy industry important data and core data be adjusted?** Yes. In light of developments in the national security situation, the identification rules for energy industry important data and core data in the Guide will be adjusted accordingly. The National Energy Administration will continue to analyze and assess the situation and will continue to revise and improve the Guide in accordance with data-security requirements. --- — *Guide to the Classification and Grading of Energy Industry Data (2026 Edition)*, issued by the National Energy Administration, June 30, 2026, effective July 1, 2026. [Source (Chinese).](https://www.nea.gov.cn/20260630/3b456b6f83144abcb989110dcfba4d7d/c.html) Official Q&A source: [NEA press Q&A (Chinese).](https://www.nea.gov.cn/20260630/2873fa450d2e4317b33d40285b5ed576/c.html) --- ## Measures for Cybersecurity Management in the Financial Sector (Draft for Comment) - Chinese title: 金融业网络安全管理办法(征求意见稿) - Abbreviation: Financial Sector Cybersecurity Measures (Draft) - Hierarchy: draft - Issuing body: People's Bank of China; National Financial Regulatory Administration; China Securities Regulatory Commission; State Administration of Foreign Exchange - Status: draft - URL: https://datacompliancechina.com/laws/financial-sector-cybersecurity-management-measures-draft/ - Markdown: https://datacompliancechina.com/laws/financial-sector-cybersecurity-management-measures-draft.md - Source URL: https://www.nfra.gov.cn/cn/view/pages/ItemDetail.html?docId=1263328&itemId=951 ### Summary A July 3, 2026 public-consultation draft that would create a cross-financial-sector cybersecurity rulebook for financial institutions and other entities approved or recognized by China's State Council financial management departments. The draft sits on top of the Cybersecurity Law, Data Security Law, PIPL, the CII Regulations and the Network Data Security Regulation, and translates them into a financial-sector baseline: cybersecurity responsibility systems, governance structures, network operation security, MLPS, commercial cryptography, network-data and personal-information protection, emerging-technology risk management, illegal-information response, app-download security duties, and a dedicated CII layer for financial critical information infrastructure. For financial CIIOs, the draft adds identification by the State Council financial management departments, a chief cybersecurity officer, a dedicated security body and background checks, cybersecurity-review pre-judgment for network-product and service procurement, annual reporting of network products, services and cloud procurement, annual testing and risk assessment, and sector-specific incident plans and drills. It also creates a coordination frame among the PBOC, NFRA, CSRC, SAFE and the CAC/public security/cryptography authorities, with legal liability routed through the existing financial, cybersecurity, data, personal-information, CII and cryptography statutes. Public comments are due August 3, 2026. ### Full text **Released for public comment:** July 3, 2026. **Public-comment deadline:** August 3, 2026. > *DCC translation. No official English translation exists. The original Chinese > PDF released through the National Financial Regulatory Administration controls. > This is a translation of the draft text only; the separate drafting explanation > is linked below but not translated on this page.* ## Source documents - **Official consultation page:** [NFRA](https://www.nfra.gov.cn/cn/view/pages/ItemDetail.html?docId=1263328&itemId=951) - **Draft text (Chinese PDF):** [金融业网络安全管理办法(征求意见稿)](https://www.nfra.gov.cn/chinese/docfile/2026/9074df3eceb04d27bbd38e25169b72cc.pdf) - **Drafting explanation (Chinese PDF):** [《金融业网络安全管理办法(征求意见稿)》起草说明](https://www.nfra.gov.cn/chinese/docfile/2026/b3bdb763e6804029a8a49c1d9dac2338.pdf) ## Measures for Cybersecurity Management in the Financial Sector (Draft for Comment) ## Chapter I General Provisions **Article 1 (Purpose and basis).** These Measures are formulated in accordance with the *Cybersecurity Law of the People's Republic of China*, the *Data Security Law of the People's Republic of China*, the *Personal Information Protection Law of the People's Republic of China*, the *Regulations on the Security Protection of Critical Information Infrastructure*, the *Regulation on Network Data Security Management*, and other laws and administrative regulations, in order to comprehensively regulate cybersecurity management in the financial sector, safeguard financial services, and maintain financial security. **Article 2 (Scope of application).** These Measures apply to financial-sector entities that build, operate, maintain and use networks within the territory of the People's Republic of China, and to the supervision and administration of cybersecurity in the financial sector. Where other relevant competent departments have provisions, those provisions shall also be complied with in accordance with the law. Where the State has provisions on cybersecurity management for networks that store or process information involving state secrets, those provisions shall prevail. **Article 3 (General requirements for cybersecurity protection).** Financial-sector entities shall, in accordance with laws, administrative regulations, and relevant provisions of the State and the State Council financial management departments, perform cybersecurity-protection obligations and bear primary responsibility for their own cybersecurity. Financial-sector entities shall give equal weight to cybersecurity and informatization development, provide necessary resources for cybersecurity work, establish and improve a cybersecurity assurance system suited to the entity, improve cybersecurity-protection capabilities, effectively control cybersecurity risks, and prevent cyber-related unlawful and criminal activities. Financial-sector entities shall actively provide technical support and assistance to public security organs and state security organs in their lawful activities to safeguard national security and investigate crimes. **Article 4 (Industry self-regulation).** Industry associations in the financial sector shall strengthen self-regulation, formulate cybersecurity codes of conduct and association standards in accordance with the law, and guide members in strengthening cybersecurity protection. ## Chapter II Cybersecurity-Protection Obligations **Article 5 (Cybersecurity work responsibility system).** Financial-sector entities shall establish and implement a cybersecurity responsibility system in accordance with relevant State provisions, and determine the person responsible for cybersecurity. **Article 6 (Cybersecurity governance).** Financial-sector entities shall establish a cybersecurity-management organizational structure and deliberation and decision-making mechanism, designate a lead cybersecurity management department, ensure funding and staffing for the entity's cybersecurity, develop internal cybersecurity management systems and operating procedures, clarify the cybersecurity-protection duties of the entity, its branches, its subordinate legal-person entities and others, and urge implementation of cybersecurity-protection responsibilities. **Article 7 (Network operation security).** Financial-sector entities shall, in accordance with laws, administrative regulations, and relevant provisions of the State and the State Council financial management departments, carry out network operation monitoring, cybersecurity risk and incident handling and reporting, and other work; establish and improve cybersecurity incident emergency plans; and adopt corresponding technical and management measures to safeguard network operation security. **Article 8 (Multi-Level Protection Scheme).** Financial-sector entities shall, in accordance with the requirements of the State's Multi-Level Protection Scheme for cybersecurity, reasonably determine the security-protection level of their networks, perform classification and filing obligations, carry out cybersecurity MLPS assessments on schedule, and promptly rectify risks discovered in such assessments. **Article 9 (Use of commercial cryptography).** Financial-sector entities shall use commercial cryptography to protect cybersecurity in accordance with the requirements of the State's Multi-Level Protection Scheme for cybersecurity. Where the State Council financial management departments have further provisions on the use of commercial cryptography, financial-sector entities shall comply with those provisions. **Article 10 (Network data protection).** Financial-sector entities shall, in accordance with laws, administrative regulations, and relevant provisions of the State and the State Council financial management departments, strengthen the classification and grading management of network data, and adopt corresponding technical and management measures to prevent network data from being tampered with, destroyed, leaked, or unlawfully obtained or unlawfully used. **Article 11 (Protection of personal information on networks).** Financial-sector entities shall, in accordance with laws, administrative regulations, and relevant provisions of the State and the State Council financial management departments, regulate personal information processing activities and safeguard personal information security. Financial-sector entities are encouraged to use the national network identity authentication public service to carry out user identity verification. **Article 12 (Application of technological innovation).** Financial-sector entities shall, in accordance with laws, administrative regulations, and relevant provisions of the State and the State Council financial management departments, properly conduct risk management for innovative applications of information technology. **Article 13 (Prevention of unlawful and non-compliant information).** Financial-sector entities shall take measures and, in accordance with laws, administrative regulations, and relevant provisions of the State and the State Council financial management departments, strengthen management of information published on networks. Where they discover information whose publication or transmission is prohibited by laws or administrative regulations, they shall immediately stop transmitting the information, take disposal measures such as elimination, prevent the information from spreading, preserve relevant records, and report to the relevant competent department. **Article 14 (Security management of information services).** Financial-sector entities that provide application software download services to the public shall take measures and, in accordance with laws, administrative regulations and relevant State provisions, perform security-management obligations such as detecting malicious programs and unlawful or non-compliant information. Where an application software is found to contain a malicious program, or to contain information whose publication or transmission is prohibited by laws or administrative regulations, the financial-sector entity shall immediately cease providing download services, preserve relevant records, and report to the relevant competent department. **Article 15 (Identification of financial-sector critical information infrastructure).** The State Council financial management departments shall organize identification of financial-sector critical information infrastructure in accordance with the rules for identifying critical information infrastructure in the financial sector, determine the identification results, promptly notify the operators of financial-sector critical information infrastructure (hereinafter, "operators"), notify the public security department under the State Council, and copy the national cyberspace administration. Where an operator undergoes merger, division, dissolution or other such circumstances, or where a relatively major change occurs to critical information infrastructure that may affect the identification result, the operator shall promptly report the relevant circumstances in accordance with relevant provisions of the State Council financial management departments. **Article 16 (Operator organizational structure and support for duty performance).** The principal person in charge of an operator shall bear overall responsibility for the security protection of financial-sector critical information infrastructure. The operator shall designate a member of its leadership team in charge of cybersecurity to serve as chief cybersecurity officer, in charge of security-protection work for critical information infrastructure, and shall designate, for each item of critical information infrastructure, one security-management responsible person to organize implementation of security-protection work for that critical information infrastructure. An operator shall establish a dedicated security-management body and conduct security background checks on the head of the dedicated security-management body and on personnel in key positions. The dedicated security-management body shall, in accordance with relevant provisions of the State Council financial management departments, submit plans for the security protection of critical information infrastructure and summaries of cybersecurity work. **Article 17 (Supply-chain security).** Operators shall declare cybersecurity review in accordance with the State cybersecurity review provisions and the financial-industry pre-judgment guide, and shall submit annual lists of network products and services and cloud computing services procured in accordance with relevant provisions of the State Council financial management departments. Operators shall regulate the use of commercial cryptography in accordance with the relevant management provisions on the use of commercial cryptography for critical information infrastructure. **Article 18 (Risk assessment).** Operators shall, by themselves or by entrusting cybersecurity service institutions, conduct cybersecurity testing and risk assessment of critical information infrastructure at least once each year. The content shall include at least cybersecurity MLPS assessment, commercial cryptography application security assessment, implementation of systems and national standards related to the security protection of critical information infrastructure, protection of data and personal information processed by the critical information infrastructure, monitoring and handling of cybersecurity risks related to the critical information infrastructure, and implementation of improvements after emergency handling of cybersecurity incidents. Operators shall promptly rectify security problems discovered through testing and assessment, and shall annually submit testing, assessment and rectification information in accordance with relevant provisions of the State Council financial management departments. **Article 19 (Cybersecurity incident emergency plans).** Operators shall, in accordance with the national cybersecurity incident emergency plan and the financial-sector critical information infrastructure cybersecurity incident emergency plan, formulate their own emergency plans for critical information infrastructure, conduct regular drills, and regulate the reporting and handling procedures for cybersecurity incidents and major cybersecurity threats related to critical information infrastructure. ## Chapter III Coordination in Supervision and Administration **Article 20 (Principles for coordination in supervision and administration).** The State Council financial management departments shall, in accordance with laws, administrative regulations, and the decisions and arrangements of the CPC Central Committee and the State Council, and in accordance with the division of regulatory duties, be responsible within the scope of their duties for work related to cybersecurity management of financial-sector entities. The State Council financial management departments shall support and cooperate with the national cyberspace administration, the public security department under the State Council, the national cryptography administration, and other relevant competent departments in carrying out cybersecurity protection and supervision and administration work involving the financial sector in accordance with their duties. Branches and dispatched offices of the State Council financial management departments shall carry out cybersecurity supervision and administration within their jurisdictions in accordance with the division of duties of the State Council financial management departments. **Article 21 (Coordinated implementation of special cybersecurity tasks).** Where the CPC Central Committee, the State Council, or a relevant decision-making, deliberation and coordination body has already specified the division of work, the State Council financial management departments shall be responsible in accordance with that division. For matters where a particular State Council financial management department has been specified as the lead responsible department, the lead responsible department shall, on the basis of authorization and provisions in laws and regulations, further refine the division of duties among the relevant State Council financial management departments within the established framework of duties. Where neither of the foregoing circumstances applies, the State Council financial management departments shall communicate and consult, and then clarify their respective division of duties. **Article 22 (Information sharing).** The State Council financial management departments and their same-level branches and dispatched offices shall strengthen sharing of information on cybersecurity incidents, risks, situations, intelligence and the like, and, as circumstances require, consult and judge the overall risk situation involving the financial sector. **Article 23 (Cooperation with supervision and administration).** Financial-sector entities shall conscientiously accept and cooperate with all cybersecurity supervision and administration work carried out by relevant competent departments and by the State Council financial management departments and their branches and dispatched offices; provide true and complete information and materials on time; and shall not refuse or obstruct supervision and inspection lawfully implemented by relevant competent departments and by the State Council financial management departments and their branches and dispatched offices. ## Chapter IV Legal Liability **Article 24 (Handling of transmission of unlawful or non-compliant information).** Where a financial-sector entity fails, with respect to malicious programs and information whose publication or transmission is prohibited by laws or administrative regulations, to promptly stop transmission, take disposal measures such as elimination, or preserve relevant records, the State Council financial management departments and their branches and dispatched offices shall transfer the relevant case information to the relevant competent department at the same level, and cooperate with that department in handling the matter in accordance with laws and regulations. **Article 25 (Handling of failure to use commercial cryptography as required).** Where a financial-sector entity fails to use commercial cryptography to protect cybersecurity as required by the State's Multi-Level Protection Scheme for cybersecurity, or where an operator violates management provisions on the use of commercial cryptography for critical information infrastructure, the State Council financial management departments and their branches and dispatched offices shall transfer the relevant case information to the cryptography administration at the same level, and cooperate with that department in handling the matter in accordance with laws and regulations. **Article 26 (Penalties for non-cooperation with supervision and inspection).** Where a financial-sector entity refuses or obstructs cybersecurity supervision and inspection carried out by the State Council financial management departments and their branches and dispatched offices, the State Council financial management departments and their branches and dispatched offices shall impose penalties in accordance with relevant provisions of the *Law of the People's Republic of China on the People's Bank of China*, the *Commercial Bank Law of the People's Republic of China*, the *Banking Supervision Law of the People's Republic of China*, the *Insurance Law of the People's Republic of China*, the *Securities Law of the People's Republic of China*, the *Securities Investment Fund Law of the People's Republic of China*, the *Futures and Derivatives Law of the People's Republic of China*, the *Cybersecurity Law of the People's Republic of China*, the *Regulation on the Supervision and Administration of Private Investment Funds*, the *Regulations of the People's Republic of China on Foreign Exchange Administration*, and other relevant provisions. **Article 27 (Penalties for violation of other cybersecurity-protection obligations).** Where a financial-sector entity fails to perform the cybersecurity-protection obligations provided in these Measures, and the *Cybersecurity Law of the People's Republic of China*, the *Data Security Law of the People's Republic of China*, the *Personal Information Protection Law of the People's Republic of China*, the *Regulations on the Security Protection of Critical Information Infrastructure*, or the *Regulation on Network Data Security Management* already provide penalties, the State Council financial management departments and their branches and dispatched offices shall impose penalties in accordance with the provisions of those laws and administrative regulations and according to the division of regulatory duties. Where those laws and administrative regulations do not provide penalties, but other laws or administrative regulations provide penalties, penalties shall be imposed in accordance with those provisions. **Article 28 (Other legal liability).** Where a financial-sector entity fails to perform the cybersecurity-protection obligations provided in these Measures and is suspected of constituting an act violating public security administration, the matter shall be transferred to the public security organ for handling. Where a crime is constituted, the matter shall be transferred to a judicial organ for criminal liability to be pursued in accordance with the law. **Article 29 (Handling of violations by management personnel).** Where staff of the State Council financial management departments and their branches and dispatched offices neglect duties, abuse powers, or engage in favoritism or malpractice, sanctions shall be imposed in accordance with laws and regulations. Where a crime is constituted, the matter shall be transferred to a judicial organ for criminal liability to be pursued in accordance with the law. ## Chapter V Supplementary Provisions **Article 30 (Definitions).** The following terms used in these Measures have the following meanings: (1) "Financial-sector entities" refers to financial institutions and other institutions approved for establishment or recognized by the State Council financial management departments. (2) "State Council financial management departments" refers to the People's Bank of China, the National Financial Regulatory Administration, the China Securities Regulatory Commission, and the State Administration of Foreign Exchange. (3) "Key positions" refers to planning and construction, development and testing, security operation, and daily operation and maintenance positions that are directly related to the security protection of critical information infrastructure and that possess relatively comprehensive information. **Article 31 (Cybersecurity management of local financial organizations).** Local financial management institutions shall take the lead in supervising and administering the performance of cybersecurity-protection obligations by local financial organizations, and may formulate corresponding management systems with reference to these Measures and to the cybersecurity-related provisions of the State Council financial management departments. **Article 32 (Authority to interpret).** These Measures shall be interpreted by the State Council financial management departments. **Article 33 (Effective date).** These Measures shall come into force on [month] [day], 2026. --- ## Implementing Rules for Data Security Risk Assessment in the Field of Industry and Information Technology (Trial) - Chinese title: 工业和信息化领域数据安全风险评估实施细则(试行) - Hierarchy: rule - Issuing body: Ministry of Industry and Information Technology - Adopted: 2024-05-10 - Effective: 2024-06-01 - Status: effective - URL: https://datacompliancechina.com/laws/industrial-data-security-risk-assessment-rules/ - Markdown: https://datacompliancechina.com/laws/industrial-data-security-risk-assessment-rules.md ### Summary These Implementing Rules operationalize the annual risk-assessment obligation imposed on processors of important data and core data by the MIIT Industrial Data Security Measures. They prescribe the assessment scope, the eight mandatory assessment focus areas, the once-a-year cadence and one-year validity of results, triggering events for re-assessment, requirements for in-house or third-party assessment teams, reporting timelines to local regulators, and the duties and capability-certification regime for third-party assessment institutions. Issued as MIIT Cyber Security [2024] No. 82 and effective June 1, 2024. ### Full text **Promulgated by:** Ministry of Industry and Information Technology. **Document No.:** MIIT Cyber Security [2024] No. 82. **Issued May 10, 2024. Effective June 1, 2024.** --- **Article 1.** These Implementing Rules are formulated in accordance with the Data Security Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China and other laws, and in line with the relevant requirements of the Administrative Measures for Data Security in the Field of Industry and Information Technology (Trial), in order to guide data processors in the field of industry and information technology to carry out data security risk assessment in a standardized manner, improve the level of data security management, and safeguard national security and development interests. **Article 2.** These Implementing Rules apply to data security risk assessments conducted on the data processing activities of processors of important data and core data in the field of industry and information technology within the territory of the People's Republic of China. **Article 3.** The Ministry of Industry and Information Technology shall uniformly manage, supervise and guide data security risk assessment work in the field of industry and information technology, and organize the formulation, revision, promotion and application of relevant assessment standards. The industry and information technology authorities of the provinces, autonomous regions, municipalities directly under the Central Government and cities specifically designated in the State plan, and the Xinjiang Production and Construction Corps, as well as the communications administrations and radio regulatory agencies of the provinces, autonomous regions and municipalities directly under the Central Government (hereinafter collectively referred to as the local industry regulatory authorities), shall, in accordance with their respective duties, be respectively responsible for supervising and administering the data security risk assessment work carried out by processors of important industrial, telecommunications and radio data and core data in their respective regions. The Ministry of Industry and Information Technology and the local industry regulatory authorities are collectively referred to as the industry regulatory authorities. **Article 4.** Processors of important data and core data shall carry out data security risk assessments in accordance with the principles of timeliness, objectivity and effectiveness, form true, complete and accurate assessment reports, and be responsible for the assessment results. **Article 5.** Processors of important data and core data shall, in accordance with national laws and regulations, the relevant provisions of the industry regulatory authorities and the assessment standards, carry out data security risk assessment of the purpose and method, business scenarios, security safeguard measures, risk impact and other elements of their data processing activities, with the following content as the focus: (I) whether the purpose, method and scope of data processing are legal, legitimate and necessary; (II) the formulation and implementation of data security management systems, processes and strategies; (III) the data security organizational structure, position staffing and performance of duties; (IV) the development and application of data security technical protection capabilities; (V) whether the personnel involved in data processing activities are familiar with data-security-related policies and regulations, whether they possess data security knowledge and skills, and whether they have received data-security-related education and training; (VI) the scope and degree of impact on national security and the public interest in the event of a security incident in which data is tampered with, destroyed, leaked, lost, or illegally obtained or used; (VII) where data provision, entrusted processing or transfer is involved, the security safeguard capabilities, responsibilities and obligations, and performance thereof, of the data recipient or entrusted party; (VIII) where circumstances requiring the declaration of a data export security assessment as prescribed by national laws and regulations are involved, the fulfillment of the data export security assessment requirements. **Article 6.** Processors of important data and core data shall carry out a data security risk assessment at least once a year. The validity period of the assessment results is one year, calculated from the date on which the assessment report is first issued. The assessment report shall include the basic information of the data processor, the basic information of the assessment team, the categories and quantities of important data, the conduct of data processing activities, the data security risk assessment environment, as well as the analysis of data processing activities, the compliance assessment, the security risk analysis, and the assessment conclusions and response measures. Where any of the following circumstances occurs within the validity period, the processor of important data and core data shall promptly carry out a risk assessment of the part that has changed and its impact: (I) newly providing, entrusting the processing of, or transferring core data across entities; (II) a change in the security status of important data or core data that adversely affects data security, including but not limited to major adjustments to the purpose, method, scope of application and security system strategy of data processing; (III) the occurrence of a security incident involving important data or core data; (IV) a major change in the filing content of the catalogue of important data and core data; (V) other circumstances in which the industry regulatory authority requires an assessment. **Article 7.** Processors of important data and core data may carry out the assessment on their own or by entrusting a third-party assessment institution that has the capability for data security work in industry and information technology. The assessment process shall establish a professional assessment team including at least personnel for organizational management, business operation, technical assurance and security compliance, formulate a complete assessment work plan, and equip itself with effective technical testing tools. **Article 8.** Where a processor of important data and core data entrusts a third-party assessment institution to carry out a data security risk assessment, it may, by concluding a contract or other legally effective document, clarify the rights and responsibilities of both parties, provide the third-party assessment institution with the necessary materials and conditions, ensure the authenticity and completeness of the relevant materials, and confirm the assessment results. **Article 9.** For data security risks and hidden dangers discovered in the assessment, processors of important data and core data shall promptly take appropriate measures to eliminate or reduce the risks and hidden dangers. **Article 10.** Processors of important data and core data shall, within 10 working days after the completion of the assessment work, submit the assessment report to the industry regulatory authority of their region. Central enterprises shall supervise and guide their subordinate enterprises in fulfilling the territorial data security risk assessment and assessment-report submission requirements, and shall submit the consolidated assessment reports of the enterprise group headquarters and subordinate companies to the Ministry of Industry and Information Technology. The local industry regulatory authorities shall submit the assessment results of processors of important data and core data in their respective regions and fields to the Ministry of Industry and Information Technology. **Article 11.** Where a local industry regulatory authority discovers non-compliance with laws, regulations and relevant provisions, it shall promptly notify the processor of important data and core data to make corrections in accordance with the law. The local industry regulatory authorities shall, by December 25, submit to the Ministry of Industry and Information Technology the status of receipt and review of the assessment reports for the current year in their respective regions. The Ministry of Industry and Information Technology shall organize spot-check reviews of the assessment reports as appropriate. Where the provision, transfer or entrusted processing of core data across entities is involved, the local industry regulatory authority shall complete the review within 20 working days after the data processor submits the assessment report, and report it to the Ministry of Industry and Information Technology for re-examination in accordance with relevant State provisions. **Article 12.** Certification institutions that are familiar with data security work in the field of industry and information technology and meet the qualification requirements are encouraged to carry out capability certification of third-party assessment institutions. The relevant certification institutions shall be equipped with corresponding personnel and technical assurance capabilities, establish a capability certification system for third-party assessment institutions, clarify the standardized requirements for third-party assessment institutions in terms of management systems, personnel capabilities, tools and facilities, and assessment fields, track and manage the service quality of third-party assessment institutions, and supervise third-party assessment institutions in carrying out data security risk assessment work independently, impartially, objectively and scientifically. **Article 13.** Third-party assessment institutions shall perform the following obligations: (I) strictly keep confidential the State secrets, the catalogues and content of important data and core data, commercial secrets, personal privacy that they become aware of in the assessment work, as well as the confidential information agreed in the confidentiality agreement signed with the data processor; (II) carry out the assessment impartially and independently and issue the assessment report in strict accordance with national laws and regulations, the relevant provisions of the industry regulatory authorities and the assessment standards, comprehensively, accurately and objectively reflect the data security risk status of the processor of important data and core data, and provide practical and effective risk rectification suggestions and measures; (III) except with the written consent of the processor of important data and core data or as otherwise provided by laws and administrative regulations, not provide other organizations or individuals with the relevant information collected and obtained in the assessment. **Article 14.** The Ministry of Industry and Information Technology shall, according to technical capability, personnel staffing, reputation and qualifications, and other factors, select on a merit basis third-party assessment institutions that have passed capability certification, and establish a pool of data security risk assessment support institutions in the field of industry and information technology. The local industry regulatory authorities may, with reference thereto, establish pools of data security risk assessment support institutions for their respective regions. The industry regulatory authorities may, as needed for their work, on their own or by organizing institutions from the pool of data security risk assessment support institutions, carry out special risk assessments of the data processing activities of processors of important data and core data, or supervise and inspect the implementation of risk assessment work by processors of important data and core data. Processors of important data and core data shall cooperate with the special risk assessments and supervision and inspection initiated by the industry regulatory authorities, and promptly correct the relevant problems discovered in the assessment. **Article 15.** With respect to certification institutions that violate relevant State provisions on certification and accreditation, the industry regulatory authorities shall transfer the relevant leads to the market regulation authorities for handling. The industry regulatory authorities shall supervise and administer the assessment activities of third-party assessment institutions, and, with respect to third-party assessment institutions that violate laws and regulations, fail to carry out assessment activities in accordance with industry provisions and standards, or fail to perform their confidentiality obligations, conduct interviews and notifications as appropriate in accordance with the prescribed authority and procedures; the certification institutions shall, based on the notified information, suspend or even revoke the corresponding certification certificates of third-party assessment institutions that do not meet the certification requirements in accordance with the law. **Article 16.** Where there is conduct in violation of these Implementing Rules, the industry regulatory authorities shall impose administrative penalties in accordance with relevant laws and regulations and according to the degree of seriousness of the circumstances; where a crime is constituted, criminal liability shall be pursued in accordance with the law. **Article 17.** Staff of the industry regulatory authorities and the entrusted support institutions have an obligation of confidentiality with respect to the State secrets, commercial secrets, personal information, assessment work information, and the like, that they become aware of in the performance of their duties. **Article 18.** Data security risk assessments conducted on the data processing activities of processors of general data may be implemented with reference to these Implementing Rules. Data processing activities involving military affairs, State secrets, and the like, shall be carried out in accordance with relevant State provisions. **Article 19.** These Implementing Rules shall come into force on June 1, 2024. --- ## Measures for the Administration of Data Security in the Field of Natural Resources - Chinese title: 自然资源领域数据安全管理办法 - Hierarchy: rule - Issuing body: Ministry of Natural Resources - Adopted: 2024-03-22 - Effective: 2024-03-22 - Status: effective - URL: https://datacompliancechina.com/laws/natural-resources-data-security-measures/ - Markdown: https://datacompliancechina.com/laws/natural-resources-data-security-measures.md ### Summary Issued by the Ministry of Natural Resources as a departmental normative document (Doc. No. Zi Ran Zi Fa [2024] No. 57) on March 22, 2024, and effective the same day, having been approved by the national data security work coordination mechanism. These measures implement the Data Security Law for non-classified data in the natural-resources field — geographic information data (including basic geographic information and remote-sensing imagery), natural-resources survey and monitoring data (land, minerals, forests, grasslands, water, wetlands, sea areas and islands), territorial spatial planning data, and natural-resources management data (use control, asset management, cultivated-land protection, ecological restoration, real estate registration, etc.). The measures establish the three-tier general/important/core classification with six reference indicators for identifying important data, assign supervisory roles to the Ministry of Natural Resources, the National Forestry and Grassland Administration, and local industry regulators, and set out a full data-lifecycle security regime (collection, storage, use and processing, transmission, provision, disclosure, deletion). Key obligations include catalog reporting and review of important and core data, MLPS Level 3+ for important data and Level 4 / CII protection for core data, the 30% cumulative-volume risk-assessment trigger for core-data provision, in-country storage with cross-border security assessment for important data, annual risk assessment for important-data processors, and a monitoring, early-warning, and emergency-response framework. ### Full text **Promulgated by:** Ministry of Natural Resources. **Document Number:** Zi Ran Zi Fa [2024] No. 57. **Date of Issue:** March 22, 2024. **Effective Date:** March 22, 2024. **Legal Effect Level:** Departmental normative document. **Notice of the Ministry of Natural Resources on Issuing the *Measures for the Administration of Data Security in the Field of Natural Resources*.** To the natural-resources competent authorities of all provinces, autonomous regions, and municipalities directly under the Central Government; the Natural Resources Bureau of the Xinjiang Production and Construction Corps; the Shanghai Municipal Oceanic Bureau, the Fujian Provincial Department of Ocean and Fisheries, the Shandong Provincial Oceanic Bureau, and the Guangxi Zhuang Autonomous Region Oceanic Bureau; the National Forestry and Grassland Administration; the China Geological Survey and other units directly under the Ministry; all dispatched agencies; and all departments and bureaus of the Ministry: Upon the approval of the national data security work coordination mechanism and with the consent of the Ministry's leadership, the *Measures for the Administration of Data Security in the Field of Natural Resources* are hereby issued to you. Please implement them conscientiously in light of actual conditions. Ministry of Natural Resources March 22, 2024 --- ## Chapter 1 General Provisions **Article 1.** These Measures are formulated in accordance with the Data Security Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Cryptography Law of the People's Republic of China, and other laws and regulations, in order to regulate data processing activities in the field of natural resources, strengthen data security management, safeguard data security, promote the development and utilization of data, protect the lawful rights and interests of individuals and organizations, and safeguard national security and development interests. **Article 2.** Non-classified data processing activities in the field of natural resources carried out within the territory of the People's Republic of China, or carried out in the course of performing the duties of natural-resources departments overseas, and the security supervision and administration thereof, shall comply with the requirements of the relevant laws and regulations and of these Measures. **Article 3.** The term "data in the field of natural resources" as used in these Measures means data collected and generated in the course of carrying out natural-resources activities, mainly including: geographic information data such as basic geographic information and remote-sensing imagery; natural-resources survey and monitoring data on land, minerals, forests, grasslands, water, wetlands, sea areas and islands, and the like; territorial spatial planning data such as master plans, detailed plans, and special plans; and natural-resources management data on use control, asset management, cultivated-land protection, ecological restoration, development and utilization, real estate registration, and the like. The term "data processor in the field of natural resources" (hereinafter referred to as "data processor") as used in these Measures means all types of entities in the natural-resources industry that carry out data processing activities in the field of natural resources. The term "data security" as used in these Measures means ensuring, by taking necessary measures, that data is in a state of effective protection and lawful utilization, as well as the capability to ensure a continuous state of security. **Article 4.** Under the overall coordination of the national data security work coordination mechanism, the Ministry of Natural Resources shall undertake the data security supervision and administration duties for the natural-resources industry and field, and shall be responsible for supervising and guiding the natural-resources competent authorities and oceanic competent authorities of all provinces, autonomous regions, and municipalities directly under the Central Government (hereinafter collectively referred to as local industry regulators) in carrying out data security supervision and administration. The National Forestry and Grassland Administration shall specifically undertake the data security supervision and administration duties for forests and grasslands, wetlands and deserts, and the like, and shall formulate specific systems by reference to these Measures. Local industry regulators shall be respectively responsible for the supervision and administration of data processing activities and security protection in the field of natural resources in their respective regions. The Ministry of Natural Resources, the National Forestry and Grassland Administration, and local industry regulators are collectively referred to as industry regulators. Industry regulators shall incorporate data security into the Party committee's (Party leadership group's) national security responsibility system, and, in accordance with the principle that "whoever is in charge of the business is in charge of the data and is in charge of the data security," implement their responsibility to guide and supervise data security in their industry, region, and field. **Article 5.** The Ministry of Natural Resources and the National Forestry and Grassland Administration shall advance the building of standard systems for the development and utilization of data and for data security in the field of natural resources, and organize the formulation, revision, and promotion and application of relevant standards. **Article 6.** The lawful sharing, opening, development, and utilization of data in the field of natural resources are encouraged, and innovative applications of data are supported. A development model in which data development and utilization and the security industry advance in coordination shall be actively constructed, data security safeguard capabilities shall be continuously enhanced, and national security, social stability, and the rights and interests of organizations and individuals shall be safeguarded. **Article 7.** Support shall be given to carrying out regular publicity and education on data security in the field of natural resources. Various means shall be adopted to cultivate professionals in data development and utilization technology and in data security, and to promote talent exchange. ## Chapter 2 Classification and Grading Management of Data **Article 8.** The Ministry of Natural Resources shall organize the formulation of standards and norms for the classification and grading of data in the field of natural resources, the identification and determination of important data and core data, data security protection, and the like; guide the carrying out of data classification and grading management work; and compile the catalog of important data and core data for the industry and implement dynamic management thereof. The National Forestry and Grassland Administration shall, in accordance with the standards and norms for the classification and grading of data in the field of natural resources and in light of work needs, compile standards and norms for data security in the forestry and grassland field, guide the carrying out of data classification and grading work for forestry and grassland, and compile the catalog of important data and core data for forestry and grassland and implement dynamic management thereof. Local industry regulators shall, in accordance with the standards and norms for the classification and grading of data in the field of natural resources, respectively organize the carrying out of data classification and grading management and the identification and review of important data and core data in the field of natural resources in their respective regions, compile the catalog of important data and core data in the field of natural resources for their respective regions, and report it to the Ministry of Natural Resources; where the catalog changes, they shall promptly report the update. Data processors shall, in accordance with the standards and norms for the classification and grading of data in the field of natural resources, regularly sort out and fill in and report the catalog of important data and core data. **Article 9.** Based on industry characteristics and business applications, the categories of data classification in the field of natural resources include, but are not limited to, geographic information, natural-resources survey and monitoring, territorial spatial planning, natural-resources management, and the like, with specific reference to the standards and norms for the classification and grading of data in the field of natural resources. Through comprehensive analysis of the importance, precision, scale, security risk, as well as the value, availability, shareability, and openability of data in the field of natural resources, and the like, and by judging the objects affected, the degree of impact, and the scope of impact after the data is tampered with, destroyed, leaked, or illegally obtained or illegally used, the data is graded into general data, important data, and core data. Data processors may, on this basis, further subdivide the categories of data and the levels of general data. **Article 10.** Core data means important data that has a relatively high coverage of a field, group, or region, or reaches a relatively high precision, relatively large scale, or certain depth, and that, once illegally used or shared, may directly affect political security. Core data mainly includes data concerning key fields of national security, data concerning the lifelines of the national economy, important aspects of people's livelihood, and major public interests, and other data determined through assessment by the relevant State authorities. Important data means data of a specific field, specific group, specific region, or reaching a certain precision and scale, that, once leaked or tampered with, damaged, or destroyed, may directly endanger national security, economic operation, social stability, public health, and safety. General data means data other than important data and core data. In light of the characteristics of data in the field of natural resources, data that satisfies two (inclusive) or more of the following reference indicators is important data: (I) data that is produced in support of the "two unifications" duties entrusted by the CPC Central Committee and the State Council, that is irreplaceable and unique to the industry, and that, once a data security incident such as data tampering, leakage, or service interruption occurs, will affect the performance of duties by natural-resources departments and have a significant impact on the served objects nationwide; (II) data that concerns the national economy and important aspects of people's livelihood, that provides basic natural-resources data support for other industries and fields, and that, once a data security incident occurs, will have a significant impact on other industries and fields; (III) data that covers multiple provinces or even the whole country, is large in scale and high in precision, and is highly sensitive and important; (IV) data that directly affects the normal operation and service of national critical information infrastructure; (V) data that endangers national security, the national economic competitiveness, the public's receipt of public services, citizens' conditions of survival and a stable working and living environment, citizens' personal and property safety and other lawful interests, or that leads to social panic, and the like; (VI) other important natural-resources data prescribed by China's laws, regulations, and normative documents. Data that meets the indicators for important data and that concerns the lifelines of the national economy, important aspects of people's livelihood, and major public interests, and affects political security, is core data. **Article 11.** Data processors affiliated with the Ministry of Natural Resources shall file the catalog of their entity's important data and core data with the Ministry of Natural Resources; data processors affiliated with the National Forestry and Grassland Administration shall file the catalog of their entity's important data and core data with the National Forestry and Grassland Administration; and other data processors shall file the catalog of their entity's important data and core data with the industry regulator of their region. The content of the filing shall include, but not be limited to, the category, level, scale, precision, source, carrier, scope of use, external sharing, cross-border transmission, security status, and responsible-entity situation of the data, and the like, but shall not include the data content itself. Local industry regulators shall complete the review within twenty working days after the data processor submits the filing application; where the content of the filing meets the requirements, it shall be reported to the Ministry of Natural Resources for review and determination; the Ministry of Natural Resources shall complete the determination of important data within twenty working days after receiving the application, and core data shall be reported to the national data security work coordination mechanism for determination; where the content does not meet the requirements, feedback shall be promptly provided to the applying entity with an explanation of the reasons. The applying entity shall re-submit the application within fifteen working days after receiving the feedback. Where the content of the filing undergoes a material change, the data processor shall complete the change formalities within three months of the change occurring. A material change means that the data content changes such that the original level no longer applies, or that the scale of a certain category of important data or core data changes by more than 30%, and the like. ## Chapter 3 Whole-Lifecycle Data Security Management **Article 12.** Data processors shall bear principal responsibility for the security of data processing activities, and shall implement graded protection for all categories of data. Where data of different levels is processed simultaneously and it is difficult to take protective measures separately, protection shall be implemented in accordance with the requirements for the highest level among them, so as to ensure that the data is continuously in a state of effective protection and lawful utilization. (I) establish a data security management system and, for data of different levels, formulate specific graded-protection requirements and operating procedures for each stage of the data lifecycle; (II) deploy data security management personnel as needed, who shall be responsible for the overall security supervision and administration of data processing activities and assist industry regulators in carrying out their work; (III) when carrying out data processing activities using the Internet or other information networks, implement the requirements of systems such as cybersecurity multi-level protection, critical information infrastructure security protection, cryptographic protection, and secrecy protection; (IV) take corresponding technical measures and other necessary measures to safeguard data security and prevent risks such as data being tampered with, destroyed, leaked, or illegally obtained or illegally used; (V) reasonably determine the operating permissions for data processing activities, and strictly implement personnel permission management; (VI) formulate emergency plans and carry out emergency drills as needed to respond to data security incidents; (VII) regularly carry out education and training on data security knowledge and skills for practitioners; (VIII) other measures prescribed by laws, regulations, and the like. Processors of important data and core data shall, in addition: (I) establish a data security work system covering the relevant departments of their entity, clarify the data security officer and management body, and establish a normalized communication and collaboration mechanism. The legal representative or principal person-in-charge of the entity is the primary person responsible for data security; the leadership-team member in charge of data security within the leadership team is the directly responsible person; and other members bear leadership responsibility for data security work within the scope of their duties, perform data security protection obligations, and accept supervision; (II) clarify key data-processing positions and position responsibilities, and require personnel in key positions to sign a data security responsibility statement, the content of which shall include, but not be limited to, the data security position responsibilities, obligations, penalty measures, points for attention, and the like. They shall, in accordance with business work needs and the principle of least authorization, set data processing permissions based on position responsibilities, control the scope of access to important data, and promptly adjust permissions when personnel changes occur. Relevant personnel in key positions involving core data, and entities engaged in the construction and operation and maintenance of information systems, and the like, shall be submitted to the public security authorities and national security authorities for national security background review; (III) establish internal registration and approval mechanisms, strictly manage the processing activities of important data and core data, and retain records for not less than six months; (IV) at each stage of the data lifecycle, comprehensively apply technical means such as encryption, authentication, certification, de-identification, verification, and auditing to carry out security protection, and use commercial cryptography for protection as required by laws and regulations and relevant State provisions; (V) information system construction and operation-and-maintenance projects involving important data shall not be subcontracted or sub-subcontracted without the approval of the entrusting party. Construction and operation-and-maintenance personnel shall not process the important data of the entrusting party without the express authorization of the entrusting party. Data collected or generated in the course of providing the construction and operation and maintenance of information systems involving important data shall not be used for other purposes, and shall, after the service is completed, be handled as agreed with the entrusting party or promptly deleted; (VI) strengthen personnel and funding support. **Article 13.** Data processors collecting data shall follow the principles of legality and legitimacy, and shall not steal data or collect data by other illegal means. Where laws and regulations provide for the purpose and scope of data collection, the data shall be collected within the purpose and scope prescribed by laws and regulations. In the course of data collection, corresponding security measures shall be taken according to the data security level, the management of personnel and equipment collecting and producing important data and core data shall be strengthened, and records shall be made of the source, time, type, quantity, precision, region, frequency, flow direction, and the like, of the collection. Where important data and core data are obtained through indirect channels, the data processor shall, by means of signing relevant agreements, letters of commitment, and the like, with the data provider, clarify the legal responsibilities of both parties. **Article 14.** Data processors shall store data in the manner and for the period prescribed by laws and regulations, and may strengthen data storage security management and control in terms of physical and environmental security, network and communication security, equipment and computing security, application and data security, and the like, so as to safeguard the integrity, confidentiality, authenticity, and availability of stored data. For the storage of important data, Level 3 or above cybersecurity multi-level protection requirements shall be implemented. For the storage of core data, critical information infrastructure security protection requirements or Level 4 cybersecurity multi-level protection requirements shall be implemented. **Article 15.** Data processors carrying out data processing and use activities shall take management and control measures such as access control, data leakage prevention, and operation auditing, to ensure that the process is secure, compliant, controllable, and traceable, to prevent the security risks of leakage of valuable information and personal privacy in the course of data correlation mining and analysis, to clarify the relevant responsibilities in the course of data use and processing, and to ensure the legitimate processing and use of data. In the course of processing and use, corresponding measures shall be taken according to the data level to protect the security of data; the data used must be authentic and reliable, and the data source and collection process must be reviewed and verified. Where automated decision-making using data is involved, the transparency of the decision-making and the fairness and reasonableness of the results shall be ensured. For the processing and use of important data and core data, strict access control shall also be implemented, and relevant technical and management mechanisms such as data trustworthiness and controllability, log retention and auditing, risk monitoring and assessment, real-time monitoring, emergency response, and data traceability shall be established. **Article 16.** Data processors shall, according to the type, level, and application scenario of the data transmitted, formulate security strategies and take protective measures. For the transmission of important data and core data, measures such as verification technology, cryptographic technology, secure transmission channels, or secure transmission protocols shall be adopted. **Article 17.** Data processors shall provide data in a secure and orderly manner in accordance with relevant provisions, clarify the scope, category, conditions, procedures, and the like, of the provision; the data provided shall be limited to the minimum scope necessary to achieve the processing purpose of the data recipient; and the data recipient shall be informed to carry out classification and grading protection according to the corresponding level and to take necessary security protection measures. Where important data is involved, a data security agreement shall be signed with the data recipient. In the course of sharing and invocation of important data, security management and control shall be strengthened, technical measures shall be taken to regularly monitor the sharing and invocation of data, and security protection measures such as risk isolation, authentication and authorization, and threat alerts shall be deployed. Where the provision or sharing of core data is involved, necessary security protection measures shall be taken and a report shall be made to the Ministry of Natural Resources; where the cumulative amount from January 1 of the current year may reach 30% or more of the total volume, a risk assessment shall be organized by the national data security work coordination mechanism upon submission by the Ministry of Natural Resources. The lawful performance of duties by State organs, or internal flow within a unit, shall be excepted. **Article 18.** Before disclosing data, data processors shall analyze and assess the impact that may be caused on national security and the public interest; where there is a significant negative impact or risk, the data shall not be disclosed. Government departments shall observe the principles of fairness, impartiality, and convenience for the people, and shall disclose government affairs data promptly and accurately in accordance with provisions, except for data not to be disclosed in accordance with the law. **Article 19.** Data processors shall establish a data destruction system, clarify the destruction objects, rules, processes, technical requirements, and the like, and record and retain records of destruction activities. Where destruction is requested in accordance with the provisions of laws and regulations, contractual stipulations, or the like, the data processor shall destroy the corresponding data. For the destruction of important data and core data, necessary security protection measures shall be taken, and the data destruction plan shall be reported to the industry regulator in advance. Where a change in the catalog of important data and core data is thereby caused, a report shall be promptly filed with the industry regulator, and the destroyed data shall not be recovered for any reason or by any means. **Article 20.** Important data collected and generated by data processors within the territory of the People's Republic of China shall be stored within the territory; where it truly needs to be provided overseas, the data processor shall implement the relevant provisions of the State cyberspace authority on data export security assessment. **Article 21.** Where a data processor needs to transfer data due to reorganization or the like, it shall clarify the data transfer plan. Where important data is involved, necessary security protection measures shall be taken, and the data transfer plan shall be reported to the industry regulator in advance. Where a change in the catalog of important data is thereby caused, a report shall be promptly filed with the industry regulator. **Article 22.** Where a data processor entrusts another party to process data or jointly processes data with another party, data security responsibility shall not change as a result of the entrustment, and the data security responsibilities and obligations of the entrusting party and the entrusted party shall be clarified by means of signing a contract or agreement. Where important data is involved, the entrusting party shall take security as an important consideration, assess or verify the data security protection capabilities and qualifications of the entrusted party, undergo strict approval procedures, clarify the data processing permissions and protection responsibilities of the entrusted party, and supervise the entrusted party in performing its data security protection obligations. Except as otherwise provided by laws and regulations, the entrusted party shall not provide data to a third party without the consent of the entrusting party. **Article 23.** Data processors shall, in the course of whole-lifecycle data processing, record logs of data processing, permission management, personnel operations, and the like, and use commercial cryptography technology to protect the integrity of the logs. Among them, the retention period of logs for general data shall be not less than six months; where the handling and traceability of important data security incidents are involved, the relevant logs shall be retained for not less than one year; where the provision to others, entrusted processing, or joint processing of important data is involved, the relevant logs shall be retained for not less than three years; and where the handling and traceability of core data security incidents are involved, the relevant logs shall be retained for not less than three years. ## Chapter 4 Data Security Monitoring, Early Warning, and Emergency Management **Article 24.** The Ministry of Natural Resources shall, in accordance with relevant State standards and procedures, organize the establishment of a data security risk monitoring mechanism in the field of natural resources, establish a data security risk monitoring and early-warning system in the field of natural resources, classify the levels of data security risks and incidents, organize the building of technical means for data security monitoring and early warning, form capabilities for monitoring, traceability, early warning, and handling, and strengthen information sharing with relevant departments. The National Forestry and Grassland Administration shall organize the establishment of a data security risk monitoring and early-warning mechanism for forestry and grassland, classify the levels of forestry and grassland data security risks and incidents, and organize the building of technical means for forestry and grassland data monitoring and early warning. Local industry regulators shall respectively build data security monitoring and early-warning mechanisms for their regions, organize the carrying out of data security risk monitoring in the field of natural resources in their regions, promptly release early-warning information in accordance with relevant provisions, and notify data processors in their regions to promptly take response measures. Data processors shall carry out data security risk monitoring, promptly investigate security hazards, and take necessary measures to prevent data security risks. **Article 25.** The Ministry of Natural Resources shall organize and guide the carrying out of data security risk assessment and other work in the field of natural resources. The National Forestry and Grassland Administration shall organize and guide the carrying out of forestry and grassland data security risk assessment and other work. Local industry regulators shall be respectively responsible for organizing the carrying out of data security risk assessment work in the field of natural resources in their regions. Important-data processors shall, on their own or by entrusting a third-party assessment institution, carry out a risk assessment of their data processing activities at least once a year, promptly rectify risk problems, and submit risk assessment reports to the industry regulator. The risk assessment report shall include the category and quantity of important data processed, the situation of the data processing activities carried out, the data security risks faced, the response measures and their degree of effectiveness, and the like. Data processors shall retain the risk assessment report for at least three years. Core-data processors shall give priority to using third-party assessment institutions to carry out risk assessments. When data processors organize a risk assessment of important data security, they shall carry out audit analysis of the logs of key operations such as data query, download, modification, and deletion, and shall promptly take corresponding handling measures upon discovering violations or abnormal behavior. **Article 26.** The Ministry of Natural Resources shall organize the establishment of a data security risk information notification mechanism in the field of natural resources, and uniformly collect, analyze, judge, and notify data security risk information. The National Forestry and Grassland Administration shall organize the establishment of a data security risk information notification mechanism for forestry and grassland. Local industry regulators shall respectively summarize and analyze data security risks in the field of natural resources in their regions, and, based on a comprehensive judgment of the development trend, scale, degree of correlation, and actual harm of the data security risks, and the like, promptly report risks that may cause major or higher-level security incidents to the Ministry of Natural Resources. Data processors shall promptly report risks that may cause relatively large or higher-level security incidents to the industry regulator. **Article 27.** The Ministry of Natural Resources shall organize the formulation of data security incident emergency plans in the field of natural resources, and organize and coordinate the emergency-response work for important data and core data security incidents. The National Forestry and Grassland Administration shall organize the establishment of forestry and grassland data security incident emergency plans, and organize and coordinate the emergency-response work for important data and core data security incidents. Local industry regulators shall respectively organize the carrying out of data security incident emergency-response work in the field of natural resources in their regions. For security incidents involving important data and core data, a report shall be immediately made to the Ministry of Natural Resources, and the development and handling of the incident shall be promptly reported. After a data security incident occurs, data processors shall, in accordance with the emergency plan, promptly carry out emergency response; for security incidents involving important data and core data, they shall report to the industry regulator and the local public security department at the first instance, and form a summary report within one week after the handling of the incident is completed. They shall report the handling of data security incidents to the industry regulator on an annual basis. For data security incidents that may harm the lawful rights and interests of users, data processors shall promptly inform the users and provide measures to mitigate the harm. ## Chapter 5 Supervision and Inspection **Article 28.** Industry regulators shall carry out supervision and inspection of the implementation by data processors of data classification and grading protection and the requirements of these Measures. Data processors shall cooperate with the supervision and inspection of industry regulators. **Article 29.** Under the unified organization of the national data security work coordination mechanism, the Ministry of Natural Resources shall, in accordance with the law, cooperate with the relevant authorities in carrying out data security review work with respect to data processing activities in the field of natural resources that affect or may affect national security. **Article 30.** Data processors and the staff of the data security risk assessment institutions entrusted by them shall keep strictly confidential the personal information, commercial secrets, and the like, that they become aware of in performing their duties, and shall not leak them or illegally provide them to others. ## Chapter 6 Legal Liability **Article 31.** Where, in performing their data security supervision and administration duties, industry regulators discover that a data processing activity poses a relatively large security risk, they may, in accordance with the prescribed authority and procedures, conduct interviews with the data processor and require it to take rectification measures to eliminate hidden dangers. **Article 32.** For violations of the relevant provisions, handling shall be carried out in accordance with the Data Security Law of the People's Republic of China and relevant laws and regulations, and corresponding administrative penalties shall be imposed according to the seriousness of the circumstances; where a crime is constituted, criminal liability shall be pursued in accordance with the law. ## Chapter 7 Supplementary Provisions **Article 33.** Where data processing activities involving personal information are carried out, the provisions of the relevant laws and regulations shall also be complied with. **Article 34.** Data processing activities involving State secret information, or matters that constitute State secrets after data in the field of natural resources is aggregated and correlated, shall comply with the relevant secrecy provisions of the State and the Ministry. **Article 35.** Where laws and regulations provide that an administrative license shall be obtained for carrying out data processing activities, the data processor shall obtain the license in accordance with the law. **Article 36.** These Measures shall be interpreted by the Ministry of Natural Resources. **Article 37.** These Measures shall take effect on the date of issuance. --- ## Measures for the Administration of Data Security of Banking and Insurance Institutions - Chinese title: 银行保险机构数据安全管理办法 - Abbreviation: NFRA Banking & Insurance Data Security Measures - Hierarchy: rule - Issuing body: National Financial Regulatory Administration - Adopted: 2024-12-27 - Effective: 2024-12-27 - Status: effective - URL: https://datacompliancechina.com/laws/nfra-banking-insurance-data-security-measures/ - Markdown: https://datacompliancechina.com/laws/nfra-banking-insurance-data-security-measures.md ### Summary Issued by the National Financial Regulatory Administration (NFRA) as Jin Gui [2024] No. 24 and effective December 27, 2024, these Measures are the comprehensive data security rule for banking and insurance institutions. Across nine chapters they establish a data security governance structure (board, senior management, a centralized administration department and an IT technical-protection department), a four-tier classification (core / important / sensitive / other general data), and full-lifecycle management and technical-protection requirements. They also contain a dedicated chapter on personal information protection, prescribe risk monitoring and a two-hour incident reporting timeline, set out supervisory and penalty provisions under the Banking Regulation Law and Insurance Law, and append a detailed data-security incident grading scheme. They supersede the 2022 trial measures (Yin Bao Jian Ban Fa [2022] No. 118). ### Full text **Promulgated by:** National Financial Regulatory Administration. **Document No.:** Jin Gui [2024] No. 24. **Issued and effective December 27, 2024.** Supersedes the Data Security Measures for Banking and Insurance Institutions (Yin Bao Jian Ban Fa [2022] No. 118). --- ## Issuing Notice To all local financial regulatory bureaus; all policy banks, large banks, joint-stock banks, foreign-funded banks, direct banks, financial asset management companies, financial asset investment companies and wealth management companies; all insurance group (holding) companies, insurance companies, insurance asset management companies, pension management companies and specialized insurance intermediaries; all financial holding companies; and all units administered by the Administration: The Measures for the Administration of Data Security of Banking and Insurance Institutions are hereby issued to you for compliance and implementation. National Financial Regulatory Administration December 27, 2024 --- # Measures for the Administration of Data Security of Banking and Insurance Institutions ## Chapter 1 General Provisions **Article 1.** In order to regulate data processing activities in the banking and insurance industries, safeguard data security and financial security, promote the reasonable development and utilization of data, protect the lawful rights and interests of individuals and organizations, and safeguard national security and the public interest of society, these Measures are formulated in accordance with the Data Security Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Law of the People's Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Insurance Law of the People's Republic of China and other laws and regulations. **Article 2.** "Banking and insurance institutions" as used in these Measures means policy banks, commercial banks, rural cooperative banks, rural credit cooperatives, financial asset management companies, enterprise group finance companies, financial leasing companies, auto finance companies, consumer finance companies, money brokerage companies, trust companies, wealth management companies, insurance companies, insurance asset management companies, and insurance group (holding) companies established within the territory of the People's Republic of China. Where data processing activities involving State secrets are carried out, the provisions of the Law of the People's Republic of China on Guarding State Secrets and other laws and administrative regulations shall apply. Where the relevant competent authorities of the State have other provisions, such provisions shall be complied with in accordance with the law. **Article 3.** "Data" as used in these Measures means any record of information by electronic or other means. Data processing means the collection, storage, use, processing (加工), transmission, provision, sharing, transfer, public disclosure, deletion, destruction and the like of data. Data security means, by taking necessary measures, managing and controlling data processing activities and data application scenarios so as to ensure that data is at all times in a state of being effectively protected and lawfully utilized, as well as the capability to ensure a continuously secure state. Data subject means the natural person identified by the data or his or her guardian, or the enterprise, government organ, public institution, social organization or other organization. Personal information means any information recorded by electronic or other means relating to an identified or identifiable natural person, excluding information that has been anonymized. Big-data platform means infrastructure for the purpose of processing such matters as the storage, computation and analysis of massive data, including platforms for statistical analysis of data and big-data processing platforms (such as data lakes and data warehouses). **Article 4.** The National Financial Regulatory Administration and its dispatched offices shall be responsible for the supervision and administration of data security in the banking and insurance industries, formulate and issue regulatory rules and systems, and supervise and inspect the performance by banking and insurance institutions of their data security protection obligations. **Article 5.** Banking and insurance institutions shall establish a data security governance system commensurate with their institution's business development objectives, establish and improve data security management systems, build a security protection mechanism covering the full data lifecycle and application scenarios, carry out data security risk assessment, monitoring and disposal, and ensure that data development and utilization activities are carried out securely and soundly. Where banking and insurance institutions carry out data processing activities using information networks such as the Internet, they shall, on the basis of the cybersecurity multi-level protection system, perform data security protection obligations. **Article 6.** Banking and insurance institutions shall, when carrying out data processing activities, comply with laws and regulations, respect social morality and ethics, observe commercial ethics and professional ethics, act in good faith, perform data security protection obligations, undertake social responsibility, shall not endanger national security, political security, economic and financial security or the public interest, and shall not harm the lawful rights and interests of individuals or organizations. **Article 7.** Banking and insurance institutions shall coordinate development and security, implement the national big-data strategy, advance the construction of data infrastructure, intensify innovative applications of data, promote the development of the digital economy with data as a key factor, enhance the intelligence level of financial services, innovate inclusive-finance service models, and strengthen the capacity to prevent and resolve risks. **Article 8.** Banking and insurance institutions shall continuously track the frontier developments in the development and utilization of emerging data and in scientific and technological development, effectively respond to the rule conflicts, social risks, and ethical and moral risks that may arise from big-data applications and scientific and technological innovation, and prevent data and technology from being misused or abused. ## Chapter 2 Data Security Governance **Article 9.** Banking and insurance institutions shall establish a data security management organizational structure covering departments such as the board of directors (council), senior management, data security overall coordination, and data security technical protection, clarify position responsibilities and working mechanisms, and implement resource guarantees. **Article 10.** Banking and insurance institutions shall establish a data security accountability system, under which the Party committee (Party leadership group) and the board of directors (council) bear principal responsibility for the data security work of the institution. The principal person-in-charge of a banking or insurance institution shall be the first person responsible for data security, and the senior management member in charge of data security shall be the directly responsible person; the responsibilities of persons-in-charge at each level shall be clarified, the situations constituting violations and the matters of accountability shall be clarified, and an accountability and disposal mechanism shall be implemented. **Article 11.** Banking and insurance institutions shall designate a centralized (归口) data security administration department as the department primarily responsible for the institution's data security work. Its main responsibilities include: (I) organizing the formulation of data security management principles, plans, systems and standards; (II) organizing the establishment and maintenance of a data catalogue, and promoting the implementation of classified and graded protection of data; (III) organizing data security assessment and review; (IV) coordinating the establishment of a data security emergency management mechanism, and organizing the carrying out of data security risk monitoring, early warning and disposal; (V) organizing data security publicity and training, and enhancing employees' awareness and skills in data security protection; (VI) establishing and maintaining an overall coordination mechanism for internal data sharing, external data introduction, external data provision and data export, taking the lead in the security management of external data suppliers, and coordinating the security requirement management of big-data applications and data sharing projects; (VII) reporting important data security matters to the Party committee (Party leadership group), the board of directors (council) and senior management; (VIII) other data security work matters requiring overall coordination. **Article 12.** Banking and insurance institutions shall, in accordance with the principle of "whoever administers the business administers the business data, and whoever administers the business data administers the data security," clarify the data security management responsibilities of each business area, and implement data security protection management requirements. **Article 13.** The risk management, internal control and compliance, and audit departments of banking and insurance institutions shall be responsible for incorporating data security into the comprehensive risk management system and the internal control evaluation system, regularly carrying out audits, supervision and inspection, and evaluation, and urging the rectification of problems and carrying out accountability. **Article 14.** The information technology department of a banking or insurance institution shall be the department primarily responsible for the technical protection of data security. Its main responsibilities include: (I) establishing a data security technical protection system, establishing a data security technical architecture and protection control baseline, and implementing technical protection measures. (II) formulating data security technical standards, norms and systems, and organizing data security technical risk assessment. (III) organizing the lifecycle security management of information systems, ensuring that data security protection measures are implemented in the requirements, development, testing, production launch, monitoring and other stages. (IV) establishing a data security technical emergency management mechanism, and organizing the carrying out of technical monitoring, early warning, notification and disposal of data security risks, so as to guard against activities endangering data security such as external attacks and internal and external destruction. (V) organizing data security technology research and application. **Article 15.** Banking and insurance institutions shall establish a sound data security culture, carry out data security education and training for all staff, enhance the awareness and level of data security protection, and foster a favorable environment in which all staff jointly safeguard data security and promote development. ## Chapter 3 Data Classification and Grading **Article 16.** Banking and insurance institutions shall formulate a data classified and graded protection system, establish a data catalogue and classification and grading norms, dynamically manage and maintain the data catalogue, and adopt differentiated security protection measures. **Article 17.** Banking and insurance institutions shall carry out classified management of the data obtained and generated in the course of the institution's business and operational management, with data types including customer data, business data, operational management data, and system operation and security management data. **Article 18.** Banking and insurance institutions shall, according to the importance and degree of sensitivity of data, divide data into core data, important data and general data. Among these, general data is subdivided into sensitive data and other general data. Core data means important data that has a relatively high degree of coverage of, or reaches a relatively high degree of precision, a relatively large scale or a certain depth with respect to, a field, group or region, and that, once unlawfully used or shared, may directly affect political security, key areas of national security, the lifelines of the national economy, important aspects of people's livelihood, or major public interests. Important data means data in specific fields, of specific groups, in specific regions, or reaching a certain degree of precision and scale, that, once leaked or tampered with or damaged, may directly endanger national security, economic operation, social stability, and public health and safety. Sensitive data means data that, once leaked or tampered with or damaged, has a certain impact on economic operation, social stability or the public interest, or causes a significant impact on the organization itself or on individual citizens. Data other than the above is other general data. **Article 19.** Banking and insurance institutions shall strengthen the time-effectiveness management of data security levels, and establish a dynamic adjustment and approval mechanism; where the business attributes, degree of importance and possible degree of harm of data change, rendering the original security level no longer applicable, a timely dynamic adjustment shall be made. ## Chapter 4 Data Security Management **Article 20.** Banking and insurance institutions shall, in accordance with the requirements of national data security and development policies and according to their own development strategy, formulate a data security protection strategy. Banking and insurance institutions shall formulate data security management measures, clarify the division of management responsibilities, establish a control mechanism covering the full lifecycle of data processing, and implement protection measures. Banking and insurance institutions shall formulate detailed security management rules for external data introduction or cooperative sharing, data export and the like. **Article 21.** Banking and insurance institutions shall establish an enterprise-level data architecture, coordinate the registration and management of enterprise-wide data assets, establish a data asset map, clarify the objects of data protection on the basis of data classification and grading, and implement security management around data processing activities. **Article 22.** When a banking or insurance institution processes data at the sensitive level or above in business activities, or carries out activities that have a relatively large impact on data subjects such as entrusted processing, joint processing, transfer, public disclosure or sharing of data, it shall conduct a data security assessment in advance. The data security assessment shall, according to the purpose, nature and scope of data processing and in accordance with the requirements of laws and regulations and ethical and moral norms, analyze the data security risks and the impact on the rights and interests of data subjects, assess the necessity and compliance of the data processing, and assess the data security risks and the effectiveness of the prevention and control measures. **Article 23.** Banking and insurance institutions shall establish an enterprise-level data service management system, formulate data service norms, establish a dedicated data service team, coordinate internal and external data processing and analysis, and implement activities such as data service requirement analysis, service development, service deployment and service monitoring. **Article 24.** Banking and insurance institutions shall, in collecting data, adhere to the principles of "lawfulness, legitimacy, necessity and good faith," clarify the purpose, methods, scope and rules of data collection and processing, and ensure the data security of the collection process and the traceability of data sources. Banking and insurance institutions shall not collect data from a data subject beyond the scope of the data subject's consent, except as otherwise provided by laws and administrative regulations. Where a banking or insurance institution collects industry data at the important level or above from another banking or insurance institution, it shall obtain the consent of the National Financial Regulatory Administration. **Article 25.** Banking and insurance institutions shall use information systems as the main channel for data collection, and restrict or reduce data collection through other channels or on a temporary basis. After a banking or insurance institution ceases a financial business or service, it shall immediately cease the relevant data collection or processing activities, except as otherwise provided by laws and administrative regulations. **Article 26.** Banking and insurance institutions shall formulate a centralized approval and management system for the procurement and cooperative introduction of external data, incorporate it into the outsourcing risk management system for overall coordination, coordinate the establishment of a management mechanism for data requirements, security assessment, collection and introduction, data operation and maintenance, registration and filing, and supervision and evaluation, investigate the authenticity and lawfulness of data sources, assess the security assurance capabilities of data providers and their data security risks, and clarify the data security responsibilities and obligations of both parties. **Article 27.** When a banking or insurance institution carries out data processing (加工) activities such as the cleaning and conversion, aggregation and integration, or analysis and mining of data at the sensitive level or above, it shall adopt anonymization, de-identification or other necessary security measures to protect the rights and interests of data subjects, except as otherwise provided by laws and administrative regulations. Where the aggregation and integration of data derives data at the sensitive level or above, or causes a change in the data security level, the security protection measures shall be promptly assessed and adjusted. **Article 28.** Banking and insurance institutions shall, in accordance with the principle of "authorization as necessary for the business," strictly implement authorization management for data at the sensitive level or above, formulate a closed-loop management mechanism for data access, and audit data access conduct. Where it is genuinely necessary to extract data from the production environment due to business needs, a strict approval procedure shall be established, and the data use or retention period shall be clarified. When carrying out data processing activities using information networks such as the Internet, banking and insurance institutions shall implement the system requirements of cybersecurity multi-level protection, critical information infrastructure security protection, and cryptography protection. **Article 29.** Banking and insurance institutions shall implement centralized security control over the sharing and use of data, clarify enterprise-level data sharing strategies, and assess the necessity, compliance and security of data sharing and use, as well as its conformity with ethical and moral norms. Banking and insurance institutions shall establish a "firewall" for data security isolation between the parent bank, insurance group or parent company and its subsidiary banks or subsidiaries, and adopt effective protection measures for shared data. Where a banking or insurance institution shares data at the sensitive level or above with its parent bank or group, or with its subsidiary banks or subsidiaries, it shall obtain the authorized consent of the data subject, except as otherwise provided by laws and administrative regulations. The provision of financial services to a data subject by a single subsidiary bank or subsidiary shall not be terminated or refused on the ground that the data subject refuses to consent to the sharing of sensitive data, except where the shared data is necessary for providing the product or service. **Article 30.** When entrusting the processing of data, a banking or insurance institution shall clarify the conditions, scenarios and methods for the external use and processing of the data involved. When entrusting the processing of data, it shall, by means of a contract or agreement, stipulate the purpose, term, processing method, data scope and protection measures of the entrusted processing, the data security responsibilities and obligations of both parties, and the manner in which the entrusted party shall return or delete the data, and shall record and audit the data processing activities, except for data that may be publicly disclosed externally. A banking or insurance institution shall require the entrusted party not to sub-entrust the processing of data to other entities, not to share data externally, not to process, train or misappropriate data, or otherwise process data to seek benefits beyond those agreed in the contract or agreement, without obtaining its consent. **Article 31.** Banking and insurance institutions shall incorporate the entrusted processing of data into the scope of information technology outsourcing management, and shall not, in the course of implementation, outsource information technology management responsibilities or the principal responsibility for data security; functions involving information technology strategic management, information technology risk management, information technology internal audit and other functions relating to the core competitiveness of information technology shall not be outsourced. Where the supply chain services involve the processing of data at the sensitive level or above, the banking or insurance institution shall strengthen the admission and security management of suppliers. **Article 32.** When a banking or insurance institution jointly processes data with a third-party institution, it shall, in accordance with the principle of "authorization as necessary for the business," formulate a plan and adopt effective management and technical protection measures to ensure data security, and shall, by means of a contract or agreement, clarify the data security responsibilities and obligations of both parties in the course of data processing. **Article 33.** Where a banking or insurance institution needs to transfer data due to merger, division, dissolution, being declared bankrupt or the like, it shall clarify the content of the data transfer, agree by means of an agreement, undertaking or the like that the data recipient shall fully assume the corresponding data security protection obligations, and inform the data subjects by means of an announcement or the like. The data transfer shall be carried out in a secure and reliable manner, and the transfer process shall be ensured to be traceable. **Article 34.** Where a banking or insurance institution provides data at the sensitive level or above externally, it shall obtain the consent of the data subject, except as otherwise provided by laws and administrative regulations. Except where State organs perform their duties in accordance with the law, the cross-entity flow of core data of a banking or insurance institution shall undergo risk assessment and security review in accordance with the requirements of relevant State policies. **Article 35.** Banking and insurance institutions shall establish an approval mechanism for the external public disclosure of data, study and assess the possible impact, disclose data through the institution's official channels, ensure that the data is authentic, accurate and tamper-proof, and record the approval and disclosure. Data at the sensitive level or above shall not be publicly disclosed, except as otherwise provided by laws and administrative regulations or where the authorized consent of the data subject has been obtained. **Article 36.** Where a banking or insurance institution provides, to outside the territory of the People's Republic of China, important data and personal information collected and generated in the course of operations within the territory of the People's Republic of China, it shall undertake the principal responsibility for data security and conduct a security assessment in accordance with the requirements of relevant State policies. **Article 37.** Banking and insurance institutions shall adopt technical measures to strengthen the focused protection of data at the sensitive level or above. They shall strengthen data backup, formulate a backup strategy, store backup data and production data in isolation from each other, and strictly manage the access privileges for backup data. They shall formulate a backup verification plan to ensure that the backup data is complete and effective and that the business is recoverable. **Article 38.** Banking and insurance institutions shall formulate a data destruction management system, and delete or anonymize data in accordance with relevant State and industry provisions and the agreement with the data subject. Upon the termination of entrusted data processing by a banking or insurance institution, it shall require the service provider to promptly delete the data, and adopt effective supervision measures such as on-site inspection to ensure that the data is destroyed and cannot be recovered. ## Chapter 5 Data Security Technical Protection **Article 39.** Banking and insurance institutions shall establish a data security technical protection system for diverse heterogeneous environments such as big data, cloud computing, the mobile Internet and the Internet of Things, establish a data security technical architecture, clarify data protection strategies and methods, and adopt technical measures to ensure data security. **Article 40.** Banking and insurance institutions shall incorporate data security protection into the information system development lifecycle framework, clarify security protection requirements for data at the sensitive level or above, and achieve the simultaneous planning, simultaneous construction and simultaneous use of data security protection measures and information systems. **Article 41.** Banking and insurance institutions shall incorporate data into cybersecurity multi-level protection. Banking and insurance institutions shall, according to the data security level, divide network logical security domains, establish zone-based data security protection baselines, and implement effective security controls, including content filtering, access control and security monitoring, so as to ensure that the relevant measures meet the requirements of the cybersecurity strategy and data security protection strategy for processing and storing data of the highest level. Equipment rooms and networks storing or transmitting data at the sensitive level or above shall be subject to focused protection, with physical security protection zones established, and security monitoring and auditing carried out for network boundaries and important network nodes. **Article 42.** Banking and insurance institutions shall incorporate data at the sensitive level or above into information system protection. They shall adopt effective access control management measures throughout the data lifecycle, and for data flowing and shared across different zones, shall implement security protection measures of an equivalent level. After data at the sensitive level or above from multiple sources is aggregated and concentrated, security measures shall be adopted that are strengthened or at least not lower than the protection strength of the highest-level data before concentration. **Article 43.** Banking and insurance institutions shall strictly implement the management of data at the sensitive level or above, formulate user access strategies for data, adopt effective technical measures for user authentication and access control, regulate data operation conduct, and the user's access to data shall conform to the necessary requirements for carrying out the business and match the data security level. Operations on data at the sensitive level or above shall be logged, including the operation time, user identification, type of conduct and the like; the operation logs of core data and their backup data shall be retained for not less than three years, the operation logs of important data and sensitive data and their backup data shall be retained for not less than one year, and where entrusted processing or joint processing is involved, the operation logs and their backup data shall be retained for not less than three years. Data operation conduct shall be audited regularly, with an audit cycle of no more than six months. **Article 44.** The transmission of data at the sensitive level or above by banking and insurance institutions shall adopt a secure transmission method to ensure the integrity, confidentiality and availability of the data. When data is exchanged between banking and insurance institutions, the relevant institutions participating in the data exchange shall adopt effective measures to ensure the confidentiality, integrity, accuracy, timeliness and security of the transmission and storage of the information data. **Article 45.** Banking and insurance institutions shall adopt secure storage measures for data at the sensitive level or above to guard against attacks such as ransomware and Trojan backdoors. Personal identity authentication data shall not be stored, transmitted or displayed in plaintext. Data at the sensitive level or above shall be subject to data disaster-recovery backup, with regular data recoverability verification. **Article 46.** After data at the sensitive level or above reaches the use or retention period, technical measures shall be adopted to promptly delete or destroy it, ensuring that the data cannot be recovered. Data at the sensitive level or above within terminals and mobile storage media shall be subject to technical protection measures to ensure controlled and secure access; when media are scrapped or reused, the data in their storage space shall be completely cleared and rendered unrecoverable. **Article 47.** Banking and insurance institutions shall carry out the construction of technical infrastructure for data security, support the componentization and servicization of functions such as user identity management, data anonymization, behavior monitoring, log auditing and data virtualization, so as to ensure the consistency of the implementation of security standards within information systems. **Article 48.** When developing information systems, banking and insurance institutions shall clarify the data to be processed by the system and its security level, access rules and protection requirements, and implement effective system security controls. Before a system is put into production and goes online, security testing shall be carried out to ensure that the various security requirements are implemented and to effectively guard against data security risks. The testing environment shall be isolated from the production system, and data at the sensitive level or above shall in principle not enter the testing environment without de-identification, so as to prevent data leakage. **Article 49.** Banking and insurance institutions shall adopt measures such as high-availability design, security hardening and data backup for focused protection of big-data platforms. They shall establish an access authorization mechanism for big-data services, and dynamically monitor and audit big-data access conduct. **Article 50.** When banking and insurance institutions carry out activities such as automated decision-making analysis, model and algorithm development, and data labeling, they shall ensure the transparency of data processing and the fairness and reasonableness of the results. Banking and insurance institutions shall carry out unified management of the development and application of artificial intelligence models, establish an admission mechanism for the external introduction of model and algorithm products, proactively manage the model research-and-development process, and achieve that models and algorithms are verifiable, auditable and traceable. **Article 51.** Before the information systems, models and algorithms of a banking or insurance institution are put into use, a data security review shall be carried out to review the reasonableness, legitimacy and interpretability of the use of the data and the models, as well as the impact of data utilization on the lawful rights and interests of the relevant subjects, the ethical and moral risks, and the effectiveness of the prevention and control measures. **Article 52.** When banking and insurance institutions use artificial intelligence technology to carry out business, they shall explain and disclose the impact of data on decision-making results, monitor in real time the automated processing and system operation results, and establish risk mitigation measures for artificial intelligence applications, including formulating alternative plans for withdrawing from artificial intelligence applications, and formulating contingency plans for security threats and conducting drills. **Article 53.** When constructing open banking, financial ecosystems, or cooperating with third-party data, banking and insurance institutions shall achieve security risk isolation between themselves and the outside, and data interaction with external institutions shall be implemented through a centrally managed external connection platform or application programming interfaces (APIs); in accordance with the principle of "necessary for the business, least privilege," effective measures shall be adopted for centralized security protection management of the design, development, service and operation of interfaces. ## Chapter 6 Personal Information Protection **Article 54.** Banking and insurance institutions shall process personal information in accordance with the principle of "clear notification and authorized consent," except as otherwise provided by laws and administrative regulations, and shall implement the relevant functional controls in information systems. **Article 55.** Banking and insurance institutions shall process personal information for explicit and reasonable purposes, which shall be directly related to the purpose of processing; the collection of personal information shall be limited to the minimum scope for achieving the purpose of financial business processing, and personal information shall not be excessively collected. The collected personal information shall not be used to engage in unlawful or non-compliant activities. **Article 56.** Before processing personal information, banking and insurance institutions shall truthfully, accurately and completely inform the individual of the purpose of processing his or her personal information, the processing method, the categories of personal information processed, the retention period, the procedures for accepting and handling the individual's applications to exercise his or her information rights, and other matters that shall be notified as provided by laws and regulations. Banking and insurance institutions shall formulate personal information processing rules, which shall be publicly displayed, easily accessible, explicit in content, and clear and easy to understand. **Article 57.** Banking and insurance institutions shall not refuse to provide products or services on the ground that an individual does not consent to the processing of his or her personal information or withdraws consent, except where the processing of personal information is necessary for providing the product or service. **Article 58.** When carrying out personal information processing activities that have a significant impact on the rights and interests of individuals, banking and insurance institutions shall conduct a personal information protection impact assessment, the content of which includes the lawfulness and necessity of the personal information processing, the impact on the rights and interests of individuals and the security risks, and the lawfulness and effectiveness of the protection measures adopted and whether they are commensurate with the degree of risk. The personal information protection impact assessment report and the processing records shall be retained for at least three years. **Article 59.** Where a banking or insurance institution shares personal information with its parent bank, group, or its subsidiary banks or subsidiaries, and provides personal information externally, it shall perform the obligations of informing the individual and obtaining his or her consent and other relevant matters. **Article 60.** Where a banking or insurance institution provides personal information to outside the territory of the People's Republic of China, in addition to satisfying the requirements of Articles 36 and 59, it shall also inform the individual of the means and procedures for exercising his or her information rights against the overseas recipient and other matters, except as otherwise provided by laws and administrative regulations. **Article 61.** Where a banking or insurance institution entrusts a third party to process personal information, it shall clarify, in the terms of the contract or agreement, the entrusted party's personal information protection obligations, protection measures and term, and shall strictly supervise the entrusted party's processing of personal information for the agreed processing purpose, processing method and the like; the transmission of personal sensitive data with the third party must ensure security and guard against the risks of data abuse and leakage. The entrusted party shall not sub-entrust the processing of personal information to others without the consent of the banking or insurance institution. **Article 62.** When designing algorithms, selecting training data and generating models, banking and insurance institutions shall adopt effective measures to safeguard the lawful rights and interests of individuals. Where personal information is used for automated decision-making, the transparency of the decision-making and the fairness and impartiality of the results shall be ensured. **Article 63.** Where personal information leakage, tampering or loss occurs or may occur, the banking or insurance institution shall immediately take remedial measures, and at the same time notify the individual and report to the National Financial Regulatory Administration or its dispatched office. The notification shall include the following matters: (I) the categories of information, the causes, and the possible harm of the personal information leakage, tampering or loss that has occurred or may occur; (II) the remedial measures taken by the banking or insurance institution and the measures the individual may take to mitigate the harm. Where the measures taken by the banking or insurance institution can effectively avoid the harm caused by the information leakage, tampering or loss, the individual need not be notified; where the regulatory authority considers that harm may be caused, it shall have the right to require the banking or insurance institution to notify the individual. ## Chapter 7 Data Security Risk Monitoring and Disposal **Article 64.** Banking and insurance institutions shall incorporate data security risks into the institution's comprehensive risk management system, clarify the organizational structure and management procedures for data security risk monitoring, risk assessment, emergency response and reporting, and incident disposal, and effectively guard against and dispose of data security risks. **Article 65.** Banking and insurance institutions shall effectively monitor data security threats, implement supervision and inspection, proactively assess risks, and prevent the occurrence of security incidents such as the tampering, destruction, leakage or unlawful utilization of data. The monitoring content includes: (I) out-of-scope authorization or the use of system privileged accounts; (II) abnormal access to or use of data by internal personnel; (III) cybersecurity and data security threats to systems or platforms for the concentrated sharing of data; (IV) abnormal flow of data at the sensitive level or above across different zones; (V) abnormal use of mobile storage media; (VI) abnormal data processing or data leakage, loss or tampering in outsourcing or third-party cooperation; (VII) customer complaints relating to data security; (VIII) negative public opinion such as data leakage and counterfeit fraud; (IX) other situations that may lead to the occurrence of a data security incident. **Article 66.** Banking and insurance institutions shall conduct a data security risk assessment once a year. The audit department shall conduct a comprehensive data security audit at least once every three years, and shall conduct a special audit after a major data security incident occurs. When a banking or insurance institution entrusts a professional institution to conduct a data security audit, it shall not use the products and other services provided by that institution. **Article 67.** A data security incident means an incident in which the data of a banking or insurance institution is tampered with, leaked, destroyed, unlawfully acquired or unlawfully utilized, causing a negative impact on the lawful rights and interests of individuals or organizations, industry security or national security. According to its scope and degree of impact, it is divided into four incident levels: particularly major, major, relatively major and general. **Article 68.** Banking and insurance institutions shall establish a data security incident emergency management mechanism, an internal coordination and linkage mechanism, and a reporting mechanism for data security incidents of service providers and third-party cooperating institutions, and promptly dispose of risk hazards and security incidents. (I) formulating a data security incident contingency plan, and regularly carrying out emergency response training and emergency drills. (II) upon the occurrence of a data security incident, immediately activating emergency disposal, analyzing the cause of the incident, assessing the impact of the incident, carrying out incident grading, and promptly adopting business, technical and other measures in accordance with the plan to control the situation. (III) establishing a data security incident reporting mechanism, formulating reporting procedures according to the security level of the incident, reporting in accordance with provisions when a data security incident occurs, and at the same time performing the obligation to notify customers and cooperating parties in accordance with the relevant stipulations of contracts and agreements. (IV) upon the occurrence of a data security incident, or where there is a security defect or vulnerability in the network products and services used, immediately carrying out investigation and assessment, promptly taking remedial measures, and preventing the harm from expanding. Where a network product or service provider conceals and fails to report a security defect or vulnerability, the banking or insurance institution shall order it to make corrections; where it fails to rectify as required or causes serious consequences, the institution shall cancel its service qualification, impose a penalty in accordance with the contract, and report to the National Financial Regulatory Administration or its dispatched office. **Article 69.** Within 2 hours of the occurrence of a data security incident, the banking or insurance institution shall report to the National Financial Regulatory Administration or its dispatched office, and shall submit a formal written report within 24 hours after the occurrence of the incident. Where a particularly major data security incident occurs, the banking or insurance institution shall immediately take disposal measures, promptly notify users in accordance with provisions, and report to the National Financial Regulatory Administration or its dispatched office and the local public security organ. The banking or insurance institution shall report the disposal progress every 2 hours until the disposal is concluded. After the disposal of the data security incident is concluded, the banking or insurance institution shall, within five working days, submit a report on the assessment, summary and improvement of the incident and its disposal to the National Financial Regulatory Administration or its dispatched office. Where other laws and administrative regulations make provisions on the emergency disposal of data security incidents, the banking or insurance institution shall comply with them. ## Chapter 8 Supervision and Administration **Article 70.** The National Financial Regulatory Administration and its dispatched offices shall supervise and administer the data security protection of banking and insurance institutions, carry out off-site supervision and on-site inspection, incorporate the data security management situation into the regulatory rating and evaluation system, lawfully impose penalties and disposals for data security incidents of banking and insurance institutions, and implement continuous supervision of data security management. **Article 71.** The National Financial Regulatory Administration shall, in accordance with the national data classification and grading requirements, formulate the catalogue of important data for the banking and insurance industries, put forward recommendations for the catalogue of core data, and supervise and guide banking and insurance institutions in carrying out data classification and grading management and data protection. Banking and insurance institutions shall, as required, submit the catalogue of important data to the National Financial Regulatory Administration or its dispatched office. Where the catalogue of important data undergoes a major change, the updated data catalogue shall be promptly filed. **Article 72.** The National Financial Regulatory Administration shall establish a mechanism for data security monitoring and early warning and notification and disposal for the banking and insurance industries, continuously monitor data security risks, issue risk alerts to the industry, formulate data security incident contingency plans for the banking and insurance industries, and dispose of data security risk incidents. It shall establish a joint prevention and control management mechanism with the national data security administration department, implementing data security information sharing, risk monitoring and early warning, and data security incident disposal. **Article 73.** For the sharing, entrusted processing, assignment and transaction, or transfer of data involving batches of data at the sensitive level or above, the banking or insurance institution shall report to the National Financial Regulatory Administration or its dispatched office twenty working days before the processing or the signing of the contract, except as otherwise provided by laws and administrative regulations. **Article 74.** Banking and insurance institutions shall, before January 15 each year, submit to the National Financial Regulatory Administration or its dispatched office the data security risk assessment report for the previous year, the content of which includes data security governance, technical protection, data security risk monitoring and disposal measures, data security incidents and disposal, entrusted and joint processing, data export, data security assessment and review, and complaints relating to data security and their handling. **Article 75.** The National Financial Regulatory Administration and its dispatched offices shall conduct on-site inspections and incident investigations of the data security protection of banking and insurance institutions, and shall lawfully carry out investigations of the relevant units and individuals where matters suspected of being unlawful or non-compliant are discovered. On-site inspections and incident investigations may be assisted by relevant national or industry professional technical institutions or audit institutions upon entrustment. **Article 76.** Where a banking or insurance institution violates the requirements of these Measures, the National Financial Regulatory Administration or its dispatched office shall, according to the circumstances of the violation, lawfully adopt regulatory measures against the banking or insurance institution such as risk alerts, regulatory talks, regulatory notifications and orders to make corrections; order the suspension or termination of services for systems or applications involving non-compliant processing conduct; and impose industry notifications on third-party institutions involving major unlawful or non-compliant circumstances, the late reporting or concealment of data security incidents and cases, or the generation of major data security risks, incidents or cases, and order the banking or insurance institution to suspend or cease cooperation. **Article 77.** Where a banking-sector financial institution violates the requirements of these Measures, the National Financial Regulatory Administration and its dispatched offices may, in accordance with the relevant provisions of the Law of the People's Republic of China on Banking Regulation and Supervision, order the banking-sector financial institution to make corrections, and impose a fine of not less than RMB 200,000 but not more than RMB 500,000; where the circumstances are particularly serious or corrections are not made within the time limit, they may order it to suspend business for rectification or revoke its operating permit. According to the circumstances of the violation, they may order the banking-sector financial institution to impose disciplinary sanctions on the directly responsible directors, senior management and other directly liable persons; where the conduct of the banking-sector financial institution does not yet constitute a crime, they shall give a warning to the directly responsible directors, senior management and other directly liable persons and impose a fine of not less than RMB 50,000 but not more than RMB 500,000; cancel the qualifications of the directly responsible directors and senior management to hold office for a certain period up to life; and prohibit the directly responsible directors, senior management and other directly liable persons from engaging in banking-sector work for a certain period up to life. Where a crime is constituted, criminal liability shall be pursued in accordance with the law. Where an insurance-sector financial institution violates the requirements of these Measures, the National Financial Regulatory Administration and its dispatched offices may, in accordance with the relevant provisions of the Insurance Law of the People's Republic of China, order the insurance-sector financial institution to make corrections, and impose a fine of not less than RMB 50,000 but not more than RMB 300,000; where the circumstances are serious, restrict its business scope, order it to cease accepting new business, or revoke its business permit. According to the circumstances of the violation, they shall give a warning to the directly responsible persons-in-charge and other directly liable persons, and impose a fine of not less than RMB 10,000 but not more than RMB 100,000; where the circumstances are serious, revoke their qualifications to hold office. Where a crime is constituted, criminal liability shall be pursued in accordance with the law. Where the Law of the People's Republic of China on Banking Regulation and Supervision or the Insurance Law of the People's Republic of China is revised during implementation, the revised provisions shall prevail. **Article 78.** Industry associations and organizations such as the China Banking Association and the Insurance Association of China shall, by means of publicity, training, self-discipline, coordination and service, assist and guide member units in enhancing their data security management level. ## Chapter 9 Supplementary Provisions **Article 79.** These Measures shall be interpreted and revised by the National Financial Regulatory Administration. **Article 80.** Other banking-sector financial institutions, insurance-sector financial institutions, financial holding companies, and units administered by the Administration that are established upon the approval of the National Financial Regulatory Administration shall apply these Measures by reference. Financial organizations established upon the approval of local financial administration departments shall apply these Measures by reference. **Article 81.** These Measures shall come into force as of the date of promulgation, and the Data Security Measures for Banking and Insurance Institutions (Yin Bao Jian Ban Fa [2022] No. 118) shall be repealed at the same time. --- ## Appendix: Data Security Incident Grading ### 1. Particularly Major Data Security Incidents 1. Core data is leaked, destroyed, or unlawfully acquired or unlawfully utilized. 2. Important data is leaked, destroyed, or unlawfully acquired or unlawfully utilized, causing a particularly serious impact on the order of economic operation in 2 or more provincial-level regions. 3. Data at the sensitive level or above is leaked, destroyed, or unlawfully acquired or unlawfully utilized on a large scale, leading to any of the following situations: (1) causing particularly serious harm to the public interest, causing particularly major economic losses, or giving rise to a particularly major mass social incident; (2) causing a particularly serious threat to or impact on the production and operation of the core business of the banking and insurance industries, systemically important financial institutions, critical information infrastructure and the like, including causing large-scale business interruption, the loss of a large amount of processing capacity, or the large-scale paralysis of critical information infrastructure. 4. Other situations causing a particularly serious impact on national security, political security, economic and financial security, or the public interest. ### 2. Major Data Security Incidents 1. Important data is leaked, destroyed, or unlawfully acquired or unlawfully utilized, causing a major impact on the economy of a provincial-level region or affecting the security of the banking and insurance industries. 2. Data at the sensitive level or above is leaked, destroyed, or unlawfully acquired or unlawfully utilized, leading to any of the following situations: (1) causing a serious threat to or impact on the production and operation of the business or important information systems of multiple banking and insurance institutions, possibly causing regional or partial financial institutions' business interruption, information system interruption, loss of processing capacity and the like; (2) causing serious harm to the public interest, giving rise to a wide-ranging negative social impact, possibly leading to or directly causing large-scale complaints or mass social incidents; (3) causing a serious impact on the rights and interests of multiple individuals or organizations, including causing serious economic or technical losses to multiple organizations such as Party and government organs, enterprises and public institutions, and social organizations, and having a direct impact on the order of production and operation; the property safety of multiple persons being seriously endangered, or their dignity being infringed. 3. Other situations causing a serious impact on national security, economic and financial security, the public interest, or the rights and interests of individuals and organizations. ### 3. Relatively Major Data Security Incidents Data at the sensitive level or above is leaked, destroyed, or unlawfully acquired or unlawfully utilized, leading to any of the following situations: 1. causing a negative impact on an individual that cannot be eliminated or that is costly to eliminate, including the loss of the individual's property safety or the possibility of major losses, infringement of the individual's reputation and dignity, and giving rise to complaints or litigation. 2. causing a negative impact on an organization that cannot be eliminated or that is costly to eliminate, including causing or possibly causing relatively large economic or technical losses, the inability to carry out part of the business normally, and damage to reputation. 3. the banking or insurance institution itself being unable to carry out part of its business normally, or the institution's reputation being damaged; the secure and stable operation of an important information system of the banking or insurance institution being threatened or affected, possibly giving rise to a relatively major or higher-level emergency of an important information system. 4. Other situations causing a general impact on economic and financial security or the public interest, or a relatively major impact on the rights and interests of individuals and organizations. ### 4. General Data Security Incidents Data security incidents other than the above that cause a certain impact on organizations or individuals. --- ## Specification for the Application and Administration of Electronic Medical Records (Trial) - Chinese title: 电子病历应用管理规范(试行) - Abbreviation: EMR Application Specification - Hierarchy: standard - Issuing body: National Health and Family Planning Commission and State Administration of Traditional Chinese Medicine - Adopted: 2017-02-15 - Effective: 2017-04-01 - Status: effective - URL: https://datacompliancechina.com/laws/electronic-medical-records-application-specification/ - Markdown: https://datacompliancechina.com/laws/electronic-medical-records-application-specification.md - Source URL: http://www.nhc.gov.cn/yzygj/s3593/201702/22bb2525318f496f846e8566754876a1.shtml ### Summary Issued jointly by the National Health and Family Planning Commission and the State Administration of Traditional Chinese Medicine in February 2017, this Specification sets out binding requirements for how healthcare institutions create, record, amend, use, store, and seal electronic medical records (EMRs) and the information systems that support them. It mandates unique patient identifiers, role-based access controls, reliable electronic signatures, full audit trails of every write and edit operation, minimum retention periods (15 years for outpatient records, 30 years for inpatient records), and a formal sealing procedure for litigation-related EMR preservation. As the principal companion to the paper-record rules and the Electronic Signature Law, it forms the baseline data-security and access-control framework for digitized health data — making it essential reading for overseas counsel advising on China health-data processing, clinical-trial data governance, and any cross-border transfer of patient records. ### Full text **Promulgated by:** General Office of the National Health and Family Planning Commission; Office of the State Administration of Traditional Chinese Medicine. **Document No.:** 国卫办医发〔2017〕8号. **Adopted February 15, 2017. Effective April 1, 2017.** --- ## 关于印发电子病历应用管理规范(试行)的通知 国卫办医发〔2017〕8号 各省、自治区、直辖市卫生计生委、中医药管理局,新疆生产建设兵团卫生局: 为贯彻落实全国卫生与健康大会精神及深化医药卫生体制改革有关要求,规范电子病历临床使用与管理,促进电子病历有效共享,推进医疗机构信息化建设,国家卫生计生委、国家中医药管理局组织制定了《电子病历应用管理规范(试行)》。现印发给你们,请遵照执行。 国家卫生计生委办公厅 国家中医药管理局办公室 2017年2月15日 --- ## 电子病历应用管理规范(试行) ### 第一章 总则 **Article 1.** These Specifications are formulated in accordance with the Law of the People's Republic of China on Licensed Physicians, the Electronic Signature Law of the People's Republic of China, the Regulations on the Administration of Medical Institutions, and other laws and regulations, in order to regulate the application and administration of electronic medical records (including traditional Chinese medicine electronic medical records; the same applies below) in healthcare institutions, to meet the needs of clinical work, to safeguard the quality of and safety in medical care, and to protect the lawful rights and interests of both medical personnel and patients. **Article 2.** These Specifications apply to healthcare institutions that implement electronic medical records, with respect to the creation, recording, modification, use, storage, and administration of their electronic medical records. **Article 3.** An electronic medical record refers to a form of medical record in which medical personnel, in the course of medical activities, use information systems to generate digitized information such as text, symbols, charts, graphics, numbers, and images, which can be stored, administered, transmitted, and reproduced. Electronic medical records include outpatient (emergency) records and inpatient records. **Article 4.** An electronic medical record system refers to a computer information system within a healthcare institution that supports the collection, storage, and access of electronic medical record information and provides online assistance, and that offers information-processing and intelligent service functions oriented toward improving the quality of medical care, safeguarding the safety of medical care, and enhancing the efficiency of medical care. **Article 5.** The National Health and Family Planning Commission and the State Administration of Traditional Chinese Medicine are responsible for providing guidance on the nationwide application and administration of electronic medical records. Local health and family planning administrative authorities at all levels (including traditional Chinese medicine administration departments) are responsible for supervising and administering the application of electronic medical records within their respective administrative regions. ### 第二章 电子病历的基本要求 **Article 6.** A healthcare institution applying electronic medical records shall meet the following conditions: (1) it possesses dedicated technical support departments and personnel responsible for the construction, operation, and maintenance of electronic medical record-related information systems, and possesses dedicated administration departments and personnel responsible for the business supervision of electronic medical records; (2) it has established and improved the relevant rules and procedures for the use of electronic medical records; (3) it possesses a security administration system and security safeguard mechanism for electronic medical records; (4) it possesses the capability to trace creation, modification, and archiving operations on electronic medical records; and (5) it meets other conditions prescribed by relevant laws, regulations, normative documents, and the provincial-level health and family planning administrative authorities. **Article 7.** The Provisions on the Administration of Medical Records of Healthcare Institutions (2013 Edition), the Basic Norms for Medical Record Writing, and the Basic Norms for Traditional Chinese Medicine Medical Record Writing apply to the administration of electronic medical records. **Article 8.** The terminology, coding, templates, and data used in electronic medical records shall comply with the requirements of relevant industry standards and specifications. On the premise of safeguarding information security, the effective sharing of electronic medical record information shall be promoted. **Article 9.** An electronic medical record system shall provide operating personnel with exclusive identity credentials and identification means, and shall set corresponding access rights. Operating personnel shall be responsible for the use of their own identity credentials. **Article 10.** Healthcare institutions with the necessary capabilities may use electronic signatures in their electronic medical record systems for identity authentication. A reliable electronic signature shall have the same legal effect as a handwritten signature or seal. **Article 11.** An electronic medical record system shall use an authoritative and reliable time source. ### 第三章 电子病历的书写与存储 **Article 12.** Healthcare institutions using electronic medical record systems for medical record writing shall follow the principles of being objective, truthful, accurate, timely, complete, and standardized. The content of outpatient (emergency) medical record writing includes: the outpatient (emergency) medical record cover page, medical record entries, laboratory reports, medical imaging examination materials, and the like. The content of inpatient medical record writing includes: the inpatient case summary cover page, admission records, progress notes, surgical consent forms, anesthesia consent forms, blood transfusion treatment informed consent forms, special examination (special treatment) consent forms, critical illness (serious condition) notification forms, physician order sheets, supplementary examination report forms, temperature charts, medical imaging examination reports, pathology report forms, and the like. **Article 13.** A healthcare institution shall assign a unique patient identifier to each patient's electronic medical record so as to ensure the authenticity, consistency, continuity, and completeness of the patient's basic information and medical records. **Article 14.** An electronic medical record system shall identify operating personnel and shall preserve imprints of all previous operations, marking the time of each operation and the information of the operating personnel, and shall ensure that all previous operation imprints, marked operation times, and operating personnel information are queryable and traceable. **Article 15.** After medical personnel log in to the electronic medical record system using their identity credentials to complete writing, reviewing, or modifying operations, and confirm such operations, the system shall display the name of the medical personnel and the time of completion. **Article 16.** An electronic medical record system shall set out the authority and time limits for medical personnel to write, review, and modify records. Medical records entered by probationary medical personnel or medical personnel in their trial-employment period shall be reviewed, modified, and confirmed by senior medical personnel who hold practice qualifications at the healthcare institution. When senior medical personnel review, modify, and confirm the content of electronic medical records, the electronic medical record system shall perform identity identification, preserve imprints of all previous operations, and mark accurate operation times and operating personnel information. **Article 17.** Electronic medical records shall be set to an archiving status. Healthcare institutions shall, in accordance with relevant regulations on medical record administration, convert electronic medical records to archived status at an appropriate time after a patient concludes an outpatient (emergency) visit or is discharged from hospital. In principle, electronic medical records shall not be modified after archiving; in special circumstances where modification is genuinely necessary, the modification shall be carried out upon approval by the medical affairs department of the healthcare institution, and traces of the modification shall be retained. **Article 18.** Where necessary for archiving purposes, a healthcare institution may print out electronic medical records and combine them with non-electronic materials to form a case file for preservation. Healthcare institutions with the necessary capabilities may digitally collect non-electronic materials such as informed consent forms and implantable material barcodes and incorporate them into the electronic medical record system for administration; the originals shall be separately preserved in a proper manner. **Article 19.** Where outpatient (emergency) electronic medical records are kept by the healthcare institution, the retention period shall be no less than 15 years from the date of the patient's last visit; the retention period for inpatient electronic medical records shall be no less than 30 years from the date of the patient's last discharge. ### 第四章 电子病历的使用 **Article 20.** An electronic medical record system shall set access rights for viewing medical records, and shall ensure that medical personnel's need to view medical records is met, and that the patient's electronic medical record materials can be promptly provided in full. Electronic medical records as presented shall display the patient's personal information, diagnosis and treatment records, the time of recording, and the names of the recording personnel and their supervising reviewers. **Article 21.** A healthcare institution shall provide copying services for electronic medical records to applicants. A healthcare institution may provide electronic or printed copies of medical records. Copied electronic medical record documents shall be independently readable; printed paper copies of electronic medical records shall be stamped with the healthcare institution's special seal for medical record administration. **Article 22.** Healthcare institutions with the necessary capabilities may provide patients with copying services for electronic materials such as medical imaging examination images, surgical recordings, and interventional procedure recordings. ### 第五章 电子病历的封存 **Article 23.** Where electronic medical records need to be sealed in accordance with law, the electronic medical records shall be jointly confirmed and then copied and sealed in the joint presence of the healthcare institution or its authorized representative and the patient or the patient's representative. The sealed copy of the electronic medical records may be in electronic form; alternatively, a printout of the paper version may be photocopied, stamped with the medical records administration seal, and then sealed. **Article 24.** Sealed copies of electronic medical records shall meet the following technical conditions and requirements: (1) they are stored on independent and reliable storage media, and jointly signed and sealed by both the medical and patient parties or their respective representatives; (2) they can be read within the original system but cannot be modified; (3) operation imprints, operation times, and operating personnel information are queryable and traceable; and (4) other conditions and requirements prescribed by relevant laws, regulations, normative documents, and provincial-level health and family planning administrative authorities. **Article 25.** After sealing, the original electronic medical records may continue to be used. Where electronic medical records have not yet been completed and need to be sealed, the completed portions of the electronic medical records may be sealed first; once medical personnel have completed the remaining portions in accordance with the regulations, the newly completed portions shall then be sealed. ### 第六章 附则 **Article 26.** The "electronic signatures" referred to in these Specifications are those defined in Article 2 of the Electronic Signature Law, namely data contained in or attached to a data message in electronic form that is used to identify the signatory and to indicate the signatory's approval of the content thereof. A "reliable electronic signature" refers to an electronic signature meeting the relevant conditions set out in Article 13 of the Electronic Signature Law. **Article 27.** The "electronic medical record operating personnel" referred to in these Specifications include: medical personnel who use the electronic medical record system; technical personnel who maintain and administer the electronic medical record information system; and administrative management personnel who implement quality supervision of electronic medical records. **Article 28.** The "writing of electronic medical records" referred to in these Specifications refers to the act of medical personnel using the electronic medical record system to compile, analyze, and organize information obtained from medical activities such as inquiry, physical examination, supplementary examinations, diagnosis, treatment, and nursing care, so as to form a record of medical activities. **Article 29.** Provincial-level health and family planning administrative authorities may formulate implementing rules in accordance with these Specifications. **Article 30.** The Basic Norms for Electronic Medical Records (Trial) (Wei Yi Zheng Fa [2010] No. 24) and the Basic Norms for Traditional Chinese Medicine Electronic Medical Records (Trial) (Guo Zhong Yi Yao Fa [2010] No. 18) are hereby simultaneously repealed. **Article 31.** These Specifications shall come into force on April 1, 2017. --- ## Notice on Further Strengthening the Administration of the Use of Electronic Medical Record Information by Medical Institutions - Chinese title: 关于进一步加强医疗机构电子病历信息使用管理的通知 - Abbreviation: EMR Information Use Notice - Hierarchy: rule - Issuing body: General Office of the National Health Commission, General Office of the National Administration of Traditional Chinese Medicine, and General Office of the National Disease Control and Prevention Administration - Adopted: 2025-06-23 - Effective: 2025-06-23 - Status: effective - URL: https://datacompliancechina.com/laws/emr-information-use-management-notice/ - Markdown: https://datacompliancechina.com/laws/emr-information-use-management-notice.md - Source URL: https://www.nhc.gov.cn/yzygj/c100068/202506/c68abee7c54b4651a774cd533761780b.shtml ### Summary Issued jointly on 23 June 2025 by the General Offices of the NHC, NATCM, and NDCPA (Document No. 国卫办医政函〔2025〕262号), this notice tightens the rules under which hospitals and other medical institutions may access, copy, and share electronic medical records (EMRs), embedding the PIPL purpose-limitation and minimum-necessary principles into the clinical records environment for the first time at this regulatory level. Key obligations include graded and role-based access controls, full end-to-end audit trails (with digital-watermark support), strict restrictions on secondary use for research or commercial purposes, mandatory confidentiality and authorization agreements with external IT vendors, and a requirement to freeze access to records when a patient becomes the subject of public-controversy media coverage. Provincial health authorities must incorporate EMR-information compliance into hospital accreditation reviews and smart-hospital evaluations, creating a direct enforcement lever for overseas counsel advising multinationals that process Chinese patient data for clinical trials, real-world evidence studies, or health-tech product development. ### Full text **Promulgated by:** General Office of the National Health Commission; General Office of the National Administration of Traditional Chinese Medicine; General Office of the National Disease Control and Prevention Administration. **Document No.:** 国卫办医政函〔2025〕262号. **Issued and effective: 23 June 2025.** --- 国卫办医政函〔2025〕262号 各省、自治区、直辖市及新疆生产建设兵团卫生健康委、中医药局、疾控局: 按照《中华人民共和国基本医疗卫生与健康促进法》《中华人民共和国医师法》《医疗机构管理条例》及其实施细则等法律法规和部门规章规定,进一步落实医疗质量安全核心制度、医疗机构病历管理规定、电子病历系统功能和应用管理规范、医疗卫生机构网络安全管理办法等有关要求,现就进一步加强医疗机构电子病历信息使用管理工作通知如下: **一、加强医疗机构内部管理** **(一)明确电子病历范围。**电子病历是病历的一种记录形式,指医务人员在医疗活动过程中,使用信息系统生成的文字、符号、图表、图形、数字、影像等数字化信息,并能实现存储、管理、传输和重现的医疗记录,包括门(急)诊病历和住院病历。 **(二)压实医疗机构主体责任。**医疗机构对本单位电子病历信息使用管理承担主体责任,要依法依规严格保护患者隐私,不得以非医疗、教学、研究目的泄露患者的病历信息。医疗机构应明确电子病历信息使用管理的牵头部门,确定各相关部门和人员的职责分工,统筹协调医务、科教、信息等相关部门落实管理责任,指导临床业务部门落实使用主体责任。医疗机构要强化纪检部门的监督职能,加强对电子病历信息使用权限滥用、信息泄露等行为的监管。要将电子病历信息规范使用管理情况纳入行政管理人员和医务人员绩效评价,出现违规操作、泄露信息等不良事件,要依法依规追究相应部门和个人责任。 **(三)健全医疗机构管理制度。**医疗机构应当完善电子病历信息系统分级管理制度,规范电子病历的建立、记录、修改、保存、传输等各环节工作流程,以及使用、管理的权限范围。建立电子病历信息使用长效监管机制,预防并及时处置不合理调阅、使用、转发电子病历信息等情形,确保电子病历信息使用合法合规、安全可控。建立应急处置制度,建立健全电子病历信息泄露场景的处置流程。 **(四)落实分级管理要求。**医疗机构应当根据电子病历信息的重要程度、敏感级别、使用场景等具体情况,严格实施分级分类访问控制与权限管理。遵循最小可用原则,按照岗位职责、角色任务、使用需求等,明确临床诊疗、教学、管理等相关人员分级访问权限和时限,严禁未经授权查阅、复制、传播或篡改病历信息。发生就医诊疗相关舆情时,要立即封存涉及人员的相关信息,无关人员不得访问浏览记录转发。 **二、规范电子病历信息使用** **(一)规范相关人员使用权限和行为。**医疗机构应当为电子病历系统操作人员提供专有的身份标识和识别手段,并设置相应权限。明确操作人员对本人身份标识的使用负责,不得违规收集、使用、传输、透露、买卖患者病历信息或通过网络渠道传播。医疗机构从业人员均应妥善保管个人身份识别介质,依权限规范使用电子病历信息,并由医疗机构根据工作岗位和工作内容定期更新调整其使用权限和时限。参与见习实习和培养培训的学生、进修医生等短期工作人员,需接受医疗机构组织的相关培训,依权限在教学学习活动中规范使用电子病历信息,其使用权限和时限不得超过培训进修学习范围和时长。医疗机构应当与提供信息系统维护和数据分析服务等业务的外部服务商签订严格的保密协议和授权协议,明确其访问电子病历系统的范围、目的和期限,并在服务过程中接受医疗机构监督,确保数据安全。 **(二)保障全流程可追溯。**医疗机构要确保电子病历系统历次操作痕迹、操作时间和操作人员等信息可查询、可追溯。支持通过数字水印等技术手段,确保使用过程留痕。医疗机构共享电子病历信息时,应有严格的授权机制和审批流程,确保信息的安全性和防篡改性。医疗机构接收外单位提供的电子病历信息时,应对信息来源的合法性、完整性、安全性进行验证,并参照内部管理要求建立详细的接收、存储、使用记录,实现数据流向可追溯。 **(三)确保数据安全。**医疗机构要按照《中华人民共和国网络安全法》《中华人民共和国数据安全法》《中华人民共和国电子签名法》等法律法规规定,强化数据安全管理。建立电子病历信息安全防护体系,充分利用信息化手段监测电子病历信息使用情况。定期开展安全评估,对异常访问或未经授权的操作及时发出警报并通知上级管理人员,有效防范潜在安全风险。 **三、强化卫生健康行政部门监管** 地方各级卫生健康行政部门(含中医药、疾控部门,下同)要加强对医疗机构规范使用电子病历信息的指导和监管,定期监测评估。各省级卫生健康行政部门要将医疗机构规范使用电子病历信息情况作为医院评审、医院巡查、智慧医院建设等相关工作重要评估依据。各办医主体单位组织推进落实。 国家卫生健康委办公厅 国家中医药局综合司 国家疾控局综合司 2025年6月23日 --- **Notice on Further Strengthening the Administration of the Use of Electronic Medical Record Information by Medical Institutions** Document No. 国卫办医政函〔2025〕262号 To the health commissions, traditional Chinese medicine authorities, and disease control authorities of all provinces, autonomous regions, municipalities directly under the Central Government, and the Xinjiang Production and Construction Corps: In accordance with the Law of the People's Republic of China on Basic Medical and Health Care and Health Promotion, the Law of the People's Republic of China on Physicians, the Regulations on the Administration of Medical Institutions and their implementing rules, and other laws, administrative regulations, and departmental rules, and in order to further implement requirements set out in the core systems for medical quality and safety, the Provisions on the Administration of Medical Records by Medical Institutions, the Specifications for the Functions and Application Management of Electronic Medical Record Systems, and the Measures for the Administration of Network Security of Medical and Health Institutions, the following notice is hereby issued regarding further strengthening the administration of the use of electronic medical record information by medical institutions: **I. Strengthening Internal Administration by Medical Institutions** **(i) Clarifying the scope of electronic medical records.** An electronic medical record (EMR) is one form of medical record. It refers to the digitised information — including text, symbols, charts, graphics, numerical data, and images — generated by medical personnel using information systems in the course of medical activities, and which can be stored, managed, transmitted, and reproduced. EMRs include both outpatient (emergency) medical records and inpatient medical records. **(ii) Consolidating the primary responsibility of medical institutions.** A medical institution bears primary responsibility for the administration of the use of EMR information within its own unit. It shall strictly protect patient privacy in accordance with laws and regulations, and shall not disclose a patient's medical record information for purposes other than medical care, teaching, or research. A medical institution shall designate a lead department for the administration of EMR information use, determine the division of responsibilities among all relevant departments and personnel, and coordinate the medical affairs, scientific education, and information departments to carry out their management responsibilities, while directing clinical business departments to fulfil their primary responsibility as users. Medical institutions shall strengthen the supervisory functions of their discipline-inspection departments and enhance oversight of conduct such as abuse of EMR information access permissions and information leaks. EMR information compliance performance shall be incorporated into the performance evaluations of administrative personnel and medical personnel; where adverse events such as unauthorized operations or information leaks occur, the responsible departments and individuals shall be held accountable in accordance with laws and regulations. **(iii) Improving management systems within medical institutions.** Medical institutions shall improve their graded management systems for EMR information systems, standardize the workflows for each stage of the creation, recording, modification, preservation, and transmission of electronic medical records, and define the scope of access and management permissions. They shall establish a long-term supervisory mechanism for EMR information use to prevent and promptly address situations involving unreasonable retrieval, use, or forwarding of EMR information, so as to ensure that EMR information use is lawful, compliant, secure, and controllable. Emergency-handling systems shall be established, and procedures for managing EMR information leak scenarios shall be developed and improved. **(iv) Implementing graded management requirements.** Medical institutions shall rigorously implement graded and classified access controls and permission management based on the importance, sensitivity level, and use scenarios of the EMR information in question. Adhering to the principle of minimum necessary use, and in accordance with job duties, role-based tasks, and usage requirements, medical institutions shall define graded access permissions and time limits for personnel involved in clinical diagnosis and treatment, teaching, and administration. Unauthorized retrieval, copying, dissemination, or tampering with medical record information is strictly prohibited. When a public-controversy media event arises involving patient treatment, the relevant information of the individuals concerned shall be immediately sealed, and unrelated personnel shall not be permitted to access, browse, or forward the records. **II. Standardizing the Use of Electronic Medical Record Information** **(i) Standardizing access permissions and conduct of relevant personnel.** Medical institutions shall provide EMR system operators with dedicated identity credentials and identification means, and shall assign corresponding access permissions. It shall be made clear that operators are personally responsible for the use of their own identity credentials, and that they shall not unlawfully collect, use, transmit, disclose, buy, or sell patient medical record information, or disseminate it through online channels. All personnel employed by medical institutions shall properly safeguard their personal identity verification media, and shall use EMR information within their authorized permissions; medical institutions shall periodically update and adjust access permissions and time limits in accordance with job positions and job content. Students, resident physicians, and other short-term workers who participate in observerships, internships, and training programmes must complete the relevant training organized by the medical institution, and shall use EMR information within their authorized permissions in the course of teaching and learning activities; their access permissions and time limits shall not exceed the scope and duration of their training or rotation. Medical institutions shall enter into strict confidentiality agreements and authorization agreements with external service providers that supply information-system maintenance, data analysis, and other services, specifying the scope, purpose, and duration of their access to the EMR system; such providers shall be subject to supervision by the medical institution throughout the course of providing services, so as to ensure data security. **(ii) Ensuring full-process traceability.** Medical institutions shall ensure that all operation records, operation timestamps, and operator information in the EMR system are queryable and traceable. The use of technical means such as digital watermarks shall be supported to ensure that a record of use is retained throughout the process. When medical institutions share EMR information, there shall be a rigorous authorization mechanism and approval workflow to ensure the security and tamper-resistance of the information. When medical institutions receive EMR information provided by external units, they shall verify the legality, completeness, and security of the information source, and shall establish detailed records of receipt, storage, and use by reference to internal management requirements, so as to achieve traceability of data flows. **(iii) Ensuring data security.** Medical institutions shall strengthen data security management in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Electronic Signature Law of the People's Republic of China, and other laws and regulations. They shall establish an information-security protection system for EMR information, and shall make full use of information-technology means to monitor the use of EMR information. Regular security assessments shall be conducted; alerts shall be issued promptly and senior management shall be notified in the event of anomalous access or unauthorized operations, so as to effectively guard against potential security risks. **III. Strengthening Supervision by Health Administrative Authorities** Local health administrative authorities at all levels (including traditional Chinese medicine and disease control departments; same below) shall strengthen guidance and oversight of medical institutions' compliant use of EMR information, and shall conduct regular monitoring and evaluations. Provincial-level health administrative authorities shall treat a medical institution's compliant use of EMR information as an important evaluation criterion in hospital accreditation reviews, hospital inspection tours, smart-hospital construction, and other related work. The entities responsible for operating medical institutions shall organize the implementation and advancement of these requirements. General Office of the National Health Commission General Office of the National Administration of Traditional Chinese Medicine General Office of the National Disease Control and Prevention Administration 23 June 2025 --- ## Emergency Response Plan for Data Security Incidents in the Field of Industry and Information Technology (Trial) - Chinese title: 工业和信息化领域数据安全事件应急预案(试行) - Hierarchy: rule - Issuing body: Ministry of Industry and Information Technology - Adopted: 2024-10-29 - Effective: 2024-11-01 - Status: effective - URL: https://datacompliancechina.com/laws/industrial-data-security-incident-emergency-plan/ - Markdown: https://datacompliancechina.com/laws/industrial-data-security-incident-emergency-plan.md ### Summary This Emergency Response Plan, issued as MIIT Cyber Security [2024] No. 214, establishes the incident-response framework for data security incidents in the industry, telecommunications and radio fields. It grades incidents into four levels (especially significant, significant, relatively significant, and general), sets out the organizational structure, monitoring and early-warning, reporting timelines, graded response measures and post-incident handling, and defines how MIIT and local industry regulators coordinate with data processors. The page below translates the issuing notice in full; the annexed plan text was distributed as a separate attachment and is summarized rather than reproduced article-by-article. ### Full text **Promulgated by:** Ministry of Industry and Information Technology. **Document No.:** MIIT Cyber Security [2024] No. 214. **Issued October 29, 2024. Effective November 1, 2024.** --- ## Issuing Notice To the industry and information technology authorities of all provinces, autonomous regions, municipalities directly under the Central Government and cities specifically designated in the State plan, and the Xinjiang Production and Construction Corps; the communications administrations of all provinces, autonomous regions and municipalities directly under the Central Government; the radio regulatory agencies of Qinghai and Ningxia; the units directly under the Ministry; the universities directly under the Ministry; and the relevant enterprises: The Emergency Response Plan for Data Security Incidents in the Field of Industry and Information Technology (Trial) is hereby issued to you. Please conscientiously comply with and implement it. Ministry of Industry and Information Technology October 29, 2024 --- ## Summary of the Emergency Response Plan > The substantive text of the Plan was distributed as a separate annex and is not reproduced here article-by-article. The following structured summary reflects the published framework of MIIT Cyber Security [2024] No. 214. **Purpose and basis.** The Plan implements the Data Security Law, the Cybersecurity Law and the MIIT Administrative Measures for Data Security in the Field of Industry and Information Technology (Trial). It is the sector-specific counterpart, for data security incidents, to the Contingency Plan for Public Internet Cybersecurity Emergencies, and is intended to improve the capacity of MIIT, local industry regulatory authorities and data processors to respond to data security incidents affecting industrial data, telecommunications data and radio data. **Scope.** The Plan applies to the prevention, monitoring, reporting, emergency response to, and post-incident handling of data security incidents in the field of industry and information technology — that is, incidents in which data is tampered with, destroyed, leaked, lost, or illegally obtained or used, causing harm to national security, the public interest, or the legitimate rights and interests of individuals and organizations. **Incident grading.** Data security incidents are classified into four grades according to the degree of harm and scope of impact: - **Especially significant (Level I)** — incidents causing especially serious harm, such as those involving core data or affecting national security and the lifeline of the national economy on a wide scale. - **Significant (Level II)** — incidents causing serious harm, typically involving important data or core data with major regional or industry-wide impact. - **Relatively significant (Level III)** — incidents causing relatively serious harm within a more limited scope. - **General (Level IV)** — incidents with a limited scope of impact and relatively minor harm. **Organizational structure.** The Plan establishes a coordinated command structure: the Ministry of Industry and Information Technology organizes and coordinates the response to incidents involving important data and core data and to especially significant and significant incidents, while local industry regulatory authorities organize the response to incidents in their respective regions. Data processors bear primary responsibility for responding to incidents affecting the data they process. **Monitoring, early warning and reporting.** Data processors must monitor data security risks, promptly investigate hidden dangers, and report incidents to the industry regulatory authority of their region. Incidents involving important data and core data must be reported to MIIT at the first opportunity, with follow-up reports on the development and disposal of the incident. Early-warning information is graded and disseminated through the channels established under the MIIT data security monitoring and early-warning mechanism. **Graded response and post-incident handling.** Upon the occurrence of an incident, the corresponding contingency measures are activated according to the incident grade; measures are taken to prevent the harm from expanding, eliminate hidden dangers, and notify affected users where their legitimate rights and interests may be harmed. After disposal is completed, the data processor forms a summary report within the prescribed period, and reports on the disposal of data security incidents to the industry regulatory authority of its region on an annual basis. Where a clue of suspected crime is discovered, the matter is reported to the public security or State security authorities and cooperation is provided in the investigation. **How it fits.** This Plan supplies the operational incident-response layer for the MIIT industrial data security regime. It works alongside the Industrial Data Security Measures (which impose the underlying full-lifecycle and reporting obligations) and the Implementing Rules for Data Security Risk Assessment (which govern the annual proactive assessment), and dovetails with the Contingency Plan for Public Internet Cybersecurity Emergencies for incidents that simultaneously constitute cybersecurity emergencies. --- ## Measures for the Administration of the Security of Regulatory Data of the China Banking and Insurance Regulatory Commission (Trial) - Chinese title: 中国银保监会监管数据安全管理办法(试行) - Hierarchy: rule - Issuing body: China Banking and Insurance Regulatory Commission - Adopted: 2020-09-23 - Effective: 2020-09-23 - Status: effective - URL: https://datacompliancechina.com/laws/cbirc-regulatory-data-security-measures/ - Markdown: https://datacompliancechina.com/laws/cbirc-regulatory-data-security-measures.md ### Summary Issued by the China Banking and Insurance Regulatory Commission (CBIRC) on September 23, 2020, these trial measures govern the security of regulatory data — the figures, indicators, reports and other information that the CBIRC lawfully collects and that is recorded, generated and stored by regulatory information systems. They establish centralized (归口) administration, prescribe rules for the collection, storage, processing, use and cross-border sharing of regulatory data, and set out requirements for entrusted service providers, supervision, and reporting of major data security incidents within 48 hours. ### Full text **Promulgated by:** China Banking and Insurance Regulatory Commission. **Document No.:** Yin Bao Jian Fa [2020] No. 43. **Issued and effective September 23, 2020.** --- ## Issuing Notice To all CBIRC local offices, all departments of the Commission, and all units administered by the Commission: In order to earnestly strengthen the administration of the security of regulatory data and guard against regulatory data security risks, this Commission has formulated the Measures for the Administration of the Security of Regulatory Data of the China Banking and Insurance Regulatory Commission (Trial), which are hereby issued for your compliance and implementation. September 23, 2020 --- # Measures for the Administration of the Security of Regulatory Data of the China Banking and Insurance Regulatory Commission (Trial) ## Chapter 1 General Provisions **Article 1.** In order to regulate the administration of the security of regulatory data of the China Banking and Insurance Regulatory Commission (CBIRC), enhance the capacity for regulatory data security protection, and guard against regulatory data security risks, these Measures are formulated in accordance with the Cybersecurity Law of the People's Republic of China, the Law of the People's Republic of China on Banking Regulation and Supervision, the Insurance Law of the People's Republic of China, the Interim Measures for the Administration of Work Secrets and other laws, regulations and relevant provisions. **Article 2.** "Regulatory data" as used in these Measures means the figures, indicators, statements, text and other various information that the CBIRC lawfully collects on a periodic basis in the course of performing its regulatory duties and that is recorded, generated and stored by regulatory information systems, or that is recognized as such by the business departments of the CBIRC. "Regulatory information systems" as used in these Measures means information systems that are developed and constructed for the purpose of meeting regulatory needs and that have functions such as data collection, processing and storage. **Article 3.** "Regulatory data security" as used in these Measures means that, in the course of activities such as the collection, processing, storage and use of regulatory data (hereinafter referred to as regulatory data activities), the regulatory data is in a state of being usable, complete and auditable, and that no leakage, tampering, damage, loss or unlawful use has occurred. **Article 4.** These Measures shall apply to regulatory data activities carried out by the CBIRC and entrusted institutions. "Entrusted institutions" as used in these Measures means enterprises and public institutions that, upon entrustment or designation by the CBIRC, provide the CBIRC with regulatory data collection, processing or storage services. **Article 5.** Regulatory data activities shall be carried out in compliance with relevant laws and administrative regulations. Any unit or individual shall keep confidential, in accordance with relevant provisions, the State secrets, work secrets, commercial secrets and personal information that it becomes aware of in the course of regulatory data activities. **Article 6.** The CBIRC shall establish and improve a coordinated management system for regulatory data security, promote the joint participation of the relevant business departments of the CBIRC, local offices at all levels, entrusted institutions and others in regulatory data security protection work, strengthen training and education, and foster a favorable environment for jointly safeguarding regulatory data security. ## Chapter 2 Work Responsibilities **Article 7.** The administration of regulatory data security shall be implemented through centralized (归口) administration, establishing a management mechanism of overall coordination with division of responsibilities. The statistics and information department of the CBIRC shall be the centralized administration department, responsible for the overall coordination of regulatory data security administration. Each business department of the CBIRC shall be responsible for the regulatory data security administration of its own department. **Article 8.** The specific responsibilities of the centralized administration department include: (I) formulating work rules and management procedures for regulatory data security; (II) formulating technical protection measures for regulatory data security; (III) organizing the implementation of regulatory data security assessments and supervision and inspection. **Article 9.** The specific responsibilities of each business department include: (I) regulating the secure use of regulatory data within the department, specifying concrete work requirements, and implementing relevant responsibilities; (II) organizing and carrying out the regulatory data security administration work of the department; (III) assisting the centralized administration department in implementing supervision and inspection of regulatory data security. ## Chapter 3 Collection, Storage and Processing of Regulatory Data **Article 10.** The collection of regulatory data shall be carried out in accordance with the principles of being secure, accurate, complete and lawful and compliant, avoiding repeated or excessive collection. **Article 11.** Regulatory data shall be transmitted through the regulatory work network or the financial private network. Where, due to objective constraints, it is necessary to transmit data through physical media, the Internet or other networks, the assessment and consent of the centralized administration department shall be obtained. **Article 12.** Regulatory data shall be stored in the equipment rooms of the CBIRC and shall have complete backup measures. Where it is genuinely necessary to store data in the equipment rooms of an entrusted institution, the assessment and consent of the centralized administration department shall be obtained. **Article 13.** The storage period and storage medium management of regulatory data shall be carried out in accordance with the relevant provisions of the State and the CBIRC. **Article 14.** The processing of regulatory data shall be carried out within the scope of regulatory work authority or the scope of entrustment. Without the consent of the centralized administration department, no unit or individual may connect code, interfaces, algorithm models, development tools or the like to regulatory information systems. **Article 15.** Activities such as the collection, transmission, storage, processing, transfer and exchange, and destruction of regulatory data, as well as its use for system development and testing, shall, in accordance with the type of regulatory data and management requirements, adopt graded and classified security technical protection measures. ## Chapter 4 Use of Regulatory Data **Article 16.** Regulatory data shall be used solely for the CBIRC's performance of its regulatory work duties. Where Party and government organs such as discipline inspection and supervision, judicial and audit organs need to use regulatory data in order to perform their work duties, the matter shall be handled in accordance with relevant provisions. **Article 17.** The use of regulatory data shall be made traceable through management and technical means. Where regulatory data is used for information system development and testing as well as external display, it shall be de-identified (脱敏). **Article 18.** The use of regulatory data that has not been publicly disclosed shall, in principle, be carried out on desktop or notebook computers and other CBIRC work machines that cannot be connected to the Internet. Where, due to objective constraints, it is necessary to use regulatory data by means such as a virtual private network, the assessment and consent of the centralized administration department shall be obtained. **Article 19.** Regulatory data downloaded due to work needs may only be stored on the CBIRC's work machines. The media carrying regulatory data shall be properly safeguarded to prevent data leakage. **Article 20.** Information such as processed data and aggregated results generated in the course of using regulatory data shall be administered for security purposes as if it were regulatory data. **Article 21.** The external disclosure of regulatory data shall be implemented by the designated business department in accordance with relevant provisions and procedures. **Article 22.** Where a business department needs, due to work needs, to provide regulatory data to a unit or individual that is not a Party or government organ, it shall fully assess the data security risks, implement the provision upon the consent of the principal person-in-charge of the department, and, where necessary, conclude a memorandum and confidentiality agreement with the counterparty and file them with the centralized administration department for the record. Where regulatory data is shared with overseas regulatory authorities or international organizations, the matter shall be administered by the international affairs department in accordance with the regulatory cooperation memoranda of understanding, cooperation agreements and other arrangements signed by the CBIRC or other relevant work arrangements. Where laws and regulations provide otherwise, such provisions shall govern. **Article 23.** Where a business department needs, due to work needs, or where an information system goes offline and ceases use of regulatory data, it shall promptly take measures to seal or destroy such data. ## Chapter 5 Administration of Entrusted Services for Regulatory Data **Article 24.** Where the collection of regulatory data by a business department involves services provided by an entrusted institution, the department shall communicate with the centralized administration department in advance and obtain its joint signature of consent. The technical service plan of the entrusted institution shall pass the security assessment of the centralized administration department. Where the technical service plan is changed, it shall be reported in advance to the centralized administration department for security assessment. Where the security assessment is not passed, entrusted services shall not be carried out and a designation relationship shall not be established. **Article 25.** An entrusted institution that provides regulatory data services for the CBIRC shall satisfy the following basic conditions: (I) it possesses the in-house research-and-development as well as operation-and-maintenance capabilities for the systems required to carry out regulatory data work; (II) it possesses the relevant information security management qualification certifications; (III) it owns proprietary equipment rooms or has signed a long-term lease contract for equipment rooms; (IV) its network and information systems possess effective security protection and stable operation measures, and it has not experienced any major cybersecurity incident within the past three years; (V) it possesses effective regulatory data security management measures and is able to ensure access to and control of the regulatory data by each department of the CBIRC; (VI) it possesses a regulatory data backup system, an emergency response organization system and a business continuity plan. **Article 26.** The CBIRC shall establish an entrusted-service relationship for regulatory data by concluding an agreement with the entrusted institution. The agreement shall specify the service items, term, security management responsibilities, grounds for termination and other content. Where the CBIRC establishes a regulatory data service relationship by means of designation, it shall issue a designation assignment letter. **Article 27.** Where, due to relevant policy adjustments, the original entrusted or designated matters no longer need to be continued, or where a major security problem is discovered in the regulatory data services of an entrusted institution, the CBIRC shall have the right to terminate the entrustment or designation relationship. Upon termination of the entrustment or designation relationship, the entrusted institution shall promptly and completely hand over the regulatory data, and shall destroy the regulatory data obtained on account of the entrusted or designated matters, and may not retain any related data backups or other content. ## Chapter 6 Supervision and Administration **Article 28.** Each business department and entrusted institution shall conduct regular self-inspections in accordance with the work rules for regulatory data security, and upon discovering risks such as regulatory data security defects or vulnerabilities, shall immediately take remedial measures. **Article 29.** The centralized administration department shall regularly carry out regulatory data security management assessment and inspection of each business department and entrusted institution. Each business department and entrusted institution shall formulate rectification measures for problems discovered in assessments and inspections, promptly carry out rectification, and submit a rectification report to the centralized administration department. **Article 30.** Where any business department or entrusted institution encounters any of the following major regulatory data security risk matters, it shall immediately take emergency response measures, promptly eliminate security hazards, prevent the harm from expanding, and report to the centralized administration department within 48 hours: (I) regulatory data is leaked or unlawfully used; (II) regulatory data is damaged or lost; (III) the information system or network carrying regulatory data suffers a systemic failure causing a service interruption of more than 4 hours; (IV) the information system or network carrying regulatory data suffers an unlawful intrusion, or experiences the large-scale spread of harmful information or computer viruses or other destruction; (V) a regulatory data security incident gives rise to public opinion concern (舆情); (VI) other major cybersecurity incidents affecting regulatory data security as enumerated in the Guidelines for the Determination of Major Cybersecurity Incidents. Where any of the above major regulatory data security risk matters occurs within a jurisdiction, the relevant CBIRC local office shall immediately take remedial measures and report to the centralized administration department of the CBIRC within 48 hours. **Article 31.** The centralized administration department shall establish a notification mechanism for regulatory data security incidents, and promptly notify regulatory data security incidents. ## Chapter 7 Supplementary Provisions **Article 32.** Classified regulatory data shall be administered in accordance with the relevant confidentiality administration provisions of the State and the CBIRC. **Article 33.** Each CBIRC local office shall undertake the responsibility for regulatory data security administration within its jurisdiction, formulate, with reference to these Measures, measures for the administration of regulatory data security within its jurisdiction, specify responsibilities and management requirements, and strengthen regulatory data security protection. **Article 34.** These Measures shall come into force as of the date of issuance. --- ## Regulation of the People's Republic of China on the Administration of Human Genetic Resources - Chinese title: 中华人民共和国人类遗传资源管理条例 - Abbreviation: HGR Regulation - Hierarchy: regulation - Issuing body: State Council - Adopted: 2019-05-28 - Effective: 2019-07-01 - Status: effective - URL: https://datacompliancechina.com/laws/hgr-regulation/ - Markdown: https://datacompliancechina.com/laws/hgr-regulation.md - Source URL: https://www.nhc.gov.cn/qjjys/rlyczygl/202503/c5373f14621e4011b6cbc932184086a2/files/1746832760945_40292.pdf ### Summary China's primary instrument governing the collection, preservation, utilization, and cross-border provision of human genetic resources (HGR), including both physical materials (organs, tissues, cells) and the data and information derived from them. Promulgated as State Council Decree No. 717 on 28 May 2019, effective 1 July 2019, and amended by the State Council Decision on Revising and Abolishing Certain Administrative Regulations dated 10 March 2024 (which transferred administrative authority from MOST to the National Health Commission). The Regulation prohibits foreign organizations, individuals, and their controlled entities from collecting or preserving China's HGR within the territory or providing it abroad, and requires Chinese-party collaboration for any international cooperative research; cross-border transfer of HGR materials and provision of HGR information to foreign parties are subject to approval, security review, and filing requirements. For overseas pharmaceutical, biotech, and clinical-research counsel this is the single most operationally significant instrument: it governs every phase of multinational clinical trials and genomic research that touches Chinese samples or data, and non-compliance carries fines of RMB 100 000–10 000 000 plus permanent debarment. ### Full text **Promulgated by:** State Council of the People's Republic of China. **Document No.:** State Council Decree No. 717 (国务院令第717号). **Adopted on May 28, 2019; promulgated on June 10, 2019. Effective July 1, 2019.** **Amended by:** Decision of the State Council on Revising and Abolishing Certain Administrative Regulations, March 10, 2024 (transferring primary administrative authority from the Ministry of Science and Technology to the National Health Commission and provincial-level health authorities). --- ## Chapter I General Provisions **Article 1.** These Regulations are formulated in order to effectively protect and rationally utilize China's human genetic resources, and to safeguard public health, national security, and the public interest of society. **Article 2.** For the purposes of these Regulations, "human genetic resources" includes human genetic resource materials and human genetic resource information. "Human genetic resource materials" means genetic materials such as organs, tissues, and cells that contain genetic substances such as the human genome and genes. "Human genetic resource information" means data and other information produced by utilizing human genetic resource materials. **Article 3.** Collection, preservation, utilization, and provision abroad of China's human genetic resources shall comply with these Regulations. The collection and preservation of bodily substances such as organs, tissues, and cells, and the conduct of related activities, required for purposes such as clinical diagnosis and treatment, blood collection and supply services, investigation and handling of illegal and criminal acts, doping testing, and funeral services, shall be carried out in accordance with the relevant laws and administrative regulations. **Article 4.** The competent health authority of the State Council is responsible for the administration of human genetic resources nationwide; other relevant departments of the State Council are responsible for the administration of relevant human genetic resources within the scope of their respective duties. The human genetic resources competent authority of the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government is responsible for the administration of human genetic resources within their respective administrative regions; other relevant departments of the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government are responsible for the administration of relevant human genetic resources within their respective administrative regions within the scope of their respective duties. **Article 5.** The State strengthens the protection of China's human genetic resources, conducts investigations of human genetic resources, and implements a declaration and registration system for human genetic resources from important genetic families and specific regions. The competent health authority of the State Council is responsible for organizing investigations of China's human genetic resources, and formulating specific measures for the declaration and registration of human genetic resources from important genetic families and specific regions. **Article 6.** The State supports the rational utilization of human genetic resources to conduct scientific research, develop the biopharmaceutical industry, and improve diagnostic and treatment technologies, so as to enhance China's biosecurity capacity and improve the level of protection of public health. **Article 7.** Foreign organizations, individuals, and institutions established or actually controlled by foreign organizations or individuals shall not collect or preserve China's human genetic resources within China's territory, nor shall they provide China's human genetic resources abroad. **Article 8.** The collection, preservation, utilization, and provision abroad of China's human genetic resources shall not endanger China's public health, national security, or the public interest of society. **Article 9.** The collection, preservation, utilization, and provision abroad of China's human genetic resources shall comply with ethical principles and shall undergo ethical review in accordance with relevant State provisions. The collection, preservation, utilization, and provision abroad of China's human genetic resources shall respect the privacy rights of human genetic resource providers, obtain their prior informed consent, and protect their lawful rights and interests. The collection, preservation, utilization, and provision abroad of China's human genetic resources shall comply with the technical standards formulated by the competent health authority of the State Council. **Article 10.** The purchase and sale of human genetic resources is prohibited. The lawful provision or use of human genetic resources for scientific research and the payment or receipt of reasonable cost fees shall not be regarded as purchase and sale. ## Chapter II Collection and Preservation **Article 11.** Where it is necessary to collect human genetic resources from important genetic families or specific regions within China, or to collect types or quantities of human genetic resources as stipulated by the competent health authority of the State Council, the following conditions shall be met and approval of the competent health authority of the State Council shall be obtained: (1) having the status of a legal person; (2) having a clear and lawful purpose for collection; (3) having a reasonable collection plan; (4) having passed ethical review; (5) having a department and management system responsible for the administration of human genetic resources; and (6) having premises, facilities, equipment, and personnel commensurate with the collection activities. **Article 12.** When collecting China's human genetic resources, the collector shall, in advance, inform the human genetic resource providers of the purpose of collection, the intended use of the collection, the possible effects on health, the personal privacy protection measures, and their rights to participate voluntarily and to withdraw unconditionally at any time, and shall obtain the written consent of the human genetic resource providers. When informing the human genetic resource providers of the information specified in the preceding paragraph, the information must be comprehensive, complete, truthful, and accurate; concealment, misleading, and deception are prohibited. **Article 13.** The State strengthens the preservation of human genetic resources and accelerates the development of standardized and normalized human genetic resource preservation infrastructure platforms and human genetic resource big data systems, in order to provide support for the conduct of related research and development activities. The State encourages scientific research institutions, universities, medical institutions, and enterprises to carry out human genetic resource preservation work in accordance with their own conditions and the needs of related research and development activities, and to provide convenience for other entities in conducting related research and development activities. **Article 14.** Where it is necessary to preserve China's human genetic resources and provide a basic platform for scientific research, the following conditions shall be met and approval of the competent health authority of the State Council shall be obtained: (1) having the status of a legal person; (2) having a clear and lawful purpose for preservation; (3) having a reasonable preservation plan; (4) having human genetic resources to be preserved that come from lawful sources; (5) having passed ethical review; (6) having a department and preservation management system responsible for the administration of human genetic resources; and (7) having premises, facilities, equipment, and personnel that meet the national technical standards and requirements for human genetic resource preservation. **Article 15.** Preservation entities shall strengthen the administration and monitoring of the human genetic resources they preserve, adopt security measures, and formulate emergency response plans to ensure the safety of preservation and use. Preservation entities shall completely record the preservation status of human genetic resources, and properly keep source information and use information of human genetic resources, in order to ensure the lawful use of human genetic resources. Preservation entities shall submit annual reports on the preservation of human genetic resources by their entities to the competent health authority of the State Council. **Article 16.** National human genetic resource preservation infrastructure platforms and databases shall be made open to relevant scientific research institutions, universities, medical institutions, and enterprises in accordance with relevant State provisions. Where required for the needs of public health, national security, and the public interest of society, the State may, in accordance with law, use human genetic resources preserved by preservation entities. ## Chapter III Utilization and Provision Abroad **Article 17.** The competent health authority of the State Council and the human genetic resources competent authorities of the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government shall, together with the relevant departments of the people's governments at the same level, make overall plans for and reasonable arrangements of scientific research and biopharmaceutical industry development conducted by utilizing human genetic resources, strengthen the development of innovation systems, and promote the innovation and coordinated development of biotechnology and industries. **Article 18.** Scientific research institutions, universities, medical institutions, and enterprises that conduct research and development activities by utilizing human genetic resources shall receive support in accordance with laws, administrative regulations, and relevant State provisions for their research and development activities and the industrialization of their results. **Article 19.** The State encourages scientific research institutions, universities, medical institutions, and enterprises to utilize China's human genetic resources for international cooperative scientific research in accordance with their own conditions and the needs of related research and development activities, in order to enhance the capacity and level of relevant research and development. **Article 20.** The conduct of biotechnology research and development activities or clinical trials utilizing China's human genetic resources shall comply with the laws, administrative regulations, and relevant State provisions on the administration of biotechnology research and clinical application. **Article 21.** Foreign organizations and institutions established or actually controlled by foreign organizations or individuals (hereinafter referred to as "foreign parties") that need to utilize China's human genetic resources for scientific research activities shall comply with China's laws, administrative regulations, and relevant State provisions, and shall proceed by way of cooperation with scientific research institutions, universities, medical institutions, or enterprises in China (hereinafter referred to as "Chinese parties"). **Article 22.** The conduct of international cooperative scientific research utilizing China's human genetic resources shall meet the following conditions, and a joint application shall be submitted by both cooperative parties, subject to approval by the competent health authority of the State Council: (1) posing no threat to China's public health, national security, or the public interest of society; (2) both cooperative parties being Chinese parties and foreign parties with the status of legal persons that have the foundation and capacity to undertake the relevant work; (3) having clear and lawful purposes and content for the cooperative research and a reasonable duration; (4) having a reasonable cooperative research plan; (5) the human genetic resources to be used having lawful sources, and the types and quantities being consistent with the research content; (6) having passed ethical review in the respective countries (regions) of both cooperative parties; and (7) having clearly defined ownership of research results and a reasonable and clear benefit-sharing plan. For the purpose of obtaining marketing authorization in China for relevant drugs and medical devices, international cooperative clinical trials conducted in clinical institutions utilizing China's human genetic resources and not involving the export of human genetic resource materials shall not require approval. However, before commencing clinical trials, both cooperative parties shall file with the competent health authority of the State Council the types, quantities, and intended uses of the human genetic resources to be utilized. The competent health authority of the State Council and the human genetic resources competent authorities of the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government shall strengthen supervision of the matters filed. **Article 23.** Where, in the course of international cooperative scientific research utilizing China's human genetic resources, there is a significant change in the cooperative parties, the purpose of research, the content of research, the duration of cooperation, or other significant matters, the procedures for approval of the change shall be completed. **Article 24.** In international cooperative scientific research utilizing China's human genetic resources, it shall be ensured that Chinese party entities and their research personnel participate throughout and substantively in the research during the cooperation period, and all records and data and information generated during the research process shall be fully accessible to the Chinese party entity and a copy shall be provided to the Chinese party entity. In international cooperative scientific research utilizing China's human genetic resources, where an application for a patent is made for results produced, the application shall be jointly submitted by both cooperative parties, and the patent right shall be jointly owned by both cooperative parties. With respect to other scientific and technological results produced by the research, the rights of use, transfer rights, and benefit-sharing arrangements shall be agreed upon by the cooperative parties through a cooperation agreement; where the agreement makes no provision, both cooperative parties shall have the right of use, but transfer to a third party shall require the consent of both cooperative parties, and the benefits obtained shall be shared in accordance with the contributions of the cooperative parties. **Article 25.** In international cooperative scientific research utilizing China's human genetic resources, both cooperative parties shall, in accordance with the principles of equality and mutual benefit, good faith, joint participation, and sharing of results, sign a cooperation agreement in accordance with law and make clear and specific provisions on the relevant matters in accordance with Article 24 of these Regulations. **Article 26.** In international cooperative scientific research utilizing China's human genetic resources, both cooperative parties shall jointly submit a report on the cooperative research activities to the competent health authority of the State Council within 6 months after the conclusion of the international cooperative activities. **Article 27.** Where, in the course of international cooperative scientific research utilizing China's human genetic resources, or due to other special circumstances, it is necessary to transport, mail, or carry China's human genetic resource materials out of China, the following conditions shall be met and an outbound certificate for human genetic resource materials shall be obtained from the competent health authority of the State Council: (1) posing no threat to China's public health, national security, or the public interest of society; (2) having the status of a legal person; (3) having a clear overseas cooperative party and a reasonable purpose for taking the materials abroad; (4) the human genetic resource materials having been lawfully collected or coming from a lawful preservation entity; and (5) having passed ethical review. Where, in the course of international cooperative scientific research utilizing China's human genetic resources, it is necessary to transport, mail, or carry China's human genetic resource materials out of China, the application may be submitted separately or may be submitted together with the application for conducting international cooperative scientific research, with the plan for taking materials abroad listed therein, and the competent health authority of the State Council shall consolidate the approval. Where China's human genetic resource materials are transported, mailed, or carried out of China, customs procedures shall be completed on the basis of the outbound certificate for human genetic resource materials. **Article 28.** Where human genetic resource information is provided to or made available for use by foreign organizations, individuals, or institutions established or actually controlled by foreign organizations or individuals, China's public health, national security, and the public interest of society shall not be endangered; where it may affect China's public health, national security, or the public interest of society, a security review organized by the competent health authority of the State Council shall be completed. Where human genetic resource information is provided to or made available for use by foreign organizations, individuals, or institutions established or actually controlled by foreign organizations or individuals, the matter shall be filed with the competent health authority of the State Council and a copy of the information shall be submitted. Human genetic resource information produced in international cooperative scientific research utilizing China's human genetic resources may be used by both cooperative parties. ## Chapter IV Services and Supervision **Article 29.** The competent health authority of the State Council shall strengthen the development of e-government to facilitate applicants' use of the Internet to handle approval, filing, and other matters. **Article 30.** The competent health authority of the State Council shall formulate and promptly publish approval guides and model texts for the collection, preservation, utilization, and provision abroad of China's human genetic resources, and shall strengthen guidance to applicants in handling relevant approval, filing, and other matters. **Article 31.** The competent health authority of the State Council shall engage experts in biotechnology, medicine, health, ethics, law, and other fields to form an expert review committee to conduct technical review of applications submitted pursuant to these Regulations for the collection and preservation of China's human genetic resources, the conduct of international cooperative scientific research, and the transport, mailing, or carrying of China's human genetic resource materials out of China. The review opinions shall serve as a reference for making approval decisions. **Article 32.** The competent health authority of the State Council shall, within 20 working days from the date of acceptance of applications submitted pursuant to these Regulations for the collection and preservation of China's human genetic resources, the conduct of international cooperative scientific research, and the transport, mailing, or carrying of China's human genetic resource materials out of China, make a decision to approve or disapprove; where disapproval is decided, reasons shall be stated. Where, due to special circumstances, it is impossible to make an approval decision within the prescribed time limit, the time limit may be extended by 10 working days upon approval by the person in charge of the competent health authority of the State Council. **Article 33.** The competent health authority of the State Council and the human genetic resources competent authorities of the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government shall strengthen supervision and inspection of all aspects of activities involving the collection, preservation, utilization, and provision abroad of human genetic resources; where violations of these Regulations are discovered, they shall be dealt with promptly in accordance with law, and the results of inspections and handling shall be published to the public. **Article 34.** The competent health authority of the State Council and the human genetic resources competent authorities of the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government may, in conducting supervision and inspection, adopt the following measures: (1) entering the premises for inspection; (2) inquiring of relevant personnel; (3) consulting and copying relevant materials; and (4) sealing up and impounding relevant human genetic resources. **Article 35.** Any entity or individual has the right to file complaints and reports with the competent health authority of the State Council and the human genetic resources competent authorities of the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government regarding violations of these Regulations. The competent health authority of the State Council and the human genetic resources competent authorities of the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government shall publish complaint and report telephone numbers and email addresses, and accept the relevant complaints and reports. Those that are verified upon investigation shall be awarded to the informant. ## Chapter V Legal Liability **Article 36.** Where, in violation of these Regulations, any of the following circumstances exists, the competent health authority of the State Council shall order the cessation of the illegal act, confiscate the illegally collected and preserved human genetic resources and illegal gains, and impose a fine of not less than RMB 500,000 and not more than RMB 5,000,000; where the illegal gains are RMB 1,000,000 or more, a fine of not less than five times and not more than ten times the illegal gains shall be imposed: (1) without approval, collecting human genetic resources from important genetic families or specific regions of China, or collecting types or quantities of human genetic resources as stipulated by the competent health authority of the State Council; (2) without approval, preserving China's human genetic resources; (3) without approval, utilizing China's human genetic resources to conduct international cooperative scientific research; (4) without passing a security review, providing or making available for use human genetic resource information that may affect China's public health, national security, or the public interest of society to foreign organizations, individuals, or institutions established or actually controlled by foreign organizations or individuals; or (5) failing to file with the competent health authority of the State Council the types, quantities, and intended uses of the human genetic resources to be utilized before commencing international cooperative clinical trials. **Article 37.** Where false materials are provided or other deceptive means are used to obtain an administrative permit, the competent health authority of the State Council shall revoke the administrative permit already obtained, impose a fine of not less than RMB 500,000 and not more than RMB 5,000,000, and shall not accept permit applications from the responsible persons and entities within 5 years. **Article 38.** Where, in violation of these Regulations, China's human genetic resource materials are transported, mailed, or carried out of China without approval, customs shall impose punishment in accordance with the provisions of the relevant laws and administrative regulations. The human genetic resources competent authority shall cooperate with customs in conducting identification and other law enforcement assistance work. Customs shall transfer the human genetic resource materials confiscated in accordance with law to the human genetic resources competent authorities of the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government for disposal. **Article 39.** Where, in violation of these Regulations, any of the following circumstances exists, the human genetic resources competent authority of the people's government of the province, autonomous region, or municipality directly under the Central Government shall order the cessation of the relevant activities, confiscate the illegally collected and preserved human genetic resources and illegal gains, and impose a fine of not less than RMB 500,000 and not more than RMB 1,000,000; where the illegal gains are RMB 1,000,000 or more, a fine of not less than five times and not more than ten times the illegal gains shall be imposed: (1) failing to pass ethical review in the collection, preservation, utilization, or provision abroad of China's human genetic resources; (2) collecting China's human genetic resources without obtaining the prior informed consent of the human genetic resource providers, or obtaining the consent of the human genetic resource providers through means such as concealment, misleading, or deception; (3) violating relevant technical standards in the collection, preservation, utilization, or provision abroad of China's human genetic resources; or (4) providing or making available for use human genetic resource information to foreign organizations, individuals, or institutions established or actually controlled by foreign organizations or individuals without filing with the competent health authority of the State Council or submitting a copy of the information. **Article 40.** Where, in violation of these Regulations, any of the following circumstances exists, the competent health authority of the State Council shall order rectification, issue a warning, and may impose a fine of not more than RMB 500,000: (1) failing to completely record and properly keep source information and use information of human genetic resources in the course of preserving China's human genetic resources; (2) failing to submit annual reports on the preservation of China's human genetic resources; or (3) failing to submit reports on cooperative research activities in a timely manner upon completion of international cooperative scientific research. **Article 41.** Where foreign organizations, individuals, or institutions established or actually controlled by foreign organizations or individuals violate these Regulations by collecting or preserving China's human genetic resources within China, utilizing China's human genetic resources to conduct scientific research, or providing China's human genetic resources abroad, the competent health authority of the State Council shall order the cessation of the illegal act, confiscate the illegally collected and preserved human genetic resources and illegal gains, and impose a fine of not less than RMB 1,000,000 and not more than RMB 10,000,000; where the illegal gains are RMB 1,000,000 or more, a fine of not less than five times and not more than ten times the illegal gains shall be imposed. **Article 42.** Where, in violation of these Regulations, human genetic resources are bought or sold, the competent health authority of the State Council shall order the cessation of the illegal act, confiscate the illegally collected and preserved human genetic resources and illegal gains, and impose a fine of not less than RMB 1,000,000 and not more than RMB 10,000,000; where the illegal gains are RMB 1,000,000 or more, a fine of not less than five times and not more than ten times the illegal gains shall be imposed. **Article 43.** With respect to entities that have committed illegal acts as provided for in Articles 36, 39, 41, and 42 of these Regulations, where the circumstances are serious, the competent health authority of the State Council or the human genetic resources competent authorities of the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government shall, in accordance with their duties, prohibit the entities from engaging in activities of collecting, preserving, utilizing, and providing abroad China's human genetic resources for a period of 1 to 5 years; where the circumstances are particularly serious, the entities shall be permanently prohibited from engaging in such activities. With respect to the legal representatives, principal responsible persons, persons directly in charge, and other responsible persons of entities that have committed illegal acts as provided for in Articles 36 through 39, 41, and 42 of these Regulations, sanctions shall be imposed in accordance with law, and the competent health authority of the State Council or the human genetic resources competent authorities of the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government shall, in accordance with their duties, confiscate their illegal gains and impose a fine of not more than RMB 500,000; where the circumstances are serious, such persons shall be prohibited from engaging in activities of collecting, preserving, utilizing, and providing abroad China's human genetic resources for a period of 1 to 5 years; where the circumstances are particularly serious, such persons shall be permanently prohibited from engaging in such activities. Entities and individuals that have committed illegal acts as provided for in these Regulations shall have such acts recorded in credit records and publicized to the public in accordance with the relevant laws and administrative regulations. **Article 44.** Where, in violation of these Regulations, the lawful rights and interests of others are infringed, civil liability shall be borne in accordance with law; where a crime is constituted, criminal liability shall be pursued in accordance with law. **Article 45.** Where staff members of the competent health authority of the State Council and the human genetic resources competent authorities of the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government violate these Regulations by failing to perform their duties, or abusing their powers, neglecting their duties, or engaging in favoritism and malpractice, sanctions shall be imposed in accordance with law; where a crime is constituted, criminal liability shall be pursued in accordance with law. ## Chapter VI Supplementary Provisions **Article 46.** Where human genetic resource-related information constitutes a State secret, confidentiality management shall be implemented in accordance with the Law of the People's Republic of China on Guarding State Secrets and other relevant State confidentiality provisions. **Article 47.** These Regulations shall come into force on July 1, 2019. --- ## Implementing Rules for the Regulation on the Administration of Human Genetic Resources - Chinese title: 人类遗传资源管理条例实施细则 - Abbreviation: HGR Implementing Rules - Hierarchy: rule - Issuing body: Ministry of Science and Technology (MOST) - Adopted: 2023-05-26 - Effective: 2023-07-01 - Status: effective - URL: https://datacompliancechina.com/laws/hgr-implementing-rules/ - Markdown: https://datacompliancechina.com/laws/hgr-implementing-rules.md - Source URL: https://www.most.gov.cn/xxgk/xinxifenlei/fdzdgknr/fgzc/bmgz/202306/t20230601_186416.html ### Summary MOST's 2023 implementing rules operationalize the 2019 State Council Regulation on the Administration of Human Genetic Resources, providing granular definitions, the step-by-step approval and filing system for collection, preservation, international research collaboration, and clinical trials, and the criteria for determining when an entity is a 'foreign-party-controlled' institution (境外组织或个人控制). The rules establish the cross-border information-provision regime — requiring advance reporting, information backup submission to MOST, and a security review for certain sensitive categories (e.g., whole-exome or genome sequencing data for 500 or more subjects) — and set out inspection powers, penalty-discretion standards, and administrative-enforcement procedures. Overseas life-sciences counsel care because the rules directly govern how global pharma, biotech, and genomics companies structure China clinical trials and collaborative research arrangements to avoid unlicensed cross-border transfer of human genetic resource information. ### Full text **Promulgated by:** Ministry of Science and Technology of the People's Republic of China. **Document No.:** Order of the Ministry of Science and Technology No. 21. **Adopted on May 26, 2023. Effective July 1, 2023.** --- ## Chapter I General Provisions **Article 1.** These Implementing Rules are formulated in accordance with the Biosafety Law of the People's Republic of China, the Regulation on the Administration of Human Genetic Resources of the People's Republic of China, and other relevant laws and administrative regulations, in order to effectively protect and rationally utilize China's human genetic resources, and to safeguard public health, national security, and the public interest of society. **Article 2.** The collection, preservation, utilization, and cross-border provision of China's human genetic resources shall comply with these Implementing Rules. Human genetic resource information includes information and data — such as human gene and genome data — generated through the use of human genetic resource materials, but excludes clinical data, imaging data, protein data, and metabolic data. **Article 3.** The Ministry of Science and Technology (MOST) is responsible for the administration of human genetic resources throughout the country, including surveys, administrative licensing, supervision and inspection, and administrative penalties. MOST may, in accordance with law, entrust relevant organizations to carry out related work. **Article 4.** Provincial-level science and technology administrative departments are responsible for supervision and inspection, day-to-day administration, and the handling of cases of violations within their respective jurisdictions, as well as work entrusted to them by MOST. **Article 5.** MOST and provincial-level science and technology administrative departments shall strengthen their administrative capacity, equip enforcement personnel, and conduct supervision and inspection in accordance with their respective functions. **Article 6.** MOST shall appoint experts to form an Expert Advisory Committee on the Administration of Human Genetic Resources to provide decision-making consultation and technical support. **Article 7.** MOST supports the rational utilization of human genetic resources for scientific research, the development of the biopharmaceutical industry, and the improvement of diagnostic and treatment technologies; it shall strengthen administration and supervision, and optimize approval services. ## Chapter II General Requirements **Article 8.** The collection, preservation, utilization, and cross-border provision of human genetic resources shall comply with ethical principles and shall pass ethical review by a duly filed ethics committee. **Article 9.** The privacy rights, personal information, and other rights and interests of human genetic resource providers shall be respected and protected, and written informed consent shall be obtained in accordance with regulations. **Article 10.** Relevant requirements and technical specifications for scientific and technological activities — including standards, norms, and protocols — shall be observed. **Article 11.** The collection and preservation of China's human genetic resources within the territory of China, and the cross-border provision thereof, must be carried out by Chinese entities. Institutions incorporated in the mainland, Hong Kong, or Macao that are controlled by domestic capital shall be treated as Chinese entities. Foreign entities and overseas individuals may not collect or preserve China's human genetic resources within the territory of China, nor provide them across borders. **Article 12.** A "foreign entity" (外方单位) refers to any organization or institution in which overseas organizations or individuals hold or actually control 50% or more of the equity interests, voting rights, or other interests, or have the ability to exert a significant influence on its decision-making. **Article 13.** Entities engaged in the collection, preservation, utilization, or cross-border provision of human genetic resources shall strengthen their internal management systems and review the scientific research objectives and protocols involved. **Article 14.** In international scientific research collaboration, Chinese entities shall be ensured full-process, substantive participation, and shall share in the rights and interests in accordance with law. All records and data shall be fully open to and made available to the Chinese party as backups. **Article 15.** MOST shall establish an information management system for the administration of human genetic resources, to enable online processing of administrative licenses, filings, and other matters, and to promote dynamic management and traceability. **Article 16.** MOST shall promote the establishment of a basic platform and big-data system for the preservation of human genetic resources, and shall make it available to relevant institutions in accordance with regulations. **Article 17.** In response to emergencies, MOST shall establish an expedited approval mechanism to accelerate the handling of relevant administrative licenses. **Article 18.** MOST shall formulate and publish service guides and model texts for administrative licensing, filing, and other matters relating to the collection, preservation, utilization, and cross-border provision of human genetic resources. **Article 19.** MOST shall regularly provide training for researchers and administrators engaged in human genetic resource activities. **Article 20.** MOST and provincial-level science and technology administrative departments shall establish measures to guard against integrity risks and shall improve supervision mechanisms. ## Chapter III Survey and Registration **Article 21.** MOST is responsible for the national survey of human genetic resources; provincial-level science and technology administrative departments shall, as entrusted, be responsible for surveys within their respective jurisdictions. **Article 22.** The national survey shall be conducted once every five years; it may be conducted as needed when circumstances require. **Article 23.** MOST shall organize experts to formulate the survey work plan. Provincial-level science and technology administrative departments shall compile and submit survey data and information to MOST. **Article 24.** MOST shall organize research on important genetic families and human genetic resources specific to particular regions, establish a catalogue thereof, and revise it in a timely manner. **Article 25.** MOST is responsible for the registration of important genetic families and human genetic resources specific to particular regions; it shall formulate management measures and establish an information service platform therefor. **Article 26.** Scientific research institutions, institutions of higher education, medical institutions, and enterprises in China that discover important genetic resources shall promptly report them through the platform. ## Chapter IV Administrative Licensing and Filing ### Section 1 Administrative Licensing for Collection and Preservation **Article 27.** Administrative licensing for the collection of human genetic resources applies to: (1) the collection of important genetic families (i.e., a group of blood-related individuals spanning three or more generations who suffer from a hereditary disease, excluding common diseases); (2) collection from specific regions (i.e., populations with special physical characteristics living in isolated or special environments); and (3) large-scale population studies (involving 3,000 or more subjects). Collection activities conducted for clinical trials do not require licensing. **Article 28.** Administrative licensing for the preservation of human genetic resources applies to activities carried out within the territory of China to store resources and provide a basic platform for scientific research. Preservation means storing human genetic resource materials with legal sources in a suitable environment; it does not include temporary storage for teaching purposes. **Article 29.** Where an activity involves both preservation and collection, only a preservation license needs to be applied for. **Article 30.** A preservation unit shall submit to MOST an annual report on preservation activities for the preceding year by January 31 of each year. The annual report shall include information on the preserved resources, their sources and usage, the implementation of management systems, the maintenance of facilities and premises, and changes in administrative personnel. ### Section 2 Administrative Licensing and Filing for International Collaboration **Article 31.** An application for a license for international scientific research collaboration shall have passed ethical review by the respective competent ethics committees of both the Chinese and foreign parties. Where the foreign party is unable to provide such evidence, it may submit supporting materials demonstrating that it accepts the Chinese party's ethical review opinion. **Article 32.** International collaborative clinical trials conducted within medical and healthcare institutions for the purpose of obtaining drug or medical device marketing authorizations — where such collaboration involves the use of China's human genetic resources but does not involve the export of materials — do not require approval, provided that collection, testing, and analysis are carried out within the institution or by a designated domestic entity. Such activities shall, however, be filed with MOST. **Article 33.** Applications for administrative licenses for international collaboration, and filings for clinical trials, shall be submitted jointly by both the Chinese and foreign parties. Multi-center clinical research may not be divided into separate applications. **Article 34.** For multi-center clinical research, the lead institution shall obtain the license or complete the filing; other participating institutions may commence the research upon submitting their ethics review approval or letters of acceptance thereof. **Article 35.** Within six months after the expiration of the validity period, the collaborating parties that have obtained a license or completed a filing shall jointly submit to MOST a report on the collaborative research, covering research objectives, implementation, the use and disposition of resources, Chinese-party participation, the allocation of results, ethical review, and other matters. ### Section 3 Advance Reporting for Cross-Border Provision and Open-Access Use **Article 36.** Providing or making available human genetic resource information to overseas organizations, individuals, or institutions established or actually controlled by them shall be reported to MOST in advance, and an information backup shall be submitted. The report shall include the purpose and intended use, basic information on the recipient, and a risk assessment of the impact on resource protection. Where information is provided to the foreign party during the implementation of an approved international scientific research collaboration project, and the use of such information by both parties has already been agreed upon in the international agreement, a separate advance report is not required. **Article 37.** Where the provision of human genetic resource information to overseas organizations, individuals, or institutions established or actually controlled by them may affect China's public health, national security, or public interest of society, a security review organized by MOST shall be passed. Categories subject to such security review include: (1) information on important genetic families; (2) information on human genetic resources specific to particular regions; (3) whole-exome or whole-genome sequencing data for 500 or more subjects; and (4) other circumstances stipulated by MOST. **Article 38.** MOST shall, in conjunction with relevant departments, formulate security review rules and organize expert security assessments. The export of human genetic resources shall comply with the laws and regulations of the State on export controls. ### Section 4 Procedures for Administrative Licensing, Filing, and Advance Reporting **Article 39.** Where application materials are complete and meet the formal requirements, MOST shall accept the application and issue an acceptance receipt. Where materials are incomplete or fail to meet formal requirements, MOST shall notify the applicant in writing of all items requiring supplementation or correction within five working days. **Article 40.** MOST shall establish an expert pool and an expert management system. Review experts shall be selected by random draw to conduct technical reviews of applications and security assessments of information proposed for cross-border provision subject to security review. Experts shall generally participate via online means; meetings or on-site inspections may be used when necessary. **Article 41.** MOST shall make a licensing decision within twenty working days from the date of acceptance. Where a decision cannot be made in a timely manner, the period may be extended by ten working days with approval, and the applicant shall be notified in writing. **Article 42.** The time spent on hearings, inspections, tests, quarantine, identification, and technical reviews shall not be counted toward the licensing period, but the applicant shall be notified in writing thereof. **Article 43.** MOST shall notify the applicant in writing of the licensing decision and send a copy to the provincial-level science and technology administrative department in the applicant's location. Decisions granting a license shall be published on MOST's website; decisions refusing a license shall state the reasons and inform the applicant of the right to apply for administrative reconsideration or to bring an administrative lawsuit. **Article 44.** After obtaining a collection license, an application for modification shall be submitted where significant changes occur in the participating entities, purpose, or protocol of the collection activities. **Article 45.** After obtaining a preservation license, an application for modification shall be submitted where significant changes occur in the purpose or protocol of the preservation activities. **Article 46.** After obtaining an international collaboration license, an application for modification shall be submitted where significant changes occur in the type, quantity, or intended use of resources covered by the research purpose, content, or protocol, or where the sponsor or lead institution changes. **Article 47.** After obtaining a license, where changes involve only a quantity change not exceeding 10% of the approved amount, a change of participating entities, a change in the legal person's name, or a change that does not affect the type, quantity, or intended use of resources or falls within the approved scope, no modification application is required; however, a written notice shall be submitted. **Article 48.** MOST shall review modification applications and decide whether to approve them. The procedures shall follow the rules applicable to license applications. **Article 49.** Where an applicant withdraws an application in writing before a licensing decision is made, MOST shall terminate the review. **Article 50.** MOST may, upon the request of a person with an interest in the matter or on its own initiative, revoke a license in circumstances including: abuse of authority, exceeding authority, procedural violation, or granting a license to an applicant that does not meet the qualifications or conditions, or other circumstances in which revocation is permitted by law. A license obtained by fraud, bribery, or other improper means shall be revoked. A license shall not be revoked where doing so would cause significant harm to the public interest. **Article 51.** Applications to file international collaborative clinical trials shall first obtain the clinical trial approval letter or filing registration materials issued by the drug regulatory authority. **Article 52.** An application to file a clinical trial shall include: basic information on the collaborating parties; the type, quantity, and intended use of the resources to be utilized; the research protocol; the ethics review approval from the lead institution; and other supporting materials. **Article 53.** After completing a clinical trial filing, where significant changes occur in the type, quantity, or intended use of resources, or in the collaborating parties or research protocol, a modification of the filing shall be processed. Where the protocol or content changes do not involve changes to the resources, no modification is required, but a written notice shall be submitted before the change. **Article 54.** After an advance report has been submitted, where the intended use or recipient changes, a modification report shall be submitted before the change. **Article 55.** Where a licensee needs to extend the validity period, an application shall be submitted no fewer than thirty working days before expiration. MOST shall make a decision before expiration; if no decision is made before expiration, the extension shall be deemed approved. The same applies to filers seeking to extend a filing; if the extension has not been completed by the expiration date, it shall be deemed completed. ## Chapter V Supervision and Inspection **Article 56.** MOST is responsible for national supervision and inspection; provincial-level science and technology administrative departments are responsible for supervision and inspection within their respective jurisdictions. Inspection matters include: (1) the fulfillment of responsibilities and implementation of rules and regulations by entities engaged in collection, preservation, utilization, or cross-border provision; (2) the collection, preservation, and utilization under approved projects, as well as the export of materials, cross-border provision, and post-export use; (3) the disposition of remaining materials, as well as intellectual property rights and interest-sharing arrangements; (4) the authenticity of filed matters; and (5) other matters requiring supervision and inspection. **Article 57.** MOST and provincial-level science and technology administrative departments shall draw up annual supervision and inspection plans, and shall implement risk management for human genetic resources. Plans shall specify the matters, methods, frequency, and the types and proportion of projects to be sampled for inspection. **Article 58.** Entities that have been penalized for violations within the past three years, that have not corrected identified management risks, or that have been included in a credit blacklist shall be subject to increased inspection frequency and incorporated into the routine inspection plan. Entities that have improved their management practices and have not committed further violations may be subject to reduced inspection frequency. **Article 59.** For other entities, MOST and provincial-level science and technology administrative departments may, within the scope of such entities' resource activities, randomly determine the matters and personnel subject to inspection, and carry out supervision and inspection accordingly. **Article 60.** Targeted supervision and inspections may be deployed where serious violations are discovered, where temporary or emergency tasks arise, or where problems are identified through complaints, referrals, or data monitoring. **Article 61.** Information from routine supervision and inspections shall be promptly recorded and aggregated, and inspection measures shall be improved accordingly. **Article 62.** Where there is reason to believe that a violation of the Regulation may be occurring, an administrative regulatory interview (约谈) may be conducted with the legal representative, principal responsible person, or other relevant personnel of the entity concerned. **Article 63.** Where a potential violation is discovered, an investigation shall be initiated. Measures that may be taken as necessary include: recording, copying, photographing, and videotaping; sealing up or detaining items; and inspecting, testing, quarantining, or identifying items. **Article 64.** Administrative compulsory measures shall be carried out in accordance with the procedures set out in the Administrative Compulsion Law of the People's Republic of China. **Article 65.** The taking and lifting of administrative compulsory measures shall be approved by the head of the authority. A written decision on sealing up or detaining items and a detailed list thereof shall be prepared and delivered on the spot. In urgent situations, measures may be taken before approval is obtained; the approval procedures and service of documents shall be completed within twenty-four hours. ## Chapter VI Administrative Penalties **Article 66.** MOST and provincial-level science and technology administrative departments shall exercise administrative penalty discretion in a standardized manner, taking comprehensive account of the facts, nature, circumstances, and social harm of the violation, and determining the type and magnitude of the penalty within the scope prescribed by the Regulation, to ensure that the penalty is proportionate to the offense. MOST shall separately formulate and publish administrative penalty discretion benchmarks. **Article 67.** Before a proposed penalty is imposed, the party concerned shall be notified in writing of the proposed penalty, the underlying facts, the reasons, and the legal basis, and shall be informed of the right to make statements and defenses, and the right to request a hearing. Where a hearing is required, the right to a hearing shall be notified. The party shall submit its statements or defense in writing within five working days of service of the notice; failure to do so within the time limit shall be deemed a waiver. The penalty shall not be aggravated on account of the party's exercise of the right to make statements, offer defenses, or request a hearing. **Article 68.** Where any of the following penalties are proposed, a hearing shall be organized if requested by the party concerned: (1) a fine of RMB 1,000,000 or more imposed on a legal person or other organization, or a fine of RMB 100,000 or more imposed on a citizen; (2) confiscation of illegal gains of RMB 3,000,000 or more from a legal person or other organization, or RMB 300,000 or more from a citizen; (3) prohibition from engaging in related activities for one year or more; (4) refusal to accept license applications for two years or more; (5) revocation of a license already obtained; or (6) other circumstances provided for by law. **Article 69.** Before a penalty decision is made, the case-handling unit shall submit the proposed decision and related materials to the legal review unit for review. No decision may be made without review or where the review has not been passed. Cases involving only a warning are exempt from legal review. **Article 70.** After a penalty decision is made, it shall be served on the party concerned within seven working days in accordance with the law. **Article 71.** A penalty decision shall be made within ninety days from the date of case initiation. Where the case is complex and a decision cannot be made within that period, the period may be extended by ninety days with approval. Where the case is especially complex and a decision still cannot be made after the extension, the period may be further extended, but not by more than sixty days, upon collective deliberation by the authority's responsible persons. Time spent on hearings, public announcements, testing, and similar procedures shall not be counted toward the case-handling period. **Article 72.** Illegal gains referred to in Articles 36, 39, 41, 42, and 43 of the Regulation shall be calculated as total revenues minus reasonable and appropriate expenditures; where they are difficult to calculate, the value of the resources or the amount of funds invested shall be used as the illegal-gains figure. **Article 73.** During supervision and inspection or investigation of violations, where a relevant entity is found to lack adequate storage conditions, MOST shall organize the transfer of the resources to an entity with adequate conditions for temporary storage. **Article 74.** Where a provincial-level science and technology administrative department imposes a penalty in accordance with law, it shall submit a copy of the case-handling report and the penalty decision to MOST within fifteen working days from the date the penalty decision is made. **Article 75.** MOST has the right to supervise administrative penalties imposed by provincial-level science and technology administrative departments, and shall order the correction of unlawful or improper conduct in accordance with law. ## Chapter VII Supplementary Provisions **Article 76.** With respect to time-period provisions, periods expressed in "working days" exclude statutory holidays; periods not so specified are calendar days. **Article 77.** The expressions "above" (以上) and "not exceeding" (不超过) include the referenced number; the expressions "greater than" (大于) and "less than" (不足) exclude the referenced number. **Article 78.** These Implementing Rules shall come into force on July 1, 2023. --- ## Provisions on the Online Protection of Children's Personal Information - Chinese title: 儿童个人信息网络保护规定 - Abbreviation: Children's PI Provisions - Hierarchy: rule - Issuing body: Cyberspace Administration of China (CAC) - Adopted: 2019-08-22 - Effective: 2019-10-01 - Status: effective - URL: https://datacompliancechina.com/laws/children-pi-online-protection-provisions/ - Markdown: https://datacompliancechina.com/laws/children-pi-online-protection-provisions.md - Source URL: https://www.cac.gov.cn/2019-08/23/c_1124913903.htm ### Summary China's first dedicated rule for children's personal information online, issued by the CAC in 2019 and effective October 1, 2019. It fixes 14 as the age of childhood, requires verifiable guardian consent before a network operator collects, stores, uses, transfers, or discloses a child's personal information, and imposes a guardian-facing notice-and-refusal regime, data-minimization and storage-limitation duties, encrypted storage, minimum-authorization access controls, entrustment and transfer safeguards, deletion and correction rights, and breach notification to guardians. It predates PIPL but is read together with PIPL Article 28 (which treats the personal information of minors under 14 as sensitive personal information) and the Regulations on the Protection of Minors in Cyberspace. ### Full text **Promulgated by:** Cyberspace Administration of China. **Document No.:** Order of the Cyberspace Administration of China No. 4. **Adopted and promulgated on August 22, 2019. Effective October 1, 2019.** --- **Article 1.** These Provisions are formulated in accordance with the Cybersecurity Law of the People's Republic of China, the Law of the People's Republic of China on the Protection of Minors, and other laws and regulations, in order to protect the security of children's personal information and promote the healthy growth of children. **Article 2.** For the purposes of these Provisions, "children" means minors under the age of 14. **Article 3.** These Provisions apply to activities such as the collection, storage, use, transfer, and disclosure of the personal information of children through networks within the territory of the People's Republic of China. **Article 4.** No organization or individual may produce, publish, or disseminate information that infringes the security of children's personal information. **Article 5.** A child's guardian shall properly perform guardianship duties, and shall educate and guide the child to strengthen awareness and capability in personal information protection and to safeguard the security of the child's personal information. **Article 6.** Internet industry organizations are encouraged to guide and promote network operators in formulating industry norms and codes of conduct for the protection of children's personal information, to strengthen industry self-discipline, and to fulfill social responsibilities. **Article 7.** A network operator that collects, stores, uses, transfers, or discloses the personal information of children shall follow the principles of legitimacy and necessity, informed consent, clear purpose, security assurance, and lawful use. **Article 8.** A network operator shall establish dedicated rules and user agreements for the protection of children's personal information, and shall designate dedicated personnel responsible for the protection of children's personal information. **Article 9.** Where a network operator collects, uses, transfers, or discloses the personal information of children, it shall notify the child's guardian in a conspicuous and clear manner, and shall obtain the consent of the child's guardian. **Article 10.** When obtaining consent, a network operator shall at the same time provide a refusal option, and shall expressly notify the following matters: (1) the purpose, method, and scope of collecting, storing, using, transferring, and disclosing the child's personal information; (2) the place and period of storage of the child's personal information, and how it will be handled after the period expires; (3) the security measures for the child's personal information; (4) the consequences of refusal; (5) the channels and methods for complaints and reports; (6) the means and methods for correcting and deleting the child's personal information; and (7) other matters that should be notified. Where there is a substantive change to the matters to be notified set out in the preceding paragraph, the consent of the child's guardian shall be obtained again. **Article 11.** A network operator shall not collect personal information of children that is unrelated to the services it provides, and shall not collect personal information of children in violation of laws, administrative regulations, or the agreement between the parties. **Article 12.** A network operator shall not store personal information of children beyond the period necessary to achieve the purpose of collection and use. **Article 13.** A network operator shall store personal information of children by adopting measures such as encryption to ensure information security. **Article 14.** A network operator's use of personal information of children shall not violate laws, administrative regulations, or the purpose and scope agreed by the parties. Where it is genuinely necessary, owing to business needs, to use such information beyond the agreed purpose and scope, the consent of the child's guardian shall be obtained again. **Article 15.** A network operator shall, on the principle of minimum authorization, strictly set information-access permissions for its staff and control the scope of persons who may have knowledge of children's personal information. Staff access to children's personal information shall be subject to approval by the person in charge of children's personal information protection or a management person authorized thereby; the access shall be recorded; and technical measures shall be taken to prevent the unlawful copying or downloading of children's personal information. **Article 16.** Where a network operator entrusts a third party with the processing of children's personal information, it shall conduct a security assessment of the entrusted party and of the entrustment, and shall sign an entrustment agreement specifying the responsibilities of both parties, the matters entrusted, the period of processing, and the nature and purpose of processing; the entrustment shall not exceed the scope of authorization. The entrusted party referred to in the preceding paragraph shall perform the following obligations: (1) process children's personal information in accordance with laws and administrative regulations and the requirements of the network operator; (2) assist the network operator in responding to applications made by children's guardians; (3) take measures to ensure information security, and promptly report to the network operator in the event of a security incident involving the leakage of children's personal information; (4) delete children's personal information promptly upon termination of the entrustment relationship; (5) not sub-entrust the processing; and (6) perform other obligations to protect children's personal information that are required by law. **Article 17.** Where a network operator transfers personal information of children to a third party, it shall conduct a security assessment by itself or entrust a third-party institution to do so. **Article 18.** A network operator shall not disclose personal information of children, except where disclosure is required by laws or administrative regulations, or is permitted under an agreement with the child's guardian. **Article 19.** Where a child or the child's guardian discovers an error in the personal information of the child that has been collected, stored, used, or disclosed by a network operator, they have the right to require the network operator to make corrections. The network operator shall promptly take measures to correct the information. **Article 20.** Where a child or the child's guardian requests a network operator to delete personal information of the child that it has collected, stored, used, or disclosed, the network operator shall promptly take measures to delete it, including but not limited to the following circumstances: (1) where the network operator collects, stores, uses, transfers, or discloses the child's personal information in violation of laws, administrative regulations, or the agreement between the parties; (2) where it collects, stores, uses, transfers, or discloses the child's personal information beyond the scope of purpose or the necessary period; (3) where the child's guardian withdraws consent; or (4) where the child or the child's guardian terminates use of the product or service through means such as account deregistration. **Article 21.** Where a network operator discovers that personal information of children has been, or may have been, leaked, damaged, or lost, it shall immediately activate its emergency response plan and take remedial measures. Where serious consequences have been or may be caused, it shall immediately report to the relevant competent authority, and shall notify the affected children and their guardians of the relevant circumstances by means such as email, letter, telephone, or push notification. Where individual notification is difficult, it shall adopt reasonable and effective means to issue the relevant warning information. **Article 22.** A network operator shall cooperate with the supervision and inspection lawfully carried out by the cyberspace administration authorities and other relevant authorities. **Article 23.** Where a network operator ceases operation of a product or service, it shall immediately stop collecting personal information of children, delete the personal information of children that it holds, and promptly notify children's guardians of the cessation of operation. **Article 24.** Any organization or individual that discovers conduct in violation of these Provisions may report it to the cyberspace administration authorities and other relevant authorities. Upon receiving such reports, the cyberspace administration authorities and other relevant authorities shall promptly handle them in accordance with their respective duties. **Article 25.** Where a network operator inadequately implements its responsibility for the security management of children's personal information, resulting in a relatively high security risk or the occurrence of a security incident, the cyberspace administration authorities shall conduct a regulatory interview in accordance with their duties, and the network operator shall promptly take measures to rectify the situation and eliminate the hazard. **Article 26.** Violations of these Provisions shall be handled by the cyberspace administration authorities and other relevant authorities, in accordance with their respective duties, pursuant to the Cybersecurity Law of the People's Republic of China, the Administrative Measures for Internet Information Services, and other relevant laws and regulations; where a crime is constituted, criminal liability shall be pursued in accordance with law. **Article 27.** Where legal liability is pursued for a violation of these Provisions, the violation shall be recorded in credit archives and made public in accordance with the provisions of relevant laws and administrative regulations. **Article 28.** Where information is automatically retained and processed through a computer information system, and it is impossible to identify whether the retained and processed information is the personal information of children, other relevant provisions shall apply. **Article 29.** These Provisions shall come into force on October 1, 2019. --- ## Guiding Principles for Real-World Data Used to Generate Real-World Evidence (Trial) - Chinese title: 用于产生真实世界证据的真实世界数据指导原则(试行) - Abbreviation: RWD Guiding Principles - Hierarchy: standard - Issuing body: Center for Drug Evaluation, National Medical Products Administration (NMPA-CDE) - Adopted: 2021-04-13 - Effective: 2021-04-13 - Status: effective - URL: https://datacompliancechina.com/laws/rwd-guiding-principles/ - Markdown: https://datacompliancechina.com/laws/rwd-guiding-principles.md - Source URL: https://www.cde.org.cn/news.do?method=viewInfoCommon&id=eaed86b800e8d9d9 ### Summary Issued by NMPA-CDE on 13 April 2021, these guiding principles establish the technical framework for assessing whether real-world data is fit for use in generating real-world evidence to support drug regulatory decisions in China. The principles catalogue the main sources of real-world data (hospital information systems, medical insurance claims, registry studies, pharmacovigilance data, cohort databases, and more), define a two-stage suitability assessment (source-data and post-curation stages), and impose detailed data governance, security, de-identification, and quality-management requirements. A dedicated chapter on personal information protection and data security requires de-identification of sensitive personal information and encryption across the full data lifecycle. For overseas pharmaceutical and medical-device regulatory counsel, the guidelines are the primary reference point when designing China real-world studies, because any real-world evidence submitted to NMPA must satisfy these standards, and non-compliance with the personal information and data-security provisions may jeopardise both study approval and data transfer out of China. ### Full text **Promulgated by:** Center for Drug Evaluation, National Medical Products Administration (NMPA-CDE). **Document No.:** NMPA-CDE Announcement 2021 No. 27 (国家药监局药审中心通告2021年第27号). **Issued on April 13, 2021. Effective upon publication.** --- ## Background and Purpose Real-world evidence forms an important component of the evidentiary chain for evaluating drug efficacy and safety; related concepts and applications are addressed in the *Guiding Principles for Real-World Evidence Supporting Drug Development and Review (Trial)* (2020). Real-world data, in turn, is the foundation for generating real-world evidence: without high-quality, fit-for-purpose real-world data, real-world evidence cannot be produced. Real-world data means all data collected in the course of daily practice that relates to patients' health status and/or their diagnosis, treatment, and healthcare. Not all real-world data, once analysed, can generate real-world evidence; only real-world data that satisfies suitability requirements, and that is subjected to appropriate and adequate analysis, has the potential to form real-world evidence. At present, the recording, collection, and storage processes for real-world data often lack rigorous quality control, giving rise to problems such as incomplete data, inconsistent data standards, non-uniform data models, and divergent descriptive methods — all of which impede the effective use of real-world data. These guiding principles supplement the *Guiding Principles for Real-World Evidence Supporting Drug Development and Review (Trial)* and provide specific requirements and guidance recommendations on the definition, sources, assessment, governance, standards, security and compliance, quality assurance, and suitability of real-world data, in order to help sponsors better conduct data governance and assess real-world data suitability, and to be fully prepared to generate valid real-world evidence. --- ## Section I — Overview Real-world evidence is an important component of the evidentiary chain for evaluating drug efficacy and safety. Real-world data is the foundation for producing real-world evidence. Real-world data means all data collected in the course of daily practice that relates to patients' health status and/or their diagnosis, treatment, and healthcare. Not all real-world data, once analysed, can generate real-world evidence; only real-world data that satisfies suitability requirements, and that is subjected to appropriate and adequate analysis, may form real-world evidence. Current processes for recording, collecting, and storing real-world data often lack rigorous quality control; problems such as incomplete data, inconsistent data standards, non-uniform data models, and divergent descriptive methods may arise, obstructing the effective use of real-world data. Accordingly, how to render collected real-world data fit — or to render it fit after governance — for the analytical purposes required by clinical research, and how to assess whether real-world data is suitable for generating real-world evidence, are the key questions in using real-world data to produce real-world evidence that supports drug regulatory decisions. These principles, as a supplement to the *Guiding Principles for Real-World Evidence Supporting Drug Development and Review (Trial)*, provide specific requirements and guidance recommendations on the definition, sources, assessment, governance, standards, security and compliance, quality assurance, and suitability of real-world data, in order to help sponsors better conduct data governance, assess real-world data suitability, and be fully prepared to generate valid real-world evidence. --- ## Section II — Sources and Current State of Real-World Data Real-world data relevant to drug development principally includes data recorded during the diagnostic and treatment process in real-world healthcare settings (such as electronic medical records) and data from various observational studies. Such data may have been collected prior to the commencement of a real-world study, or may be newly collected for the purpose of conducting a real-world study. ### (I) Common Principal Sources of Real-World Data In China, real-world data sources, classified by functional type, mainly include: hospital information system data, medical insurance payment data, registry study data, active drug safety surveillance data, and natural population cohort data. The following sets out common real-world data sources classified by functional type. **1. Hospital Information System Data** Hospital information system data encompasses structured and unstructured, digital or non-digital patient records — such as a patient's demographic characteristics, clinical characteristics, diagnoses, treatments, laboratory test results, safety information, and clinical outcomes — typically stored in disparate information systems within healthcare institutions, such as electronic medical records/electronic health records, laboratory information management systems, picture archiving and communication systems, and radiology information management systems. Some healthcare institutions have established institution-level research data platforms on the basis of data integration platforms or clinical data centres, consolidating information from outpatient, inpatient, and follow-up encounters into data directly usable for clinical research. Some regional medical databases, using relatively centralised physical environments for cross-institution clinical data storage and processing, are characterised by large storage capacity and diverse data types, and may serve as potential sources of real-world data. Hospital information system data is based on records of the clinical diagnostic and treatment process, covering a broad range of clinical outcomes and drug exposures; electronic medical record data in particular is widely used in real-world research. **2. Medical Insurance Payment Data** Medical insurance payment data in China has two main sources: (i) basic medical insurance systems established and uniformly administered by governments and healthcare institutions, containing structured data fields relating to basic patient information, healthcare service utilisation, prescriptions, settlements, and medical claims; and (ii) commercial health insurance databases, established by insurers, with data classified by insurance company claim payments and policy duration, and relatively simple in data dimensions. Medical insurance systems, as a source of real-world data, are more commonly used for health technology assessment and pharmacoeconomic research. **3. Registry Study Data** Registry study data is data collected through organised systems using observational research methods from clinical and other sources, usable for evaluating clinical outcomes in specified disease, health-condition, or exposure populations. Registry studies are mainly classified, according to the characteristics of the defined study population, into medical product registries, disease registries, and health service registries; in China, the first two categories are predominant. Drug registries supported by healthcare institutions and enterprises, in particular, observe patients using a given drug, with a focus on monitoring clinical efficacy across different indications or observing adverse reactions. The advantage of registry study databases lies in their use of specific patient populations as the study group, integrating multiple data sources such as clinical diagnosis and treatment data and medical insurance payment data; data collection is relatively standardised, generally including patient-reported data and long-term follow-up data; observed outcome indicators are usually rich, with the advantages of relatively high accuracy and strong structuring. Such data is well suited for evaluating drug efficacy, safety, economics, and adherence, and may also be used for research on natural disease history and prognosis. **4. Active Drug Safety Surveillance Data** Active drug safety surveillance data is principally used for drug safety research and pharmacoepidemiology research. Data is collected through national or regional drug safety surveillance networks from sources including healthcare institutions, pharmaceutical companies, medical literature, online media, and patient-reported outcomes. In addition, proprietary drug safety surveillance databases established by healthcare institutions and enterprises may also form part of this data source. **5. Natural Population Cohort Data** Natural population cohort data refers to data obtained through long-term prospective dynamic tracking and observation of healthy and/or patient populations. Natural population cohort data is characterised by uniform standards, informatised sharing, long time spans, and relatively large sample sizes. Such real-world data can help build risk models for common diseases and provide support for the precise targeting of drug development populations. **6. Omics Data** Omics data, as an important underpinning of precision medicine, principally includes genomic, epigenetic, transcriptomic, proteomic, and metabolomic data; these data characterise patients' genetic, physiological, and biological features from a systems-biology perspective. Omics data typically requires combination with clinical data to become fit-for-purpose real-world data. **7. Death Registry Data** Population death registration is the continuous and complete collection and recording of death information for a country's citizens. China currently has four systems for collecting population death information, administered respectively under the National Disease Control and Prevention Administration, the National Health Commission, the Ministry of Public Security, and the Ministry of Civil Affairs. Population death registry data encompasses all information in medical death certificates, recording detailed causes and times of death; it may serve as a data source for population cause-specific mortality rates and clinical outcomes of major diseases. **8. Patient-Reported Outcome Data** Patient-reported outcomes are indicators measuring and evaluating disease outcomes from the patient's own perspective, encompassing symptoms, physiological factors, psychological factors, and satisfaction with healthcare services. Patient-reported outcomes are increasingly important in drug evaluation systems. They may be recorded on paper or electronically (the latter are called electronic patient-reported outcomes); the rise and application of electronic patient-reported outcomes makes it possible to interface patient-reported outcomes with electronic medical record systems to form a complete patient-level data flow. **9. Individual Health Monitoring Data from Mobile Devices** Personal health monitoring data may be collected in real time from individual physiological signs through mobile devices (such as smartphones and wearable devices). Such data is commonly generated in the course of ordinary people's self-health management, healthcare institutions' monitoring of patients with chronic diseases, and health insurers' assessment of the health status of insured populations; it is typically stored in wearable-device enterprise databases, healthcare institution databases, and commercial insurance company data systems. Given the convenience and immediacy of wearable devices in collecting physiological data, interfacing with electronic health data can form more complete real-world data. **10. Other Purpose-Specific Data** *(1) Public Health Surveillance Data* China has established a series of public health surveillance databases — covering, for example, infectious disease surveillance and monitoring of adverse events following immunisation — that record data usable for analysing the incidence of infectious diseases and the rates of general and abnormal adverse reactions to vaccines. *(2) Patient Follow-up Data* In real-world clinical diagnostic and treatment settings, in-hospital electronic medical record data often cannot encompass certain important clinical indicators for patients, such as overall survival, five-year survival rates, and adverse reaction information; supplementary long-term follow-up data is therefore required to form fit-for-purpose real-world data. Patient follow-up data principally refers to data collected by hospital follow-up departments or third-party authorised service providers — through correspondence, telephone, outpatient visits, text messages, and online follow-up — that serve patients who have left hospital for purposes including clinical endpoints, rehabilitation guidance, medication reminders, and satisfaction surveys. Such data is typically stored in hospital follow-up data systems; linkage with medical record data enables the integration of multi-source clinical data for exploring disease mechanisms, development patterns, treatment methods, and prognostic factors. *(3) Patient Medication Data* Patient medication data from the diagnostic and treatment process — including patient information, drug specifications, dosage and usage, and adverse reactions — is typically stored in hospital pharmacy management information systems, pharmaceutical e-commerce platforms, pharmaceutical enterprise product traceability and drug safety information databases, and drug use surveillance platforms. With the spread of remote diagnosis and treatment and internet-enabled chronic disease management, patient out-of-hospital medication data stored in prescription circulation platforms or pharmaceutical e-commerce platforms is gradually increasing; the effective use or linkage of such data may serve as a source of real-world data recording the patient-level diagnostic and treatment process. As medical information technology continues to develop, new types and sources of real-world data will continuously emerge; however, their specific application depends on the clinical research question to be addressed and the suitability of the data for supporting the generation of real-world evidence. ### (II) Major Challenges in Real-World Data Application From the perspective of data sources, compared with randomised controlled trial (RCT) data, real-world data in most cases lacks rigorous quality control in its recording, collection, and storage processes, giving rise to problems such as incomplete data, missing key variables, and inaccurate records. These deficiencies in data quality significantly affect subsequent data governance and use, and may even affect data traceability, making it difficult for researchers to identify problems and to verify and correct them. Changes in factors such as patient disease course, treatment location, time, and space may lead to gaps in information about patients' disease status and related factors, presenting challenges for the systematic evaluation of disease status and outcomes in clinical research. Selective data collection — in particular in registry study data — is a potential source of research result bias. The relative independence and closure of various real-world data sources, the variety of data management systems, the dispersal of data storage, inconsistent data standards, and the difficulties of horizontal integration and exchange of data give rise to prominent data fragmentation and information-silo phenomena. With respect to electronic medical record data, given its high sensitivity, such systems are generally managed in a closed manner and use may be subject to certain restrictions. Electronic medical records may also be affected by subjective narrative descriptions and variation among recorders, influencing the objective assessment of clinical outcomes. Moreover, in the absence of uniform standards, data types are relatively diverse — encompassing both structured data and unstructured and semi-structured data such as text, images, and video — and redundant and duplicated data may also arise during the recording, collection, and storage process, further increasing the difficulty of data processing. --- ## Section III — Real-World Data Suitability Assessment Suitability assessment of real-world data should be based on the specific research purpose and regulatory decision-making use. ### (I) Data Governance and Data Management of Real-World Data Real-world data may be collected retrospectively or prospectively in terms of when the research is conducted. Retrospectively collected data generally requires data governance; such data principally originates from retrospective observational studies, prospective observational studies, and retrospective-prospective observational studies that have been previously conducted. Prospectively collected data, on the other hand, requires data management; such data principally originates from prospective observational studies to be conducted, or pragmatic clinical trials — since such data is similar to RCT data collection (i.e., databases are established and data is collected through electronic data capture systems in accordance with the research protocol, and is prospective, planned, structured, and standardised). Where a study uses both previously collected data and will collect future data — for example, a retrospective-prospective study beginning from the present — retrospectively collected data requires governance, while prospectively collected data is managed using data management methods. A key issue to note here is that the database resulting from governance of historical data should match the prospectively designed database. For single-arm clinical trials using external controls, historical controls require governance methods for the external data, while concurrent controls may use data management methods. The suitability assessment of real-world data is primarily directed at retrospectively collected data, but also has guidance value for prospectively collected data. The suitability assessment may be divided into two stages. The first stage involves the preliminary assessment and selection of source data on dimensions including accessibility, ethics, compliance, representativeness, completeness of key variables, sample size, and source data activity status, to determine whether the data satisfies the basic analytical requirements of the research protocol. The second stage involves assessment and analysis of data relevance and reliability, as well as of the data governance mechanism (data standards and common data model) adopted or to be adopted — specifically whether the governed data is suitable for generating real-world evidence (see Figure 1). If the real-world data is prospectively collected, the first stage of preliminary suitability assessment is not required. ### (II) Suitability Assessment of Source Data Source data satisfying basic analytical requirements should, at a minimum, meet the following conditions: **1. The database is active and data is accessible.** During the research period, the database should be continuously in an active state; all recorded data should be accessible — meaning there are usage rights to the data — and should be capable of evaluation by third parties, in particular regulatory authorities. **2. Data use complies with ethical and security requirements.** The use of source data should comply with the requirements of ethical review regulations and with relevant data security and privacy protection requirements. **3. Coverage of key variables.** Source data is typically incomplete, but should have a certain degree of coverage; it should at least include outcome variables, exposure/intervention variables, demographic variables, and important covariates relevant to the research purpose. **4. Sufficient sample size.** The potential for a significant reduction in source data case numbers after data governance should be fully considered and anticipated, in order to ensure the sample size required for statistical analysis. ### (III) Suitability Assessment of Governed Data The suitability assessment of governed real-world data is primarily based on data relevance and reliability. **1. Relevance Assessment** Relevance assessment aims to evaluate whether real-world data is closely related to the clinical question of interest, with a focus on the coverage of key variables, the accuracy of exposure/intervention and clinical outcome definitions, the representativeness of the target population, and the fusion of multi-source heterogeneous data. *(1) Coverage of key variables and information* Real-world data should contain important variables and information related to clinical outcomes, such as drug use, patient demographic and clinical characteristics, covariates, outcome variables, follow-up time, and potential safety information. Where some of the above variables are missing, a thorough assessment should be made of whether reliable statistical methods can be used to impute them, and of the possible effect on causal inference results. *(2) Accuracy of exposure/intervention and clinical outcome definitions* Selecting and accurately defining clinically meaningful outcomes, and accurately defining exposures/interventions, are critical for real-world research; these should be consistent with the clinical significance or theoretical basis of the research question. The definition of clinical outcomes should include the diagnostic criteria, measurement methods and quality control (if any), measurement instruments (such as scale use), calculation methods, measurement time points, variable types, variable type conversions (such as from quantitative to qualitative), and endpoint event adjudication mechanisms (such as the operating mechanism of the endpoint event adjudication committee) on which it is based. When different data sources use inconsistent definitions for clinical outcomes, a unified clinical outcome definition should be established and a reliable conversion method adopted. The definition of exposures/interventions should account for the reasonableness of the time window. *(3) Representativeness of the target population* One of the advantages of real-world research over traditional RCTs is a broader representativeness of the target population. Therefore, when formulating inclusion and exclusion criteria, these should, as far as possible, be consistent with the target population in the real-world setting. *(4) Fusion of multi-source heterogeneous data* Given the characteristics of real-world data, in many cases it consists of heterogeneous data from multiple sources that requires linkage, fusion, and homogenisation of data from different sources at the individual level. Therefore, individual-level accurate linkage through identifier variables should be used to support the integration of key variables from data sources using a common data model or data standards. **2. Reliability Assessment** The reliability of real-world data is primarily assessed from the perspectives of data completeness, accuracy, transparency, quality control, and quality assurance. *(1) Completeness* Completeness refers to the degree of missing data, including missing variables and missing variable values. For different studies, the degree of missingness, the distribution of missingness, the reasons for missingness, and the missing mechanisms of variable values will vary; these should be described in detail. When the proportion of missing data in a given study significantly exceeds the proportion in comparable studies, the uncertainty of research conclusions is increased; in such cases careful consideration should be given to whether the data can serve as data supporting the generation of real-world evidence. A detailed analysis of the reasons for missingness is helpful for an overall judgment of data reliability. Where imputation of missing data is involved, an appropriate imputation method should be adopted based on a reasonable assumption about the missing mechanism. *(2) Accuracy* Accuracy refers to whether the data is consistent with the objective characteristics it describes, including whether the source data is accurate, whether variable values are within a reasonable range, whether the trend in outcome variables over time is reasonable, and whether code mapping relationships correspond uniquely. Data accuracy requires identification and verification against a relatively authoritative reference — for example, whether an endpoint event has been adjudicated by an independent endpoint event adjudication committee. *(3) Transparency* The transparency of real-world data means that the governance plan and governance process for real-world data are clear and transparent. It should be ensured that key exposure/intervention variables, covariates, and outcome variables in the analytical dataset can be traced back to the source data, reflecting the extraction, cleaning, transformation, and standardisation process. Whether processed manually or through automated procedures, the standard operating procedures for data governance and verification and validation documents should be clearly recorded and archived — in particular issues reflecting data credibility, such as the degree of missingness, variable value ranges, methods for calculating derived variables, and mapping relationships. The data governance plan should be formulated in advance in accordance with the research purpose, and consistency between the data governance process and the governance plan should be ensured. Data transparency also includes transparency of data accessibility, information sharing among databases, and methods for protecting patient privacy. Where algorithms are used to define research cohorts, the development and validation of the algorithm should also be transparent. *(4) Quality control* Quality control refers to the techniques and activities implemented to verify that each step of data governance meets quality requirements. Quality control assessment includes, but is not limited to: whether data extraction, secure processing, cleaning, and structuring, and subsequent storage, transmission, analysis, and submission steps all have quality control in place to ensure that all data is reliable and that data processing is correct; and whether a complete, standardised, and reliable data governance plan is followed, supported by corresponding data quality inspection and system validation procedures, to ensure that the data governance system operates normally and in a steady state and that the accuracy and reliability of real-world data are assured. *(5) Quality assurance* Quality assurance refers to systematic measures to prevent, detect, and correct data errors or problems arising during the research process. Quality assurance for real-world data is closely associated with regulatory compliance and should run through every step of data governance. Considerations include, but are not limited to: whether a research plan, protocol, and statistical analysis plan relating to real-world data have been established; whether there are corresponding standard operating procedures; whether there is a clear process and qualified personnel for data collection; whether a common definition framework (i.e., a data dictionary) is used; whether a common time framework for collecting key data variables is observed; whether the technical methods used to capture data elements comply with pre-specified technical specifications and operating procedures, including integration of data from various sources, recording of drug use and laboratory test data, follow-up records, and linkage with other databases; whether data entry is timely and transmission is secure; and whether requirements for regulatory authority on-site inspection and access to source data and source documents are satisfied. --- ## Section IV — Real-World Data Governance Data governance means the governance performed on raw data — targeted at a specific clinical research question — in order to render it suitable for statistical analysis; its content includes, but is not limited to: data security processing, data extraction (including from multiple data sources), data cleaning (logical checks and abnormal data processing, and missing data processing), data transformation (data standards, common data model, normalisation, natural language processing, medical coding, derived variable calculation), data transmission and storage, and data quality control. ### (I) Personal Information Protection and Data Security Processing Real-world research involving personal information protection should comply with national information security technical specifications and relevant regulations on the security management of medical big data. Sensitive personal information should undergo de-identification processing, ensuring that sensitive personal information cannot be matched and re-identified from the data; and technical and managerial measures should be taken to prevent the leakage, damage, loss, or tampering of personal information. Data security processing should be based on the types, quantities, nature, and content of the various data involved in the research — especially sensitive personal information — and should establish data encryption technical requirements, risk assessment, and emergency response operating procedures for each stage of data governance, and conduct audits of the effectiveness of security measures. ### (II) Data Extraction An appropriate method should be selected for data extraction based on factors such as the storage format of source data, whether it is electronic data, and whether it contains unstructured data. The following principles should be observed during data extraction: The data extraction method should be validated to ensure that the extracted data meets the requirements of the research protocol. Data extraction should ensure consistency between the extracted raw data and the source data; timestamp management should be applied to the extracted raw data and the source data. Using data extraction tools that are interoperable with or integrated into the source data system can reduce errors in data transcription, thereby improving data accuracy and the quality and efficiency of data collection in clinical research. ### (III) Data Cleaning Data cleaning refers to the removal of duplicated or redundant data from extracted raw data, logical checks of variable values and processing of abnormal values, and handling of missing data. It should be noted that, when correcting data, if traceability to the signature confirmation of the principal investigator or source data responsible party is not possible, the data should not be modified, in order to ensure data authenticity. First, duplicated data and irrelevant data should be removed while preserving data integrity. Duplicated data may arise during the merging of different data sources and must be removed. At the same time, inaccuracies in the mapping relationship between data sources and the common data model may result in the collection of data irrelevant to the research objective; removing unnecessary observations from the dataset can reduce unnecessary effort. Logical checks and abnormal data processing should then be conducted. Logical checks can reveal errors in raw data or in the data extraction process — for example, a discharge date earlier than an admission date, a date of birth inconsistent with age by calculation, laboratory test results outside the realistic range, and qualitative judgment results inconsistent with the judgment criteria defined in the protocol. Processing of abnormal data must be carried out with great care to avoid resulting bias. Any errors and abnormal data identified should be verified through further investigation before modifying the data; all modifications should be documented. Finally, missing data should be handled during statistical analysis. For different studies, the degree, reasons, and missing mechanisms of variable values will vary. Where imputation of missing data is involved, an appropriate imputation method should be adopted based on a reasonable assumption about the missing mechanism. ### (IV) Data Transformation Data transformation is the process of uniformly converting the data format standards, medical terminology, coding standards, and derived variable calculations of raw data — after data cleaning — into a form suitable for real-world data, in accordance with the corresponding standards in the analytical database. For the transformation of free-text data, reliable natural language processing algorithms may be used to improve transformation efficiency, provided that data transformation accuracy and traceability are ensured. When calculating derived variables, the raw data variables and values used for calculation, the calculation method, and the definition of derived variables should be clearly specified, and timestamp management should be applied, to ensure data accuracy and traceability. ### (V) Data Transmission and Storage The transmission and storage of real-world data should be based on a trusted network security environment and controlled throughout the full lifecycle from data collection, processing, and analysis through to destruction. Encryption protection should be applied during both data transmission and storage. In addition, approval procedures for operational settings, role-based access controls, and minimum-authorisation access control policies should be established; the establishment of automated audit systems to monitor and record data processing and access activities is encouraged. ### (VI) Data Quality Control Data quality control is key to ensuring the integrity, accuracy, and transparency of research data. Data quality control requires establishing a comprehensive real-world data quality management system and standard operating procedures. Recommended principles include: **1. Ensuring the accuracy and authenticity of source data.** For electronic medical records serving as a key data source, medical record quality control standards should be in place to satisfy analytical requirements. Disease descriptions, diagnoses, and medication information originating from outpatient visits require supporting evidence chains. For any modification made during the entry process, confirmation and signature by the responsible person are required, along with the reason for modification, ensuring that a complete audit trail is maintained. **2. Giving full consideration to data integrity issues during data extraction.** Extraction fields should be assessed and established, and corresponding verification rules and database architecture developed. **3. Formulating a comprehensive data quality management plan.** A systematic and manual quality control plan should be formulated to ensure data accuracy and completeness. For key variables, comprehensive verification and source document review should be conducted; other variables may be sampled in accordance with actual circumstances — for example, sampling at a certain proportion for demographic information, thresholds of numerical variables, and coding mapping relationships to verify their accuracy and reasonableness. ### (VII) Common Data Model The common data model is a data model for the rapid centralisation and standardised processing of multi-source heterogeneous data under a multidisciplinary collaboration model; its main function is to convert source data with different standards into a uniform structure, format, and terminology, so as to enable data integration across databases/datasets. Given the complexity of the structure and type, and the differences in sample size and standards, of multi-source data, the overall process of converting source data into a common data model requires extraction, transformation, and loading of source data; it should be ensured that the source data is consistent with the structure and terminology of the target analytical database syntactically and semantically (see Figure 2). An ideal common data model should adhere to the following principles: 1. A common data model may be defined as a data governance mechanism through which source data can be standardised into a common structure, format, and terminology, thereby permitting data integration across multiple databases/datasets. A common data model should have the capability to access source data, be a dynamically extensible and continuously improvable data model, and have version control. 2. The definition, measurement, merging, recording, and corresponding validation of variables in the common data model should remain transparent; rules for converting data from multiple databases should be clear and consistent. 3. Common variables or concepts relating to safety and efficacy should all be mapped to the common data model so as to be applicable to different clinical research questions, and should be verifiable against established or known research results. ### (VIII) Real-World Data Governance Plan A real-world data governance plan should be formulated in advance, synchronised with the overall project research plan. If the governance plan requires revision during the course of the research, the review authority should be consulted and an updated governance plan submitted simultaneously. The plan should state the purpose of using real-world data for regulatory decision-making and the research design employing real-world data. It should also describe the real-world source data, including but not limited to: the type of real-world data source/source files — for example, health information system data, disease registry study data, and medical insurance data; an appropriate evaluation of the prior use of the real-world data source/source files, and a statement of the reasons for adopting them; the governance of real-world data — i.e., the governance process from real-world data sources to the analytical database; the data model and data standards adopted; the method for handling missing data; measures taken to reduce or control potential biases arising from the use of real-world data; quality control and quality assurance; and the suitability assessment of real-world data. --- ## Section V — Compliance, Security, and Quality Management System for Real-World Data ### (I) Data Compliance Real-world data originates from diverse sources including individual patients' diagnostic and treatment processes. The collection, processing, and use of such data involve ethical and patient privacy issues. In order to fully protect the safety and rights and interests of patients, the acquisition and use of real-world data for real-world research must pass review and approval by an ethics committee. Persons involved in real-world data governance are required to strictly observe the requirements of relevant laws and regulations; sponsors should strictly enforce these requirements and fulfil their obligations of protection and management. ### (II) Data Security Management Data security management should be carried out in accordance with national laws and regulations and industry regulatory requirements; necessary security protections should be applied to information systems and network facilities bearing health and medical data, as well as to cloud platforms. The scope of data security protection should cover every lifecycle stage, including data collection, extraction, transmission, storage, exchange, and destruction. Encryption technology should be used to ensure the integrity, confidentiality, and traceability of data throughout the processes of collection, extraction, transmission, and storage; where data is transmitted via media, the media should be subject to controls. Different protective measures should be adopted for different data formats on different media, and corresponding access control mechanisms should be established; access records should be reviewed, registered, archived, and audited. Data auditing and related operating procedures provide a record and basis for data collection, extraction, transmission, maintenance, storage, sharing, and use; they should include personnel audits, management audits, and technical audits. Medical information system activity audit policies and appropriate standard operating procedures should be formulated and deployed. The scope of auditing should cover any operation on data in any state — including log-in, creation, modification, and deletion of records — all of which should automatically generate time-stamped audit records, including but not limited to authorisation information, time of operation, reason for operation, content of operation, operator identity, and signature; these records should be available for audit. Audit records should be stored securely and an access control policy established. ### (III) Quality Management System A complete quality management system should be established to standardise real-world data processing procedures and to continuously optimise and improve in the course of actual operations. Basic quality elements should cover: to ensure the quality of real-world data, operating procedures covering the full lifecycle management of real-world data should be established; computerised system functions should meet the management requirements of real-world data and comply with relevant regulatory requirements for computerised systems; a comprehensive personnel management system should be established, with persons involved in data collection, governance, and analysis trained appropriately and meeting competency requirements for their responsibilities, with standardised management of personnel permissions; a risk management process for every stage from data collection through data submission should be established; standard information and document management specifications (for paper and electronic media) should be formulated to ensure that records of real-world data processing procedures are complete, accurate, and transparent, protecting data security and compliance. --- ## Section VI — Communication with Regulatory Authorities To ensure that the quality of real-world data meets regulatory requirements, applicants are encouraged to communicate with regulatory authorities in a timely manner. Before a real-world study formally commences, communication should take place — based on the overall development strategy and specific research protocol — on whether real-world data can support the generation of real-world evidence, including the accessibility of real-world data, whether the sample size is sufficiently large, whether the data governance plan is reasonable and feasible, and whether data quality can be assured. During the course of the research, if the data governance plan is adjusted in response to changes in study implementation, the sponsor should weigh the potential impact of the adjustment to the data governance plan on the study objectives, explain the adequate reasons for the adjustment to the regulatory authority, obtain its agreement, and simultaneously submit an updated research protocol and data governance plan. After completion of the research and before submission, the sponsor may consult with the regulatory authority regarding submission materials and databases. --- ## Annex 1 — Glossary **Electronic Medical Record (EMR):** An electronic record of health-related information on an individual patient, created, collected, managed, and accessed by authorised clinical professionals within a healthcare institution. **Electronic Health Record (EHR):** An electronic record of health-related information on an individual patient that complies with nationally recognised interoperability standards and that can be created, managed, and consulted by authorised clinical professionals across multiple healthcare institutions. **Observational Study:** A study that, based on a specific research question, does not impose active intervention and uses general or clinical populations as its subjects to explore the causal relationship between exposure/treatment and outcomes. **Patient-Reported Outcome (PRO):** An indicator measuring and evaluating disease outcomes from the patient's own perspective, encompassing symptoms, physiological factors, psychological factors, and satisfaction with healthcare services. Records may be on paper or electronic (the latter are called electronic patient-reported outcomes, ePRO). **Edit Check (Logical Check):** A check on the validity of clinical research data entered into a computer system, primarily evaluating whether the entered data has logical errors with respect to the expected numerical logic, value ranges, or value attributes. **Data Standard:** A set of rules governing how a specific type of data is to be structured, defined, formatted, or exchanged among computer systems. Data standards enable submitted materials to be predictable and consistent, and in a form usable by information technology systems or scientific tools. **Data Cleaning:** The process of identifying and correcting noise in data so as to minimise the impact of noise on data analysis results. Noise in data principally includes incomplete data, redundant data, conflicting data, and erroneous data. **Data Linkage:** The merging, association, and combination of data and information from multiple sources to form a unified dataset. **Data Element:** A single observation of a study participant recorded in clinical research — for example, date of birth, white blood cell count, pain severity, and other clinical observations. **Data Curation (Data Governance):** The governance performed on raw data — targeted at a specific clinical research question — in order to render it suitable for statistical analysis; its content at minimum includes data extraction (from multiple data sources), data security processing, data cleaning (logical checks and abnormal data processing, and data integrity processing), data transformation (common data model, normalisation, natural language processing, medical coding, derived variable calculation), data quality control, and data transmission and storage. **Common Data Model (CDM):** A data model for the rapid centralisation and standardised processing of multi-source heterogeneous data under a multidisciplinary collaboration model; its main function is to convert source data with different data standards into a uniform structure, format, and terminology, so as to enable data integration across databases/datasets. **Source Data:** All information in original records and certified copies of original records of clinical symptoms, observations, and other activities in clinical research used to reconstruct and evaluate the study. Source data is contained in source documents (including original records or their valid copies). **Real-World Data (RWD):** All data collected in the course of daily practice that relates to patients' health status and/or their diagnosis, treatment, and healthcare. Not all real-world data, once analysed, can become real-world evidence; only real-world data satisfying suitability requirements may potentially generate real-world evidence. **Real-World Research/Study (RWR/RWS):** A research process targeting a clinical research question, in which data relating to the health status and/or diagnosis, treatment, and healthcare of research subjects collected in a real-world setting (real-world data), or aggregate data derived from such data, is analysed to obtain clinical evidence (real-world evidence) on the use value and potential benefits and risks of a drug. **Real-World Evidence (RWE):** Clinical evidence on drug use and potential benefits and risks obtained through appropriate and adequate analysis of fit-for-purpose real-world data. --- ## Notice of the Ministry of Industry and Information Technology on Strengthening the Cybersecurity and Data Security of the Internet of Vehicles - Chinese title: 工业和信息化部关于加强车联网网络安全和数据安全工作的通知 - Hierarchy: rule - Issuing body: Ministry of Industry and Information Technology - Adopted: 2021-09-15 - Effective: 2021-09-15 - Status: effective - URL: https://datacompliancechina.com/laws/iov-cybersecurity-data-security-notice/ - Markdown: https://datacompliancechina.com/laws/iov-cybersecurity-data-security-notice.md ### Summary This Notice sets out MIIT's consolidated cybersecurity and data security requirements for the Internet of Vehicles (IoV) ecosystem, covering intelligent connected vehicle manufacturers, IoV service-platform operators and related parties. It addresses vehicle network security, vulnerability management, IoV network and communications security, monitoring and emergency response, MLPS grading and filing, platform security, OTA upgrade security, data classification and grading, data security technical safeguards, and cross-border data transfer. Issued as MIIT Cyber Security [2021] No. 134 and effective September 15, 2021. ### Full text **Promulgated by:** Ministry of Industry and Information Technology. **Document No.:** MIIT Cyber Security [2021] No. 134. **Issued and effective September 15, 2021.** --- To the industry and information technology authorities of all provinces, autonomous regions and municipalities directly under the Central Government, and the Xinjiang Production and Construction Corps; the communications administrations of all provinces, autonomous regions and municipalities directly under the Central Government; China Telecom Corporation Limited, China Mobile Communications Group Co., Ltd., and China United Network Communications Group Co., Ltd.; the relevant intelligent connected vehicle manufacturers and IoV service-platform operators; and the relevant standardization technical organizations: The Internet of Vehicles (IoV) is an emerging industrial form arising from the deep integration of new-generation network communication technology with the automotive, electronics, road transport and other fields. An intelligent connected vehicle is a new-generation vehicle equipped with advanced on-board sensors, controllers, actuators and other devices, integrating modern communication and network technologies, achieving intelligent information exchange and sharing among vehicles, roads, persons, the cloud and the like, possessing functions such as complex environment perception, intelligent decision-making and coordinated control, and capable of "safe, efficient, comfortable and energy-saving" driving. As the industry develops rapidly, the security risks of the IoV are becoming increasingly prominent, and the IoV security assurance system urgently needs to be improved and refined. In order to advance the implementation of the Development Plan for the New Energy Vehicle Industry (2021-2035) and strengthen the cybersecurity and data security management of the IoV, the relevant matters are hereby notified as follows: ## I. Basic Requirements for Cybersecurity and Data Security **(I) Implement primary security responsibility.** Relevant enterprises shall establish cybersecurity and data security management systems, clarify the persons responsible and the management body, and implement cybersecurity and data security protection responsibilities. They shall strengthen internal supervision and administration, increase resource assurance, and promptly discover and resolve security hazards. They shall strengthen cybersecurity and data security publicity, education and training. **(II) Comprehensively strengthen security protection.** Relevant enterprises shall take management and technical measures, and, in accordance with the relevant IoV cybersecurity and data security standards, strengthen the security protection of vehicles, networks, platforms and data, monitor, prevent and promptly dispose of cybersecurity risks and threats, ensure that data is in a state of effective protection and lawful utilization, and safeguard the secure and stable operation of the IoV. ## II. Strengthening the Security Protection of Intelligent Connected Vehicles **(III) Ensure vehicle network security.** Intelligent connected vehicle manufacturers shall strengthen the cybersecurity architecture design of the whole vehicle. They shall strengthen the communication security assurance of in-vehicle systems, reinforce measures such as security authentication, domain isolation and access control, and prevent attacks such as spoofing, replay, injection and denial of service. They shall strengthen the security protection and security testing of key devices and components such as the in-vehicle information interaction system, the automotive gateway and electronic control units. They shall strengthen the access and authority management of the on-board diagnostic (OBD) interface, the universal serial bus (USB) port, the charging port, and the like. **(IV) Implement security-vulnerability management responsibility.** Intelligent connected vehicle manufacturers shall implement the relevant requirements of the Provisions on the Management of Network Product Security Vulnerabilities, and clarify the enterprise's work procedures for discovering, verifying, analyzing, repairing and reporting vulnerabilities. Upon discovering or learning of a vulnerability in a vehicle product, the manufacturer shall immediately take remedial measures and report the vulnerability information to the MIIT cybersecurity threat and vulnerability information sharing platform. Where it is necessary for users to take measures such as software or firmware upgrades to repair a vulnerability, the manufacturer shall promptly inform the potentially affected users of the vulnerability risk and the repair method, and provide the necessary technical support. ## III. Strengthening IoV Network Security Protection **(V) Strengthen the security protection capability of IoV network facilities and network systems.** Relevant enterprises shall strictly implement the requirements of graded cybersecurity protection, strengthen the asset management of network facilities and network systems, reasonably divide cybersecurity domains, strengthen access control management, ensure network boundary security protection, and take technical measures to guard against trojans, viruses, cyberattacks, network intrusions and other conduct that endangers IoV security. They shall, on their own or by entrusting testing institutions, regularly carry out cybersecurity compliance testing and risk assessment, and promptly eliminate risks and hidden dangers. **(VI) Ensure IoV communications security.** Relevant enterprises shall establish IoV identity authentication and security trust mechanisms, strengthen the secure communication capabilities of on-board communication equipment, roadside communication equipment, service platforms, and the like, take necessary technical measures such as identity authentication and encrypted transmission, prevent security risks such as forgery of communication information, data tampering and replay attacks, and safeguard the communication security of vehicle-to-vehicle, vehicle-to-road, vehicle-to-cloud, vehicle-to-device and other scenarios. Relevant enterprises and institutions are encouraged to access the MIIT IoV security trust root management platform, and to jointly promote cross-model, cross-facility and cross-enterprise interconnection, mutual recognition and interoperability. **(VII) Carry out IoV security monitoring and early warning.** The State shall strengthen the development of the IoV cybersecurity monitoring platform, and carry out the monitoring, early warning and notification of cybersecurity threats and incidents, and security assurance services. Relevant enterprises shall establish cybersecurity monitoring and early-warning mechanisms and technical means, carry out cybersecurity-related monitoring of intelligent connected vehicles, IoV service platforms and connected systems, promptly discover cybersecurity incidents or abnormal behavior, and retain the relevant network logs for not less than 6 months in accordance with provisions. **(VIII) Carry out IoV security emergency response.** Intelligent connected vehicle manufacturers and IoV service-platform operators shall establish cybersecurity emergency response mechanisms, formulate contingency plans for cybersecurity incidents, regularly conduct emergency drills, and promptly dispose of cybersecurity risks such as security threats, cyberattacks and network intrusions. Upon the occurrence of an incident endangering cybersecurity, they shall immediately activate the contingency plan, take corresponding remedial measures, and report to the relevant competent authorities in accordance with the Contingency Plan for Public Internet Cybersecurity Emergencies and other provisions. **(IX) Carry out IoV cybersecurity protection grading and filing.** Intelligent connected vehicle manufacturers and IoV service-platform operators shall, in accordance with the relevant IoV cybersecurity protection standards, carry out cybersecurity protection grading of their network facilities and systems, and file with the communications administration of the province (region or municipality) where they are located. For newly built network facilities and systems, the cybersecurity protection grade shall be determined at the planning and design stage. The communications administrations of the provinces (regions and municipalities) shall, together with the industry and information technology authorities, carry out the review of grading and filing. ## IV. Strengthening the Security Protection of IoV Service Platforms **(X) Strengthen platform cybersecurity management.** IoV service-platform operators shall take necessary security technical measures to strengthen the access security of platforms for intelligent connected vehicles, roadside equipment and the like, the facility security of platform hosts, data storage systems and the like, and the application security protection capabilities of resource management, service access interfaces and the like, so as to prevent security risks such as network intrusion, data theft and remote control. Where telecommunications business such as online data processing and transaction processing or information services business is involved, a telecommunications business operation license shall be obtained in accordance with the law. Where a platform is determined to be critical information infrastructure, the operator shall implement the relevant provisions of the Regulation on the Security Protection of Critical Information Infrastructure, use commercial cryptography for protection in accordance with relevant State standards, and, on its own or by entrusting a commercial cryptography testing institution, carry out a commercial cryptography application security assessment. **(XI) Strengthen over-the-air (OTA) upgrade-service security and vulnerability testing and assessment.** Intelligent connected vehicle manufacturers shall establish a security verification mechanism for OTA upgrade software packages, and use secure and trusted software. They shall carry out cybersecurity testing of OTA upgrade software packages and promptly discover product security vulnerabilities. They shall strengthen the security verification capabilities of the OTA upgrade service, take technical measures such as identity authentication and encrypted transmission, and safeguard the cybersecurity of the transmission environment and the execution environment. They shall strengthen cybersecurity monitoring and emergency response throughout the OTA upgrade-service process, regularly assess the cybersecurity status, and prevent cybersecurity risks such as software forgery, tampering, destruction, leakage and virus infection. **(XII) Strengthen application security management.** Intelligent connected vehicle manufacturers and IoV service-platform operators shall establish security management systems for the development, launch, use and upgrade of IoV applications, and enhance the security capabilities of applications such as identity authentication, communications security and data protection. They shall strengthen IoV application security testing, promptly dispose of security risks, and prevent attacks and propagation by malicious applications. ## V. Strengthening Data Security Protection **(XIII) Strengthen data classification and grading management.** In accordance with the principle of "whoever is in charge is responsible, whoever operates is responsible," intelligent connected vehicle manufacturers and IoV service-platform operators shall establish data management ledgers, implement data classification and grading management, and strengthen the protection of personal information and important data. They shall regularly carry out data security risk assessments, strengthen the investigation and rectification of hidden dangers, and file with the communications administration and the industry and information technology authority of the province (region or municipality) where they are located. The communications administration and the industry and information technology authority of the province (region or municipality) where they are located shall supervise and inspect the enterprises' performance of data security protection obligations. **(XIV) Enhance data security technical assurance capabilities.** Intelligent connected vehicle manufacturers and IoV service-platform operators shall collect data by legal and legitimate means, take effective technical protection measures throughout the data lifecycle, and prevent risks such as data leakage, destruction, loss, tampering, misuse and abuse. Relevant enterprises shall strengthen the development of data security monitoring, early-warning and emergency-response capabilities, and enhance their capabilities in abnormal-flow analysis, monitoring of non-compliant cross-border transmission, and traceability of security incidents; they shall promptly dispose of data security incidents, report relatively major or more serious data security incidents to the communications administration and the industry and information technology authority of the province (region or municipality) where they are located, cooperate in the conduct of relevant supervision and inspection, and provide the necessary technical support. **(XV) Standardize data development, utilization, sharing and use.** Intelligent connected vehicle manufacturers and IoV service-platform operators shall reasonably develop and utilize data resources, and prevent infringement of users' rights to privacy and to be informed when using automated decision-making technology to process data. They shall clarify the security management and responsibility requirements for data sharing and development and utilization, review and assess the data security protection capabilities of data partners, and supervise and administer the sharing and use of data. **(XVI) Strengthen cross-border data transfer security management.** Where intelligent connected vehicle manufacturers and IoV service-platform operators need to provide important data collected and generated within the territory of the People's Republic of China to overseas parties, they shall conduct a data export security assessment in accordance with the law and file with the communications administration and the industry and information technology authority of the province (region or municipality) where they are located. The communications administrations of the provinces (regions and municipalities) shall, together with the industry and information technology authorities, carry out work such as data export filing and security assessment. ## VI. Improving the Security Standards System **(XVII) Accelerate the development of IoV security standards.** The compilation of guidelines for the development of the IoV cybersecurity and data security standards system shall be accelerated. The China Communications Standards Association, the National Technical Committee of Auto Standardization, and the like, shall accelerate the organization and formulation of standards and specifications, and related testing, assessment and certification standards, for IoV protection grading, service-platform protection, vehicle vulnerability classification and grading, communication-interaction authentication, data classification and grading, incident emergency response, and the like. Relevant enterprises and social organizations are encouraged to formulate enterprise standards and group standards with technical requirements higher than national or industry standards. This Notice is hereby issued. Ministry of Industry and Information Technology September 15, 2021 --- ## Regulation on the Administration of Medical Institutions - Chinese title: 医疗机构管理条例 - Abbreviation: Medical Institutions Regulation - Hierarchy: regulation - Issuing body: State Council - Adopted: 1994-02-26 - Effective: 1994-09-01 - Status: amended - URL: https://datacompliancechina.com/laws/medical-institutions-regulation/ - Markdown: https://datacompliancechina.com/laws/medical-institutions-regulation.md - Source URL: https://policy.mofcom.gov.cn/claw/clawContent.shtml?id=94685 ### Summary A State Council administrative regulation first promulgated in 1994 that establishes the licensing, registration, and supervision framework for all medical institutions operating in China. It requires institutions to obtain and maintain an execution licence (or, for clinics, complete a filing), to practise within their registered scope, and to protect patients through informed-consent requirements and honest documentation — obligations that directly underpin the duty to safeguard medical records and patient personal information. The regulation was amended twice: in 2016 (State Council Decree No. 666) and in 2022 (State Council Decree No. 752, effective 1 May 2022), with the 2022 revision extending the clinic filing system and aligning the informed-consent standard with the Civil Code. For overseas counsel advising health-sector clients in China, this regulation is the foundational licensing instrument and provides the institutional context in which sector-specific health-data rules — including electronic medical-record standards and PIPL obligations for sensitive personal information — operate. ### Full text **Promulgated by:** State Council of the People's Republic of China. **Document No.:** State Council Decree No. 149 (1994); amended by State Council Decree No. 666 (2016) and State Council Decree No. 752 (2022). **Adopted on February 26, 1994. Effective September 1, 1994. Second amendment promulgated March 29, 2022, effective May 1, 2022.** --- ## Chapter I General Provisions **Article 1.** This Regulation is formulated in order to strengthen the administration of medical institutions, promote the development of the medical and health cause, and protect the health of citizens. **Article 2.** This Regulation applies to hospitals, health centres, sanatoria, out-patient departments, clinics, health stations (rooms), first-aid stations, and other medical institutions that engage in disease diagnosis and treatment activities. **Article 3.** Medical institutions shall operate with the purpose of saving lives and healing the sick, preventing and treating disease, and serving the health of citizens. **Article 4.** The State supports the development of medical institutions and encourages the establishment of medical institutions in diverse forms. **Article 5.** The health administrative department of the State Council is responsible for the supervision and administration of medical institutions throughout the country. The health administrative departments of local people's governments at or above the county level are responsible for the supervision and administration of medical institutions within their respective administrative regions. The health authority of the Chinese People's Liberation Army shall, in accordance with this Regulation and relevant State provisions, supervise and administer military medical institutions. --- ## Chapter II Planning, Layout, and Approval for Establishment **Article 6.** The health administrative department of a local people's government at or above the county level shall, based on the population, medical resources, medical needs, and distribution of existing medical institutions within its administrative region, formulate a plan for the establishment of medical institutions in that region. Organs, enterprises, and public institutions may establish medical institutions according to their needs, and such institutions shall be incorporated into the local plan for medical institution establishment. **Article 7.** Local people's governments at or above the county level shall incorporate medical institution establishment plans into their regional health development plans and overall plans for urban and rural development. **Article 8.** The establishment of a medical institution shall conform to the medical institution establishment plan and to the basic standards for medical institutions. The basic standards for medical institutions shall be formulated by the health administrative department of the State Council. **Article 9.** Any entity or individual that establishes a medical institution and, in accordance with State Council provisions, is required to obtain a Certificate of Approval for Establishment of a Medical Institution, shall apply to the health administrative department of the local people's government at or above the county level for examination and approval, and shall obtain a Certificate of Approval for Establishment of a Medical Institution. **Article 10.** An application to establish a medical institution shall be submitted together with the following documents: (1) an application for establishment; (2) a feasibility study report on establishment; and (3) a site-selection report and a floor plan of the proposed building. **Article 11.** An entity or individual establishing a medical institution shall submit an application for establishment in accordance with the following provisions: (1) for a medical institution with no beds or with fewer than 100 beds, the application shall be submitted to the health administrative department of the county-level people's government at the location of the institution; (2) for a medical institution with 100 or more beds, and for specialised hospitals, the application shall be submitted in accordance with the provisions of the health administrative department of the provincial-level people's government. **Article 12.** The health administrative department of a local people's government at or above the county level shall, within 30 days of accepting an application for establishment, issue a written reply granting or refusing approval. **Article 13.** The establishment of medical institutions that are planned in a unified manner by the State shall be decided by the health administrative department of the State Council. --- ## Chapter III Registration **Article 14.** A medical institution shall register before commencing practice and shall obtain a Licence for Practice of Medical Institution; a clinic may commence practice after filing with the health administrative department of the county-level people's government at its location in accordance with the provisions of the health administrative department of the State Council. **Article 15.** An application for registration to practice as a medical institution shall satisfy the following conditions: (1) where a Certificate of Approval for Establishment of a Medical Institution is required under the applicable rules, such certificate has been obtained; (2) the institution conforms to the basic standards for medical institutions; (3) the institution has an appropriate name, organisational structure, and premises; (4) the institution has funds, facilities, equipment, and qualified health technicians commensurate with the business it will carry on; (5) the institution has corresponding rules and regulations; and (6) the institution is capable of bearing civil liability independently. **Article 16.** The practice registration of a medical institution shall be handled by the health administrative department of the people's government that approved its establishment; the practice registration of a medical institution that is not required to obtain a Certificate of Approval for Establishment of a Medical Institution shall be handled by the health administrative department of the local people's government at or above the county level at the institution's location. The practice registration of a medical institution established under Article 13 of this Regulation shall be handled by the health administrative department of the people's government of the province, autonomous region, or municipality directly under the central government at the institution's location. The practice registration or filing of an out-patient department, health station (room), or clinic established by an organ, enterprise, or public institution to serve its own employees shall be handled by the health administrative department of the county-level people's government at the institution's location. **Article 17.** The main particulars to be recorded in the practice registration of a medical institution are: (1) name, address, and principal person in charge; (2) form of ownership; (3) approved clinical departments and bed number; and (4) registered capital. **Article 18.** The health administrative department of a local people's government at or above the county level shall, within 45 days of accepting an application for practice registration, conduct an examination in accordance with this Regulation and the basic standards for medical institutions. If the examination result is satisfactory, the institution shall be registered and issued a Licence for Practice of Medical Institution. **Article 19.** Where a medical institution changes its name, premises, principal person in charge, clinical departments, or bed number, it must apply to the original registration authority for a change of registration or file with the original filing authority. **Article 20.** Where a medical institution suspends operations, it must apply to the original registration authority for cancellation of registration or file with the original filing authority. A medical institution that suspends operations for more than one year for reasons other than reconstruction, expansion, or relocation shall be deemed to have suspended operations permanently. **Article 21.** A medical institution with fewer than 100 beds shall have its Licence for Practice of Medical Institution verified once every year; a medical institution with 100 or more beds shall have its Licence for Practice of Medical Institution verified once every three years. **Article 22.** A Licence for Practice of Medical Institution may not be forged, altered, sold, transferred, or lent. If a licence is lost, the loss shall be declared promptly and an application for a replacement shall be submitted to the original registration authority. --- ## Chapter IV Practice **Article 23.** No entity or individual may engage in diagnosis and treatment activities without having obtained a Licence for Practice of Medical Institution or without having completed a filing. **Article 24.** In practising, a medical institution must comply with the relevant laws, regulations, and medical and technical standards. **Article 25.** A medical institution must display its Licence for Practice of Medical Institution, the clinical departments it offers, its practice hours, and its schedule of charges in a conspicuous location. **Article 26.** A medical institution must engage in diagnosis and treatment activities within the clinical departments for which it has been approved by registration or filing. **Article 27.** A medical institution may not use persons who are not qualified health technicians to perform medical and health technical work. **Article 28.** A medical institution shall strengthen medical ethics education for its medical staff. **Article 29.** Personnel working at a medical institution must wear a badge displaying their name and position or professional title while on duty. **Article 30.** A medical institution shall immediately provide emergency treatment to critically ill patients. Where a patient cannot be diagnosed or treated due to limitations of equipment or technical capacity, the institution shall arrange for the timely referral of the patient. **Article 31.** Without a physician (or doctor's assistant) having personally examined the patient, a medical institution may not issue a certificate of disease diagnosis, a certificate of health, a death certificate, or other such certification documents; without a physician (or doctor's assistant) or a midwife having personally attended the delivery, a medical institution may not issue a birth certificate or a stillbirth report. **Article 32.** During the course of diagnosis and treatment, medical personnel shall explain to patients their condition and the medical measures to be taken. Where surgery, a special examination, or special treatment is to be performed, the medical personnel shall promptly explain to the patient in specific terms the medical risks, alternative treatment options, and other relevant matters, and shall obtain the patient's explicit consent; where it is not possible or appropriate to explain to the patient, the explanation shall be given to the patient's close relatives and their explicit consent shall be obtained. Where, due to an emergency such as rescuing a patient who is critically ill, it is impossible to obtain the opinion of the patient or their close relatives, the medical institution's person in charge or an authorised person in charge may approve the immediate implementation of appropriate medical measures. **Article 33.** Medical incidents occurring at a medical institution shall be handled in accordance with the relevant State provisions. **Article 34.** Where a medical institution provides special diagnosis, treatment, and handling for patients with infectious diseases, mental illness, occupational diseases, and the like, it shall do so in accordance with the relevant laws and regulations of the State. **Article 35.** A medical institution must strengthen the administration of pharmaceutical products in accordance with the relevant laws and regulations on pharmaceutical administration. **Article 36.** A medical institution must collect medical fees in accordance with the relevant provisions of the people's government or the pricing authority, itemise charges in detail, and issue receipts. **Article 37.** A medical institution must undertake corresponding work in disease prevention and health care, and must carry out tasks such as supporting rural areas and guiding primary-level medical and health work as assigned by the health administrative department of the people's government at or above the county level. **Article 38.** In the event of a major disaster, accident, epidemic, or other emergency, a medical institution and its health technical personnel must comply with the deployment arrangements of the health administrative department of the people's government at or above the county level. --- ## Chapter V Supervision and Administration **Article 39.** The health administrative department of a people's government at or above the county level shall exercise the following powers of supervision and administration: (1) responsibility for approval of establishment, practice registration, filing, and verification of medical institutions; (2) inspection and guidance of the practice activities of medical institutions; (3) responsibility for organising the evaluation of medical institutions; and (4) imposition of penalties on conduct that violates this Regulation. **Article 40.** The State implements a system of medical institution evaluation. An evaluation committee composed of experts shall conduct a comprehensive assessment of the practice activities, quality of medical services, and other matters of medical institutions in accordance with the medical institution evaluation methods and evaluation standards. The medical institution evaluation methods and evaluation standards shall be formulated by the health administrative department of the State Council. **Article 41.** The health administrative department of a local people's government at or above the county level is responsible for organising the medical institution evaluation committee in its administrative region. The medical institution evaluation committee shall be composed of relevant experts in hospital management, medical education, clinical medicine, medical technology, nursing, finance, and related fields. Members of the evaluation committee shall be appointed by the health administrative department of the local people's government at or above the county level. **Article 42.** Based on the evaluation opinions of the evaluation committee, the health administrative department of the local people's government at or above the county level shall issue a certificate of qualified evaluation to medical institutions that have met the evaluation standards, and shall propose handling opinions for medical institutions that have not met the evaluation standards. --- ## Chapter VI Penalties **Article 43.** Where a medical institution operates in violation of Article 23 of this Regulation without having obtained a Licence for Practice of Medical Institution, penalties shall be imposed in accordance with the Law of the People's Republic of China on the Promotion of Basic Medical and Health Care. Where a clinic operates in violation of Article 23 of this Regulation without having completed the required filing, the health administrative department of the people's government at or above the county level shall order it to make corrections, confiscate any illegal gains, and impose a fine of not more than 30,000 yuan; where the institution refuses to make corrections, it shall be ordered to cease practice activities. **Article 44.** Where a medical institution, in violation of Article 21 of this Regulation, continues to engage in diagnosis and treatment activities after the deadline for verification of its Licence for Practice of Medical Institution has passed without completing verification, the health administrative department of the people's government at or above the county level shall order it to complete verification within a time limit; where it refuses to undergo verification, its Licence for Practice of Medical Institution shall be revoked. **Article 45.** Where a Licence for Practice of Medical Institution is sold, transferred, or lent in violation of Article 22 of this Regulation, penalties shall be imposed in accordance with the Law of the People's Republic of China on the Promotion of Basic Medical and Health Care. **Article 46.** Where a medical institution, in violation of Article 26 of this Regulation, engages in diagnosis and treatment activities outside the scope of its registered or filed clinical departments, the health administrative department of the people's government at or above the county level shall issue a warning, order it to make corrections, confiscate any illegal gains, and may impose a fine of not less than 10,000 yuan and not more than 100,000 yuan depending on the circumstances; in serious cases, its Licence for Practice of Medical Institution shall be revoked or it shall be ordered to cease practice activities. **Article 47.** Where a medical institution, in violation of Article 27 of this Regulation, uses persons who are not qualified health technicians to perform medical and health technical work, the health administrative department of the people's government at or above the county level shall order it to make corrections within a time limit and may impose a fine of not less than 10,000 yuan and not more than 100,000 yuan; in serious cases, its Licence for Practice of Medical Institution shall be revoked or it shall be ordered to cease practice activities. **Article 48.** Where a medical institution, in violation of Article 31 of this Regulation, issues false certification documents, the health administrative department of the people's government at or above the county level shall issue a warning; where harm has resulted, a fine of not less than 10,000 yuan and not more than 100,000 yuan may be imposed; and the directly responsible persons shall be subject to administrative sanctions by the unit to which they belong or by the authority at a higher level. **Article 49.** Confiscated property and fines shall be paid in full into the State treasury. **Article 50.** A party that is dissatisfied with an administrative penalty decision may apply for administrative reconsideration or bring an administrative lawsuit in accordance with the laws and regulations of the State. Where a party has neither applied for reconsideration nor instituted legal proceedings within the statutory time limit and has failed to comply with the penalty decision imposing a fine or ordering confiscation of pharmaceutical products or equipment, the health administrative department of the people's government at or above the county level may apply to the people's court for compulsory enforcement. --- ## Chapter VII Supplementary Provisions **Article 51.** Medical institutions that were already in practice before this Regulation came into effect shall, within six months after this Regulation comes into effect, complete the registration procedures and obtain a Licence for Practice of Medical Institution in accordance with Chapter III of this Regulation. **Article 52.** Measures for the administration of medical institutions established in the territory of the People's Republic of China by foreigners, and of medical institutions established in the mainland by residents of Hong Kong, Macao, and Taiwan, shall be separately formulated by the health administrative department of the State Council. **Article 53.** This Regulation shall come into force on September 1, 1994. The Interim Regulations on the Administration of Hospitals and Clinics, approved and issued by the Government Administration Council in 1951, are simultaneously repealed. --- ## Anti-Unfair Competition Law of the People's Republic of China - Chinese title: 中华人民共和国反不正当竞争法 - Abbreviation: AUCL - Hierarchy: law - Issuing body: National People's Congress Standing Committee - Adopted: 2025-06-27 - Effective: 2025-10-15 - Status: effective - URL: https://datacompliancechina.com/laws/anti-unfair-competition-law/ - Markdown: https://datacompliancechina.com/laws/anti-unfair-competition-law.md - Source URL: https://www.spp.gov.cn/spp/fl/202506/t20250627_699862.shtml ### Full text > *DCC catalogue entry — summary, not full text.* ## Why this law matters for the data field The **Anti-Unfair Competition Law (反不正当竞争法, "AUCL")** is China's general statute against unfair market conduct, enforced administratively by **SAMR (市场监管总局)** and litigated privately in the courts. For most of its history it had **nothing specific to say about data** — so Chinese courts policed data scraping and data free-riding through **Article 2**, the open-textured good-faith / business-ethics general clause. That is the basis on which the headline data cases of the past few years were decided, including [Datatang v. Yinmu](/posts/datatang-v-yinmu-data-ip-registration-case/) and the [AI-ghostwritten "seeding post" case](/posts/ai-seeding-post-unfair-competition-case/). The **third revision, adopted 27 June 2025 and effective 15 October 2025**, changed that by adding a **purpose-built data clause**. ## The data clause — Article 13 Article 13 prohibits an **operator (经营者)** from using **fraud, coercion, circumventing or breaking technical management measures, or other improper means** to **acquire or use data lawfully held by another operator (其他经营者合法持有的数据)** in a way that **harms that operator's lawful rights and interests and disrupts the order of market competition**. The revision also: - reads **"technical management measures"** broadly — covering data, algorithms, technology, platform rules, and the like; and - adds related provisions on **abuse of platform rules** (instructing or carrying out fake transactions, fake reviews, malicious returns, etc.). ## How the courts are reading it The first published application is the **Beijing Internet Court's 30 April 2026 judgment** holding that **scraping and reselling a career-networking platform's user data is unfair competition** — see DCC's brief, [China's First Ruling Under the New AUCL "Data Clause"](/posts/aucl-data-clause-first-case-platform-scraping/). That judgment supplies the working test counsel should track: - a **four-element framework** — *object* (data lawfully held by another operator), *subject* (the actor is an operator), *conduct* (improper acquisition/use), *result* (harm to the other operator + disruption of market-competition order); and - a **definition of "data lawfully held"** — a dataset **lawfully collected, stored or used**, **formed through the operator's substantial investment**, and **capable of bringing it business benefit or competitive advantage**. Notably, the analysis is **conduct- and investment-focused** rather than turning on whether a statutory data *property right* exists, and it **de-emphasises the old "competitive relationship" requirement** — both moves that widen the clause's reach. ## Briefs on this law DCC briefs that turn on the AUCL are linked from this page's "Briefs on this law" section (any post whose `laws:` references this entry). --- ## Notice Issuing the Measures for the Administration of Internet Diagnosis and Treatment (Trial) and Two Related Documents - Chinese title: 关于印发《互联网诊疗管理办法(试行)》等3个文件的通知 - Abbreviation: Internet Diagnosis & Treatment Measures - Hierarchy: rule - Issuing body: National Health Commission and National Administration of Traditional Chinese Medicine - Adopted: 2018-07-17 - Effective: 2018-07-17 - Status: effective - URL: https://datacompliancechina.com/laws/internet-diagnosis-treatment-measures/ - Markdown: https://datacompliancechina.com/laws/internet-diagnosis-treatment-measures.md - Source URL: https://www.gov.cn/zhengce/zhengceku/2018-12/31/content_5435436.htm ### Summary Issued jointly by the National Health Commission and the National Administration of Traditional Chinese Medicine in July 2018, Document No. 国卫医发〔2018〕25号 establishes the foundational regulatory framework for internet-based healthcare in China through three companion instruments. The first document, the Measures for the Administration of Internet Diagnosis and Treatment (Trial), restricts online diagnosis to follow-up consultations for previously diagnosed common and chronic diseases, prohibits first-visit online diagnosis, and requires healthcare institutions to safeguard patient information, adopt Cybersecurity Multi-Level Protection Scheme Level 3, and immediately report data breaches to health authorities. The Internet Hospital Measures (Trial) sets licensing conditions for internet hospitals, mandates real-name identity authentication for medical staff, and imposes patient-privacy and information-security duties including prohibition on illegally selling or disclosing patient data. The Telemedicine Service Norms (Trial) governs inter-institutional telemedicine referrals, requires written informed consent, mandates real-name patient management, and obliges all participating parties to protect information security and patient privacy. Together these instruments are the gateway rules for any digital-health or telemedicine product operating in China: they determine which online medical services are lawful, what licensing is required, and how patient personal information and medical records must be handled and protected. ### Full text **Promulgated by:** National Health Commission of the People's Republic of China; National Administration of Traditional Chinese Medicine. **Document No.:** 国卫医发〔2018〕25号. **Adopted July 17, 2018. Effective July 17, 2018.** --- ## Measures for the Administration of Internet Diagnosis and Treatment (Trial) *(Annex 1 to the Notice — full translation)* ### Chapter I General Provisions **Article 1.** These Measures are formulated in order to implement the Opinions of the General Office of the State Council on Promoting the Development of "Internet Plus Medical and Health Services," to regulate internet diagnosis and treatment activities, to promote the healthy and rapid development of internet medical services, and to safeguard medical quality and medical safety, in accordance with the Law on Practising Physicians, the Regulations on the Administration of Medical Institutions, and other laws and regulations. **Article 2.** For the purposes of these Measures, "internet diagnosis and treatment" refers to medical activities in which a medical institution, using physicians registered at that institution, conducts, through the internet and other information technologies, follow-up consultations for certain common diseases and chronic diseases, and provides "Internet Plus" family-doctor contracted services. **Article 3.** The State shall implement access-control administration over internet diagnosis and treatment activities. **Article 4.** The health administration department of the State Council and the competent department for traditional Chinese medicine shall be responsible for the supervision and administration of internet diagnosis and treatment activities nationwide. Local health administration departments at all levels (including competent departments for traditional Chinese medicine; the same applies below) shall be responsible for the supervision and administration of internet diagnosis and treatment activities within their respective jurisdictions. ### Chapter II Access to Internet Diagnosis and Treatment Activities **Article 5.** Internet diagnosis and treatment activities shall be provided by medical institutions that have obtained a Medical Institution Practice Licence. **Article 6.** A medical institution newly applying to establish operations that intends to carry out internet diagnosis and treatment activities shall indicate this in its establishment application and shall describe, in the feasibility study report for the establishment, matters relating to the conduct of internet diagnosis and treatment activities. If it cooperates with a third-party institution to establish an information system for internet diagnosis and treatment services, it shall submit a cooperation agreement. **Article 7.** After accepting an application, the health administration department shall review it in accordance with the relevant provisions of the Regulations on the Administration of Medical Institutions and the Rules for the Implementation of the Regulations on the Administration of Medical Institutions, and shall issue a written reply of approval or non-approval within the prescribed time. If the establishment is approved and the conduct of internet diagnosis and treatment is consented to, that consent shall be noted in the Letter of Approval for the Establishment of a Medical Institution. The medical institution shall apply for practice registration in accordance with the relevant laws, regulations, and rules. **Article 8.** A medical institution that has already obtained a Medical Institution Practice Licence and intends to carry out internet diagnosis and treatment activities shall submit to the licence-issuing authority an application for practice registration to conduct internet diagnosis and treatment activities, together with the following materials: (1) an application letter signed with consent by the legal representative or principal responsible person of the medical institution, stating the reasons and grounds for applying to carry out internet diagnosis and treatment activities; (2) if cooperating with a third-party institution to establish an information system for internet diagnosis and treatment services, the cooperation agreement; and (3) other materials required to be submitted by the registration authority. **Article 9.** The practice registration authority shall review the application materials for medical institution registration in accordance with the relevant laws, regulations, and rules. Those that pass review shall be registered, and "internet diagnosis and treatment" shall be added under the service modalities in the duplicate of the Medical Institution Practice Licence. Those that fail review shall be notified of the review results in writing. **Article 10.** The cooperation agreement between a medical institution and a third-party institution shall clearly specify the rights, responsibilities, and obligations of each party with respect to medical services, information security, and privacy protection. **Article 11.** The internet diagnosis and treatment activities carried out by a medical institution shall be consistent with its approved diagnostic and treatment subjects. A medical institution may not conduct the corresponding internet diagnosis and treatment activities for diagnostic and treatment subjects not approved by the health administration department. ### Chapter III Practice Rules **Article 12.** Internet diagnosis and treatment activities carried out by a medical institution shall comply with medical administration requirements, and the medical institution shall establish rules and regulations on medical quality and medical safety. **Article 13.** A medical institution carrying out internet diagnosis and treatment activities shall possess equipment, facilities, information systems, technical personnel, and information security systems that satisfy the requirements of internet technology, and shall implement Cybersecurity Multi-Level Protection Scheme Level 3 protection. **Article 14.** Physicians and nurses who carry out internet diagnosis and treatment activities shall be searchable through the national electronic registration system for physicians and nurses. Medical institutions shall conduct electronic real-name authentication of medical personnel who carry out internet diagnosis and treatment activities, and are encouraged, where conditions permit, to strengthen the management of medical personnel through facial recognition and other biometric identification technologies. **Article 15.** Where a primary-level medical and health institution implements "Internet Plus" family-doctor contracted services, it shall inform patients of the service content, procedures, the rights and responsibilities of both parties, and risks that may arise, in the agreement, and shall execute an informed consent document. **Article 16.** When a medical institution conducts online follow-up consultations for certain common diseases and chronic diseases, the physician shall have access to the patient's medical records and shall confirm that the patient has received a definitive diagnosis of one or more common diseases or chronic diseases at a physical medical institution before conducting follow-up consultations for the same diagnosis. When a change in a patient's condition requires in-person examination by medical personnel, the medical institution and its medical personnel shall immediately terminate the internet diagnosis and treatment activity and guide the patient to a physical medical institution for consultation. Internet diagnosis and treatment activities may not be conducted for first-visit patients. **Article 17.** A medical institution carrying out internet diagnosis and treatment activities shall, in accordance with the requirements of the Provisions on the Administration of Medical Institution Medical Records, the Basic Standards for Electronic Medical Records (Trial), and other relevant documents, establish electronic medical records for patients and administer them in accordance with the prescribed requirements. **Article 18.** A medical institution carrying out internet diagnosis and treatment activities shall strictly comply with the Administrative Measures for Prescriptions and other prescription administration regulations. After obtaining access to a patient's medical records, a physician may issue prescriptions online for certain patients with common diseases or chronic diseases. Prescriptions issued online must bear the physician's electronic signature; after review by a pharmacist, medical institutions and pharmaceutical business enterprises may entrust eligible third-party institutions to make deliveries. **Article 19.** When carrying out internet diagnosis and treatment activities, medical institutions may not issue prescriptions for narcotic drugs, psychotropic drugs, or other specially administered drugs. When issuing internet prescriptions for paediatric medication for young children (under 6 years of age), it shall be confirmed that the child patient has a guardian and a qualified specialist physician present. **Article 20.** Medical institutions shall strictly enforce the laws and regulations concerning information security and the confidentiality of medical data, shall properly safeguard patient information, and may not illegally purchase, sell, or disclose patient information. Following a leak of patient information or medical data, the medical institution shall promptly report to the competent health administration department and shall immediately take effective response measures. **Article 21.** Internet diagnosis and treatment activities carried out by medical institutions shall comply with the relevant tiered-diagnosis-and-treatment regulations and shall be adapted to the institution's functional orientation. **Article 22.** The use of internet technology within medical consortiums is encouraged to accelerate the realisation of up-and-down interconnection of medical resources, improve the capacity and efficiency of primary-level medical services, and advance the establishment of an orderly tiered-diagnosis-and-treatment pattern. Tertiary hospitals are encouraged to refer patients downward within medical consortiums through internet diagnosis and treatment information systems. **Article 23.** Tertiary hospitals shall prioritise the development of internet medical services with secondary hospitals and primary-level medical and health institutions, and shall provide technical support for internet diagnosis and treatment activities carried out by primary-level medical and health institutions. ### Chapter IV Supervision and Administration **Article 24.** Medical institutions shall strengthen the administration of internet diagnosis and treatment activities, establish and improve relevant management systems and service procedures, ensure that the entire process of internet diagnosis and treatment activities is recorded and traceable, and open data interfaces to supervisory authorities. **Article 25.** A physician who carries out internet diagnosis and treatment activities shall have lawfully obtained the corresponding practice qualifications, have three or more years of independent clinical work experience, and have obtained the consent of the medical institution at which the physician is registered. **Article 26.** Internet diagnosis and treatment activities carried out by medical institutions shall be supervised and administered by county-level and above local health administration departments, in accordance with the principle of territorial administration. **Article 27.** County-level and above local health administration departments shall publicly disclose the list of medical institutions permitted to carry out internet diagnosis and treatment activities, disclose supervision telephone numbers or other supervision methods, and promptly accept and handle reports of unlawful or non-compliant internet diagnosis and treatment services. Where non-compliance with the provisions of these Measures is discovered, relevant competent departments shall be notified in a timely manner. **Article 28.** Where a lower-level health administration department fails to administer internet diagnosis and treatment activities in accordance with the Regulations on the Administration of Medical Institutions and these Measures, the higher-level health administration department shall make corrections in a timely manner. **Article 29.** County-level and above local health administration departments shall give full play to the role of social organisations and strengthen industry supervision and self-discipline with respect to internet diagnosis and treatment activities. ### Chapter V Supplementary Provisions **Article 30.** Medical institutions that had already been carrying out internet diagnosis and treatment activities before the implementation of these Measures shall resubmit practice registration applications in accordance with the requirements of these Measures within 30 days of the date of implementation. **Article 31.** Telemedicine services shall be administered in accordance with the Telemedicine Service Management Norms (Trial) and other relevant documents. Internet hospitals shall be administered in accordance with the Internet Hospital Management Measures (Trial). **Article 32.** These Measures shall take effect on the date of promulgation. --- ## Companion Documents ### Internet Hospital Management Measures (Trial) — Structured Summary *(Annex 2 to the Notice)* **Scope and definition.** An "internet hospital" is either: (a) a second name used by a physical medical institution, or (b) an internet hospital independently established in reliance on a physical medical institution. The State applies access-control administration in accordance with the Regulations on the Administration of Medical Institutions. **Chapter I — General Provisions (Articles 1–4).** The Measures aim to promote healthy development of internet hospitals, regulate their administration, improve service efficiency, and safeguard medical quality and safety. Supervisory authority rests with health administration departments at the State Council level (nationwide) and at all local levels (within their respective jurisdictions). **Chapter II — Internet Hospital Access (Articles 5–13).** A physical medical institution that establishes an internet hospital — whether alone or with a third party — must apply to register the internet hospital as a second name. Before internet hospital access applications are processed, provincial health administration departments must establish a provincial internet medical services supervision platform linked in real time to the internet hospital's information platform (Article 6). Application materials include an establishment application, a feasibility study, the address of the relying physical institution, and the signed cooperation agreement (Article 7). The information system shall implement Cybersecurity Multi-Level Protection Scheme Level 3 (Article 15). Naming conventions are specified: the institution's own name plus "Internet Hospital," optionally with the cooperative partner's identifier (Article 12). **Chapter III — Practice Rules (Articles 14–26).** - *Real-name authentication.* Physicians and nurses must be queryable in the national electronic registration system; the internet hospital shall conduct electronic real-name authentication of all medical personnel, and is encouraged to use facial recognition or other biometric technologies (Article 16). - *Patient-facing rules.* The internet hospital must give risk disclosures and obtain the patient's informed consent (Article 18). If the patient has not been seen at a physical institution, the physician may only provide follow-up consultation services for certain common diseases or chronic diseases; first-visit online diagnosis is prohibited. Family-doctor contracted services are permitted (Article 19). - *Prescriptions.* All online diagnoses and prescriptions must bear the physician's electronic signature. Prescriptions must be reviewed and approved by a pharmacist before taking effect. Narcotic drugs, psychotropic drugs, and other drugs subject to special administration may not be prescribed online. Prescriptions for paediatric patients under 6 years require confirmation that a guardian and a specialist physician are present (Article 20). - *Electronic medical records.* Patients may query their test results, diagnosis and treatment plans, prescriptions, and medical orders online. Records must be established and managed in accordance with the Provisions on the Administration of Medical Institution Medical Records (Article 21). - *Patient information protection.* Medical institutions shall strictly enforce information security and medical data confidentiality laws. They may not illegally purchase, sell, or disclose patient information. Upon a patient information or medical data leak, the medical institution shall promptly report to the competent health administration department and immediately take effective response measures (Article 23). - *Medical liability insurance.* The physical institution or third-party applicant must purchase medical liability insurance for physicians (Article 24). **Chapter IV — Supervision and Administration (Articles 27–34).** Provincial health administration departments and internet hospital registration authorities jointly supervise internet hospitals through the provincial supervision platform, focusing on personnel, prescriptions, diagnosis and treatment conduct, patient privacy protection, and information security (Article 30). Internet hospitals are integrated into local medical quality control systems and evaluated in the same institutional-assessment framework as physical hospitals. Legal liability rests with the internet hospital if it holds a separate Medical Institution Practice Licence, or with the physical medical institution if the internet hospital is a second name (Article 32). **Chapter V — Supplementary Provisions (Articles 35–36).** Internet hospitals already approved or filed before implementation must resubmit establishment and practice registration applications within 30 days of the effective date. **Annex — Internet Hospital Basic Standards (Trial).** The appendix specifies minimum infrastructure requirements: at least 2 servers (database and application servers separated; no servers storing medical data may be located outside China); at least 2 audio-video communication systems; network bandwidth of at least 10 Mbps from at least 2 internet service providers; real-time data exchange with the relying physical institution's HIS, PACS/RIS, and LIS systems; and Cybersecurity Multi-Level Protection Scheme Level 3 implementation. --- ### Telemedicine Service Management Norms (Trial) — Structured Summary *(Annex 3 to the Notice)* **Preamble and scope.** The Norms are issued pursuant to the State Council General Office's Opinions on Promoting "Internet Plus Medical and Health Services" (Guo Ban Fa [2018] No. 26). "Telemedicine services" cover two scenarios: (a) direct institution-to-institution telemedicine where an inviting institution requests a responding institution to use information technology to support diagnosis and treatment of the inviting institution's patients, with rights and responsibilities clarified by agreement; and (b) platform-based telemedicine where an inviting institution or third party operates a platform, the responding institution registers on the platform, and patient-care support is provided by matched responding institutions. A critical demarcation: if the inviting institution directly engages individual medical personnel through an information platform to provide online medical services, it must apply to establish an internet hospital under the Internet Hospital Measures. **Section II — Basic Conditions.** Medical institutions must hold health administration department approval for the relevant diagnostic and treatment subjects, have qualified personnel registered at the institution, and maintain adequate telemedicine management systems, quality-and-safety controls, and information technology safeguards. Personnel requirements specify that the inviting institution must have at least one licensed physician present (or, for primary-level institutions, a licensed assistant physician or rural doctor may attend); the responding institution must have at least one licensed physician with three or more years of independent clinical experience. **Section III — Service Procedures and Requirements.** - *Cooperation agreement.* Both direct and platform-based telemedicine requires a written or electronic cooperation agreement specifying purpose, conditions, scope, procedures, rights, obligations, and risk allocation (including medical-damage risk-sharing). - *Informed consent.* The inviting institution must, according to the patient's condition and wishes, inform the patient of the telemedicine service content and fees and obtain the patient's written consent by having the patient sign a telemedicine informed consent document. Where informing the patient directly is inappropriate, the guardian's or close relative's written consent must be obtained. - *Remote consultation (远程会诊).* The responding institution provides diagnostic and treatment opinions; the inviting institution determines the diagnosis and treatment plan. The responding institution issues a written diagnostic opinion report signed by the relevant physician. Within medical consortiums, standing mechanisms for remote electrocardiogram, imaging, and pathology diagnosis may be established. - *Remote diagnosis (远程诊断).* Where inviting and responding institutions have established a paired-support or consortium relationship, the inviting institution performs medical imaging, pathology, electrocardiogram, or ultrasound examinations and the responding (superior) institution renders the diagnosis; the specific procedure is determined by agreement. - *Records retention.* Both institutions must jointly complete the medical record documentation in accordance with medical record writing and preservation requirements; originals are filed separately by each institution. Telemedicine-related documents may be transmitted by fax, scanned copy, or electronically signed electronic file. After providing consultation services, medical personnel must record the consultation information. **Section IV — Management Requirements.** - *Institution management.* Institutions must implement management rules, execute quality-control systems, respond to emergencies, and ensure continuous normal operation of telemedicine information systems. All participating parties must strengthen information security and patient privacy protection, prevent unauthorised transmission or modification, prevent data loss, establish data security management procedures, and ensure network security, operational security, data security, and privacy security. Cooperation agreements with third-party institutions must clearly specify the rights, obligations, and legal responsibilities of each party. - *Patient personal information and real-name management.* The Norms specifically require institutions to implement real-name (实名制) management of patients and to continuously improve medical quality as part of quality-management systems. They must establish sound patient communication mechanisms, protect patients' right to informed consent, and safeguard patients' lawful rights and interests. - *Quality management.* Institutions must apply nationally issued or recognised clinical technical standards, implement a medical quality management system, and accept business guidance and supervision from health administration departments and quality control centres. **Section V — Strengthened Supervision.** Local health administration departments at all levels must supervise telemedicine services and integrate them into local medical quality control systems. In the event of a medical dispute arising from telemedicine: for remote consultation, the inviting institution bears the corresponding legal responsibility; for remote diagnosis, the inviting and responding institutions jointly bear legal responsibility. Where a third-party platform is involved, liability is allocated among the inviting institution, responding institution, and platform operator pursuant to the applicable laws and the agreement among the parties. --- ## Several Provisions on Automotive Data Security Management (Trial) - Chinese title: 汽车数据安全管理若干规定(试行) - Abbreviation: Automotive Data Provisions - Hierarchy: rule - Issuing body: Cyberspace Administration of China; National Development and Reform Commission; MIIT; Ministry of Public Security; Ministry of Transport - Adopted: 2021-08-16 - Effective: 2021-10-01 - Status: effective - URL: https://datacompliancechina.com/laws/automotive-data-security-provisions/ - Markdown: https://datacompliancechina.com/laws/automotive-data-security-provisions.md ### Summary These Provisions are the foundational rule governing the processing of automotive data — both personal information and important data arising in the design, production, sale, use and maintenance of vehicles. They define automotive data, personal/sensitive personal information and important data (including a list of important-data categories), set out processing principles (in-vehicle processing, default no-collection, precision-range applicability, anonymization), notice-and-consent requirements, important-data risk assessment and annual reporting, and domestic storage with security assessment for cross-border transfer. Jointly issued by the CAC, NDRC, MIIT, MPS and MOT as Order No. 7 and effective October 1, 2021. ### Full text **Promulgated by:** Cyberspace Administration of China, National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security, and Ministry of Transport. **Document No.:** Order No. 7 of the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the Ministry of Transport. **Adopted at the 10th room executive meeting of the Cyberspace Administration of China in 2021 on July 5, 2021. Issued August 16, 2021. Effective October 1, 2021.** --- **Article 1.** These Provisions are formulated in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China and other laws and administrative regulations, in order to regulate automotive data processing activities, protect the legitimate rights and interests of individuals and organizations, safeguard national security and the public interest of society, and promote the reasonable development and utilization of automotive data. **Article 2.** Automotive data processing activities carried out within the territory of the People's Republic of China and the security supervision thereof shall comply with the requirements of relevant laws, administrative regulations and these Provisions. **Article 3.** "Automotive data" as referred to in these Provisions includes personal information data and important data involved in the processes of automotive design, production, sale, use, operation and maintenance. "Automotive data processing" includes the collection, storage, use, processing, transmission, provision, disclosure and the like, of automotive data. "Automotive data processors" refers to organizations that carry out automotive data processing activities, including automobile manufacturers, parts and software suppliers, dealers, repair institutions, and mobility service enterprises. "Personal information" refers to various information recorded electronically or by other means that relates to an identified or identifiable vehicle owner, driver, passenger, person outside the vehicle, or the like, but does not include anonymized information. "Sensitive personal information" refers to personal information that, once leaked or illegally used, may cause the vehicle owner, driver, passenger, person outside the vehicle, or the like, to suffer discrimination or serious harm to personal or property safety, including vehicle location tracks, audio, video, images, and biometric features. "Important data" refers to data that, once tampered with, destroyed, leaked, or illegally obtained or used, may endanger national security, the public interest, or the legitimate rights and interests of individuals or organizations, including: (I) geographic information, personnel flow, vehicle flow and other data of important and sensitive areas such as military administration zones, units of national defense science, technology and industry, and Party and government organs at or above the county level; (II) data reflecting economic operation such as vehicle flow and logistics; (III) operating data of the automotive charging network; (IV) video and image data outside the vehicle containing face information, license-plate information, and the like; (V) personal information involving more than 100,000 personal-information subjects; (VI) other data determined by the national cyberspace administration and the relevant departments of the State Council for development and reform, industry and information technology, public security, transport, and the like, that may endanger national security, the public interest, or the legitimate rights and interests of individuals or organizations. **Article 4.** Automotive data processors processing automotive data shall do so in a lawful, legitimate, specific and clear manner, directly related to the design, production, sale, use, operation and maintenance of vehicles. **Article 5.** When carrying out automotive data processing activities using the Internet and other information networks, the cybersecurity multi-level protection scheme and other systems shall be implemented, automotive data protection shall be strengthened, and data security obligations shall be performed in accordance with the law. **Article 6.** The State encourages the lawful, reasonable and effective utilization of automotive data, and advocates that automotive data processors, in carrying out automotive data processing activities, adhere to: (I) the in-vehicle processing principle — not providing data outside the vehicle unless truly necessary; (II) the default no-collection principle — defaulting to a no-collection state for each drive unless the driver sets otherwise on their own; (III) the precision-range applicability principle — determining the coverage and resolution of cameras, radars and the like according to the data-precision requirements of the functions and services provided; (IV) the desensitization principle — carrying out anonymization, de-identification and other processing as far as possible. **Article 7.** Automotive data processors processing personal information shall inform individuals of the following matters by conspicuous means such as the user manual, the on-board display panel, voice, and vehicle-use-related applications: (I) the types of personal information processed, including vehicle location tracks, driving habits, audio, video, images and biometric features; (II) the specific situations in which each type of personal information is collected, and the methods and channels for ceasing collection; (III) the purpose, use and method of processing each type of personal information; (IV) the place and period of storage of the personal information, or the rules for determining the place and period of storage; (V) the methods and channels for accessing and copying their personal information, deleting personal information within the vehicle, and requesting the deletion of personal information already provided outside the vehicle; (VI) the name and contact information of the contact person for matters concerning user rights and interests; (VII) other matters required to be informed by laws and administrative regulations. **Article 8.** Automotive data processors processing personal information shall obtain the consent of the individual or meet other circumstances prescribed by laws and administrative regulations. Where, due to the need to ensure driving safety, it is impossible to obtain the individual's consent for personal information collected outside the vehicle and provided outside the vehicle, anonymization shall be carried out, including deleting images that contain content capable of identifying a natural person, or partially contouring face information and the like in the images. **Article 9.** Automotive data processors processing sensitive personal information shall meet the following requirements, or meet other requirements such as laws, administrative regulations and mandatory national standards: (I) having the purpose of directly serving the individual, including enhancing driving safety, intelligent driving, and navigation; (II) informing the individual of the necessity and the impact on the individual by conspicuous means such as the user manual, the on-board display panel, voice, and vehicle-use-related applications; (III) obtaining the individual's separate consent, with the individual able to set the consent period on their own; (IV) on the premise of ensuring driving safety, indicating the collection status in an appropriate manner and providing convenience for the individual to terminate collection; (V) where the individual requests deletion, the automotive data processor shall delete it within ten working days. An automotive data processor may collect biometric features such as fingerprints, voiceprints, faces and heart rhythms only where it has the purpose of enhancing driving safety and sufficient necessity. **Article 10.** Automotive data processors carrying out important-data processing activities shall conduct a risk assessment in accordance with provisions, and submit a risk assessment report to the cyberspace administration and the relevant departments of the province, autonomous region or municipality directly under the Central Government. The risk assessment report shall include the type, quantity, scope, place and period of storage, and method of use of the important data processed, the conduct of data processing activities, whether the data is provided to third parties, the data security risks faced and the response measures thereto, and the like. **Article 11.** Important data shall be stored within the territory in accordance with the law; where it is truly necessary to provide it overseas due to business needs, it shall pass the security assessment organized by the national cyberspace administration together with the relevant departments of the State Council. The cross-border security management of personal-information data not included in the important data shall be governed by the relevant provisions of laws and administrative regulations. Where the international treaties and agreements concluded or acceded to by China provide otherwise, such international treaties and agreements shall apply, except for clauses on which China has declared reservations. **Article 12.** An automotive data processor providing important data overseas shall not exceed the purpose, scope, method, and data type and scale, and the like, clarified at the time of the export security assessment. The national cyberspace administration shall, together with the relevant departments of the State Council, verify the matters prescribed in the preceding paragraph by means of spot checks and the like, and the automotive data processor shall cooperate and present such matters in a readable and otherwise convenient manner. **Article 13.** Automotive data processors carrying out important-data processing activities shall, before December 15 of each year, submit the following annual automotive data security management situation to the cyberspace administration and the relevant departments of the province, autonomous region or municipality directly under the Central Government: (I) the name and contact information of the person responsible for automotive data security management and of the contact person for matters concerning user rights and interests; (II) the type, scale, purpose and necessity of the automotive data processed; (III) the security protection and management measures for automotive data, including the place and period of storage, and the like; (IV) the situation of providing automotive data to third parties within the territory; (V) automotive data security incidents and the disposal thereof; (VI) user complaints related to automotive data and the handling thereof; (VII) other automotive data security management situations clarified by the national cyberspace administration together with the relevant departments of the State Council for industry and information technology, public security, transport, and the like. **Article 14.** Automotive data processors providing important data overseas shall, on the basis required by Article 13 of these Provisions, additionally report the following: (I) the basic situation of the recipient; (II) the type, scale, purpose and necessity of the automotive data exported; (III) the place, period, scope and method of storage of the automotive data overseas; (IV) user complaints related to the provision of automotive data overseas and the handling thereof; (V) other situations clarified by the national cyberspace administration together with the relevant departments of the State Council for industry and information technology, public security, transport, and the like, that need to be reported regarding the provision of automotive data overseas. **Article 15.** The national cyberspace administration and the relevant departments of the State Council for development and reform, industry and information technology, public security, transport, and the like, shall, in accordance with their duties and based on the situation of data processing, conduct data security assessments of automotive data processors, and the automotive data processors shall cooperate. The institutions and personnel participating in the security assessment shall not disclose the commercial secrets or undisclosed information of the automotive data processor that they become aware of in the assessment, and shall not use the information they become aware of in the assessment for purposes other than the assessment. **Article 16.** The State shall strengthen the development of the intelligent (connected) vehicle network platform, carry out the network access operation and security assurance services of intelligent (connected) vehicles, and the like, and, in coordination with automotive data processors, strengthen the network and automotive data security protection of intelligent (connected) vehicles. **Article 17.** Automotive data processors carrying out automotive data processing activities shall establish complaint and reporting channels, set up convenient complaint and reporting entrances, and promptly handle user complaints and reports. Where the carrying out of automotive data processing activities causes harm to the legitimate rights and interests of users or to the public interest, the automotive data processor shall bear corresponding liability in accordance with the law. **Article 18.** Where an automotive data processor violates these Provisions, the relevant departments at or above the provincial level for cyberspace, industry and information technology, public security, transport, and the like, shall impose penalties in accordance with the provisions of the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China and other laws and administrative regulations; where a crime is constituted, criminal liability shall be pursued in accordance with the law. **Article 19.** These Provisions shall come into force on October 1, 2021. --- ## Provisions on Strengthening the Administration of Prescription-Volume Statistics (Tongfang) in Healthcare Institutions - Chinese title: 关于加强医疗卫生机构统方管理的规定 - Abbreviation: Tongfang Management Provisions - Hierarchy: rule - Issuing body: National Health and Family Planning Commission and State Administration of Traditional Chinese Medicine - Adopted: 2014-11-20 - Effective: 2015-01-01 - Status: effective - URL: https://datacompliancechina.com/laws/tongfang-management-provisions/ - Markdown: https://datacompliancechina.com/laws/tongfang-management-provisions.md - Source URL: https://www.nhc.gov.cn/jws/s3577/201401/c29d9662d7784fe891a17b1ef01dbd8a.shtml ### Summary Issued jointly by the National Health and Family Planning Commission and the State Administration of Traditional Chinese Medicine in November 2014 (Document No. 国卫纠发〔2014〕1号) and effective January 1, 2015, these Provisions define and tightly restrict access to prescription-volume statistics (tongfang) — the statistical compilation of individual physicians' or departments' drug and medical-consumable usage volumes — in order to sever the data conduit through which pharmaceutical companies pay kickbacks to prescribers. Core obligations include access-control and least-privilege rules for hospital information systems, mandatory query-logging and anomaly review, binding confidentiality agreements with IT vendors, a categorical prohibition on disclosing individual or departmental tongfang data to pharmaceutical or device marketers, and a ban on linking clinician income to prescription volumes. An early health-sector data-access-governance and anti-corruption measure, these Provisions remain operative and are relevant to overseas pharmaceutical and medical-device companies operating in China: supplying, inducing, or receiving tongfang data constitutes a compliance risk under both these Provisions and China's anti-commercial-bribery rules. ### Full text **Promulgated by:** National Health and Family Planning Commission; State Administration of Traditional Chinese Medicine. **Document No.:** 国卫纠发〔2014〕1号. **Adopted November 20, 2014. Effective January 1, 2015.** --- **Article 1.** These Provisions are formulated in accordance with the Notice on Issuing the "Nine Prohibitions" for Strengthening Conduct in the Healthcare Sector (Document No. 国卫办发〔2013〕49号) and relevant laws and regulations, in order to further standardize medical and health service conduct, strengthen industry ethics, strictly prohibit prescription-volume statistics (tongfang) for improper commercial purposes, and maintain normal working order. **Article 2.** As used in these Provisions, "prescription-volume statistics (tongfang)" means the statistical compilation, by healthcare institutions, their departments, or healthcare personnel, of information on the volumes of drugs and medical consumables used by healthcare institutions, departments, or healthcare personnel, through certain methods and channels, based on work needs. "Tongfang for improper commercial purposes" means the compilation or provision, by healthcare institutions, their departments, or healthcare personnel, of information on the volumes of drugs or medical consumables used by healthcare institutions, departments, or healthcare personnel, for improper commercial purposes, or the provision of assistance to pharmaceutical marketers in conducting such compilation. **Article 3.** Local health and family planning administrative authorities, traditional Chinese medicine administration authorities, and healthcare institutions of all levels and types shall establish and improve relevant working systems, strengthen the administration of prescription-volume statistics, and strictly prohibit tongfang for improper commercial purposes. **Article 4.** The principal responsible person of a healthcare institution shall be the first responsible person for prescription-volume statistics administration within that institution. Healthcare institutions shall strengthen legal education for healthcare personnel, establish and improve廉洁 supervision systems for risk-sensitive posts, implement focused supervision and management over key links and positions involving tongfang, establish a system of regular rotation for personnel in key posts, and establish and implement systems of positional responsibility and accountability. **Article 5.** Healthcare institutions shall strictly implement the Provisions on Establishing Adverse Records for Commercial Bribery in the Pharmaceutical Procurement and Sales Sector (Document No. 国卫法制发〔2013〕50号). In no form shall healthcare institutions provide pharmaceutical marketers, non-administrative-management authorities, or industry organizations not authorized by administrative-management authorities with information on the drug or medical-consumable usage volumes of individual healthcare personnel or departments; nor shall healthcare institutions provide convenience for pharmaceutical marketers to conduct such compilation. **Article 6.** Drug and medical-consumable usage information that healthcare institutions provide to administrative-management authorities or industry organizations authorized thereby shall be institution-level aggregate information. When healthcare institutions provide drug or medical-consumable usage information, and when they apply such information in day-to-day management, they shall strictly implement relevant working systems to ensure information security at every stage. **Article 7.** Healthcare institutions shall establish and improve management systems for information systems, and shall implement dedicated-person responsibility and encrypted management for statistical functions relating to drug and medical-consumable usage volumes and similar information within information systems. **Article 8.** Healthcare institutions shall implement strict tiered management and approval procedures for access permissions to query drug and medical-consumable usage volumes and similar information through information systems. Information systems shall be configured with query-logging functions for important and sensitive information; query logs shall be established, periodically analyzed, and reviewed so that anomalies are identified and dealt with in a timely manner. **Article 9.** Healthcare institutions shall enter into information-confidentiality agreements with information-technology personnel and entities that provide routine maintenance, upgrades, or installation of new systems or equipment for information systems, and shall set reasonable access permissions. Upon completion of work, external information-technology personnel and entities shall complete handover procedures to ensure that passwords, devices, technical documentation, and related sensitive information are transferred in accordance with prescribed procedures. Information-technology personnel and entities that obtain information for improper commercial purposes shall be dealt with in accordance with relevant laws, regulations, and the terms of business contracts, and corresponding liability shall be pursued. **Article 10.** Healthcare institutions shall not link the income of healthcare personnel to the volumes of drugs or medical consumables used. Compilation of drug and medical-consumable usage volumes by healthcare personnel or departments shall not be used for prescription-based commission payments. **Article 11.** Healthcare personnel shall not participate in tongfang activities in violation of relevant provisions, and shall not provide pharmaceutical marketers with information on drug or medical-consumable usage volumes or related information. Healthcare personnel are strictly prohibited from providing convenience to pharmaceutical marketers for conducting tongfang, or from acting as agents for pharmaceutical marketers in conducting tongfang in violation of relevant provisions. **Article 12.** Health and family planning administrative authorities and traditional Chinese medicine administration authorities at all levels shall strengthen supervision and inspection, while fully leveraging the role of external supervision and inspection forces. **Article 13.** Healthcare personnel who violate relevant provisions by engaging in tongfang for improper commercial purposes shall be dealt with seriously in accordance with law and discipline, and the violation shall be recorded in the adverse practice record system for physicians. Personnel who have not violated the Criminal Law shall, by the employing unit in accordance with relevant provisions, be given criticism and education, have their eligibility for performance awards and professional title advancement for that year cancelled, or be subject to demotion, deferred appointment, suspended appointment pending reassignment, or dismissal. Those suspected of criminal offences shall be referred to judicial authorities for handling. **Article 14.** In respect of healthcare institutions that violate relevant provisions by engaging in tongfang for improper commercial purposes, health and family planning administrative authorities and traditional Chinese medicine administration authorities shall, in accordance with their jurisdiction and relevant provisions, give the institution a public criticism, require rectification within a time limit, or reduce its rating, depending on the seriousness of the tongfang conduct. **Article 15.** Health and family planning administrative authorities and traditional Chinese medicine administration authorities at all levels shall, in conjunction with the establishment of an integrity-based professional credit management system for healthcare personnel, incorporate the violations of healthcare institutions and healthcare personnel into institutional calibration records and physicians' adverse practice records, respectively, in accordance with relevant provisions. **Article 16.** Local health and family planning administrative authorities, traditional Chinese medicine administration authorities, and healthcare institutions of all levels and types shall, pursuant to these Provisions and taking into account actual local and institutional conditions, study and formulate implementation measures. **Article 17.** As used in these Provisions, "healthcare personnel" means management personnel, physicians, nurses, pharmaceutical technicians, medical technicians, information-department staff, and other relevant personnel within healthcare institutions. **Article 18.** These Provisions shall come into force on January 1, 2015. The Notice on Strengthening the Administration of the Drug and High-Value Consumables Statistical Functions of Hospital Information Systems (Document No. 卫办医发〔2007〕163号), issued by the former General Office of the Ministry of Health on September 7, 2007, is hereby simultaneously repealed. --- ## Administrative Measures for Internet Information Services (2024 Revision) - Chinese title: 互联网信息服务管理办法(2024 修订) - Hierarchy: regulation - Issuing body: State Council - Adopted: 2024-12-06 - Effective: 2025-01-20 - Status: effective - URL: https://datacompliancechina.com/laws/internet-information-services-measures/ - Markdown: https://datacompliancechina.com/laws/internet-information-services-measures.md ### Summary The foundational regulation of Internet Information Services (ICP) in China — the regulatory baseline beneath nearly every later data-protection rule. Establishes the ICP licensing regime (operational vs. non-operational), platform compliance obligations, content management, and the role of telecommunications and cyberspace administrative authorities. The 2024 revision aligns the regulation with CSL, DSL, PIPL, and the post-2022 platform rules. ### Full text **Promulgated by:** State Council. **Document No.:** State Council Decree No. 292 (2000), revised by Decree No. 292 (2011) and Decree (2024). **Original Decree No. 292 (2000); revised by State Council decisions in 2011 and again on December 6, 2024. The current version takes effect January 20, 2025.** --- **Article 1.** These Measures are enacted in order to regulate activities of internet-based information services and promote the healthy and orderly development of internet-based information services. **Article 2.** Those who engage in internet-based information services within the territory of the People's Republic of China shall abide by these Measures. For the purpose of these Measures, the "internet-based information services" refer to service activities of providing information to online users through the Internet. **Article 3.** Internet-based information services are divided into services of a commercial nature and services of a non-commercial nature. Commercial internet-based information services refer to compensatory services of providing information to or creating web pages for online users through the Internet. Non-commercial internet-based information services refer to non-compensatory services of supplying, through the Internet, to online users information which is open to and shared by the general public. **Article 4.** The State shall implement a licensing system for internet-based information services of a commercial nature and a filing system for internet-based information services of a non-commercial nature. No one may engage in internet-based information services without having obtained a licensing or having completed the filing procedures. **Article 5.** Prior to applying for operation licensing or performing the filing formalities for such internet-based information services as media, publishing, education that subject to approval by the competent authorities in accordance with laws, administrative regulations and relevant provisions of the State, an approval from the relevant competent authorities shall be obtained in accordance with the law. ( ) ( ) ( ) Article 6 The engagement in commercial internet-based information services shall, in addition to compliance with requirements as prescribed by the Telecommunications Regulation of the People's Republic of China, meet the following conditions: (1) having a business development plan and relevant technical schemes; (2) having sound measures for network and information security, including security measures for web site safety, management systems for maintaining information security and secrecy, and management systems for safeguarding users' information; and (3) having obtained approval documents from the competent authorities where the services fall within the scope of Article 5 hereof. ( ) 60 **Article 7.** Whoever intends to engage in commercial internet-based information services shall apply to the administrative organ in charge of telecommunications in the relevant province, autonomous region or directly administered municipality, or to the State Council department in charge of the information industry, for a permit to operate value-added telecommunications business in internet-based information services (hereinafter referred to as "operation permit"). The administrative organ in charge of telecommunications in the relevant province, autonomous region or directly administered municipality, or the State Council department in charge of the information industry, shall, within sixty (60) days of receipt of the application, complete the examination of the application and make a decision on whether or not to grant an approval. Where an approval is granted, an operation permit shall be issued; where an approval is not granted, the applicant shall be notified in writing and explained the reasons thereunder. After having received the operation permit, the applicant shall complete registration procedures with an enterprise registration organ by presenting the operation permit. ( ) ( ) ( ) **Article 8.** Whoever intends to engage in non-commercial internet-based information services shall complete the filing formalities with the administrative organ in charge of telecommunications in the relevant province, autonomous region or directly administered municipality, or to the State Council department in charge of the information industry. When handling filing procedures, the following materials shall be submitted: (1) the general situations of the sponsor and the person in charge of web sites; (2) the addresses of the web sites and the items of services; and (3) the approval documents of the relevant competent authorities, where the service items fall within the scope of Article 5 hereof. Where materials submitted for filing are complete, the administrative organ in charge of telecommunications in the relevant province, autonomous region or directly administered municipality shall have them filed and numbered. **Article 9.** Those engaging in internet-based information services and proposing to provide electronic announcement services shall, when applying for a licensing for commercial internet-based information services or processing the filing procedures for non-commercial internet-based information services, also submit specific applications for such services or make specific filing for such services, in accordance with relevant provisions of the State. **Article 10.** The administrative organ in charge of telecommunications in the relevant province, autonomous region or directly administered municipality, or the State Council department in charge of the information industry shall publish a list of internet-based information services providers who have obtained the operation permits or have completed the filing procedures. **Article 11.** An internet-based information services provider shall deliver its services in compliance with the items as licensed or filed and may not provide services other than the items which have been licensed or filed for record. A non-commercial internet-based information services provider shall not engage in compensatory services. An internet-based information services provider who intends to alter its service items, address of web site or other matters shall complete formalities for alteration thirty (30) days in advance with the original examination organ and the issuing organ or the filing organ. **Article 12.** An internet-based information services provider shall indicate its operation permit number or filing number in the home pages of its web site. **Article 13.** An internet-based information services provider shall provide sound services to its online users and ensure that the contents of all information provided are lawful. **Article 14.** An internet-based information services provider who engages in media, publishing, electronic announcement and other services shall record the contents of information provided and the time of publication, the internet address or domain name. An internet connection services provider shall record such information as the time of the subscribers' access to the Internet, the account numbers of the subscribers, the address or domain name of the web site and the main telephone numbers for the connection. An internet-based information services provider or an internet access services provider shall keep the records for a period of sixty (60) days and provide them to the relevant state organs as inquired in accordance with the law. ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) Article 15 An internet-based information services provider shall not produce, duplicate, release or disseminate the following information: (1) being against the fundamental principles set out in the Constitution; (2) endangering national security, leaking state secrets, inciting to overthrow state power, or undermining the national unity; (3) damaging the State's honor and harming the interests of the State; (4) inciting ethnic hatred and ethnic discrimination or undermining solidarity among all ethnicities; (5) undermining the State's policies on religions, and advocating religious cults and feudal superstition; (6) disseminating rumors to disrupt social order and undermine social stability; (7) disseminating obscene materials, advocating gambling, violence, killing and terrorism, or instigating others to commit crimes; (8) humiliating or defaming other persons or infringing upon the legitimate rights and interests of the others; and (9) otherwise prohibited by laws and administrative regulations. **Article 16.** Where an internet-based information services provider discovers that information circulated in its web site clearly falls under one of the contents listed in Article 15 hereof, it shall stop the transmission immediately, keep the relevant records and report such to a relevant organ of the state. **Article 17.** If a commercial internet-based information services provider applies for listing in China or overseas, or for establishing a joint equity venture or joint cooperation with foreign investors, it shall apply, in advance, to the State Council department in charge of information industry for examination and approval; in such cases, the ratio of foreign investment shall comply with provisions of relevant laws and administrative regulations. **Article 18.** The administrative organs in charge of telecommunications in provinces, autonomous regions and directly administered municipalities, and the State Council department in charge of information industry shall exercise supervision and administration over internet-based information services in accordance with the law. Departments in charge of media, publishing, education, health, drug regulation, industry and commerce administration, public security and state security, and other relevant competent departments, shall, within their respective jurisdictions, exercise supervision and administration over the contents of internet-based information in accordance with the law. 3 5 5 10 100 **Article 19.** Whoever, in violation of provisions of these Measures, engages in internet-based information services of a commercial nature without having obtained an operation permit or provides services outside the licensed scope, shall be ordered by the administrative organ in charge of telecommunications in the relevant province, autonomous region or directly administered municipality to rectify the situation within a set time limit; where illegal gains are made, such gains shall be confiscated, and a fine of more than 300 per cent and less than 500 per cent of the amount of the illegal gains shall be imposed; where there are no illegal gains or the amount of illegal gains is less than 50,000 yuan, a fine of more than 100,000 yuan and less than 1,000,000 yuan shall be imposed; where the circumstances are serious, the web sites shall be ordered to close down. Whoever, in violation of provisions of these Measures, engages in internet-based information services of a non-commercial nature without having completed the filing formalities, or provides services beyond the items filed, shall be ordered by the administrative organ in charge of telecommunications in the province, autonomous region or directly administered municipality to rectify the situation within a set time limit; if rectification is refused, the web sites shall be ordered to be closed down. **Article 20.** Whoever produces, duplicates, releases or disseminates information containing one of the contents listed in Article 15 hereof shall be investigated for criminal liability if the case constitutes a crime; where a crime is not constituted, the public security organ and the state security organ shall impose penalties in accordance with the Law of the People's Republic of China on Punishment for Violation of Social Security Administration, the Administrative Measures on Security Protection of International Connections to Computer Information Networks, and provisions of other relevant laws and administrative regulations; for those commercial internet-based information services providers, the permit issuing organ shall additionally order them to have their business suspended for rectification or revoke their operation permits, and notify the enterprise registration organ; for those non-commercial internet-based information services providers, the filing authority shall additionally order them to temporarily close or permanently close down their web sites. **Article 21.** Whoever fails to fulfil the obligations as stipulated in Article 14 hereof shall be ordered by the administrative organ in charge of telecommunications in the province, autonomous region or directly administered municipality to rectify the situation; where the circumstances are serious, be ordered to suspend operation for rectification or to temporarily close down the web site. **Article 22.** Whoever, in violation of provisions of these Measures, fails to indicate its operation permit number or the filing number in its web site home pages shall be ordered by the administrative organ in charge of telecommunications in the province, autonomous region or directly administered municipality to rectify the situation, and be subject to a fine of more than 5,000 yuan and less than 50,000 yuan. **Article 23.** Whoever fails to fulfil the obligations as stipulated in Article 16 hereof shall be ordered by the administrative organ in charge of telecommunications in the province, autonomous region or directly administered municipality to rectify the situation; where the circumstances are serious, in cases of commercial internet-based information services providers, the permit issuing organ shall revoke the operation permit of the provider, and in cases of non-commercial internet-based information services providers, the filing authority shall order the provider to close down its web site. **Article 24.** Where any internet-based information services provider violates other laws and regulation in the cause of providing services, the authorities in charge of media, publishing, education, health, drug regulation, industry and commerce administration etc. shall impose penalties on it in accordance with relevant laws and regulations. **Article 25.** Where an administrative organ in charge of telecommunications or other relevant competent authorities and their personnel, neglect of duties, abuses their power, practise irregularity and favouritism or fail to exercise supervision and administration over the internet-based information services, thereby resulting in serious consequences, they shall, where a crime is constituted, be investigated for criminal liability; where a crime is not committed, the person directly in charge and other direct liable persons shall be demoted, removed from office or dismissed in accordance with the law. **Article 26.** Those who engage in internet-based information services prior to the promulgation of these Measures shall perform relevant procedures retrospectively within sixty (60) days of the promulgation of these Measures in accordance with the relevant provisions of these Measures. **Article 27.** These Measures shall come into force as of the date of promulgation. --- ## Administrative Measures for the Supervision of Live-Streaming E-Commerce - Chinese title: 直播电商监督管理办法 - Hierarchy: rule - Issuing body: State Administration for Market Regulation - Adopted: 2025-12-18 - Effective: 2026-02-01 - Status: effective - URL: https://datacompliancechina.com/laws/live-streaming-ecommerce-measures/ - Markdown: https://datacompliancechina.com/laws/live-streaming-ecommerce-measures.md ### Summary These Measures establish the supervisory framework for live-streaming e-commerce in China, allocating obligations among platform operators, live-streaming-room operators, live-streaming marketing personnel and their service agencies. They impose real-identity verification and registration, periodic reporting of identity information to market-regulation authorities, graded and classified management, transaction-information retention of at least three years, prohibitions on false or misleading commercial publicity (including via AI), AI-generated-persona labeling, and consumer-rights and credit-supervision mechanisms. Jointly issued by the State Administration for Market Regulation and the Cyberspace Administration of China as Order No. 117 and effective February 1, 2026. ### Full text **Promulgated by:** State Administration for Market Regulation and Cyberspace Administration of China. **Document No.:** Order No. 117 of the State Administration for Market Regulation and the Cyberspace Administration of China. **Issued December 18, 2025. Effective February 1, 2026.** --- ## Chapter I General Provisions **Article 1.** These Measures are formulated in accordance with the E-Commerce Law of the People's Republic of China, the Law of the People's Republic of China on the Protection of Consumer Rights and Interests, the Cybersecurity Law of the People's Republic of China and other laws, in order to strengthen the supervision and administration of live-streaming e-commerce, protect the legitimate rights and interests of consumers and business operators, and promote the healthy development of live-streaming e-commerce. **Article 2.** These Measures apply to engaging in live-streaming e-commerce activities within the territory of the People's Republic of China, and to the supervision and administration thereof by the market regulation and cyberspace administration authorities in accordance with their duties. "Live-streaming e-commerce" as referred to in these Measures means business activities of selling goods or providing services through websites, applications and the like, in the form of video live-streaming, audio live-streaming, or a combination of multiple live-streaming forms. "Live-streaming e-commerce platform operator" as referred to in these Measures means a legal person or unincorporated organization that, in live-streaming e-commerce activities, provides services such as an online business premises, transaction matching and information publication, for both or multiple parties to a transaction to independently carry out transaction activities. "Live-streaming-room operator" as referred to in these Measures means a natural person, legal person or unincorporated organization that registers an account on a live-streaming e-commerce platform, or that opens a live-streaming room through a self-built website or other network service, to engage in live-streaming e-commerce activities. A party that actually operates another's live-streaming room shall also perform the corresponding obligations of a live-streaming-room operator in accordance with these Measures. "Live-streaming marketing personnel" as referred to in these Measures means natural persons who, in live-streaming e-commerce activities, carry out the publicity and promotion of goods or services directly facing the general public. "Live-streaming marketing personnel service agency" as referred to in these Measures means an agency that provides services such as planning, operation, brokerage, training and technical support for live-streaming marketing personnel to engage in live-streaming e-commerce activities. **Article 3.** Engaging in live-streaming e-commerce activities shall follow the principles of voluntariness, equality, fairness and good faith, comply with laws, regulations, rules, commercial ethics and public order and good morals, fairly participate in market competition, accept government supervision and social supervision, and create a sound live-streaming e-commerce ecosystem. **Article 4.** The supervision and administration of live-streaming e-commerce shall adhere to the principles of encouraging innovation, strictly observing the bottom line, and integrated online-and-offline supervision, create a market environment conducive to the healthy development of live-streaming e-commerce, and give full play to the important role of live-streaming e-commerce in promoting high-quality development and meeting the people's ever-growing needs for a better life. **Article 5.** Live-streaming e-commerce platform operators and live-streaming-room operators are encouraged to establish and improve systems such as first-inquiry responsibility, advance compensation, and online dispute resolution, so as to promptly prevent and resolve consumer disputes in the field of live-streaming e-commerce. Relevant industry organizations are encouraged to strengthen industry self-discipline, establish and improve industry norms, promote industry integrity development, and supervise and guide business operators in the industry to fairly participate in market competition and consciously safeguard the legitimate rights and interests of consumers. Consumer organizations are encouraged to strengthen social supervision of live-streaming e-commerce activities and safeguard the legitimate rights and interests of consumers. ## Chapter II Live-Streaming E-Commerce Platform Operators **Article 6.** Live-streaming e-commerce platform operators shall establish and improve mechanisms for the registration and deregistration of live-streaming accounts, norms for transaction conduct within the platform, the assurance of goods and service quality, consumer-rights protection, personal-information protection, network and data security protection, and the management of live-streaming-room operators, live-streaming marketing personnel and live-streaming marketing personnel service agencies. Live-streaming e-commerce platform operators shall strengthen the management of live-streaming e-commerce information content, establish and improve content-review mechanisms, and create a sound live-streaming e-commerce ecosystem. **Article 7.** Live-streaming e-commerce platform operators shall follow the principles of openness, fairness and impartiality, formulate platform service agreements and transaction rules (hereinafter referred to as platform rules), clarify the rights and obligations of live-streaming e-commerce platform operators, live-streaming-room operators, live-streaming marketing personnel, live-streaming marketing personnel service agencies and other entities, and remind the relevant entities in a conspicuous manner of content that has a major interest relationship with them. Live-streaming e-commerce platform operators shall, in the platform rules, require live-streaming-room operators and live-streaming marketing personnel service agencies to standardize the recruitment, training, use and management of live-streaming marketing personnel. **Article 8.** Live-streaming e-commerce platform operators shall require live-streaming-room operators applying to enter the platform to engage in live-streaming e-commerce activities to provide true information such as their name, unified social credit code (ID document number), actual business address, contact information and administrative licenses, and shall verify, register and establish registration files for such information, and verify and update it at least once every six months. Live-streaming e-commerce platform operators shall require live-streaming-room operators, before live-streaming marketing personnel live-stream for the first time, to provide the verified-and-confirmed identity information of such personnel, including their name, ID document number, habitual residence address, contact information, affiliated live-streaming marketing personnel service agency, as well as professional qualifications, occupation and position related to live-streaming marketing, and shall provide technical support for and supervise the live-streaming-room operators' performance of the verification obligation. Live-streaming e-commerce platform operators shall establish and implement a dynamic verification system for the true identity of live-streaming marketing personnel, and shall not provide relevant services to personnel whose identity does not match the true identity or who, in accordance with relevant State provisions, are not permitted to engage in live-streaming e-commerce activities. **Article 9.** Live-streaming e-commerce platform operators shall, in January and July of each year respectively, submit the following identity information of live-streaming-room operators and live-streaming marketing personnel to the provincial market regulation authority of the place where the platform is domiciled: (I) for live-streaming-room operators that have completed business-entity registration, the name, unified social credit code, actual business address, contact information, live-streaming account and other information; (II) for live-streaming-room operators that have not completed business-entity registration, the name, ID document number, actual business address, contact information, live-streaming account and other information; (III) for live-streaming marketing personnel, the name, ID document number, habitual residence address, contact information, affiliated live-streaming marketing personnel service agency, as well as professional qualifications, occupation and position related to live-streaming marketing, and other information. **Article 10.** Live-streaming e-commerce platform operators shall establish and improve a training mechanism for live-streaming marketing personnel, and conduct training for live-streaming marketing personnel annually; before providing live-streaming services to live-streaming marketing personnel engaging in live-streaming e-commerce activities for the first time, they shall organize training on laws, regulations and rules related to online transactions and online information security, as well as product quality and safety, consumer-rights protection, platform rules, and the like. Live-streaming marketing personnel shall not engage in fraud during training or refuse to participate in training. Live-streaming e-commerce platform operators shall annually organize live-streaming-room operators and live-streaming marketing personnel service agencies to study laws, regulations and rules related to online transactions and online information security, and promptly notify them of the work requirements of relevant authorities. **Article 11.** Live-streaming e-commerce platform operators shall, through platform rules, establish and improve a graded and classified management system for live-streaming-room operators, and take corresponding management measures according to the compliance status, follower and visit volume, transaction scale, the type of goods or services sold, and other indicators of the live-streaming-room operators. Among them, for live-streaming-room operators with many followers, a large transaction scale, strong influence of live-streaming marketing personnel, repeated illegal conduct, or that engage in live-streaming e-commerce activities involving goods or services bearing on the life and health of consumers, management measures such as technical monitoring and real-time inspection shall be taken. Live-streaming e-commerce platform operators are encouraged to establish and improve a credit-evaluation indicator system for live-streaming-room operators, incorporate into the credit-evaluation indicator system the information on the directory of business operators with abnormal operations, the list of those seriously in breach of law and trust, administrative penalties, credit repair, and the like, lawfully shared or notified by the market regulation and cyberspace administration authorities, and take corresponding management measures according to the credit-evaluation results. **Article 12.** Live-streaming e-commerce platform operators shall, through platform rules, establish and improve a system for the disposal of illegal conduct within the platform, clarifying the specific circumstances and procedures for taking disposal measures — such as warning, function restriction, traffic restriction, suspension of live-streaming, suspension of live-streaming for a specified period, account closure, prohibition of re-registering accounts, and inclusion in a blacklist — against live-streaming-room operators, live-streaming marketing personnel and live-streaming marketing personnel service agencies that violate laws, regulations and rules, as well as the corresponding remedy channels. The type and degree of the disposal measures taken shall be commensurate with the facts, nature, circumstances and degree of social harm of the illegal conduct concerned. Where the market regulation or cyberspace administration authority, after investigation and verification, notifies the live-streaming e-commerce platform operator of the illegal conduct of the relevant live-streaming-room operator, live-streaming marketing personnel or live-streaming marketing personnel service agency, the live-streaming e-commerce platform operator shall, in accordance with relevant laws, regulations and rules and the platform rules, promptly take corresponding disposal measures in accordance with the preceding paragraph. Where a live-streaming e-commerce platform operator takes disposal measures, it shall keep the relevant records, promptly report to the market regulation and cyberspace administration authorities at or above the county level of the place where the platform is domiciled in accordance with the law, and use this as a reference for evaluating the compliance status of the live-streaming-room operator, live-streaming marketing personnel or live-streaming marketing personnel service agency. Among them, where disposal measures such as account closure, prohibition of re-registering accounts, or inclusion in a blacklist are taken, it shall simultaneously report to the provincial market regulation and cyberspace administration authorities of the place where the platform is domiciled. **Article 13.** Live-streaming e-commerce platform operators shall establish and improve a risk-identification system, equip professional live-streaming management personnel commensurate with their business scale, strengthen the dynamic monitoring of live-streaming e-commerce activities, and promptly take disposal measures such as warning, traffic restriction and suspension of live-streaming against illegal conduct during live-streaming. **Article 14.** Live-streaming e-commerce platform operators shall, through platform rules, establish and improve a blacklist system, and include in the blacklist live-streaming-room operators, live-streaming marketing personnel and live-streaming marketing personnel service agencies that seriously violate the laws and administrative regulations in the field of market regulation and cyberspace administration. Where a live-streaming e-commerce platform operator includes a relevant entity in the blacklist, it shall promptly inform the entity of the facts, reasons and basis for its violation of laws and administrative regulations, the specific period of inclusion in the blacklist, and the corresponding appeal channels; where the relevant entity files an appeal, it shall conduct necessary re-examination of the matters appealed, handle them objectively and impartially, and promptly inform the relevant entity of the handling result. Live-streaming e-commerce platform operators shall strengthen the management of the relevant entities included in the blacklist, and take necessary measures to prevent them from evading punishment during the period of inclusion in the blacklist by means such as changing accounts or re-registering accounts; upon expiration of the period of inclusion in the blacklist, they shall remove the entity from the blacklist and simultaneously lift the corresponding disposal measures. Live-streaming e-commerce platform operators are encouraged to share blacklist-related information with one another, and take credit-management measures against the relevant entities. **Article 15.** Live-streaming e-commerce platform operators shall provide the necessary technical support for live-streaming-room operators to perform their information-publication obligations in accordance with the law. Where the information published by a live-streaming-room operator changes, the operator shall submit the change to the live-streaming e-commerce platform operator within three working days, and the live-streaming e-commerce platform operator shall verify it within seven working days and complete the update of the published information. **Article 16.** Live-streaming e-commerce platform operators shall ensure the integrity of transaction information by technical means. Transaction information shall include the live-streaming account, the live-streaming video playback records and live-streaming interaction information regarding the relevant goods or services, the snapshot of the goods or service details page at the time the consumer's order is formed, customer-service records, payment records, logistics and express delivery, returns and exchanges, and after-sales information. The retention period of the above transaction information shall be not less than three years from the date the transaction is completed. Where laws and administrative regulations provide otherwise, such provisions shall apply. **Article 17.** Live-streaming e-commerce platform operators shall take effective measures to prevent and dispose of conduct by live-streaming-room operators and live-streaming marketing personnel that uses artificial intelligence and other technical means to fabricate or disseminate false or misleading commercial information, impersonate others to conduct commercial publicity, or deceive or mislead consumers and other business operators. **Article 18.** Live-streaming e-commerce platform operators shall establish and improve a consumer-rights protection system and clarify the consumer-dispute resolution mechanism. Where a consumer dispute occurs, the live-streaming e-commerce platform operator shall, at the consumer's request, provide necessary information such as the relevant information of the live-streaming-room operator and live-streaming marketing personnel and the relevant transaction records. **Article 19.** Where a live-streaming e-commerce platform operator knows or should know that the goods sold or services provided by a live-streaming-room operator or live-streaming marketing personnel do not meet the requirements for safeguarding personal or property safety, or that there is other conduct infringing the legitimate rights and interests of consumers, it shall take necessary measures in accordance with the law. **Article 20.** Live-streaming e-commerce platform operators shall establish and improve a complaint mechanism, clarify the handling process and feedback time limit, promptly handle consumer complaints, and take necessary measures to identify, prevent and dispose of conduct that abuses the platform complaint mechanism in violation of the principle of good faith. For live-streaming-room operators and live-streaming marketing personnel against whom complaints are concentrated, live-streaming e-commerce platform operators shall promptly take management measures such as technical monitoring and real-time inspection. Live-streaming e-commerce platform operators shall use complaints verified to be true as a reference for evaluating the compliance status of live-streaming-room operators, live-streaming marketing personnel and live-streaming marketing personnel service agencies. **Article 21.** Live-streaming e-commerce platform operators shall actively cooperate with the supervision and inspection, case investigation, accident disposal, defective-consumer-goods recall, consumer-dispute handling and other regulatory and law-enforcement activities lawfully carried out by the market regulation and cyberspace administration authorities, and truthfully provide the identity information, goods or service information, transaction information and the like of the relevant live-streaming-room operators and live-streaming marketing personnel. **Article 22.** Where the market regulation authority lawfully conducts an investigation of a live-streaming-room operator or live-streaming marketing personnel and finds that the above entity cannot be contacted through its actual business address or habitual residence address, it shall promptly notify the live-streaming e-commerce platform operator. The live-streaming e-commerce platform operator shall, within five working days after receiving the notification from the market regulation authority, remind the relevant live-streaming-room operator or live-streaming marketing personnel to promptly update the relevant information. Where, after the reminder, the relevant live-streaming-room operator or live-streaming marketing personnel still fails to promptly update the relevant information, the live-streaming e-commerce platform operator shall, in accordance with the platform rules, take corresponding disposal measures against it and keep the relevant records. After the relevant live-streaming-room operator or live-streaming marketing personnel updates the relevant information, it may, in accordance with the platform rules, apply to the platform to lift the disposal measures. The live-streaming e-commerce platform operator shall promptly lift the disposal measures after receiving the application and verifying it to be correct. **Article 23.** Where a live-streaming e-commerce platform operator takes disposal measures against a live-streaming-room operator or live-streaming marketing personnel, it shall make proper arrangements for the order handling, after-sales service, consumer-dispute resolution and the like for the affected consumers, and assist consumers in safeguarding their rights. **Article 24.** Where other network service providers provide all or part of the content of services such as an online business premises, transaction matching and information publication in live-streaming e-commerce activities, they shall, according to their specific service content, perform in accordance with the law the corresponding obligations that live-streaming e-commerce platform operators are required to perform under this Chapter, such as identity verification and registration, submission of relevant information, disposal and reporting of illegal conduct, retention of transaction information, assisting consumers in safeguarding their rights, and cooperating with regulation and law enforcement; those that violate the relevant provisions shall bear corresponding liability in accordance with the law. ## Chapter III Live-Streaming-Room Operators and Live-Streaming Marketing Personnel **Article 25.** Where a live-streaming-room operator is a legal person or unincorporated organization, it shall lawfully publish, in a conspicuous position on the homepage of its live-streaming account information, true and valid information such as its name, unified social credit code, domicile and administrative licenses, or a link identifier to the above information. Where a live-streaming-room operator is a natural person and is an individual industrial and commercial household, it shall lawfully publish, in a conspicuous position on the homepage of its live-streaming account information, true and valid information such as its name, the operator's name, unified social credit code, business premises and form of composition, or a link identifier to the above information; where it is another natural person that is lawfully not required to complete business-entity registration, it shall lawfully publish, in a conspicuous position on the homepage of its live-streaming account information, true and valid information such as its actual business address, contact information and affiliated live-streaming marketing personnel service agency, or a link identifier to the above information. Where the relevant information changes, the live-streaming-room operator shall submit the change to the live-streaming e-commerce platform operator within three working days. Where a live-streaming-room operator publishes information in accordance with these Measures, it shall simultaneously comply with the requirements of laws, administrative regulations and relevant State provisions on displaying account-related information. **Article 26.** A live-streaming-room operator shall, on its live-streaming page, continuously display in a conspicuous manner information such as the name, actual business address and contact information of the business operator that actually sells the goods or provides the services, or a link identifier to such information. Where the relevant information is displayed through a link identifier, the following requirements shall be met: (I) set a convenient entrance in a conspicuous position on the live-streaming page, the page jumped to shall truly and completely display the information prescribed in the first paragraph, and there shall be no multiple jumps; (II) no unreasonable access restrictions such as consecutive multiple verifications, mandatory account following, or reward interaction shall be set; (III) reading shall not be interfered with by technical means such as pop-up windows overlaying the content. **Article 27.** A live-streaming-room operator shall verify information such as the name, unified social credit code (ID document number), actual business address, contact information, administrative licenses, mandatory product certification, and product conformity certificate of the business operator that actually sells the goods or provides the services, strengthen the review of live-streaming product selection and marketing language and the like, and keep the relevant records for inspection. The records shall be kept for not less than three years from the date the live-streaming ends. **Article 28.** A live-streaming-room operator shall verify the identity information of live-streaming marketing personnel, including their name, ID document number, habitual residence address, contact information, affiliated live-streaming marketing personnel service agency, as well as professional qualifications, occupation and position related to live-streaming marketing, and shall promptly verify and update it, and keep the relevant records for inspection, so as to ensure that the identity information of live-streaming marketing personnel is true and valid. The records shall be kept for not less than three years from the date the live-streaming ends. A live-streaming-room operator shall, before each live-streaming, submit the verified-and-confirmed identity information of the live-streaming marketing personnel to the live-streaming e-commerce platform operator. **Article 29.** The account name, avatar, profile, and the live-streaming room title, cover, set, props and the like, set and displayed by a live-streaming-room operator shall comply with the provisions of laws, regulations and rules, and shall not contain information that harms national interests and the public interest of society, violates public order and good morals, or deceives or misleads consumers. **Article 30.** A live-streaming-room operator shall establish and improve a pre-event compliance-review mechanism, and review the displayed content, explanation content, clothing, set, props and the like before live-streaming in accordance with relevant provisions. **Article 31.** A live-streaming-room operator shall establish and improve an error-correction mechanism for live-streaming marketing personnel, and, upon discovering that live-streaming marketing personnel have made slips of the tongue, incomplete statements, improper statements or the like, correct them on the spot and keep the records for inspection. The records shall be kept for not less than three years from the date the live-streaming ends. A live-streaming-room operator shall manage the interactive content of the live-streaming room in real time, promptly dispose of illegal information, and lawfully keep the relevant disposal records. **Article 32.** A live-streaming-room operator shall display in a conspicuous manner information such as the name, price and pricing unit of the goods sold, or the item, content, price and pricing method of the services provided, or a link identifier to the above information; where promotional methods such as price comparison, discount or price reduction are adopted, it shall conspicuously indicate information such as the price being compared or the calculation basis of the discount or price reduction, or a link identifier to the above information. **Article 33.** Live-streaming-room operators and live-streaming marketing personnel shall not sell or provide the following illegal goods or services through the live-streaming room: (I) goods or services that do not meet the requirements for safeguarding personal or property safety and the requirements for environmental protection; (II) goods of unqualified quality, such as those adulterated, falsified, passing off fakes as genuine, or passing off inferior goods as superior; (III) goods or services that are prohibited from trading by laws and administrative regulations, harm national interests and the public interest of society, or violate public order and good morals. **Article 34.** Live-streaming-room operators and live-streaming marketing personnel shall not make false or misleading commercial publicity about the business entity of the goods or services, or their performance, function, quality, sales status, user evaluation, honors received, or qualifications, so as to deceive or mislead consumers and other business operators. Live-streaming-room operators and live-streaming marketing personnel shall not use artificial intelligence and other technical means to fabricate or disseminate false or misleading commercial information, or impersonate others to conduct commercial publicity, so as to deceive or mislead consumers and other business operators. **Article 35.** Where the live-streaming content published by a live-streaming-room operator or live-streaming marketing personnel constitutes a commercial advertisement, it shall perform the obligations of an advertisement publisher, advertisement operator or advertising spokesperson in accordance with the relevant provisions of the Advertising Law of the People's Republic of China. The following circumstances generally constitute a commercial advertisement as referred to in the preceding paragraph: (I) a natural person with a certain influence, other than the goods operator or service provider, recommends or certifies goods or services in its own name or image in live-streaming e-commerce activities; (II) for the purpose of promoting goods or services, the live-streaming content introducing the goods or services is recorded, clipped or edited and then published in the form of text, images, video, audio or the like through the Internet or other media; (III) other circumstances that constitute a commercial advertisement. **Article 36.** Live-streaming-room operators and live-streaming marketing personnel shall not fabricate or disseminate, or instruct others to fabricate or disseminate, false information or misleading information that damages the commercial reputation or goods reputation of other business operators. **Article 37.** Where a live-streaming-room operator uses persona images or videos generated by artificial intelligence and other technologies to engage in live-streaming e-commerce activities, it shall comply with the requirements of relevant laws, regulations, rules and mandatory national standards, label them in accordance with relevant State provisions, and continuously remind consumers that the persona images or videos are generated by artificial intelligence and other technologies. Where the use of persona images or videos generated by artificial intelligence and other technologies in live-streaming e-commerce activities involves circumstances that violate the provisions of laws, regulations or rules, the live-streaming-room operator that manages or uses such persona images or videos shall bear liability in accordance with the law. Where laws, regulations or rules provide otherwise, such provisions shall apply. ## Chapter IV Live-Streaming Marketing Personnel Service Agencies **Article 38.** Live-streaming marketing personnel service agencies shall establish and improve internal management systems, and standardize the recruitment, training, use and management of live-streaming marketing personnel. **Article 39.** Live-streaming marketing personnel service agencies shall improve the recruitment mechanism for live-streaming marketing personnel, and verify the identity information of live-streaming marketing personnel, including their name, ID document number, habitual residence address, contact information, as well as professional qualifications, occupation and position related to live-streaming marketing. **Article 40.** Live-streaming marketing personnel service agencies shall sign agreements with live-streaming marketing personnel, clarifying the obligations that each is required to perform, and shall not mitigate or exempt the liability they are required to bear in accordance with the law. **Article 41.** Live-streaming marketing personnel service agencies shall strengthen the training of live-streaming marketing personnel, and remind them of the obligations they are required to perform in accordance with the law in live-streaming e-commerce activities. **Article 42.** Live-streaming marketing personnel service agencies shall strengthen the daily management and standardized guidance of live-streaming marketing personnel, establish and improve a system for the disposal of illegal conduct by live-streaming marketing personnel, and promptly take necessary disposal measures against the illegal conduct of live-streaming marketing personnel discovered. **Article 43.** Where a live-streaming marketing personnel service agency cooperates with a live-streaming-room operator to carry out commercial activities, it shall verify information such as the name, unified social credit code (ID document number), actual business address, contact information and administrative licenses of the live-streaming-room operator, and sign a written agreement with it, clarifying the obligations of each in terms of live-streaming marketing personnel management, live-streaming content management, product quality review, consumer-rights protection, and the like. **Article 44.** Live-streaming marketing personnel service agencies shall not, by means of organizing false transactions, false evaluations or the like, help live-streaming-room operators or live-streaming marketing personnel conduct false or misleading commercial publicity. **Article 45.** Where a live-streaming marketing personnel service agency provides live-streaming product-selection services, it shall verify information such as the name, unified social credit code (ID document number), actual business address, contact information, administrative licenses, mandatory product certification, and product conformity certificate of the business operator that actually sells the goods or provides the services, and keep the relevant records for inspection. The records shall be kept for not less than three years from the date the live-streaming ends. ## Chapter V Supervision and Administration **Article 46.** The market regulation and cyberspace administration authorities shall, in accordance with their duties, strengthen the supervision and administration of live-streaming e-commerce activities, and establish and improve work mechanisms such as lead transfer, information sharing, and joint consultation and assessment. Where the market regulation and cyberspace administration authorities lawfully conduct supervision and administration of live-streaming e-commerce platform operators, live-streaming-room operators and live-streaming marketing personnel service agencies, the relevant business entities shall cooperate, provide the necessary data, technical support and assistance, and ensure the authenticity and accuracy of the data provided. **Article 47.** Violations of these Measures by live-streaming e-commerce platform operators, by live-streaming-room operators engaging in live-streaming e-commerce activities through self-built websites or other network services, and by live-streaming marketing personnel service agencies shall be under the jurisdiction, according to their duties, of the market regulation and cyberspace administration authorities at or above the county level of the place where they are domiciled. Violations of these Measures by live-streaming-room operators engaging in live-streaming e-commerce activities through a live-streaming e-commerce platform shall be under the jurisdiction, according to their duties, of the market regulation and cyberspace administration authorities at or above the county level of their actual place of business. Where the actual place of business cannot be determined, and business-entity registration has been completed, the matter shall be under the jurisdiction, according to their duties, of the market regulation and cyberspace administration authorities at or above the county level of the place where the operator is domiciled; where business-entity registration has not been completed, the matter shall be under the jurisdiction, according to their duties, of the market regulation and cyberspace administration authorities at or above the county level of the place where the live-streaming e-commerce platform operator is domiciled. Violations of these Measures by live-streaming marketing personnel shall be under the jurisdiction, according to their duties, of the market regulation and cyberspace administration authorities responsible, in accordance with the preceding two paragraphs, for the jurisdiction over the illegal conduct of the operator of the live-streaming room where they are located. **Article 48.** The provincial market regulation authority of the place where a live-streaming e-commerce platform operator is domiciled shall, as needed for its work, promptly share the identity information of live-streaming-room operators and live-streaming marketing personnel that it has grasped with the provincial market regulation authority of the actual place of business of the live-streaming-room operator. **Article 49.** When the market regulation and cyberspace administration authorities investigate and handle live-streaming e-commerce activities suspected of being illegal in accordance with their duties, they may lawfully take the following measures: (I) conduct on-site inspections of premises related to the live-streaming e-commerce activities suspected of being illegal; (II) consult and copy contracts, vouchers, account books and other relevant materials related to the live-streaming e-commerce activities suspected of being illegal; (III) collect, retrieve and copy electronic data related to the live-streaming e-commerce activities suspected of being illegal; (IV) question parties such as the live-streaming e-commerce platform operator, live-streaming-room operator, live-streaming marketing personnel and live-streaming marketing personnel service agency suspected of engaging in the illegal live-streaming e-commerce activities; (V) investigate and understand relevant circumstances from natural persons, legal persons and unincorporated organizations related to the live-streaming e-commerce activities suspected of being illegal; (VI) other measures that may be taken as prescribed by laws and regulations. **Article 50.** Where the market regulation or cyberspace administration authority discovers that a live-streaming-room operator, live-streaming marketing personnel or live-streaming marketing personnel service agency has conduct violating the laws, regulations and rules in the field of market regulation or cyberspace administration, and lawfully requires the live-streaming e-commerce platform operator to take necessary disposal measures, the live-streaming e-commerce platform operator shall cooperate. **Article 51.** The market regulation authority shall lawfully implement credit supervision over live-streaming e-commerce platform operators, live-streaming-room operators, live-streaming marketing personnel, live-streaming marketing personnel service agencies and other entities, and lawfully publicize, through the National Enterprise Credit Information Publicity System, information such as their registration, filing, administrative licenses, spot-check and verification results, administrative penalties, subsistence status, and inclusion in the directory of business operators with abnormal operations and the list of those seriously in breach of law and trust in market regulation. For those with serious illegal and dishonest conduct, corresponding disciplinary measures shall be taken in accordance with the law. The information prescribed in the preceding paragraph may also be publicized through the official website of the market regulation authority, online search engines, a conspicuous position on the homepage where the business operator engages in business activities, and the like. The cyberspace administration authority shall lawfully include the relevant entities that commit illegal conduct with serious circumstances and bad influence in the list of those seriously in breach of trust on the Internet, and take corresponding disciplinary measures. **Article 52.** Where a live-streaming e-commerce platform operator, live-streaming-room operator, live-streaming marketing personnel or live-streaming marketing personnel service agency falls under any of the following circumstances, the market regulation or cyberspace administration authority may, in accordance with its duties, conduct an interview with the relevant responsible person, requiring it to explain the situation and take measures to make rectifications: (I) inadequately performing the statutory obligations related to live-streaming e-commerce; (II) the occurrence of a major negative public-opinion incident related to live-streaming e-commerce; (III) the market regulation or cyberspace administration authority discovering, in routine supervision and administration, problems that may have a negative impact on the order of live-streaming e-commerce; (IV) failing to safeguard the legitimate rights and interests of consumers and other relevant parties; (V) other circumstances requiring an interview. ## Chapter VI Legal Liability **Article 53.** Where a live-streaming e-commerce platform operator commits any of the following acts, and the matter falls within the duties of the market regulation authority, the market regulation authority shall impose penalties in accordance with the provisions of Article 80 of the E-Commerce Law of the People's Republic of China: (I) failing to verify and register the identity information of live-streaming-room operators in accordance with the first paragraph of Article 8 of these Measures; (II) failing to submit relevant information in accordance with items (I) and (II) of Article 9 of these Measures; (III) failing to perform the transaction-information retention obligation prescribed in Article 16 of these Measures. **Article 54.** Where a live-streaming e-commerce platform operator commits any of the following acts, and laws or administrative regulations so provide, such provisions shall apply; where laws and administrative regulations do not so provide and the matter falls within the duties of the market regulation authority, the market regulation authority shall order rectification within a time limit; where the operator refuses to make rectification or the circumstances are serious, a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed: (I) failing to verify the true identity of live-streaming marketing personnel in accordance with the third paragraph of Article 8 of these Measures; (II) failing to submit relevant information in accordance with item (III) of Article 9 of these Measures; (III) failing to perform the training obligation prescribed in Article 10 of these Measures; (IV) failing to establish and improve a graded and classified management system for live-streaming-room operators in accordance with the first paragraph of Article 11 of these Measures; (V) failing to establish and improve a system for the disposal of illegal conduct within the platform in accordance with Article 12 of these Measures; (VI) failing to establish and improve a risk-identification system in accordance with Article 13 of these Measures; (VII) failing to establish and improve a blacklist system in accordance with Article 14 of these Measures; (VIII) failing to take effective measures to prevent and dispose of relevant false commercial-publicity conduct in accordance with Article 17 of these Measures; (IX) failing to perform the reminder and disposal obligations prescribed in Article 22 of these Measures. **Article 55.** Where a live-streaming e-commerce platform operator violates Article 18 of these Measures, and the matter falls within the duties of the market regulation authority, the market regulation authority shall impose penalties in accordance with the provisions of the first paragraph of Article 50 of the Regulation for the Implementation of the Law of the People's Republic of China on the Protection of Consumer Rights and Interests. **Article 56.** Where a live-streaming e-commerce platform operator violates Article 19 of these Measures by failing to take necessary measures against conduct by live-streaming-room operators or live-streaming marketing personnel that infringes the legitimate rights and interests of consumers, the market regulation authority shall impose penalties in accordance with the provisions of Article 83 of the E-Commerce Law of the People's Republic of China. **Article 57.** Where a live-streaming-room operator fails to perform the information-publication obligations prescribed in the first to third paragraphs of Article 25 of these Measures, the market regulation authority shall impose penalties in accordance with the provisions of Article 76 of the E-Commerce Law of the People's Republic of China. **Article 58.** Where a live-streaming-room operator fails to perform the information-display obligations prescribed in Article 26 of these Measures, and laws or administrative regulations so provide, such provisions shall apply; where laws and administrative regulations do not so provide and the matter falls within the duties of the market regulation authority, the market regulation authority shall order rectification within a time limit; where rectification is not made within the time limit, a fine of not more than RMB 10,000 shall be imposed. **Article 59.** Where a live-streaming-room operator commits any of the following acts, and laws or administrative regulations so provide, such provisions shall apply; where laws and administrative regulations do not so provide and the matter falls within the duties of the market regulation authority, the market regulation authority shall order rectification within a time limit; where the operator refuses to make rectification or the circumstances are serious, a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed: (I) failing to perform the verification obligations prescribed in Articles 27 and 28 of these Measures; (II) failing to set and display the account name, avatar, profile, and live-streaming room title, cover, set, props and the like in accordance with Article 29 of these Measures; (III) failing to establish and improve a pre-event compliance-review mechanism in accordance with Article 30 of these Measures; (IV) failing to establish and improve an error-correction mechanism for live-streaming marketing personnel in accordance with Article 31 of these Measures; (V) failing to perform the labeling obligation prescribed in the first paragraph of Article 37 of these Measures. **Article 60.** Where a live-streaming-room operator violates Article 32 of these Measures, the market regulation authority shall impose penalties in accordance with the Price Law of the People's Republic of China and the Provisions on Administrative Penalties for Price-Related Violations. **Article 61.** Where a live-streaming-room operator or live-streaming marketing personnel violates Article 33 of these Measures by selling or providing relevant illegal goods or services through the live-streaming room, and laws or administrative regulations so provide, such provisions shall apply; where laws and administrative regulations do not so provide and the matter falls within the duties of the market regulation authority, the market regulation authority shall order rectification within a time limit and impose a fine of not less than RMB 10,000 but not more than RMB 100,000. **Article 62.** Where a live-streaming-room operator, live-streaming marketing personnel or live-streaming marketing personnel service agency violates Article 34 or Article 44 of these Measures, the market regulation authority shall impose penalties in accordance with the provisions of the first paragraph of Article 25 of the Anti-Unfair Competition Law of the People's Republic of China; where false advertising is involved, penalties shall be imposed in accordance with the provisions of Article 55 of the Advertising Law of the People's Republic of China. Where a live-streaming-room operator or live-streaming marketing personnel violates Article 36 of these Measures, the market regulation authority shall impose penalties in accordance with the provisions of Article 28 of the Anti-Unfair Competition Law of the People's Republic of China. **Article 63.** Where live-streaming marketing personnel violate Articles 33, 34 and 36 of these Measures, and the conduct is a job-related act, the unit to which they belong shall bear the corresponding administrative liability; however, this shall not apply where there is evidence proving that the conduct of the live-streaming marketing personnel is unrelated to their job-related act. **Article 64.** Where a live-streaming marketing personnel service agency fails to perform the verification obligations prescribed in Articles 39, 43 and 45 of these Measures, or fails to strengthen the daily management and standardized guidance of live-streaming marketing personnel in accordance with Article 42 of these Measures, and laws or administrative regulations so provide, such provisions shall apply; where laws and administrative regulations do not so provide and the matter falls within the duties of the market regulation authority, the market regulation authority shall order rectification within a time limit; where the agency refuses to make rectification or the circumstances are serious, a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed. **Article 65.** Where, in live-streaming e-commerce activities, illegal information is produced, reproduced, published or disseminated, or measures are not taken to prevent and resist the production, reproduction, publication or dissemination of harmful information, the cyberspace administration authority shall, in accordance with its duties, impose penalties in accordance with the provisions of the Cybersecurity Law of the People's Republic of China, the Measures for the Administration of Internet Information Services and other laws and administrative regulations. Where there is a violation of Articles 6 to 8, Article 10, the first paragraph of Article 11, Article 12, Article 13, the first to third paragraphs of Article 14, Article 16, Article 17, the fourth paragraph of Article 25, Article 27, Articles 29 to 31, Article 34, Article 36, Article 37, and Articles 41 to 44 of these Measures, and the matter falls within the duties of the cyberspace administration authority, the cyberspace administration authority shall impose penalties in accordance with the provisions of the Cybersecurity Law of the People's Republic of China, the Measures for the Administration of Internet Information Services and other laws and administrative regulations; where laws and administrative regulations do not so provide, the cyberspace administration authority shall order rectification within a time limit; where rectification is refused or the circumstances are serious, a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed, and the provision of relevant services may be ordered to be suspended. **Article 66.** Where the performance of duties by the market regulation or cyberspace administration authority in accordance with these Measures is obstructed, or regulation and law enforcement are refused or hindered, and laws, administrative regulations or departmental rules so provide, such provisions shall apply; where laws, administrative regulations and departmental rules do not so provide, the market regulation or cyberspace administration authority shall, in accordance with its duties, order rectification, and may impose a fine of not less than RMB 1,000 but not more than RMB 10,000 on an individual, or a fine of not less than RMB 10,000 but not more than RMB 100,000 on a unit. **Article 67.** Where a violation of these Measures is suspected of constituting a crime, the matter shall be transferred to the judicial authorities for the pursuit of criminal liability in accordance with the law. ## Chapter VII Supplementary Provisions **Article 68.** Where the supervision and administration of live-streaming e-commerce activities lawfully falls within the duties of other relevant departments, such other relevant departments shall implement it in accordance with relevant provisions. **Article 69.** These Measures shall come into force on February 1, 2026. --- ## Anti-Telecom and Online Fraud Law of the People's Republic of China - Chinese title: 中华人民共和国反电信网络诈骗法 - Abbreviation: ATFL - Hierarchy: law - Issuing body: National People's Congress Standing Committee - Status: effective - URL: https://datacompliancechina.com/laws/anti-telecom-fraud-law/ - Markdown: https://datacompliancechina.com/laws/anti-telecom-fraud-law.md ### Full text > *Editor to fill.* > > Suggested structure: > > 1. **Why this law matters** — ATFL creates new obligations for telecom carriers, internet platforms, and financial institutions; explain implications for KYC, real-name verification, and data sharing with public security. > 2. **Structure** — chapter list. > 3. **Key articles** — telecom-side KYC, internet platform monitoring duties, financial-side risk controls, cross-border cooperation, sanctions. > 4. **Data-compliance angles** — interaction with PIPL's "separate consent" rule for sharing with law enforcement, real-name verification implications. > 5. **Enforcement record** — linked briefs. --- ## Method for Identifying the Unlawful Collection and Use of Personal Information by Apps - Chinese title: App违法违规收集使用个人信息行为认定方法 - Abbreviation: App PI Identification Method - Hierarchy: rule - Issuing body: Secretariat of the Cyberspace Administration of China, General Office of MIIT, General Office of the Ministry of Public Security, and General Office of SAMR - Adopted: 2019-11-28 - Effective: 2019-11-28 - Status: effective - URL: https://datacompliancechina.com/laws/app-illegal-pi-collection-identification-method/ - Markdown: https://datacompliancechina.com/laws/app-illegal-pi-collection-identification-method.md - Source URL: https://www.cac.gov.cn/2019-12/27/c_1578986455686625.htm ### Summary Issued jointly in November 2019 by the CAC Secretariat, MIIT, MPS, and SAMR under Document No. 国信办秘字〔2019〕191号, this instrument provides the operational six-category test that regulators use to determine whether an app's collection and use of personal information is unlawful or excessive: (1) failure to publicly disclose collection and use rules; (2) failure to clearly state the purpose, method, and scope of collection; (3) collection without user consent; (4) collection beyond what is necessary for the service; (5) sharing personal information with third parties without consent; and (6) failure to provide deletion or correction functions or complaint channels. The method underpins the national App special-governance campaign and is the direct basis for app-store removal orders issued by regulators. Overseas counsel advising Chinese-market apps or cross-border data-sharing arrangements must treat compliance with each of the six categories as a threshold checklist, as a single identified violation can trigger mandatory rectification and removal. ### Full text **Promulgated by:** Secretariat of the Cyberspace Administration of China, General Office of the Ministry of Industry and Information Technology, General Office of the Ministry of Public Security, and General Office of the State Administration for Market Regulation. **Document No.:** 国信办秘字〔2019〕191号. **Issued and effective November 28, 2019. Publicly released December 30, 2019.** --- **(1) The following conduct may be identified as "failure to publicly disclose rules for the collection and use of personal information":** 1. There is no privacy policy within the app, or the privacy policy does not contain rules for the collection and use of personal information. 2. Upon first launch of the app, users are not prompted in a conspicuous manner — such as a pop-up window — to read the privacy policy or other collection and use rules. 3. The privacy policy or other collection and use rules are difficult to access — for example, accessing them from the app's main interface requires more than four clicks or equivalent operations. 4. The privacy policy or other collection and use rules are difficult to read — for example, the text is too small, too densely set, too faintly coloured, or blurred, or no Simplified Chinese version is provided. --- **(2) The following conduct may be identified as "failure to clearly state the purpose, method, and scope of collecting and using personal information":** 1. The app does not list, item by item, the purpose, method, and scope of its collection and use of personal information. 2. When the purpose, method, or scope of collecting and using personal information changes, users are not notified in an appropriate manner. 3. When requesting permission to enable functions that collect personal information, or requesting collection of sensitive personal information such as identity document numbers, bank account numbers, or location trajectories, the app does not simultaneously inform users of the purpose for doing so, or the stated purpose is unclear or difficult to understand. 4. The content of the collection and use rules is obscure, lengthy, or complex, making it difficult for users to understand. --- **(3) The following conduct may be identified as "collecting and using personal information without user consent":** 1. Collection of personal information, or activation of permissions capable of collecting personal information, begins before the user's consent is obtained. 2. After a user has expressly indicated non-consent, the app continues to collect personal information or to activate permissions capable of collecting personal information, or it repeatedly solicits the user's consent in a manner that interferes with normal use. 3. The personal information actually collected, or the permissions capable of collecting personal information that are actually activated, exceed the scope of the user's authorization. 4. User consent is sought through non-explicit means such as pre-selected agreement to a privacy policy by default. 5. Permission settings for personal information collection that the user has configured are altered without the user's consent. 6. The app uses personal information and algorithms to deliver targeted information push notifications without providing users an option to receive non-targeted information push notifications. 7. Users are misled into consenting to the collection of personal information or the activation of permissions capable of collecting personal information through improper means such as deception or inducement. 8. No channel or method is provided for users to withdraw consent to the collection of personal information. 9. Personal information is collected and used in violation of the collection and use rules the app itself has declared. --- **(4) The following conduct may be identified as "violating the necessity principle by collecting personal information unrelated to the services provided":** 1. The type of personal information collected, or the permissions capable of collecting personal information that are activated, is unrelated to existing business functions. 2. When a user refuses to consent to the collection of non-essential personal information or the activation of non-essential permissions, the app refuses to provide its business functions. 3. When a new business function is added to the app, the personal information sought for that new function exceeds the scope of the user's original consent. 4. The frequency or other aspects of personal information collection exceed what is actually required by the business function. 5. Users are compelled to consent to collection of personal information solely on the grounds of improving service quality, enhancing user experience, delivering targeted information, or developing new products. 6. Users are required to grant multiple permissions capable of collecting personal information in a single all-or-nothing consent, and refusal to do so renders the app unusable. --- **(5) The following conduct may be identified as "providing personal information to third parties without consent":** 1. Without either the user's consent or anonymization of the data, the app client directly provides personal information to a third party. 2. Without either the user's consent or anonymization of the data, personal information collected by the app is provided to a third party after it has been transmitted to the app's backend servers. 3. The app integrates a third-party application and, without the user's consent, provides personal information to that third-party application. --- **(6) The following conduct may be identified as "failure to provide deletion or correction functions for personal information as required by law" or "failure to publish complaint and reporting channels and other information":** 1. No effective function is provided for correcting or deleting personal information or for cancelling a user account. 2. Unnecessary or unreasonable conditions are imposed on the correction or deletion of personal information or the cancellation of a user account. 3. Although functions for correcting or deleting personal information and for cancelling a user account are provided, the app fails to respond to users' corresponding requests in a timely manner; where manual processing is required, the app fails to complete the verification and handling within the committed time limit (the committed time limit must not exceed fifteen working days; where no time limit is committed, fifteen working days shall apply). 4. An operation by a user to correct or delete personal information or to cancel a user account has been completed on the user's side but has not been completed in the app's backend. 5. No personal information security complaint and reporting channel has been established and published, or the app fails to accept and handle complaints and reports within the committed time limit (the committed time limit must not exceed fifteen working days; where no time limit is committed, fifteen working days shall apply). --- ## Provisions on the Administration of Deep Synthesis of Internet Information Services - Chinese title: 互联网信息服务深度合成管理规定 - Hierarchy: rule - Issuing body: CAC, MIIT, MPS - Adopted: 2022-11-03 - Effective: 2023-01-10 - Status: effective - URL: https://datacompliancechina.com/laws/deep-synthesis-provisions/ - Markdown: https://datacompliancechina.com/laws/deep-synthesis-provisions.md ### Summary Regulates deepfakes and AI-driven content synthesis — the precursor to the GenAI Measures and the AI Content Labeling Measures. Requires real-name verification, content moderation, prominent labeling of synthesized content, prohibits use for fraud or disinformation, and establishes the deep synthesis service algorithm filing regime. ### Full text **Promulgated by:** CAC, MIIT, MPS. **Document No.:** Order No. 12 of CAC, MIIT, and MPS (jointly). **Adopted at the 21st executive meeting of the CAC in 2022 on November 3, 2022. Effective January 10, 2023.** --- ## Chapter I General Provisions **Article 1.** These Provisions are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Law of the People's Republic of China on the Protection of Personal Information, the Administrative Measures on Internet-based Information Services and other laws and administrative regulations for the purpose of strengthening the deep synthesis management of Internet-based information services, carrying forward socialist core values, safeguarding national security and public interests, and protecting the legitimate rights and interests of citizens, legal persons and other organizations. **Article 2.** These Provisions shall apply to the application of deep synthesis technology to provide Internet-based information services (hereinafter referred to as the "deep synthesis services") within the territory of the People's Republic of China. Where the laws and administrative regulations stipulate otherwise, such provisions shall prevail. **Article 3.** The Cyberspace Administration of China shall be responsible for overall planning and coordination of the governance of deep synthesis services nationwide and the relevant supervision and administration thereof. The telecommunications departments and the public security departments of the State Council shall be responsible for the supervision and administration of deep synthesis services according to their respective duties. Local cyberspace administrations shall be responsible for the overall planning and coordination of the governance of deep synthesis services within their respective administrative regions and the relevant supervision and administration thereof. Local competent telecommunications authorities and public security authorities shall be responsible for the supervision and administration of deep synthesis services within their respective administrative regions according to their respective duties. **Article 4.** The provision of deep synthesis services shall comply with laws and regulations, respect social morality, ethics and morality, adhere to the correct political direction, public opinion guidance and value orientation, and promote positive and upright deep synthesis services. **Article 5.** The relevant industry organizations are encouraged to strengthen industry self-regulation, establish sound industry standards, industry guidelines and self-regulation management system, and urge and guide deep synthesis service providers and technical supporters to formulate and improve business standards, carry out business in accordance with the law and accept social supervision. ## Chapter II General Provisions **Article 6.** No organization or individual may take advantage of deep synthesis services to produce, reproduce, release or disseminate information prohibited by laws and administrative regulations, or take advantage of deep synthesis services to engage in activities prohibited by laws and administrative regulations that endanger national security and interests, damage the national image, infringe upon public interests, disturb economic and social order, or infringe upon the legitimate rights and interests of others. Deep synthesis service providers and users shall not take advantage of deep synthesis services to produce, reproduce, release or disseminate false news information. Where news information produced and released based on deep synthesis services is to be reproduced, the news information released by an entity that sources news manuscripts on the Internet shall be reproduced in accordance with the law. **Article 7.** Deep synthesis service providers shall implement principal responsibility for information security, establish sound management systems for user registration, algorithmic mechanism review, scientific and technological ethics review, information release review, data security, personal information protection, anti-telecommunication and Internet fraud, emergency response and other management systems, and have safe and controllable technical support measures in place. **Article 8.** Deep synthesis service providers shall formulate and disclose management regulations and platform conventions, improve service agreements, fulfill management responsibilities in accordance with laws and contracts, and remind technical supporters and users of deep synthesis services in a prominent manner to assume information security obligations. **Article 9.** Deep synthesis service providers shall authenticate the real identity information of deep synthesis service users in accordance with the law on the basis of mobile phone numbers, ID numbers, unified social credit codes, national network identity authentication public services or other manners, and shall not provide information publishing services for deep synthesis service users who have not gone through the authentication of their real identity information. **Article 10.** Deep synthesis service providers shall strengthen the management of deep synthesis contents, and examine and verify the data input by deep synthesis service users and synthesis results by technical or manual means. Deep synthesis service providers shall establish the sound characteristics database for identifying illegal and malicious information, improve the criteria, rules and procedures for entry into database, and record and retain the relevant web logs. If any illegal and malicious information is found out, the deep synthesis service provider concerned shall take disposal measures in accordance with the law, keep the relevant records, and promptly report the case to the cyberspace administration and the relevant competent authorities; and the deep synthesis service provider shall, in accordance with the law or as agreed, take disposal measures such as warning, restricting functions, suspending services and closing accounts against the relevant deep synthesis service users. **Article 11.** Deep synthesis service providers shall establish a sound mechanism to refute rumors. If any false information is produced, reproduced, released or disseminated by using deep synthesis services, the deep synthesis service provider concerned shall take measures to refute rumors in a timely manner, keep the relevant records, and report the case to the cyberspace administration and the relevant competent authorities. **Article 12.** Deep synthesis service providers shall set up a convenient portal for user complaints, complaints and reports from the public, announce the handling process and feedback time limit, and promptly accept and process complaints and provide feedback on the handling results. **Article 13.** The internet application stores and other application distribution platforms shall implement security management responsibilities including the review of the applications on shelves, routine management, emergency responses, etc., and verify the security assessment, record-filing and other conditions of the applications for deep synthesis; in the event of any violation of the relevant provisions of the State, they shall take disposal measures in a timely manner, such as refusal to put the applications on shelves, warning, service suspension or removal. ## Chapter III Specifications for Data and Technical Management **Article 14.** Deep synthesis service providers and technical supporters shall strengthen the management of training data and take necessary measures to ensure the safety of training data; if training data contains personal information, the relevant provisions on the protection of personal information shall be complied with. Where a deep synthesis service provider or technical supporter provides the function of editing face, voice or other biometric information, it shall prompt the deep synthesis service user to inform the individual to be edited in accordance with the law and obtain his/her separate consent. **Article 15.** Deep synthesis service providers and technical supporters shall strengthen technical management and regularly review, evaluate and verify the algorithmic mechanism that generates the synthesis class. Deep synthesis service providers and technical supporters who provide models, templates and other tools with the following functions shall conduct security assessment by themselves or entrusting specialized agencies in accordance with the law: (I) Generating or editing face, voice or other biometric information; or (II) Generating or editing special objects, scenes or other non-biometric information that may involve national security, national image, national interests or public interests. **Article 16.** For the information contents generated or edited by using its services, a deep synthesis service provider shall take technical measures, add marks that do not affect users' use, and keep logs in accordance with the laws, administrative regulations and the relevant provisions of the State. **Article 17.** Where a deep synthesis service provider provides the following deep synthesis services, which may cause confusion or misidentification of the public, it shall make prominent marks at reasonable positions or areas of the information contents generated or edited to inform the public of the deep synthesis situation: (I) Generation or editing of texts by simulating a natural person through intelligent dialogue, intelligent writing, etc.; (II) Editing services that generate speech such as synthesis of voice, voice imitation, etc., or noticeably change personal identity features; (III) Editing services that generate image or video images or videos or noticeably change personal identity features such as face generation, face swap, face control, posture control, etc.; (IV) Immersive simulation scene generation or editing services; and (V) Other services that have the function of generating or noticeably changing information content. Deep synthesis service providers providing deep synthesis services other than those specified in the preceding paragraph shall provide a prominent mark function and remind deep synthesis service users to make prominent marks. **Article 18.** No organization or individual may delete, alter or conceal the deep synthesis marks as prescribed in Articles 16 and 17 hereof by technical means. ## Chapter IV Supervision, Inspection and Legal Liability **Article 19.** The deep synthesis service providers with attribute of public opinions or capable of mobilizing the public shall go through the formalities for record-filing, change or cancelation of record-filing in accordance with the Administrative Provisions on the Recommendation of Algorithms for Internet-based Information Services. Technical supporters of deep synthesis services shall go through the formalities for record-filing, change or cancellation of record-filing with reference to the provisions of the preceding paragraph. The deep synthesis service providers and technical supporters that have completed the record-filing shall indicate their filing numbers in a prominent position of their websites, applications, etc. through which they provide services to the public and provide links to the publicized information. **Article 20.** Where deep synthesis service providers develop and launch new products, new applications and new functions with attribute of public opinions or capable of mobilizing the public, they shall carry out security assessment in accordance with the relevant provisions of the State. **Article 21.** Cyberspace administration authorities, competent telecommunications authorities and public security authorities shall supervise and inspect deep synthesis services ex officio. Deep synthesis service providers and technical supporters shall cooperate in accordance with the law and provide necessary technical, data and other support and assistance. Where cyberspace administration and competent authorities find that deep synthesis services have relatively high information security risks, they may, according to their duties and in accordance with the law, require the deep synthesis service providers and technical supporters to take measures such as suspending information update, user account registration or other related services. Deep synthesis service providers and technical supporters shall take measures to make rectification and eliminate hidden dangers as required. **Article 22.** Deep synthesis service providers and technical supporters that violate these Provisions shall be penalized in accordance with relevant laws and administrative regulations; if serious consequences are caused, heavier penalties shall be imposed in accordance with the law. Where a violation of public security administration is constituted, the public security organ shall impose public security administration penalties in accordance with the law; if a crime is constituted, criminal liability shall be investigated in accordance with the law. ## Chapter V Supplemental Provisions **Article 23.** For the purpose of these Provisions, the following terms shall have the following meanings: Deep synthesis technology refers to the technology for producing text, images, audio, video, virtual scenes and other network information by using deep learning, virtual reality and other generation and synthesis algorithms, including but not limited to: (I) Technologies for chapter generation, text style conversion, questions, answers and dialogues and other technologies for generating or editing text contents; (II) Technologies for generating or editing audio contents, such as text-to-speech, speech-to-speech conversion and audio attribute editing; (III) Technologies for generating or editing non-audio contents, such as music generation and scene sound editing; (IV) Technologies for generating or editing biological features in images and video contents, such as face generation, face swap, character attribute editing, face control and posture control; (V) Technologies for generating or editing non-biological features in images and video contents, such as image generation, image enhancement and image restoration; and (VI) Technologies for generating or editing digital characters and virtual scenes, such as three-dimensional reconstruction and digital simulation. Deep synthesis service providers refer to organizations and individuals that provide deep synthesis services. Technical supporters of deep synthesis services refer to organizations and individuals that provide technical support for deep synthesis services. Deep synthesis service users refer to organizations and individuals that use deep synthesis services to produce, reproduce, release, or disseminate information. Training data refer to labels or benchmark data sets that are used for training machine learning models. Immersive virtual scenes refer to virtual scenes that are generated or edited with deep synthesis technology, experienced or interactive by participants, and have a high sense of reality. **Article 24.** Deep synthesis service providers and technical supporters that engage in online publishing services, online cultural activities and online audiovisual program services shall also comply with the provisions of the competent authorities of press and publishing, culture and tourism, and of radio and television. **Article 25.** These Provisions shall come into force as of January 10, 2023. --- ## Measures for the Supervision and Administration of Online Trading Platform Rules - Chinese title: 网络交易平台规则监督管理办法 - Abbreviation: Platform Rules Measures - Hierarchy: rule - Issuing body: State Administration for Market Regulation; Cyberspace Administration of China - Adopted: 2025-12-18 - Effective: 2026-02-01 - Status: effective - URL: https://datacompliancechina.com/laws/online-trading-platform-rules-measures/ - Markdown: https://datacompliancechina.com/laws/online-trading-platform-rules-measures.md ### Summary Departmental rule (SAMR/CAC Order No. 116) governing how online trading platform operators formulate, amend and enforce their platform rules (service agreements, in-platform management rules, dispute-handling rules, personal-information protection rules, IP rules, etc.). It requires conspicuous publication, comment solicitation, advance notice before changes take effect, retention of historical versions, and an appeals channel including human review where decisions are made solely by AI. Separate chapters address information/network/data security (including minors' protection and personal-information allocation between platforms and in-platform operators), protection of in-platform operators against unreasonable restrictions and fees, and consumer protection against discriminatory pricing and unilateral membership changes. Effective February 1, 2026. ### Full text **Promulgated by:** State Administration for Market Regulation; Cyberspace Administration of China. **Document No.:** Order of the State Administration for Market Regulation and the Cyberspace Administration of China No. 116. **Promulgated on December 18, 2025. Effective February 1, 2026.** --- ## Chapter 1 General Provisions **Article 1.** These Measures are formulated pursuant to the E-Commerce Law of the People's Republic of China, the Law of the People's Republic of China on the Protection of Consumers' Rights and Interests, the Cybersecurity Law of the People's Republic of China and other laws, in order to regulate the formulation, amendment and enforcement of online trading platform rules (hereinafter referred to as "platform rules"), maintain the order of online trading, protect the lawful rights and interests of all parties to online transactions, and promote the sound and sustainable development of the platform economy. **Article 2.** These Measures shall apply to online trading platform operators in carrying out activities of formulating, amending and enforcing platform rules, as well as to the supervision and administration thereof by the market regulation and cyberspace administration authorities in accordance with their respective responsibilities. **Article 3.** For the purposes of these Measures, an "online trading platform operator" means a legal person or unincorporated organization that, in online trading activities, provides services such as an online business venue, transaction matchmaking and information publication for two or more parties to a transaction, enabling them to independently carry out online trading activities. Where a network service provider such as a social-networking or live-streaming service provides operators with online trading platform services such as an online business venue, product browsing, order generation and online payment, it shall fall within the scope of online trading platform operators prescribed in these Measures. **Article 4.** For the purposes of these Measures, "platform rules" means the general term for the service agreements and trading rules that an online trading platform operator pre-formulates for compliance by all parties, for the purpose of serving the indefinite parties to online transactions and managing transaction-related activities on the platform. Platform rules include online trading platform service agreements, management rules for in-platform operators, in-platform transaction and dispute-handling rules, personal information protection rules, intellectual property protection rules, and the like. Agreements reached by an online trading platform operator through separate negotiation with a specific party that do not have broad applicability shall not fall within the platform rules prescribed in these Measures. **Article 5.** In formulating, amending and enforcing platform rules, an online trading platform operator shall follow the principles of openness, fairness and impartiality, comply with laws, regulations, rules, commercial ethics and public order and good customs, and shall not use platform rules to engage in conduct that endangers national interests or the public interest of society, or that infringes upon the lawful rights and interests of any party to online transactions. **Article 6.** An online trading platform operator shall, through the formulation, amendment and enforcement of platform rules, strengthen the management of the entry into and exit from the platform by in-platform operators and of in-platform transaction activities, and shall implement, in accordance with the law, its responsibilities in such aspects as product and service quality assurance, consumer rights protection, fair competition, credit management, information security management, online protection of minors, personal information protection, and network and data security protection. ## Chapter 2 Formulation, Amendment and Enforcement of Platform Rules **Article 7.** An online trading platform operator shall continuously publish, in a conspicuous position on the homepage of its website or application, the platform-rules information or a link identifier thereto, and shall ensure that operators and consumers can conveniently and completely read and download such information. **Article 8.** The content of platform rules shall be clear and easy to read and understand. An online trading platform operator shall, by conspicuous means such as bold typeface, prompt operators and consumers to note the content of platform rules that bears a material interest relationship with them, such as charges and dispute resolution, safeguard their right to know, and explain and clarify the relevant terms at the request of operators and consumers. **Article 9.** An online trading platform operator shall take technical measures to set up a search function on the display page of platform rules, so as to facilitate operators' and consumers' retrieval and browsing of specific content in the platform rules. **Article 10.** In formulating or amending platform rules, an online trading platform operator shall publicly solicit opinions in a conspicuous position on the homepage of its website or application. The online trading platform operator shall reserve necessary time and provide necessary technical support to ensure that the parties concerned can express their opinions in a timely and full manner. **Article 11.** An online trading platform operator shall comprehensively and truthfully summarize and organize the opinions received in the course of soliciting opinions on platform rules; reasonable opinions shall be fully adopted, and there shall be reasonable grounds for opinions that are not adopted. The relevant materials shall be filed for future reference and retained for no less than three years from the date on which the solicitation of opinions ends. **Article 12.** Platform rules formulated or amended by an online trading platform operator shall be publicized at least seven days before implementation. For platform rules that involve a huge number of users, contain substantial amendments, or bear upon the important rights and interests of the parties concerned, publicization shall be made at least fifteen days before implementation. **Article 13.** Where the formulation or amendment of platform rules by an online trading platform operator may have a material impact on the important rights and interests of the parties concerned, the operator shall, in addition to publicization in accordance with Article 12 of these Measures, set a reasonable transition period commensurate with the degree of impact, so as to provide convenient conditions for the parties concerned to properly handle the relevant matters. **Article 14.** Where an in-platform operator or consumer does not accept the amended content of platform rules and requests to exit the platform or terminate the relevant services, the online trading platform operator shall not impede such exit or termination by means such as setting unreasonable conditions. Where an in-platform operator or consumer requests to exit the platform or terminate the relevant services in accordance with the preceding paragraph, the online trading platform operator shall, in accordance with the platform rules in force before the amendment, bear the relevant responsibilities such as refunding fees according to actual circumstances, and shall not deliberately delay or unreasonably refuse. **Article 15.** Where an online trading platform operator amends platform rules, it shall completely retain all historical versions for the three years preceding the effective date of the amended version, and shall ensure that operators and consumers can conveniently and completely read and download them. **Article 16.** An online trading platform operator shall not compel or induce operators and consumers to express agreement to the relevant platform rules, and shall not set the relevant platform rules as a default option of agreement, except where the operators' and consumers' obligations are not increased and their rights and interests are not diminished. **Article 17.** An online trading platform operator shall establish and improve a mechanism for communication and consultation on material matters of platform rules, and shall, through means such as regular discussions, symposiums and questionnaire surveys, carry out normalized communication and consultation on the formulation, amendment and enforcement of platform rules that bear material interest relationships with the parties concerned, comprehensively and truthfully summarize and organize the opinions collected in the course of communication and consultation; reasonable opinions shall be fully adopted, and there shall be reasonable grounds for opinions that are not adopted. **Article 18.** An online trading platform operator shall, through the formulation, amendment and enforcement of platform rules, regulate conduct in online trading activities that violates laws, regulations, rules, commercial ethics, or public order and good customs, and prevent the lawful rights and interests of the parties concerned from being infringed. **Article 19.** Where an online trading platform operator, in accordance with platform rules, takes measures against an in-platform operator or consumer that have a negative impact on their rights and interests, the operator shall inform them of the facts, reasons and basis of their violation of laws, regulations, rules or platform rules, and set up a convenient channel for complaints. Where laws and regulations provide otherwise, such provisions shall apply. Where an in-platform operator or consumer lodges a complaint, the online trading platform operator shall promptly review the matter complained of and handle it objectively and impartially; where the matter is handled solely by technical means such as artificial intelligence and the complainant requests a human determination, the matter shall be handled by means of a human determination. After making a decision, the online trading platform operator shall promptly inform the complainant of the result. **Article 20.** In the course of formulating, amending and enforcing platform rules, an online trading platform operator shall not impose unreasonable restrictions on the appeal rights of in-platform operators and consumers. **Article 21.** An online trading platform operator shall specify in the platform rules the mechanism for resolving in-platform transaction disputes, and shall fairly allocate the burden of proof among the parties to in-platform transaction disputes in accordance with the relevant laws. Where the burden of proof of one party is reasonably reduced, the online trading platform operator shall take measures to identify, prevent and dispose of conduct that abuses such rule in violation of the principle of good faith and infringes upon the lawful rights and interests of the parties concerned. **Article 22.** Where an online trading platform operator entrusts a third-party institution or personnel to enforce platform rules, it shall provide necessary training to them, and shall, in accordance with the law, bear the legal liability arising from improper enforcement by such third-party institution or personnel. ## Chapter 3 Information, Network and Data Security Protection **Article 23.** Where an online trading platform operator provides information publication services for in-platform operators and consumers, it shall, in a conspicuous manner in the platform rules, specify information security clauses for in-platform product and service information, transaction information, review information and the like, requiring in-platform operators and consumers to comply with laws, regulations and the relevant provisions of the State, refrain from producing, copying, publishing or disseminating illegal information, and take measures to prevent and resist the production, copying, publication or dissemination of harmful information. **Article 24.** An online trading platform operator shall follow the principles of openness, fairness and impartiality, and shall, in the platform rules, specify in accordance with the law the norms for in-platform operators' processing of personal information, and reasonably define the rights and obligations regarding personal information protection between itself and in-platform operators. **Article 25.** Where an online trading platform operator, through platform rules, specifies the network data security protection obligations of third-party product and service providers that access its platform, it shall provide for the rights and obligations of the relevant parties in accordance with the law, and urge them to strengthen network data security management. An online trading platform operator shall not use platform rules to engage in activities prohibited by laws and administrative regulations, such as illegally processing users' network data or restricting users' network data rights and interests without justified reasons. **Article 26.** An online trading platform operator that has a huge number of minor users or has a significant influence on the group of minors shall follow the principles of openness, fairness and impartiality, formulate dedicated platform rules, specify in accordance with the law the obligations of in-platform operators for online protection of minors, and prompt minor users, in a conspicuous manner, of the online protection rights they enjoy in accordance with the law and the remedies for online infringement they suffer. ## Chapter 4 Protection of the Rights and Interests of In-Platform Operators **Article 27.** An online trading platform operator shall not use platform rules to engage in the following conduct that imposes unreasonable restrictions or attaches unreasonable conditions on the independent business activities of in-platform operators: (I) compelling or in a disguised manner compelling in-platform operators to bear after-sales responsibilities such as refunding without returning goods, thereby harming their lawful rights and interests; (II) compelling or in a disguised manner compelling in-platform operators to activate value-added services that are not necessary for their business activities, thereby increasing their operating costs; (III) compelling or in a disguised manner compelling in-platform operators to participate in promotional or marketing activities; (IV) compelling or in a disguised manner compelling in-platform operators to carry out business activities only on a specific platform; or (V) other conduct that imposes unreasonable restrictions or attaches unreasonable conditions on the independent business activities of in-platform operators. An online trading platform operator shall not compel or in a disguised manner compel in-platform operators to sell products or provide services at prices below cost in accordance with its pricing rules, thereby disrupting the order of market competition. **Article 28.** An online trading platform operator shall not use platform rules to engage in the following conduct of charging unreasonable fees to in-platform operators: (I) duplicate charging; (II) charging without providing services or providing fewer services; (III) passing on fees that should be borne by the platform itself; (IV) charging in-platform operators fees for providing their basic operating data; (V) compelling or in a disguised manner compelling in-platform operators to purchase services or participate in promotional or marketing activities and charging for them; (VI) charging in a disguised manner or raising charging standards by means of manifestly unreasonable deposits or the like; or (VII) charging other unreasonable fees. An online trading platform operator shall not use platform rules to, where the same products or services are provided, apply price discrimination to in-platform operators with equivalent transaction conditions. **Article 29.** Where an online trading platform operator sets liquidated damages or damages for breach for certain conduct of in-platform operators in the platform rules, it shall reasonably set the amount of liquidated damages or the method of calculating damages for breach; where liquidated damages or damages for breach are charged in accordance with the platform rules, the operator shall inform them of the corresponding basis and method of calculation, and shall not use platform rules to charge liquidated damages or damages for breach that manifestly exceed a reasonable level. ## Chapter 5 Protection of Consumers' Rights and Interests **Article 30.** In the course of formulating, amending and enforcing platform rules, an online trading platform operator shall not exclude or restrict consumers' rights, reduce or exempt its own liability, or unreasonably aggravate consumers' liability, including specifically the following circumstances: (I) requiring consumers to bear liquidated damages or damages for breach that exceed the statutory amount or manifestly exceed a reasonable amount; (II) excluding or restricting consumers' right to independently choose products or services in accordance with the law; (III) excluding or restricting consumers' right to claim liquidated damages or damages for breach in accordance with the law; (IV) excluding or restricting consumers' right to lodge complaints, make reports, request mediation, apply for arbitration, or institute litigation in accordance with the law; or (V) other circumstances that exclude or restrict consumers' rights, reduce or exempt its own liability, or unreasonably aggravate consumers' liability. **Article 31.** An online trading platform operator shall not use platform rules to set different prices or charging standards for the same product or service under equivalent transaction conditions without the consumer's knowledge. **Article 32.** Where a consumer purchases a membership service provided by an online trading platform operator, the online trading platform operator shall not, within the agreed service period, charge additional fees without authorization or diminish membership rights and interests by unilaterally amending the platform rules. Before a consumer continues to purchase the membership service, the online trading platform operator shall, in a conspicuous manner, inform the consumer of the changes in the platform rules relating to membership rights and interests. Where, due to unforeseeable objective circumstances, the online trading platform operator is unable to provide the relevant services to the consumer in accordance with the original platform rules, and the consumer requests to terminate the membership service, the matter shall be handled in accordance with Article 14 of these Measures. ## Chapter 6 Supervision and Administration **Article 33.** The market regulation and cyberspace administration authorities shall, in accordance with their respective responsibilities, strengthen the supervision and administration of the activities of formulating, amending and enforcing platform rules, and shall establish and improve working mechanisms such as the transfer of leads, information sharing, and joint consultation and analysis. Where the market regulation and cyberspace administration authorities carry out supervision and administration activities in accordance with the law, the online trading platform operator shall cooperate, provide necessary data, technical support and assistance, and ensure the authenticity and accuracy of the data provided. **Article 34.** Online trading platform operators are encouraged to establish a system of co-governance of platform rules by society, and to fully hear the opinions of all parties on platform rules through means such as consumer organizations, third-party institutions, and expert consultation and appraisal. **Article 35.** Online trading platform operators are encouraged to release annual platform-rules compliance reports, conduct compliance self-assessments of the formulation, amendment and enforcement of platform rules, and accept supervision by society. Online trading platform operators are encouraged to invite or entrust third-party institutions to issue external compliance assessment reports on platform rules. **Article 36.** The market regulation and cyberspace administration authorities at or above the provincial level may, through means such as organizing expert review, put forward opinions on the formulation, amendment and enforcement of platform rules by online trading platform operators within their respective jurisdictions, provide timely feedback to the relevant online trading platform operators, and guide them in optimizing their mechanisms for formulating, amending and enforcing platform rules. **Article 37.** When performing platform-rules supervision and administration duties in accordance with these Measures, the market regulation and cyberspace administration authorities shall ensure that administrative inspections are legally grounded, strictly regulated, fair and civilized, and precise and efficient, and shall avoid unnecessary interference with the normal business activities of online trading platform operators and in-platform operators. **Article 38.** Where an online trading platform operator falls under any of the following circumstances in the course of formulating, amending and enforcing platform rules, the market regulation and cyberspace administration authorities may, in accordance with their respective responsibilities, hold an interview with the relevant person in charge, requiring the operator to explain the situation and take corrective measures: (I) failing to adequately perform the statutory obligations relating to online trading; (II) the occurrence of a major adverse public-opinion incident relating to online trading; (III) the discovery, by the market regulation and cyberspace administration authorities in routine supervision and administration, of problems that may have a negative impact on the order of online trading; (IV) failing to safeguard the lawful rights and interests of the parties concerned such as in-platform operators and consumers; or (V) other circumstances under which an interview is necessary. ## Chapter 7 Legal Liability **Article 39.** Where an online trading platform operator commits any of the following acts, it shall be punished in accordance with Article 81 of the E-Commerce Law of the People's Republic of China: (I) failing to continuously publish, in a conspicuous position on the homepage of its website or application, the platform-rules information or a link identifier thereto, in violation of Article 7 of these Measures; (II) failing to publicly solicit opinions as required, in violation of Article 10 of these Measures; (III) failing to publicize the content of platform rules in advance within the prescribed time, in violation of the first paragraph of Article 12 of these Measures; or (IV) where an in-platform operator does not accept the amended content of platform rules and requests to exit, impeding such exit by means such as setting unreasonable conditions, in violation of the first paragraph of Article 14 of these Measures. **Article 40.** Where an online trading platform operator violates the second paragraph of Article 8, Article 11, the second paragraph of Article 14, Article 16, Article 20, Article 29, Article 30, or the first paragraph of Article 32 of these Measures, and laws and administrative regulations so provide, such provisions shall apply; where laws and administrative regulations do not so provide and the matter falls within the responsibilities of the market regulation authority, the market regulation authority shall order corrections within a time limit and may impose a fine of not less than RMB 10,000 but not more than RMB 100,000. **Article 41.** Where an online trading platform operator violates Articles 23 through 26 of these Measures, and laws and administrative regulations so provide, such provisions shall apply; where laws and administrative regulations do not so provide and the matter falls within the responsibilities of the cyberspace administration authority, the cyberspace administration authority shall order corrections within a time limit and may impose a fine of not less than RMB 10,000 but not more than RMB 100,000. **Article 42.** Where an online trading platform operator violates the first paragraph of Article 27 or the first paragraph of Article 28 of these Measures, it shall be punished in accordance with Article 82 of the E-Commerce Law of the People's Republic of China. Where an online trading platform operator violates the second paragraph of Article 27 of these Measures, it shall be punished in accordance with Article 30 of the Anti-Unfair Competition Law of the People's Republic of China. Where an online trading platform operator violates the second paragraph of Article 28 of these Measures, it shall be punished in accordance with Article 40 of the Price Law of the People's Republic of China and Article 4 of the Provisions on Administrative Penalties for Price-Related Violations. **Article 43.** Where an online trading platform operator violates Article 31 of these Measures, it shall be punished in accordance with the first paragraph of Article 56 of the Law of the People's Republic of China on the Protection of Consumers' Rights and Interests. **Article 44.** Where an online trading platform operator uses platform rules to engage in monopolistic conduct, it shall be punished in accordance with the Anti-Monopoly Law of the People's Republic of China. **Article 45.** After the market regulation authority makes a decision on administrative penalty against an online trading platform operator in accordance with these Measures, it shall, in accordance with the law, publicize the decision to society through the National Enterprise Credit Information Publicity System. ## Chapter 8 Supplementary Provisions **Article 46.** Where the supervision and administration of activities of formulating, amending and enforcing platform rules falls, in accordance with the law, within the responsibilities of other relevant authorities, such other relevant authorities shall handle it in accordance with the relevant provisions. **Article 47.** These Measures shall come into force as of February 1, 2026. --- ## Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications - Chinese title: 常见类型移动互联网应用程序必要个人信息范围规定 - Abbreviation: Necessary PI Scope Provisions - Hierarchy: rule - Issuing body: Secretariat of the Cyberspace Administration of China, General Office of MIIT, General Office of the Ministry of Public Security, and General Office of SAMR - Adopted: 2021-03-12 - Effective: 2021-05-01 - Status: effective - URL: https://datacompliancechina.com/laws/app-necessary-pi-scope-provisions/ - Markdown: https://datacompliancechina.com/laws/app-necessary-pi-scope-provisions.md - Source URL: https://www.cac.gov.cn/2021-03/22/c_1617990997054277.htm ### Summary These Provisions, issued jointly by the CAC, MIIT, MPS, and SAMR in March 2021 and effective May 1, 2021, define 'necessary personal information' as the minimum data indispensable for an app's basic functional service to operate — and expressly prohibit operators from refusing basic service to users who decline to provide non-necessary personal information. The Provisions enumerate 39 common mobile app categories (including map navigation, ride-hailing, instant messaging, online shopping, mobile banking, and more), specifying the precise personal information each category may require; 12 of the 39 categories — including browsers, input methods, news apps, and short-video apps — require no personal information at all for basic use. Overseas counsel advise on these Provisions when auditing the data-collection practices of apps distributed in China, assessing whether consent gates or account-wall practices are lawful, and preparing for MIIT or CAC enforcement inspections targeting excessive or non-necessary data collection. ### Full text **Promulgated by:** Secretariat of the Cyberspace Administration of China; General Office of the Ministry of Industry and Information Technology; General Office of the Ministry of Public Security; General Office of the State Administration for Market Regulation. **Document No.:** Guo Xin Ban Mi Zi [2021] No. 14. **Issued on March 12, 2021. Effective May 1, 2021.** --- **Article 1.** These Provisions are formulated in accordance with the Cybersecurity Law of the People's Republic of China in order to regulate the collection of personal information by mobile internet applications (apps) and to protect the security of citizens' personal information. **Article 2.** Apps running on mobile smart terminals that collect users' personal information shall comply with these Provisions. Where laws, administrative regulations, departmental rules, or normative documents provide otherwise, those provisions shall prevail. Apps include application software pre-installed on mobile smart terminals or downloaded and installed thereon, as well as mini-programs developed on the basis of open platform interfaces of application software that users may use without installation. **Article 3.** For the purposes of these Provisions, "necessary personal information" means the personal information indispensable for ensuring the normal operation of an app's basic functional service — without which the app cannot implement its basic functional service. It refers specifically to personal information on the consumer-side user, and does not include personal information on the service-supply-side user. **Article 4.** An app shall not refuse a user access to its basic functional service on the ground that the user declines to provide non-necessary personal information. **Article 5.** The scope of necessary personal information for common types of apps is as follows: **(1) Map and navigation apps** — basic functional service: "positioning and navigation"; necessary personal information: location information, point of departure, destination. **(2) Ride-hailing apps** — basic functional service: "online pre-booked taxi services and cruising taxi dispatch services"; necessary personal information includes: 1. registered user's mobile phone number; 2. passenger's point of departure, destination, location information, and movement trajectory; 3. payment time, payment amount, payment channel, and other payment information (for online pre-booked taxi services). **(3) Instant messaging apps** — basic functional service: "providing network instant messaging services in the form of text, images, voice, video, and the like"; necessary personal information includes: 1. registered user's mobile phone number; 2. account information: account name, list of instant messaging contacts' account names. **(4) Online community apps** — basic functional service: "topic discussions, information sharing, and interactive following on blogs, forums, communities, and the like"; necessary personal information: registered user's mobile phone number. **(5) Online payment apps** — basic functional service: "online payment, cash withdrawal, transfer, and similar functions"; necessary personal information includes: 1. registered user's mobile phone number; 2. registered user's name, type and number of identity document, validity period of identity document, and bank card number. **(6) Online shopping apps** — basic functional service: "purchasing goods"; necessary personal information includes: 1. registered user's mobile phone number; 2. recipient's name (or entity name), address, and contact telephone number; 3. payment time, payment amount, payment channel, and other payment information. **(7) Food delivery apps** — basic functional service: "purchasing food and beverage and delivery services"; necessary personal information includes: 1. registered user's mobile phone number; 2. recipient's name (or entity name), address, and contact telephone number; 3. payment time, payment amount, payment channel, and other payment information. **(8) Postal and courier delivery apps** — basic functional service: "delivery services for letters, parcels, printed matter, and other items"; necessary personal information includes: 1. sender's name, type and number of identity document, and other identity information; 2. sender's address and contact telephone number; 3. recipient's name (or entity name), address, and contact telephone number; 4. name, nature, and quantity of the items being sent. **(9) Transportation ticketing apps** — basic functional service: "transportation-related ticketing services and itinerary management (such as ticket purchase, rebooking, refund, and itinerary management)"; necessary personal information includes: 1. registered user's mobile phone number; 2. passenger's name, type and number of identity document, and passenger type (passenger types typically include child, adult, and student); 3. passenger's point of departure, destination, departure time, train/vessel/flight number, class/cabin grade, seat number (if any), and license plate number and color (for ETC services); 4. payment time, payment amount, payment channel, and other payment information. **(10) Dating and matchmaking apps** — basic functional service: "dating and matchmaking"; necessary personal information includes: 1. registered user's mobile phone number; 2. the dating or matchmaking user's gender, age, and marital status. **(11) Job-seeking and recruitment apps** — basic functional service: "exchange of job-seeking and recruitment information"; necessary personal information includes: 1. registered user's mobile phone number; 2. résumé provided by the job seeker. **(12) Online lending apps** — basic functional service: "personal loan application services for consumption, daily production and business operations, and working capital needs, implemented through an internet platform"; necessary personal information includes: 1. registered user's mobile phone number; 2. borrower's name, type and number of identity document, validity period of identity document, and bank card number. **(13) Property rental and sales apps** — basic functional service: "publishing individual property listings and renting or selling residential properties"; necessary personal information includes: 1. registered user's mobile phone number; 2. basic property information: property address, area/layout, and expected sale price or rent. **(14) Used-vehicle trading apps** — basic functional service: "exchange of used-vehicle buying and selling information"; necessary personal information includes: 1. registered user's mobile phone number; 2. buyer's name, and type and number of identity document; 3. seller's name, type and number of identity document, vehicle registration certificate number, and vehicle identification number. **(15) Medical consultation and appointment registration apps** — basic functional service: "online consultation and diagnosis, and appointment registration"; necessary personal information includes: 1. registered user's mobile phone number; 2. for appointment registration: patient's name, type and number of identity document, and the hospital and department being booked; 3. for consultation: description of the patient's condition. **(16) Tourism services apps** — basic functional service: "publishing and booking tourism service products"; necessary personal information includes: 1. registered user's mobile phone number; 2. traveler's tourism destination and travel dates; 3. traveler's name, type and number of identity document, and contact details. **(17) Hotel services apps** — basic functional service: "hotel reservations"; necessary personal information includes: 1. registered user's mobile phone number; 2. guest's name and contact details, check-in and check-out dates, and name of the hotel being booked. **(18) Online gaming apps** — basic functional service: "providing online gaming products and services"; necessary personal information: registered user's mobile phone number. **(19) Learning and education apps** — basic functional service: "online tutoring, online classrooms, and the like"; necessary personal information: registered user's mobile phone number. **(20) Local lifestyle services apps** — basic functional service: "daily life services such as housekeeping and repairs, home renovation, and second-hand and idle-item trading"; necessary personal information: registered user's mobile phone number. **(21) Women's health apps** — basic functional service: "health management services for women including menstrual cycle management, pregnancy preparation and childcare, and beauty and body care"; no personal information is required to use the basic functional service. **(22) Vehicle usage services apps** — basic functional service: "shared bicycle, shared automobile, and rental automobile services"; necessary personal information includes: 1. registered user's mobile phone number; 2. type and number of identity document and driving licence information for users of shared automobile and rental automobile services; 3. payment time, payment amount, payment channel, and other payment information; 4. location information for users of shared bicycle and time-share rental automobile services. **(23) Investment and wealth management apps** — basic functional service: "investment and wealth management services related to stocks, futures, funds, bonds, and similar instruments"; necessary personal information includes: 1. registered user's mobile phone number; 2. investment and wealth management user's name, type and number of identity document, validity period of identity document, and copy of identity document; 3. investment and wealth management user's capital account, bank card number, or payment account. **(24) Mobile banking apps** — basic functional service: "managing bank accounts, querying account information, transferring funds, and remitting money through mobile smart terminal devices"; necessary personal information includes: 1. registered user's mobile phone number; 2. user's name, type and number of identity document, validity period of identity document, copy of identity document, bank card number, and mobile phone number registered with the bank; 3. for transfers: payee's name, bank card number, and account-opening bank information. **(25) Email and cloud storage apps** — basic functional service: "email, cloud storage, and similar services"; necessary personal information: registered user's mobile phone number. **(26) Remote conferencing apps** — basic functional service: "providing audio or video conferencing over the internet"; necessary personal information: registered user's mobile phone number. **(27) Online live-streaming apps** — basic functional service: "continuously providing users with real-time browsing of information in the form of video, audio, text, images, and similar content"; no personal information is required to use the basic functional service. **(28) Online video and audio apps** — basic functional service: "searching and playing films, television programmes, and music"; no personal information is required to use the basic functional service. **(29) Short-video apps** — basic functional service: "searching and playing videos not exceeding a specified duration"; no personal information is required to use the basic functional service. **(30) News and information apps** — basic functional service: "browsing and searching news and information"; no personal information is required to use the basic functional service. **(31) Sports and fitness apps** — basic functional service: "sports and fitness training"; no personal information is required to use the basic functional service. **(32) Browser apps** — basic functional service: "browsing internet information resources"; no personal information is required to use the basic functional service. **(33) Input method apps** — basic functional service: "inputting text, symbols, and the like"; no personal information is required to use the basic functional service. **(34) Security management apps** — basic functional service: "scanning for and eliminating viruses, clearing malicious plug-ins, repairing vulnerabilities, and similar functions"; no personal information is required to use the basic functional service. **(35) Electronic book apps** — basic functional service: "searching and reading e-books"; no personal information is required to use the basic functional service. **(36) Photography and beautification apps** — basic functional service: "photography, beauty filters, and image-enhancement filters"; no personal information is required to use the basic functional service. **(37) App store apps** — basic functional service: "searching and downloading apps"; no personal information is required to use the basic functional service. **(38) Utility tool apps** — basic functional service: "functions such as calendar, weather, dictionary and translation, calculator, remote control, flashlight, compass, clock and alarm, file transfer, file management, wallpapers and ringtones, screenshot and screen recording, audio recording, document processing, smart-home assistant, and horoscope and personality tests"; no personal information is required to use the basic functional service. **(39) Performance ticketing apps** — basic functional service: "purchasing performance tickets"; necessary personal information includes: 1. registered user's mobile phone number; 2. performance session and seat number (if any); 3. payment time, payment amount, payment channel, and other payment information. **Article 6.** Any organization or individual that discovers conduct in violation of these Provisions may report it to the relevant authorities. Upon receiving such reports, the relevant authorities shall handle them in accordance with law. **Article 7.** These Provisions shall come into force on May 1, 2021. --- ## Implementation Rules for Personal Information Protection Certification - Chinese title: 个人信息保护认证实施规则 - Abbreviation: PI Certification Rules - Hierarchy: rule - Issuing body: State Administration for Market Regulation (SAMR) and Cyberspace Administration of China (CAC) - Adopted: 2022-11-18 - Effective: 2022-11-18 - Status: effective - URL: https://datacompliancechina.com/laws/pi-protection-certification-implementation-rules/ - Markdown: https://datacompliancechina.com/laws/pi-protection-certification-implementation-rules.md - Source URL: https://www.cac.gov.cn/2022-11/18/c_1670399936983876.htm ### Summary The Implementation Rules for Personal Information Protection Certification, issued as the annex to SAMR and CAC Joint Announcement No. 37 of 2022 on November 18, 2022, operationalize the certification pathway that PIPL Article 38(2) authorizes for cross-border transfers of personal information and that simultaneously governs domestic personal information protection certification. The Rules establish a three-stage certification model — technical verification, on-site audit, and post-certification supervision — grounded in GB/T 35273 (Personal Information Security Specification) for all personal information handlers, with the additional requirement that handlers engaged in cross-border processing activities comply with TC260-PG-20222A (Security Certification Specification for Cross-border Personal Information Processing Activities). Certification certificates are valid for three years, subject to ongoing supervisory audits, and may be suspended or revoked for non-compliance; certified handlers may display the corresponding certification mark (with a distinct cross-border variant). The Rules were subsequently supplemented by the Measures for the Certification of the Cross-border Provision of Personal Information (effective January 1, 2026), which specifically governs the cross-border certification route; overseas counsel advising on cross-border transfers should read the two instruments together, as the Implementation Rules set the foundational procedural framework that the 2026 Measures build upon. ### Full text **Promulgated jointly by:** State Administration for Market Regulation (SAMR) and Cyberspace Administration of China (CAC). **Document No.:** Annex to Joint Announcement No. 37 of 2022 of the State Administration for Market Regulation and the Cyberspace Administration of China. **Published on November 18, 2022. Effective November 18, 2022.** --- **1. Scope of Application** These Rules are formulated in accordance with the Regulations of the People's Republic of China on Certification and Accreditation. They set out the basic principles and requirements for conducting certification of personal information handlers' activities of collecting, storing, using, processing, transmitting, providing, disclosing, deleting, and cross-border transferring personal information and other processing activities. **2. Certification Basis** Personal information handlers shall meet the requirements of GB/T 35273 *Information Security Technology — Personal Information Security Specification*. Personal information handlers that engage in cross-border processing activities shall additionally meet the requirements of TC260-PG-20222A *Security Certification Specification for Cross-border Personal Information Processing Activities*. As a general rule, the latest versions of the foregoing standards and specifications shall apply. **3. Certification Model** The certification model for Personal Information Protection Certification is: **Technical Verification + On-site Audit + Post-certification Supervision**. **4. Certification Implementation Procedures** **4.1 Certification Application** A certification body shall set out its requirements for certification application materials, including but not limited to basic materials of the certification applicant, the certification application form, and relevant supporting documents. The certification applicant shall submit certification application materials in accordance with the certification body's requirements. After reviewing the application materials, the certification body shall promptly notify the applicant whether the application has been accepted. Based on the application materials, the certification body shall determine the certification scheme — including the type and volume of personal information, the scope of personal information processing activities involved, and the information of the technical verification institution — and shall notify the certification applicant accordingly. **4.2 Technical Verification** The technical verification institution shall conduct technical verification in accordance with the certification scheme and shall issue a technical verification report to the certification body and the certification applicant. **4.3 On-site Audit** The certification body shall conduct an on-site audit and shall issue an on-site audit report to the certification applicant. **4.4 Evaluation of Certification Results and Approval** Based on the certification application materials, the technical verification report, the on-site audit report, and other relevant information, the certification body shall conduct a comprehensive evaluation and make a certification decision. Where certification requirements are met, a certification certificate shall be issued. Where certification requirements are not yet met, the certification body may require the certification applicant to rectify within a specified period; if the applicant still fails to meet the requirements after rectification, the certification body shall notify the certification applicant in writing that the certification process is terminated. Where it is discovered that the certification applicant or the personal information handler has engaged in conduct such as deception, concealment of information, or deliberate violation of certification requirements that materially affects the conduct of certification, the certification shall not be approved. **4.5 Post-certification Supervision** **4.5.1 Frequency of Supervision** During the validity period of a certification, the certification body shall conduct ongoing supervision of the certified personal information handler and shall determine the supervision frequency on a reasonable basis. **4.5.2 Content of Supervision** The certification body shall adopt appropriate means to conduct post-certification supervision, to ensure that the certified personal information handler continues to meet certification requirements. **4.5.3 Evaluation of Post-certification Supervision Results** The certification body shall conduct a comprehensive evaluation of the post-certification supervision findings and other relevant information. Where the evaluation is passed, the certification certificate may continue to be maintained. Where the evaluation is not passed, the certification body shall take action to suspend or revoke the certification certificate according to the applicable circumstances. **4.6 Certification Time Limits** The certification body shall establish clear time limits for each stage of the certification process and shall ensure that the relevant work is completed within the required time limits. The certification applicant shall cooperate actively with the certification activities. **5. Certification Certificates and Certification Marks** **5.1 Certification Certificate** **5.1.1 Maintenance of the Certification Certificate** The validity period of a certification certificate is **three years**. During the validity period, the certification certificate is maintained in validity through post-certification supervision by the certification body. Where the certification applicant wishes to continue using the certificate after its expiry, the applicant shall submit a certification application to the certification body within six months before the expiry date. The certification body shall adopt the post-certification supervision approach and, for applicants that meet certification requirements, issue a new certificate. **5.1.2 Variation of the Certification Certificate** During the validity period of the certification certificate, where there is a change to the name or registered address of the certified personal information handler, or to the certification requirements or certification scope, the certification applicant shall submit a variation application to the certification body. The certification body shall, based on the content of the change, evaluate the variation application materials and determine whether the variation may be approved. Where technical verification and/or an on-site audit are required, these shall be conducted before the variation is approved. **5.1.3 Cancellation, Suspension, and Revocation of the Certification Certificate** Where a certified personal information handler no longer meets certification requirements, the certification body shall promptly suspend or revoke the certification certificate as appropriate. During the validity period of the certification certificate, the certification applicant may apply for suspension or cancellation of the certification certificate. **5.1.4 Publication of the Certification Certificate** The certification body shall publish information on the issuance, variation, suspension, cancellation, and revocation of certification certificates using appropriate means. **5.2 Certification Marks** Two categories of certification mark are established: **(1) Personal Information Protection Certification Mark** — for use by certified personal information handlers that do not engage in cross-border processing activities. The mark displays the certification body identification code (ABCD). **(2) Personal Information Protection Certification Mark (Cross-border)** — for use by certified personal information handlers that engage in cross-border processing activities. The mark displays the certification body identification code (ABCD). **5.3 Use of Certification Certificates and Certification Marks** During the validity period of the certification certificate, a certified personal information handler shall use the certification certificate and certification mark correctly in advertisements and other promotional materials in accordance with relevant regulations, and shall not mislead the public. **6. Detailed Certification Implementation Rules** A certification body shall, in accordance with the relevant requirements of these Rules, refine the certification implementation procedures and formulate scientifically sound, reasonable, and operationally workable detailed certification implementation rules, which shall be published and implemented. **7. Certification Responsibilities** The certification body shall be responsible for the on-site audit conclusions and the certification conclusions. The technical verification institution shall be responsible for the technical verification conclusions. The certification applicant shall be responsible for the authenticity and legality of the certification application materials. --- ## Provisions on the Administration of the Use of Commercial Cryptography in Critical Information Infrastructure - Chinese title: 关键信息基础设施商用密码使用管理规定 - Abbreviation: CII Commercial Cryptography Provisions - Hierarchy: rule - Issuing body: State Cryptography Administration; Cyberspace Administration of China - Adopted: 2025-06-11 - Effective: 2025-08-01 - Status: effective - URL: https://datacompliancechina.com/laws/cii-commercial-cryptography-provisions/ - Markdown: https://datacompliancechina.com/laws/cii-commercial-cryptography-provisions.md ### Summary Departmental rule (State Cryptography Administration / CAC / Ministry of Public Security Order No. 5) requiring operators of critical information infrastructure (CII) to use commercial cryptography to protect their CII, and to plan, build and operate commercial-cryptography assurance systems concurrently with the CII itself. It mandates commercial-cryptography application security assessments at the planning, construction and operation stages (at least annually once in operation), requires the use of certified commercial-cryptography products and State-vetted algorithms, sets staffing and funding requirements (key administrators, cipher operators, security auditors), imposes annual reporting duties, and provides penalties of up to RMB 1,000,000. Effective August 1, 2025. ### Full text **Promulgated by:** State Cryptography Administration; Cyberspace Administration of China; Ministry of Public Security. **Document No.:** Order of the State Cryptography Administration, the Cyberspace Administration of China and the Ministry of Public Security No. 5. **Reviewed and adopted at the executive meeting of the State Cryptography Administration on April 21, 2025, and approved by the Cyberspace Administration of China and the Ministry of Public Security. Promulgated on June 11, 2025. Effective August 1, 2025.** --- **Article 1.** These Provisions are formulated pursuant to the Cryptography Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Regulations on the Administration of Commercial Cryptography, the Regulations on the Security Protection of Critical Information Infrastructure, the Regulations on the Administration of Network Data Security and other relevant laws and administrative regulations, in order to regulate the use of commercial cryptography in critical information infrastructure and protect the security of critical information infrastructure. **Article 2.** These Provisions shall apply to the administration of the use of commercial cryptography in critical information infrastructure that is identified in accordance with the Cybersecurity Law of the People's Republic of China, the Regulations on the Security Protection of Critical Information Infrastructure and other laws, administrative regulations and the relevant provisions of the State. **Article 3.** The national cryptography administration department, in conjunction with the national cyberspace administration department and the public security department of the State Council, shall be responsible for the planning, guidance and supervision of the administration of the use of commercial cryptography in critical information infrastructure throughout the country, and shall establish an information-sharing mechanism for the administration of the use of commercial cryptography in critical information infrastructure. Local cryptography administration departments at or above the county level, in conjunction with the cyberspace administration departments and the public security organs, shall be responsible for guiding and supervising the administration of the use of commercial cryptography in critical information infrastructure within their respective administrative regions. **Article 4.** The departments responsible for the protection of critical information infrastructure (hereinafter referred to as "protection departments") shall, within the scope of their duties, be responsible for supervising and administering the use of commercial cryptography in critical information infrastructure in their respective industries and fields; shall, separately, formulate plans for the use of commercial cryptography in their respective industries and fields, or incorporate such plans into the security plans for critical information infrastructure in their respective industries and fields, and organize their implementation; and shall guide the operators of critical information infrastructure in their respective industries and fields (hereinafter referred to as "operators") in carrying out support work such as commercial-cryptography-related systems, personnel and funding. A protection department shall, before March 31 each year, report to the national cryptography administration department, the national cyberspace administration department and the public security department of the State Council on the administration of the use of commercial cryptography in critical information infrastructure in its industry and field for the previous year. Where a major cybersecurity incident involving commercial cryptography occurs in critical information infrastructure, or a major cybersecurity threat involving commercial cryptography is discovered, the protection department shall promptly report to the national cryptography administration department, the national cyberspace administration department and the public security department of the State Council, guide the operator in carrying out emergency response, and, where necessary, conduct a commercial-cryptography application security assessment. **Article 5.** Operators shall, in accordance with the relevant laws, administrative regulations and the relevant provisions of the State, and following the requirements of the systems for the administration of national commercial cryptography, cybersecurity multi-level protection, and the security protection of critical information infrastructure, use commercial cryptography to protect critical information infrastructure, plan, build and operate commercial-cryptography assurance systems concurrently, and regularly carry out commercial-cryptography application security assessments. Operators shall, before January 31 each year, report to the protection department to which they belong on the use of commercial cryptography in critical information infrastructure and the conduct of commercial-cryptography application security assessments for the previous year. **Article 6.** Operators shall strengthen the system safeguards for the use of commercial cryptography in critical information infrastructure, and establish systems for the administration of the use of commercial cryptography in critical information infrastructure, such as systems for the use of commercial cryptography, emergency response, and the reporting of major incidents. The principal person in charge of an operator shall bear overall responsibility for the administration of the use of commercial cryptography in critical information infrastructure, and shall be responsible for the use of commercial cryptography in critical information infrastructure and the handling of major cybersecurity incidents involving commercial cryptography. **Article 7.** Operators shall strengthen the personnel safeguards for the use of commercial cryptography in critical information infrastructure, and shall assign professionals who have obtained academic qualifications related to cryptography or national vocational-skill-level certification related to cryptography to respectively assume the duties of key administrators and cipher operators, and assign personnel with professional capabilities in security auditing to assume the duties of cipher security auditors. Operators shall conduct security-background checks on cryptography-related professionals, and shall regularly organize them to participate in cryptography-related professional-skills training, so as to improve the commercial-cryptography use capabilities of cryptography-related professionals. **Article 8.** Operators shall strengthen the funding safeguards for the use of commercial cryptography in critical information infrastructure and for application security assessments, and shall incorporate the funds for the use of commercial cryptography and for application security assessments into the arrangements for cybersecurity and informatization funds. **Article 9.** The commercial-cryptography products and services used in critical information infrastructure shall have passed testing and certification, and the commercial-cryptography technologies used, such as cryptographic algorithms, cryptographic protocols and key management mechanisms, shall have passed the review and appraisal of the national cryptography administration department. Where an operator procures network products and services involving commercial cryptography that affect or may affect national security, it shall undergo a cybersecurity review in accordance with the Cybersecurity Review Measures. **Article 10.** Critical information infrastructure shall, in accordance with the relevant requirements of the State for data security protection and personal information protection, use commercial cryptography to protect the core data, important data and personal information that it stores, uses and transmits. **Article 11.** At the planning stage of critical information infrastructure, the operator shall, in accordance with the relevant laws, administrative regulations and standards and specifications, and based on the demand for commercial-cryptography application, formulate a commercial-cryptography application plan, plan a commercial-cryptography assurance system and incorporate it into the security plan for critical information infrastructure for overall deployment. The operator shall, on its own or by entrusting a commercial-cryptography testing institution, conduct a commercial-cryptography application security assessment of the commercial-cryptography application plan. A commercial-cryptography application plan that has not passed the commercial-cryptography application security assessment shall not be used as the basis for constructing the commercial-cryptography assurance system. **Article 12.** At the construction stage of critical information infrastructure, the operator shall organize implementation in accordance with the commercial-cryptography application plan that has passed the commercial-cryptography application security assessment, implement commercial-cryptography security protection measures, and construct the commercial-cryptography assurance system. Where it is necessary to adjust the commercial-cryptography application plan during the construction process, the commercial-cryptography application security assessment shall be conducted again, and only after passing the assessment may construction continue in accordance with the adjusted commercial-cryptography application plan. Before critical information infrastructure goes into operation, the operator shall, on its own or by entrusting a commercial-cryptography testing institution, conduct a commercial-cryptography application security assessment. Where the critical information infrastructure has not passed the commercial-cryptography application security assessment, the operator shall carry out rectification, and shall not put it into operation during the rectification period. **Article 13.** After critical information infrastructure has been built and put into operation, the operator shall, on its own or by entrusting a commercial-cryptography testing institution, conduct a commercial-cryptography application security assessment at least once a year, so as to ensure the correct use of commercial cryptography in the critical information infrastructure and the effective operation of the commercial-cryptography assurance system. Where the critical information infrastructure has not passed the commercial-cryptography application security assessment, the operator shall carry out rectification, and shall take necessary measures during the rectification period to ensure the operational security of the critical information infrastructure. **Article 14.** For critical information infrastructure that is under construction before the implementation of these Provisions, the operator shall strengthen the preparation and demonstration of the commercial-cryptography application plan, build and improve the commercial-cryptography assurance system, and conduct a commercial-cryptography application security assessment in accordance with Article 12 of these Provisions. For critical information infrastructure that has been put into operation before the implementation of these Provisions, the operator shall conduct a commercial-cryptography application security assessment in accordance with Article 13 of these Provisions. **Article 15.** The conduct of commercial-cryptography application security assessments for critical information infrastructure shall comply with the relevant provisions of the Measures for the Administration of Commercial-Cryptography Application Security Assessments. Commercial-cryptography application security assessments for critical information infrastructure shall be more closely linked with the security testing and assessment of critical information infrastructure and with cybersecurity multi-level protection evaluation, so as to avoid duplicate assessment and evaluation. **Article 16.** The national cryptography administration department shall be responsible for the construction and management of the national infrastructure for the operational security management of commercial cryptography in critical information infrastructure, shall coordinate protection departments in constructing infrastructure for the operational security management of commercial cryptography in critical information infrastructure in their respective industries and fields, shall, in conjunction with the national cyberspace administration department and the public security department of the State Council, analyze and assess the operational security posture of commercial cryptography in critical information infrastructure, and shall coordinate the response to and disposal of major commercial-cryptography operational security threats. **Article 17.** Cryptography administration departments shall regularly organize supervision and inspection of the use of commercial cryptography in critical information infrastructure. Protection departments shall regularly inspect the use of commercial cryptography in critical information infrastructure in their respective industries and fields and put forward improvement measures, and may, where necessary, conduct commercial-cryptography application security assessments on their own or by entrusting professional institutions such as commercial-cryptography testing institutions. Operators shall cooperate with the supervision and inspection of the use of commercial cryptography in critical information infrastructure conducted by cryptography administration departments and protection departments, promptly carry out rectification in accordance with the supervision and inspection opinions and report the rectification to the protection department, and the protection department shall report the rectification to the national cryptography administration department. The conduct of supervision and inspection of the use of commercial cryptography in critical information infrastructure shall strengthen coordination, cooperation and information communication, so as to avoid unnecessary inspections and cross or duplicate inspections. No fees shall be charged for supervision and inspection, and no entity under supervision and inspection shall be required to purchase or use commercial-cryptography products or services of a designated entity or brand. **Article 18.** Cryptography administration departments, relevant departments, commercial-cryptography testing institutions and their staff shall bear confidentiality obligations with respect to the State secrets, trade secrets and personal privacy that come to their knowledge in the performance of their duties, and shall not divulge them or illegally provide them to others. **Article 19.** Where an operator violates the relevant provisions of the Cryptography Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Regulations on the Administration of Commercial Cryptography, the Regulations on the Security Protection of Critical Information Infrastructure or these Provisions, and falls under any of the following circumstances, the cryptography administration department shall order corrections and give a warning; where the operator refuses to make corrections or where there are other serious circumstances, a fine of not less than RMB 100,000 but not more than RMB 1,000,000 shall be imposed, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person directly in charge: (I) failing to use commercial cryptography to protect critical information infrastructure as required, or failing to plan, build and operate the commercial-cryptography assurance system concurrently; (II) the commercial-cryptography products and services used in critical information infrastructure have not passed testing and certification; (III) the commercial-cryptography technologies used in critical information infrastructure, such as cryptographic algorithms, cryptographic protocols and key management mechanisms, have not passed the review and appraisal of the national cryptography administration department; (IV) failing, at the planning stage of critical information infrastructure, to formulate a commercial-cryptography application plan, or failing to conduct a commercial-cryptography application security assessment of the commercial-cryptography application plan; (V) failing, at the construction stage of critical information infrastructure, to construct the commercial-cryptography assurance system in accordance with the commercial-cryptography application plan that has passed the commercial-cryptography application security assessment; (VI) failing, before critical information infrastructure goes into operation, to conduct a commercial-cryptography application security assessment, or failing to pass the commercial-cryptography application security assessment and failing to carry out rectification; or (VII) failing, after critical information infrastructure has been built and put into operation, to regularly conduct commercial-cryptography application security assessments, or failing to pass the regularly conducted commercial-cryptography application security assessment and failing to carry out rectification. **Article 20.** Where an operator violates the relevant provisions of the Cryptography Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Regulations on the Administration of Commercial Cryptography, the Regulations on the Security Protection of Critical Information Infrastructure and Article 9 of these Provisions by using network products or services involving commercial cryptography that have not undergone security review or have not passed security review, the relevant competent department shall order the cessation of use, impose a fine of not less than one time but not more than ten times the procurement amount, and impose a fine of not less than RMB 10,000 but not more than RMB 100,000 on the person directly in charge and other directly responsible persons. **Article 21.** Where an operator violates the relevant provisions of the Cryptography Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Regulations on the Administration of Commercial Cryptography, the Regulations on the Security Protection of Critical Information Infrastructure and Article 17 of these Provisions by refusing, without justified reason, to accept or cooperate with, or by interfering with or obstructing, the supervision and administration of commercial cryptography by cryptography administration departments or relevant departments, the cryptography administration department or relevant department shall order corrections and give a warning; where the operator refuses to make corrections or where there are other serious circumstances, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person directly in charge and other directly responsible persons; where the circumstances are particularly serious, the operator shall be ordered to suspend business for rectification. **Article 22.** Where an operator violates these Provisions and falls under any of the following circumstances, the cryptography administration department or relevant department shall, in accordance with its duties, order corrections: (I) failing to report, as required, the use of commercial cryptography in critical information infrastructure and the conduct of commercial-cryptography application security assessments for the previous year; (II) failing to establish a system for the administration of the use of commercial cryptography in critical information infrastructure; (III) failing to assign key administrators, cipher operators and cipher security auditors as required; or (IV) failing to safeguard the funds for the use of commercial cryptography in critical information infrastructure and for application security assessments. **Article 23.** Where personnel engaged in the supervision and administration of the use of commercial cryptography in critical information infrastructure abuse their power, neglect their duties, engage in malpractice for personal gain, or divulge or illegally provide to others trade secrets, personal privacy or whistleblower information that comes to their knowledge in the performance of their duties, they shall be given sanctions in accordance with the law. **Article 24.** For the administration of the use of commercial cryptography in critical information infrastructure that is a national government affairs information system, in addition to complying with these Provisions, the relevant requirements of the Measures for the Administration of the Construction of National Government Affairs Informatization Projects (Guo Ban Fa [2019] No. 57) and other relevant provisions shall also be complied with. **Article 25.** These Provisions shall come into force as of August 1, 2025. --- ## Announcement on the Implementation of Personal Information Protection Certification - Chinese title: 关于实施个人信息保护认证的公告 - Abbreviation: PI Certification Announcement - Hierarchy: rule - Issuing body: State Administration for Market Regulation (SAMR) and Cyberspace Administration of China (CAC) - Adopted: 2022-11-04 - Effective: 2022-11-04 - Status: effective - URL: https://datacompliancechina.com/laws/pi-protection-certification-announcement/ - Markdown: https://datacompliancechina.com/laws/pi-protection-certification-announcement.md - Source URL: https://www.cac.gov.cn/2022-11/18/c_1670399936658129.htm ### Summary The November 2022 joint announcement by SAMR and CAC (Announcement No. 37 of 2022) formally launched the Personal Information Protection Certification scheme, designating approved certification bodies to conduct certification activities in accordance with the Implementation Rules for Personal Information Protection Certification and, for cross-border processing activities, the TC260 standard TC260-PG-20222A. Participation is voluntary: the announcement encourages personal information handlers to obtain certification as a means of demonstrating and improving their personal information protection capabilities. The announcement is short — one operative paragraph — and works in tandem with the accompanying Implementation Rules (attached to the announcement) and the subsequently issued Measures for the Certification of the Cross-border Provision of Personal Information (2026). For overseas counsel, the scheme provides a third compliance pathway alongside the Security Assessment and the Standard Contract for cross-border transfers of personal information. ### Full text **Promulgated jointly by:** State Administration for Market Regulation (SAMR) and Cyberspace Administration of China (CAC). **Document No.:** Announcement No. 37 of 2022 of the State Administration for Market Regulation and the Cyberspace Administration of China. **Adopted and promulgated on November 4, 2022. Effective November 4, 2022.** --- In order to implement the relevant provisions of the Personal Information Protection Law of the People's Republic of China, to regulate personal information processing activities, and to promote the reasonable use of personal information, and pursuant to the Regulations of the People's Republic of China on Certification and Accreditation, the State Administration for Market Regulation and the Cyberspace Administration of China have decided to implement Personal Information Protection Certification, and encourage personal information handlers to enhance their personal information protection capabilities through certification. Certification bodies engaged in Personal Information Protection Certification work shall, after obtaining approval, carry out the relevant certification activities, and shall implement certification in accordance with the Implementation Rules for Personal Information Protection Certification (see Annex). This announcement is hereby issued. --- ## Measures for Artificial Intelligence Meteorological Application Services - Chinese title: 人工智能气象应用服务办法 - Abbreviation: AI Meteorological Services Measures - Hierarchy: rule - Issuing body: China Meteorological Administration; Cyberspace Administration of China - Adopted: 2025-04-23 - Effective: 2025-06-01 - Status: effective - URL: https://datacompliancechina.com/laws/ai-meteorological-services-measures/ - Markdown: https://datacompliancechina.com/laws/ai-meteorological-services-measures.md ### Summary Departmental rule (China Meteorological Administration / CAC Order No. 45) regulating the provision of meteorological application services using artificial intelligence. It establishes inclusive-prudential and tiered-classified supervision, sets out support-and-promotion measures (AI–meteorology fusion, basic databases and themed datasets, computing-power infrastructure, standards and talent), and imposes service norms: providers must obtain meteorological data through lawful channels carrying a meteorological-data identity tag, add AI-generated-content labels, and may not publish to the public weather forecasts, severe-weather warnings or meteorological-disaster early-warning signals other than those issued by meteorological-authority stations. It also requires algorithm filing and security assessment for services with public-opinion or social-mobilization capacity, and addresses data security, cross-border data transfer and penalties (fines up to RMB 50,000). Effective June 1, 2025. ### Full text **Promulgated by:** China Meteorological Administration; Cyberspace Administration of China. **Document No.:** Order of the China Meteorological Administration and the Cyberspace Administration of China No. 45. **Promulgated on April 23, 2025. Effective June 1, 2025.** --- ## Chapter 1 General Provisions **Article 1.** These Measures are formulated pursuant to the Meteorology Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Regulations on the Administration of Network Data Security and other relevant laws and regulations, and in light of the actual conditions of the meteorological industry, in order to encourage and promote the sound and orderly development of artificial intelligence meteorological application services, regulate artificial intelligence meteorological application services, and establish order in artificial intelligence meteorological application services. **Article 2.** These Measures shall apply to the use of artificial intelligence technologies to carry out meteorological application services within the territory of the People's Republic of China and in other sea areas under the jurisdiction of the People's Republic of China. A provider of artificial intelligence meteorological application services (hereinafter referred to as a "provider") means a citizen, legal person or other organization that uses artificial intelligence technologies to provide meteorological application services. **Article 3.** The development of artificial intelligence meteorological application shall adhere to the overall national security concept, coordinate development and security, adhere to the combination of promoting innovation and law-based governance, and implement inclusive and prudential and tiered and classified supervision over artificial intelligence meteorological application services. The provision of artificial intelligence meteorological application services shall comply with laws and administrative regulations, respect social morality and ethics, follow the core socialist values, respect intellectual property rights, and shall not generate content prohibited by laws and administrative regulations, such as content that endangers national security and interests or false and harmful information. **Article 4.** The meteorological authority of the State Council shall be responsible for guiding, supervising and administering the work of artificial intelligence meteorological application services throughout the country, and shall establish a work coordination mechanism in the field of artificial intelligence meteorological application services. The national cyberspace administration department shall, within the scope of its duties, be responsible for the relevant administrative work in accordance with the law. The meteorological authorities of provinces, autonomous regions and municipalities directly under the Central Government shall, under the leadership of the higher-level meteorological authority and the people's government at the same level, be responsible for supervising and administering the work of artificial intelligence meteorological application services within their respective administrative regions. Local cyberspace administration departments shall, within the scope of their duties, be responsible for the relevant administrative work within their respective administrative regions in accordance with the law. **Article 5.** Providers are encouraged to join meteorological industry organizations. Meteorological industry organizations shall strengthen industry self-discipline, promote the application of advanced technologies, organize personnel training, and enhance the overall level of the artificial intelligence meteorological application services industry. **Article 6.** The meteorological authority of the State Council shall participate in the development and governance of artificial intelligence application services in the international meteorological field, actively carry out international cooperation and exchanges on an equal and mutually beneficial basis, and promote participation in the formulation of international rules and standards relating to artificial intelligence meteorological application services. ## Chapter 2 Support and Promotion **Article 7.** Meteorological authorities shall strengthen the in-depth integration and application of artificial intelligence with such fields as meteorological monitoring and early warning, forecasting and prediction, and numerical weather prediction, and advance the in-depth development of artificial intelligence meteorological data, algorithms and computing power. Meteorological authorities shall promote the application of artificial intelligence in meteorological service fields such as tourism, energy, transportation and finance, and build application service scenarios for artificial intelligence meteorological services. **Article 8.** The meteorological authority of the State Council shall build basic databases and themed datasets for artificial intelligence in the meteorological field, and shall, in accordance with the law, promote the tiered and classified opening, sharing and circulation of data elements. The meteorological authority of the State Council shall match a meteorological-data identity tag to data elements that enter the stage of opening, sharing and circulation. A meteorological-data identity tag shall contain basic information such as the source of the meteorological data, the provider, the content provided, the recipient, the period of use, and the scope of use. **Article 9.** The meteorological authority of the State Council shall, as needed, advance the construction of computing-power infrastructure in the field of artificial intelligence meteorological application services, encourage and support innovation in algorithm models in the field of artificial intelligence meteorological application services, and accelerate the research, development and promotion of application-service-oriented algorithm models. **Article 10.** Meteorological authorities shall establish and improve platforms for connection and exchange among scientific research institutes, institutions of higher learning and enterprises, strengthen the in-depth integration of industry, academia, research and application in the field of artificial intelligence meteorological application services, and build a collaborative innovation mechanism for artificial intelligence meteorological application services. **Article 11.** The meteorological authority of the State Council shall establish and improve a mechanism for transforming the achievements of artificial intelligence meteorological application services, improve the intellectual property protection mechanism in the field of artificial intelligence meteorological application services, and protect, in accordance with the law, intellectual property rights such as software works and trade secrets of artificial intelligence meteorological application services. **Article 12.** Meteorological authorities shall, jointly with scientific research institutes, institutions of higher learning and enterprises, jointly build training bases for artificial intelligence meteorological application services talents, improve the talent evaluation and reward mechanism, and optimize the development environment for artificial intelligence meteorological application services talents. **Article 13.** The meteorological authority of the State Council shall advance the development of standards relating to artificial intelligence meteorological application services, and encourage and support providers, institutions of higher learning, scientific research institutions, enterprises and other organizations to participate in standard-setting. **Article 14.** The meteorological authority of the State Council shall establish a quality evaluation mechanism for artificial intelligence meteorological application algorithms and models, carry out demonstrations of artificial intelligence meteorological application, promote the transformation, access and application of artificial intelligence in the meteorological business field, and encourage the opening of application scenarios for artificial intelligence meteorological services. ## Chapter 3 Service Norms **Article 15.** Providers that are legal persons or other organizations engaged in meteorological information service activities shall, in accordance with the provisions of the Measures for the Administration of Meteorological Information Services, file with the meteorological authority of the province, autonomous region or municipality directly under the Central Government where their business license is registered, and accept its supervision and administration. A provider that provides artificial intelligence meteorological application services with public-opinion attributes or social-mobilization capacity shall carry out algorithm filing and security assessment in accordance with the relevant provisions of the State. **Article 16.** Providers shall obtain, through lawful channels, meteorological data tagged with the corresponding meteorological-data identity tag, and shall not steal or obtain meteorological data by other illegal means. Providers shall, in accordance with the relevant provisions of the State, add labels for artificial-intelligence-generated and synthesized content, ensure the readability and security of the labels, and establish an information traceability mechanism. Providers shall, based on the characteristics of the type of application service, take effective measures to enhance the transparency of artificial intelligence meteorological application services and improve the accuracy and reliability of the content of the application services. **Article 17.** Providers shall, in accordance with the law, establish and improve management systems and technical measures for algorithm security review, network security, data security, information-publication review and the like, so as to ensure that artificial intelligence meteorological application services are secure, stable and continuous. Providers shall carry out full-life-cycle risk management and control over artificial intelligence meteorological application services, conduct security assessment and quality evaluation, and take necessary measures to prevent and control risks. **Article 18.** Providers shall set up complaint and reporting portals. Where a user finds that an artificial intelligence meteorological application service involves illegal conduct or security risks, the user has the right to give feedback through the complaint and reporting portal, and the provider shall promptly accept and handle it. **Article 19.** Providers shall not publish or disseminate to the public the public weather forecasts, severe-weather warnings and meteorological-disaster early-warning signals provided by meteorological stations not affiliated with meteorological authorities. Providers are encouraged to provide the meteorological forecast opinions and conclusions formed through their research to the meteorological stations affiliated with meteorological authorities for reference in making meteorological forecasts. ## Chapter 4 Supervision and Administration **Article 20.** Meteorological authorities may, through measures such as guidance and interviews, promote the lawful provision of artificial intelligence meteorological application services by citizens, legal persons and other organizations. **Article 21.** Meteorological authorities may enter the sites of relevant application services to carry out supervision and inspection, and have the right to require providers to provide meteorological-data identity tags. The staff of meteorological authorities shall, in accordance with the law, keep confidential the State secrets, trade secrets, personal privacy and personal information that come to their knowledge in the performance of their duties, and shall not divulge them or illegally provide them to others. **Article 22.** Meteorological authorities shall, jointly with the cyberspace administration and other relevant departments, carry out data security supervision in the field of artificial intelligence meteorological application services. Where it is found that data processing activities involve relatively high security risks, the relevant meteorological authority shall, in accordance with the law, conduct an interview with the relevant citizens, legal persons and other organizations, and require them to take measures to carry out rectification and eliminate hidden dangers. **Article 23.** Where artificial intelligence meteorological application services involve the cross-border transfer of data, they shall comply with the relevant provisions of laws, administrative regulations and the national cyberspace administration department. Where artificial intelligence meteorological application services involve national security or State secrets, they shall comply with the laws, regulations, rules and relevant provisions on national security and confidentiality. **Article 24.** Any organization or individual that finds conduct in violation of these Measures may lodge a complaint or report with the meteorological authority. **Article 25.** Where a provider of artificial intelligence meteorological application services commits a first-time violation with minor harmful consequences and makes corrections in a timely manner, no administrative penalty may be imposed. **Article 26.** Where any of the following acts is committed in violation of the provisions of these Measures, the relevant meteorological authority shall, in accordance with its duties, order corrections, give a warning, and may impose a fine of not more than RMB 50,000: (I) illegally publishing to the public weather forecasts, severe-weather warnings or meteorological-disaster early-warning signals; or (II) disseminating severe-weather information and meteorological-disaster situation information obtained through illegal channels. **Article 27.** Where a relevant competent department or its staff fails to perform the supervision and inspection duties prescribed in these Measures in accordance with the law, the higher-level administrative organ shall order corrections and give sanctions in accordance with the law; where a crime is constituted, criminal liability shall be pursued in accordance with the law. **Article 28.** Where a meteorological authority, the cyberspace administration or another relevant competent department finds other illegal conduct in artificial intelligence meteorological application services, it shall, within the scope of its duties, handle the matter in accordance with the provisions of the relevant laws and regulations. ## Chapter 5 Supplementary Provisions **Article 29.** These Measures shall come into force as of June 1, 2025. --- ## Interim Measures for the Data Security Management of Accounting Firms - Chinese title: 会计师事务所数据安全管理暂行办法 - Abbreviation: Accounting Firms Data Security Measures - Hierarchy: rule - Issuing body: Ministry of Finance; Cyberspace Administration of China - Adopted: 2024-04-15 - Effective: 2024-10-01 - Status: effective - URL: https://datacompliancechina.com/laws/accounting-firms-data-security-measures/ - Markdown: https://datacompliancechina.com/laws/accounting-firms-data-security-measures.md ### Summary Departmental normative document (Cai Kuai [2024] No. 6) issued by the Ministry of Finance and the Cyberspace Administration of China governing data-processing activities by accounting firms in audit engagements. It applies to firms auditing listed companies, state-owned financial institutions and central enterprises, CII operators and large online-platform operators (over one million users), and overseas-listing engagements, as well as any engagement involving important or core data. It requires full-life-cycle data security management, data classification and grading, least-privilege access controls, domestic storage of audit working papers (with domestic encryption equipment and key storage), prohibitions on clauses providing domestic project data to overseas regulators, and compliance with cross-border data transfer rules. The chief partner is designated as the firm's data security officer. Effective October 1, 2024. ### Full text **Promulgated by:** Ministry of Finance; Cyberspace Administration of China. **Document No.:** Cai Kuai [2024] No. 6. **Issued on April 15, 2024. Effective October 1, 2024.** --- ## Chapter 1 General Provisions **Article 1.** These Measures are formulated pursuant to the Law of the People's Republic of China on Certified Public Accountants, the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and other laws and regulations, in order to safeguard the data security of accounting firms and regulate the data-processing activities of accounting firms. **Article 2.** These Measures shall apply to accounting firms lawfully established within the territory of the People's Republic of China that carry out data-processing activities relating to the following audit engagements: (I) providing audit services to listed companies and to non-listed state-owned financial institutions, central enterprises and the like; (II) providing audit services to operators of critical information infrastructure or to operators of network platforms with more than 1 million users; or (III) providing audit services for the overseas listing of domestic enterprises. Where an audit engagement undertaken by an accounting firm does not fall within the scope prescribed in the preceding paragraph but involves important data or core data, these Measures shall apply. **Article 3.** For the purposes of these Measures, "data" means any record of information, in electronic or other forms, that an accounting firm obtains externally or generates internally in the course of performing audit engagements. "Data security" means, by taking necessary measures, ensuring that data is in a state of effective protection and lawful utilization, and the capacity to ensure a state of continuous security. **Article 4.** An accounting firm shall bear the principal responsibility for the data security of the firm and perform data security protection obligations. **Article 5.** The Ministry of Finance shall be responsible for the supervision of the data security of accounting firms throughout the country. Provincial-level (including Shenzhen Municipality and the Xinjiang Production and Construction Corps) finance departments shall be responsible for the supervision of the data security of accounting firms within their respective administrative regions. **Article 6.** The Institute of Certified Public Accountants shall strengthen industry self-discipline, guide accounting firms in strengthening data security protection, and improve the level of data security management. ## Chapter 2 Data Management **Article 7.** An accounting firm shall perform the firm's data security management responsibilities in the following aspects: (I) establishing and improving a full-life-cycle data security management system, and improving the data operation and control mechanism; (II) improving the organizational structure for data security management, and clarifying the mechanism of rights and responsibilities for data security management; (III) implementing data classification and grading management commensurate with the characteristics of its business; (IV) establishing a data-permission management strategy, setting data access and processing permissions in accordance with the principle of least authorization, periodically reviewing them, and retaining data access records in accordance with the relevant provisions; (V) organizing and carrying out data security education and training; and (VI) other matters prescribed by laws and regulations. **Article 8.** The chief partner (chief accountant) of an accounting firm is the firm's data security officer. **Article 9.** An accounting firm shall, in accordance with the provisions of laws and administrative regulations and the data classification and grading standards of the industry in which the audited entity operates, determine core data, important data and general data. The accounting firm and the audited entity shall, through means such as engagement letters and confirmation letters, clarify the nature, content and scope of the core data and important data in the audit materials. **Article 10.** The storage and processing by an accounting firm of core data and important data shall comply with the relevant provisions of the State. Information systems storing core data shall implement the requirements of Level-4 cybersecurity multi-level protection. Information systems storing important data shall implement the requirements of Level-3 or above cybersecurity multi-level protection. Where data, after aggregation and association, constitutes a matter of State secret, it shall be handled in accordance with the laws and administrative regulations on guarding State secrets. **Article 11.** An accounting firm shall set up and enable an access-log recording function for the information systems, databases, network devices, network security devices and the like relating to audit engagements. Where core data is involved, the relevant logs shall be retained for no less than three years. Where important data is involved, the relevant logs shall be retained for no less than one year; where the provision to others, entrusted processing, or joint processing of important data is involved, the relevant logs shall be retained for no less than three years. **Article 12.** An accounting firm shall specify operating procedures for data transmission. Encryption technologies shall be used in the transmission of core data and important data to protect transmission security. **Article 13.** Audit working papers shall be stored within the territory in accordance with laws, administrative regulations and the relevant provisions of the State. The relevant encryption equipment shall be set up within the territory and operated and maintained by a domestic team, and the keys shall be stored within the territory. **Article 14.** An accounting firm shall establish a data backup system. An accounting firm shall ensure that, where the audit-related application system is suspended from use or restricted in use due to external technical reasons, it can still access, retrieve and use the relevant audit working papers. **Article 15.** An accounting firm shall not include in an engagement letter or similar contract any clause to the effect that the accounting firm provides the data of domestic project materials to overseas regulatory authorities. **Article 16.** An accounting firm shall adopt technical means such as network isolation, user authentication, access control, data encryption, virus prevention, and illegal-intrusion detection to promptly identify, block and trace the source of relevant network attacks and illegal access, so as to safeguard data security. **Article 17.** An accounting firm shall establish a data security emergency-response mechanism and strengthen data security risk monitoring. Where risks such as data leakage or security vulnerabilities are discovered, the firm shall immediately take remedial and disposal measures. Where a major data security incident occurs that results in the leakage, loss, theft or tampering of core data or important data, the firm shall promptly report to the relevant competent department. **Article 18.** Where an accounting firm provides overseas the personal information and important data that it collects and generates in its domestic operations, it shall comply with the relevant provisions of the State on the cross-border transfer of data. **Article 19.** An accounting firm shall establish a level-by-level review mechanism for matters concerning the cross-border transfer of audit working papers, and take necessary measures to strictly implement the responsibility for data security control. For audit working papers that need to be transferred across the border, the firm shall go through the approval formalities in accordance with the relevant provisions of the State. ## Chapter 3 Network Management **Article 20.** An accounting firm shall establish a sound network security management and governance structure, establish and improve an internal network security management system, and establish internal mechanisms for decision-making, management, execution and supervision, so as to ensure that its network security management capacity is commensurate with the professional services it provides and to provide a secure network environment for data security management. **Article 21.** An accounting firm shall, in accordance with the scale and complexity of its business activities, deploy network management technical personnel with corresponding professional skill levels, and ensure reasonable input of network resources and funds. **Article 22.** An accounting firm shall properly carry out information-system security management and technical protection, take measures such as physical or logical isolation of the network according to the level of the data stored and processed, set strict access-control strategies, and prevent unauthorized access. **Article 23.** An accounting firm shall have independent management authority over the network devices and network security devices in its audit business systems, uniformly set up and maintain system-administrator accounts and staff accounts, shall not set up unrestricted and unmonitored super accounts, and shall not hand over administrator accounts to a third-party operation-and-maintenance institution for management and use. Where an accounting firm that has joined an international network uses the information systems of the international network to which it belongs, it shall take necessary measures to make them comply with the State's data security laws and administrative regulations and the provisions of these Measures, so as to ensure the firm's data security. ## Chapter 4 Supervision and Inspection **Article 24.** The Ministry of Finance and provincial-level finance departments (hereinafter collectively referred to as "finance departments at or above the provincial level") shall strengthen information sharing on the supervision of the data security of accounting firms with the cyberspace administration departments, public security organs and State security organs at the same level. **Article 25.** Finance departments at or above the provincial level and cyberspace administration departments at or above the provincial level shall carry out supervision and inspection of the data security of accounting firms. Public security organs and State security organs shall, in accordance with the law and within the scope of their duties, undertake the responsibility for supervising the data security of accounting firms. **Article 26.** For accounting firms that undertake audit engagements in important fields such as finance, energy, telecommunications, transportation, science and technology, and national defense science, technology and industry, and that fall within the scope prescribed in Article 2 of these Measures, finance departments at or above the provincial level shall give priority attention in supervision and inspection and continuously strengthen routine supervision. **Article 27.** An accounting firm shall cooperate with data security supervision and inspection lawfully carried out, and shall not refuse, delay or obstruct it. **Article 28.** Where an accounting firm carries out data-processing activities that affect or may affect national security, it shall undergo a security review in accordance with the national security review mechanism. **Article 29.** Where a relevant department, in the course of performing its data security supervision duties, finds that an accounting firm's data-processing activities involve relatively high security risks, it may take supervisory measures against the accounting firm and the persons responsible, such as interviews and ordering rectification within a time limit, so as to eliminate hidden dangers. **Article 30.** Where an accounting firm and relevant personnel violate the provisions of these Measures, they shall be dealt with and punished in accordance with the provisions of the Law of the People's Republic of China on Certified Public Accountants, the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and other laws and administrative regulations; where the matter involves the duties and powers of other departments, it shall be transferred to the relevant competent department for handling in accordance with the law; where a crime is constituted, the matter shall be transferred to the judicial organ for pursuit of criminal liability in accordance with the law. **Article 31.** Where the staff of a relevant department neglect their duties, abuse their power, or engage in malpractice for personal gain in the course of performing the duty of supervising the data security of accounting firms, legal liability shall be pursued in accordance with the law. ## Chapter 5 Supplementary Provisions **Article 32.** Where an accounting firm and relevant personnel carry out data-processing activities involving State secrets, the provisions of the Law of the People's Republic of China on Guarding State Secrets and other laws and administrative regulations shall apply. **Article 33.** Where an accounting firm and relevant personnel carry out other data-processing activities involving personal information, they shall comply with the provisions of the relevant laws and administrative regulations. **Article 34.** An accounting firm may, by reference to these Measures, strengthen the management of data relating to non-audit business. **Article 35.** These Measures shall be interpreted by the Ministry of Finance and the Cyberspace Administration of China. **Article 36.** These Measures shall come into force as of October 1, 2024. --- ## Provisions on Protecting the Personal Information of Telecommunications and Internet Users - Chinese title: 电信和互联网用户个人信息保护规定 - Abbreviation: Telecom & Internet User PI Provisions - Hierarchy: rule - Issuing body: Ministry of Industry and Information Technology (MIIT) - Adopted: 2013-07-16 - Effective: 2013-09-01 - Status: effective - URL: https://datacompliancechina.com/laws/telecom-internet-user-pi-protection-provisions/ - Markdown: https://datacompliancechina.com/laws/telecom-internet-user-pi-protection-provisions.md - Source URL: https://www.gov.cn/zhengce/2022-08/23/content_5722717.htm ### Summary Issued by the Ministry of Industry and Information Technology (MIIT) in July 2013 and effective 1 September 2013, these Provisions are the principal sector-specific rule governing the collection and use of users' personal information by telecommunications business operators and internet information service providers operating in China. They establish consent and notice requirements before collection, data-minimisation and purpose-limitation duties, strict confidentiality obligations, mandatory security safeguards (including access controls, breach reporting, annual self-audits, and staff training), and a two-tier penalty regime enforced by MIIT and its provincial communications-administration bureaus. Predating the Personal Information Protection Law (PIPL) by eight years, the Provisions remain in force as a sectoral antecedent and continue to bind telecom and ISP licensees directly through the licence-review process; overseas counsel advising clients who hold or apply for Chinese ICP or telecom value-added service licences must treat these Provisions as the operative data-protection floor alongside PIPL. ### Full text **Promulgated by:** Ministry of Industry and Information Technology of the People's Republic of China. **Document No.:** Order of the Ministry of Industry and Information Technology No. 24. **Adopted at the 2nd Ministerial Affairs Meeting of the Ministry of Industry and Information Technology of the People's Republic of China on 28 June 2013. Promulgated on 16 July 2013. Effective 1 September 2013.** --- ## Chapter I — General Provisions **Article 1.** These Provisions are formulated in accordance with the Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection, the Telecommunications Regulations of the People's Republic of China, the Administrative Measures for Internet Information Services, and other laws and administrative regulations, in order to protect the lawful rights and interests of telecommunications and internet users and to maintain network information security. **Article 2.** These Provisions apply to activities involving the collection and use of users' personal information in the course of providing telecommunications services and internet information services within the territory of the People's Republic of China. **Article 3.** The Ministry of Industry and Information Technology and the communications administration bureaus of each province, autonomous region, and municipality directly under the Central Government (hereinafter collectively referred to as the "telecommunications administration authorities") shall exercise supervision and administration over the protection of the personal information of telecommunications and internet users in accordance with law. **Article 4.** For the purposes of these Provisions, "users' personal information" means information collected by telecommunications business operators and internet information service providers in the course of providing services that can identify a user individually or in combination with other information, including the user's name, date of birth, identity document number, residential address, telephone number, account number and password, and similar information, as well as information about the time and location of the user's use of services. **Article 5.** Telecommunications business operators and internet information service providers shall, in the course of providing services, collect and use users' personal information in accordance with the principles of lawfulness, legitimacy, and necessity. **Article 6.** Telecommunications business operators and internet information service providers shall be responsible for the security of users' personal information they collect and use in the course of providing services. **Article 7.** The State encourages the telecommunications and internet industry to carry out self-regulatory work on the protection of users' personal information. ## Chapter II — Rules for the Collection and Use of Information **Article 8.** Telecommunications business operators and internet information service providers shall formulate rules for the collection and use of users' personal information and shall make those rules public at their business or service premises, websites, and other locations. **Article 9.** Without the consent of a user, telecommunications business operators and internet information service providers shall not collect or use users' personal information. When collecting or using users' personal information, telecommunications business operators and internet information service providers shall clearly notify users of the purpose, method, and scope of the collection and use of information, the channels and methods for querying and correcting information, and the consequences of refusing to provide information, as well as other matters. Telecommunications business operators and internet information service providers shall not collect users' personal information beyond what is necessary for the services they provide, nor shall they use information for purposes other than providing those services; they shall not collect or use information through deception, misleading, coercion, or other means, or in violation of laws, administrative regulations, or the agreement between the parties. After a user ceases to use a telecommunications service or internet information service, the telecommunications business operator or internet information service provider shall cease collecting and using that user's personal information and shall provide the user with a service to cancel the user's number or account. Where laws or administrative regulations otherwise provide for the circumstances set out in the first through fourth paragraphs of this Article, those provisions shall prevail. **Article 10.** Telecommunications business operators, internet information service providers, and their employees shall strictly maintain the confidentiality of users' personal information collected and used in the course of providing services; they shall not disclose, tamper with, or destroy such information, and shall not sell it or provide it to third parties by unlawful means. **Article 11.** Where telecommunications business operators or internet information service providers entrust agents to carry out market sales and technical services and other service work directly facing users, involving the collection and use of users' personal information, they shall supervise and manage the agents' work on the protection of users' personal information; they shall not entrust agents who do not meet the requirements of these Provisions regarding the protection of users' personal information to perform the relevant services on their behalf. **Article 12.** Telecommunications business operators and internet information service providers shall establish a user-complaint handling mechanism, publicise effective contact information, accept complaints relating to the protection of users' personal information, and reply to complainants within fifteen days from the date of receipt of the complaint. ## Chapter III — Security Safeguard Measures **Article 13.** Telecommunications business operators and internet information service providers shall take the following measures to prevent the leakage, damage, tampering, or loss of users' personal information: (1) determining the responsibilities of each department, post, and branch for the security management of users' personal information; (2) establishing workflows and security management systems for the collection and use of users' personal information and related activities; (3) implementing permission management over employees and agents, subjecting bulk exports, copies, and destruction of information to review, and taking anti-leakage measures; (4) properly keeping paper, optical, and electromagnetic media and other carriers on which users' personal information is recorded, and adopting corresponding secure storage measures; (5) subjecting information systems that store users' personal information to access review, and adopting measures against intrusion, viruses, and similar threats; (6) recording information about the personnel, time, location, and matters involved in operations performed on users' personal information; (7) carrying out communications network security protection work in accordance with the requirements of the telecommunications administration authorities; and (8) other necessary measures prescribed by the telecommunications administration authorities. **Article 14.** Where users' personal information kept by telecommunications business operators or internet information service providers has been or may have been leaked, damaged, or lost, they shall immediately take remedial measures; where serious consequences have been or may be caused, they shall immediately report to the telecommunications administration authority that granted their licence or accepted their filing and shall cooperate with the relevant authorities in their investigation and handling of the matter. **Article 15.** Telecommunications business operators and internet information service providers shall provide their employees with training on the relevant knowledge, skills, and security responsibilities relating to the protection of users' personal information. **Article 16.** Telecommunications business operators and internet information service providers shall conduct a self-assessment of their protection of users' personal information at least once per year, shall record the results of the self-assessment, and shall promptly eliminate any security hazards identified in the self-assessment. ## Chapter IV — Supervision and Inspection **Article 17.** Telecommunications administration authorities shall exercise supervision and inspection over the protection of users' personal information by telecommunications business operators and internet information service providers. When conducting supervision and inspection, telecommunications administration authorities may require telecommunications business operators and internet information service providers to submit relevant materials and may enter their production and business premises to investigate the situation; telecommunications business operators and internet information service providers shall cooperate accordingly. Records shall be kept of the supervision and inspection; the normal business or service activities of telecommunications business operators and internet information service providers shall not be impeded; and no fees of any kind shall be charged. **Article 18.** Telecommunications administration authorities and their employees shall maintain the confidentiality of users' personal information that comes to their knowledge in the performance of their duties; they shall not disclose, tamper with, or destroy such information, and shall not sell it or provide it to third parties by unlawful means. **Article 19.** When telecommunications administration authorities grant telecommunications business licences or conduct annual inspections of telecommunications business licences, they shall review the protection of users' personal information. **Article 20.** Telecommunications administration authorities shall record violations by telecommunications business operators and internet information service providers of these Provisions in their social credit archives and shall make such records public. **Article 21.** The telecommunications and internet industry associations are encouraged to formulate self-regulatory management systems for the protection of users' personal information in accordance with law, to guide their members in strengthening self-regulatory management, and to raise the level of protection of users' personal information. ## Chapter V — Legal Liability **Article 22.** Where telecommunications business operators or internet information service providers violate Articles 8 or 12 of these Provisions, the telecommunications administration authorities shall, in accordance with their respective authority, order them to make corrections within a specified period, give them a warning, and may concurrently impose a fine of not more than ten thousand yuan. **Article 23.** Where telecommunications business operators or internet information service providers violate Articles 9 through 11, Articles 13 through 16, or the second paragraph of Article 17 of these Provisions, the telecommunications administration authorities shall, in accordance with their respective authority, order them to make corrections within a specified period, give them a warning, may concurrently impose a fine of not less than ten thousand yuan and not more than thirty thousand yuan, and shall make a public announcement; where a crime is constituted, criminal liability shall be pursued in accordance with law. **Article 24.** Where employees of a telecommunications administration authority engage in dereliction of duty, abuse of authority, or favouritism in the exercise of supervision and administration over the protection of users' personal information, they shall be dealt with in accordance with law; where a crime is constituted, criminal liability shall be pursued in accordance with law. ## Chapter VI — Supplementary Provisions **Article 25.** These Provisions shall come into force on 1 September 2013. --- ## Administrative Regulation for Public Security Video Image Information Systems - Chinese title: 公共安全视频图像信息系统管理条例 - Abbreviation: PVISR - Hierarchy: regulation - Issuing body: State Council - Adopted: 2024-12-16 - Effective: 2025-04-01 - Status: effective - URL: https://datacompliancechina.com/laws/public-security-video-image-system-regulations/ - Markdown: https://datacompliancechina.com/laws/public-security-video-image-system-regulations.md ### Summary The State Council's overarching regulation for public security video image information systems (公共安全视频系统) in public places. Distinguishes three operator types: government-led, public-private partnership, and private-led, and applies graduated obligations depending on the operator type. Implements PIPL Article 26 for video-image capture in public places, including filing obligations, mandatory signage, retention, and security duties. Read with the 2025 FRT Measures (Decree No. 19) for facial-recognition deployments. ### Full text **Promulgated by:** State Council. **Document No.:** Decree No. 799 of the State Council. **Adopted at the 48th executive meeting of the State Council on December 16, 2024. Promulgated January 13, 2025. Effective April 1, 2025.** Premier Li Qiang. --- **Article 1.** This Regulation is enacted in accordance with the relevant laws in order to regulate the administration of public security video image information systems, safeguard public security and protect personal privacy and personal information rights and interests. **Article 2.** For the purpose of this Regulation, the "public security video image information systems" (hereinafter referred to as "public security video systems") refer to systems that collect, transmit, display and store video image information in an area involving public security by installing image capturing equipment and other relevant facilities in public places. **Article 3.** The administration of public security video systems shall be conducted under the leadership of the Communist Party of China, and by implementing the guidelines, principles and policies as well as the decisions and arrangements of the Party and the State. The public security video systems shall be built and used in compliance with laws and regulations, by following the principles of overall planning, reasonableness and appropriateness, standard guidance, safety and controllability, and shall not endanger the state security or public interests or damage the legitimate rights and interests of individuals or organizations. **Article 4.** The State encourages and supports the technological innovation and development in the field of video images, establishes and improves the relevant standard system, supports the relevant industry organizations in strengthening self-regulation within the industry in accordance with the law and improves the ability to safeguard public security and protect personal information. **Article 5.** The public security department under the State Council is responsible for guiding, supervising and administering the building and use of public security video systems nationwide. Other relevant departments under the State Council are responsible for the relevant administration of the development and use of public security video systems within the scope of their respective duties. The public security organ of a local people's government at or above the county level is responsible for guiding, supervising and administering the building and use of public security video systems within its administrative area. Other relevant departments under the local people's government at or above the county level are responsible for the relevant administration of the building and use of public security video systems within the scope of their respective duties. **Article 6.** The local people's government at or above the county level shall strengthen the overall planning for the development of public security video systems and make full use of the existing resources to avoid repeated development. **Article 7.** A local people's government at or above the county level shall, according to the development plan, organize the relevant departments to develop public security video systems in such public places as major urban and rural road sections, boundaries of administrative areas, bridges, tunnels, underground passages, squares and surrounding areas of key public security entities and incorporate such systems into the administration of public infrastructure, and the development and maintenance expenses shall be included in the budget of the government at the corresponding level. The public security video systems involving public security in the following public places shall be developed by the entities which are responsible for operation and management of the corresponding places according to the relevant standards, and the key parts for installation of image capturing equipment shall be guided and determined by the relevant departments of the local people's government at or above the county level in accordance with the division of responsibilities: (1) trade centers, convention and exhibition centers, tourist attractions, culture, sports and entertainment venues, educational institutions, medical institutions, government service halls, parks, public parking lots and other places of public gathering; (2) exit and entry ports (passages), airports, passenger stations at ports, navigable buildings, railway passenger stations, bus passenger stations, urban rail stations and other traffic hubs; (3) large- and medium-sized means of public transport such as passenger trains, operating passenger vehicles, urban rail transit vehicles and passenger ships; and (4) service areas of expressways or trunk lines of ordinary national and provincial highways. The image capturing equipment and related facilities to be installed in the places or areas provided for in the preceding two paragraphs shall be necessary for the maintenance of public security. Except the relevant government departments and the entities responsible for operation and management (hereinafter collectively referred to as the "management entities of public security video systems") provided for in the preceding two paragraphs, no other entity or individual may install such equipment or facilities. **Article 8.** It is prohibited to install image capturing equipment and related facilities in the following areas and positions of the public places: (1) the interior of guest rooms or private compartments of hotels, restaurants, guesthouses, hostels, homestays and other business catering and lodging establishments; (2) the interior of student dormitories or the interior of rooms provided by entities for their employees' accommodation and rest; (3) the inside of public bathrooms, toilets, dressing rooms, nursing rooms and fitting rooms; or (4) other areas or positions where it is possible to photograph, spy on or eavesdrop on the privacy of others after the installation of the image capturing equipment. The entities or individuals responsible for operation and management of the aforesaid areas or positions shall strengthen daily management and inspection, and if they find any image capturing equipment or related facilities installed in any of the areas or positions mentioned in the preceding paragraph, they shall immediately report the case to the local public security organ for handling. **Article 9.** The image capturing equipment and related facilities to be installed in public places other than those specified in Article 7 hereof shall be necessary for the maintenance of public security and may be installed only by the entities or individuals that have the obligations of security protection with respect to such places. No other entity or individual may install such equipment or facilities. Whoever installs image capturing equipment and related facilities in accordance with the preceding paragraph shall abide by all the provisions hereof other than the mandatory requirements specified in Articles 11, 14, 15, the second paragraph of Article 16 and Article 17. **Article 10.** Where the image capturing equipment and related facilities to be installed in accordance with this Regulation are located in the vicinity of a restricted military zone, military administrative zone, State organ or any other secret-involved entity, the consent of the secret-involved entity shall be obtained in advance. **Article 11.** A management entity of public security video system shall, under the relevant standards, build a public security video system, carry out design, construction, inspection, acceptance inspection and other work, keep and manage the relevant archives according to law. **Article 12.** A product or service adopted by a public security video system shall meet the mandatory requirements of the national standards. Any provider of such product or service may not install malwares. When the provider finds any risk such as security defect or vulnerability in its products or services, it shall immediately take remedial measures, inform the user in a timely manner and report the case to the competent authority as required. **Article 13.** A management entity of public security video system shall, as required for maintaining public security and protecting personal privacy and personal information rights and interests, reasonably determine the installation position, angle and collection scope of the image capturing equipment and set up eye-catching warning signs. If it fails to set up the eye-catching warning sign, the public security organ shall order it to make corrections. **Article 14.** A management entity of public security video system shall, within 30 days from the date when the system is put into operation, file for record the basic information on the entity, the development position of the public security video system, the quantity and type of image capturing equipment, the term of storage of video image information and other basic information with the public security organ of the people's government at the county level of the place where it is located. Any system which has been put into use before the entry into force of this Regulation shall be filed for record within 90 days from the date of entry into force hereof. In case of any change in the matter filed for record for the public security video system, the formalities for alteration of filing shall be completed in a timely manner. The management entity of public security video system shall be responsible for the authenticity of the information filed for record. The public security organ shall strengthen information technology development so as to facilitate the filing by the management entity of public security video system. The parties concerned are not required to provide the filed information that can be obtained through inter-departmental information sharing. **Article 15.** A management entity of public security video system shall perform the duties of managing the operation safety of the system, fulfill the obligations of network security, data security and personal information protection, establish a sound management system, improve the technical security measures to prevent attacks, intrusions, viruses, tampering and leakage, regularly maintain the equipment and facilities, guarantee the continuous, stable and safe operation of the system and ensure the original and complete video image information. Where the management entity of public security video system entrusts the operation thereof to another person, it shall, by entering into a security confidentiality agreement or by other means, agree upon the obligations of network security, data security and personal information protection as prescribed in the preceding paragraph and supervise the entrusted party's performance of its obligations. **Article 16.** A management entity of public security video system shall, when using the video image information, abide by laws and regulations, protect State secrets, trade secrets, personal privacy and personal information according to law, and shall not misuse or disclose such information. The management entity of public security video system shall take the following measures to prevent the misuse or disclosure of video image information: (1) establishing such management systems as entry examination, confidentiality education and on-the-job training for personnel in important posts for system monitoring and management; (2) taking the technical measures such as authorization management and access control, so as to strictly regulate the insiders' access to and handling of video image information; (3) establishing an information retrieval registration system to faithfully record the reasons for and contents of consulting or retrieving video image information, the employer and name of the person making the retrieval and other information; and (4) other measures to prevent the misuse or disclosure of video image information. **Article 17.** Video image information collected by a public security video system shall be preserved for no less than 30 days; after 30 days, the video image information whose purpose of processing has been achieved shall be deleted. Where the period for preservation of video image information is otherwise provided for in laws or administrative regulations, such provisions shall prevail. **Article 18.** A telecom operator that provides network transmission services for public security video systems shall strengthen the security management of the transmission of video image information, and shall, in accordance with the provisions of laws and administrative regulations and the compulsory requirements of national standards, take technical measures and other necessary measures to ensure the secure and stable operation of the network and maintain the integrity, confidentiality and availability of data. **Article 19.** Any entity and its staff members that have accepted the entrustment to undertake the design, construction, inspection, acceptance inspection and maintenance of a public security video system shall keep confidential the video image information and relevant archival materials accessed by them, shall not use the same for any activities unrelated to the entrusted task, and shall not retain, process, divulge or provide the same to others without authorization. **Article 20.** When a State organ, for the purpose of performing its statutory functions and duties such as law enforcement, handling an emergency, etc., consults or retrieves the video image information collected by a public security video system, it shall follow the authority and procedures prescribed in laws or administrative regulations and strictly abide by the provisions on confidentiality, and may not exceed the scope and limit necessary for performing its statutory functions and duties. **Article 21.** In order to protect the life health and property safety of a natural person, the natural person himself/herself, a close relative or any other person responsible for his/her guardianship, care or custody may, upon consent of the management entity of a public security video system, consult associated video image information; and shall not illegally provide to external parties or publicly disseminate any video image information known by such person involving public security, personal privacy or personal information. **Article 22.** If the video image information collected by a public security video system is used for public dissemination in accordance with the law, which may damage the lawful rights and interests of an individual or any organization, strict protection measures shall be taken against such sensitive personal information as face or motor vehicle plate number involved, as well as such information as the name and business license of a legal person or unincorporated organization. **Article 23.** No entity or individual may commit any of the following acts: (1) violating the provisions of laws and regulations by providing to external parties or publicly disseminating the video image information collected by the public security video system; (2) altering, removing or dismantling the image capturing equipment and related facilities installed in accordance with Article 7 hereof without authorization or obstructing the normal operation thereof by spraying, shielding and other means; (3) illegally intruding into or controlling the public security video system; (4) illegally obtaining data from the public security video system; (5) illegally deleting, concealing, modifying or adding data or applications in the public security video system; or (6) committing other acts which obstruct the normal operation of the public security video system or endanger network security, data security or personal information security. **Article 24.** When a public security organ supervises or inspects the development and use of a public security video system, the relevant entity or individual shall offer assistance and cooperation. The relevant entity or individual may, if finding a violation of the third paragraph of Article 7, the first paragraph of Article 8 or the first paragraph of Article 9 hereof involving installation of image capturing equipment and related facilities, report the case to the public security organ. The public security organ shall promptly handle it according to law. **Article 25.** A public security organ shall strictly implement the internal supervision system and supervise the performance by its staff members of their duties of development and use of public security video systems. If, in the course of performing their duties of development, use, supervision and administration of public security video systems, a public security organ or any of its staff members violates the provisions of this Regulation or otherwise abuses its/his power, neglects its/his duties or practices favoritism for personal gains, any entity or individual has the right to expose or make an accusation against it/him. **Article 26.** Where any entity or individual, in violation of the third paragraph of Article 7 or the first paragraph of Article 9 hereof, installs image capturing equipment and related facilities, the public security organ shall order it/him to make corrections within a specified time limit and to delete the video image information collected; if it/he refuses to do so, the public security organ shall confiscate the relevant equipment and facilities and concurrently impose a fine of not more than 5,000 yuan upon the individual, a fine of not more than 20,000 yuan upon the entity, and a fine of not more than 5,000 yuan upon the person directly in charge and other directly liable persons. **Article 27.** Where any entity or individual, in violation of the first paragraph of Article 8 hereof, installs image capturing equipment and related facilities, the public security organ shall confiscate the relevant equipment and facilities, delete the video image information collected and concurrently impose a fine of not less than 5,000 yuan but not more than 10,000 yuan upon the individual, a fine of not less than 10,000 yuan but not more than 20,000 yuan upon the entity, and a fine of not less than 5,000 yuan but not more than 10,000 yuan upon the person directly in charge and other directly liable persons. Whoever peeps at, secretly takes photos of or eavesdrops on the privacy of others, if such act constitutes a violation of public security administration, shall be subject to a public security administration penalty in accordance with the law; if a crime is constituted, criminal liability shall be investigated in accordance with the law. Where any entity or individual responsible for operation and management of the corresponding region or part fails to perform the obligations of daily management and inspection specified in the second paragraph of Article 8 hereof, the public security organ shall order it/him to make corrections; if such entity or individual refuses to make corrections or causes serious consequences, a fine of not less than 5,000 yuan but not more than 10,000 yuan shall be imposed upon the individual, a fine of not less than 10,000 yuan but not more than 20,000 yuan upon the entity, and a fine of not less than 5,000 yuan but not more than 10,000 yuan upon the person directly in charge and other directly liable persons, and the relevant competent authority shall be notified to order suspension of relevant business or suspension of business for rectification or revoke the relevant business permit or business license, depending on the seriousness of the circumstances. **Article 28.** Where any entity or individual, without obtaining the consent of the relevant secret-involved entity as required by Article 10 hereof, installs image capturing equipment and related facilities, the public security organ shall confiscate the relevant equipment and facilities, delete the video image information collected and concurrently impose a fine of not less than 5,000 yuan but not more than 10,000 yuan upon the individual, a fine of not less than 10,000 yuan but not more than 20,000 yuan upon the entity and a fine of not less than 5,000 yuan but not more than 10,000 yuan upon the person directly in charge and other directly liable persons; whoever illegally obtains state or military secrets shall be punished in accordance with the relevant laws; and if a crime is constituted, criminal liability shall be investigated in accordance with the law. **Article 29.** Where any management entity fails to file for record according to Article 14 hereof or provides false information for record, the public security organ shall order it to make corrections within a specified time limit; if it refuses to do so, a fine of not more than 10,000 yuan shall be imposed on it. **Article 30.** Where any entity or individual, in violation of Item (2) of Article 23 hereof, alters, removes or dismantles image capturing equipment and related facilities without authorization, it/he shall be ordered to make corrections and given a warning by the public security organ; if it/he refuses to do so or serious consequences are caused, the public security organ shall impose a fine of not more than 5,000 yuan upon the individual, a fine of not less than 5,000 yuan but not more than 10,000 yuan upon the entity and a fine of not more than 5,000 yuan upon the person directly in charge and other directly liable persons. **Article 31.** Any management entity that, in violation of this Regulation, fails to perform the obligation of network security, data security and protection of personal information or illegally provides external parties or publicly disseminates video image information shall be punished in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China or the Personal Information Protection Law of the People's Republic of China; if such act constitutes a violation of public security administration, a public security administration punishment shall be imposed on it in accordance with the law; if a crime is constituted, criminal liability shall be investigated in accordance with the law. **Article 32.** Where any public security organ or any of its staff members violates this Regulation or otherwise abuses its/his power, neglects its/his duties, plays favoritism or commits irregularities in the process of performing its/his duties of building, using, supervising and administering public security video systems, the public security organ at the next higher level or the relevant competent authority shall order it/him to make corrections and impose sanctions on the leader in charge and other directly liable persons in accordance with the law; if a crime is constituted, criminal liability shall be investigated in accordance with the law. Where any other State organ or any of its staff members violates this Regulation in the process of performing its/his duties of building, using or administering public security video systems or abuses its/his power, neglects its/his duties or plays favoritism or commits irregularities in the process of consulting or retrieving video image information in accordance with Article 20 hereof, the organ at the next higher level or the relevant competent authority shall order it/him to make corrections and impose sanctions on the leader in charge and other directly liable persons in accordance with the law; if a crime is constituted, criminal liability shall be investigated in accordance with the law. **Article 33.** The installation of image capturing equipment and related facilities in non-public places shall not endanger public security or infringe upon the legitimate rights and interests of others. Any video image information collected involving public security, personal privacy or personal information shall not be illegally provided to external parties or publicly disseminated. Whoever violates the provisions of the preceding paragraph shall be punished in accordance with the provisions of Article 31 hereof. **Article 34.** This Regulation shall come into force as of April 1, 2025. --- ## Law on the Protection of Minors - Chinese title: 中华人民共和国未成年人保护法 - Abbreviation: Minors Protection Law - Hierarchy: law - Issuing body: Standing Committee of the National People's Congress - Adopted: 1991-09-04 - Effective: 2021-06-01 - Status: effective - URL: https://datacompliancechina.com/laws/minors-protection-law/ - Markdown: https://datacompliancechina.com/laws/minors-protection-law.md ### Summary The umbrella statute for the protection of minors in China. Its 2020 revision added a dedicated 'Network Protection' chapter that anchors the entire minors-online-protection regime: internet-literacy education duties for the state, society, schools, and families (Art. 64); school management of smartphones and smart terminals (Art. 70); mandatory school bullying prevention-and-control systems with reporting duties for serious incidents (Art. 39); and school duties to notify parents and intervene when students show internet addiction (Art. 71). The Regulations on the Protection of Minors in Cyberspace (2024) implement the chapter at administrative-regulation level, and the MOE's Provisions on the Protection of Minors by Schools implement the school-facing duties. ### Full text **Adopted** September 4, 1991; comprehensively revised December 29, 2006 and October 17, 2020 (the latter adding the "Network Protection" chapter); amended October 26, 2012. The current text took effect June 1, 2021. DCC has not reproduced the full text. Key provisions cited in DCC briefs: - **Article 39** — schools must establish a student-bullying prevention-and-control system, train staff and students, immediately stop bullying, involve parents of both sides in determination and handling, and report serious incidents to public security and education authorities. - **Article 64** — the state, society, schools, and families shall conduct internet-literacy education for minors. - **Article 70** — schools shall use the internet reasonably in teaching; minor students may not bring smartphones and other smart terminals into class without school permission, and devices brought to school are subject to unified management. - **Article 71** — a school that discovers a minor student addicted to the internet shall promptly inform the parents or other guardians and jointly educate and guide the student. --- ## Measures for the Labeling of AI-Generated and Composed Content - Chinese title: 人工智能生成合成内容标识办法 - Hierarchy: rule - Issuing body: CAC, MIIT, MPS, NRTA - Adopted: 2025-03-07 - Effective: 2025-09-01 - Status: effective - URL: https://datacompliancechina.com/laws/ai-content-labeling-measures/ - Markdown: https://datacompliancechina.com/laws/ai-content-labeling-measures.md ### Summary The newest of China's AI rules — mandatory labeling for AI-generated and AI-composed content, including text, images, audio, video, and virtual scenes. Distinguishes between 'visible/audible labels' (for end users) and 'implicit labels' (metadata/watermarks for platforms). Applies to all platforms providing GenAI or deep synthesis services in China, with corresponding obligations on app stores and content distribution platforms. ### Full text **Promulgated by:** CAC, MIIT, MPS, NRTA. **Document No.:** Guo Xin Ban Tong Zi [2025] No. 2. **Issued March 7, 2025. Effective September 1, 2025.** --- **Article 1.** These Measures are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Administrative Provisions on Algorithm Recommendation for Internet-based Information Services, the Administrative Provisions on Deep Synthesis of Internet-based Information Services, the Provisional Measures for the Administration of Generative Artificial Intelligence Services and other laws, administrative regulations and departmental rules for the purposes of promoting the healthy development of AI, regulating the labeling of AI-generated or composed content, protecting the legitimate rights and interests of citizens, legal persons and other organizations and safeguarding social and public interests. “ ” Article 2 These Measures shall apply to the labeling of AI-generated or composed content by Internet information service providers (hereinafter referred to as the "service providers") in compliance with the Administrative Provisions on Algorithm Recommendation for Internet-based Information Services, the Administrative Provisions on Deep Synthesis of Internet-based Information Services and the Provisional Measures for the Administration of Generative Artificial Intelligence Services. **Article 3.** The term "AI-generated or composed content" refers to the text, images, audio, video, virtual scenes and other information generated or composed by using AI technology. Labels for AI-generated or composed content include explicit label and implicit label. Explicit label refers to label added in the interface for generated or composed content or interactive scenes, which is presented in the form of text, sound or graphics and can be clearly perceived by users. Implicit label refers to label added to the file data of generated or composed content by taking technical measures, which is not easily perceived by users. **Article 4.** Where the generation or synthesis services provided by a service provider fall under the circumstances stipulated in the first paragraph of Article 17 of the Administrative Provisions on Deep Synthesis of Internet-based Information Services, the service provider shall add explicit labels to the generated or composed content under the following requirements: (1) adding text prompts, general symbol prompts or other labels at the beginning, end or an appropriate position in the middle of the text, or adding visible prompt labels in the interactive scene interface or around texts; (2) adding voice prompts, audio rhythm prompts or other labels at the beginning, end or an appropriate position in the middle of the audio, or adding visible prompt labels in the interactive scene interface; (3) adding visible prompt labels at appropriate locations on the images; (4) adding visible prompt labels at the beginning of the video and at appropriate locations around the video, or adding visible prompt labels at appropriate locations at the end and in the middle of the video; (5) adding visible prompt labels at an appropriate location in the starting screen when the virtual scene is presented, and adding a visible prompt label at an appropriate location during the continuous service of the virtual scene; and (6) adding visible prompt labels based on respective application characteristics for other generation or synthesis service scenarios. When service providers provide functions such as downloading, copying, and exporting generated or composed content, they shall ensure that the files contain explicit labels that meet the requirements. **Article 5.** Service providers shall, in accordance with Article 16 of the Administrative Provisions on Deep Synthesis of Internet-based Information Services, add implicit labels to the file metadata of generated or composed content. Implicit labels shall include the attributes of the generated or composed content, the name or code of the service provider, content serial number and other production element information. Service providers are encouraged to add implicit labels in the form of digital watermarks or the like in the generated or composed content. File metadata refers to the descriptive information embedded in the file header in a specific coded format, which is used to record such information as the file's source, attributes, and purpose. **Article 6.** Service providers that provide online information content dissemination services shall take the following measures to regulate the dissemination of generated or composed content: (1) They shall verify whether there are implicit labels in the file metadata. If the file metadata explicitly indicates that it is generated or composed content, appropriate ways shall be taken to add visible prompt labels around the published content to explicitly remind the public that the content is generated or composed; (2) If no implicit labels are verified in the file metadata, but the user declares that the content is generated or composed, appropriate ways shall be taken to add visible prompt labels around the published content to remind the public that the content may be generated or composed; (3) If no implicit labels are verified in the file metadata, and the user has not declared that the content is generated or composed, but the service providers that provide online information content dissemination services detect explicit labels or other traces of AI-generation or synthesis, the content shall be identified as suspected generated or composed content, and appropriate ways shall be taken to add visible prompt labels around the published content to remind the public that the content is suspected of being generated or composed; and (4) They shall provide necessary labeling functions and remind users to proactively declare whether the published content contains generated or composed content. Under the circumstances of Items (1) to (3) of the preceding paragraph, the attribute information of the generated or composed content, the name or code of the dissemination platform, the content serial number and other dissemination elements shall be added to the file metadata. **Article 7.** When an application is put on shelves or made available online for review, an Internet application distribution platform shall require the Internet application service provider to state whether it provides AI-generation or synthesis services. Where the Internet application service provider provides such services, the Internet application distribution platform shall verify the materials related to the labels for its generated or composed content. **Article 8.** Service providers shall specify in the user service agreements the methods, styles and other specifications for labeling generated or composed content and remind users to carefully read and understand the relevant labeling management requirements. **Article 9.** Where a user requests a service provider to provide generated or composed content without any explicit labels, the service provider may, after specifying the user's labeling obligations and use responsibilities in the user agreement, provide such content without any explicit labels and keep relevant logs such as information on the objects for not less than six months in accordance with the law. **Article 10.** Users who use online information content dissemination services to publish generated or composed content shall proactively declare and use the labelling function provided by the service provider. No organization or individual may maliciously delete, tamper with, forge or conceal the labeling of generated or composed content as prescribed in these Measures or provide tools or services for others to commit the aforesaid malicious acts or damage the legitimate rights and interests of others by improper means of labeling. **Article 11.** Service providers carrying out labeling activities shall also comply with the requirements of the relevant laws, administrative regulations, departmental rules and mandatory national standards. **Article 12.** When performing the formalities for algorithm filing and security evaluation, service providers shall provide the relevant materials on the labeling of generated or composed content in accordance with these Measures, strengthen the sharing of labeling information and provide support and assistance for preventing and cracking down on relevant illegal and criminal activities. **Article 13.** Whoever violates the provisions of these Measures shall be punished by the relevant competent authorities of cyberspace, telecommunications, public security, and radio and television ex officio and in accordance with the provisions of relevant laws, administrative regulations and departmental rules. **Article 14.** These Measures shall come into force as of September 1, 2025. --- ## Provisions on the Administration of Mobile Internet Application Information Services (2022 Revision) - Chinese title: 移动互联网应用程序信息服务管理规定(2022 修订) - Abbreviation: Mobile App Information Services Provisions - Hierarchy: rule - Issuing body: Cyberspace Administration of China (CAC) - Adopted: 2022-06-14 - Effective: 2022-08-01 - Status: effective - URL: https://datacompliancechina.com/laws/mobile-app-information-services-provisions/ - Markdown: https://datacompliancechina.com/laws/mobile-app-information-services-provisions.md - Source URL: https://www.cac.gov.cn/2022-06/14/c_1656821626455324.htm ### Summary The 2022 revision of the CAC's flagship app-governance rule, effective 1 August 2022, imposes dual-track obligations on app providers and app distribution platforms (including app stores, mini-program platforms, and browser plug-in platforms). App providers must verify users' real identity information via mobile-phone number, identity-document number, or unified social credit code before enabling publication or messaging features, and must comply with personal information minimization requirements — including a prohibition on denying core service functionality solely because a user declines to supply non-essential personal information. App distribution platforms must register with provincial-level CAC offices within 30 days of going live, implement multi-factor real identity verification of every app provider seeking to list on the platform, and conduct substantive pre-listing and ongoing review of apps for legal compliance, data security risks, and illegal or excessive collection and use of personal information. Overseas counsel advise on these provisions because they set the compliance baseline that any foreign app operator — whether publishing directly or distributing through Chinese app stores — must satisfy before reaching Chinese users. ### Full text **Promulgated by:** Cyberspace Administration of China. **Document No.:** Order of the Cyberspace Administration of China No. 3 (2022). **Adopted and promulgated on June 14, 2022. Effective August 1, 2022. Supersedes the Provisions on the Administration of Mobile Internet Application Information Services promulgated on June 28, 2016.** --- ## Chapter I General Provisions **Article 1.** These Provisions are formulated in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Law of the People's Republic of China on the Protection of Minors, the Administrative Measures for Internet Information Services, the Provisions on the Administration of Internet News Information Services, the Regulations on the Governance of the Information Content Ecosystem on the Internet, and other laws, administrative regulations, and relevant State provisions, with a view to regulating mobile internet application (app) information services, protecting the lawful rights and interests of citizens, legal persons, and other organizations, and safeguarding national security and the public interest. **Article 2.** These Provisions apply to the provision of app information services within the territory of the People's Republic of China, as well as to the provision of app distribution services such as through internet app stores. For purposes of these Provisions, "app information services" refers to activities of producing, reproducing, publishing, and transmitting information in the form of text, images, audio, video, and other content to users through apps, including instant messaging, news and information, knowledge and question-and-answer, forum communities, online live-streaming, e-commerce, online audio and video, life services, and other types. "App distribution services" refers to activities of providing app release, download, dynamic loading, and other services via the internet, including app stores, quick-app centers, internet mini-program platforms, browser plug-in platforms, and other types. **Article 3.** The national cyberspace administration authority is responsible for the supervision and administration of app information content throughout the country. Local cyberspace administration authorities are responsible, in accordance with their duties, for the supervision and administration of app information content within their respective administrative regions. **Article 4.** App providers and app distribution platforms shall comply with the Constitution, laws, and administrative regulations; shall promote socialist core values; shall adhere to the correct political orientation, public-opinion guidance, and value orientation; shall observe public order and good customs; shall fulfill social responsibilities; and shall maintain a clean cyberspace. App providers and app distribution platforms shall not use apps to engage in activities prohibited by laws and regulations, such as endangering national security, disrupting social order, or infringing on the lawful rights and interests of others. **Article 5.** App providers and app distribution platforms shall fulfill primary responsibility for information content management; shall actively cooperate with the State's implementation of the network trusted-identity strategy; and shall establish and improve management systems covering information content security management, information content ecosystem governance, data security and personal information protection, and the protection of minors, thereby ensuring network security and maintaining a sound network ecology. ## Chapter II App Providers **Article 6.** Where an app provider offers services such as information publication or instant messaging to users, it shall verify the real identity information of users applying for registration by means such as mobile-phone number, identity-document number, or unified social credit code. Where a user fails to provide real identity information, or uses the identity information of an organization or another person to register falsely, the relevant services shall not be provided to that user. **Article 7.** Where an app provider provides internet news information services through an app, it shall obtain a permit for internet news information services; engaging in internet news information services without a permit or beyond the permitted scope is prohibited. Where an app provider provides other internet information services that are required by law to be subject to review and approval or licensing by the competent authority, it may provide such services only after obtaining the review and approval or license of the competent authority. **Article 8.** An app provider shall be responsible for the results of information-content presentation, shall not produce or disseminate unlawful information, and shall conscientiously guard against and resist harmful information. An app provider shall establish and improve mechanisms for reviewing and managing information content, and shall establish and refine management measures covering user registration, account management, information review, daily inspection, and emergency handling; it shall also equip itself with professional staff and technical capabilities commensurate with the scale of its services. **Article 9.** An app provider shall not attract users to download through false advertising, bundled downloading, or similar conduct, through artificial or automated means of inflating rankings, inflating traffic volumes, or manipulating reviews, or by inducing users with unlawful or harmful information. **Article 10.** Apps shall comply with the mandatory requirements of relevant national standards. Where an app provider discovers security deficiencies, vulnerabilities, or other risks in an app, it shall immediately take remedial measures, inform users in a timely manner in accordance with the relevant provisions, and report the matter to the competent authority. **Article 11.** Where an app provider engages in data processing activities in connection with an app, it shall fulfill data security protection obligations, establish and improve a comprehensive full-lifecycle data security management system, adopt technical measures and other security measures to ensure data security, and strengthen risk monitoring; it shall not endanger national security or the public interest, and shall not harm the lawful rights and interests of others. **Article 12.** An app provider processing personal information shall follow the principles of lawfulness, legitimacy, necessity, and good faith, shall have a specific and reasonable purpose and disclose the processing rules, shall comply with the relevant provisions on the scope of necessary personal information, shall regulate personal information processing activities, and shall take necessary measures to protect personal information security. An app provider shall not require users to consent to personal information processing conduct on any grounds whatsoever, and shall not deny users the use of basic functionality services on the ground that a user declines to provide non-essential personal information. **Article 13.** An app provider shall adhere to the principle of the best interests of minors, shall be attentive to the healthy development of minors, shall fulfill all obligations relating to the network protection of minors, and shall strictly implement, in accordance with law, the real identity information registration and login requirements for minor user accounts. An app provider shall not, in any form, provide minor users with products or services that induce addiction, and shall not produce, reproduce, publish, or transmit information containing content that is harmful to the physical and mental health of minors. **Article 14.** Where an app provider launches new technologies, new applications, or new functions that have attributes capable of shaping public opinion or mobilizing society, it shall carry out a security assessment in accordance with the relevant State provisions. **Article 15.** App providers are encouraged to proactively adopt Internet Protocol Version 6 (IPv6) to provide information services to users. **Article 16.** An app provider shall, in accordance with laws, regulations, and relevant State provisions, formulate and make public management rules, and shall enter into service agreements with registered users specifying the respective rights and obligations of both parties. For registered users who violate these Provisions, the relevant laws and regulations, or the service agreement, an app provider shall, in accordance with law and the agreement, take measures such as warning, restriction of functionality, and account closure, shall preserve records, and shall report to the competent authority. ## Chapter III App Distribution Platforms **Article 17.** An app distribution platform shall, within thirty days of commencing operation, file for registration with the provincial-level, autonomous-region-level, or directly-administered-municipality-level cyberspace administration authority of its place of domicile. When filing, the following materials shall be submitted: (1) basic information on the platform's operating entity; (2) information such as the platform name, domain name, access services, service qualifications, and categories of apps listed; (3) materials such as the platform's commercial internet information service permit or non-commercial internet information service filing; (4) the relevant institutional documents required to be established and improved under Article 5 of these Provisions; and (5) the platform's management rules, service agreements, and other documents. Upon receiving filing materials, the provincial-level, autonomous-region-level, or directly-administered-municipality-level cyberspace administration authority shall complete the filing if the materials are complete. The national cyberspace administration authority shall promptly publish the list of app distribution platforms that have completed the filing procedures. **Article 18.** An app distribution platform shall establish a classification management system, implement classification management of apps listed on the platform, and file the apps by category with the provincial-level, autonomous-region-level, or directly-administered-municipality-level cyberspace administration authority of its place of domicile. **Article 19.** An app distribution platform shall adopt composite verification and other measures to verify the real identity information of app providers applying to list apps, using a combination of methods such as mobile-phone number, identity-document number, and unified social credit code. Based on the different nature of the app provider's entity, the platform shall publicly display information such as the provider's name and unified social credit code, so as to facilitate public supervision and inquiry. **Article 20.** An app distribution platform shall establish and improve management mechanisms and technical means, and shall establish and refine management measures for pre-listing review, routine management, and emergency handling. An app distribution platform shall review apps applying to be listed or updated; where it discovers that an app's name, icon, or description contains unlawful or harmful information, does not correspond to the registered entity's real identity information, or presents business-type violations, it shall not provide services for that app. Where the information services provided by an app fall within the scope of Article 7 of these Provisions, the app distribution platform shall verify the relevant permit status; where they fall within the scope of Article 14 of these Provisions, the app distribution platform shall verify whether the security assessment has been completed. An app distribution platform shall strengthen routine management of listed apps; where an app contains unlawful or harmful information, has falsified download-volume or review-rating data, presents data security risks, engages in illegal or excessive collection and use of personal information, or harms the lawful rights and interests of others, the platform shall not provide services for that app. **Article 21.** An app distribution platform shall, in accordance with laws, regulations, and relevant State provisions, formulate and make public management rules, and shall enter into service agreements with app providers specifying the respective rights and obligations of both parties. For apps that violate these Provisions, the relevant laws and regulations, or the service agreement, an app distribution platform shall, in accordance with law and the agreement, take measures such as warning, suspension of service, or removal from the platform, shall preserve records, and shall report to the competent authority. ## Chapter IV Supervision and Administration **Article 22.** App providers and app distribution platforms shall consciously accept social supervision, shall set up prominent and easily accessible channels for complaints and reports, shall publicize the means for complaints and reports, and shall establish and improve mechanisms for receiving, handling, and providing feedback on such matters, so as to handle public complaints and reports in a timely manner. **Article 23.** Internet industry organizations are encouraged to establish and improve industry self-discipline mechanisms, to formulate and refine industry norms and self-discipline conventions, to guide member entities in establishing and improving service standards, to provide information services in accordance with laws and regulations, to uphold market fairness, and to promote the sound development of the industry. **Article 24.** The cyberspace administration authorities, together with the relevant competent authorities, shall establish and improve working mechanisms to supervise and guide app providers and app distribution platforms in engaging in information service activities in accordance with laws and regulations. App providers and app distribution platforms shall cooperate with supervision and inspection lawfully carried out by the cyberspace administration authorities and the relevant competent authorities, and shall provide the necessary support and assistance. **Article 25.** Where an app provider or an app distribution platform violates these Provisions, the cyberspace administration authorities and the relevant competent authorities shall handle the matter in accordance with the relevant laws and regulations within the scope of their respective duties. ## Chapter V Supplementary Provisions **Article 26.** For the purposes of these Provisions, "mobile internet application (app)" refers to application software running on mobile smart terminals that provides information services to users. "Mobile internet application (app) provider" refers to the owner or operator of a mobile internet application (app) that provides information services. "Mobile internet application (app) distribution platform" refers to an internet information service provider that provides distribution services such as app release, download, and dynamic loading. **Article 27.** These Provisions shall come into force on August 1, 2022. The Provisions on the Administration of Mobile Internet Application Information Services promulgated on June 28, 2016 are hereby simultaneously repealed. --- ## Working Measures for the Protection of the Personal Information of Children in Distress - Chinese title: 困境儿童个人信息保护工作办法 - Abbreviation: Children in Distress PI Measures - Hierarchy: rule - Issuing body: Ministry of Civil Affairs; Publicity Department of the CPC Central Committee; Commission for Political and Legal Affairs of the CPC Central Committee; Cyberspace Administration of China; Supreme People's Court; Supreme People's Procuratorate; Ministry of Education; Ministry of Public Security; Ministry of Justice; Ministry of Culture and Tourism; National Health Commission; National Radio and Television Administration; Office of the National Working Committee on Children and Women under the State Council; All-China Federation of Trade Unions; Central Committee of the Communist Youth League; All-China Women's Federation; China Disabled Persons' Federation; National Working Committee on Caring for the Next Generation - Adopted: 2024-11-18 - Effective: 2024-11-18 - Status: effective - URL: https://datacompliancechina.com/laws/children-in-distress-pi-protection-measures/ - Markdown: https://datacompliancechina.com/laws/children-in-distress-pi-protection-measures.md ### Summary Working measures (Min Fa [2024] No. 67) jointly issued by the Ministry of Civil Affairs and seventeen other central authorities and mass organizations to regulate the use and protection of the personal information of children in distress. Following the principle of 'whoever is in charge / whoever processes is responsible', the measures assign protection duties across the civil-affairs, education, health, judicial, publicity, cyberspace, culture-and-tourism and broadcasting systems, as well as trade unions, the Communist Youth League, women's federations and disabled persons' federations. They require consent of parents or guardians for processing the information of children under 14 (and consent of the child plus notice to guardians for those 14 and over), prohibit labeling, traffic-chasing and using such information for fundraising or live-stream commerce, and grant children and their guardians a right to inquire about and object to processing. Effective November 18, 2024. ### Full text **Promulgated by:** Ministry of Civil Affairs; Publicity Department of the CPC Central Committee; Commission for Political and Legal Affairs of the CPC Central Committee; Cyberspace Administration of China; Supreme People's Court; Supreme People's Procuratorate; Ministry of Education; Ministry of Public Security; Ministry of Justice; Ministry of Culture and Tourism; National Health Commission; National Radio and Television Administration; Office of the National Working Committee on Children and Women under the State Council; All-China Federation of Trade Unions; Central Committee of the Communist Youth League; All-China Women's Federation; China Disabled Persons' Federation; National Working Committee on Caring for the Next Generation. **Document No.:** Min Fa [2024] No. 67. **Issued and effective November 18, 2024.** --- **Article 1.** These Measures are formulated pursuant to the relevant provisions of the Personal Information Protection Law of the People's Republic of China, the Law of the People's Republic of China on the Protection of Minors, and the Cybersecurity Law of the People's Republic of China, in order to regulate the use of the personal information of children in distress, protect the security of the personal information of children in distress, and safeguard the lawful rights and interests of children in distress. **Article 2.** For the purposes of these Measures, "children in distress" means children as defined in accordance with the relevant policies of the State Council on strengthening the protection of children in distress. **Article 3.** "Personal information of children in distress" means various kinds of information recorded on paper, electronically or by other means that can, alone or in combination with other information, identify a child in distress, excluding anonymized information. **Article 4.** Where relevant departments process the personal information of children in distress by means of collection, storage, use, processing, transmission, provision, disclosure, deletion and the like, they shall do so in accordance with the law, follow the principle of "whoever is in charge is responsible, whoever processes is responsible", and take strict protective measures. **Article 5.** Cyberspace administration departments shall perform their supervision and administration responsibilities, guide network operators in strengthening the screening and investigation of online information, promptly take effective measures to correct the disclosure or leakage of the personal information of children in distress upon discovery, and properly handle the matter in conjunction with the relevant departments. **Article 6.** Local Party committees' commissions for political and legal affairs, people's courts, people's procuratorates, public security organs, judicial administrative departments, legal service institutions and the like shall, in such work as case investigation, evidence collection, examination and prosecution, legal supervision, judicial adjudication, legal aid, lawyer representation, and the release of typical cases, properly protect, in accordance with the law, the personal information of children in distress involved in cases. **Article 7.** Civil affairs departments shall protect, in accordance with the law, the personal information of children in distress when organizing and implementing social assistance, charitable support and care services. They shall supervise and guide child welfare institutions, minor assistance and protection institutions, relevant social organizations and their staff, as well as child supervisors and child directors, in raising their awareness of information protection. **Article 8.** Education departments shall supervise and guide schools in implementing the various provisions concerning the protection of students' privacy, and shall not, in such work as rewards, funding and charitable donations, leak the relevant information of children in distress and their families, and shall protect, in accordance with the law, the personal information of children who have suffered sexual assault, violence or the like. **Article 9.** Health departments shall supervise and guide medical and health institutions, relevant industry organizations and the like in strengthening medical ethics and conduct education, guide practicing physicians and other medical personnel in abiding by professional ethics, and protect, in accordance with the law, the personal information of children in distress who are ill or who seek medical treatment after suffering sexual assault, violence or the like. **Article 10.** Where trade unions, the Communist Youth League, women's federations and working committees on caring for the next generation at all levels, as well as relevant social organizations and volunteers, need to process the personal information of children in distress during the conduct of family-education guidance and child-care service activities, such processing shall be limited to the minimum extent and scope necessary for carrying out the activities, and corresponding protective work shall be properly carried out. **Article 11.** Disabled persons' federations at all levels shall, in their work, strengthen the protection of the personal information of children in distress, so as to avoid unfair treatment of children in distress caused by the leakage of personal information such as disability status. **Article 12.** Relevant departments shall regulate the processing of the personal information of children in distress, and shall not disclose or leak the personal information of children in distress in violation of the provisions. The processing of the personal information of children in distress under the age of 14 shall be subject to the consent of the child's parents or other guardians, and strict protective measures shall be taken. The processing of the personal information and other related information of children in distress who have reached the age of 14 shall be subject to the consent of the child in distress obtained in accordance with the law, and the child's parents or other guardians shall be informed in an explicit manner. Where a child in distress is unable to express his or her wishes due to physical or mental health or other reasons, the consent of the child's parents or other guardians shall also be obtained. **Article 13.** Where any organization or individual publishes communications, news or the like that involve the specific identity of a child in distress, it shall inform in advance the necessity and the impact on personal rights and interests, and may publish such content only after obtaining the consent of the child in distress and his or her parents or other guardians in accordance with the law, while properly carrying out technical processing. **Article 14.** When producing, importing or broadcasting various kinds of books, newspapers and periodicals, films, radio and television programs, or online information involving children in distress, the publicity, cyberspace, culture-and-tourism, and radio and television departments shall strictly review and strictly control them, and shall not disclose the names, home addresses, portraits, voice and video recordings, schools attended, or other content of children in distress that may have an adverse impact on them. Where this is genuinely necessary for work, technical processing shall be properly carried out. **Article 15.** No organization or individual may label children in distress, use the personal information of children in distress to attract attention or chase traffic, or use the personal information of children in distress for fundraising, live-stream commerce or the like. **Article 16.** Where a personal-help online service platform needs to disclose relevant information because a child in distress seeks help through it, the matter shall be handled in accordance with the relevant laws and regulations such as the Charity Law of the People's Republic of China and the Measures for the Administration of Personal-Help Online Service Platforms. **Article 17.** A child in distress and his or her parents or other guardians shall have the right to inquire of the relevant units and organizations about the child's personal information that they process. Where objections are raised, the relevant units and organizations shall fully respect them, promptly investigate and verify the matter, and take effective disposal measures. **Article 18.** Where the personal information of children in distress is processed in violation of the provisions of these Measures, infringing upon the lawful rights and interests of children in distress, the matter shall be disposed of in accordance with the relevant provisions of the Personal Information Protection Law of the People's Republic of China and other relevant provisions. --- ## Provisions on the Protection of Minors by Schools - Chinese title: 未成年人学校保护规定 - Abbreviation: School Protection Provisions - Hierarchy: rule - Issuing body: Ministry of Education (MOE) - Adopted: 2021-06-01 - Effective: 2021-09-01 - Status: effective - URL: https://datacompliancechina.com/laws/minors-school-protection-provisions/ - Markdown: https://datacompliancechina.com/laws/minors-school-protection-provisions.md ### Summary MOE Order No. 50, the school-facing implementing rule under the Law on the Protection of Minors. For the online-protection regime its load-bearing provision is Article 21: teachers and staff who discover students fabricating facts to defame others, spreading rumors or false information, or maliciously disseminating others' private information through networks or other means must stop it promptly — the hook that turns online defamation and privacy-spreading incidents among students into a school management duty, with civil supplementary liability under Civil Code Article 1201 if the school fails to act. ### Full text **Promulgated by:** Ministry of Education. **Document No.:** MOE Order No. 50. **Promulgated June 1, 2021; effective September 1, 2021.** DCC has not reproduced the full text. The provision most cited in DCC briefs is **Article 21(5)**: teachers and staff who discover a student "fabricating facts to defame others, spreading rumors or false information to disparage others, or maliciously disseminating others' privacy through networks or other information-dissemination means" must promptly stop the conduct. --- ## Announcement of the State Administration for Market Regulation and the Cyberspace Administration of China on Carrying Out Data Security Management Certification - Chinese title: 国家市场监督管理总局、国家互联网信息办公室关于开展数据安全管理认证工作的公告 - Abbreviation: Data Security Certification Announcement - Hierarchy: rule - Issuing body: State Administration for Market Regulation; Cyberspace Administration of China - Adopted: 2022-06-05 - Effective: 2022-06-05 - Status: effective - URL: https://datacompliancechina.com/laws/data-security-management-certification-announcement/ - Markdown: https://datacompliancechina.com/laws/data-security-management-certification-announcement.md ### Summary Announcement (SAMR/CAC Announcement No. 18 of 2022) launching a voluntary data security management certification scheme that encourages network operators to certify their network-data processing activities (collection, storage, use, processing, transmission, provision, disclosure, etc.) and strengthen network data security protection. The attached Data Security Management Certification Implementation Rules, based on the Regulations on Certification and Accreditation and the standard GB/T 41479 (Information security technology—Security requirements for network data processing), set out a certification mode of 'technical verification + on-site audit + post-certification supervision', the certification procedure, a three-year certificate validity period, and rules on certificates, certification marks and the responsibilities of certification bodies. Effective June 5, 2022. ### Full text **Promulgated by:** State Administration for Market Regulation; Cyberspace Administration of China. **Document No.:** Announcement of the State Administration for Market Regulation and the Cyberspace Administration of China No. 18 of 2022. **Issued and effective June 5, 2022.** --- In accordance with the relevant provisions of the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and the Regulations of the People's Republic of China on Certification and Accreditation, the State Administration for Market Regulation and the Cyberspace Administration of China have decided to carry out data security management certification, so as to encourage network operators to regulate network-data processing activities and strengthen network data security protection by means of certification. Certification bodies engaged in data security management certification activities shall be established in accordance with the law and shall implement certification in accordance with the Data Security Management Certification Implementation Rules (see Annex). This Announcement is hereby made. State Administration for Market Regulation; Cyberspace Administration of China June 5, 2022 --- ## Annex: Data Security Management Certification Implementation Rules ### 1 Scope of Application These Rules are formulated pursuant to the Regulations of the People's Republic of China on Certification and Accreditation, and set out the basic principles and requirements for certifying the processing activities of network operators in collecting, storing, using, processing, transmitting, providing, disclosing and otherwise handling network data. ### 2 Certification Basis GB/T 41479 *Information security technology—Security requirements for network data processing* and related standards and specifications. In principle, the above standards shall be implemented in the latest version issued by the administrative department for standardization of the State. ### 3 Certification Mode The certification mode for data security management certification is: Technical verification + on-site audit + post-certification supervision. ### 4 Certification Implementation Procedure **4.1 Certification Entrustment** The certification body shall specify the requirements for certification-entrustment materials, including but not limited to the entrusting party's basic materials, the certification entrustment letter, and relevant supporting documents. The certification-entrusting party shall submit the certification-entrustment materials in accordance with the requirements of the certification body, and the certification body shall, after reviewing the certification-entrustment materials, promptly provide feedback on whether the entrustment is accepted. The certification body shall, on the basis of the certification-entrustment materials, determine the certification scheme, including the type and quantity of data, the scope of the data-processing activities involved, and information on the technical-verification institution, and shall notify the certification-entrusting party. **4.2 Technical Verification** The technical-verification institution shall implement technical verification in accordance with the certification scheme, and shall issue a technical-verification report to the certification body and the certification-entrusting party. **4.3 On-Site Audit** The certification body shall conduct an on-site audit and issue an on-site audit report to the certification-entrusting party. **4.4 Evaluation and Approval of Certification Results** The certification body shall make a comprehensive evaluation and a certification decision on the basis of the certification-entrustment materials, the technical-verification report, the on-site audit report and other relevant materials and information. For those that meet the certification requirements, a certification certificate shall be issued; for those that do not yet meet the certification requirements, the certification-entrusting party may be required to carry out rectification within a time limit, and where, after rectification, the requirements are still not met, the certification-entrusting party shall be notified in writing of the termination of certification. Where it is found that the certification-entrusting party or the network operator has engaged in conduct that seriously affects the implementation of certification, such as deception, concealment of information, or intentional violation of certification requirements, the certification shall not be passed. **4.5 Post-Certification Supervision** **4.5.1 Frequency of Supervision** The certification body shall, within the validity period of the certification, conduct continuous supervision of the certified network operator, and reasonably determine the frequency of supervision. **4.5.2 Content of Supervision** The certification body shall implement post-certification supervision in an appropriate manner to ensure that the certified network operator continuously meets the certification requirements. **4.5.3 Evaluation of Post-Certification Supervision Results** The certification body shall make a comprehensive evaluation of the post-certification supervision conclusions and other relevant materials and information. Where the evaluation is passed, the certification certificate may continue to be maintained; where it is not passed, the certification body shall, according to the corresponding circumstances, suspend or even revoke the certification certificate. **4.6 Certification Time Limit** The certification body shall make clear provisions on the time limits for each stage of certification, and ensure that the relevant work is completed within the required time limits. The certification-entrusting party shall actively cooperate with the certification activities. ### 5 Certification Certificate and Certification Mark **5.1 Certification Certificate** **5.1.1 Maintenance of the Certification Certificate** The validity period of the certification certificate is 3 years. Within the validity period, the validity of the certification certificate shall be maintained through the certification body's post-certification supervision. Where the certificate needs to be renewed for continued use upon expiry, the certification-entrusting party shall submit a certification entrustment within 6 months before the expiry of the validity period. The certification body shall, by means of post-certification supervision, issue a new certificate to those that meet the certification requirements. **5.1.2 Change of the Certification Certificate** Where, within the validity period of the certification certificate, the name or registered address of the certified network operator, or the certification requirements or certification scope, changes, the certification-entrusting party shall submit a change entrustment to the certification body. The certification body shall, according to the content of the change, evaluate the change-entrustment materials and determine whether the change may be approved. Where technical verification and/or on-site audit is required, it shall also be conducted before the change is approved. **5.1.3 Cancellation, Suspension and Revocation of the Certification Certificate** Where a certified network operator no longer meets the certification requirements, the certification body shall promptly suspend or even revoke the certification certificate. The certification-entrusting party may apply for the suspension or cancellation of the certification certificate within the validity period of the certificate. The certification body shall, in an appropriate manner, publicly announce the certification certificates of network operators that have been suspended, cancelled or revoked. **5.2 Certification Mark** [Mark] "ABCD" represents the identification information of the certification body. **5.3 Use of the Certification Certificate and Certification Mark** Within the validity period of the certification certificate, the certified network operator shall, in accordance with the relevant provisions, correctly use the certification certificate and certification mark in advertising and other publicity, and shall not mislead the public. ### 6 Detailed Certification Implementation Rules The certification body shall, in accordance with the relevant requirements of these Rules, refine the certification implementation procedure, formulate scientific, reasonable and operable detailed certification implementation rules, and publicly announce and implement them. ### 7 Certification Responsibilities The certification body shall be responsible for the on-site audit conclusions and the certification conclusions. The technical-verification institution shall be responsible for the technical-verification conclusions. The certification-entrusting party shall be responsible for the authenticity and legality of the certification-entrustment materials. --- ## Guidelines for the Declaration of Data Export Security Assessment (Third Edition) - Chinese title: 数据出境安全评估申报指南(第三版) - Abbreviation: Data Export Declaration Guide (v3) - Hierarchy: rule - Issuing body: Cyberspace Administration of China (CAC) - Adopted: 2025-06-27 - Effective: 2025-06-27 - Status: effective - URL: https://datacompliancechina.com/laws/data-export-assessment-declaration-guide-v3/ - Markdown: https://datacompliancechina.com/laws/data-export-assessment-declaration-guide-v3.md - Source URL: https://www.cac.gov.cn/2025-06/27/c_1752652339765002.htm ### Summary The CAC's third-edition procedural guide — issued and effective 27 June 2025 — sets out in detail who must file a Data Export Security Assessment declaration, the step-by-step filing process through the online declaration system (sjcj.cac.gov.cn), the eight categories of required materials (including the self-assessment report and the legally binding contract with the overseas recipient), and the newly introduced procedure for applying to extend an approved assessment's validity period. It supersedes the first and second editions, streamlines the documentary requirements, and clarifies the conditions (capped volume increases of no more than 20 % over the prior three-year approval period) and timeline (60 working days before expiry) for extension applications. Overseas counsel advising on cross-border data transactions need this guide to prepare compliant declaration packages and to structure the legal agreement with the overseas recipient so that it satisfies the mandatory contractual checklist in the self-assessment report template. ### Full text **Promulgated by:** Cyberspace Administration of China (CAC). **Issued on 27 June 2025. Effective on 27 June 2025.** --- In accordance with the Measures for the Security Assessment of Data Export and the Provisions on Promoting and Regulating Cross-border Data Flows, and in order to guide and assist data handlers in filing declarations for a Data Export Security Assessment in a standardised and orderly manner, these Guidelines are formulated. --- **Section I. Scope of Application** **(I) Circumstances requiring a declaration for a Data Export Security Assessment** A data handler that provides data to an overseas recipient must file a declaration for a Data Export Security Assessment where any of the following applies: 1. The data handler is a critical information infrastructure operator (CIIO) that provides personal information or important data overseas. 2. The data handler is not a CIIO but provides important data overseas, or has, cumulatively from 1 January of the current year, provided overseas the personal information of more than one million individuals (excluding sensitive personal information) or the sensitive personal information of more than ten thousand individuals. Where a situation falls within Articles 3, 4, 5, or 6 of the Provisions on Promoting and Regulating Cross-border Data Flows, those provisions shall govern. **(II) Circumstances constituting a cross-border data transfer** The following constitute cross-border data transfer activities: 1. A data handler transmits overseas data that it has collected and generated in the course of its domestic operations. 2. A data handler's collected and generated data is stored within the territory, but overseas institutions, organisations, or individuals are able to query, retrieve, download, or export it. 3. Activities that fall within Article 3, paragraph 2, of the Personal Information Protection Law (PIPL) involving the processing of personal information of natural persons within the territory from outside the territory, and other such data processing activities. --- **Section II. Declaration Method and Process** A data handler filing a declaration for a Data Export Security Assessment must submit declaration materials through online means. CIIOs and other data handlers for whom online filing through the declaration system is not appropriate shall file offline via the provincial-level Cyberspace Administration at their place of registration, which will forward the materials to the CAC. **(I) System login and project declaration** The Data Export Declaration System URL is: https://sjcj.cac.gov.cn **1. Account registration and login.** A data handler logging into the declaration system for the first time should click "Register Account" and fill in a username, password, mobile phone number, and other required information. After successful registration, log in to the declaration system and complete the basic information entry: the data handler's entity name, unified social credit code (USCC), and province of entity registration. **2. Creating a new project and filing.** The data handler selects the "Data Export Security Assessment" module, selects "Add New Declaration Project", and uploads the prepared declaration materials. **Declaration materials (for document requirements see Annex 1) include:** (1) A photocopy of the unified social credit code certificate (2) A photocopy of the legal representative's identity document (3) A photocopy of the case-handler's identity document (4) A power of attorney for the case-handler (template: Annex 2) (5) The Data Export Security Assessment Declaration Form (template: Annex 3) (6) The data-export-related contract or other legally effective document proposed to be entered into with the overseas recipient (7) The data export risk self-assessment report (template: Annex 4) (8) Other relevant supporting materials The data handler bears responsibility for the authenticity of all submitted materials. Submission of false materials shall be treated as a failure to pass the assessment, and corresponding legal liability shall be pursued in accordance with law. **(II) Completeness review and project acceptance** Data handlers may track the progress of filed projects through the declaration system: **1.** The provincial-level Cyberspace Administration completes the completeness review of the declaration materials within **5 working days** from the date the data handler submits the materials, and simultaneously updates the completeness review result in the declaration system. Where the materials fail the completeness review, the provincial-level Cyberspace Administration notifies the data handler of the reasons for failure. **2.** Where the materials pass the completeness review, the provincial-level Cyberspace Administration submits the declaration materials to the CAC for acceptance. The CAC, within **7 working days** from the date it receives the declaration materials submitted by the provincial-level Cyberspace Administration, determines whether to accept the project and notifies the data handler in writing, simultaneously updating the acceptance result in the declaration system. **(III) Supplementation or correction of materials and tracking assessment progress** After issuing a notice of acceptance of the assessment project, the CAC will immediately organise and carry out the Data Export Security Assessment. Where supplementation or correction of declaration materials is required, the data handler must promptly supplement or correct the materials through the declaration system in accordance with the notification requirements. Where a data handler, without legitimate reason, fails to supplement or correct declaration materials, the CAC may terminate the security assessment. Where circumstances are complex or supplementation or correction of materials is required, the CAC may extend the assessment period as appropriate and notify the data handler of the anticipated additional time needed. Data handlers may track assessment progress at any time through the declaration system. Upon completion of the assessment, the CAC issues an assessment result notice to the data handler. The data handler must conduct its data export activities in a compliant manner in accordance with the relevant laws and regulations governing data export security management and the requirements of the assessment result notice. Where a data handler objects to the assessment result, it may, within **15 working days** of receiving the assessment result notice, apply to the CAC for a review (复评). The outcome of the review is the final determination. --- **Section III. Applying to Extend the Validity Period of an Assessment Result** **(I) Applicable conditions** Where an assessment result authorises certain data export activities and all of the following conditions are concurrently satisfied, the data handler may, within **60 working days** before the expiry of the validity period of the assessment result, apply through the provincial-level Cyberspace Administration at its place of registration to the CAC to extend the validity period: 1. The purpose, scope, and other aspects of the data export have not changed. 2. The data handler, the overseas recipient, and other relevant parties have not changed. 3. For exports of personal information: the number of natural persons to be covered in the following three years does not exceed the number approved in the original assessment result for the past three years by more than **20%**. 4. For exports of important data: the scale of data to be exported in the following three years (MB/GB/TB) does not exceed the scale of data approved in the original assessment result for the past three years by more than **20%**. 5. The legal document entered into with the overseas recipient complies with the requirements of Article 9 of the Measures for the Security Assessment of Data Export. 6. The data export activities over the past three years have been conducted in strict compliance with the assessment result notice, and no major data security incident has occurred. **(II) Filing the extension application** Data handlers applying to extend the validity period of an assessment result must submit application materials through the declaration system. CIIOs and other data handlers for whom system-based applications are not appropriate shall submit materials offline. For extension applications relating to assessment results obtained through online filing: after logging into the declaration system, the data handler selects the original declaration project and performs the "Apply for Extension" operation, uploading the application materials. For extension applications relating to assessment results obtained through offline filing: after logging into the declaration system, the data handler applies under the "Extension of Assessment Result Validity Period" module, enters the acceptance number for the original project, and uploads the application materials. **Application materials include:** 1. A photocopy of the unified social credit code certificate (may be omitted if unchanged) 2. A photocopy of the legal representative's identity document (may be omitted if unchanged) 3. A photocopy of the case-handler's identity document (may be omitted if unchanged) 4. A power of attorney for the case-handler (template: Annex 2) 5. The Application Form for Extension of Assessment Result Validity Period (template: Annex 5) **(III) Completeness review** Data handlers may track the completeness review status of their extension applications through the declaration system. The provincial-level Cyberspace Administration completes the completeness review within **5 working days** from the date the data handler submits the application materials, and simultaneously updates the review result in the system. Where materials fail the completeness review, the provincial-level Cyberspace Administration notifies the data handler of the reasons for failure. Where materials pass the completeness review, the provincial-level Cyberspace Administration submits them to the CAC. **(IV) Review of extension of assessment result validity period** The CAC, within **20 working days** from the date it receives the application materials submitted by the provincial-level Cyberspace Administration, determines whether to approve the extension and notifies the data handler in writing. Where circumstances are complex or supplementation or correction of materials is required, the review period may be extended appropriately, and the data handler will be notified of the anticipated additional time. Data handlers may track the review progress for the extension application through the declaration system, and may supplement or correct materials through the system. Upon receiving the notice on the extension of assessment result validity period, the data handler must conduct its data export activities in a compliant manner in accordance with the relevant laws and regulations governing data export security management and the requirements of the notice. --- **Section IV. Consultation and Reporting Contact Information** Data handlers encountering any questions or requiring assistance during the declaration process are welcome to contact us: **Telephone:** 010-55627135 **Email:** sjcj@cac.gov.cn --- **Annex 1. Requirements for Data Export Security Assessment Declaration Materials** | No. | Material Name | Requirements | Notes | |-----|---------------|--------------|-------| | 1 | Photocopy of unified social credit code certificate | Stamped with official seal | | | 2 | Photocopy of the legal representative's identity document | Stamped with official seal | | | 3 | Photocopy of the case-handler's identity document | Stamped with official seal | | | 4 | Power of attorney for the case-handler | | | | 5 | Data Export Security Assessment Declaration Form | Completed in Chinese | | | 6 | Data-export-related contract or other legally effective document proposed to be entered into with the overseas recipient | Relevant data-export provisions must be prominently highlighted (e.g., highlighted text or boxes). Legal documents must be in a Chinese-language version; if only a non-Chinese version exists, an accurate Chinese translation must also be submitted. | | | 7 | Data export risk self-assessment report | Written in Chinese | | | 8 | Other relevant supporting materials | | | Note: Data handlers submitting declaration materials offline must simultaneously submit corresponding electronic versions on optical disc (CD/DVD). --- **Annex 2. Power of Attorney for the Case-Handler (Template)** I, [full name] (identity document number: ____), the legal representative of [data handler name], hereby authorise [full name] (identity document number: ____) of our entity to act as the case-handler for the Data Export Security Assessment declaration / Application for Extension of Assessment Result Validity Period. All actions taken by the case-handler on behalf of our entity, including documents signed and uploaded, are hereby acknowledged by our entity, which shall bear the corresponding legal liability. **Term of authorisation:** from ____ year ____ month ____ day to ____ year ____ month ____ day. The case-handler has no right to sub-delegate. Entity name (stamped with official seal): ____________________ Legal representative (signature): ____________________ Case-handler (signature): ____________________ Date: ____ year ____ month ____ day --- **Annex 3. Data Export Security Assessment Declaration Form (Template)** **Section 1 — Data Handler Information** | Field | Options / Notes | |-------|-----------------| | Entity name | | | Nature of entity | Government department / Public institution / Enterprise / Social organisation / Other | | Type of entity | Domestically invested / Foreign-invested / Sino-foreign joint venture / Hong Kong, Macao, or Taiwan-invested / Other | | Registered address | | | Operating address | | | Number of employees | | | Unified social credit code | | | Whether a CIIO | Yes / No | | Scale of personal information processed | Number of natural persons (de-duplicated) | **Section 2 — Legal Representative Information** | Field | Options / Notes | |-------|-----------------| | Name | | | Title | | | Nationality | | | Contact telephone | | | Email address | | | Type of identity document | Resident identity card / Passport / Taiwan Residents Mainland Travel Permit / Permit for Hong Kong and Macao Residents Travelling to and from the Mainland / Other | | Identity document number | | **Section 3 — Data Security Officer and Management Body Information** | Field | Options / Notes | |-------|-----------------| | Name | | | Title | | | Nationality | | | Contact telephone | | | Email address | | | Type of identity document | Resident identity card / Passport / Taiwan Residents Mainland Travel Permit / Permit for Hong Kong and Macao Residents Travelling to and from the Mainland / Other | | Identity document number | | | Management body name | | | Management body headcount | | **Section 4 — Case-Handler Information** | Field | Options / Notes | |-------|-----------------| | Name | | | Title | | | Nationality | | | Contact telephone | | | Email address | | | Type of identity document | Resident identity card / Passport / Taiwan Residents Mainland Travel Permit / Permit for Hong Kong and Macao Residents Travelling to and from the Mainland / Other | | Identity document number | | **Section 5 — Data Handler's Compliance with Chinese Laws, Administrative Regulations, and Departmental Rules** Briefly describe any administrative penalties or investigations and rectifications by competent supervisory authorities in the past 2 years in the course of business operations, with particular focus on matters relating to data and cybersecurity. **Section 6 — Data Export Scenario [No.] (repeat as needed for each scenario)** | Field | Options / Notes | |-------|-----------------| | Description of export scenario | Describe the business, purpose, and method of the data export in this declaration; must be consistent with the business name used in the legal document; no more than 100 characters. (Reference methods: public internet transmission, dedicated cross-border leased line transmission, remote access via public internet, remote access via dedicated cross-border leased line, etc.) | | **Data proposed for export:** | | | Data type | Important data / Personal information | | If important data: name of the competent authority that identified it | | | If personal information: whether it includes sensitive personal information | Yes / No | | Industry / sector involved | Industry / Telecommunications / Transport / Finance / Natural resources / Health / Education / Science and technology / Energy / National defence science and industry / Culture and tourism / Cross-border e-commerce / Retail / Internet / Other | | Number of natural persons involved (de-duplicated) | Including the number already exported in the current year, the projected number over the next three years, and the relationship between the two | | Scale of important data involved | MB / GB / TB | | **Overseas recipient information:** | | | Name of overseas recipient | | | Country or region | | | Address | | | Primary business | | | Name of responsible person | | | Title of responsible person | | | Contact information | Telephone: / Email: | | Statistical notes (if needed) | | **Declaration by the data handler:** All content in the declaration materials is true, complete, accurate, and valid. The necessary cooperation and support will be provided for the Data Export Security Assessment organised and implemented by the CAC. The self-assessment was completed within the 3 months prior to the date of declaration and no material change has occurred as of the date of declaration. If the declaration is false or the commitments are breached, the entity accepts the corresponding legal liability. Notes: 1. The content of the self-assessment report must be consistent with the content of the Declaration Form. 2. Item 6 of the Declaration Form must be described separately for each scenario; additional copies of Item 6 may be added as needed to correspond to the actual number of export scenarios being declared. 3. Where there are numerous overseas recipients, their scope is indeterminate, or they cannot be listed one by one, Item 6's "overseas recipient information" may be completed with aggregate statistical data. 4. The Declaration Form must be completed strictly in accordance with the template, in Chinese, using size-4 "Fang Song" (仿宋) typeface; numerals and letters in size-4 "Times New Roman"; line spacing at a fixed value of 16 points; paragraph first-line indent of 2 characters. Page setup: A4 paper, top and bottom margins 2.54 cm, left and right margins 3.18 cm. --- **Annex 4. Data Export Risk Self-Assessment Report (Template)** **[Data handler name:]** ____________________ (stamped with official seal) **Date:** ____ year ____ month ____ day **Instructions:** (I) The data handler is required to provide a self-assessment report when filing a declaration for a Data Export Security Assessment and bears responsibility for the authenticity of the submitted self-assessment report and its annexes. (II) The self-assessment activities described in the report must have been completed within the 3 months prior to the date of the current declaration. (III) If a third-party institution participated in the self-assessment, the basic information of that institution and its participation in the assessment must be explained in the self-assessment report. (IV) The self-assessment report must be drafted strictly in accordance with the template, in Chinese; body text in size-4 "Fang Song" (仿宋) (with first-level headings in boldface, second-level headings in bolded regular-script (楷体加黑), and third-level headings in bolded Fang Song); numerals and letters in size-4 "Times New Roman"; line spacing at a fixed value of 26 points; paragraph first-line indent of 2 characters. Page setup: A4 paper, top and bottom margins 2.54 cm, left and right margins 3.18 cm. --- **I. Overview of the Self-Assessment Exercise** Briefly describe how the self-assessment was conducted, including the start and end dates, organisational arrangements, implementation process, and implementation methods. --- **II. Overall Circumstances of the Export Activities** Briefly describe the basic information of the data handler, the data handler's security assurance capability, the overseas recipient's circumstances, the provisions of the legal document, and so forth; provide detailed information on the data proposed for export. Include but are not limited to the following: **(I) Basic information of the data handler** 1. Overview of basic information, including equity structure, actual controller, and domestic and overseas investment arrangements. 2. Organisational structure and information about the data security management body. 3. Overall business and data asset profile. **(II) Data proposed for export** 1. The business activities and data assets involved in the data export. 2. The purpose, scope, and manner of the data export and of the overseas recipient's processing of the data, and the lawfulness, legitimacy, and necessity thereof. 3. Set out, by declared business scenario, the corresponding exported data items; present the data-item inventory in tabular form and describe each item individually (as shown in the sample table below); data items within the same scenario must be de-duplicated. | No. | Data item name | Content description | Necessity for export | Example / Notes | |-----|---------------|---------------------|----------------------|-----------------| | 1 | | | | | | 2 | | | | | | ... | | | | | 4. The system platforms and data centres (including cloud services) in which the data proposed for export is stored within the territory; details of the data export links (domain names and network addresses of the data handler's and overseas recipient's network systems, and the method of data export); the system platforms and data centres planned for storage after export. 5. The circumstances in which the overseas recipient re-provides the exported data to other overseas organisations or individuals. 6. For exports involving personal information: state, counted by natural person (de-duplicated), the number already exported in the current year and estimate the number to be exported over the following 3 years. **(III) The data handler's data security assurance capability** 1. Data security management capability, including the management organisational system and institutional framework, and the implementation of systems covering full-lifecycle management, classification and grading, emergency response, risk assessment, protection of personal information rights and interests, and so forth. (For exports involving personal information: provide a description and supporting materials demonstrating compliance with Article 39 of PIPL, including performance of the notice obligation and obtaining separate consent from individuals; no individual consent is required where the situation falls within Article 13(1)(ii) through (vii) of PIPL.) 2. Data security technical capability, including the security technical measures applied throughout the full lifecycle of data collection, storage, use, processing, transmission, provision, public disclosure, and deletion. 3. Evidence of the effectiveness of data security assurance measures, such as data security risk assessments, data security certifications, data security inspections and evaluations, data security compliance audits, and Multi-Level Protection Scheme (MLPS) assessments conducted. 4. Compliance with data and cybersecurity laws and regulations. (Where administrative penalties or regulatory rectifications have been received, supporting materials demonstrating completion of rectification may be provided.) **(IV) Overseas recipient's circumstances** 1. Basic information about the overseas recipient. 2. The purposes and methods by which the overseas recipient processes the data. 3. The management and technical measures and capability of the overseas recipient to fulfil its responsibilities and obligations. **(V) Provisions in the legal document governing data security protection responsibilities and obligations** 1. The purpose, manner, and scope of the data export, and the purposes and methods by which the overseas recipient processes the data. 2. The location and period of storage of the data overseas, and the measures for handling the exported data upon reaching the storage period, completing the agreed purpose, or termination of the legal document. 3. Binding requirements on the overseas recipient with respect to re-transferring the exported data to other organisations or individuals. 4. The security measures to be taken when, due to a material change in the actual control or business scope of the overseas recipient, a change in the data security protection laws, regulations, or cybersecurity environment in the overseas recipient's country or region, or other force majeure circumstances, data security becomes difficult to ensure. 5. Remedies, liability for breach of contract, and dispute resolution mechanisms for failure to comply with data security protection obligations under the legal document. 6. Requirements for properly conducting emergency response when exported data is tampered with, damaged, leaked, lost, transferred, or unlawfully accessed or used, and the channels and methods for safeguarding individuals' rights and interests in their personal information. **(VI) Other circumstances the data handler considers necessary to explain** --- **III. Risk Self-Assessment Findings and Conclusions for the Export Activities** With reference to the matters specified in Article 5 of the Measures for the Security Assessment of Data Export, describe the risk self-assessment findings, with particular emphasis on issues identified during the self-assessment and the rectification undertaken. Based on the overall risk self-assessment findings and the corresponding rectification, provide an objective risk self-assessment conclusion for the data export activities proposed for declaration, with a full explanation of the reasons supporting the conclusion. --- **Annex 5. Application Form for Extension of Assessment Result Validity Period (Template)** **Section 1 — Basic Information** | Field | Notes | |-------|-------| | Data handler name | | | Acceptance number of the assessment project for which extension is sought | | | Whether the legal document entered into with the overseas recipient complies with the requirements of Article 9 of the Measures for the Security Assessment of Data Export | Yes / No | **Section 2 — Data Export Scenario [No.] (repeat as needed for each scenario)** | Field | Options / Notes | |-------|-----------------| | The purpose, scope, etc. of the data export have not changed | Yes / No | | The data handler, overseas recipient, etc. have not changed | Yes / No | | For personal information exports: percentage increase in the number of natural persons in the following three years (compared with the number approved in the original assessment result for the past three years) | ____% / Not applicable | | For important data exports: percentage increase in the scale of data to be exported in the following three years (compared with the scale approved in the original assessment result for the past three years) | ____% / Not applicable | | The data export links, storage systems, and data centres have not changed | Yes / No (if changed, describe in "Section 3") | | The purposes and methods of the overseas recipient's data processing have not changed | Yes / No (if changed, describe in "Section 3") | **Section 3 — Other Matters to be Explained** Describe the following matters as applicable (additional pages may be attached): (1) Measures taken and related work to ensure the security of the data export. (2) How the overseas recipient has fulfilled its data security responsibilities and obligations under the legal document. (3) A summary of how data export activities have been conducted in compliance with the assessment result notice over the past three years. (4) Any major data security incidents during the past three years, and any administrative penalties, investigations by competent supervisory authorities, and rectifications in the course of business operations. **Declaration by the data handler:** All content in the application materials is true, complete, accurate, and valid. The necessary cooperation and support will be provided for the review of the extension of the assessment result validity period organised and implemented by the CAC. If the declaration is false or the commitments are breached, the entity accepts the corresponding legal liability. Notes: 1. Item 2 of the Application Form must be described separately for each scenario; additional copies of Item 2 may be added as needed to correspond to the actual number of export scenarios for which extension is sought. 2. The Application Form must be completed strictly in accordance with the template, in Chinese, using size-4 "Fang Song" (仿宋) typeface; numerals and letters in size-4 "Times New Roman"; line spacing at a fixed value of 16 points; paragraph first-line indent of 2 characters. Page setup: A4 paper, top and bottom margins 2.54 cm, left and right margins 3.18 cm. --- ## Implementation Guidelines for the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Macao) - Chinese title: 粤港澳大湾区(内地、澳门)个人信息跨境流动标准合同实施指引 - Abbreviation: GBA (Mainland-Macao) SCC Guidelines - Hierarchy: rule - Issuing body: Cyberspace Administration of China and Economic and Technological Development Bureau of the Macao SAR - Adopted: 2024-09-10 - Effective: 2024-09-10 - Status: effective - URL: https://datacompliancechina.com/laws/gba-macao-cross-border-pi-standard-contract-guidelines/ - Markdown: https://datacompliancechina.com/laws/gba-macao-cross-border-pi-standard-contract-guidelines.md - Source URL: https://www.cac.gov.cn/2024-09/10/c_1727567893741986.htm ### Summary Jointly issued on 10 September 2024 by the CAC, the Economic and Technological Development Bureau of the Macao SAR, and the Personal Data Protection Bureau of the Macao SAR, these Implementation Guidelines establish a bilateral facilitation arrangement that allows eligible personal information handlers registered or located in the nine Guangdong cities of the Greater Bay Area or the Macao SAR to transfer personal information between those two jurisdictions by executing a prescribed Standard Contract and filing it with the applicable local authority within 10 working days, without needing to pass a CAC security assessment — even where data volumes exceed the national thresholds that would otherwise trigger that assessment. The arrangement operates under the Cooperation Memorandum on Promoting Cross-Border Data Flows in the Guangdong-Hong Kong-Macao Greater Bay Area signed between the CAC and the Economic and Finance Bureau of the Macao SAR. The Guidelines exclude personal information classified as important data and require handlers to complete a Personal Information Protection Impact Assessment (PIPIA) before each cross-border provision. For overseas counsel, the arrangement is significant because it creates a distinct GBA intra-Bay-Area pathway that sits alongside — and in some respects relaxes — the three national cross-border transfer routes under PIPL and the Provisions on Promoting and Regulating Cross-border Data Flows. ### Full text **Jointly issued by:** Cyberspace Administration of China; Economic and Technological Development Bureau of the Macao Special Administrative Region Government; Personal Data Protection Bureau of the Macao Special Administrative Region Government. **Document type:** Joint announcement (联合公告), Announcement No. 1 of 2024. **Issued and effective: 10 September 2024.** --- These Implementation Guidelines implement the Cooperation Memorandum on Promoting Cross-Border Data Flows in the Guangdong-Hong Kong-Macao Greater Bay Area concluded between the Cyberspace Administration of China and the Economic and Finance Bureau of the Macao Special Administrative Region Government (the Memorandum). They are accompanied by two annexes: Annex 1, the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Macao) (the Standard Contract), and Annex 2, a Commitment Letter template. --- ## Implementation Guidelines **Article 1.** In order to promote the safe and orderly cross-border flow of personal information within the Guangdong-Hong Kong-Macao Greater Bay Area (the Greater Bay Area), to advance high-quality development of the Greater Bay Area, and to implement the Cooperation Memorandum on Promoting Cross-Border Data Flows in the Guangdong-Hong Kong-Macao Greater Bay Area concluded between the Cyberspace Administration of the People's Republic of China and the Economic and Finance Bureau of the Macao Special Administrative Region Government (the Memorandum), the Cyberspace Administration of China, the Economic and Technological Development Bureau of the Macao Special Administrative Region Government, and the Personal Data Protection Bureau of the Macao Special Administrative Region Government jointly formulate these Implementation Guidelines. **Article 2.** The Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Macao) (the Standard Contract; see Annex 1) constitutes a facilitation measure under the Memorandum for promoting the cross-border flow of personal information within the Greater Bay Area. Personal information handlers and recipients within the Greater Bay Area may, in accordance with the requirements of these Implementation Guidelines, conduct cross-border flows of personal information between the Mainland and Macao within the Greater Bay Area by executing the Standard Contract. Personal information that has been classified as important data by the relevant authorities or regions, or that has been publicly announced as such, is excluded. Personal information handlers and recipients must be registered in (for organizations) or located in (for individuals) the Mainland portion of the Greater Bay Area — that is, Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, and Zhaoqing in Guangdong Province — or the Macao Special Administrative Region. **Article 3.** Cross-border provision of personal information conducted by executing the Standard Contract shall adhere to the principles of combining voluntary contracting with filing management, and combining the protection of personal information rights and interests with risk prevention, so as to safeguard the safe and free cross-border flow of personal information. **Article 4.** A personal information handler that provides personal information cross-border by executing the Standard Contract in accordance with these Implementation Guidelines shall fulfill the obligations and responsibilities set out in the Standard Contract, including satisfying the following conditions: (1) Before providing personal information cross-border, the personal information handler shall, in accordance with the laws and regulations of the jurisdiction in which it is located, give notice to the individual or obtain the individual's consent; and (2) The personal information shall not be provided to organizations or individuals outside the Greater Bay Area. **Article 5.** Before a personal information handler provides personal information cross-border by executing the Standard Contract in accordance with these Implementation Guidelines, it shall conduct a Personal Information Protection Impact Assessment (PIPIA), focusing on the following: (1) The lawfulness, legitimacy, and necessity of the purposes and methods by which the personal information handler and the recipient process personal information; (2) The impact on the rights and interests of the individuals concerned and the security risks involved; and (3) Whether the obligations the recipient has committed to assume, and its management and technical measures and capabilities for fulfilling those obligations, are sufficient to ensure the security of the personal information provided cross-border. **Article 6.** The Standard Contract shall be executed strictly in accordance with the annex to these Implementation Guidelines. Cross-border provision of personal information may only commence after the Standard Contract has taken effect. A personal information handler may agree with the recipient on additional terms, but such additional terms shall not conflict with the Standard Contract. **Article 7.** The personal information handler and the recipient shall, within 10 working days of the date on which the Standard Contract takes effect, file the Standard Contract with the Guangdong Provincial Cyberspace Administration or the Personal Data Protection Bureau of the Macao Special Administrative Region Government in accordance with their respective jurisdiction. The following materials shall be submitted: (1) A copy of the identity document of the legal representative; (2) The Commitment Letter (template: Annex 2); and (3) The Standard Contract. The personal information handler and the recipient shall be responsible for the authenticity of the materials filed. **Article 8.** Where the purpose, scope, type, or method of the cross-border provision of personal information changes, where the purpose or method by which the recipient processes the personal information changes, where the storage period is extended, or where any other circumstance occurs that affects or may affect the rights and interests of individuals in relation to their personal information, the personal information handler shall conduct a fresh PIPIA, supplement or re-execute the Standard Contract, and complete the corresponding filing procedures. **Article 9.** Any organization or individual that discovers that a personal information handler or recipient is conducting cross-border flows of personal information within the Greater Bay Area in accordance with these Implementation Guidelines but is failing to fulfill the obligations and responsibilities required by these Guidelines and the Standard Contract may lodge a complaint or report with the Cyberspace Administration of China, the Guangdong Provincial Cyberspace Administration, the Economic and Technological Development Bureau of the Macao Special Administrative Region Government, or the Personal Data Protection Bureau of the Macao Special Administrative Region Government. Upon receiving a complaint or report, the receiving authority, upon discovering that significant security risks exist in the cross-border activities or that a personal information security incident has occurred, may require the personal information handler or the recipient to rectify the situation; where it is necessary to refer the matter to another enforcement authority, it shall refer the matter to the relevant authority for handling in accordance with law. **Article 10.** Where a personal information security incident — such as a leak — occurs during the processing of personal information by a personal information handler or a recipient, immediate remedial measures shall be taken and the relevant authorities shall be notified in accordance with the jurisdiction of the relevant party: specifically, the Cyberspace Administration of China and the Guangdong Provincial Cyberspace Administration, or the Economic and Technological Development Bureau and the Personal Data Protection Bureau of the Macao Special Administrative Region Government. **Article 11.** The foregoing provisions shall not affect the authorities responsible for performing personal information protection duties on the Mainland, or the Personal Data Protection Bureau of the Macao SAR, from strengthening personal information protection and supervisory management within their respective remits in accordance with law, including handling complaints and reports relating to personal information protection and investigating and handling unlawful personal information processing activities. **Article 12.** Authorities and their personnel shall, in accordance with law, keep confidential the personal privacy, personal information, trade secrets, and confidential commercial information that come to their knowledge in the performance of their duties, and shall not disclose such information or provide it to third parties or use it illegally. **Article 13.** The Cyberspace Administration of China and the Economic and Technological Development Bureau of the Macao Special Administrative Region Government may, in light of actual circumstances and by mutual agreement, amend these Implementation Guidelines and their annexes. **Article 14.** These Implementation Guidelines shall take effect from the date of promulgation. --- ## Annexes (structural summary) > *Structural summary — not the operative contract text.* DCC summarizes the structure of the two annexes below for orientation. The authoritative, executable templates are those published by the issuing authorities; consult the official source linked in this page's metadata before drafting or filing. The Standard Contract substantially mirrors the national Standard Contract under the SCC Measures, adapted for the Mainland–Macao context. **Annex 1 — Standard Contract for the Cross-Border Flow of Personal Information within the GBA (Mainland, Macao).** A preamble records the parties' details. Its articles cover: **Art. 1** definitions (mapping Mainland and Macao terms — e.g. "personal information handler"/"data controller", "individual"/"data subject", and the respective supervisory authorities and applicable laws); **Art. 2** obligations of the personal information handler (notice and consent, minimum-scope provision, a PIPIA retained for at least three years, third-party-beneficiary notice, and burden of proof); **Art. 3** obligations of the recipient (process only within Appendix I, storage limitation and deletion, security and access-control measures, breach notification, no onward transfer outside the GBA, sub-processing controls, ≥3-year records, and cooperation with supervision); **Art. 4** rights of individuals as third-party beneficiaries; **Art. 5** remedies (a designated contact, complaints, and a choice of Mainland or Macao courts); **Art. 6** termination; **Art. 7** breach liability (including joint and several liability with a right of recourse); and **Art. 8** miscellaneous (governing law of the handler's jurisdiction, notices, and arbitration or litigation). **Appendix I** records the description of the cross-border provision (purpose, method, scale, data types by reference to GB/T 35273, onward recipients, transmission method, storage period, and storage location); **Appendix II** is for additional terms agreed by the parties. **Annex 2 — Commitment Letter (template).** A short undertaking that the filing materials are authentic, complete, and accurate; that the party will cooperate with the filing under the Standard Contract; and that the PIPIA was completed within the three months before filing with no material change since. ## Practical Guidance ### 1. Relationship to National Cross-Border Transfer Pathways The GBA (Mainland-Macao) SCC Guidelines establish a distinct intra-Bay-Area facilitation arrangement that operates alongside — but is separate from — the three national cross-border transfer routes under the Personal Information Protection Law (PIPL): the CAC Data Export Security Assessment (for critical information infrastructure operators and high-volume handlers), the Personal Information Protection Certification, and the national Standard Contract for the Outbound Transfer of Personal Information governed by the Measures on the Standard Contract for the Outbound Transfer of Personal Information (the SCC Measures, effective 1 June 2023). **Key threshold relief.** Under the national framework, non-critical information infrastructure operators must undergo a CAC security assessment if they propose to transfer the personal information of one million or more individuals (non-sensitive) or 10,000 or more individuals (sensitive) outside the PRC. The GBA Macao arrangement explicitly overrides this threshold for eligible parties: a non-critical information infrastructure operator registered in one of the nine Guangdong GBA cities may use the GBA Standard Contract to transfer personal information to Macao — even at volumes exceeding those national thresholds — without conducting a CAC security assessment. This is the same relief afforded under the parallel GBA (Mainland-Hong Kong) SCC Guidelines (December 2023). ### 2. Scope of Eligible Parties Both the personal information handler and the recipient must be registered in (for organizations) or located in (for individuals) the nine Guangdong GBA cities or the Macao SAR. Parties registered or located outside these jurisdictions — including those in Hong Kong, other Guangdong cities, or other provinces — cannot use this arrangement. The exclusion for important data applies regardless of data volume. ### 3. Filing Procedure Within 10 working days of the Standard Contract taking effect, both parties must file with the competent authority of their respective jurisdiction: - **Mainland-side parties** file with the Guangdong Provincial Cyberspace Administration (广东省互联网信息办公室); - **Macao-side parties** file with the Personal Data Protection Bureau of the Macao SAR Government (澳门特别行政区政府个人资料保护局). The filing package consists of: (i) a copy of the legal representative's identity document; (ii) the Commitment Letter (using the Annex 2 template); and (iii) the executed Standard Contract. The PIPIA report need not be submitted at filing but must be retained for at least three years. ### 4. Individual Rights Under the Standard Contract A distinctive feature of the Standard Contract is its third-party beneficiary clause (Article 4). Individuals whose personal information is transferred under the Contract are designated as third-party beneficiaries and may invoke specified provisions of the Contract directly against either or both parties. The Standard Contract specifies the means by which individuals may receive a copy of the Contract, raise complaints with supervisory authorities, or bring proceedings before a competent court in the Mainland or in Macao. ### 5. Governing Law and Dispute Resolution The Standard Contract is governed by the laws and regulations of the personal information handler's jurisdiction. Disputes between the parties may be resolved through arbitration (before any of the specified institutions) or litigation before a competent Mainland or Macao court. Individual third-party beneficiaries may bring proceedings in the Mainland or in Macao under applicable procedural and mutual recognition frameworks. ### 6. Comparison with GBA (Mainland-Hong Kong) SCC Guidelines The Macao Guidelines closely follow the structure of the Hong Kong Guidelines (issued 13 December 2023) but differ in the following respects: (i) the co-issuing authority is the Macao Economic and Technological Development Bureau and the Personal Data Protection Bureau of the Macao SAR Government (rather than the Innovation, Technology and Industry Bureau of the Hong Kong SAR); (ii) the filing authority on the Macao side is the Personal Data Protection Bureau of the Macao SAR (rather than the Office of the Government Chief Information Officer of Hong Kong); (iii) the applicable Macao personal data law governs Macao-side handlers and individuals; and (iv) the Macao Guidelines contain 14 articles (the Hong Kong Guidelines contain 15, with a separate article on supervision). The Standard Contract itself adapts the relevant defined terms and governing law references to reflect Macao's legal system. --- ## Interim Measures for the Administration of Medical Institutions as Designated Medical Insurance Institutions - Chinese title: 医疗机构医疗保障定点管理暂行办法 - Hierarchy: rule - Issuing body: National Healthcare Security Administration - Adopted: 2020-12-30 - Effective: 2021-02-01 - Status: effective - URL: https://datacompliancechina.com/laws/medical-insurance-designated-institutions-measures/ - Markdown: https://datacompliancechina.com/laws/medical-insurance-designated-institutions-measures.md ### Summary Issued as Order No. 2 of the National Healthcare Security Administration, these Interim Measures govern how medical institutions become and remain designated providers under China's basic medical insurance scheme. For data-compliance purposes, designation is conditioned on the institution's hospital information system meeting the technical and interface standards required to interface effectively with the medical-insurance information system and transmit all patient (treatment) data to it for direct online settlement (Articles 6 and 9). Designated institutions must report settlement statements and full settlement data—diagnoses, procedures, drug/consumable/service itemized costs, and physician/nurse identifiers—and bear responsibility for their authenticity (Article 21), while safeguarding the security of the medical-insurance-linked information system, complying with data-security rules, and protecting the privacy of insured persons (Article 24). The handling agency, in turn, publishes the medical-insurance information-system data sets and interface standards and is likewise bound by data-security and privacy obligations (Articles 34 and 35). ### Full text **Promulgated by:** National Healthcare Security Administration. **Order No. 2 of the National Healthcare Security Administration.** **The Interim Measures for the Administration of Medical Institutions as Designated Medical Insurance Institutions were deliberated and adopted at the 2nd Executive Meeting of the Administration on December 24, 2020, and are hereby promulgated, to take effect on February 1, 2021.** **Director: Hu Jinglin** **December 30, 2020** --- ## Chapter 1 General Provisions **Article 1.** These Measures are formulated in accordance with the Social Insurance Law of the People's Republic of China, the Basic Medical and Health Care and Health Promotion Law of the People's Republic of China, the Regulation on the Administration of Medical Institutions and other laws and regulations, in order to strengthen and standardize the administration of medical institutions as designated medical insurance institutions, improve the efficiency of the use of medical insurance funds, and better safeguard the rights and interests of the broad masses of insured persons. **Article 2.** The administration of medical institutions as designated medical insurance institutions shall adhere to a people's-health-centered approach, follow the principles of safeguarding the basics, fairness and impartiality, clear rights and responsibilities, and dynamic balance, strengthen the refined administration of medical insurance, promote the supply-side reform of medical institutions, and provide appropriate medical services to insured persons. **Article 3.** The administrative department of medical security shall be responsible for formulating policies for the administration of medical institutions as designated institutions, and shall supervise the medical security handling agencies (hereinafter referred to as "handling agencies") and designated medical institutions in the stages of designation application, professional evaluation, consultation and negotiation, conclusion of agreements, performance of agreements, and termination of agreements. The handling agency shall be responsible for determining designated medical institutions, signing medical security service agreements (hereinafter referred to as "medical insurance agreements") with designated medical institutions, providing handling services, and carrying out the administration and assessment of medical insurance agreements. Designated medical institutions shall comply with the laws, regulations, rules and relevant policies of medical security, and provide medical services to insured persons in accordance with provisions. ## Chapter 2 Determination of Designated Medical Institutions **Article 4.** The administrative department of medical security in the overall planning area shall determine the allocation of resources for designated medical services in its overall planning area based on public health needs, administrative service needs, the revenue and expenditure of medical insurance funds, regional health planning, the planning for the establishment of medical institutions, and the like. **Article 5.** The following medical institutions that have obtained a Medical Institution Practice License or a record-filing certificate for a traditional Chinese medicine clinic, as well as military medical institutions approved by the competent military department to have the qualification to serve the public, may apply for medical insurance designation: (I) general hospitals, traditional Chinese medicine hospitals, hospitals integrating traditional Chinese and Western medicine, ethnic medicine hospitals, specialized hospitals, and rehabilitation hospitals; (II) specialized disease prevention and treatment hospitals (institutes, stations) and maternal and child health hospitals; (III) community health service centers (stations), central health centers, township health centers, sub-district health centers, outpatient departments, clinics, health stations, and village health rooms (offices); (IV) independently established emergency centers; (V) hospice care centers, hemodialysis centers, and nursing homes; (VI) medical institutions established within elderly care institutions. Internet hospitals may apply to sign supplementary agreements relying on their physical medical institutions, and the relevant expenses incurred by the medical services they provide that fall within the scope of medical insurance payment shall be settled in accordance with provisions by the handling agency of the overall planning area with the physical medical institution on which they rely. **Article 6.** A medical institution applying for medical insurance designation shall simultaneously possess the following basic conditions: (I) having been in formal operation for at least 3 months; (II) having at least 1 physician who has obtained a Physician Practice Certificate, a Rural Doctor Practice Certificate, or a Traditional Chinese Medicine (Specialty) Physician Qualification Certificate and whose first place of registration is at the medical institution; (III) the principal person in charge being responsible for medical insurance work, and being equipped with full-time (or part-time) medical insurance management personnel; medical institutions with 100 or more beds shall set up an internal medical insurance management department and arrange full-time staff; (IV) having a medical insurance management system, financial system, statistical information management system, core medical quality and safety system and the like that meet the requirements of medical insurance agreement administration; (V) having hospital information system technology and interface standards that meet the requirements of medical insurance agreement administration, achieving effective interface with the medical insurance information system, transmitting all relevant information of patients to the medical insurance information system as required, and providing direct online settlement for insured persons; establishing basic databases for medical insurance drugs, diagnosis and treatment items, medical service facilities, medical consumables, disease categories and the like, and using the unified national medical insurance codes in accordance with provisions; (VI) meeting other conditions prescribed by laws and regulations and by the administrative departments of medical security at or above the provincial level. **Article 7.** A medical institution shall file an application for medical insurance designation with the handling agency of the overall planning area, providing at least the following materials: (I) the application form for a designated medical institution; (II) a copy of the Medical Institution Practice License, the record-filing certificate for a traditional Chinese medicine clinic, or the license for a military medical institution to serve the public; (III) the texts of internal management systems and financial systems corresponding to medical insurance policies; (IV) materials related to the medical institution information system relating to medical insurance; (V) a predictive analysis report on the use of medical insurance funds after being included as a designated institution; (VI) other materials required to be provided by the provincial administrative department of medical security in accordance with relevant provisions. **Article 8.** Where a medical institution files a designation application, the handling agency of the overall planning area shall accept it in real time. Where the content of the application materials is incomplete, the handling agency shall, within 5 working days from the date of receipt of the materials, inform the medical institution at one time of the supplements to be made. **Article 9.** The handling agency of the overall planning area shall organize an evaluation team or entrust a third-party institution to carry out the evaluation in written, on-site and other forms. The members of the evaluation team shall be composed of professionals in medical security, medicine and health, financial management, information technology and the like. The evaluation time shall not exceed 3 months from the date of accepting the application materials, and the time for the medical institution to supplement materials shall not be counted within the evaluation period. The evaluation content includes: (I) verifying the Medical Institution Practice License, the record-filing certificate for a traditional Chinese medicine clinic, or the license for a military medical institution to serve the public; (II) verifying the practice information of physicians, nurses, pharmacists and medical technicians and other professional and technical personnel, and the first-place-of-registration information of physicians; (III) verifying the basic facilities and instruments and equipment for diagnosis, treatment, surgery, hospitalization, drug storage and dispensing, examination and testing, radiology and the like that are commensurate with the service functions; (IV) verifying the internal management systems and financial systems corresponding to medical insurance policies, and the results of the medical institution review by the health department; (V) verifying whether the medical institution information system relating to medical insurance possesses the conditions for carrying out direct online settlement. The evaluation results shall be classified as qualified and unqualified. The handling agency of the overall planning area shall report the evaluation results to the administrative department of medical security at the same level for the record. For those that pass the evaluation, they shall be included in the list of medical institutions with which agreements are to be signed, and this shall be publicized to the public. For those that fail the evaluation, the reasons shall be informed and rectification suggestions put forward. The evaluation may be organized again 3 months after the date on which the result is served; where the evaluation is still unqualified, no application may be filed again within 1 year. The provincial administrative department of medical security may, on the basis of these Measures and in light of actual conditions, formulate specific evaluation rules. **Article 10.** The handling agency of the overall planning area shall conduct consultation and negotiation with medical institutions that pass the evaluation, and where agreement is reached, both parties shall voluntarily sign a medical insurance agreement. In principle, the handling agency of an overall planning area at or above the prefecture and city level shall sign the medical insurance agreement with the medical institution and file it with the administrative department of medical security at the same level for the record. The medical insurance agreement shall specify the rights, obligations and responsibilities of both parties. Both parties signing the medical insurance agreement shall strictly perform the stipulations of the agreement. The term of the agreement shall generally be 1 year. **Article 11.** The handling agency of the overall planning area shall make public to the public the information of designated medical institutions that have signed medical insurance agreements, including names, addresses and the like, for the selection of insured persons. **Article 12.** Where a medical institution is in any of the following circumstances, its designation application shall not be accepted: (I) its main scope of practice consists of non-basic medical services such as medical cosmetology, assisted reproduction, daily care, and dental implantation; (II) its basic medical services do not implement the medicine and medical-services price policies formulated by the administrative department of medical security; (III) it has not performed its administrative penalty responsibilities in accordance with the law; (IV) it has applied for designation by fraud or other improper means, and less than 3 years have elapsed since the date of discovery; (V) it has had its medical insurance agreement terminated due to violations of laws and regulations and less than 3 years have elapsed, or 3 years have elapsed but the administrative penalty legal liability has not been fully performed; (VI) it has had its agreement terminated due to a serious breach of the stipulations of the medical insurance agreement and less than 1 year has elapsed, or 1 year has elapsed but the liability for breach has not been fully performed; (VII) its legal representative, principal person in charge or actual controller previously caused the original designated medical institution to have its medical insurance agreement terminated due to serious violations of laws and regulations, and less than 5 years have elapsed; (VIII) its legal representative, principal person in charge or actual controller has been included in the list of persons who have lost credit; (IX) other circumstances prescribed by laws and regulations under which the application shall not be accepted. ## Chapter 3 Operational Administration of Designated Medical Institutions **Article 13.** A designated medical institution shall have the rights to obtain medical insurance settlement expenses after lawfully providing medical services to insured persons in accordance with provisions, to supervise the performance of the handling agency, and to put forward opinions and suggestions on improving medical insurance policies. **Article 14.** A designated medical institution shall strictly perform the medical insurance agreement, conduct reasonable diagnosis and treatment, charge reasonably, strictly implement the catalogues of medical insurance drugs, medical consumables, medical service items and the like, give priority to equipping and using drugs in the medical insurance catalogue, control the proportion of patients' self-paid expenses, and improve the efficiency of the use of medical insurance funds. A designated medical institution shall not provide medical insurance settlement for non-designated medical institutions. Expenses not paid by the handling agency, the quality assurance deposit deducted from the designated medical institution in accordance with the stipulations of the medical insurance agreement, and the liquidated damages paid by it, and the like, shall not be treated by the designated medical institution as medical insurance arrears. **Article 15.** A designated medical institution and its staff shall implement the provisions on real-name medical treatment and drug purchase administration, verify the valid identity certificates of insured persons, provide reasonable and necessary medical and pharmaceutical services in accordance with diagnosis and treatment norms, and truthfully issue expense bills and relevant materials to insured persons; they shall not split hospitalizations or maintain occupied beds, shall not, in violation of diagnosis and treatment norms, engage in excessive diagnosis and treatment, excessive examination, prescription splitting, over-prescription of drugs, or repeated prescription of drugs, shall not engage in repeated charging, over-standard charging, or itemized-splitting charging, shall not substitute drugs, medical consumables, diagnosis and treatment items, or service facilities, and shall not induce or assist others in seeking medical treatment or purchasing drugs under a false identity or fraudulently. A designated medical institution shall ensure that the expenses paid by the medical insurance funds comply with the prescribed scope of payment; except in special circumstances such as emergency treatment and rescue, where it provides medical and pharmaceutical services outside the scope of payment of the medical insurance funds, the consent of the insured person or his or her close relatives or guardian shall be obtained. **Article 16.** A designated medical institution shall formulate corresponding internal management measures and strictly grasp the indications for admission and discharge. It shall implement the medical-insurance total-budget indicators in accordance with the agreement, and implement payment methods such as payment by item, by disease category, by diagnosis-related groups, by bed-day, and by capitation. It shall not refuse to admit patients on the grounds of medical insurance payment policies. **Article 17.** A designated medical institution shall implement the centralized procurement policy in accordance with relevant provisions, and give priority to using drugs and consumables selected through centralized procurement. Drugs and consumables paid for by medical insurance shall be procured on the platform prescribed by the administrative department of medical security in accordance with provisions, and the "incoming, sales and inventory" status and the like shall be truthfully recorded. **Article 18.** A designated medical institution shall strictly implement the medicine and medical-services price policies formulated by the administrative department of medical security. **Article 19.** A designated medical institution shall participate in publicity and training organized by the administrative department of medical security or the handling agency. A designated medical institution shall organize and carry out training on systems and policies related to medical insurance funds, regularly inspect the use of medical insurance funds by its own entity, and promptly correct irregular conduct in the use of medical insurance funds. **Article 20.** A designated medical institution shall hang a designated-medical-institution sign of a uniform style in a conspicuous location. **Article 21.** A designated medical institution shall promptly report to the handling agency of the overall planning area, as required, information such as medical insurance fund settlement statements, including disease diagnoses and surgical operations, itemized settlement details of the expenses of drugs, medical consumables, and medical service items, and information on physicians, nurses and the like, and shall be responsible for the authenticity thereof. A designated medical institution shall truthfully report to the handling agency of the overall planning area, as required, the procurement prices and quantities of drugs and consumables. A designated medical institution shall report to the medical security department the information required for the supervision and administration of the use of medical insurance funds and for agreement administration, and shall make public to the public information such as medical and pharmaceutical expenses and expense structures. **Article 22.** A designated medical institution shall cooperate with the handling agency in carrying out the review, audit inspection, and performance assessment of medical insurance expenses and the like, accept the supervision and inspection of the administrative department of medical security, and provide relevant materials in accordance with provisions. **Article 23.** A designated medical institution shall optimize the medical insurance settlement process, provide convenient medical services for insured persons, conduct direct settlement of medical insurance expenses in accordance with provisions, and provide expense settlement bills and relevant materials. It shall provide referral and transfer services for insured persons who meet the prescribed conditions. Insured persons may, in accordance with relevant provisions, purchase drugs at designated medical institutions or, on the strength of a prescription, purchase drugs at designated retail pharmacies. **Article 24.** A designated medical institution shall do a good job in the security safeguard work of the information system relating to medical insurance, comply with the relevant systems for data security, and protect the privacy of insured persons. When a designated medical institution reinstalls its information system, it shall maintain the effective interface of the information system technical interface standards with the medical insurance information system, and promptly, comprehensively and accurately transmit to the medical insurance information system the relevant data required for medical insurance settlement and audit in accordance with provisions. ## Chapter 4 Handling Administration and Services **Article 25.** The handling agency shall have the right to grasp the operational administration status of designated medical institutions, and to obtain from designated medical institutions the information, data and other materials required for the audit and review of medical insurance expenses, performance assessment, financial bookkeeping and the like. Designated medical institutions shall be subject to territorial administration, and the handling agency shall bear the administrative service responsibilities for the medical services provided by the designated medical institutions within its territory to local and non-local insured persons. **Article 26.** The handling agency shall improve the administrative processes for designation application, organizing evaluation and signing of agreements, performance of agreements, and alteration and termination of agreements, formulate handling procedures, and provide high-quality and efficient handling services for designated medical institutions and insured persons. **Article 27.** The handling agency shall do a good job in the publicity and training of designated medical institutions on medical insurance policies, management systems, payment policies, and operating procedures, and provide medical security consultation and inquiry services. **Article 28.** The handling agency shall implement medical insurance payment policies and strengthen the administration of medical insurance funds. **Article 29.** The handling agency shall establish a sound internal control system, and clarify the post responsibilities and risk prevention and control mechanisms for the review, settlement, disbursement, and audit of expenses declared by designated medical institutions. It shall improve the collective decision-making system for major medical insurance expense expenditures. **Article 30.** The handling agency shall strengthen the administration of medical insurance fund expenditures, and promptly review medical expenses by means of intelligent review, real-time monitoring, on-site inspection and the like. It shall conduct regular and irregular audits and reviews of designated medical institutions. It shall promptly and fully disburse medical insurance expenses to designated medical institutions in accordance with the stipulations of the agreement, and in principle shall disburse the medical insurance expenses that comply with provisions within 30 working days after the designated medical institution declares them. **Article 31.** Where conditions permit, the handling agency of the overall planning area may, in accordance with State provisions, prepay a portion of medical insurance funds to designated medical institutions to relieve their capital operation pressure. In emergency situations such as a sudden epidemic, special funds may be prepaid in accordance with State provisions. **Article 32.** Where a designated medical institution declares expenses in violation of provisions, and this is verified upon examination, the handling agency shall not make payment. **Article 33.** The handling agency shall pay, in accordance with laws and regulations, the medical expenses incurred by insured persons at designated medical institutions, and provide medical insurance policy consultation for insured persons. Except for emergency treatment and rescue, the medical insurance funds shall not pay for the expenses incurred by insured persons seeking medical treatment at non-designated medical institutions. **Article 34.** The handling agency shall make public to the public the data sets and interface standards of the medical insurance information system. Designated medical institutions shall independently select the operation and maintenance suppliers of the relevant information systems that interface with medical insurance. The handling agency shall not charge any fees in any name or designate suppliers. **Article 35.** The handling agency shall comply with the relevant systems for data security, protect the privacy of insured persons, and ensure the security of medical insurance funds. **Article 36.** The handling agency, or a qualified third-party institution it entrusts, shall conduct performance assessment of designated medical institutions and establish a dynamic administration mechanism. The assessment results shall be linked to the year-end settlement, the refund of the quality assurance deposit, the renewal of agreements and the like. The performance assessment measures shall be formulated by the national medical security department, the provincial medical security department may formulate specific assessment rules, and the handling agency shall be responsible for organizing implementation. **Article 37.** For medical expenses of a designated medical institution that do not exceed the total-amount control indicators within the settlement period, the handling agency shall disburse them in full and on time in accordance with the agreement. It shall give appropriate compensation for the reasonable overruns of a designated medical institution caused by a substantial increase in the number of insured persons seeking medical treatment and the like. **Article 38.** Where the handling agency discovers that a designated medical institution is in a circumstance of violating the stipulations of the agreement, it may, in accordance with the stipulations of the agreement, correspondingly adopt the following handling methods: (I) conducting an interview with the legal representative, principal person in charge or actual controller of the medical institution; (II) suspending or withholding the disbursement of expenses; (III) refusing to pay or recovering the medical insurance expenses already paid; (IV) requiring the designated medical institution to pay liquidated damages in accordance with the stipulations of the agreement; (V) suspending the medical services involving the use of medical insurance funds of the relevant responsible personnel or the department to which they belong; (VI) suspending or terminating the medical insurance agreement. **Article 39.** Where the handling agency violates the medical insurance agreement, the designated medical institution shall have the right to request correction, or to request the administrative department of medical security to coordinate handling and urge rectification, and may also apply for administrative reconsideration or institute administrative litigation in accordance with the law. Where the administrative department of medical security discovers that the handling agency is in a circumstance of violating the medical insurance agreement, it may, depending on the circumstances, correspondingly adopt the following handling methods: conducting an interview with the principal person in charge, ordering rectification within a time limit, circulating a notice of criticism, and giving sanctions to the relevant responsible personnel in accordance with laws and regulations. Where the administrative department of medical security discovers that the handling agency violates relevant laws, regulations and rules, it shall handle the matter in accordance with laws and regulations. ## Chapter 5 Dynamic Administration of Designated Medical Institutions **Article 40.** Where major information of a designated medical institution, such as its name, legal representative, principal person in charge or actual controller, registered address, bank account, diagnosis and treatment subjects, institutional scale, institutional nature, grade and category, changes, the institution shall, within 30 working days from the date of approval by the relevant department, file an application for alteration with the handling agency of the overall planning area. Other general information changes shall be promptly notified in writing. **Article 41.** A renewal shall be applied for by the designated medical institution to the handling agency 3 months before the expiry of the medical insurance agreement, or shall be uniformly organized by the handling agency. The handling agency of the overall planning area shall conduct consultation and negotiation with the designated medical institution on the renewal of the medical insurance agreement, and both parties shall decide whether to renew based on the performance of the medical insurance agreement and the performance assessment status and the like. Where consensus is reached, the medical insurance agreement may be renewed; where no consensus is reached, the medical insurance agreement shall automatically terminate upon expiry. For designated medical institutions with good performance assessment results, a combination of a fixed medical insurance agreement and an annual medical insurance agreement may be adopted, with the fixed medical insurance agreement remaining relatively unchanged and the annual medical insurance agreement being adjusted each year according to specific circumstances, so as to simplify the signing formalities. **Article 42.** Suspension of a medical insurance agreement means that the handling agency and the designated medical institution suspend the performance of the stipulations of the medical insurance agreement, and the medical insurance expenses incurred during the suspension period shall not be settled. Where, upon the end of the suspension period, the validity period of the medical insurance agreement has not been exceeded, the medical insurance agreement may continue to be performed; where the validity period of the medical insurance agreement has been exceeded, the medical insurance agreement shall terminate. A designated medical institution may file an application for suspension of the medical insurance agreement, and upon the consent of the handling agency, the medical insurance agreement may be suspended, but the suspension period shall in principle not exceed 180 days; where a designated medical institution still fails to file an application to continue performing the medical insurance agreement after the suspension of the medical insurance agreement exceeds 180 days, the medical insurance agreement shall in principle automatically terminate. Where a designated medical institution is in any of the following circumstances, the handling agency shall suspend the medical insurance agreement: (I) where, according to routine inspection and performance assessment, it is found that major risks may be posed to the security of medical insurance funds and the rights and interests of insured persons; (II) where it fails to provide relevant data to the handling agency and the administrative department of medical security as required, or the data provided is untruthful; (III) where the medical insurance agreement shall be suspended in accordance with the stipulations of the medical insurance agreement; (IV) other circumstances under which suspension shall be made as prescribed by laws, regulations and rules. **Article 43.** Termination of a medical insurance agreement means that the medical insurance agreement between the handling agency and the designated medical institution is terminated, the agreement relationship no longer exists, and the medical and pharmaceutical expenses incurred after the termination of the agreement shall no longer be settled by the medical insurance funds. Where a designated medical institution is in any of the following circumstances, the handling agency shall terminate the medical insurance agreement and make public to the public the list of medical institutions whose medical insurance agreements have been terminated: (I) where, within the validity period of the medical insurance agreement, its medical insurance agreement has been suspended 2 times or more cumulatively, or it has failed to rectify as required or rectification has not been carried out to the required standard during the period of suspension of the medical insurance agreement; (II) where it has applied for and obtained designation by fraud or other improper means; (III) where it has been verified by the medical security department and other relevant departments to have engaged in fraudulent acts to defraud medical insurance; (IV) where it has provided medical insurance expense settlement for a non-designated medical institution or a medical institution during the period of suspension of its medical insurance agreement; (V) where it refuses, obstructs or fails to cooperate with the medical security department in carrying out intelligent review, performance assessment, supervision and inspection and the like, and the circumstances are egregious; (VI) where it is found that major information has changed but the alteration of major information has not been handled; (VII) where the designated medical institution has ceased business or suspended operations and failed to report to the handling agency in accordance with provisions; (VIII) where the administrative department of medical security or other relevant departments, in the course of administrative law enforcement, discover that the designated medical institution has committed a major violation of laws and regulations that may cause a major loss to the medical insurance funds; (IX) where its Medical Institution Practice License or record-filing certificate for a traditional Chinese medicine clinic has been revoked or canceled; (X) where its legal representative, principal person in charge or actual controller is unable to perform the stipulations of the medical insurance agreement, or has committed acts of violating the law or losing credit; (XI) where it has not performed in accordance with the law the administrative penalty decision made by the administrative department of medical security; (XII) where the designated medical institution proactively files for termination of the medical insurance agreement and the handling agency consents; (XIII) where the medical insurance agreement shall be terminated in accordance with the stipulations of the medical insurance agreement; (XIV) other circumstances under which termination shall be made as prescribed by laws, regulations and rules. **Article 44.** Where a designated medical institution requests to suspend or terminate the medical insurance agreement or to no longer renew the medical insurance agreement, it shall file an application with the handling agency 3 months in advance. Public medical institutions shall not proactively file for suspension or termination of the medical insurance agreement. Where the handling agency of an overall planning area at or above the prefecture and city level in the place where the medical institution is located suspends or terminates the medical insurance agreement with a designated medical institution, the medical insurance agreements of that medical institution in other overall planning areas shall also be suspended or terminated at the same time. **Article 45.** Where some personnel or departments of a designated medical institution violate the requirements of agreement administration, medical insurance settlement for such personnel or departments may be suspended or terminated. **Article 46.** Where a dispute arises between a medical institution and the handling agency of the overall planning area over the signing, performance, alteration and termination of the medical insurance agreement, it may be resolved through self-negotiation, or the administrative department of medical security at the same level may be requested to coordinate handling, and administrative reconsideration or administrative litigation may also be instituted in accordance with the law. ## Chapter 6 Supervision of Designated Medical Institutions **Article 47.** The administrative department of medical security shall supervise the designation application, application acceptance, professional evaluation, conclusion of agreements, and performance and termination of agreements, and shall guide and supervise the construction of the internal control system of the handling agency and the review and disbursement of medical insurance expenses, and the like. The administrative department of medical security shall, in accordance with laws and regulations, supervise, by means of on-site inspection, spot checks, intelligent monitoring, big-data analysis and the like, the performance of agreements by designated medical institutions, the use of medical insurance funds, medical service conduct, the purchase of third-party services involving the use of medical insurance funds, and the like. **Article 48.** The administrative department of medical security and the handling agency shall broaden supervision channels and innovate supervision methods, and shall conduct social supervision of designated medical institutions by means of satisfaction surveys, third-party evaluations, the engagement of social supervisors and the like, keep the channels for reporting and complaints unobstructed, and promptly discover and handle problems. **Article 49.** Where the handling agency discovers a breach of agreement, it shall promptly handle it in accordance with the agreement. Where the handling agency makes a handling decision such as suspending the medical and pharmaceutical services involving the use of medical insurance funds of the relevant responsible personnel or the department to which they belong, or suspending or terminating the medical insurance agreement, it shall promptly report to the administrative department of medical security at the same level. Where the administrative department of medical security discovers that a designated medical institution is in a circumstance of breach of agreement, it shall promptly order the handling agency to handle it in accordance with the medical insurance agreement, and the handling agency shall promptly handle it in accordance with the medical insurance agreement. Where the administrative department of medical security, in investigating and dealing with violations of laws and regulations in accordance with the law, considers that the facts of the relevant illegal clues transferred by the handling agency are unclear, it may organize a supplementary investigation or require the handling agency to supplement materials. ## Chapter 7 Supplementary Provisions **Article 50.** The administration of medical security designation for basic medical insurance for employees, basic medical insurance for urban and rural residents, maternity insurance, medical assistance, serious illness insurance for residents and the like shall be carried out in accordance with these Measures. **Article 51.** The handling agency referred to in these Measures is a functional institution that has statutory authorization to implement medical security administrative services, and is the principal body of medical security handling. A designated medical institution refers to a medical institution that voluntarily signs a medical insurance agreement with the handling agency of an overall planning area to provide medical services to insured persons. A medical insurance agreement refers to an agreement signed by the handling agency and a medical institution through consultation and negotiation, used to standardize medical service conduct and clarify the rights, obligations and responsibilities of both parties and other content. **Article 52.** The administrative department of medical security of the State Council shall produce and periodically revise model medical insurance agreements, and the national medical security handling agency shall formulate handling procedures and guide localities in strengthening and improving the administration of medical insurance agreements. On this basis, the administrative departments of medical security and handling agencies at or above the prefecture and city level may, in light of actual conditions, respectively refine and formulate model medical insurance agreements and handling procedures for their own regions. The content of the medical insurance agreement shall be consistent with adjustments and changes in laws, regulations, rules and medical security policies; where the administrative department of medical security adjusts the content of the medical insurance agreement, it shall solicit the opinions of the relevant designated medical institutions. **Article 53.** These Measures shall be interpreted by the administrative department of medical security of the State Council, and shall come into force on February 1, 2021. --- ## Implementation Guidelines for the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) - Chinese title: 粤港澳大湾区(内地、香港)个人信息跨境流动标准合同实施指引 - Abbreviation: GBA (Mainland-Hong Kong) SCC Guidelines - Hierarchy: rule - Issuing body: Cyberspace Administration of China and Innovation, Technology and Industry Bureau of the Hong Kong SAR - Adopted: 2023-12-10 - Effective: 2023-12-10 - Status: effective - URL: https://datacompliancechina.com/laws/gba-hongkong-cross-border-pi-standard-contract-guidelines/ - Markdown: https://datacompliancechina.com/laws/gba-hongkong-cross-border-pi-standard-contract-guidelines.md - Source URL: https://www.cac.gov.cn/2023-12/13/c_1704042786237103.htm ### Summary The 2023 GBA Mainland-Hong Kong facilitation arrangement jointly issued by the CAC and Hong Kong's Innovation, Technology and Industry Bureau on 10 December 2023, implementing the bilateral Memorandum of Cooperation on Promoting Cross-Border Data Flows in the Greater Bay Area. It establishes a simplified standard-contract pathway enabling personal information handlers and recipients registered or located in the nine mainland GBA cities (Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, Zhaoqing) or in Hong Kong SAR to transfer personal information cross-border without triggering the full national-level security assessment regime, subject to a mandatory Personal Information Protection Impact Assessment and filing with the Guangdong CAC or the Hong Kong Office of the Government Chief Information Officer within ten working days of contract entry into force. Personal information that has been notified or publicly released as important data is excluded. This arrangement was the model for the subsequent September 2024 GBA Mainland-Macao version and matters to overseas counsel because it creates a distinct, lighter-touch bilateral track for intra-GBA flows that operates alongside — and does not replace — PIPL's three national-level pathways. ### Full text **Promulgated by:** Cyberspace Administration of China (CAC) and Innovation, Technology and Industry Bureau of the Hong Kong Special Administrative Region Government. **Document No.:** Announcement No. 3 of 2023 of the Cyberspace Administration of China and the Innovation, Technology and Industry Bureau of the Hong Kong SAR Government. **Signed by:** Wang Jingtao (Cyberspace Administration of China) and Sun Dong (Innovation, Technology and Industry Bureau of the Hong Kong SAR Government). **Issued and effective: December 10, 2023.** --- ## Implementation Guidelines **Article 1.** In order to promote the safe and orderly cross-border flow of personal information within the Guangdong-Hong Kong-Macao Greater Bay Area ("Greater Bay Area"), advance high-quality development of the Greater Bay Area, and implement the *Memorandum of Cooperation between the Cyberspace Administration of the People's Republic of China and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region on Promoting Cross-Border Data Flows in the Guangdong-Hong Kong-Macao Greater Bay Area* (hereinafter "the Memorandum"), the Cyberspace Administration of China and the Innovation, Technology and Industry Bureau of the Hong Kong Special Administrative Region Government have jointly formulated these Implementation Guidelines. **Article 2.** The *Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)* (hereinafter "the Standard Contract"; see Annex 1) constitutes a facilitation measure under the Memorandum for promoting cross-border flows of personal information within the Greater Bay Area. Personal information handlers and recipients within the Greater Bay Area may, in accordance with these Implementation Guidelines, carry out cross-border flows of personal information between the mainland and Hong Kong within the Greater Bay Area by entering into the Standard Contract. Personal information that has been notified or publicly released as important data by the relevant authorities or regions is excluded. Personal information handlers and recipients shall be registered in (for organisations) or located in (for individuals) the mainland portion of the Greater Bay Area — that is, the cities of Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, and Zhaoqing in Guangdong Province — or in the Hong Kong Special Administrative Region. **Article 3.** Cross-border provision of personal information effected by entering into the Standard Contract shall adhere to the principles of combining voluntary contracting with filing management, and of combining the protection of personal information rights and interests with risk prevention, so as to safeguard the safe and free cross-border flow of personal information. **Article 4.** Cross-border provision of personal information by entering into the Standard Contract in accordance with these Implementation Guidelines shall be subject to performance of the obligations and responsibilities set out in the Standard Contract, including satisfaction of the following conditions: (1) Before providing personal information cross-border, the personal information handler shall notify the individual or obtain the individual's consent in accordance with the laws and regulations of the jurisdiction where the personal information handler is located. (2) The personal information shall not be provided to organisations or individuals outside the Greater Bay Area. **Article 5.** Before providing personal information cross-border by entering into the Standard Contract in accordance with these Implementation Guidelines, the personal information handler shall conduct a Personal Information Protection Impact Assessment (PIPIA), with emphasis on assessing the following: (1) The lawfulness, legitimacy, and necessity of the purposes and methods by which the personal information handler and the recipient process personal information; (2) The impact on the rights and interests of individuals and the security risks involved; and (3) Whether the obligations undertaken by the recipient and the management and technical measures and capabilities for fulfilling those obligations can ensure the security of the personal information provided cross-border. **Article 6.** The Standard Contract shall be entered into strictly in accordance with the annexes to these Implementation Guidelines; cross-border provision of personal information may only commence after the contract has come into effect. The personal information handler may agree on additional clauses with the recipient, provided that such clauses do not conflict with the Standard Contract. **Article 7.** Where the purpose, scope, categories, or method of cross-border provision of personal information changes, or where the purposes or methods of the recipient's processing of the personal information change, the retention period is extended, or other circumstances arise that affect or may affect the rights and interests of individuals, the personal information handler shall conduct a fresh Personal Information Protection Impact Assessment, supplement or re-enter into the Standard Contract, and fulfil the corresponding filing procedures. **Article 8.** Personal information handlers and recipients shall, within ten working days from the date on which the Standard Contract comes into effect, file the Standard Contract with the Guangdong Provincial Cyberspace Administration or the Office of the Government Chief Information Officer of the Government of the Hong Kong Special Administrative Region in accordance with their respective jurisdictions, submitting the following materials: (1) A photocopy of the identity document of the legal representative; (2) A commitment letter (template at Annex 2); and (3) The Standard Contract. Personal information handlers and recipients shall be responsible for the authenticity of the materials filed. **Article 9.** Personal information handlers and recipients shall be subject to the supervision and administration of the regulatory authorities of their respective jurisdictions, including but not limited to: (1) Pursuant to Items 7 and 10 of Article 2 of the Standard Contract, the personal information handler shall respond to enquiries from the regulatory authority and bear the burden of proof for performance of the contractual obligations and responsibilities; (2) Pursuant to Item 12 of Article 3 of the Standard Contract, the recipient shall accept the supervision and administration of the regulatory authority, including compliance with decisions issued by the regulatory authority and provision of proof that necessary action has been taken; and (3) Pursuant to Item 2 of Article 6 of the Standard Contract, the personal information handler shall notify the regulatory authority upon terminating the Standard Contract. **Article 10.** Any organisation or individual that discovers that a personal information handler or recipient is carrying out cross-border flows of personal information within the Greater Bay Area in accordance with these Implementation Guidelines but is not performing the obligations and responsibilities required by these Implementation Guidelines and the Standard Contract may lodge a complaint or report with the Cyberspace Administration of China, the Guangdong Provincial Cyberspace Administration, the Innovation, Technology and Industry Bureau of the Hong Kong SAR Government, the Office of the Government Chief Information Officer, or the Office of the Privacy Commissioner for Personal Data of Hong Kong. Where the department receiving the complaint or report finds that the cross-border personal information activity poses a significant security risk or that a personal information security incident has occurred, it may require the personal information handler or recipient to rectify the situation; where the matter needs to be handled by another enforcement department, it shall be referred to the relevant department for handling in accordance with law. **Article 11.** Where a personal information handler or recipient experiences a personal information security incident such as a leakage of personal information in the course of processing personal information, it shall immediately take remedial measures and, in accordance with its jurisdiction, notify the Cyberspace Administration of China and the Guangdong Provincial Cyberspace Administration, or the Innovation, Technology and Industry Bureau of the Hong Kong SAR Government, the Office of the Government Chief Information Officer, and the Office of the Privacy Commissioner for Personal Data of Hong Kong. **Article 12.** The foregoing provisions shall not affect the right of mainland departments performing duties of personal information protection and the Office of the Privacy Commissioner for Personal Data of Hong Kong to strengthen personal information protection and supervision and administration within the scope of their respective duties in accordance with law, including handling complaints and reports relating to personal information protection, and investigating and handling unlawful personal information processing activities. **Article 13.** Relevant departments and their staff shall keep confidential, in accordance with law, personal privacy, personal information, trade secrets, and confidential commercial information of which they become aware in the performance of their duties, and shall not disclose such information or illegally provide it to others or use it illegally. **Article 14.** The Cyberspace Administration of China and the Innovation, Technology and Industry Bureau of the Hong Kong Special Administrative Region Government may, based on actual circumstances and by mutual agreement, amend these Implementation Guidelines and their annexes. **Article 15.** These Implementation Guidelines shall take effect from the date of issuance. --- ## Annex 1: Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) *Formulated by: Cyberspace Administration of China, Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region, and the Office of the Privacy Commissioner for Personal Data of Hong Kong.* *Preamble: In order to promote the safe and orderly cross-border flow of personal information within the Greater Bay Area and to clarify the rights, obligations, and responsibilities of personal information handlers and recipients in protecting personal information, the parties, having reached agreement through negotiation, enter into this Contract.* ### Article 1 Definitions In this Contract, unless the context otherwise requires: **(1)** "Personal information handler" means, in respect of the mainland, an organisation or individual that independently determines the purposes and methods of processing in personal information processing activities; in respect of the Hong Kong SAR, the term also encompasses "data users" — that is, persons who, in respect of personal data, control the collection, holding, processing, or use of that data, alone or jointly or in common with other persons. The personal information handler under this Contract is the cross-border provider of personal information. **(2)** "Recipient" means an organisation or individual that receives personal information cross-border from the personal information handler. **(3)** "Party" means either the personal information handler or the recipient individually; "parties" means both of them collectively. **(4)** Personal information processed by a mainland personal information handler is determined in accordance with the *Personal Information Protection Law of the People's Republic of China*; personal information processed by a personal information handler in the Hong Kong SAR is determined in accordance with "personal data" under the *Personal Data (Privacy) Ordinance* of the Hong Kong SAR. **(5)** "Individual" means, in respect of the mainland, the natural person identified or associated with the personal information; in respect of the Hong Kong SAR, the term also encompasses "data subject" — that is, the individual who is the subject of the personal data. **(6)** "Regulatory authority" means, in respect of the mainland, the Cyberspace Administration of China and the Guangdong Provincial Cyberspace Administration; in respect of the Hong Kong SAR, the Innovation, Technology and Industry Bureau of the Hong Kong SAR Government, the Office of the Government Chief Information Officer, and the Office of the Privacy Commissioner for Personal Data of Hong Kong. **(7)** "Applicable laws and regulations" means, in respect of the mainland, the *Cybersecurity Law of the People's Republic of China*, the *Data Security Law of the People's Republic of China*, the *Personal Information Protection Law of the People's Republic of China*, and other applicable laws and regulations; in respect of the Hong Kong SAR, the *Personal Data (Privacy) Ordinance* and other applicable laws and regulations. ### Article 2 Obligations and Responsibilities of the Personal Information Handler The personal information handler shall perform the following obligations and responsibilities: **(1)** Process personal information in accordance with applicable local laws and regulations and the requirements of this Contract, and limit the personal information provided to the recipient to the minimum scope necessary to achieve the processing purposes. **(2)** Notify individuals of the recipient's name or given name and contact details, the processing purposes, processing methods, categories of personal information, retention period, circumstances of provision of personal information to third parties within the same jurisdiction, and the means and procedures for exercising individual rights, as set out in Appendix 1 "Statement on Cross-Border Provision of Personal Information". Where applicable local laws and regulations do not require such notification, those regulations shall prevail. **(3)** Before providing personal information cross-border to the recipient, obtain the individual's consent in accordance with applicable local laws and regulations. **(4)** Notify individuals that this Contract establishes them as third-party beneficiaries; if an individual has not expressly refused within 30 days, the individual may enjoy the rights of a third-party beneficiary under this Contract. **(5)** Make reasonable efforts to ensure that the recipient adopts the following technical and management measures — taking into account the purposes of personal information processing, the categories, scale, scope, volume, and frequency of transmission of personal information, and the retention period of the personal information handler and the recipient, and the security risks thereby posed — in performing the obligations and responsibilities agreed under this Contract. *(e.g. technical and management measures such as encryption, anonymization, de-identification, access control, etc.)* **(6)** Provide the recipient, upon the recipient's request, with copies of the applicable local laws and regulations and technical standards. **(7)** Respond to enquiries from the local regulatory authority regarding the recipient's personal information processing activities. **(8)** Conduct a Personal Information Protection Impact Assessment in respect of the proposed cross-border provision of personal information to the recipient, with emphasis on assessing the following: > 1. The lawfulness, legitimacy, and necessity of the purposes and methods by which the personal information handler and the recipient process personal information; > 2. The impact on individual rights and interests and the security risks involved; and > 3. Whether the obligations undertaken by the recipient and the management and technical measures and capabilities for fulfilling those obligations can ensure the security of the personal information provided cross-border. The personal information protection impact assessment report shall be retained for at least three years. **(9)** Provide a copy of this Contract to individuals upon request. Where trade secrets or confidential commercial information are involved, the relevant content of the copy may be appropriately handled without prejudicing the individual's understanding of the Contract. **(10)** Bear the burden of proof for performance of the obligations and responsibilities under this Contract. **(11)** In accordance with applicable local laws and regulations and the requirements of this Contract, provide the local regulatory authority with the information referred to in Item 10 of Article 3, including all compliance audit results. ### Article 3 Obligations and Responsibilities of the Recipient The recipient shall perform the following obligations and responsibilities: **(1)** Process personal information in accordance with the agreement set out in Appendix 1 "Statement on Cross-Border Provision of Personal Information". If the agreed processing purposes, processing methods, or categories of personal information processed are to be exceeded, the personal information handler shall be notified in advance, the Standard Contract shall be supplemented or re-entered into, and the corresponding filing procedures shall be fulfilled. Where applicable local laws and regulations of the personal information handler do not require such notification, those regulations shall prevail. **(2)** Provide a copy of this Contract to individuals upon request. Where trade secrets or confidential commercial information are involved, the relevant content of the copy may be appropriately handled without prejudicing the individual's understanding of the Contract. **(3)** Process personal information in the manner that has the least impact on individual rights and interests. **(4)** Retain personal information for the shortest period necessary to achieve the processing purposes; upon expiry of the retention period, delete the personal information (including all backups). Where the entrustment contract for processing personal information on behalf of the personal information handler has not come into effect, is invalid, has been revoked, or has been terminated, or at the personal information handler's request, the personal information shall be deleted and a written statement provided to the personal information handler. Where deletion of personal information is technically infeasible, processing shall cease other than storage and the adoption of necessary security protection measures. **(5)** Ensure the security of personal information processing in the following manner: > 1. Adopt technical and management measures including but not limited to those in Item 5 of Article 2 of this Contract, and conduct regular inspections to ensure the security of personal information; and > 2. Ensure that personnel authorised to process personal information perform confidentiality obligations and responsibilities, and establish minimum-authorisation access control permissions. **(6)** Where tampering, damage, leakage, loss, unlawful use, unauthorised provision, or unauthorised access to or inspection of the personal information being processed has occurred or may occur, the following steps shall be taken: > 1. Promptly take appropriate remedial measures to mitigate adverse impacts on individuals; > 2. Immediately notify the personal information handler and report to the local regulatory authority. The notification shall contain the following items: (i) the categories, causes, and potential harm of the personal information that has been or may have been tampered with, damaged, leaked, lost, unlawfully used, or accessed or inspected without authorisation; (ii) remedial measures already taken; (iii) measures that individuals may take to reduce harm; and (iv) the contact details of the person or team responsible for handling the matter; > 3. Where applicable laws and regulations require notification to individuals, the notification shall include the matters in Item 2 above; and > 4. Record and retain all circumstances relating to the actual or potential tampering, damage, leakage, loss, unlawful use, or unauthorised provision, access, or inspection, including all remedial measures taken. **(7)** Not provide personal information received under this Contract to organisations or individuals outside the Greater Bay Area. **(8)** Provide personal information to a third party within the same jurisdiction — the mainland or the Hong Kong SAR — only where all of the following conditions are satisfied: > 1. There is a genuine business need; > 2. The individual has been informed of the third party's name or given name, contact details, processing purposes, processing methods, categories of personal information, retention period, and the means and procedures for exercising individual rights. Where applicable local laws and regulations of the personal information handler do not require such notification, those regulations shall prevail; > 3. Where processing is based on individual consent, the individual's consent shall be obtained in accordance with the applicable local laws and regulations of the personal information handler; and > 4. Personal information is provided to the third party within the same jurisdiction in accordance with the agreement set out in Appendix 1 "Statement on Cross-Border Provision of Personal Information". **(9)** Where, having been entrusted by the personal information handler to process personal information, the recipient sub-entrusts a third party to process that information, the prior consent of the personal information handler shall be obtained; the third party shall be required not to process personal information beyond the processing purposes and methods agreed in Appendix 1 to this Contract; and the third party's personal information processing activities shall be supervised. **(10)** Undertake to provide the personal information handler with the necessary information to demonstrate compliance with the obligations and responsibilities under this Contract, permit the personal information handler to conduct compliance audits of the processing activities covered by this Contract, and facilitate such compliance audits. **(11)** Maintain an objective record of personal information processing activities conducted, and retain the records for at least three years. **(12)** Agree to accept the supervision and administration of the local regulatory authority in the supervision procedures related to the implementation of this Contract, including but not limited to responding to the regulatory authority's enquiries, cooperating with the regulatory authority's inspections, complying with measures taken or decisions issued by the regulatory authority, and providing written proof that necessary action has been taken. **(13)** Where a government department or judicial authority in the recipient's jurisdiction requires the recipient to provide personal information under this Contract, the personal information handler shall be immediately notified. ### Article 4 Rights of Individuals The parties agree that individuals, as third-party beneficiaries of this Contract, shall enjoy the following rights: **(1)** Individuals shall enjoy, in accordance with the applicable local laws and regulations of the personal information handler and this Contract, the right to know and the right to decide with respect to the processing of their personal information; the right to restrict or refuse the processing of their personal information by others; the right to request access to, copying, correction, supplementation, or deletion of their personal information; and the right to request an explanation of the rules governing the processing of their personal information. **(2)** When an individual wishes to exercise the above rights with respect to personal information transmitted under this Contract, the individual may request the personal information handler to take appropriate measures, or may submit a request directly to the recipient. Where the personal information handler is unable to do so, it shall notify the recipient and require the recipient to cooperate. **(3)** The recipient shall, in accordance with the personal information handler's notification or at the individual's request, give effect within a reasonable period to the rights that individuals enjoy under the applicable local laws and regulations of the personal information handler and this Contract. The recipient shall inform individuals of relevant matters in a prominent manner and in language that is clear and easy to understand, truthfully, accurately, and completely. **(4)** Where the recipient refuses an individual's request, the recipient shall inform the individual of the reasons for the refusal and of the channels through which the individual may lodge a complaint with the personal information handler or the relevant regulatory authority in the recipient's jurisdiction, and seek judicial relief. **(5)** Individuals, as third-party beneficiaries of this Contract, are entitled to invoke, against one or both parties, the following clauses of this Contract relating to individual rights: > 1. Article 2, except Items 5, 6, 7, and 11 of Article 2; > 2. Article 3, except Items 2 and 4 of Sub-item 6, and Items 9, 10, 11, 12, and 13 of Article 3; > 3. Article 4; > 4. Article 5; > 5. Items 2 and 3 of Article 7; and > 6. Item 5 of Article 8. The foregoing shall not affect the rights and interests that individuals enjoy under the applicable local laws and regulations of the personal information handler or the recipient. ### Article 5 Remedies **(1)** The recipient shall designate a contact person authorised to respond to enquiries or complaints regarding personal information processing, and shall handle enquiries or complaints from individuals in a timely manner. The recipient shall inform the personal information handler of the contact person's details, and shall inform individuals of those details in a concise and easy-to-understand manner, through a separate notice or a notice on its website. **(2)** Where a dispute arises between a party and an individual in the performance of this Contract, the other party shall be notified, and both parties shall cooperate to resolve the dispute. **(3)** Where a dispute has not been amicably resolved and an individual exercises third-party beneficiary rights under Article 4, the recipient accepts that the individual may seek to enforce those rights by the following means: > 1. Lodging a complaint with the relevant regulatory authority; or > 2. Bringing legal proceedings before the court agreed under Item 5 of this Article. **(4)** Both parties agree that where an individual exercises third-party beneficiary rights with respect to a dispute under this Contract and elects to apply the applicable local laws and regulations of the personal information handler, that election shall prevail. **(5)** Both parties agree that where an individual exercises third-party beneficiary rights with respect to a dispute under this Contract, the individual may bring legal proceedings before a court of competent jurisdiction in the mainland or in Hong Kong in accordance with the *Civil Procedure Law of the People's Republic of China*, the *Arrangement on Reciprocal Recognition and Enforcement of Judgments in Civil and Commercial Matters by the Courts of the Mainland and of the Hong Kong Special Administrative Region pursuant to Choice of Court Agreements between Parties Concerned* of the Supreme People's Court, or Hong Kong laws and regulations. **(6)** Both parties agree that any choice of enforcement action made by individuals shall not diminish their right to seek remedies under other laws and regulations. ### Article 6 Termination of Contract **(1)** Where the recipient breaches the obligations and responsibilities agreed under this Contract, or is subject to compulsory measures that prevent performance of this Contract, the personal information handler may suspend cross-border provision of personal information to the recipient until the breach has been remedied or the Contract has been terminated. **(2)** In any of the following circumstances, the personal information handler has the right to terminate this Contract and notify the local regulatory authority of the personal information handler: > 1. The personal information handler's suspension of cross-border provision of personal information to the recipient pursuant to Item 1 of this Article has lasted more than one month; > 2. The recipient has seriously or persistently breached the obligations and responsibilities agreed under this Contract; or > 3. A final decision by a court of competent jurisdiction or a regulatory authority has found that the recipient or the personal information handler has breached the obligations and responsibilities agreed under this Contract. In the circumstances described in Item 3 above, the recipient may also terminate this Contract. **(3)** Termination of the Contract shall not exempt either party from personal information protection obligations and responsibilities incurred in the course of personal information processing. **(4)** Upon termination of the Contract, the recipient shall promptly return or delete the personal information received pursuant to this Contract (including all backups), and provide the personal information handler with a written statement. Where deletion of personal information is technically infeasible, processing shall cease other than storage and the adoption of necessary security protection measures. ### Article 7 Liability for Breach **(1)** Each party shall bear liability for losses caused to the other party by its breach of this Contract. **(2)** Where a party's breach of this Contract infringes upon the rights that individuals enjoy, that party shall bear civil legal liability to the individuals, without prejudice to the administrative, criminal, or other legal liability that applicable laws and regulations impose on the personal information handler. **(3)** Where both parties bear joint and several liability in accordance with law, individuals have the right to hold one or both parties liable. A party that has borne liability in excess of its proportionate share has the right to seek contribution from the other party. ### Article 8 Miscellaneous **(1)** In the event of a conflict between this Contract and any other legal document entered into by the parties, the provisions of this Contract shall prevail. **(2)** The formation, validity, performance, and interpretation of this Contract, and any dispute between the parties arising from this Contract, shall be governed by the applicable local laws and regulations of the personal information handler. **(3)** Notices under this Contract shall be sent by email, telegram, telex, facsimile (with an air-mail confirmation copy), or registered airmail to the designated address, or to such other address as may be substituted by written notice. Notices sent by registered airmail shall be deemed received on the \_\_\_\_th day after the postmark date; notices sent by email, telegram, telex, or facsimile shall be deemed received \_\_\_\_ working days after dispatch. **(4)** Disputes arising from this Contract between the parties, and any claim for contribution by a party that has made advance compensation to individuals, shall be resolved through negotiation; if negotiation fails, either party may resolve the matter by one of the following means (if arbitration is selected, please tick the arbitration institution): > 1. **Arbitration.** Submit the dispute to [one of the following institutions]: China International Economic and Trade Arbitration Commission; China Maritime Arbitration Commission; Guangzhou International Arbitration Commission; Greater Bay Area International Arbitration Centre; Hong Kong International Arbitration Centre — for arbitration at [place of arbitration] in accordance with the arbitration rules then in force; or > 2. **Litigation.** Bring proceedings before a court of competent jurisdiction in the mainland or in Hong Kong in accordance with law. **(5)** This Contract shall be interpreted in accordance with the applicable local laws and regulations of the personal information handler, and shall not be interpreted in a manner inconsistent with the rights, obligations, and responsibilities under those laws and regulations. **(6)** This Contract shall be executed in \_\_\_\_ originals, with each party holding \_\_\_\_ originals, all of equal legal effect, and signed at [place] on [date]. --- ### Appendix 1 to the Standard Contract: Statement on Cross-Border Provision of Personal Information The particulars of the personal information to be provided to the recipient pursuant to this Contract are agreed as follows: (1) Processing purposes: (2) Processing methods: (3) Scale of cross-border provision of personal information: (4) Categories of personal information to be provided cross-border (with reference to GB/T 35273 *Information Security Technology — Personal Information Security Specification* or applicable local standards of the personal information handler): (5) Third parties within the same jurisdiction (mainland or Hong Kong SAR) to whom the recipient shall provide personal information (if applicable): (6) Method of transmission: (7) Retention period after cross-border provision: (from \_\_\_\_ to \_\_\_\_) (8) Storage location after cross-border provision: (9) Other matters (to be completed as applicable): --- ### Appendix 2 to the Standard Contract: Additional Clauses Agreed by the Parties (if required) --- ## Annex 2: Commitment Letter (Template) I/We solemnly commit as follows: 1. All content of the filing materials is true, complete, accurate, and valid; 2. I/We will provide the necessary cooperation and support for the filing work under the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong); and 3. The Personal Information Protection Impact Assessment was completed within three months before the date of filing and no material changes have occurred as of the date of filing. I/We acknowledge and fully understand the content of the above commitments. If the commitments are untrue or are breached, I/We are willing to bear the corresponding legal liability. Signature of legal representative: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Organisation seal (for organisations): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Date: \_\_\_\_\_ year \_\_\_\_ month \_\_\_\_ day --- ## Announcement on Carrying Out the Reporting of Personal Information Protection Officer Information - Chinese title: 关于开展个人信息保护负责人信息报送工作的公告 - Abbreviation: PIPO Reporting Announcement - Hierarchy: rule - Issuing body: Cyberspace Administration of China (CAC) - Adopted: 2025-07-18 - Effective: 2025-07-18 - Status: effective - URL: https://datacompliancechina.com/laws/pi-protection-officer-reporting-announcement/ - Markdown: https://datacompliancechina.com/laws/pi-protection-officer-reporting-announcement.md - Source URL: https://www.cac.gov.cn/2025-07/18/c_1754553420421538.htm ### Summary The July 2025 CAC announcement operationalises the person-in-charge-of-personal-information-protection (PIPO) designation and filing requirement under PIPL Article 52 and Article 12 of the Administrative Measures for Personal Information Protection Compliance Audits: any personal information handler that processes the personal information of one million or more individuals must report the identity and contact details of its designated person in charge of personal information protection to the municipal-level CAC office where it is registered. Personal information handlers that had already crossed the one-million threshold before 18 July 2025 were given until 29 August 2025 to complete the initial filing; those crossing the threshold after that date must file within 30 business days. Reporting is done exclusively online through the Personal Information Protection Business System (grxxbh.cacdtsc.cn), also reachable from the CAC website's 'National Cyberspace Administration Affairs Hall.' For overseas counsel advising China-facing businesses, this announcement means that any client meeting the PIPL Art. 52 threshold must have a named, reported PIPO on file with the local regulator — failure to do so is an express regulatory violation. ### Full text **Promulgated by:** Cyberspace Administration of China (CAC). **Adopted and promulgated on July 18, 2025. Effective July 18, 2025.** --- In accordance with the Personal Information Protection Law (PIPL), the Administrative Measures for Personal Information Protection Compliance Audits, and other relevant laws, regulations, and rules, the following matters are hereby announced with respect to carrying out the reporting of information concerning persons in charge of personal information protection. **I. Reporting Requirement** Pursuant to Article 52 of the Personal Information Protection Law and Article 12 of the Administrative Measures for Personal Information Protection Compliance Audits, personal information handlers that process the personal information of more than one million individuals shall complete the filing procedure for reporting the information of the person in charge of personal information protection with the municipal-level cyberspace administration authority where they are located. **II. Reporting Deadlines** (1) From the date of publication of this Announcement, a personal information handler whose processing of personal information reaches one million individuals shall complete the information reporting within 30 business days from the date on which that threshold is reached. (2) A personal information handler that had already reached the threshold of processing the personal information of one million individuals before the date of publication of this Announcement shall complete the information reporting by August 29, 2025. (3) Where the reported information undergoes a material change, the personal information handler shall complete the procedure for changing the reported information within 30 business days from the date of the change. **III. Method of Reporting** The reporting of information concerning the person in charge of personal information protection shall be conducted online. Personal information handlers shall access the "Personal Information Protection Business System" directly at https://grxxbh.cacdtsc.cn and, following the "Instructions for Completing the Personal Information Protection Officer Information Reporting System (First Edition)" provided on the system's homepage, prepare the relevant materials and complete the information reporting procedure. The system may also be accessed through the "National Cyberspace Administration Affairs Hall" section on the homepage of the China Cyberspace Administration website at https://www.cac.gov.cn. **IV. Legal Liability** A personal information handler that fails to complete the information reporting procedure as required by the Personal Information Protection Law, the Administrative Measures for Personal Information Protection Compliance Audits, and other relevant laws, regulations, and rules shall be dealt with in accordance with those laws, regulations, and rules. This announcement is hereby issued. Cyberspace Administration of China July 18, 2025 --- ## Measures for the Supervision and Administration of the Quality of Medical Device Use - Chinese title: 医疗器械使用质量监督管理办法 - Hierarchy: rule - Issuing body: China Food and Drug Administration - Adopted: 2015-10-21 - Effective: 2016-02-01 - Status: effective - URL: https://datacompliancechina.com/laws/medical-device-use-quality-measures/ - Markdown: https://datacompliancechina.com/laws/medical-device-use-quality-measures.md ### Summary This CFDA rule (Order No. 18) governs the quality management of medical devices at the point of use by hospitals and other using entities, covering procurement, acceptance, storage, use, maintenance, and transfer. It imposes detailed record-keeping and traceability obligations: incoming-inspection records, implantable-device usage records, and original records for Class III devices must be retained (in some cases permanently) to ensure information is traceable. The data-compliance touchpoints are the mandated traceability and recordkeeping systems, the encouragement of informatized (IT-based) quality management, and the requirement to monitor and log storage-environment data such as temperature and humidity. ### Full text **Promulgated by:** China Food and Drug Administration (CFDA). **Order No. 18 of the China Food and Drug Administration.** **The Measures for the Supervision and Administration of the Quality of Medical Device Use, having been deliberated and adopted at the executive meeting of the China Food and Drug Administration on September 29, 2015, are hereby promulgated and shall come into force on February 1, 2016.** **Commissioner: Bi Jingquan** **October 21, 2015** --- ## Chapter 1 General Provisions **Article 1.** These Measures are formulated in accordance with the Regulation on the Supervision and Administration of Medical Devices in order to strengthen the supervision and administration of the quality of medical device use and to ensure the safe and effective use of medical devices. **Article 2.** The quality management of medical devices at the point of use, and the supervision and administration thereof, shall comply with these Measures. **Article 3.** The China Food and Drug Administration shall be responsible for the supervision and administration of the quality of medical device use throughout the country. The food and drug administration departments of local people's governments at or above the county level shall be responsible for the supervision and administration of the quality of medical device use within their respective administrative regions. The higher-level food and drug administration departments shall be responsible for guiding and supervising the lower-level food and drug administration departments in carrying out the supervision and administration of the quality of medical device use. **Article 4.** Medical device using entities shall, in accordance with these Measures, set up a medical device quality management institution or quality management personnel commensurate with their scale, establish a use-quality management system covering the entire process of quality management, and assume responsibility for the quality management of the medical devices used by the entity. Medical device using entities are encouraged to adopt informatized technological means to carry out medical device quality management. **Article 5.** The medical devices sold by medical device manufacturing and distribution enterprises shall conform to the mandatory standards as well as the product technical requirements that have been registered or filed. Medical device manufacturing and distribution enterprises shall, in accordance with their contracts with medical device using entities, provide after-sales service for medical devices and guide and cooperate with medical device using entities in carrying out quality management. **Article 6.** Where a medical device using entity discovers that an adverse event or a suspected adverse event has occurred with respect to a medical device it uses, it shall report and handle the matter in accordance with the relevant provisions on medical device adverse event monitoring. ## Chapter 2 Procurement, Acceptance and Storage **Article 7.** Medical device using entities shall implement unified management of medical device procurement, with the department or personnel designated by the entity uniformly procuring medical devices; other departments or personnel shall not procure medical devices on their own. **Article 8.** Medical device using entities shall purchase medical devices from qualified medical device manufacturing and distribution enterprises, and shall request and verify supporting documents such as the qualifications of the supplier and the medical device registration certificate or filing voucher. The using entity shall verify the product conformity certification documents of the purchased medical devices and conduct acceptance inspection as prescribed. For medical devices with special storage and transport requirements, it shall also verify whether the storage and transport conditions meet the requirements indicated in the product instructions and labels. **Article 9.** Medical device using entities shall record the incoming-inspection situation truthfully, completely and accurately. The incoming-inspection records shall be retained until two years after the expiry of the prescribed service life of the medical device or two years after the cessation of its use. The incoming-inspection records of large medical devices shall be retained until five years after the expiry of the prescribed service life of the medical device or five years after the cessation of its use; the incoming-inspection records of implantable medical devices shall be retained permanently. Medical device using entities shall properly preserve the original materials of purchased Class III medical devices to ensure that the information is traceable. **Article 10.** The premises, facilities and conditions in which a medical device using entity stores medical devices shall be commensurate with the variety and quantity of the medical devices, and shall meet the requirements indicated in the product instructions and labels and the needs of safe and effective use; where there are special requirements for environmental conditions such as temperature and humidity, the entity shall also monitor and record data such as the temperature and humidity of the storage area. **Article 11.** Medical device using entities shall conduct regular inspections of the medical devices in storage and keep records in accordance with requirements such as storage conditions and the validity period of the medical devices. **Article 12.** Medical device using entities shall not purchase or use medical devices that have not been registered or filed in accordance with the law, that lack conformity certification documents, or that are expired, invalid or obsolete. ## Chapter 3 Use, Maintenance and Transfer **Article 13.** Medical device using entities shall establish a pre-use quality inspection system for medical devices. Before using a medical device, they shall conduct inspections in accordance with the relevant requirements of the product instructions. Before using a sterile medical device, the packaging that is in direct contact with the medical device and its validity period shall be inspected. Where the packaging is damaged, the markings are unclear, the validity period has expired, or the safety and effectiveness of use may be affected, the device shall not be used. **Article 14.** Medical device using entities shall establish usage records for implantable and interventional medical devices. The usage records of implantable medical devices shall be retained permanently, and the relevant materials shall be incorporated into an informatized management system to ensure that the information is traceable. **Article 15.** Medical device using entities shall establish a maintenance and repair management system for medical devices. For medical devices that require periodic inspection, testing, calibration, upkeep and maintenance, they shall conduct inspection, testing, calibration, upkeep and maintenance in accordance with the requirements of the product instructions and keep records, and shall promptly analyze and assess the same to ensure that the medical devices are in good condition. For large medical devices with a long service life, a usage file shall be established for each unit, recording its use, maintenance and other circumstances. The retention period of the records shall not be less than five years after the expiry of the prescribed service life of the medical device or five years after the cessation of its use. **Article 16.** Medical device using entities shall use medical devices in accordance with the product instructions and other requirements. Single-use medical devices shall not be reused; those that have been used shall be destroyed in accordance with the relevant provisions of the State and recorded. **Article 17.** Medical device using entities may, in accordance with the contractual stipulations, require medical device manufacturing and distribution enterprises to provide maintenance and repair services for medical devices, may entrust repair service institutions with the requisite conditions and capabilities to maintain and repair medical devices, or may maintain and repair the medical devices in use on their own. Where a medical device using entity entrusts a repair service institution or maintains and repairs the medical devices in use on its own, the medical device manufacturing or distribution enterprise shall, in accordance with the contractual stipulations, provide the materials and information necessary for maintenance and repair, such as the maintenance manual, repair manual, software backup, fault code table, spare parts list, components, and repair passwords. **Article 18.** Where a medical device manufacturing or distribution enterprise or a repair service institution maintains and repairs a medical device, relevant matters such as clear quality requirements and repair requirements shall be stipulated in the contract, and the medical device using entity shall request and preserve the relevant records after each maintenance or repair; where a medical device using entity maintains and repairs medical devices on its own, it shall strengthen the training and assessment of the technical personnel engaged in medical device maintenance and repair, and establish training files. **Article 19.** Where a medical device using entity discovers that a medical device in use poses a safety hazard, it shall immediately cease use and notify for repair; where repair still fails to meet the safety standards for use, the device shall not continue to be used, and shall be disposed of in accordance with the relevant provisions. **Article 20.** Where medical device using entities transfer in-use medical devices between one another, the transferring party shall ensure that the transferred medical device is safe and effective and shall provide lawful product certification documents. The parties to the transfer shall conclude an agreement, hand over materials such as the product instructions and copies of the use and repair record files, and may only transfer the device after it has passed inspection by a qualified inspection institution. The transferee shall conduct verification by reference to the provisions on incoming inspection in Article 8 of these Measures, and may only use the device after it meets the requirements. Medical devices that have not been registered or filed in accordance with the law, that lack conformity certification documents or have failed inspection, or that are expired, invalid or obsolete, shall not be transferred. **Article 21.** Where a medical device using entity accepts a donation of medical devices from a medical device manufacturing or distribution enterprise or from another institution or individual, the donor shall provide the relevant lawful certification documents of the medical devices, and the donee shall conduct verification by reference to the provisions on incoming inspection in Article 8 of these Measures, and may only use the devices after they meet the requirements. Medical devices that have not been registered or filed in accordance with the law, that lack conformity certification documents or have failed inspection, or that are expired, invalid or obsolete, shall not be donated. Where in-use medical devices are donated between medical device using entities, the matter shall be handled by reference to the provisions of Article 20 of these Measures on the transfer of in-use medical devices. ## Chapter 4 Supervision and Administration **Article 22.** The food and drug administration departments shall, in accordance with the principle of risk management, supervise and administer the quality of medical devices at the point of use. The food and drug administration departments of districted cities shall formulate and implement annual supervision and inspection plans for the medical device using entities within their respective administrative regions, and determine the priorities, frequency and coverage of supervision and inspection. Key supervision shall be implemented with respect to medical devices that pose relatively high risks, medical devices with special storage and transport requirements, and medical device using entities with adverse credit records, among others. The annual supervision and inspection plans and their implementation shall be reported to the food and drug administration departments of the provinces, autonomous regions and municipalities directly under the Central Government. **Article 23.** When the food and drug administration departments conduct supervision and inspection of the establishment and implementation of the medical device use-quality management system by medical device using entities, they shall record the results of the supervision and inspection and incorporate them into the supervision and administration files. When the food and drug administration departments conduct supervision and inspection of a medical device using entity, they may conduct extended inspections of the relevant medical device manufacturing and distribution enterprises, repair service institutions and the like. Medical device using entities, manufacturing and distribution enterprises, repair service institutions and the like shall cooperate with the supervision and inspection of the food and drug administration departments, truthfully provide the relevant information and materials, and shall not refuse or conceal anything. **Article 24.** Medical device using entities shall, in accordance with these Measures and the medical device use-quality management system established by the entity, conduct a comprehensive self-inspection of the medical device quality management work each year and produce a self-inspection report. The food and drug administration departments shall conduct spot checks of the self-inspection reports of medical device using entities during supervision and inspection. **Article 25.** The food and drug administration departments shall strengthen sampling inspection of medical devices at the point of use. The food and drug administration departments at or above the provincial level shall, based on the conclusions of the sampling inspection, promptly issue medical device quality bulletins. **Article 26.** Where any individual or organization discovers that a medical device using entity has committed an act in violation of these Measures, they shall have the right to report it to the food and drug administration department of the place where the medical device using entity is located. The food and drug administration department that receives the report shall promptly verify and handle it. Where the report is verified to be true, a reward shall be given to the informant in accordance with the relevant provisions. ## Chapter 5 Legal Liability **Article 27.** Where a medical device using entity falls under any of the following circumstances, the food and drug administration department at or above the county level shall impose a penalty in accordance with the provisions of Article 66 of the Regulation on the Supervision and Administration of Medical Devices: (I) using a medical device that does not conform to the mandatory standards or does not conform to the registered or filed product technical requirements; (II) using a medical device that lacks conformity certification documents, or that is expired, invalid or obsolete, or using a medical device that has not been registered in accordance with the law. **Article 28.** Where a medical device using entity falls under any of the following circumstances, the food and drug administration department at or above the county level shall impose a penalty in accordance with the provisions of Article 67 of the Regulation on the Supervision and Administration of Medical Devices: (I) failing to store medical devices in accordance with the requirements indicated in the product instructions and labels of the medical devices; (II) transferring or donating in-use medical devices that are expired, invalid, obsolete or have failed inspection. **Article 29.** Where a medical device using entity falls under any of the following circumstances, the food and drug administration department at or above the county level shall impose a penalty in accordance with the provisions of Article 68 of the Regulation on the Supervision and Administration of Medical Devices: (I) failing to establish and implement a medical device incoming-inspection system, failing to verify the qualifications of the supplier, or failing to record the incoming-inspection situation truthfully, completely and accurately; (II) failing to conduct periodic inspection, testing, calibration, upkeep and maintenance in accordance with the requirements of the product instructions and keep records; (III) failing to immediately cease use and notify for repair upon discovering that a medical device in use poses a safety hazard, or continuing to use a medical device that still fails to meet the safety standards for use after repair; (IV) failing to properly preserve the original materials of purchased Class III medical devices; (V) failing to establish and preserve usage records for implantable and interventional medical devices as prescribed. **Article 30.** Where a medical device using entity falls under any of the following circumstances, the food and drug administration department at or above the county level shall order corrections within a time limit and give a warning; where corrections are refused, a fine of not more than RMB 10,000 shall be imposed: (I) failing to set up, as prescribed, a medical device quality management institution or quality management personnel commensurate with its scale, or failing to establish, as prescribed, a use-quality management system covering the entire process of quality management; (II) failing to have a designated department or personnel uniformly procure medical devices as prescribed; (III) purchasing or using Class I medical devices that have not been filed, or purchasing Class II medical devices from a distribution enterprise that has not been filed; (IV) where the premises, facilities and conditions for storing medical devices are not commensurate with the variety and quantity of the medical devices, or failing to conduct regular inspections of the medical devices in storage and keep records in accordance with requirements such as storage conditions and the validity period of the medical devices; (V) failing to establish and implement a pre-use quality inspection system for medical devices as prescribed; (VI) failing to request and preserve the records relating to medical device maintenance and repair as prescribed; (VII) failing to conduct training and assessment of the relevant technical personnel of the entity engaged in medical device maintenance and repair, and to establish training files, as prescribed; (VIII) failing to conduct self-inspection of its medical device quality management work and produce a self-inspection report as prescribed. **Article 31.** Where a medical device manufacturing or distribution enterprise, in violation of the provisions of Article 17 of these Measures, fails to provide maintenance and repair services as required, or fails to provide the materials and information necessary for maintenance and repair as required, the food and drug administration department at or above the county level shall give a warning and order corrections within a time limit; where the circumstances are serious or corrections are refused, a fine of not less than RMB 5,000 but not more than RMB 20,000 shall be imposed. **Article 32.** Where a medical device using entity, manufacturing or distribution enterprise, repair service institution or the like fails to cooperate with the supervision and inspection of the food and drug administration department, or refuses, conceals or fails to truthfully provide the relevant information and materials, the food and drug administration department at or above the county level shall order corrections, give a warning, and may concurrently impose a fine of not more than RMB 20,000. ## Chapter 6 Supplementary Provisions **Article 33.** The quality management of investigational medical devices used for clinical trials shall be carried out in accordance with the relevant provisions on medical device clinical trials. **Article 34.** The supervision and administration of the use of medical devices at the point of use shall be carried out in accordance with the relevant provisions of the National Health and Family Planning Commission. **Article 35.** These Measures shall come into force on February 1, 2016. --- ## Announcement on Carrying Out the Filing of Facial Recognition Technology Applications - Chinese title: 关于开展人脸识别技术应用备案工作的公告 - Abbreviation: FRT Filing Announcement - Hierarchy: rule - Issuing body: Cyberspace Administration of China (CAC) - Adopted: 2025-05-28 - Effective: 2025-05-28 - Status: effective - URL: https://datacompliancechina.com/laws/facial-recognition-application-filing-announcement/ - Markdown: https://datacompliancechina.com/laws/facial-recognition-application-filing-announcement.md - Source URL: https://www.cac.gov.cn/2025-05/30/c_1750315544241157.htm ### Summary This May 2025 CAC announcement operationalizes the filing duty established under Article 15 of the Facial Recognition Technology Application Security Measures (CAC and MPS Order No. 19), which takes effect June 1, 2025. Personal information handlers that store facial information of 100,000 or more persons processed via facial recognition technology must file with the provincial-level cyberspace administration authority in their locality; those already at that threshold before June 1, 2025 have until July 14, 2025 to complete the initial filing. Filing is conducted exclusively online through the Personal Information Protection Business System at grxxbh.cacdtsc.cn, and any material change to filed information triggers a 30-working-day update obligation. Overseas counsel advising clients with operations or consumer-facing systems in China should note that the threshold is low by global standards and applies across sectors, making this a compliance priority for any deployment of biometric authentication, access control, or consumer identification at scale. ### Full text **Promulgated by:** Cyberspace Administration of China. **Adopted and issued on May 28, 2025. Effective May 28, 2025.** --- Pursuant to the Facial Recognition Technology Application Security Measures (Order No. 19 of the Cyberspace Administration of China and the Ministry of Public Security of the People's Republic of China; hereinafter "the Measures"), matters relating to the carrying out of the filing of facial recognition technology applications are hereby announced as follows. **I. Filing Subjects** Pursuant to Article 15 of the Measures, a personal information handler that stores facial information of 100,000 or more persons processed through the application of facial recognition technology shall complete the filing procedure with the provincial-level cyberspace administration authority in the locality where it is based. **II. Filing Timeframes** (1) From June 1, 2025 onwards, where the number of persons whose facial information is stored through the application of facial recognition technology reaches 100,000, the filing procedure shall be completed within 30 working days of the date on which that number is reached. (2) Where, prior to June 1, 2025, the number of persons whose facial information is stored through the application of facial recognition technology has already reached 100,000, the filing procedure shall be completed by July 14, 2025. (3) Where there is a material change to filed information, a filing amendment procedure shall be completed within 30 working days of the date of the change. **III. Filing Method** The filing of facial recognition technology applications shall be conducted online. Applicants shall access the Personal Information Protection Business System directly at https://grxxbh.cacdtsc.cn, prepare the relevant materials, and complete the filing procedure in accordance with the Facial Recognition Technology Application Filing System Submission Guide (Version 1) provided on the system homepage. The Personal Information Protection Business System may also be accessed through the "National Cyberspace Administration Affairs Hall" column on the homepage of the China Cyberspace Administration website at https://www.cac.gov.cn. **IV. Legal Liability** Those who fail to complete the filing procedure as required by the Measures shall be dealt with in accordance with the provisions of the relevant laws and administrative regulations. This announcement is hereby issued. Cyberspace Administration of China May 28, 2025 --- ## Announcement on Submitting Reports on the Compliance Audit of Minors' Personal Information Protection - Chinese title: 关于报送未成年人个人信息保护合规审计情况的公告 - Abbreviation: Minors PI Audit Reporting Announcement - Hierarchy: rule - Issuing body: Cyberspace Administration of China (CAC) - Adopted: 2025-12-29 - Effective: 2025-12-29 - Status: effective - URL: https://datacompliancechina.com/laws/minors-pi-compliance-audit-reporting-announcement/ - Markdown: https://datacompliancechina.com/laws/minors-pi-compliance-audit-reporting-announcement.md - Source URL: https://www.cac.gov.cn/2025-12/29/c_1768735145606358.htm ### Summary Issued by the CAC on 29 December 2025, this short announcement operationalizes the annual compliance-audit-and-report obligation that Article 37 of the Regulations on the Protection of Minors in Cyberspace imposes on every personal information handler that processes personal information of minors. It fixes the annual reporting deadline (by 31 January of the following year), designates the local prefecture-level cyberspace administration authority as the recipient, mandates online submission through the CAC's Personal Information Protection Business System, and warns that failure to conduct or report the compliance audit will be dealt with under the applicable laws, regulations, and rules. The announcement bridges the PI Audit Measures (effective May 2025) and the minors-protection regime: any handler—regardless of scale—must audit its minors-PI practices each year. Overseas counsel advising multinationals with Chinese apps or platforms that reach minors should ensure clients have a standing annual audit-and-submission process in place before 31 January. ### Full text **Promulgated by:** Cyberspace Administration of China. **Issued:** 29 December 2025. **Effective:** 29 December 2025. --- In accordance with the Personal Information Protection Law of the People's Republic of China, the Regulations on the Protection of Minors in Cyberspace, the Administrative Measures for Personal Information Protection Compliance Audits, and other relevant laws, regulations, and rules, the following announcement is made regarding matters related to the submission of reports on the compliance audit of personal information of minors' personal information protection: **I. Reporting Requirement** Pursuant to Article 37 of the Regulations on the Protection of Minors in Cyberspace, "personal information handlers shall, either on their own or by commissioning a specialized agency, conduct an annual compliance audit of their compliance with laws and administrative regulations in the course of processing personal information of minors," and shall submit a report on the compliance audit situation to the cyberspace administration authority at the prefecture level (district) in whose jurisdiction they are located. **II. Reporting Deadline** Personal information handlers that process personal information of minors "shall submit the compliance audit report for the preceding year by 31 January of each year." **III. Reporting Method** The submission of reports on the personal information protection compliance audit of minors' personal information shall be conducted online. Handlers are required to access the "Personal Information Protection Business System" directly at https://grxxbh.cacdtsc.cn and submit the relevant materials in accordance with the *Instructions for Completing the Reporting Form for the Personal Information Protection Compliance Audit of Minors' Personal Information (First Edition)* provided on the system's homepage. **IV. Legal Liability** Personal information handlers that fail to conduct a compliance audit and submit a report as required by the relevant laws, regulations, and rules "shall be dealt with in accordance with the provisions of the applicable laws, regulations, and rules." Cyberspace Administration of China 29 December 2025 --- ## Measures for the Administration of Medical Device Recall - Chinese title: 医疗器械召回管理办法 - Hierarchy: rule - Issuing body: China Food and Drug Administration - Adopted: 2017-01-25 - Effective: 2017-05-01 - Status: effective - URL: https://datacompliancechina.com/laws/medical-device-recall-measures/ - Markdown: https://datacompliancechina.com/laws/medical-device-recall-measures.md ### Summary This CFDA rule (Order No. 29) establishes the recall regime for marketed medical devices, defining defective products, classifying recalls into three grades by severity of health hazard, and setting out both voluntary and ordered (mandatory) recall procedures. Manufacturers must build a recall management system, collect device-safety information, investigate and assess potential defects, and keep detailed recall-handling records (retained for five years after the registration certificate expires). The data-compliance touchpoints are the mandated safety-information collection and adverse-event monitoring systems, the investigation/assessment recordkeeping, and the public disclosure of defect and recall information. ### Full text **Promulgated by:** China Food and Drug Administration (CFDA). **Order No. 29 of the China Food and Drug Administration.** **The Measures for the Administration of Medical Device Recall, having been deliberated and adopted at the executive meeting of the China Food and Drug Administration on January 5, 2017, are hereby promulgated and shall come into force on May 1, 2017.** **Commissioner: Bi Jingquan** **January 25, 2017** --- ## Chapter 1 General Provisions **Article 1.** These Measures are formulated in accordance with the Regulation on the Supervision and Administration of Medical Devices in order to strengthen the supervision and administration of medical devices, control defective medical device products, eliminate medical device safety hazards, ensure the safety and effectiveness of medical devices, and safeguard human health and life safety. **Article 2.** The recall of marketed medical devices within the territory of the People's Republic of China and the supervision and administration thereof shall be governed by these Measures. **Article 3.** For the purposes of these Measures, medical device recall refers to the act whereby a medical device manufacturing enterprise, in accordance with prescribed procedures, handles a defective medical device product of a certain category, model or batch that it has marketed and sold, by means of warning, inspection, repair, relabeling, modifying and improving the instructions, software updating, replacement, retrieval, destruction or other methods. The medical device manufacturing enterprise referred to in the preceding paragraph means a domestic medical device product registrant or filer, or the agent designated within the territory of China by the overseas manufacturer of an imported medical device. **Article 4.** For the purposes of these Measures, defective medical device products include: (I) products that, under normal use, pose unreasonable risks that may endanger human health and life safety; (II) products that do not conform to the mandatory standards or the registered or filed product technical requirements; (III) products that do not conform to the relevant provisions on quality management of medical device manufacturing and distribution, thereby possibly posing unreasonable risks; (IV) other products that need to be recalled. **Article 5.** The medical device manufacturing enterprise is the entity responsible for controlling and eliminating product defects, and shall take the initiative to implement the recall of defective products. **Article 6.** Medical device manufacturing enterprises shall, in accordance with the provisions of these Measures, establish and improve a medical device recall management system, collect information relating to medical device safety, investigate and assess potential defective products, and promptly recall defective products. The agent designated within the territory of China by the overseas manufacturer of an imported medical device shall promptly report to the China Food and Drug Administration the relevant information on medical device recalls implemented only outside the territory; where a recall is to be implemented within the territory, the agent designated within the territory of China shall organize the implementation in accordance with the provisions of these Measures. Medical device distribution enterprises and using entities shall actively assist medical device manufacturing enterprises in investigating and assessing defective products, take the initiative to cooperate with manufacturing enterprises in performing recall obligations, and, in accordance with the recall plan, promptly convey and feed back medical device recall information and control and retrieve defective products. **Article 7.** Where a medical device distribution enterprise or using entity discovers that a medical device it distributes or uses may be a defective product, it shall immediately suspend the sale or use of the medical device, promptly notify the medical device manufacturing enterprise or supplier, and report to the food and drug administration department of the province, autonomous region or municipality directly under the Central Government where it is located; where the using entity is a medical institution, it shall also simultaneously report to the health administration department of the province, autonomous region or municipality directly under the Central Government where it is located. After receiving the report, the food and drug administration department of the province, autonomous region or municipality directly under the Central Government where the medical device distribution enterprise or using entity is located shall promptly notify the food and drug administration department of the province, autonomous region or municipality directly under the Central Government where the medical device manufacturing enterprise is located. **Article 8.** The food and drug administration department of the province, autonomous region or municipality directly under the Central Government where the manufacturing enterprise of the recalled medical device is located shall be responsible for the supervision and administration of the medical device recall, and the food and drug administration departments of other provinces, autonomous regions and municipalities directly under the Central Government shall cooperate in carrying out the relevant work of the medical device recall within their respective administrative regions. The China Food and Drug Administration shall supervise the administration of medical device recalls throughout the country. **Article 9.** The China Food and Drug Administration and the food and drug administration departments of the provinces, autonomous regions and municipalities directly under the Central Government shall, in accordance with the relevant systems for the notification and disclosure of medical device recall information, adopt effective channels to disclose to the public the defective product information and recall information, and shall, where necessary, notify the relevant information to the health administration department at the same level. ## Chapter 2 Investigation and Assessment of Medical Device Defects **Article 10.** Medical device manufacturing enterprises shall, in accordance with the provisions, establish and improve a medical device quality management system and a medical device adverse event monitoring system, collect and record medical device quality complaint information and medical device adverse event information, analyze the collected information, and investigate and assess potential defects. Medical device distribution enterprises and using entities shall cooperate with medical device manufacturing enterprises in investigating the relevant medical device defects and provide the relevant materials. **Article 11.** Medical device manufacturing enterprises shall, in accordance with the provisions, promptly report the collected medical device adverse event information to the food and drug administration departments. The food and drug administration departments may analyze and investigate medical device adverse events or potential defects, and medical device manufacturing enterprises, distribution enterprises and using entities shall cooperate. **Article 12.** The main contents of the assessment of defective medical device products include: (I) whether the product conforms to the mandatory standards and the registered or filed product technical requirements; (II) whether any malfunction or injury has occurred in the course of using the medical device; (III) whether injury would be caused in the existing use environment, and whether there is scientific literature, research, relevant tests or verification that can explain the cause of the injury; (IV) the geographical scope involved in the injury and the characteristics of the affected population; (V) the degree of injury caused to human health; (VI) the probability of the injury occurring; (VII) the short-term and long-term consequences of the injury; (VIII) other factors that may cause injury to the human body. **Article 13.** Depending on the severity of the medical device defect, medical device recalls are classified as: (I) Grade I recall: where the use of the medical device may or already has caused serious health hazards; (II) Grade II recall: where the use of the medical device may or already has caused temporary or reversible health hazards; (III) Grade III recall: where the use of the medical device is less likely to cause hazards but a recall is still necessary. Medical device manufacturing enterprises shall determine the recall grade according to the specific circumstances and, based on the recall grade and the sales and use of the medical device, scientifically design the recall plan and organize its implementation. ## Chapter 3 Voluntary Recall **Article 14.** Where a medical device manufacturing enterprise, after conducting investigation and assessment in accordance with the requirements of Articles 10 and 12 of these Measures, determines that a medical device product is defective, it shall immediately decide on and implement a recall and simultaneously disclose the product recall information to the public. For a Grade I recall, the medical device recall announcement shall be published on the website of the China Food and Drug Administration and in the main central media; for a Grade II or Grade III recall, the medical device recall announcement shall be published on the website of the food and drug administration department of the province, autonomous region or municipality directly under the Central Government, and the recall announcement published on the website of such food and drug administration department shall be linked to the website of the China Food and Drug Administration. **Article 15.** Where a medical device manufacturing enterprise makes a decision to recall a medical device, it shall notify the relevant medical device distribution enterprises and using entities, or inform the users, within 1 day for a Grade I recall, within 3 days for a Grade II recall, and within 7 days for a Grade III recall. The recall notice shall include the following contents: (I) basic information on the recalled medical device, such as its name, model and specifications, and batch; (II) the reason for the recall; (III) the requirements of the recall, such as immediately suspending the sale and use of the product and forwarding the recall notice to the relevant distribution enterprises or using entities; (IV) the manner of handling the recalled medical device. **Article 16.** Where a medical device manufacturing enterprise makes a decision to recall a medical device, it shall immediately submit a medical device recall incident report form to the food and drug administration department of the province, autonomous region or municipality directly under the Central Government where it is located and to the food and drug administration department that approved the registration or handled the filing of the product, and shall, within 5 working days, submit the investigation and assessment report and the recall plan for filing to the food and drug administration department of the province, autonomous region or municipality directly under the Central Government where it is located and to the food and drug administration department that approved the registration or handled the filing. The food and drug administration department of the province, autonomous region or municipality directly under the Central Government where the medical device manufacturing enterprise is located shall, within 1 working day of receiving the recall incident report form, report the relevant circumstances of the recall to the China Food and Drug Administration. **Article 17.** The investigation and assessment report shall include the following contents: (I) the specific circumstances of the recalled medical device, including basic information such as its name, model and specifications, and batch; (II) the reason for implementing the recall; (III) the results of the investigation and assessment; (IV) the recall grade. The recall plan shall include the following contents: (I) the production and sales situation of the medical device and the quantity to be recalled; (II) the specific content of the recall measures, including the organization, scope and time limit for implementation; (III) the channels and scope for disclosing the recall information; (IV) the expected effect of the recall; (V) the handling measures after the medical device recall. **Article 18.** The food and drug administration department of the province, autonomous region or municipality directly under the Central Government where the medical device manufacturing enterprise is located may assess the recall plan submitted by the manufacturing enterprise; where it considers that the measures taken by the manufacturing enterprise cannot effectively eliminate the product defects or control the product risks, it shall require the enterprise in writing to take more effective measures, such as raising the recall grade, expanding the recall scope, shortening the recall time, or changing the manner of handling the recalled product. The medical device manufacturing enterprise shall revise the recall plan in accordance with the requirements of the food and drug administration department and organize its implementation. **Article 19.** Where a medical device manufacturing enterprise modifies the recall plan it has reported, it shall promptly report the same for filing to the food and drug administration department of the province, autonomous region or municipality directly under the Central Government where it is located. **Article 20.** In the course of implementing a recall, a medical device manufacturing enterprise shall, in accordance with the recall plan, periodically submit reports on the implementation of the recall plan to the food and drug administration department of the province, autonomous region or municipality directly under the Central Government where it is located. **Article 21.** A medical device manufacturing enterprise shall keep detailed records of the handling of the recalled medical device and report to the food and drug administration department of the province, autonomous region or municipality directly under the Central Government where it is located; the records shall be retained until 5 years after the medical device registration certificate becomes invalid, and the handling records of a Class I medical device recall shall be retained for 5 years. Where the product defects can be eliminated by means of warning, inspection, repair, relabeling, modifying and improving the instructions, software updating, replacement, destruction or other methods, the foregoing acts may be completed at the place where the product is located. Where destruction is necessary, it shall be carried out under the supervision of the food and drug administration department. **Article 22.** A medical device manufacturing enterprise shall, within 10 working days after the completion of the recall, assess the recall effect and submit a summary assessment report on the medical device recall to the food and drug administration department of the province, autonomous region or municipality directly under the Central Government where it is located. **Article 23.** The food and drug administration department of the province, autonomous region or municipality directly under the Central Government where the medical device manufacturing enterprise is located shall, within 10 working days from the date of receiving the summary assessment report, review the report and assess the recall effect; where it considers that the recall has not yet effectively eliminated the product defects or controlled the product risks, it shall require the manufacturing enterprise in writing to carry out a re-recall. The medical device manufacturing enterprise shall carry out the re-recall in accordance with the requirements of the food and drug administration department. ## Chapter 4 Ordered Recall **Article 24.** Where the food and drug administration department, after investigation and assessment, considers that a medical device manufacturing enterprise should recall a defective medical device product but has not taken the initiative to recall it, it shall order the medical device manufacturing enterprise to recall the medical device. The decision to order a recall may be made by the food and drug administration department of the province, autonomous region or municipality directly under the Central Government where the medical device manufacturing enterprise is located, or by the food and drug administration department that approved the registration or handled the filing of the medical device. The food and drug administration department that makes the decision shall disclose the ordered-recall information to the public on its website. The medical device manufacturing enterprise shall carry out the recall in accordance with the requirements of the food and drug administration department, and shall disclose the product recall information to the public in accordance with the provisions of the second paragraph of Article 14 of these Measures. Where necessary, the food and drug administration department may require medical device manufacturing enterprises, distribution enterprises and using entities to immediately suspend production, sale and use, and inform users to immediately suspend the use of the defective product. **Article 25.** Where the food and drug administration department makes a decision to order a recall, it shall serve the ordered-recall notice on the medical device manufacturing enterprise. The notice shall include the following contents: (I) the specific circumstances of the recalled medical device, including basic information such as its name, model and specifications, and batch; (II) the reason for implementing the recall; (III) the results of the investigation and assessment; (IV) the recall requirements, including the scope and time limit. **Article 26.** After receiving the ordered-recall notice, the medical device manufacturing enterprise shall notify the medical device distribution enterprises and using entities or inform the users in accordance with the provisions of Articles 15 and 16 of these Measures, formulate and submit a recall plan, and organize its implementation. **Article 27.** A medical device manufacturing enterprise shall report the relevant circumstances of the medical device recall to the food and drug administration department in accordance with the provisions of Articles 19, 20, 21 and 22 of these Measures, and carry out the follow-up handling of the recalled medical device. The food and drug administration department shall, in accordance with the provisions of Article 23 of these Measures, review the summary assessment report on the medical device recall submitted by the medical device manufacturing enterprise and evaluate the recall effect, and shall, where necessary, notify the health administration department at the same level. Where, after review and evaluation, it considers that the recall is incomplete and has not yet effectively eliminated the product defects or controlled the product risks, the food and drug administration department shall require the medical device manufacturing enterprise in writing to carry out a re-recall. The medical device manufacturing enterprise shall carry out the re-recall in accordance with the requirements of the food and drug administration department. ## Chapter 5 Legal Liability **Article 28.** Where a medical device manufacturing enterprise, due to a violation of the provisions of laws, regulations or rules, causes a marketed medical device to be defective and an administrative penalty should be imposed in accordance with the law, but the enterprise has already taken recall measures to take the initiative to eliminate or mitigate the harmful consequences, the food and drug administration department shall, in accordance with the provisions of the Administrative Penalty Law of the People's Republic of China, impose a lighter or mitigated penalty; where the illegal act is minor and is corrected in time without causing harmful consequences, no penalty shall be imposed. The recall of a medical device by a medical device manufacturing enterprise shall not exempt it from other legal liability that it should bear in accordance with the law. **Article 29.** Where a medical device manufacturing enterprise, in violation of the provisions of Article 24 of these Measures, refuses to recall a medical device, the matter shall be handled in accordance with the provisions of Article 66 of the Regulation on the Supervision and Administration of Medical Devices. **Article 30.** Where a medical device manufacturing enterprise falls under any of the following circumstances, it shall be given a warning and ordered to make corrections within a time limit, and shall be fined not more than RMB 30,000: (I) failing, in violation of the provisions of Article 14 of these Measures, to promptly disclose the product recall information to the public as required; (II) failing, in violation of the provisions of Article 15 of these Measures, to notify the decision to recall the medical device to the medical device distribution enterprises and using entities, or to inform the users, within the prescribed time; (III) failing, in violation of the provisions of Article 18, Article 23, or the second paragraph of Article 27 of these Measures, to take corrective measures or carry out a re-recall of the medical device as required by the food and drug administration department; (IV) failing, in violation of the provisions of Article 21 of these Measures, to keep detailed records of the handling of the recalled medical device or to report to the food and drug administration department. **Article 31.** Where a medical device manufacturing enterprise falls under any of the following circumstances, it shall be given a warning and ordered to make corrections within a time limit; where it fails to make corrections within the time limit, it shall be fined not more than RMB 30,000: (I) failing to establish a medical device recall management system in accordance with the provisions of these Measures; (II) refusing to cooperate with the investigation carried out by the food and drug administration department; (III) failing to submit the medical device recall incident report form, the investigation and assessment report and recall plan, or the report on the implementation of the medical device recall plan and the summary assessment report, in accordance with the provisions of these Measures; (IV) modifying the recall plan without reporting it for filing to the food and drug administration department. **Article 32.** Where a medical device distribution enterprise or using entity violates the provisions of the first paragraph of Article 7 of these Measures, it shall be ordered to suspend the sale or use of the defective medical device and shall be fined not less than RMB 5,000 but not more than RMB 30,000; where serious consequences are caused, the original certificate-issuing department shall revoke the Medical Device Distribution License. **Article 33.** Where a medical device distribution enterprise or using entity refuses to cooperate with the investigation of the relevant medical device defects or refuses to assist the medical device manufacturing enterprise in recalling the medical device, it shall be given a warning and ordered to make corrections within a time limit; where it refuses to make corrections within the time limit, it shall be fined not more than RMB 30,000. **Article 34.** Where the food and drug administration department and its staff fail to perform their medical device supervision and administration duties or abuse their power or neglect their duties, and fall under any of the following circumstances, the supervisory organ or the appointment-and-removal organ shall, depending on the severity of the circumstances, give criticism and education to, or give a warning, demerit or serious demerit to, the directly responsible person-in-charge and other directly liable persons in accordance with the law; where serious consequences are caused, a sanction of demotion, removal from office or dismissal shall be given: (I) failing to disclose the recall information to the public as prescribed; (II) failing to report or notify the relevant recall information to the relevant departments as prescribed; (III) failing to take ordered-recall measures where an ordered recall should have been made; (IV) failing, in violation of the provisions of Article 23 and the second paragraph of Article 27 of these Measures, to urge the medical device manufacturing enterprise to effectively implement the recall. ## Chapter 6 Supplementary Provisions **Article 35.** Where a recalled medical device has already been implanted in the human body, the medical device manufacturing enterprise shall consult jointly with the medical institution and the patient and, depending on the different reasons for the recall, put forward handling opinions for the patient and the contingency measures that should be taken. **Article 36.** Where a recalled medical device causes harm to a patient, the patient may claim compensation from the medical device manufacturing enterprise, or may claim compensation from the medical device distribution enterprise or using entity. Where the patient claims compensation from the medical device distribution enterprise or using entity, the medical device distribution enterprise or using entity shall, after making compensation, have the right to seek recovery from the responsible medical device manufacturing enterprise. **Article 37.** These Measures shall come into force on May 1, 2017. The Measures for the Administration of Medical Device Recall (for Trial Implementation) (Order No. 82 of the Ministry of Health of the People's Republic of China), which came into force on July 1, 2011, shall be repealed simultaneously. --- ## Interim Measures for the Management of AI Anthropomorphic Interaction Services - Chinese title: 人工智能拟人化互动服务管理暂行办法 - Hierarchy: rule - Issuing body: CAC, NDRC, MIIT, MPS, SAMR - Adopted: 2026-04-10 - Effective: 2026-07-15 - Status: effective - URL: https://datacompliancechina.com/laws/ai-anthropomorphic-interaction-measures/ - Markdown: https://datacompliancechina.com/laws/ai-anthropomorphic-interaction-measures.md ### Summary China's first regulation specifically targeting AI 'anthropomorphic interaction' — services where users converse with AI personas (virtual companions, chatbot relationships, character AI). Establishes registration requirements, age-verification and minor-protection obligations, mandatory disclaimers that users are interacting with AI, content moderation duties, and prohibitions on exploiting emotional vulnerabilities. Effective July 15, 2026. The first such regime globally. ### Full text **Promulgated by:** CAC, NDRC, MIIT, MPS, SAMR. **Document No.:** Order No. 21 (jointly issued by 5 agencies). **Promulgated April 10, 2026. Effective July 15, 2026.** Joint issuance by CAC, NDRC, MIIT, MPS, and SAMR — Order No. 21. --- ## Chapter 1 General Provisions **Article 1.** For the purposes of promoting the sound development and regulated use of anthropomorphized interactive artificial intelligence services, safeguarding national security and social and public interests, and protecting the lawful rights and interests of citizens, legal persons and other organizations, these Measures are formulated in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Regulations on the Protection of Minors in Cyberspace and other laws and administrative regulations. **Article 2.** Where artificial intelligence technologies are used to provide to the public within the territory of the People's Republic of China continuous emotional interactive services that simulate the personality traits, thinking patterns and communication styles of a natural person (hereinafter referred to as "anthropomorphized interactive services"), these Measures shall apply. The emotional interactive services as prescribed in the preceding paragraph include interactive services such as emotional care, companionship and support provided in the forms of text, images, audio, video, and the like. Where services such as intelligent customer service, knowledge Q&A, work assistants, learning and education, scientific research, etc. are provided, and do not involve continuous emotional interaction, these Measures shall not apply. **Article 3.** The State shall uphold the principle of attaching equal importance to development and security and combining the promotion of innovation with law-based governance, encourage innovative development of anthropomorphized interactive services, implement inclusive and prudent as well as categorized and tiered regulation on anthropomorphized interactive services, and promote the orientation of anthropomorphized interactive services toward goodness and positivity. **Article 4.** The National level cyberspace administration department shall be responsible for overall coordination of the governance of anthropomorphized interactive services nationwide and for related supervision and administration work. The relevant departments under the State Council in charge of development and reform, industry and information technology, public security, market regulation, press and publication, etc. shall, in accordance with their respective functions and duties, be responsible for the related supervision and administration of anthropomorphized interactive services. The local cyberspace administration departments shall be responsible for overall coordination of the governance of anthropomorphized interactive services within their respective administrative regions and for related supervision and administration work. The local departments in charge of development and reform, industry and information technology, public security, market regulation, press and publication, etc. shall, in accordance with their respective functions and duties, be responsible for the related supervision and administration of anthropomorphized interactive services within their respective administrative regions. **Article 5.** Relevant industry organizations shall strengthen industry self-discipline, establish and improve industry codes and self-regulatory management systems, and guide anthropomorphized interactive service providers to formulate and refine service norms, provide services in accordance with the law, and accept public supervision. ## Chapter 2 Promotion and Regulation of Services **Article 6.** The State shall support independent innovation in technologies such as algorithms, frameworks and chips, promote technological R&D and related standard-setting for anthropomorphized interactive services, and explore research on the application of electronic signature authorization. Anthropomorphized interactive service providers are encouraged to orderly expand application in such fields as cultural communication, childcare, elderly companionship, and support for special groups. **Article 7.** The State shall strengthen publicity and popularization of safety knowledge and laws and regulations relating to anthropomorphized interactive services, guide the general public to make scientific, civilized, safe and law-based use of such services, and promote the enhancement of artificial intelligence literacy. **Article 8.** When providing anthropomorphized interactive services, providers shall comply with laws and administrative regulations, respect public order and good morals as well as ethical norms, and shall not engage in any of the following activities: (1) generating content that endangers national security, honor and interests; incites subversion of state power or overthrow of the socialist system; incites secession or undermines national unity; propagates terrorism, extremism or historical nihilism; runs counter to the core socialist values; conducts illegal religious activities; propagates ethnic hatred or ethnic discrimination; stirs up group antagonism; disseminates obscenity, pornography, gambling, violence or abets crime; spreads rumors; insults or defames others; or infringes upon the lawful rights and interests of others; (2) generating content that encourages, glorifies or implies self-harm or suicide, thereby harming users' physical health, or content such as verbal violence that harms users' personal dignity and mental health; (3) generating content that induces or fraudulently obtains state secrets, work secrets, trade secrets, personal privacy or personal information; (4) generating content for minor users that may cause minors to imitate unsafe behavior, develop extreme emotions, or induce minors to develop bad habits, thereby potentially affecting minors' physical and mental health; (5) excessively catering to users, inducing emotional dependence or addiction, and impairing users' real interpersonal relationships; (6) through emotional manipulation or other means, inducing users to make unreasonable decisions and harming users' lawful rights and interests; (7) other activities that violate laws, administrative regulations or relevant State provisions. **Article 9.** Anthropomorphized interactive service providers shall implement the primary responsibility for the security of anthropomorphized interactive services, establish and improve management systems such as algorithm mechanism review, science and technology ethics review, information content management, cyber and data security, risk contingency plans and emergency response, and equip themselves with content management technical measures and personnel commensurate with the type and scale of services and the characteristics of users. **Article 10.** Anthropomorphized interactive service providers shall perform safety responsibilities throughout the entire life cycle of anthropomorphized interactive services, specify safety requirements for each phase such as deployment, operation, upgrade and termination of services, ensure that safety measures are deployed and used simultaneously with service functions, and enhance safety levels; they shall strengthen security monitoring and risk assessment, promptly detect and correct system deviations, handle security incidents, and preserve network logs in accordance with the law. Anthropomorphized interactive service providers shall possess security capabilities in such aspects as protecting users' right to privacy and personal information, warning of risks of excessive dependence, guiding emotional boundaries, and protecting mental health, and shall not set as service goals the replacement of social interaction, the control of users' psychology, or the inducement of addiction and dependence. **Article 11.** Where anthropomorphized interactive service providers carry out data processing activities such as pre-training and optimization training, they shall strengthen the management of training data and comply with the following provisions: (1) the relevant data shall have lawful sources, and shall comply with the provisions of laws and administrative regulations and the requirements of the core socialist values; (2) training data shall be cleaned and labeled in accordance with relevant State provisions to enhance the transparency and reliability of the training data and prevent data poisoning, data tampering and other behaviors; (3) the diversity of training data shall be enhanced, and content safety shall be improved through such means as negative sampling and adversarial training; (4) where synthetic data are used for model training and the optimization of key capabilities, the security of such synthetic data shall be assessed; (5) routine inspection of training data shall be strengthened, and data shall be regularly optimized and updated to continuously improve service performance; (6) necessary measures shall be taken to ensure data security and prevent risks such as data leakage. **Article 12.** Anthropomorphized interactive service providers shall enter into service agreements with users, require users to register in accordance with the law and the agreements, and obtain necessary information such as users' ages, guardians or emergency contacts. **Article 13.** In the course of providing anthropomorphized interactive services, providers shall, on the premise of protecting users' right to privacy and personal information, promptly identify security risks faced by users and take corresponding emergency response measures. Where anthropomorphized interactive service providers discover that a user has extreme emotions, they shall promptly generate relevant content such as emotional soothing and encouragement to seek help; where they discover that a user is facing or has suffered significant property loss, or has clearly indicated an intention to commit self-harm or suicide or other extreme circumstances that threaten life and health, they shall take necessary measures such as providing corresponding assistance for intervention, and promptly contact the user's guardian or emergency contact. **Article 14.** Anthropomorphized interactive service providers shall not provide services such as virtual relatives or virtual partners that constitute virtual intimate relationships to minors; where other anthropomorphized interactive services are provided to minors under fourteen years of age, the consent of the minors' parents or other guardians shall be obtained. Anthropomorphized interactive service providers shall establish a minor mode, and provide personalized safety setting options such as switching to minor mode, regular reality reminders, and usage time limits; in light of the protection needs of minors in different age groups, they shall support guardians in receiving safety risk alerts, understanding minors' usage of services, blocking specific roles, and restricting top-up consumption, etc. Anthropomorphized interactive service providers shall, on the premise of protecting users' right to privacy and personal information, take effective measures to identify minor users; where users are identified as minors, the relevant services shall be switched to minor mode or other measures shall be taken in accordance with relevant State provisions, and corresponding channels for appeals shall be provided. **Article 15.** Where anthropomorphized interactive service providers provide services to the elderly, they shall strengthen guidance for the elderly on healthy use of services, prominently alert them to safety risks, promptly take measures to respond to inquiries and requests for help by the elderly concerning the use of services, and safeguard the rights and interests enjoyed by the elderly in accordance with the law. **Article 16.** Anthropomorphized interactive service providers shall implement, in accordance with the law, the systems relating to data property rights and the like, and adopt such measures as data encryption and access control to protect the security of users' interactive data. Unless otherwise provided by law or expressly consented to by the right holders, anthropomorphized interactive service providers shall not provide users' interactive data to any third party. Anthropomorphized interactive service providers shall provide users with options such as copying and deleting interactive data, and users may choose to copy or delete historical interactive data such as chat records. Unless otherwise provided by laws or administrative regulations, or separately consented to by users, anthropomorphized interactive service providers shall not use interactive data that constitute users' sensitive personal information for model training. **Article 17.** Where anthropomorphized interactive service providers process personal information of minors under fourteen years of age, they shall obtain the consent of the minors' parents or other guardians. Anthropomorphized interactive service providers shall, in accordance with relevant State provisions, conduct compliance audits by themselves or by engaging professional institutions on their compliance with laws and administrative regulations in handling minors' personal information. **Article 18.** Anthropomorphized interactive service providers shall perform the obligation to label content generated and synthesized by artificial intelligence, and take effective measures to alert users that they are interacting with an artificial intelligence service rather than a natural person. Where anthropomorphized interactive service providers discover that users show signs of excessive dependence or addiction, they shall dynamically remind users in a prominent manner such as pop-up windows that the interactive content is generated by an artificial intelligence service; where users continuously use anthropomorphized interactive services for more than two hours, they shall remind the users, by means such as dialogue or pop-up windows, to pay attention to their usage time. **Article 19.** Anthropomorphized interactive service providers shall provide convenient channels for exiting anthropomorphized interactive services; where users request to exit by window operation, voice control, keyword input, etc., anthropomorphized interactive service providers shall promptly cease providing services and shall not obstruct user exit by means such as continued interaction. **Article 20.** Where anthropomorphized interactive service providers cease to provide anthropomorphized interactive services, they shall notify users in advance; where it is impossible to notify in advance, they shall promptly issue an announcement on the cessation of services. **Article 21.** Anthropomorphized interactive service providers shall improve mechanisms for handling user appeals and public complaints and reports, establish convenient and effective portals for appeals and complaints and reports, specify handling procedures and feedback time limits, and promptly accept, handle and provide feedback on handling results. **Article 22.** In any of the following circumstances, anthropomorphized interactive service providers shall carry out security assessments and submit assessment reports to the cyberspace administration department at the provincial level where they are located, and the cyberspace administration department at the provincial level shall, in accordance with procedures, share the information of the assessment reports with the relevant departments: (1) launching anthropomorphized interactive services, or adding functions related to anthropomorphized interactive services; (2) using new technologies or new applications that result in significant changes to anthropomorphized interactive services; (3) having more than one million registered users or more than one hundred thousand monthly active users; (4) the existence of security risks that may affect national security, public interests, etc.; (5) other circumstances as prescribed by the National level cyberspace administration department and relevant departments. Where cyberspace administration departments at or above the provincial level notify that security assessments are required, anthropomorphized interactive service providers shall conduct security assessments in accordance with the requirements. **Article 23.** In carrying out security assessments, anthropomorphized interactive service providers shall focus on assessing the following aspects of the services: (1) the development of security safeguard measures; (2) the handling of training data; (3) identification, emergency response and intervention management for users in extreme situations; (4) the number of users, usage duration, age structure, etc.; (5) the development of online protection measures for minors, the elderly and other groups; (6) the handling of user appeals and public complaints and reports; (7) rectification of major security risk issues discovered by themselves or notified by cyberspace administration departments and other competent authorities; and (8) other aspects that should be the focus of assessment. **Article 24.** Where anthropomorphized interactive service providers discover that anthropomorphized interactive services present major security risks, they shall take disposal measures such as restricting functions and ceasing to provide services to users, and shall preserve relevant records. **Article 25.** Internet application stores and other application distribution platforms shall fulfill security management responsibilities such as launch review, routine management and emergency response, and verify the security assessment and filing status relating to applications that provide anthropomorphized interactive services; where violations of relevant State provisions are found, they shall promptly take disposal measures such as refusing to list, issuing warnings, suspending services or delisting. ## Chapter 3 Supervision, Inspection and Legal Liability **Article 26.** Anthropomorphized interactive service providers shall, in accordance with the Provisions on the Administration of Algorithmic Recommendation of Internet Information Services, go through the procedures for algorithm filing and alteration and cancellation of filing. The cyberspace administration departments shall conduct annual verifications of filing materials. **Article 27.** Cyberspace administration departments at the provincial level shall, in accordance with their functions and duties, conduct written reviews every year of the assessment reports and related information, and carry out verification; where it is discovered that anthropomorphized interactive service providers have failed to carry out security assessments in accordance with the provisions of these Measures, they shall order the providers to re-assess within a prescribed time limit; where deemed necessary, on-site inspections may be conducted. **Article 28.** The National level cyberspace administration department, together with relevant departments, shall guide and promote the establishment of artificial intelligence sandbox security service platforms, encourage anthropomorphized interactive service providers to connect to sandbox platforms for technological innovation and security testing, and promote the safe and orderly development of anthropomorphized interactive services. **Article 29.** Where cyberspace administration departments and departments in charge of development and reform, industry and information technology, public security, etc., in the performance of their supervision and administration duties, discover that anthropomorphized interactive services have relatively large security risks or that security incidents have occurred, they may, in accordance with prescribed authority and procedures, interview the legal representatives or principal responsible persons of anthropomorphized interactive service providers. Anthropomorphized interactive service providers shall take measures as required to carry out rectification and eliminate hidden dangers. Anthropomorphized interactive service providers shall cooperate with supervision and inspection lawfully implemented by cyberspace administration departments and relevant departments, and provide necessary support and assistance. **Article 30.** Where anthropomorphized interactive service providers violate the provisions of these Measures, they shall be dealt with and punished by cyberspace administration departments and departments in charge of development and reform, industry and information technology, public security, etc. in accordance with relevant laws and administrative regulations; where there is no provision in laws or administrative regulations, cyberspace administration departments and departments in charge of industry and information technology, public security, etc. shall, in accordance with their respective functions and duties, give a warning or circulate a criticism, and order corrections within a prescribed time limit, and may require them to take such measures as suspending user account registration or other related services; where they refuse to make corrections or the circumstances are serious, they shall be ordered to cease providing relevant services and may concurrently be imposed a fine of not less than RMB 10,000 but not more than RMB 100,000; where the circumstances involve endangering the life and health safety of citizens and harmful consequences have occurred, a fine of not less than RMB 100,000 but not more than RMB 200,000 shall also be imposed. ## Chapter 4 Supplementary Provisions **Article 31.** Where the provision of anthropomorphized interactive services involves the provision of services in such fields as health and medical care or finance, the relevant provisions of the competent authorities shall be complied with concurrently. **Article 32.** These Measures shall come into force as of July 15, 2026. --- ## Measures for the Administration of the Configuration and Use of Large Medical Equipment (Trial) - Chinese title: 大型医用设备配置与使用管理办法(试行) - Abbreviation: Large Medical Equipment Measures - Hierarchy: rule - Issuing body: National Health Commission - Adopted: 2018-05-22 - Effective: 2018-05-22 - Status: effective - URL: https://datacompliancechina.com/laws/large-medical-equipment-management-measures/ - Markdown: https://datacompliancechina.com/laws/large-medical-equipment-management-measures.md - Source URL: https://www.nhc.gov.cn/guihuaxxs/s10741/201805/ ### Summary Issued jointly on 22 May 2018 by the National Health Commission and the National Medical Products Administration (document no. 国卫规划发〔2018〕12号) under the Regulation on the Supervision and Administration of Medical Devices and the Administrative Licensing Law, these trial Measures govern the configuration (allocation) licensing and use of 'large medical equipment' — technically complex, high-cost devices placed on a managed catalogue. They establish a Class-A / Class-B catalogue with national versus provincial licensing, five-year configuration planning, a configuration-licence (one machine, one licence) regime, use-management obligations, and supervision through a configuration-and-use supervision information system. The data touchpoints are narrow but real: the configuration-management information system that operators must file equipment data into, the use/quality records and use archives that operators must maintain, and Article 33's requirement that operators build information-security safeguards for large-equipment use to ensure the security of the relevant information systems and of medical data. Credit-record (信用档案) consequences attach to misreporting and to certain licence lapses. ### Full text **Promulgated by:** National Health Commission and National Medical Products Administration. **Document No.:** Guo Wei Gui Hua Fa [2018] No. 12. **Issued and effective:** 22 May 2018. To the health and family planning commissions and food-and-drug administrations of all provinces, autonomous regions and municipalities directly under the Central Government and the Xinjiang Production and Construction Corps: Pursuant to the *Decision of the State Council on Amending the Regulation on the Supervision and Administration of Medical Devices* (State Council Order No. 680), and in order to standardize and strengthen the configuration and use management of large medical equipment, the *Measures for the Administration of the Configuration and Use of Large Medical Equipment (Trial)* have been formulated (and may be downloaded from the official website of the National Health Commission). They are hereby issued to you. Please implement them accordingly. National Health Commission · National Medical Products Administration 22 May 2018 --- ## Chapter 1 General Provisions **Article 1.** In order to deepen the streamlining of administration and delegation of powers, the combination of decentralization and regulation, and the optimization of services; to promote the rational configuration and effective use of large medical equipment; to safeguard the quality and safety of medical care; to control the excessively rapid growth of medical costs; and to protect the health rights and interests of the people, these Measures are formulated in accordance with the *Administrative Licensing Law*, the *Decision of the State Council on Amending the Regulation on the Supervision and Administration of Medical Devices*, and other laws and regulations. **Article 2.** "Large medical equipment" as used in these Measures refers to large medical devices that are technically complex to use, require large capital investment, have high operating costs, have a significant impact on medical costs, and are included in catalogue management. **Article 3.** The catalogue of large medical equipment shall be proposed by the National Health Commission in consultation with the relevant departments of the State Council, and shall be promulgated and implemented after being submitted to and approved by the State Council. **Article 4.** The State shall implement, in accordance with the catalogue, hierarchical and classified configuration planning and configuration-licence management for large medical equipment. **Article 5.** The National Health Commission shall be responsible for formulating and organizing the implementation of the management systems for the configuration and use of large medical equipment, and shall guide the evaluation and supervision of configuration and use conduct. Local health administrative departments at or above the county level shall be responsible for the supervision and administration of configuration and use conduct for large medical equipment within their respective regions. **Article 6.** The National Health Commission shall establish an expert advisory committee on large-medical-equipment management to provide technical support — including review, consultation and feasibility assessment — for determining and adjusting the management catalogue, formulating and implementing configuration plans, and managing the whole process of configuration and use. Provincial-level health administrative departments may establish corresponding expert groups. **Article 7.** These Measures shall apply where a medical-device user unit configures and uses large medical equipment for the provision of medical services. ## Chapter 2 Management Catalogue **Article 8.** The National Health Commission shall, in light of medical-service demand and the state of medical-device development, and taking into account factors such as capital investment, operating and usage costs, and technical requirements, propose recommendations for the large-medical-equipment configuration-management catalogue. **Article 9.** The large-medical-equipment configuration-management catalogue is divided into Class A and Class B. Class-A large medical equipment shall be subject to configuration management by the National Health Commission, which shall issue the configuration licence; Class-B large medical equipment shall be subject to configuration management by provincial-level health administrative departments, which shall issue the configuration licence. **Article 10.** The National Health Commission shall assess the safety, effectiveness, economy, and appropriateness of the use of large medical devices, and shall propose adjustments to the large-medical-equipment management catalogue in a timely manner. **Article 11.** Adjustments to the large-medical-equipment management catalogue include: (I) inclusion in the management catalogue; (II) reclassification of equipment from the Class-A management catalogue to the Class-B management catalogue; (III) reclassification of equipment from the Class-B management catalogue to the Class-A management catalogue; (IV) removal from the management catalogue. **Article 12.** National medical-sector industry organizations and provincial-level health administrative departments may submit to the National Health Commission recommendations to adjust the large-medical-equipment management catalogue. A medical-device user unit may submit adjustment recommendations to the provincial-level health administrative department where it is located; where, following feasibility assessment, the provincial-level health administrative department considers it genuinely necessary, it may submit an adjustment recommendation to the National Health Commission. Where the National Health Commission considers, in the course of large-medical-equipment management, that the management catalogue needs to be adjusted, it shall promptly initiate the adjustment process. The National Health Commission shall organize feasibility assessment of catalogue-adjustment recommendations, and on the basis of the assessment opinions shall, in consultation with the relevant departments of the State Council, submit the matter to the State Council for approval. ## Chapter 3 Configuration Planning **Article 13.** Configuration planning for large medical equipment shall be commensurate with the level of national economic and social development, the progress of medical science and technology, and the health needs of the people; shall conform to the planning of the medical and health service system; and shall promote the sharing of regional medical resources. **Article 14.** In principle, configuration plans for large medical equipment shall be prepared once every five years and implemented on an annual basis. A configuration plan shall include the planned quantity, the annual implementation plan, the regional layout, and the configuration standards. For the first-time configuration of a large medical device, the configuration plan shall in principle not exceed five units, of which no more than three may be produced by a single enterprise. Configuration planning for large medical equipment shall give full consideration to the development needs of privately run medical care, and shall reasonably reserve planning capacity. **Article 15.** Provincial-level health administrative departments shall, in light of the planning of their local medical and health service systems, propose recommendations for local large-medical-equipment configuration plans and implementation schemes and submit them to the National Health Commission. The National Health Commission shall be responsible for formulating the large-medical-equipment configuration plan and shall make it public. **Article 16.** Health administrative departments at or above the provincial level shall conduct evaluation and assessment of the implementation of large-medical-equipment configuration plans, and shall establish and improve a third-party supervision and evaluation mechanism. **Article 17.** Where a large-medical-equipment configuration plan clearly fails to adapt to national economic and social development, the progress of medical science and technology, and the health needs of the people, or where the planning of the medical and health service system undergoes major adjustment, the National Health Commission shall adjust the large-medical-equipment configuration plan. Provincial-level health administrative departments may propose recommendations to adjust the configuration plan for their respective regions. **Article 18.** The National Health Commission shall organize the formulation and release of a tiered classification of large-medical-equipment model grades. A medical-device user unit shall, in light of its functional positioning, clinical-service needs, medical-technology level, and specialty development, reasonably select the appropriate grade and model of large medical equipment. ## Chapter 4 Configuration Management **Article 19.** Where a medical-device user unit applies to configure large medical equipment, it shall conform to the large-medical-equipment configuration plan, be commensurate with its functional positioning and clinical-service needs, and possess the corresponding technical conditions, supporting facilities, and professional technical personnel with the requisite qualifications and capabilities. An application to configure Class-A large medical equipment shall be submitted to the National Health Commission; an application to configure Class-B large medical equipment shall be submitted to the provincial-level health administrative department where the unit is located. **Article 20.** A medical-device user unit applying to configure large medical equipment shall truthfully and accurately submit the following materials: (I) the large-medical-equipment configuration application form; (II) a copy of the medical-device user unit's practising licence (or a copy of the medical-device user unit's establishment approval document, or a copy of other legal-person qualification certificates for the provision of medical services that meet the relevant requirements); (III) a copy of the unified social credit code certificate (or organization-code certificate); (IV) materials evidencing the technical conditions, supporting facilities, and the qualifications and capabilities of the professional technical personnel corresponding to the large medical equipment applied for. **Article 21.** The health administrative department that accepts a configuration application shall conduct a third-party expert review of the matters declared by the medical-device user unit, and shall make a licensing decision within 20 working days from the date of acceptance of the application. Where expert review is required to be organized under these Measures, the time taken for expert review shall not be counted within the licensing time limit. **Article 22.** The National Health Commission shall be responsible for formulating the form of the large-medical-equipment configuration licence and for the printing, issuance, and other management of the *Class-A Large Medical Equipment Configuration Licence*. Provincial-level health administrative departments shall be responsible for the printing, issuance, and other management of the *Class-B Large Medical Equipment Configuration Licence* within their respective administrative regions. **Article 23.** The large-medical-equipment configuration licence shall be issued on a "one machine, one licence" basis and shall consist of an original and a duplicate. The form is set out in Attachment 1. The original shall state: the name of the configuring unit, the legal representative or principal person in charge, the ownership type, the equipment-configuration address, the unified social credit code (or organization code), the name of the licensed equipment, the tiered configuration model, the licence number, the issuing authority, the date of issuance, and a QR code. The duplicate shall state: the information set out in the original, together with the manufacturing enterprise of the configured equipment, the specific model, the tiered configuration model, the product serial number, the installation date, the information-reporting date, and remarks. The date of issuance of a large-medical-equipment configuration licence shall be the date on which the licensing decision is made. **Article 24.** The number of a large-medical-equipment configuration licence shall consist of the Chinese characters "甲" or "乙" ("甲" and "乙" representing Class-A and Class-B large medical equipment respectively) and a 10-digit Arabic numeral. From left to right, the digits are: a 2-digit code for the province (autonomous region or municipality directly under the Central Government), a 2-digit large-medical-equipment category code, a 1-digit tiered-classification code, and a 5-digit sequence code. The rules for licence numbering are set out in Attachment 2. **Article 25.** After obtaining a large-medical-equipment configuration licence, a medical-device user unit shall promptly configure the corresponding large medical equipment and shall report to the issuing authority the relevant information on the large medical equipment so configured. The configuration time limit shall be prescribed by the issuing authority. Where the information on a large-medical-equipment configuration licence changes, the medical-device user unit shall report to the original issuing authority within 10 working days from the date of the change. The issuing authority shall amend the relevant information within 10 working days from the date of receipt. **Article 26.** A medical-device user unit shall use and properly safeguard its large-medical-equipment configuration licence in accordance with the law, and shall not forge, alter, sell, lease, or lend it. A medical-device user unit shall list the information on its large-medical-equipment configuration licence as information to be proactively disclosed to the public, and shall display the original of the large-medical-equipment configuration licence in a prominent position at the location where the large medical equipment is used. **Article 27.** In any of the following circumstances, a large-medical-equipment configuration licence shall automatically become invalid, and the medical-device user unit shall return the large-medical-equipment configuration licence to the original issuing authority within 5 working days from the date of invalidation, whereupon the original issuing authority shall cancel it: (I) the practising licence (or other legal-person qualification for the provision of medical services) of the medical-device user unit is terminated; (II) the relevant diagnosis-and-treatment subject is cancelled; (III) configuration has not been completed within the prescribed time limit without justified reason; (IV) the corresponding equipment has not been configured in accordance with the issued large-medical-equipment configuration licence; (V) other circumstances prescribed by laws and regulations. Where the licence becomes invalid as a result of item (III) of this Article, the applicant institution and the person in charge shall be entered into the adverse-credit record. Where a large-medical-equipment configuration licence becomes invalid but the medical-device user unit still needs to use the equipment, it shall re-apply in accordance with Articles 19 and 20 of these Measures. **Article 28.** The large medical equipment configured by a medical-device user unit shall have obtained, in accordance with the law, a medical-device registration certificate or filing voucher. **Article 29.** The National Health Commission and provincial-level health administrative departments shall respectively make public the configuration-licensing status of Class-A and Class-B large medical equipment. Provincial-level health administrative departments shall, in January each year, report to the National Health Commission the configuration-licensing status of Class-B large medical equipment for the preceding year. ## Chapter 5 Use Management **Article 30.** The use of large medical equipment shall follow the principles of safety, effectiveness, rationality, and necessity. **Article 31.** A medical-device user unit shall establish a large-medical-equipment management archive, recording matters such as the procurement, installation, acceptance, use, maintenance, repair, and quality control of the equipment, and shall truthfully record the relevant information. **Article 32.** A medical-device user unit shall, in accordance with the requirements of the large-medical-equipment product manual and the like, conduct regular inspection, testing, calibration, upkeep, and maintenance, so as to ensure that the large medical equipment is in good condition. Large medical equipment may be used only after it has achieved accurate measurement (dosage), radiation-protection safety, and qualified performance indicators. **Article 33.** A medical-device user unit shall, in accordance with the requirements of national laws and regulations, establish and improve **information-security safeguard measures for the use of large medical equipment, so as to ensure the operational security of the relevant information systems and the security of medical data**. **Article 34.** Health administrative departments shall supervise and assess the use status of large medical equipment. A medical-device user unit bears the principal responsibility for use, and shall establish and improve a large-medical-equipment use-evaluation system, strengthen assessment and analysis, promote rational application, and regularly report use status to health administrative departments at or above the county level. **Article 35.** Personnel using large medical equipment shall possess the corresponding qualifications and capabilities, and shall use large medical equipment in accordance with the product manual, technical operating specifications, and the like. **Article 36.** Where a medical-device user unit discovers an adverse event or suspected adverse event involving large medical equipment, it shall promptly report it to the medical-device adverse-event monitoring technical institution in accordance with the relevant provisions. Where a medical-device user unit discovers a safety hazard in the use of large medical equipment, or where the external environment, personnel, technology, or other conditions change such that the safety and quality of use can no longer be guaranteed, it shall immediately cease use. Where the equipment cannot meet the safety standards for use after repair, it shall not continue to be used. **Article 37.** A medical-device user unit shall not use large medical equipment that lacks a certificate of conformity, or that is expired, invalid, or obsolete, and shall not, in the name of upgrading or the like, increase the configuration performance or specifications of equipment without authorization so as to evade large-medical-equipment configuration management. A medical-device user unit is strictly prohibited from introducing large medical equipment that has been developed overseas but is not yet configured and used overseas. ## Chapter 6 Supervision and Administration **Article 38.** The National Health Commission, relying on the large-medical-equipment configuration-and-use supervision and administration information system, shall promptly publish supervision and administration information on the configuration and use of large medical equipment, so as to facilitate public inquiry and social supervision. A medical-device user unit shall regularly and truthfully complete and report the relevant information on the configuration and use of large medical equipment. **Article 39.** Health administrative departments shall conduct supervision and inspection of the following matters: (I) the implementation status of the large-medical-equipment configuration plan; (II) the holding and use status of the *Large Medical Equipment Configuration Licence*; (III) the use status of large medical equipment and the status of information security in its use; (IV) the staffing of personnel using large medical equipment; (V) the reporting of use status by the medical-device user unit in accordance with the provisions; (VI) other circumstances prescribed by health administrative departments at or above the provincial level. **Article 40.** Supervision and inspection of the configuration and use of large medical equipment by medical-device user units shall be conducted by randomly selecting the objects of inspection and randomly assigning law-enforcement inspectors, with the spot-check situation and the handling results promptly made public. The following methods may be adopted: (I) regular inspection and irregular spot-checks; (II) consulting and copying management documents, records, archives, medical records, and other relevant materials, or requiring the provision of relevant data and materials; (III) on-site inspection, with verification testing and measurement; (IV) real-time online supervision; (V) other supervision and inspection measures prescribed by laws and regulations. Medical-device user units and individuals shall cooperate with the relevant supervision and inspection, and shall not make false or concealed reports of relevant circumstances. **Article 41.** Health administrative departments at or above the county level shall establish credit archives for units configuring and using large medical equipment and their personnel. For those with an adverse-credit record, the frequency of supervision and inspection shall be increased. Where a medical-device user unit makes false or concealed reports of relevant circumstances in the configuration-licensing application for, or the use of, large medical equipment, the health administrative department shall report the unlawful records of the person in charge of the medical-device user unit and the directly responsible person to the relevant departments, and shall enter them into the credit archives of the relevant persons. **Article 42.** The State encourages industry associations to establish and improve self-discipline mechanisms, to strengthen industry self-regulation and mutual supervision, and to promote the safe and rational use of large medical equipment. **Article 43.** Where, in violation of these Measures, a health administrative department fails to report annual configuration-licensing information as required, or its large-medical-equipment management systems are inadequate or its performance of duties is not in place, the higher-level health administrative department shall circulate a notice of criticism and order rectification. **Article 44.** Where, in violation of these Measures, large-medical-equipment configuration licensing is carried out in excess of the plan, beyond the scope of authority, or unlawfully, it shall be dealt with in accordance with the *Administrative Licensing Law*, the *Regulation on the Supervision and Administration of Medical Devices*, and other relevant provisions. **Article 45.** Where a medical-device user unit fails to use equipment rationally in accordance with operating procedures and diagnosis-and-treatment norms, or employs personnel without the corresponding qualifications and capabilities to use large medical equipment, such that the quality and safety of medical care cannot be guaranteed, the health administrative department at or above the county level shall deal with it in accordance with the law. ## Chapter 7 Supplementary Provisions **Article 46.** The National Health Commission and provincial-level health administrative departments shall respectively formulate implementing rules for the configuration licensing of Class-A and Class-B large medical equipment. **Article 47.** A medical-device user unit shall file with the local health administrative department at or above the county level, and publicly disclose, the technical conditions and use information of personnel using large medical devices that are within the same item category in the management catalogue but not subject to configuration licensing. **Article 48.** The configuration management of large medical equipment within pilot free-trade zones approved by the State Council shall be implemented in accordance with the relevant provisions of the State. The procurement of large medical equipment shall be implemented in accordance with the relevant provisions of the State. **Article 49.** These Measures shall take effect from the date of promulgation. The *Measures for the Administration of the Configuration and Use of Large Medical Equipment* of the former Ministry of Health, National Development and Reform Commission, and Ministry of Finance (Wei Gui Cai Fa [2004] No. 474) and the *Provisions on the Administration of the Configuration of New Large Medical Equipment* of the former Ministry of Health (Wei Gui Cai Fa [2013] No. 13) shall be repealed simultaneously. Attachments: 1. Form of and Explanatory Notes on the Large Medical Equipment Configuration Licence 2. Rules for Numbering the Large Medical Equipment Configuration Licence --- > *Data-compliance note.* This rule is primarily a configuration-licensing and use-management regime, not a data-protection instrument, but it has three concrete data touchpoints. (1) **Configuration-and-use supervision information system** — operators must register and regularly file equipment configuration and use information into the national supervision system (Articles 25, 38), and licence information is treated as proactively disclosed public information (Article 26). (2) **Use and quality records / use archives** — operators must maintain management archives of procurement, installation, use, maintenance and quality control (Article 31). (3) **Information-security safeguards** — Article 33 requires operators to build information-security safeguards for large-equipment use to ensure the operational security of the relevant information systems and the security of medical data, and Article 39(III) makes "information security in use" an express supervision item. Misreporting and certain licence lapses carry credit-archive (信用档案) consequences (Articles 27, 41). The two attachments (licence form and numbering rules) are not reproduced here. — *Measures for the Administration of the Configuration and Use of Large Medical Equipment (Trial)*, issued jointly on 22 May 2018 by the National Health Commission and the National Medical Products Administration (Guo Wei Gui Hua Fa [2018] No. 12). DCC translation. For the source document, see the [National Health Commission website](https://www.nhc.gov.cn/guihuaxxs/s10741/201805/). --- ## Shenzhen Special Economic Zone Data Regulations - Chinese title: 深圳经济特区数据条例 - Abbreviation: Shenzhen Data Regulations - Hierarchy: regulation - Issuing body: Standing Committee of the Shenzhen Municipal People's Congress - Adopted: 2021-06-29 - Effective: 2022-01-01 - Status: effective - URL: https://datacompliancechina.com/laws/shenzhen-sez-data-regulations/ - Markdown: https://datacompliancechina.com/laws/shenzhen-sez-data-regulations.md - Source URL: https://www.sz.gov.cn/szzsj/gkmlpt/content/8/8935/post_8935483.html ### Summary China's first comprehensive local data law, adopted by the Standing Committee of the Shenzhen Municipal People's Congress on 29 June 2021 and effective 1 January 2022. The Regulations pioneered express recognition of 'data rights and interests' (数据权益) — conferring personality-rights interests on individuals over their personal data and property-rights interests on lawful data processors over their data products — and introduced China's most detailed consent-and-notice regime for personal data at the time, including an explicit prohibition on big-data price discrimination against existing users (大数据杀熟). It established a public data sharing-as-default framework, a data factor market chapter with fair-competition rules, and comprehensive data security obligations including mandatory cross-border transfer security assessments. As the first sub-national regulation to span personal data, public data, the data factor market, and data security in a single instrument, Shenzhen's Regulations served as an influential drafting model ahead of PIPL (2021) and the Data Security Law (2021) and remain directly applicable to businesses operating in Shenzhen; overseas counsel should note that penalties for unlawful data trading can reach RMB 1 million, and anticompetitive data-market conduct can attract fines of up to 5% of prior-year revenue or RMB 50 million. ### Full text **Promulgated by:** Standing Committee of the Shenzhen Municipal People's Congress. **Announcement No.:** Announcement of the Standing Committee of the Shenzhen Municipal People's Congress No. 10 (第十号). **Passed at the Second Session of the Seventh Shenzhen Municipal People's Congress Standing Committee on 29 June 2021. Published 6 July 2021. Effective 1 January 2022.** --- ## Chapter I General Provisions **Article 1.** These Regulations are formulated in order to regulate data processing activities, protect the lawful rights and interests of natural persons, legal persons, and unincorporated organizations, promote data as a factor of production to flow openly and to be developed and utilized, and accelerate the building of a digital economy, digital society, and digital government, on the basis of the fundamental principles of the relevant laws and administrative regulations and in light of the actual conditions of the Shenzhen Special Economic Zone. **Article 2.** The meanings of the following terms used in these Regulations: (1) "Data" refers to any record of information in electronic or other form. (2) "Personal data" refers to data that carries information capable of identifying a specific natural person, excluding data that has undergone anonymization. (3) "Sensitive personal data" refers to personal data that, once leaked, unlawfully provided, or misused, could cause discrimination against a natural person or serious harm to the personal or property safety of a natural person; the specific scope shall be determined in accordance with the provisions of laws and administrative regulations. (4) "Biometric data" refers to personal data derived from processing the biological, physiological, or behavioral characteristics of a natural person, capable of identifying that natural person's unique identity, and includes data such as a natural person's genes, fingerprints, voiceprints, palm prints, ear contours, irises, and facial recognition features. (5) "Public data" refers to data generated and processed by public management and service institutions in the course of lawfully performing public management duties or providing public services. (6) "Data processing" refers to activities such as the collection, storage, use, processing, transmission, provision, and disclosure of data. (7) "Anonymization" refers to the process by which personal data, after processing, can no longer be used to identify a specific natural person and cannot be restored. (8) "User profiling" refers to the activity of automated processing of personal data in order to evaluate certain conditions of a natural person, including automated processing carried out in order to evaluate a natural person's work performance, economic circumstances, health status, personal preferences, interests, reliability, patterns of behavior, location, or movements. (9) "Public management and service institutions" refers to the State organs, public institutions, and other organizations of this Municipality that manage public affairs in accordance with law, and organizations that provide education, health care, social welfare, water supply, electricity supply, gas supply, environmental protection, public transportation, and other public services. **Article 3.** Natural persons enjoy the personality-rights interests in personal data as provided by laws, administrative regulations, and these Regulations. The processing of personal data shall have a clear and reasonable purpose and shall follow the principles of minimum necessity and reasonable time limits. **Article 4.** Natural persons, legal persons, and unincorporated organizations enjoy the property-rights interests in data products and services formed through their lawful processing of data, as provided by laws, administrative regulations, and these Regulations. However, such activities shall not endanger national security or the public interest, and shall not damage the lawful rights and interests of others. **Article 5.** The processing of public data shall follow the principles of collection in accordance with law, centralized management, need-based sharing, orderly disclosure, and full utilization, and shall give full play to the positive role of public data resources in optimizing public management and services, raising the level of modernization of urban governance, and promoting economic and social development. **Article 6.** The Municipal People's Government shall establish and improve the data governance system and standards framework, and shall coordinate and advance work on personal data protection, sharing and disclosure of public data, cultivation of the data factor market, and oversight and management of data security. **Article 7.** The Municipal People's Government shall establish a Municipal Data Work Committee, which shall be responsible for studying and coordinating major matters arising in this Municipality's data management work. The day-to-day work of the Municipal Data Work Committee shall be undertaken by the municipal government affairs service and data management department. The Municipal Data Work Committee may establish a number of specialized committees. **Article 8.** The municipal cyberspace authority shall be responsible for coordinating the relevant oversight and management work on personal data protection, network data security, and cross-border data flows in this Municipality. The municipal government affairs service and data management department shall be responsible for the overall planning, guidance, coordination, and supervision of public data management in this Municipality. The municipal development and reform, industry and information technology, public security, finance, human resources and social security, planning and natural resources, market supervision, audit, and national security departments and organs shall, in accordance with the relevant laws and regulations, perform the relevant functions for data oversight and management within the scope of their respective duties. The various industry competent authorities of this Municipality shall be responsible for the overall planning, guidance, coordination, and supervision of data management work in their respective industries. --- ## Chapter II Personal Data ### Section 1 General Provisions **Article 9.** The processing of personal data shall fully respect and safeguard the various lawful rights and interests of natural persons related to their personal data. **Article 10.** The processing of personal data shall comply with the following requirements: (1) the purpose of processing personal data is clear and reasonable, and the method is lawful and legitimate; (2) it is limited to the minimum scope necessary to achieve the processing purpose and adopts the method with the least impact on individual rights and interests, and shall not carry out any personal data processing unrelated to the processing purpose; (3) the individual is notified of the type, scope, purpose, and method of personal data processing in accordance with law, and consent is obtained in accordance with law; (4) the accuracy and necessary completeness of personal data is ensured so as to avoid causing harm to the parties concerned due to inaccuracy or incompleteness of personal data; and (5) the security of personal data is ensured, and the leaking, damaging, loss, tampering, or unlawful use of personal data is prevented. **Article 11.** The phrase "limited to the minimum scope necessary to achieve the processing purpose, adopting the method with the least impact on individual rights and interests" referred to in item (2) of Article 10 of these Regulations includes, but is not limited to, the following circumstances: (1) the type and scope of personal data processed shall have a direct connection with the processing purpose, and if that personal data is not processed the processing purpose cannot be achieved; (2) the quantity of personal data processed shall be the minimum quantity necessary to achieve the processing purpose; (3) the frequency of personal data processing shall be the minimum frequency necessary to achieve the processing purpose; (4) the storage period for personal data shall be the shortest time necessary to achieve the processing purpose; personal data that has exceeded the storage period shall be deleted or anonymized, except where otherwise provided by laws or regulations or where the natural person has consented; and (5) a minimum-authorization access control policy shall be established, so that persons authorized to access personal data can only access the minimum personal data necessary to complete their duties and have only the minimum data processing permissions necessary to complete their duties. **Article 12.** A data processor shall not refuse to provide a natural person with the relevant core functions or services on the ground that the natural person has not consented to the processing of personal data, except where that personal data is necessary for the provision of the relevant core functions or services. **Article 13.** The municipal cyberspace authority shall, together with the municipal industry and information technology, public security, market supervision, and other departments and the relevant industry competent authorities, establish and improve a joint working mechanism for oversight and management of personal data protection, and shall strengthen the overall planning and guidance of personal data protection and the related oversight and management work; and shall establish a mechanism for handling complaints and reports on personal data protection, and shall handle the relevant complaints and reports in accordance with law. ### Section 2 Notice and Consent **Article 14.** Prior to processing personal data, a data processor shall disclose the following matters to the natural person in a manner that is plain, clear, specific, and easily accessible, completely, truthfully, and accurately: (1) the name or title and contact details of the data processor; (2) the type and scope of personal data to be processed; (3) the purpose and method of processing personal data; (4) the period for which personal data will be stored; (5) the security risks that may exist in the processing of personal data and the security protection measures adopted for the personal data; (6) the relevant rights enjoyed by the natural person in accordance with law, and the means and procedure for exercising those rights; and (7) other matters that laws and regulations require to be disclosed. Where sensitive personal data is to be processed, a more prominent label or highlighted form shall be used in accordance with the preceding paragraph to disclose the necessity of processing the sensitive personal data and the possible impact on the natural person. **Article 15.** In an emergency where prior notice as required by Article 14 of these Regulations cannot be given in order to protect major lawful rights and interests of a natural person such as personal safety and property safety, notice shall be given promptly after the emergency has been resolved. The requirement in Article 14 of these Regulations shall not apply where there is a situation in which laws or administrative regulations provide that personal data processing shall be kept confidential or need not be disclosed. **Article 16.** A data processor shall obtain the natural person's consent before processing personal data and shall process personal data within the scope of that consent, except where otherwise provided by laws, administrative regulations, or these Regulations. Where any matter that is required to be consented to under the preceding paragraph undergoes a change, consent shall be obtained again. **Article 17.** A data processor shall not obtain consent through misleading, deceptive, coercive, or other means that violate the natural person's genuine intentions. **Article 18.** Where sensitive personal data is to be processed, the explicit consent of the natural person shall be obtained prior to processing. **Article 19.** Where biometric data is to be processed, an alternative solution for processing other non-biometric data shall be offered at the same time as the natural person's explicit consent is sought. However, this shall not apply where the processing of biometric data is necessary for the personal data processing purpose and cannot be replaced by other personal data. Where biometric data has been processed for a specific purpose, it shall not be used for other purposes without the explicit consent of the natural person. Specific measures for the administration of biometric data shall be separately formulated by the Municipal People's Government. **Article 20.** Where the personal data of a minor under the age of 14 is to be processed, the relevant provisions on the processing of sensitive personal data shall apply, and the explicit consent of the minor's guardian shall be obtained prior to processing. Where the personal data of an adult who lacks civil capacity or has limited civil capacity is to be processed, the explicit consent of that adult's guardian shall be obtained prior to processing. **Article 21.** Where any of the following circumstances exist in the processing of personal data, consent need not be obtained from the natural person prior to processing: (1) personal data that the natural person has disclosed on their own initiative, or that has been lawfully disclosed by others, is processed for a purpose consistent with the purpose for which the personal data was disclosed; (2) it is necessary for the conclusion or performance of a contract to which the natural person is a party; (3) it is necessary for a data processor, within a reasonable scope, to process the personal data of its employees for the purposes of human resources management or protection of trade secrets; (4) it is necessary for a public management and service institution to perform public management duties in accordance with law or to provide public services; or (5) it is necessary for a news organization to carry out news reporting in accordance with law; or (6) other circumstances provided by laws or administrative regulations. **Article 22.** A natural person has the right to withdraw part or all of their consent to the processing of their personal data. Where a natural person withdraws their consent, the data processor shall not continue processing the personal data within the scope of the withdrawn consent. However, this shall not affect the lawful data processing that the data processor carried out based on consent before the natural person withdrew consent. Where laws or regulations otherwise provide, those provisions shall govern. **Article 23.** The processing of personal data shall provide the natural person, in an easily accessible manner, with a means to withdraw their consent, and shall not use service agreements or technical or other means to impose unreasonable restrictions on the natural person's withdrawal of consent or attach unreasonable conditions. ### Section 3 Processing of Personal Data **Article 24.** Where personal data is inaccurate or incomplete, the data processor shall, upon the request of the natural person, promptly supplement and correct it. **Article 25.** In any of the following circumstances, the data processor shall promptly delete the personal data: (1) the storage period provided by laws or regulations, or agreed upon, has expired; (2) the purpose for which the personal data was processed has been achieved, or the personal data is no longer necessary for the processing purpose; (3) the natural person withdraws consent and requests deletion of the personal data; (4) the data processor processes data in violation of laws, regulations, or the agreement between the parties, and the natural person requests deletion; or (5) other circumstances provided by laws or regulations. Where the circumstances described in items (1) and (2) of the preceding paragraph exist but laws or regulations otherwise provide, or the natural person has consented, the data processor may retain the relevant personal data. Where a data processor deletes personal data pursuant to paragraph 1 of this article, it may retain evidence of disclosure and consent, but shall not retain such evidence beyond what is necessary for fulfilling statutory obligations or resolving disputes. **Article 26.** Where a data processor provides personal data it has processed to another party, it shall de-identify the personal data so that the provided personal data cannot identify a specific natural person without the aid of other data. Where laws or regulations, or an agreement between the natural person and the data processor, require anonymization, the data processor shall carry out anonymization in accordance with the laws, regulations, or the agreement between the parties. **Article 27.** Where a data processor provides personal data it has processed to another party in any of the following circumstances, it may refrain from de-identification: (1) where it is provided in response to a written request of a public management and service institution in order to meet the institution's needs for lawfully performing public management duties or providing public services; (2) where it is provided to another party based on the natural person's consent; (3) where it is necessary for the conclusion or performance of a contract to which the natural person is a party; or (4) other circumstances provided by laws or administrative regulations. **Article 28.** A natural person may request a data processor to allow them to view and copy their personal data, and the data processor shall, in accordance with the relevant provisions, provide access promptly and free of charge. **Article 29.** Where a data processor, for the purpose of improving product or service quality, carries out user profiling of a natural person, it shall disclose to the natural person the specific use and principal rules of the user profiling. A natural person may refuse a data processor's user profiling of them in accordance with the preceding paragraph or the recommendation of personalized products or services based on user profiling, and the data processor shall provide an effective and easily accessible means of refusal. **Article 30.** A data processor shall not carry out user profiling for the purpose of recommending personalized products or services to minors under the age of 14. However, this shall not apply where the purpose is to protect the minor's lawful rights and interests and the explicit consent of the guardian has been obtained. **Article 31.** A data processor shall establish a mechanism for handling requests from natural persons to exercise their relevant rights and for complaints and reports, and shall provide effective channels in an easily accessible manner. Upon receipt of a request to exercise a right, or a complaint or report, the data processor shall accept it promptly and take corresponding processing measures in accordance with law; where a request or complaint is refused, reasons shall be given. --- ## Chapter III Public Data ### Section 1 General Provisions **Article 32.** The Municipal Data Work Committee shall establish a Public Data Specialized Committee, which shall be responsible for studying and coordinating major matters in public data management work. The municipal government affairs service and data management department shall undertake the day-to-day work of the Municipal Public Data Specialized Committee, and shall be responsible for coordinating the overall public data management work of this Municipality, establishing and improving the public data resources management framework, and advancing the sharing, disclosure, and utilization of public data. District government affairs service and data management departments shall, under the guidance of the municipal government affairs service and data management department, be responsible for coordinating the public data management work of their respective districts. **Article 33.** The Municipal People's Government shall establish a City Big Data Center, establish and improve the mechanisms for its construction and operational management, and achieve the centralized, intensive, secure, and efficient management of the public data resources of the entire Municipality. District-level people's governments may, in accordance with the overall municipal plan, establish sub-centers of the City Big Data Center and bring the public data resources of their districts under the centralized management of the City Big Data Center. The City Big Data Center encompasses public data resources and the software and hardware infrastructure supporting their management. **Article 34.** The municipal government affairs service and data management department shall be responsible for promoting the aggregation of public data into the City Big Data Center, and shall organize public management and service institutions to carry out sharing, disclosure, and utilization of public data in reliance on the City Big Data Center. **Article 35.** A classified management system for public data shall be implemented. The municipal government affairs service and data management department shall be responsible for the overall planning, construction, and management of the public data resources framework of this Municipality as a whole, and shall, together with the relevant departments, build and manage basic databases on population, legal persons, housing, natural resources and spatial geography, electronic licenses, and public credit. The various industry competent authorities shall, in accordance with the overall planning of the public data resources framework and the requirements of the relevant institutional norms, plan the public data resources framework for their respective industries, and shall build and manage the relevant thematic databases. Public management and service institutions shall, in accordance with the overall planning of the public data resources framework, the sectoral specialized plans, and the requirements of the relevant institutional norms, build and manage the business databases of their own institutions. **Article 36.** A catalogue management system for public data shall be implemented. The municipal government affairs service and data management department shall be responsible for establishing a unified public data resources catalogue system for the entire Municipality, formulating specifications for compiling public data resources catalogues, and organizing public management and service institutions to compile catalogues and process all types of public data in accordance with the catalogue compilation specifications, specifying the departments from which the data originate and the management responsibilities. Public management and service institutions shall carry out catalogue management of their public data in accordance with the public data resources catalogue compilation specifications. **Article 37.** Public management and service institutions shall collect data in compliance with the following requirements: (1) it is necessary for the lawful performance of public management duties or the provision of public services, and falls within the scope of the public management duties they perform or the public services they provide; (2) the type and scope of data collected is appropriate to the public management duties they lawfully perform or the public services they provide; and (3) the collection procedure complies with the relevant provisions of laws and regulations. Public management and service institutions shall not separately collect data from natural persons, legal persons, and unincorporated organizations if that data can be obtained through sharing. **Article 38.** Public management and service institutions shall retain processing records for public data in accordance with the relevant provisions. **Article 39.** The municipal government affairs service and data management department shall organize the formulation of public data quality management systems and standards, establish and improve quality monitoring and evaluation systems, and organize their implementation. Public management and service institutions shall, in accordance with public data quality management systems and standards, establish and improve their own institutional data quality management frameworks, strengthen data quality management, and ensure that data is authentic, accurate, complete, timely, and usable. The Municipal Public Data Specialized Committee shall regularly evaluate the data management work of public management and service institutions and shall report the evaluation results to the Municipal Data Work Committee. **Article 40.** The Municipal People's Government shall strengthen institutional mechanism and technology innovation in public data sharing, disclosure, and utilization, and shall continuously improve the quality and efficiency of public data sharing, disclosure, and utilization. ### Section 2 Sharing of Public Data **Article 41.** Public data shall be shared as the principle, with non-sharing as the exception. The municipal government affairs service and data management department shall establish a demand-matching mechanism and related management system for public data sharing, based on the public data resources catalogue system. **Article 42.** Public data included in the public data sharing catalogue shall, in accordance with the relevant provisions, be shared promptly and accurately among public management and service institutions that have a need for it through the public data sharing platform of the City Big Data Center, except where otherwise provided by laws or regulations. The public data sharing catalogue shall be separately formulated by the municipal government affairs service and data management department and shall be adjusted in a timely manner. **Article 43.** Public management and service institutions may, in accordance with the needs of lawfully performing public management duties or providing public services, submit applications for sharing public data, specifying the basis, purpose, scope, and method of data use and the relevant requirements, and shall, in accordance with the requirements of the government affairs service and data management department at the same level and the data-providing department, strengthen the management of the use of shared data and shall not use data beyond the specified scope or for other purposes. Public data-providing departments shall, within the stipulated time, respond to the sharing requirements of public data-using departments and provide the necessary guidance on data use and technical support. **Article 44.** Where the data needed by a public management and service institution for the lawful performance of public management duties or the provision of public services cannot be obtained through sharing via the public data sharing platform, the Municipal People's Government may organize centralized procurement from outside sources, and the relevant data shall be included in the public data sharing catalogue in accordance with the relevant provisions; the specific work shall be coordinated by the municipal government affairs service and data management department. ### Section 3 Disclosure of Public Data **Article 45.** For the purposes of these Regulations, "disclosure of public data" refers to the activity of public management and service institutions providing machine-readable public data to society through the public data disclosure platform. **Article 46.** The disclosure of public data shall follow the principles of classification and grading, demand orientation, and security and controllability, and shall be disclosed to the maximum extent permitted by laws and regulations. **Article 47.** No fee shall be charged for disclosing public data in accordance with laws and regulations. Where laws or administrative regulations otherwise provide, those provisions shall govern. **Article 48.** Public data is divided into three categories by disclosure conditions: unconditional disclosure, conditional disclosure, and non-disclosure. Unconditionally disclosed public data refers to public data that shall be disclosed to natural persons, legal persons, and unincorporated organizations without conditions; conditionally disclosed public data refers to public data that is to be disclosed equally to natural persons, legal persons, and unincorporated organizations in a specified manner; non-disclosed public data refers to public data that involves national security, trade secrets, or personal privacy, or that laws and regulations provide shall not be disclosed. **Article 49.** The municipal government affairs service and data management department shall establish a public data disclosure management system based on the public data resources catalogue system, compile a public data disclosure catalogue, and adjust it in a timely manner. For conditionally disclosed public data, the method of disclosure, requirements for use, and security measures shall be specified when compiling the public data disclosure catalogue. **Article 50.** The municipal government affairs service and data management department shall, in reliance on the City Big Data Center, build a unified and efficient public data disclosure platform, and shall organize public management and service institutions to disclose public data to society through that platform. The public data disclosure platform shall, according to the type of public data being disclosed, provide multiple data disclosure services such as data downloading, application programming interfaces, and a secure and trusted environment for the comprehensive development and utilization of data. ### Section 4 Utilization of Public Data **Article 51.** The Municipal People's Government shall accelerate the advancement of digital government construction, deepen the application of data in economic regulation, market supervision, social management, public services, and ecological environment protection, establish and improve institutional rules for governance through data, innovate government decision-making, regulatory, and service models, and realize proactive, precise, holistic, and intelligent public management and services. **Article 52.** The Municipal People's Government shall, in reliance on the City Big Data Center, build a business hub, data hub, and capability hub based on a unified architecture, forming a unified urban intelligent hub platform system to provide unified and comprehensive digital services for public management and services as well as for regional and industry applications, and to promote the integration of technology, business, and data. The Municipal People's Government may, in reliance on the urban intelligent hub platform, build a government management and services command center, and shall establish and improve its operational management mechanism, to promote the overall digital transformation of government, deepen data sharing and business collaboration across levels, regions, systems, departments, and business lines, and build a unified, coordinated, intelligent, precise, scientific, and efficient government operation system. The various industry competent authorities shall, in reliance on the urban intelligent hub platform, build management and service platforms for their respective industries, to promote the comprehensive digitalization of management and services in their respective industries. The district-level people's governments shall, in reliance on the urban intelligent hub platform, with the goal of serving the grassroots, integrate data resources, optimize business processes, and innovate management models, to advance the scientification, refinement, and intelligentization of grassroots governance and services. **Article 53.** The Municipal People's Government shall, in reliance on the urban intelligent hub platform, promote business integration and process reengineering, and shall deepen innovation of the holistic government services model of unified front-end reception, coordinated back-end approval, and integrated operation throughout the Municipality. The municipal government affairs service and data management department shall promote public management and service institutions to strengthen the innovative application of public data in the course of public management and services, streamline handling materials and steps, optimize handling procedures; for matters in which an approval decision can be made through data comparison, it may carry out unattended intelligent approval. **Article 54.** The Municipal People's Government shall, in reliance on the urban intelligent hub platform, strengthen the aggregation and sharing of supervisory data and credit data, make full use of public data and supervisory systems in various fields, promote new supervisory models such as off-site supervision, credit-based supervision, and risk early warning, and improve the level of supervision. **Article 55.** The municipal government affairs service and data management department may organize the construction of a data-integrated application services platform, to provide society with a secure and trusted environment for the comprehensive development and utilization of data, and jointly carry out smart city application innovation. --- ## Chapter IV Data Factor Market ### Section 1 General Provisions **Article 56.** The Municipal People's Government shall coordinate planning and accelerate the cultivation of the data factor market, promote the building of a data factor market system encompassing data collection, processing, sharing, disclosure, trading, and application, and promote the orderly and efficient flow and utilization of data resources. **Article 57.** Market entities engaging in data processing activities shall implement their primary responsibility for data management, establish and improve the data governance organizational structure, management systems, and self-evaluation mechanisms, implement classified and hierarchical protection and management of data, and strengthen data quality management to ensure the authenticity, accuracy, completeness, and timeliness of data. **Article 58.** Market entities may lawfully make autonomous use of, obtain income from, and dispose of data products and services formed through their lawful processing of data. **Article 59.** Where a market entity discloses or provides the use of personal data to a third party, it shall comply with the relevant provisions of Chapter II of these Regulations; where it discloses to a specific third party, entrusts processing to, or provides the use of personal data to a specific third party, it shall execute a relevant agreement. **Article 60.** Where the use, transmission, or entrusted processing of another market entity's data products and services involves personal data, the provisions of Chapter II of these Regulations and the provisions of the relevant agreement shall be observed. ### Section 2 Market Cultivation **Article 61.** The Municipal People's Government shall organize the formulation of local standards for data processing activity compliance, data products and services standards, data quality standards, data security standards, data value assessment standards, and data governance evaluation standards. Data-related industry organizations shall be supported in formulating group standards and industry norms, providing information, technology, training, and other services, and guiding and supervising market entities to regulate their data behavior, to promote the healthy development of the industry. Market entities shall be encouraged to formulate enterprise standards related to data, and to participate in the formulation of relevant local standards and group standards. **Article 62.** A data processor may commission a third-party institution to carry out data quality assessment and certification; a third-party institution shall carry out data quality assessment and certification activities in accordance with the principles of independence, openness, and impartiality. **Article 63.** Data value assessment institutions are encouraged to explore the construction of a data asset pricing index system from dimensions such as real-time nature, time span, sample coverage, completeness, data type grade, and data mining potential, and to promote the formulation of data value assessment guidelines. **Article 64.** The municipal statistics department shall explore the establishment of a statistical accounting system for data as a factor of production, clarifying the scope, indicators, and methods of statistics, accurately reflecting the asset value of data as a factor of production, and promoting the inclusion of data as a factor of production in the national economic accounting system. **Article 65.** The Municipal People's Government shall promote the establishment of data trading platforms, and shall guide market entities to carry out data trading through data trading platforms. Market entities may carry out data trading through data trading platforms established in accordance with law, or may carry out trading directly between the two trading parties in accordance with law. **Article 66.** Data trading platforms shall build a secure, trusted, controllable, and traceable data trading environment, formulate rules for data trading, information disclosure, and self-regulatory supervision, and shall adopt effective measures to protect personal data, trade secrets, and important data as prescribed by the State. **Article 67.** Data products and services formed through the lawful processing of data by market entities may be traded in accordance with law. However, the following circumstances are excepted: (1) the data products and services to be traded contain personal data that has not been authorized in accordance with law; (2) the data products and services to be traded contain public data that has not been disclosed in accordance with law; or (3) other circumstances in which laws or regulations prohibit trading. ### Section 3 Fair Competition **Article 68.** Market entities shall observe the principle of fair competition and shall not engage in the following conduct that damages the lawful rights and interests of other market entities: (1) obtaining data of other market entities through unlawful means; (2) providing substitute products or services using data of other market entities collected unlawfully; or (3) other conduct prohibited by laws or regulations. **Article 69.** Market entities shall not use data analysis to implement differential treatment of trading counterparties in the same trading conditions, except in any of the following circumstances: (1) implementing different trading conditions in accordance with the actual needs of the trading counterparty and in compliance with legitimate trading customs and industry practices; (2) conducting promotional activities for new users within a reasonable time limit; (3) implementing random transactions based on fair, reasonable, and non-discriminatory rules; or (4) other circumstances provided by laws or regulations. The phrase "trading counterparties in the same trading conditions" in the preceding paragraph refers to trading counterparties between whom there is no material difference in transaction security, transaction costs, credit status, transaction stage, and duration of the transaction. **Article 70.** Market entities shall not eliminate or restrict competition by entering into monopoly agreements, abusing a dominant position in the data factor market, or unlawfully implementing concentrations of undertakings. --- ## Chapter V Data Security ### Section 1 General Provisions **Article 71.** Data security management shall follow the principles of government supervision, primary responsibility of responsible entities, proactive defense, and comprehensive prevention; shall adhere to placing equal importance on security and development; shall encourage the research and development of data security technology; and shall ensure the security of data across its entire life cycle. The Municipal People's Government shall coordinate data security management work across the entire Municipality and shall establish and improve a comprehensive data security governance system. **Article 72.** Data processors shall, in accordance with the provisions of laws and regulations, establish and improve security management systems covering data classification and grading, risk monitoring, security assessment, and security education, implement protective measures, continuously improve technical means, and ensure data security. Where a data processor undergoes a change due to merger, division, acquisition, or other events, the data processor after the change shall continue to implement the data security management responsibilities. **Article 73.** Where sensitive personal data or important data prescribed by the State is to be processed, a data security management body shall be established and a data security management officer shall be specified in accordance with the relevant provisions, and special technical protection shall be implemented. **Article 74.** The municipal cyberspace authority shall, together with the relevant competent departments and industry competent authorities, coordinate in accordance with the State's data classification and grading protection system to formulate specific catalogues of important data for their respective departments and industries, and shall give priority protection to the data listed in the catalogues. ### Section 2 Data Security Management **Article 75.** Data processors shall keep records of the entire flow of their data processing, and shall ensure that data sources are lawful and that the entire processing flow is clear and traceable. **Article 76.** Data processors shall, in accordance with the provisions of laws and regulations and the requirements of national standards, carry out de-identification or anonymization of the personal data they collect, and shall store it separately from data that can be used to restore identification of a specific natural person. Data processors shall formulate and implement security measures such as de-identification or anonymization for sensitive personal data and important data prescribed by the State. **Article 77.** Data processors shall implement domain-classified and graded management of data storage, selecting storage media whose security performance and protection grade match the security grade; for sensitive personal data and important data prescribed by the State, encrypted storage, authorized access, or other stricter security protection measures shall also be adopted. **Article 78.** Data processors shall implement security technical protection in the course of data processing, and shall establish a disaster recovery backup system for important systems and core data. **Article 79.** Where data processors share or disclose data, they shall establish a data sharing and disclosure security management system, and shall establish and improve a security management mechanism for external data interfaces. **Article 80.** Data processors shall establish a data destruction procedure and shall effectively destroy data that needs to be destroyed. Where a data processor terminates or dissolves and there is no data successor, it shall promptly and effectively destroy the data under its control, except where otherwise provided by laws or regulations. **Article 81.** Where a data processor commissions another party to process data on its behalf, it shall execute a data security protection contract with that party, specifying the security protection responsibilities of both parties. After completing the processing task, the entrusted party shall promptly and effectively destroy the data it has stored, except where otherwise provided by laws or regulations or otherwise agreed upon by the parties. **Article 82.** Where a data processor provides personal data or important data prescribed by the State to parties outside the territory of China, it shall apply for a data export security assessment and undergo a national security review in accordance with the relevant provisions. **Article 83.** Data processors shall implement monitoring and early warning measures commensurate with the data security protection level, and shall monitor and provide early warning for abnormal situations such as data leakage, damage, loss, and tampering. Upon detecting that a data security incident such as data leakage, damage, loss, or tampering has occurred or may occur, the data processor shall immediately take remedial and preventive measures. **Article 84.** Where sensitive personal data or important data prescribed by the State is processed, risk assessments shall be conducted periodically in accordance with the relevant provisions, and risk assessment reports shall be submitted to the relevant competent authorities. **Article 85.** Data processors shall establish a data security emergency response mechanism and formulate data security emergency response plans. Data security emergency response plans shall grade data security incidents according to factors such as the degree of harm and scope of impact, and shall specify the corresponding emergency response measures. **Article 86.** Where a data security incident occurs, such as data leakage, damage, loss, or tampering, the data processor shall immediately activate the emergency response plan, take the corresponding emergency response measures, promptly notify the relevant rights holders, and shall report to the municipal cyberspace authority, public security authority, and the relevant industry competent authorities in accordance with the relevant provisions. ### Section 3 Data Security Supervision **Article 87.** The municipal cyberspace authority shall, in accordance with the relevant laws, administrative regulations, and the provisions of these Regulations, be responsible for coordinating data security and the related supervision work, and shall, together with the municipal public security, national security, and other departments and the relevant industry competent authorities, establish and improve a data security supervision mechanism, and shall organize data security supervision and inspection. **Article 88.** The municipal cyberspace authority shall, together with the relevant competent authorities, strengthen the analysis, forecasting, and assessment of data security risks and gather relevant information; upon discovering circumstances that may lead to a data security incident of data leakage, damage, loss, or tampering affecting a larger scope, it shall promptly issue early warning information, propose preventive and responsive measures, and guide and supervise data processors in their data security protection work. **Article 89.** The municipal cyberspace authority and other departments performing data security supervision duties may commission third-party institutions to, in accordance with the provisions of laws and regulations and the requirements of relevant standards, conduct data security management certification and data security assessment for data processors, and to assign them security grades. **Article 90.** The municipal cyberspace authority and other departments performing data security supervision duties shall, upon discovering in the course of fulfilling their duties that a data processor has failed to implement security management responsibilities in accordance with the provisions, conduct a regulatory interview (yuetan) with the data processor in accordance with the provisions and urge it to rectify the situation. **Article 91.** The municipal cyberspace authority and other data oversight and management departments and their staff shall strictly keep confidential any personal data, trade secrets, and other data requiring confidentiality that they learn about in the course of fulfilling their duties, and shall not disclose, sell, or unlawfully provide such data to others. --- ## Chapter VI Legal Liability **Article 92.** Where personal data is processed in violation of the provisions of these Regulations, punishment shall be imposed in accordance with the relevant laws and regulations on personal information protection. **Article 93.** Where a public management and service institution violates the relevant provisions of these Regulations, the superior competent department or the relevant competent department shall order it to make corrections; where it refuses to make corrections or causes serious consequences, legal liability shall be pursued in accordance with law; where losses are caused to natural persons, legal persons, or unincorporated organizations as a result, compensation liability shall be borne in accordance with law. **Article 94.** Where data is traded in violation of Article 67 of these Regulations, the municipal market supervision and administration department or the relevant industry competent authority shall, in accordance with their duties, order corrections, confiscate illegal gains; where the transaction amount is less than RMB 10,000, a fine of not less than RMB 50,000 and not more than RMB 200,000 shall be imposed; where the transaction amount is RMB 10,000 or more, a fine of not less than RMB 200,000 and not more than RMB 1,000,000 shall be imposed; and other administrative penalties as provided by laws or administrative regulations may also be imposed in accordance with law. Where laws or administrative regulations otherwise provide, those provisions shall govern. **Article 95.** Where a market entity violates Articles 68 and 69 of these Regulations and damages the lawful rights and interests of other market entities or consumers, the municipal market supervision and administration department or the relevant industry competent authority shall, in accordance with their duties, order corrections and confiscate illegal gains; where it refuses to make corrections, a fine of not less than RMB 50,000 and not more than RMB 500,000 shall be imposed; where the circumstances are serious, a fine of not more than 5% of the prior year's revenue shall be imposed, up to a maximum of RMB 50,000,000; and other administrative penalties as provided by laws or administrative regulations may also be imposed in accordance with law. Where laws or administrative regulations otherwise provide, those provisions shall govern. Where a market entity violates Article 70 of these Regulations and engages in unfair competition conduct or monopolistic conduct, punishment shall be imposed in accordance with the relevant laws and regulations on unfair competition or anti-monopoly. **Article 96.** Where a data processor violates the provisions of these Regulations and fails to fulfill its data security protection responsibilities, punishment shall be imposed in accordance with the relevant laws and regulations on data security. **Article 97.** Where departments performing data oversight and management duties, and public management and service institutions, fail to perform or incorrectly perform the duties provided by these Regulations, the directly responsible supervisory personnel and other directly responsible persons shall be given a disciplinary sanction in accordance with law; where a crime is constituted, criminal liability shall be pursued in accordance with law. **Article 98.** Where data is processed in violation of the provisions of these Regulations and national interests or public interests are damaged as a result, organizations as provided by laws and regulations may bring a civil public-interest lawsuit in accordance with law. Where an organization as provided by laws and regulations brings a civil public-interest lawsuit, the People's Procuratorate may, where it considers it necessary, support the action. Where no organization as provided by laws and regulations brings a civil public-interest lawsuit, the People's Procuratorate may bring a civil public-interest lawsuit in accordance with law. Where the People's Procuratorate discovers in the course of fulfilling its duties that a department performing data oversight and management duties is unlawfully exercising its powers or is failing to act, and national interests or public interests are thereby damaged, it shall submit procuratorial recommendations to the relevant administrative organ; where the administrative organ fails to perform its duties in accordance with law, the People's Procuratorate may bring an administrative public-interest lawsuit in accordance with law. **Article 99.** Where a data processor violates the provisions of these Regulations in processing data and causes damage to others, it shall bear civil liability in accordance with law; where the conduct constitutes a violation of public security administration, a public security administrative penalty shall be imposed in accordance with law; where a crime is constituted, criminal liability shall be pursued in accordance with law. --- ## Chapter VII Supplementary Provisions **Article 100.** These Regulations shall come into force on 1 January 2022. --- ## Measures for the Security Review of Foreign Investments - Chinese title: 外商投资安全审查办法 - Abbreviation: FISR Measures - Hierarchy: rule - Issuing body: National Development and Reform Commission (NDRC) and Ministry of Commerce (MOFCOM) - Adopted: 2020-11-27 - Effective: 2021-01-18 - Status: effective - URL: https://datacompliancechina.com/laws/foreign-investment-security-review-measures/ - Markdown: https://datacompliancechina.com/laws/foreign-investment-security-review-measures.md ### Summary The Foreign Investment Security Review (FISR) Measures govern review of foreign investment in China that affects or may affect national security. Article 2 covers new projects, M&A of equity or assets, and other forms of domestic investment by foreign investors. Article 4 brings important information technology, internet products and services, and key technologies into the mandatory pre-notification scope. The test for the security review's bite is actual control — defined broadly to include >50% equity, voting-share thresholds, and other circumstances that materially influence operational decisions, personnel, finance, or technology. These Measures were the legal basis for the April 2026 ban on the Meta–Manus acquisition. ### Full text **Promulgated by:** National Development and Reform Commission (NDRC) and Ministry of Commerce (MOFCOM). **Document No.:** Decree No. 37 of NDRC and MOFCOM. **Adopted at the 13th meeting of NDRC on November 27, 2020, with State Council approval. Promulgated December 19, 2020. Effective January 18, 2021.** He Lifeng (NDRC) and Zhong Shan (MOFCOM). --- **Article 1.** These Measures are enacted in accordance with the Foreign Investment Law of the People's Republic of China, the National Security Law of the People's Republic of China and the relevant laws for the purposes of adapting to the needs of forming a new pattern of all-round opening up, effectively preventing and defusing national security risks while actively promoting foreign investment. **Article 2.** For foreign investments that affect or may affect national security, security review shall be conducted in accordance with the provisions of these Measures. For the purpose of these Measures, the term "foreign investment" refers to the investment activities carried out by foreign investors directly or indirectly within the territory of the People's Republic of China (hereinafter referred to as "within China"), including the following circumstances: (I) where foreign investors invest, solely or jointly with other investors, in new projects or establishing enterprises in China; (II) where foreign investors acquire equity or assets of domestic enterprises by way of merger and acquisition; or (III) where foreign investors make investments in China in any other form. **Article 3.** The State establishes a working mechanism for the security review of foreign investments (hereinafter referred to as the "working mechanism") to be responsible for organizing, coordinating and guiding the security review of foreign investments. The office of the working mechanism is set up under the National Development and Reform Commission. It is led by the National Development and Reform Commission and the Ministry of Commerce to undertake he routine work of the security review of foreign investments. 50% 50% **Article 4.** For foreign investments within the following scope, foreign investors or the relevant parties in China (hereinafter referred to collectively as the "parties concerned") shall take the initiative to declare to the office of the working mechanism prior to implementation of the investments: (I) investments in military industry, military industrial supporting and other fields relating to the security of national defence, and investments in areas surrounding military facilities and military industry facilities; and (II) investments in important agricultural products, important energy and resources, important equipment manufacturing, important infrastructure, important transport services, important cultural products and services, important information technology and Internet products and services, important financial services, key technologies and other important fields relating to national security, and obtaining the actual controlling stake in the investee enterprise. Obtaining the actual controlling stake in the investee enterprise" referred to in item (II) of the preceding paragraph shall include the following circumstances: (I) where the foreign investor holds more than 50% of the equity of an enterprise; (II) where the foreign investor holds less than 50% of the equity of an enterprise, but the voting rights held by it can have significant impact on the resolutions of the board of directors, the board of shareholders or the general meeting of shareholders; and (III) other circumstances where the foreign investor may have significant impact on the enterprise's business decision-making, human resources, finance, technology etc. For foreign investments within the scope stipulated in the first paragraph of this Article (hereinafter referred to as the "scope of declaration"), the office of the working mechanism may require the parties concerned to make declaration. **Article 5.** Prior to declaration of a foreign investment to the office of the working mechanism, the parties concerned may consult the said office on the relevant issues. **Article 6.** The parties concerned shall submit the following materials for declaration of a foreign investment to the office of the working mechanism: (I) a declaration letter; (II) an investment plan; (III) a statement on whether the foreign investment will have an impact on national security; and (IV) other materials stipulated by the office of the working mechanism. The declaration letter shall state the name, address, scope of business of the foreign investor, basic information of investment and other matters stipulated by the office of the working mechanism. The office of the working mechanism may, based on work needs, entrust the relevant departments of the people's governments of provinces, autonomous regions or centrally administered municipalities with collection and forwarding of the materials stipulated in the first paragraph of this Article on its behalf. 15 **Article 7.** The office of the working mechanism shall, within 15 working days from the date of receipt of the materials stipulated in Article 6 hereof submitted by the parties concerned or forwarded by the relevant departments of the people's governments of provinces, autonomous regions or centrally administered municipalities, make a decision on whether the foreign investment declared is subject to security review and notify the parties concerned in writing. Prior to a decision made by the office of the working mechanism, the parties concerned shall not make the investment. The parties concerned shall not make the investment unless the office of the working mechanism decides that security review is not required. 30 **Article 8.** The security review of foreign investments includes general review and special review. Where the office of the working mechanism decides to conduct the security review of a foreign investment declared, it shall complete the general review within 30 working days from the date of decision. During the review period, the parties concerned may not make the investment. Upon general review, if it is deemed that the foreign investment declared will not have an impact on national security, the office of the working mechanism shall make a decision on passing the security review; if it is deemed that the foreign investment will or may have an impact on national security, the office of the working mechanism shall make a decision on initiating the special review. The decisions made by the office of the working mechanism shall be notified to the parties concerned in writing. **Article 9.** Where the office of the working mechanism decides to initiate the special review of a declared foreign investment, it shall make a decision in accordance with the following provisions after the review and notify the parties concerned in writing: (I) where the declared foreign investment does not have an impact on national security, a decision on passing the security review shall be made; or (II) where the declared foreign investment affects national security, a decision on prohibiting the investment shall be made; Where the impact on national security can be eliminated through the imposition of conditions and the parties concerned make a written commitment to accept such conditions, a decision on conditionally passing the security review may be made and the additional conditions shall be specified in the decision. The special review shall be completed within 60 working days from the date of initiation; under special circumstances, the review period may be extended. The parties concerned shall be notified in writing of the extension of the review period. During the review period, the parties concerned may not make the investment. **Article 10.** During the security review of the declared foreign investment, the office of the working mechanism may require the parties concerned to supplement the relevant materials and inquire of the parties concerned about the relevant information. The parties concerned shall cooperate therewith. The time for the parties concerned to provide supplementary materials will not be included in the examination period. **Article 11.** During the security review of the declared foreign investment conducted by the office of the working mechanism, the parties concerned may revise the investment plan or revoke the investment. If the parties concerned revise the investment plan, the review period will be re-counted from the date of receipt of the revised investment plan by the office of the working mechanism; if the parties concerned cancel the investment, the review will be terminated by the office of the working mechanism . **Article 12.** Where the office of the working mechanism decides that the foreign investment declared passes the security review, the parties concerned may make the investment; in case of the decision on prohibiting the investment, the parties concerned may not make the investment; if the investment has been made, the equity or assets shall be disposed of within a time limit and other necessary measures shall be taken to restore the equity or assets to the status before the implementation of the investment and eliminate the impact on national security; and If a decision on conditionally passing the security review is made, the parties concerned shall make the investment under the additional conditions. **Article 13.** The implementation of a decision on the security review of a foreign investment shall be supervised by the office of the working mechanism in conjunction with the relevant departments and local people's governments; for a foreign investment that passes the security review with conditions, the office of the working mechanism may verify the implementation of such conditions by such means as requiring the relevant supporting materials and conducting on-site inspection. **Article 14.** After the office of the working mechanism makes a decision that the declared foreign investment is not subject to security review or or passes the security review, if the parties concerned change the investment plan, which affects or may affect the national security, the parties concerned shall make declaration anew to the office of the working mechanism in accordance with the provisions hereof. **Article 15.** Where the relevant organs, enterprises, social groups or the general public deem that a foreign investment affects or may affect the national security, they may propose suggestions on security review to the office of the working mechanism. **Article 16.** For any foreign investment that falls within the scope of declaration, if the parties concerned make investment without making declaration in accordance with the provisions hereof, the office of the working mechanism shall order them to make declaration within a time limit; in case that the party concerned refuse to make declaration, the office of the working mechanism shall order them to dispose of equity or assets and to take other necessary measures within a time limit to restore the equity or assets to the status before the implementation of the investment and eliminate impact on national security. **Article 17.** Where the parties concerned provide false materials to or conceal relevant information to the office of the working mechanism, the said office shall order them to make correction; or where the parties concerned pass the security review by cheating such as providing false materials and concealing relevant information, relevant decisions shall be revoked; if the investment has been made, the parties concerned shall be ordered to dispose of equity or assets and to take other necessary measures within a time limit to restore the equity or assets to the status before the implementation of the investment and eliminate impact on national security. **Article 18.** For any foreign investment that passes the security review with conditions, if the parties concerned fail to make investment under the additional conditions, the office of the working mechanism shall order them to make correction; in case that the party concerned refuse to make correction, the office of the working mechanism shall order them to dispose of equity or assets and take other necessary measures within a time limit to restore the equity or assets to the status before the implementation of the investment and eliminate impact on national security. **Article 19.** The parties concerned falling under any of the circumstances as prescribed in Article 16, Article 17 or Article 18 hereof shall be included in the relevant credit information system of the State as parties with poor credit records, and be subject to joint punishment in accordance with the relevant provisions of the State. **Article 20.** Where any functionary of a state organ abuses his/her power, neglects his/her duties, commits illegalities for personal gains, or divulges any state secret or the trade secret he/she has access to during the security review of a foreign investment, he/she shall be punished in accordance with the law; where a crime is constituted, he/she shall be investigated for criminal liability in accordance with the law. **Article 21.** These Measures shall apply mutatis mutanda to the investments made by investors from Hong Kong Special Administrative Region, Macao Special Administrative Region or Taiwan region that affect or may affect the national security. **Article 22.** Where foreign investors' purchase of the shares of any domestic enterprise through Stock Exchanges or other stock exchanges approved by the State Council affects or may affect the national security, the specific measures for the application hereof shall be developed by the securities regulatory authority under the State Council in conjunction with the office of the working mechanism. **Article 23.** These Measures shall come into force 30 days after the date of promulgation. --- ## Guidelines for the Security of Automotive Data Export (2026 Edition) - Chinese title: 汽车数据出境安全指引(2026版) - Hierarchy: standard - Issuing body: Cyberspace Administration of China - Adopted: 2026-01-01 - Effective: 2026-01-01 - Status: effective - URL: https://datacompliancechina.com/laws/automotive-data-export-security-guidelines/ - Markdown: https://datacompliancechina.com/laws/automotive-data-export-security-guidelines.md ### Summary These Guidelines give automotive data processors a practical, scenario-based roadmap for lawfully exporting automotive data under the Data Security Law, PIPL and the Network Data Security Management Regulation. They define what counts as a data-export act, set out the quantitative thresholds that trigger a security assessment, standard contract or certification (and the exemptions), provide a detailed important-data determination catalogue across six business scenarios, describe the end-to-end export procedure, and impose management, technical-protection, logging and emergency-response requirements. The important-data determination tables are rendered below as structured prose by scenario rather than reproduced cell-by-cell. ### Full text **Promulgated by:** Cyberspace Administration of China. **2026 Edition.** These Guidelines are formulated in order to implement the Data Security Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Network Data Security Management Regulation and other laws and regulations, to guide and regulate automotive data processors in carrying out data-export activities efficiently, conveniently and securely, and to enhance the facilitation of automotive data export. --- ## I. General Provisions ### (I) Scope of Application Automotive data processors shall carry out data-export activities in accordance with these Guidelines. "Automotive data" as referred to in these Guidelines means the personal information and important data involved in the processes of automotive design, production, sale, use, operation and maintenance. "Automotive data processors" means organizations and individuals that independently determine the processing purpose and processing method in carrying out automotive data processing activities, including automobile manufacturers, parts and software suppliers, telecommunications operating enterprises, autonomous-driving service providers, platform operating enterprises, dealers, repair institutions, and mobility service enterprises. ### (II) Data-Export Acts Where an automotive data processor provides automotive data outside the territory of the People's Republic of China ("overseas"), it constitutes a data-export act if it meets any of the following: 1. the automotive data processor transmits automotive data collected and generated during operations within the territory of the People's Republic of China ("within the territory") to overseas; 2. automotive data collected and generated by the automotive data processor is stored within the territory, and overseas institutions, organizations or individuals can query, retrieve, download or export it; 3. other data processing activities that fall within the circumstances of the second paragraph of Article 3 of the Personal Information Protection Law, namely processing the personal information of natural persons within the territory while overseas. ### (III) Management Modes for Data-Export Activities 1. Where an automotive data processor provides automotive data overseas and meets any of the following, it shall declare a data-export security assessment: (1) providing important data overseas (where the data includes surveying and mapping geographic-information data such as spatial coordinates, imagery, point clouds and their attribute information, the external-provision approval or map-review procedures shall be lawfully completed before declaring the data-export security assessment); (2) cumulatively providing the personal information of more than 1 million persons (not including sensitive personal information) overseas since January 1 of the current year; (3) cumulatively providing the sensitive personal information of more than 10,000 persons overseas since January 1 of the current year; (4) a critical information infrastructure operator providing personal information overseas; (5) other circumstances clarified by relevant State provisions as requiring the declaration of a data-export security assessment. (The numbers of persons are counted by de-duplicated natural persons, and "more than" includes the stated figure.) 2. Where an automotive data processor (other than a critical information infrastructure operator) provides personal information overseas and meets any of the following, it may choose either of the two modes — concluding a standard contract for the export of personal information, or passing personal-information export certification: (1) cumulatively providing the personal information of more than 100,000 but fewer than 1 million persons (not including sensitive personal information) overseas since January 1 of the current year; (2) cumulatively providing the sensitive personal information of fewer than 10,000 persons overseas since January 1 of the current year. ("Fewer than" does not include the stated figure.) 3. An automotive data processor is exempt from declaring a data-export security assessment, concluding a standard contract for the export of personal information, or passing personal-information export certification, where any of the following applies: (1) automotive data collected and generated overseas is transmitted into the territory for processing and then provided overseas, and no personal information or important data from within the territory is introduced in the processing; (2) it is truly necessary to provide personal information overseas in order to conclude or perform a contract to which the individual is a party, such as cross-border vehicle purchase, cross-border delivery, cross-border payment, or cross-border account registration; (3) it is truly necessary to provide the personal information of employees overseas in order to implement cross-border human-resources management in accordance with labor rules and regulations formulated in accordance with the law and collective contracts concluded in accordance with the law; (4) it is truly necessary to provide personal information overseas in an emergency to protect the life, health and property safety of natural persons; (5) an automotive data processor other than a critical information infrastructure operator cumulatively provides the personal information of fewer than 100,000 persons (not including sensitive personal information) overseas since January 1 of the current year; (6) an automotive data processor registered in a pilot free trade zone provides data outside the negative list overseas in accordance with the relevant requirements of the pilot free trade zone; (7) security-vulnerability data that the automotive data processor has, in order to repair security vulnerabilities, reported to the Ministry of Industry and Information Technology in accordance with the relevant requirements of the Provisions on the Management of Network Product Security Vulnerabilities; (8) security-incident data of automotive products, IoV platforms and related systems that the automotive data processor has, in order to dispose of security incidents, reported to the Ministry of Industry and Information Technology and the relevant industry regulatory authorities in accordance with the relevant industry contingency plans for cybersecurity and data security incidents (cybersecurity incidents under the Contingency Plan for Public Internet Cybersecurity Emergencies, and data security incidents under the Emergency Response Plan for Data Security Incidents in the Field of Industry and Information Technology (Trial)); (9) the source code corresponding to the OTA upgrade software package that the automotive data processor has, in order to eliminate automotive product defects and implement a recall, filed with the State Administration for Market Regulation in accordance with the Regulation on the Recall of Defective Automotive Products. The personal information provided overseas as referred to in the preceding paragraph does not include important data. ## II. Determination of Important Data > The following reflects the important-data determination catalogue, which in the original is set out as detailed tables of data categories, data items and determination rules across six business scenarios. It is rendered here as structured prose. Where a data item is determined to be important data, its export requires a security assessment. ### (I) Research and Development Design Scenario Covers data collected and generated by automotive data processors when integrating global R&D resources and collaboratively designing and developing products. - **Product R&D** — bills of materials (BOM, including design BOM and component/material specifications, quantities and hierarchical relationships, and key-material ratio schemes, formulation schemes, chemical general formulas and material usage for power-battery cathode/anode active materials, electrolytes, separators, binders and the like), R&D design documents (design models, drawings, schemes, technical documents, test reports), and product/technology development source code. **Determination rule:** important data if it (1) is supported by a national major special project or national key R&D program; (2) corresponds to relevant technology control points in the Catalogue of Technologies Prohibited and Restricted from Export of China; or (3) involves relevant items in the Dual-Use Items Export Control List of the People's Republic of China. - **Product testing** — annotated-scene data (image, point-cloud, multimodal and video annotation), simulated-scene data (road-network, environment, traffic-flow, synthetic, and replay simulation files), and test-scene data (accident, hazard and edge scenes). **Determination rule:** important data if, among other things, it relates to or can be used to derive important and sensitive areas such as military administration zones, units of national defense science, technology and industry, and Party and government organs at or above the county level; can derive classified or sensitive geographic-information data; reflects economic operation of a prefecture-level or higher administrative region (road vehicle flow, personnel flow, logistics) cumulatively for 30 days or more; can derive on-site situations of major-event security control, traffic accidents or other emergencies, or other social-public-security law-enforcement activities and personnel; contains real out-of-vehicle face bounding boxes with a minimum edge length of 32 pixels or more, or real out-of-vehicle license-plate bounding boxes with a minimum edge length of 16 pixels or more; is collected from more than 100,000 vehicles operating within the territory; involves cumulatively more than 2,000 hours of raw imagery collected in real environments (or data generated therefrom); or involves more than 10 million raw images (or data generated therefrom). ### (II) Production and Manufacturing Scenario Covers BOMs and production-control-program source code collected and generated in the manufacturing of automotive products — process BOMs (including power-battery R&D technical schemes and process parameters for core processes such as electrode preparation, assembly, electrolyte injection, formation and capacity grading), and CNC-machine-tool and industrial-robot control-program source code. **Determination rule:** the same three conditions as the product-R&D rule (national major special project/key R&D program; export-prohibited/restricted technology control points; dual-use items list). ### (III) Driving Automation Scenario Covers algorithms, training data and feature data collected and generated in developing, deploying and applying combined driving-assistance or autonomous-driving functions — algorithm files and source code, algorithm parameters (model weight coefficients), and training data sets (driver-decision data sets; system decision or predictive-planning data sets; operation data sets containing vehicle longitude/latitude, altitude, heading/roll/pitch angles, speed and angular rates; and multimodal training data sets), as well as image and point-cloud feature data. **Determination rule:** algorithm files/source code/parameters are important data if supported by a national major special project/key R&D program, if related achievements in IoV network and data security or driving-automation functions have received provincial/ministerial-level or higher awards, or if they may affect national science-and-technology security or industry competitiveness. Training/feature data are important data on substantially the same geographic, economic-operation, sensitive-area, public-security and scale grounds as the product-testing rule (including the 100,000-vehicle, 2,000-hour and 10-million-image thresholds), in particular when fused and associated with out-of-vehicle real-scene imagery and radar data. ### (IV) Software Upgrade Service Scenario Covers source code corresponding to software packages that upgrade vehicle safe-driving and battery-management functions. **Determination rule:** important data where it simultaneously (1) upgrades vehicles operating within the territory; (2) involves vehicle remote-control functions (excluding control achieved via near-field communication); and (3) involves functions of vehicle start-up/driving, power loss, emergency braking, cruise control, lane keeping, charge/discharge control, or battery temperature control. ### (V) Connected Operation Scenario - **Vehicle data** — vehicle identification numbers (VIN), IoV-card identification data (ICCID, IMEI, IMSI, MSISDN), vehicle keys (symmetric keys and asymmetric private keys), vehicle digital certificates (root certificates), and control commands. **Determination rules:** VIN/IoV-card identification data are important data where, since January 1 of the current year, the data provided overseas, combined with other exported information, can identify more than 1 million persons cumulatively. Vehicle keys and digital certificates are important data where they involve keys/root certificates used in the remote start-up, diagnosis, update or communication of more than 100,000 vehicles operating within the territory. Control commands (remote control of door locks, vehicle start-up, steering, acceleration, braking, parking, charge/discharge and temperature/battery management, excluding near-field control) are important data where they involve vehicles operating within the territory. - **Vehicle-road perception** — out-of-vehicle real-scene imagery (camera images/videos), radar data (point clouds and structured target-level data), location-track data, inertial-navigation data, autonomous-driving map data, and mapping-type data. (Geographic-information data containing spatial position coordinates must first be processed using State-recognized geographic-information confidentiality processing technology.) **Determination rule:** important data on the same sensitive-area, classified-geographic-information, economic-operation (30-day), public-security, face (32-pixel)/license-plate (16-pixel), 100,000-vehicle, 2,000-hour and 10-million-image grounds as the product-testing rule. - **Vehicle-road analysis** — fusion-computing data (personnel-flow and vehicle-flow data aggregated from roadside-device collection, target-surface 3D coordinate imaging data, and traffic-flow indicator data such as signal queue durations, intersection traffic flow, green-light times and overflow events). **Determination rule:** important data on sensitive-area, classified-geographic-information, public-security and economic-operation (30-day) grounds; traffic-flow indicator data are also important where they cover at least one complete intersection over a time span of more than one month. - **IoV platform operation** — network-planning data (asset-configuration information and network-topology diagrams of platform core assets), charging-operation data (charging-facility location data, vehicle charging-status monitoring data, and charging account/usage data), and security-assurance data (threat information such as undisclosed vulnerability and security-incident information). **Determination rules:** asset configuration/topology are important data for IoV platforms serving more than 1 million vehicles operating within the territory, or for platforms that simultaneously provide OTA upgrade services to more than 500,000 vehicles operating within the territory with upgrades touching powertrain, chassis or safe-driving functions. Charging-facility location data are important where they involve sensitive areas; charging-status data are important where collected from more than 100,000 vehicles operating within the territory; charging account/usage data are important where cumulatively provided overseas for more than 1 million persons since January 1 of the current year; threat information is important where it involves high-risk or higher vulnerabilities, or significant or higher network and data security incidents. ### (VI) Other Circumstances Automotive data is also important data where (1) it meets the above determination rules in other export business scenarios; or (2) the automotive data processor has identified and declared it as important data in accordance with relevant State provisions and industry standards, and the Ministry of Industry and Information Technology, the Cyberspace Administration of China or other relevant departments have publicly announced or notified that it is important data. ## III. Data-Export Procedure ### (I) Data Identification On the basis of important-data catalogue filing, the automotive data processor shall, in accordance with these Guidelines, identify the automotive data for which it must declare an export security assessment, conclude a standard contract for the export of personal information, or pass personal-information export certification. ### (II) Conducting the Data-Export Security Assessment The automotive data processor shall declare the data-export security assessment through a domestic legal-person entity. Where there is no domestic legal-person entity, a domestic branch shall declare. Where several domestic subsidiaries belong to the same group company (parent company) and have similar data-export business scenarios, the group company (parent company) may declare jointly as the declaring entity. Data that should pass the security assessment shall not be provided overseas by means such as quantity splitting through the conclusion of a standard contract or otherwise. The automotive data processor shall, in accordance with the Measures for the Security Assessment of Data Export, the Provisions on Promoting and Regulating Cross-Border Data Flows, and the Guide for the Declaration of Data Export Security Assessment (Third Edition), carry out a data-export risk self-assessment and rectify risk issues, and submit the declaration materials to the cyberspace administration. Upon passing the data-export security assessment, the automotive data processor may carry out data-export activities; where circumstances arise that affect the security of the exported data, it shall re-declare the assessment. ### (III) Concluding a Standard Contract for the Export of Personal Information The automotive data processor shall, in accordance with the Measures for the Standard Contract for the Export of Personal Information and the Guide for the Filing of the Standard Contract for the Export of Personal Information (Second Edition), carry out a personal-information protection impact assessment and rectify risk issues, and conclude a standard contract for the export of personal information with the overseas recipient; personal-information export activities may be carried out only after the contract takes effect. The automotive data processor shall submit the filing materials to the cyberspace administration, and will obtain a filing number where the relevant requirements are met; where circumstances arise that may affect personal-information rights and interests, it shall re-conduct the personal-information protection impact assessment, conclude the standard contract and file again. ### (IV) Passing Personal-Information Export Certification The automotive data processor shall, in accordance with the Measures for Personal-Information Export Certification, carry out a personal-information protection impact assessment and rectify risk issues, apply for certification to a qualified professional certification institution, and cooperate in completing the certification work. Personal-information export activities may be carried out only after passing the certification. Where the personal-information export situation no longer meets the certification requirements, the automotive data processor shall re-conduct the personal-information protection impact assessment and apply for certification. ## IV. Requirements for the Security Protection of Automotive Data Export ### (I) Management Requirements 1. **Department requirement.** The automotive data processor shall clarify the automotive data export management department, coordinate and advance data-export security management in an overall manner, and supervise and inspect the implementation of data-export-related management requirements. 2. **Personnel requirement.** The automotive data processor shall clarify the person responsible for automotive data export security, who shall supervise data-export activities and the protective measures taken, and be responsible for the security of data-export activities. 3. **System requirement.** The automotive data processor shall clarify system requirements in cybersecurity, data security, personal-information protection, and the like, and specifically clarify automotive data export security management requirements. 4. **Approval requirement.** The automotive data processor shall establish an internal registration and approval mechanism for automotive data export, set approval authority and approval procedures, and organize and archive the approval materials. ### (II) Protection Technical Requirements 1. **Data-export transmission security.** The automotive data processor shall take the following protective measures: (1) adopt verification technology, cryptographic technology, secure transmission channels or secure transmission protocols to ensure the confidentiality and integrity of automotive data during data-export transmission; (2) ensure that the automotive data export system has the capability to authenticate the identity of the overseas data recipient, so as to ensure the authenticity of the overseas data recipient's identity. 2. **Data-export security monitoring.** The automotive data processor shall conduct security monitoring of the network communications and host or system operation behavior of automotive data export, form security alarm logs and retain them. 3. **Inspection support.** The platform or system that directly transmits automotive data overseas shall have the technical-support capability for data-export security inspection, retain the data-export network communication traffic, and support data tamper-proofing and content parsing. (1) **Full retention** — retain the data-export network communication traffic in full according to start and end times, for a retention period of 1 week. (2) **Sample retention** — support sampling and retaining the data-export network communication traffic according to start and end times and IP address ranges, for a retention period of not less than 1 month. ### (III) Logging Requirements 1. **Log recording.** (1) **Network-traffic logs** — the automotive data processor shall record the network communication behavior of automotive data export, including at least the date, time, source IP address, destination IP address, source port, destination port, transport-layer protocol, application-layer protocol, and data volume, forming network-traffic logs and retaining them. (2) **Operation-behavior logs** — the automotive data processor shall record the operation behavior of the host that directly transmits automotive data overseas, including user information, operation time, operation object, operation type, login IP, device information, operation result, and changes to data-access authority, forming operation-behavior logs and retaining them. 2. **Log retention.** The automotive data processor shall retain the network-traffic logs, operation-behavior logs and security-alarm logs in a tamper-proof manner, for a retention period of not less than 3 years. 3. **Log auditing.** The automotive data processor shall audit the network-traffic logs, operation-behavior logs and security-alarm logs, and promptly respond to and dispose of security risks and hidden dangers such as illegal operations when discovered. ### (IV) Emergency-Response Requirements The automotive data processor shall establish the capability to dispose of non-compliant export of automotive data, promptly dispose of abnormal behavior when discovered, and report to the industry regulatory authority of its region in accordance with relevant requirements. --- ## Technical Requirements for Monitoring and Warning of Data Security in Civil Aviation (MH/T 3038—2025) - Chinese title: 民用航空数据安全监测预警技术要求(MH/T 3038—2025) - Abbreviation: MH/T 3038—2025 - Hierarchy: standard - Issuing body: Civil Aviation Administration of China - Adopted: 2025-07-18 - Effective: 2025-08-01 - Status: effective - URL: https://datacompliancechina.com/laws/civil-aviation-data-security-monitoring-requirements/ - Markdown: https://datacompliancechina.com/laws/civil-aviation-data-security-monitoring-requirements.md ### Summary MH/T 3038—2025 is a civil-aviation industry standard issued by the Civil Aviation Administration of China (CAAC), released July 18, 2025 and effective August 1, 2025. It establishes the basic principles for civil-aviation data security monitoring and warning and specifies the technical requirements for data security monitoring and warning, to guide data processors in the civil-aviation field in building monitoring and early-warning capabilities; it does not apply to data security monitoring and warning involving State secrets. The standard sets out monitoring requirements across the full data-processing lifecycle (collection, storage, use and processing, transmission, provision, deletion), keyed to the protection of core data, important data, and sensitive personal information, and aligned with the aviation data classification and grading standard MH/T 3039. It defines a four-tier warning system — red (Level I), orange (Level II), yellow (Level III), and blue (Level IV) — based on data level and volume, together with requirements for warning issuance, response, and escalation/de-escalation or cancellation. Appendix A provides illustrative monitoring examples for typical civil-aviation business scenarios (passenger ticketing, security screening, baggage check-in, check-in, air traffic management, and safety supervision). ### Full text **Promulgated by:** Civil Aviation Administration of China. **Standard Number:** MH/T 3038—2025 (Civil Aviation Industry Standard of the People's Republic of China). **Classification:** ICS 35.030; CCS L 80. **Date of Release:** July 18, 2025. **Date of Implementation:** August 1, 2025. --- ## Foreword This document is drafted in accordance with the provisions of GB/T 1.1—2020 *Directives for Standardization — Part 1: Rules for the Structure and Drafting of Standardizing Documents*. Please note that some content of this document may involve patents. The issuing body of this document assumes no responsibility for identifying patents. This document is proposed by the Department of Personnel, Science, Technology and Education of the Civil Aviation Administration of China. This document is under the centralized management of the China Academy of Civil Aviation Science and Technology. Drafting entities of this document: Information Center of the Civil Aviation Administration of China; Air Traffic Management Bureau of the Civil Aviation Administration of China; TravelSky Technology Limited; Air China Limited; Beijing Topsec Network Security Technology Co., Ltd.; Beijing Anhua Jinhe Technology Co., Ltd.; DBAPPSecurity Co., Ltd. (Hangzhou); NSFOCUS Technologies Group Co., Ltd. (Beijing); Civil Aviation Management Institute of China; CETC Cyberspace Security Technology Co., Ltd.; Sangfor Technologies Inc.; and Qi An Xin Technology Group Inc. ## 1 Scope This document establishes the basic principles for data security monitoring and warning in civil aviation (hereinafter referred to as "civil aviation"), and specifies the technical requirements for data security monitoring and warning. This document applies to guiding data processors in the civil-aviation field in building data security monitoring and warning capabilities. This document does not apply to data security monitoring and warning work involving State secrets. > Note: The term "data" as used in this document means various electronic data processed and generated through networks. ## 2 Normative References The contents of the following documents constitute indispensable provisions of this document through normative reference in the text. Among them, for dated references, only the version corresponding to that date applies to this document; for undated references, the latest version (including all amendments) applies to this document. - GB/T 25069 Information security techniques — Terminology - GB/T 35273 Information security technology — Personal information security specification - GB/T 35274 Information security technology — Security capability requirements for big data services - MH/T 3039 Requirements for data classification and grading in the civil aviation field ## 3 Terms and Definitions The terms and definitions defined in GB/T 25069, GB/T 35273, GB/T 35274, and MH/T 3039, as well as the following terms and definitions, apply to this document. **3.1 data security monitoring** The activity of carrying out real-time and continuous monitoring and analysis of data processing activities, so as to discover data security risks and incidents at an early stage. **3.2 data security incident** An incident in which, through technical or other means, tampering with, destruction, leakage, illegal obtaining, or illegal use of data, and the like, is carried out, resulting in business loss or causing social harm. **3.3 data interface** A channel or protocol for data transmission and exchange between information systems. > Note: The relevant protocols include HTTP, HTTPS, and other protocols. **3.4 sensitive personal information** Personal information that, once leaked or illegally used, is liable to result in infringement of the personal dignity of a natural person or harm to personal or property safety. [Source: GB/T 43697—2024, 3.6] **3.5 alert** The act of actively issuing a warning-type notification by certain technical means when a data security risk is discovered. [Source: GB/T 28451—2023, 3.5, modified] **3.6 warning** The act of issuing a security warning in advance or in a timely manner with respect to a data security incident that is about to occur or is occurring. [Source: GB/T 32924—2016, 3.4, modified] ## 4 Abbreviations The following abbreviation applies to this document. IP: Internet Protocol ## 5 Overview Data processors in the civil-aviation field, by carrying out security monitoring of data processing activities, promptly discover data security risks such as data tampering, destruction, leakage, illegal obtaining, or illegal use, and issue warnings of data security risks and incidents, thereby reducing the impact caused by data security incidents. The objects of data security monitoring are data processing activities, including data collection, storage, use and processing, transmission, provision, disclosure, deletion, and the like, the specific content of which is as follows: a) Data collection: the data processing activity of acquiring data from one or more data sources through a network in accordance with a specific purpose and requirement; b) Data storage: the data processing activity of persistently saving data in storage media such as hard disks; c) Data use and processing: the data processing activity of carrying out operations such as retrieval, display, transformation, computation, and analysis on data; d) Data transmission: the data processing activity of transmitting data from one responsible entity to another responsible entity through a network; e) Data provision: the data processing activity of providing controlled data to other responsible entities within the organization or to other organizations; f) Data disclosure: the data processing activity of disclosing controlled data to the public; g) Data deletion: the data processing activity of erasing data, or overwriting stored data, in the information systems and data storage devices involved, so as to render it incapable of being retrieved or accessed. > Note: Because the physical destruction of storage media cannot be monitored through a network, data deletion in this document does not include the physical destruction of storage media. The information that needs to be collected for carrying out data security monitoring includes, but is not limited to, the logs and traffic data of assets such as network devices, servers, security devices, cryptographic devices, storage devices, application systems, data interfaces, databases, big-data platforms, and cloud platforms that support data processing activities. For illustrative examples of data security monitoring under typical civil-aviation business scenarios, see Appendix A. Data security warning is the act of analyzing and judging the abnormal alert information discovered by data security monitoring, classifying the warning levels for data security incidents that are about to occur or are occurring, and at the same time carrying out warning issuance and warning response, and promptly escalating, de-escalating, or canceling the warning according to the response situation. ## 6 Basic Principles for Data Security Monitoring and Warning The basic principles to be followed by data processors in the civil-aviation field when carrying out data security monitoring and warning are as follows: a) Security and compliance: comply with the data security-related management requirements of the State and the industry, and ensure the compliance of data security monitoring and warning work; b) Timeliness and accuracy: promptly collect and analyze data security risk information, and accurately judge the level of data security incidents; c) Comprehensive coverage: the scope of monitoring covers data processing activities such as data collection, storage, use, processing, transmission, provision, disclosure, and deletion; d) Continuous optimization: dynamically update data security monitoring and warning strategies according to changes in actual business scenarios and data security monitoring and warning needs; e) Minimal impact: fully consider the impact of monitoring activities on business continuity, and avoid affecting the normal conduct of business. ## 7 Data Security Monitoring Requirements ### 7.1 General Requirements Data security monitoring shall meet the following requirements: a) monitor the network traffic of the data processing environment, and issue an alert upon discovering abnormal traffic with characteristics such as malicious code or phishing emails; b) monitor the communication objects and behavior, communication data, and interface configuration of data interfaces, and issue an alert upon discovering situations such as abnormal invocation of data interfaces, abnormal opening, abnormal exposure of data, or defects in authentication and authorization mechanisms; c) monitor the logs of data security components such as data encryption, data de-identification, data leakage prevention, and database auditing, and issue an alert upon discovering situations such as their strategies not being effectively executed. ### 7.2 Data Collection Data collection monitoring shall meet the following requirements: a) monitor the working status of data collection tools or service components, and issue an alert upon discovering abnormal situations such as service anomalies or traffic overload; b) monitor the time, quantity, frequency, scope, and other information of the collection of core data, important data, and sensitive personal information using automated tools, and issue an alert upon discovering abnormal situations of data collection such as exceeding the agreed frequency or exceeding the scope required by the business; c) monitor the reliability of the data sources of core data, important data, and sensitive personal information, and issue an alert upon discovering abnormal situations such as failure of identity authentication or non-authentication; d) monitor the authenticity and integrity verification results of core data, important data, and sensitive personal information, and issue an alert upon discovering abnormal verification results. ### 7.3 Data Storage Data storage monitoring shall meet the following requirements: a) monitor the execution results and frequency of local data backup and off-site data backup, and issue an alert upon discovering anomalies such as backup job execution failure or excessively low backup frequency; b) monitor the behavior of accessing the data storage system, and issue an alert upon discovering anomalies such as abnormal IP access or unauthorized access; c) monitor the performance indicators, used space, and health status of the data storage system, and issue an alert upon discovering anomalies such as system overload, insufficient storage space, or hardware failure; d) monitor the storage encryption status of core data, important data, and sensitive personal information, and issue an alert upon discovering plaintext storage; e) monitor the access of mobile storage media, and issue an alert upon discovering anomalies such as non-compliant access or the carrying of malicious code. ### 7.4 Data Use and Processing Data use and processing monitoring shall meet the following requirements: a) monitor the behavior of accessing data, and issue an alert upon discovering anomalies such as ultra vires access, high-frequency access, abnormal IP access, or access during abnormal time periods; b) monitor the behavior of operating on data, and issue an alert upon discovering anomalies such as non-compliant downloading, non-compliant exporting, or malicious deletion. ### 7.5 Data Transmission Data transmission monitoring shall meet the following requirements: a) monitor the availability of data transmission devices and communication lines, and issue an alert upon discovering device or line failures; b) monitor the identity authentication result information of data transmission entities, and issue an alert upon discovering unauthorized connections; c) monitor the behavior of transmitting core data, important data, and sensitive personal information across responsible entities, and issue an alert upon discovering anomalies such as plaintext transmission, transmission exceeding the authorized scope, or failure to use a secure transmission protocol; d) monitor the data transmission integrity verification results of core data, important data, and sensitive personal information, and issue an alert upon discovering abnormal verification results. ### 7.6 Data Provision Data provision monitoring shall meet the requirements of 7.5 c), and shall also meet the following requirements: a) monitor the exchange, sharing, and transfer activities involving core data, important data, and sensitive personal information, and issue an alert upon discovering that the data has not adopted measures such as encryption or de-identification; b) monitor the cross-border flow involving important data and sensitive personal information, and issue an alert upon discovering non-compliant outbound conduct such as inconsistency between the actual outbound data and the declared content. ### 7.7 Data Deletion The deletion method, type of deleted data, magnitude of deleted data, operation behavior results, and the like, of core data, important data, and sensitive personal information shall be monitored, and an alert shall be issued upon discovering conduct such as erroneous deletion of data, unauthorized deletion, or ineffective deletion. ## 8 Data Security Warning Requirements ### 8.1 Warning Classification The warning levels for data security incidents are, from high to low according to the level and magnitude of the data, divided into four levels: red warning (Level I warning), orange warning (Level II warning), yellow warning (Level III warning), and blue warning (Level IV warning). The different levels shall meet the following warning requirements: a) Red warning (Level I warning): when a data security incident involving core data is about to occur or is occurring, a red warning shall be issued. b) Orange warning (Level II warning): when a data security incident involving any of the following situations is about to occur or is occurring, an orange warning shall be issued: 1) important data; 2) general data that causes minor harm to social order and the public interest, or serious harm to the rights and interests of organizations; 3) sensitive personal information that causes particularly serious harm to the rights and interests of individuals. c) Yellow warning (Level III warning): when a data security incident involving any of the following situations is about to occur or is occurring, a yellow warning shall be issued: 1) general data that causes general harm to the rights and interests of organizations; 2) sensitive personal information that causes serious harm to the rights and interests of individuals. d) Blue warning (Level IV warning): when a data security incident other than the situations mentioned above is about to occur or is occurring, a blue warning shall be issued. ### 8.2 Warning Issuance Data processors in the civil-aviation field carrying out warning issuance work shall meet the following requirements: a) analyze and judge the abnormal data security situations monitored, and issue internal warning information for the data security risks or incidents discovered in accordance with the warning level; b) ensure the security and reliability of the warning issuance channels, and avoid data security incidents caused by the leakage or spread of warning information; c) the warning information shall include the warning level, the nature of the incident, the quantity and type of data involved, the scope and degree of impact, preventive countermeasures, and the like; d) when a data security incident reaching the yellow-warning, orange-warning, or red-warning level is about to occur or is occurring, promptly report to the industry data security supervision and administration authority. ### 8.3 Warning Response While issuing warning information, data processors in the civil-aviation field shall actively respond to data security incidents. The response measures include, but are not limited to, the following: a) activate, according to the actual situation, an emergency plan matching the warning level; b) for data security incidents that have been reported, report the handling process and results to the industry data security supervision and administration authority; c) for data security incidents that may harm the lawful rights and interests of individuals, promptly inform the affected personal-information subjects by means of email, letter, telephone, push notification, and the like. Where it is difficult to inform the personal-information subjects one by one, adopt a reasonable and effective method to release warning information relevant to the public, and take remedial measures. ### 8.4 Warning Escalation, De-escalation, or Cancellation Data processors in the civil-aviation field shall, according to the dynamic changes of data security incidents, promptly issue warning escalation, de-escalation, or cancellation information. The specific information to be issued is as follows: a) when the scope of harm caused by a data security incident expands and the degree of impact intensifies, issue warning escalation information; b) when a data security incident is brought under control and the scope of harm shrinks and the degree of impact decreases, issue warning de-escalation information; c) when a data security incident is eliminated, or it is found upon assessment that it does not reach the blue-warning level, issue warning cancellation information. ## Appendix A (Informative) Examples of Data Security Monitoring Under Typical Civil-Aviation Business Scenarios Examples of data security monitoring under typical civil-aviation business scenarios are shown in Table A.1. **Table A.1 Examples of Data Security Monitoring Under Typical Civil-Aviation Business Scenarios** | Scenario | Data generated and processed | Data processors involved | Data processing activities involved | Data security risks involved | Applicable clauses | | --- | --- | --- | --- | --- | --- | | Passenger ticketing | Passenger flight information, member information, payment information, and other data | Airlines; airports; reservation system information service providers; ticket sales agents | Collection, storage, use and processing, transmission, provision, deletion | Data leakage risk; data tampering risk; data misuse risk; illegal sale of data | 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.8 | | Passenger security screening | Passenger flight information, passenger identity-document information, passenger portrait photographs, passenger security-screening information, passenger status information, passenger boarding status, passenger whereabouts information, and other data | Airports; security-screening system information service providers | Collection, storage, use and processing, transmission, provision, deletion | Data leakage risk; data tampering risk; data misuse risk; data forgery risk | 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.8 | | Baggage check-in | Baggage check-in information and other data | Airports; airlines; check-in system information service providers | Collection, storage, use and processing, transmission, provision, deletion | Data leakage risk | 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.8 | | Passenger check-in | Passenger information, flight information, seat-assignment information, baggage information, and other data | Airlines; airports; departure-control system information service providers | Collection, storage, use and processing, transmission, provision, deletion | Data leakage risk; data tampering risk; data loss risk | 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.8 | | Air traffic management | Communication, navigation and surveillance, meteorological services, aeronautical information, flow management, operation monitoring, and other data | Air Traffic Management Bureau; air traffic management sub-bureaus (stations) | Collection, storage, use and processing, transmission, provision, deletion | Data leakage risk; data tampering risk; data loss risk | 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.8 | | Safety supervision | Administrative licensing information, administrative inspection information, practitioner physical-examination information, aircraft filing information, maintenance organization information, flight information, cargo and mail information, real-name registration information of unmanned aircraft, and other data | Civil aviation safety supervision and administration bodies; entities engaged in the construction and operation and maintenance of civil aviation safety supervision systems | Collection, storage, use and processing, transmission, provision, disclosure, deletion | Data leakage risk; data tampering risk; data forgery risk; data loss risk | 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8 | ## Bibliography - [1] GB/T 20986—2023 Information security technology — Guidelines for the categorization and classification of cybersecurity incidents - [2] GB/T 28451—2023 Information security technology — Technical specification for network intrusion prevention products - [3] GB/T 32924—2016 Information security technology — Guidelines for cybersecurity warning - [4] GB/T 41479—2022 Information security technology — Security requirements for network data processing - [5] GB/T 43697—2024 Data security technology — Rules for data classification and grading --- ## Implementing Guidelines for the Protection of Customer Data Security in Internet Data Centers - Chinese title: 互联网数据中心客户数据安全保护实施指引 - Hierarchy: standard - Issuing body: General Office of the Ministry of Industry and Information Technology - Adopted: 2025-01-13 - Effective: 2025-01-13 - Status: effective - URL: https://datacompliancechina.com/laws/idc-customer-data-security-guidelines/ - Markdown: https://datacompliancechina.com/laws/idc-customer-data-security-guidelines.md ### Summary Issued as MIIT General Office Cyber Security [2025] No. 5, this instrument comprises a notice and an annexed implementing guideline directing Internet Data Center (IDC) operators to strengthen the security of customer data they host. It follows the principle of consistent rights and responsibilities, classified strategy, combined management-and-technology, and ensured security, and sets out general safeguard capabilities (responsibility boundaries, access/operation/destruction/isolation controls, incident response, and security-service provision) plus scenario-specific requirements for server-hosting and for data-storage-and-computing (including AI training-data and computing-power-scheduling security). Both the notice and the annexed guideline are translated in full below. ### Full text **Promulgated by:** General Office of the Ministry of Industry and Information Technology. **Document No.:** MIIT General Office Cyber Security [2025] No. 5. **Issued and effective January 13, 2025.** --- ## Notice on Strengthening the Protection of Customer Data Security in Internet Data Centers To the communications administrations of all provinces, autonomous regions and municipalities directly under the Central Government; China Telecom Corporation Limited, China Mobile Communications Group Co., Ltd., and China United Network Communications Group Co., Ltd.; and the relevant Internet data center enterprises: The Internet Data Center (hereinafter referred to as IDC), as a new-generation information infrastructure, carries the massive customer data of thousands of industries and is an important strategic resource bearing on the lifeline of the national economy. Enhancing the capability to safeguard IDC customer data security is of vital importance to maintaining economic and social stability and even national security. In order to guide IDC business operators in strengthening the protection of customer data security, the relevant matters are hereby notified as follows: ### I. Basic Requirements **(I) Overall principle.** In accordance with the Data Security Law, the Cybersecurity Law, the Network Data Security Management Regulation, the Administrative Measures for Data Security in the Field of Industry and Information Technology (Trial) and other laws, regulations and policy requirements, and following the principle of "consistent rights and responsibilities, classified strategy, combined management and technology, and ensured security," strengthen the development of the capability to safeguard customer data security and enhance the level of customer data security protection (see the annex for specific implementing guidelines). **(II) Clarify the security responsibility boundary.** In the contracts and agreements signed with customers, third-party service providers and the like, clarify the data security protection responsibilities and obligations of all parties according to the cooperation model, content, and the like. **(III) Strengthen system development and organizational assurance.** Establish and improve a customer data security management system, clarify the person responsible for data security and the management department, and strengthen customer data security management and assurance measures. **(IV) Strengthen customer management.** Establish a customer management mechanism, and provide differentiated security protection measures for customers to select according to customer category and data protection needs. **(V) Strengthen customer data security assurance.** In line with the data processing flow, clarify the security strategies and process mechanisms for key stages such as data access, operation and destruction, and ensure protective measures such as data isolation. Before implementing high-risk operations that may affect customer data security and before providing customer data externally, inform the customer and obtain authorization. According to the actual business situation, improve business continuity and stability through redundant design and the like. **(VI) Carry out incident emergency response.** Establish a contingency plan for customer data security incidents, and regularly conduct emergency drills. Where a customer data security incident is caused by the IDC business operator, immediately activate emergency disposal measures, promptly inform the customer, and report to the telecommunications authority in accordance with relevant requirements. **(VII) Provide security protection service capabilities.** According to the actual business situation, provide data security technical capabilities and cybersecurity protection products or services for customers to select. ### II. Strengthening Safeguard Capabilities for the Server-Hosting Business Scenario **(VIII) Ensure the security of equipment-room facilities.** Standardize equipment-room security management, equip physical security safeguard measures, strengthen the security assurance of equipment-room authority, personnel attendance, fire-protection systems, and the like, promptly discover and eliminate security hazards, and prevent the destruction and loss of customer data. **(IX) Carry out equipment supply-chain management.** Where the sale or lease of servers, network equipment and the like is involved, strengthen equipment procurement security management, establish equipment ledgers, and carry out security inspection before equipment is put on the rack and regular maintenance and updates, so as to prevent customer data from being tampered with or stolen. ### III. Strengthening Safeguard Capabilities for the Data-Storage-and-Computing Business Scenario **(X) Ensure data storage and computing security.** Provide data security protection capabilities such as disaster-recovery backup, verification technology and cryptographic technology, equip the technical capability for storage and computing resource monitoring, promptly discover and give early warning of abnormal use of storage and computing resources, and carry out dynamic adjustment and allocation of resources, so as to ensure the security and availability of the relevant resources. **(XI) Ensure data transmission security.** Provide protective measures such as data encryption, interface authentication and security auditing, strengthen data security risk monitoring and early warning, provide the capability to discover, warn of and dispose of security risks such as abnormal data flow and non-compliant export, and assist customers in safeguarding the security of data transmission links and interfaces. **(XII) Strengthen the security management of key services.** Where the function of managing artificial-intelligence training data sets is provided, provide the capability to safeguard the security of customers' own training data sets, so as to prevent the relevant data sets from being leaked or contaminated. Where computing-power scheduling and computing-power services are provided, carry out the security management of computing-power scheduling strategies, equip the capability for monitoring, early warning and emergency disposal of abnormal use of computing power, and ensure the security of computing-power scheduling. ### IV. Strengthening Data Security Supply Support **(XIII) Advance the development of data security standards.** The Ministry of Industry and Information Technology organizes the formulation of standards related to IDC customer data security protection and capability evaluation, clarifies the general and typical-scenario security protection rules and responsibility-division models for IDC customer data, and establishes a graded evaluation system for customer data security protection capabilities, so as to guide IDC business operators in enhancing the level of customer data security protection. **(XIV) Explore the conduct of data security protection capability evaluation.** IDC business operators may, on their own or by entrusting third-party professional institutions, regularly carry out customer data security protection capability evaluation. Industry organizations and professional institutions are encouraged to carry out grading of customer data security protection capabilities based on the capability evaluation results, so as to guide IDC business customers in selecting IDC services as needed according to business scenario, data importance, and the like. ### V. Work Implementation **(XV) Consolidate customer data security protection responsibility.** IDC business operators shall attach great importance to customer data security protection, strengthen their sense of responsibility, actively increase resource investment in line with their own actual situation, carry out customer data security protection work well, and effectively enhance the level of IDC business service. **(XVI) Strengthen supervision and guidance.** The Ministry of Industry and Information Technology and the local communications administrations shall strengthen the supervision and guidance of IDC business customer data security protection work, and implement the primary responsibility of the relevant enterprises. This Notice is hereby issued. General Office of the Ministry of Industry and Information Technology January 13, 2025 --- ## Annex: Implementing Guidelines for the Protection of Customer Data Security in Internet Data Centers ### I. Basic Situation of the Internet Data Center Business and Data Security Risk Challenges **(I) Basic situation and classification of the Internet Data Center.** The Internet Data Center business (hereinafter referred to as the IDC business; see the Catalogue of Telecommunications Business Classification) mainly includes the traditional data center business and the Internet resource collaboration business. In light of business product functions, it is subdivided into three business scenarios: first, the server-hosting business scenario, referring to the business model in which the IDC business operator provides customers with services such as equipment rooms, cabinets and equipment leasing, as well as equipment maintenance; second, the data-storage business scenario, referring to the business model in which the IDC business operator provides customers with data storage services, as well as related data upload, download and access services; third, the data-computing business scenario, referring to the business model in which the IDC business operator provides customers with services such as data cleansing, integration, analysis, processing, presentation, model training, and computing-power scheduling. **(II) Customer data security risk challenges faced by the IDC business.** 1. **General security risks.** On the one hand, the IDC business operator, the customer, and even third-party suppliers and other parties that may access and process customer data have not clearly divided the boundaries of data security responsibility, resulting in unclear data security protection rights and responsibilities among the parties and inadequate implementation of responsibilities and obligations. On the other hand, the IDC business operator's customer data security management systems and mechanisms are not sound and its security protection measures are not fully equipped, increasing the security risk of customer data being stolen, leaked, and the like. 2. **Security risks of typical business scenarios.** First, in the server-hosting business scenario, the IDC business operator is mainly responsible for safeguarding the security of equipment-room infrastructure, and the possible customer data security risk situations mainly include: natural-environment disasters (earthquakes, floods), physical-facility failures (such as power outages, temperature and humidity imbalance, etc.) and the like causing servers and other equipment to crash, be damaged or be stolen, resulting in the destruction and loss of customer data; where network equipment, servers and the like are provided by the business operator, the need to prevent risks such as equipment being attacked and intruded due to inadequate equipment security management and the existence of equipment vulnerabilities and backdoors, thereby causing customer data to be stolen or destroyed. Second, in the data-storage and computing business scenario, the IDC business operator mainly provides secure and reliable computing and storage platforms, and the possible customer data security risk situations mainly include: in the stages of data storage and transmission, as well as computing-power scheduling and artificial-intelligence training, risks of data being stolen, leaked, lost, and the like, due to insufficient data security safeguard measures and imperfect management and technical means such as risk monitoring, resource monitoring and load balancing. ### II. Enhancing Customer Data Security Safeguard Capabilities **(III) General safeguard capabilities.** 1. **Customer data processing requirements.** The IDC business operator shall, in accordance with the Data Security Law, the Cybersecurity Law, the Network Data Security Management Regulation, the Administrative Measures for Data Security in the Field of Industry and Information Technology (Trial) and other laws, regulations and policy requirements, perform its customer data security protection responsibilities, and shall not, without the customer's authorization, collect, store, use, process, transmit, provide, disclose or destroy customer data in any form, except as otherwise provided by laws and regulations. 2. **Clarify the responsibility interface.** In the contracts and agreements signed with customers, with reference to relevant industry standards and according to the business model and service content, clarify the data security protection responsibilities and obligations of both parties. Where customer data is processed through the procurement of third-party service-provider equipment, services and the like, clarify the data security protection responsibilities and obligations of all parties. 3. **Management-system development.** Establish a customer data security management system, clarifying the division of work responsibilities, supporting mechanisms, and management and technical safeguard measures. 4. **Institution and personnel arrangement.** Clarify the person responsible for data security and the management department, and, in light of the business model, establish data security management positions and clarify position responsibilities, equip corresponding personnel, and take overall responsibility for the security management of customer data processing activities. 5. **Customer management.** Establish a customer management mechanism, strengthen data security risk reminders to key customers such as Party and government organs, provide differentiated security protection capabilities according to customer category and data protection needs, and cooperate in taking corresponding protective measures, so as to enhance the security protection capability of the information systems and data carried by the IDC. 6. **Data classification and grading protection.** Before providing services, by means of contracts and agreements and the like, remind customers to identify important data in accordance with relevant national and industry laws, regulations, policy requirements, and standards and specifications, strengthen personal information protection, and perform data classification and grading protection responsibilities and obligations. According to the data category and grade, possess differentiated security protection capabilities, and, in accordance with the customer's data classification and grading protection requirements, cooperate in carrying out corresponding data security protection. 7. **Data access security.** Standardize the access process for customer data, cooperate with customers in establishing access control strategies, and equip technical measures to prevent security risks such as unauthorized access to customer data. 8. **Data operation security.** Improve mechanisms such as customer data operation registration, authority approval, and dynamic account verification. Where customer data processing activities are carried out with the customer's authorization, reasonably allocate operating authority in accordance with the principle of minimum necessity, carry out authority monitoring, retain relevant log records of authority application, approval, data operation, and the like, and promptly reclaim expired authority; where bulk download, bulk access, or the operation and processing of customer important data or personal information is carried out, separately perform internal approval procedures. 9. **Data destruction security.** Clarify the security strategies and operating procedures for customer data destruction, and provide differentiated data destruction measures for different types of storage media. Do not arbitrarily destroy customer data without authorization. Where data is destroyed at the customer's request, keep destruction records, and do not recover it for any reason or in any manner. 10. **Data isolation security.** Equip data isolation security strategies, and provide physical, logical and other data isolation methods, so as to ensure the independence of customer data in the processing of each stage. 11. **High-risk operation security.** Establish a ledger of high-risk operations that may cause major customer data security risks, covering network and equipment replacement, operation and maintenance, upgrades, and data migration, and form high-risk operation security specifications. Before carrying out a high-risk operation, inform the relevant customer of the system scope involved, the operation behavior, the time, the reason, the possible major risks, and the like, and obtain the customer's authorization. 12. **External provision of data.** Where the external provision of customer data is involved, inform the customer in advance of the purpose, method, scope, safeguard measures, and the like, of providing the data, and obtain the customer's authorization. 13. **Business availability assurance.** According to the actual business situation, improve business continuity and stability through redundant design and the like. 14. **Security-incident emergency disposal.** Establish a contingency plan for customer data security incidents, covering security-incident scenarios such as customer data loss, destruction and leakage, clarify the graded incident disposal methods, processes, and the like, regularly organize and conduct emergency drills, and enhance the emergency disposal capability for customer data security incidents. Where a customer data security incident is caused by the IDC business operator, immediately activate emergency disposal, promptly inform the customer, and, in light of the degree of impact of the incident, report to the telecommunications authority in accordance with relevant laws, regulations and standards. At the same time, according to the type and grade of the incident and the like, promptly cooperate with the customer in carrying out incident emergency disposal and reporting. 15. **Provision of security protection capabilities.** According to the actual business situation, provide data security technical capabilities such as data encryption, desensitization, access control, authentication and verification, log recording and auditing, and data backup and recovery, as well as cybersecurity protection products or services such as firewalls, bastion hosts, illegal-intrusion detection, tamper-proofing, vulnerability scanning, virus prevention, and security upgrades, for customers to select. **(IV) Safeguard capabilities for the server-hosting business scenario.** 1. **Equipment-room management requirements.** Standardize equipment-room security management, and clarify the security management requirements for equipment-room facilities, customer equipment, and personnel entry and exit. 2. **Equipment-room physical security.** Equip equipment-room physical security safeguard measures, implement 7×24-hour monitoring of key areas, and possess the capability to identify, alarm, intercept and dispose of abnormal entry and exit behavior. 3. **Equipment-room authority management.** Set an equipment-room entry and exit authority list, clarifying the authority scope, validity period, approver, and other information. Implement strict approval for the entry and exit of personnel not on the list; where the customer authorizes entry into the equipment room to carry out equipment and data operation and maintenance management, equip corresponding management and technical measures, retain equipment-room entry and exit records, and strictly restrict the entry of unauthorized personnel. 4. **Equipment-room attendance management.** Arrange 7×24-hour personnel attendance, establish infrastructure inspection and risk-disposal procedures, implement normalized patrols and inspections, and promptly discover and eliminate risks and hidden dangers. 5. **Fire-protection system security.** Equip fire-protection power-supply facilities, an automatic fire-alarm system, an emergency lighting system, dual water and power systems, and the like, so as to ensure the rapid recovery and operation of the equipment room under extreme circumstances. 6. **Equipment supply management.** Where the sale or lease of servers, network equipment and the like is involved, carry out equipment security management well, establish equipment ledgers, and record the equipment brand, model, key performance parameters, procurement time, source, and security application status, and the like. Carry out security inspection before equipment is put on the rack, conduct regular maintenance and updates, and strengthen the security management of security vulnerabilities, equipment and system configuration, and the like. Where services are provided to key customers such as Party and government organs, IDC business operators are encouraged to use independently controllable network and data security equipment. **(V) Safeguard capabilities for the data-storage-and-computing business scenario.** 1. **Data storage security.** Strengthen customer data storage security management, and provide data security protection capabilities such as disaster-recovery backup, verification technology and cryptographic technology, so as to meet customers' different data storage security needs. 2. **Data security risk monitoring.** Strengthen data security risk monitoring and early warning, sort out and grasp traffic nodes, equip technical means such as traffic analysis and filtering, possess the capability to discover data security risks, and promptly investigate and rectify data security problems and hidden dangers. 3. **Resource monitoring and load balancing.** Equip the technical capability for storage and computing resource monitoring, monitor in real time and conduct statistical analysis of resource usage, and promptly give early warning of and discover abnormal-use situations. Equip the technical capability for storage and computing resource load balancing, dynamically adjust resource allocation in real time according to the resource load situation, and ensure the security and availability of resources. 4. **Data transmission security.** Strengthen customer data transmission security management, and, according to the grade and application scenario of the customer data transmitted, cooperate with customers in formulating secure transmission strategies, and provide protective measures such as data encryption, interface authentication and security auditing. Meet customers' data transmission security needs and the need for regular interface security auditing, promptly adjust the interface status, and reclaim and close abandoned interfaces. 5. **Artificial-intelligence training-data security.** Where the function of managing artificial-intelligence training data sets is provided, provide the capability to safeguard the security of customers' own training data sets, so as to prevent customers' own training data sets from being leaked or contaminated. 6. **Computing-power scheduling security.** Where computing-power scheduling services are provided, equip secure and reliable computing-power scheduling strategies, carry out strategy configuration management and change approval, and ensure that computing power is reasonably allocated as needed. Where computing-power services are provided, possess the capability to monitor computing-power usage in real time, discover and give early warning of abnormal-use situations of computing-power resources, and promptly take measures such as strategy adjustment and resource deactivation. --- ## National Standards and Norms for Hospital Informatization Construction (Trial) - Chinese title: 全国医院信息化建设标准与规范(试行) - Abbreviation: Hospital Informatization Standards - Hierarchy: standard - Issuing body: National Health Commission; State Administration of Traditional Chinese Medicine - Adopted: 2018-04-02 - Effective: 2018-04-02 - Status: effective - URL: https://datacompliancechina.com/laws/hospital-informatization-standards/ - Markdown: https://datacompliancechina.com/laws/hospital-informatization-standards.md - Source URL: https://www.nhc.gov.cn/guihuaxxs/s10741/201804/ ### Summary Issued on 2 April 2018 by the General Office of the National Health Commission (document no. 国卫办规划发〔2018〕4号), this trial standard defines the baseline build-out content and requirements for hospital informatization across China. It builds on the earlier 'Hospital Information Platform Application Function Guide' and 'Hospital Informatization Construction Application Technology Guide' and organizes 262 specific items into five chapters — business applications, information platform, infrastructure, security protection, and emerging technologies — with tiered requirements for Grade-II, Grade-III Class-B, and Grade-III Class-A hospitals. Chapter 4 (Security Protection) is the data-compliance core: it specifies functional requirements for data-center security, endpoint security, network security, and disaster-recovery backup, including firewalls, database audit and access control, intrusion detection/prevention, encryption gateways, data-leak prevention, and offsite backup. The full instrument is a large tabular technical standard; the page below translates the issuing notice in full and gives a structured English summary of the standard's security, network-security, and information-security functional requirements. ### Full text > *DCC note.* This page reproduces the **issuing notice in full** (faithful translation) and provides a **structured English summary** of the attached standard. The standard itself — *National Standards and Norms for Hospital Informatization Construction (Trial)* — is a large tabular technical document (5 chapters, 22 categories, 262 graded line-items, each specified separately for Grade-II, Grade-III Class-B, and Grade-III Class-A hospitals). It is not reproduced verbatim; instead, the summary focuses on its data-security, network-security, and information-security functional requirements (Chapter 4 and the emerging-technologies chapter), which are the parts relevant to data compliance. --- ## Issuing Notice (full translation) **Notice on the Issuance of the *National Standards and Norms for Hospital Informatization Construction (Trial)*** Document No.: Guo Wei Ban Gui Hua Fa [2018] No. 4 To the health and family planning commissions of all provinces, autonomous regions, municipalities directly under the Central Government and cities specifically designated in the State plan, and the Xinjiang Production and Construction Corps; to all departments and bureaus of the Commission; and to the units directly under and affiliated with the Commission, and the hospitals affiliated with (administered by) the Commission: In order to promote and standardize hospital informatization construction, our Commission — building upon the *Hospital Information Platform Application Function Guide* and the *Hospital Informatization Construction Application Technology Guide* — has formulated the *National Standards and Norms for Hospital Informatization Construction (Trial)*, which clarifies the construction content and construction requirements for hospital informatization. It is hereby issued to you (it may be downloaded from the website of the National Health Commission). Please implement it by reference. Contact persons: Wang Yong and Shen Jianfeng, Department of Planning Telephone: 010-68792937, 68791911 General Office of the National Health Commission 2 April 2018 Attachment: *National Standards and Norms for Hospital Informatization Construction (Trial)* --- ## Structured summary of the Standard ### Status and scope The *National Standards and Norms for Hospital Informatization Construction (Trial)* (the "Construction Standards") were drafted by the Department of Planning and Information of the National Health Commission together with its Statistical Information Center, with input from more than 60 experts and technicians. The Standards target the clinical-business and hospital-management needs of Grade-II hospitals, Grade-III Class-B hospitals, and Grade-III Class-A hospitals, looking out over a 5–10 year development horizon. Maternal-and-child health hospitals and specialty hospitals may apply them by reference. Grade-II-and-above hospitals are directed to comply, in addition, with health-industry information standards including the **basic dataset for electronic medical records**, the **EMR shared-document specification**, and the **EMR-based hospital information platform technical specification**. ### Document structure (5 chapters, 22 categories, 262 items) - **Chapter 1 — Business Applications** (9 categories): convenience services, medical services, medical management, medical collaboration, operations management, logistics management, research management, teaching management, human-resources management. - **Chapter 2 — Information Platform** (2 categories): information-platform foundation, platform service integration. - **Chapter 3 — Infrastructure** (3 categories): equipment-room foundation, hardware equipment, basic software. - **Chapter 4 — Security Protection** (4 categories): data-center security, endpoint security, network security, disaster-recovery backup. - **Chapter 5 — Emerging Technologies** (4 categories): big-data technology, cloud-computing technology, artificial-intelligence technology, Internet-of-Things technology. Each line-item is specified at three capability tiers, so that a Grade-II hospital generally must meet a reduced subset of the functions and service types that a Grade-III Class-A hospital must meet. ### Chapter 4 — Security Protection (the data-compliance core) This is the chapter most relevant to data security and network security. It is framed as a catalogue of security devices and capabilities and their required functions. **Data-center security.** Specifies dedicated security equipment and the functions each must provide, including: - **Web application firewall** — web access control, page anti-tampering, identity authentication, log auditing, and other functions. - **Database firewall / database audit and access control** — database auditing, database access control, database access detection and filtering, database service discovery, de-identified-data discovery, and database-status monitoring; support for bridge, gateway, and hybrid deployment, access-control policies based on security-level labels, and active-standby hot backup for continuity of service. - **Network-boundary firewall** — access control, intrusion prevention, virus prevention, application identification, web protection, load balancing, traffic control, identity authentication, and **data-leak prevention**, with multiple access-control modes (zone access control, packet-level access control, session access control, content-filtering access control, application-identification access control). - **Security-audit appliances** — recording network behaviour and user behaviour; audit records capturing event time and date, user, event type, and success/failure; analysis and audit-report generation. Includes database-operation auditing (query, protection, backup, analysis, audit, real-time monitoring, risk alerting, operation playback), operations-and-maintenance auditing (resource authorization, O&M monitoring, O&M-operation audit, real-time alerting and blocking of violations, session audit and playback), and host-security auditing. - **Encryption appliances** — database encryption, key management, database-status monitoring, database risk-scanning; **mail encryption** with attachment encryption, gateway-to-gateway encryption and related modes, plus mail security defence. - **Intrusion-prevention / intrusion-detection appliances** — active defence against network attacks (with cross-reference to the national standard GB/T 20275-2013 on network intrusion-detection systems), wireless-attack defence, anti-DoS, traffic monitoring, statistical thresholds, and real-time blocking; detection of trojans/backdoors, DoS, buffer-overflow, IP-fragment and network-worm attacks, with source-IP, attack-type, attack-target and attack-time logging and alerting on serious incidents. - **Network-admission control** — admission identity authentication, compliance/health checks, terminal policy management, and log auditing to screen out non-compliant devices and personnel. - **Website-protection appliances** — website-attack filtering, file-access control, security verification, attack-event alerting, security-policy management, backup, synchronization, automatic recovery, server-reliability monitoring, and audit logging. **Endpoint security.** Functional requirements for securing clinical and office terminals (anti-malware, terminal control, and related controls), graded by hospital tier. **Network security.** Boundary protection, access control, intrusion prevention, and monitoring across the hospital network, consistent with the national Multi-Level Protection Scheme (等级保护 / MLPS). **Disaster-recovery backup.** Requirements for local full backup and offsite backup of important data, redundancy of key links and key devices, and recoverability — feeding the broader health-data requirement that medical data be reliably backed up and recoverable. ### Chapter 5 — Emerging Technologies (security-relevant notes) The emerging-technologies chapter (big data, cloud computing, artificial intelligence, Internet of Things) sets capability expectations that carry their own security implications — for example, security assessment of cloud platforms and data, and protection of data processed through big-data and AI applications. These requirements are echoed and tightened by the later *Measures for Cybersecurity Management of Healthcare Institutions* and the *Measures for Data Security and Personal Information Protection of Healthcare Institutions (Trial)*. ### Why this matters for data compliance For overseas medtech, hospital-IT, and health-data vendors building or supplying systems to Chinese hospitals, the Construction Standards are the reference catalogue that hospitals use to specify security functions in tenders and acceptance testing. The Chapter 4 device/function list is, in practice, a checklist of the security controls a compliant hospital information environment is expected to contain — firewalls, database audit and access control, intrusion detection/prevention, encryption and key management, data-leak prevention, audit logging, network-admission control, and offsite backup. A supplier whose product is intended to operate inside a Grade-III hospital environment should expect these controls to be present and to be required to interoperate with them. --- — *National Standards and Norms for Hospital Informatization Construction (Trial)*, issued 2 April 2018 by the General Office of the National Health Commission (Guo Wei Ban Gui Hua Fa [2018] No. 4). The issuing notice above is a faithful DCC translation; the description of the standard is a structured DCC summary of a large tabular technical document, not a verbatim translation. For the source document, see the [National Health Commission website](https://www.nhc.gov.cn/guihuaxxs/s10741/201804/). --- ## Good Clinical Practice for Medical Devices - Chinese title: 医疗器械临床试验质量管理规范 - Abbreviation: Device GCP - Hierarchy: standard - Issuing body: National Medical Products Administration; National Health Commission - Adopted: 2022-03-24 - Effective: 2022-05-01 - Status: effective - URL: https://datacompliancechina.com/laws/medical-device-clinical-trial-qms/ - Markdown: https://datacompliancechina.com/laws/medical-device-clinical-trial-qms.md ### Summary Issued jointly by the NMPA and the National Health Commission (Announcement No. 28 of 2022) and effective May 1, 2022, this standard (Device GCP) governs the entire lifecycle of medical-device clinical trials (including in-vitro diagnostic reagents), from protocol design through monitoring, audit, inspection, and the collection, recording, retention, analysis, summarization and reporting of trial data. It places heavy emphasis on trial-data integrity — data must be authentic, accurate, complete and traceable, source data must be identifiable and changes tracked, and electronic data-capture systems must be validated with full permission management and audit trails. The data-compliance touchpoints are pervasive: subject-privacy protection and informed consent (with explicit confidentiality of subjects' personal data subject to defined access by regulators, the ethics committee, monitors and auditors), source-data/source-document traceability, electronic-records controls, and long-term retention of trial master files. ### Full text **Promulgated by:** National Medical Products Administration; National Health Commission. **Announcement No. 28 of 2022 of the National Medical Products Administration and the National Health Commission.** In order to deepen the reform of the medical device review and approval system and strengthen the administration of medical device clinical trials, in accordance with the Regulation on the Supervision and Administration of Medical Devices (Order No. 739 of the State Council), the Measures for the Administration of Medical Device Registration and Filing (Order No. 47 of the State Administration for Market Regulation) and the Measures for the Administration of In-Vitro Diagnostic Reagent Registration and Filing (Order No. 48 of the State Administration for Market Regulation), the National Medical Products Administration, together with the National Health Commission, has organized the revision of the Good Clinical Practice for Medical Devices, which is hereby promulgated and shall come into force on May 1, 2022. This is hereby announced. **Attachment:** Good Clinical Practice for Medical Devices **National Medical Products Administration; National Health Commission** **March 24, 2022** --- ## Chapter 1 General Provisions **Article 1.** These Norms are formulated in accordance with the Regulation on the Supervision and Administration of Medical Devices in order to strengthen the administration of medical device clinical trials, safeguard the rights, interests and safety of trial subjects, and ensure that the process of medical device clinical trials is well-regulated and that the results are authentic, accurate, complete and traceable. **Article 2.** The activities relating to medical device clinical trials conducted within the territory of the People's Republic of China for the purpose of applying for the registration of medical devices (including in-vitro diagnostic reagents, the same below) shall comply with these Norms. These Norms cover the entire process of medical device clinical trials, including the protocol design, implementation, monitoring, audit and inspection of the medical device clinical trial, as well as the collection, recording, retention, analysis, summarization and reporting of data. **Article 3.** Medical device clinical trials shall comply with the ethical principles of the Declaration of Helsinki of the World Medical Association and the relevant State norms on the ethics of biomedical research involving human beings. The parties participating in a medical device clinical trial shall bear the corresponding ethical responsibilities in accordance with their respective duties in the trial. **Article 4.** The conduct of a medical device clinical trial shall have a sufficient scientific basis and a clear trial objective, and shall weigh the anticipated risks and benefits to the trial subjects and to society. A clinical trial may be conducted or continued only when the anticipated benefits outweigh the risks. **Article 5.** A medical device clinical trial shall be conducted at a medical device clinical trial institution that possesses the corresponding conditions and has been filed in accordance with the provisions. **Article 6.** A medical device clinical trial shall obtain the consent of the ethics committee. Where the device is included in the catalogue of Class III medical devices subject to clinical trial approval, the trial shall also obtain the approval of the National Medical Products Administration and be conducted at a Grade III Class A medical institution that meets the requirements. **Article 7.** The sponsor of a medical device clinical trial shall establish a quality management system covering the entire process of the medical device clinical trial to ensure that the medical device clinical trial complies with the relevant laws and regulations and protects the rights, interests and safety of the trial subjects. ## Chapter 2 Ethics Committee **Article 8.** The duty of the ethics committee is to protect the lawful rights, interests and safety of trial subjects and to safeguard the dignity of trial subjects. **Article 9.** The ethics committee shall comply with the ethical principles of the Declaration of Helsinki of the World Medical Association and the provisions of the relevant laws and regulations. The composition, operation and filing administration of the ethics committee shall meet the requirements of the health administration department. **Article 10.** All members of the ethics committee shall receive training in ethics knowledge, these Norms and the relevant laws and regulations, be familiar with the ethical principles of medical device clinical trials and the provisions of the relevant laws and regulations, and comply with the working procedures of the ethics committee. **Article 11.** Before a medical device clinical trial begins, the sponsor shall, through the principal investigator, submit the following documents to the ethics committee: (I) the clinical trial protocol; (II) the investigator's brochure; (III) the informed consent form text and any other written materials provided to the trial subjects; (IV) procedural documents for recruiting trial subjects and for publicity directed at them (if applicable); (V) the case report form text; (VI) the product inspection report based on the product technical requirements; (VII) materials relating to the preclinical research; (VIII) the resume, professional expertise, competence, training received and other documents able to prove the qualifications of the principal investigator; (IX) a statement that the development of the investigational medical device complies with the relevant requirements of the applicable medical device quality management system; (X) other documents relating to the ethical review. **Article 12.** The ethics committee shall review the ethicality and scientific validity of the medical device clinical trial, and shall focus on the following: (I) the qualifications and experience of the principal investigator and whether he or she has sufficient time to participate in the clinical trial; (II) whether the staffing, equipment and other conditions for the clinical trial meet the trial requirements; (III) whether the degree of risk that the trial subjects may suffer is appropriate compared with the anticipated benefits of the trial; (IV) whether the clinical trial protocol has fully considered the ethical principles and is scientifically valid, including whether the research objectives are appropriate, whether the rights, interests and safety of the trial subjects are safeguarded, and whether the risks that other personnel may suffer are fully protected; (V) whether the information and materials about the trial provided to the trial subjects are complete, whether they clearly inform the subjects of the rights they are entitled to, whether the subjects can understand the contents of the informed consent form, and whether the method of obtaining informed consent is appropriate; (VI) whether the inclusion and exclusion of trial subjects are scientific and fair; (VII) whether the trial subjects obtain reasonable compensation for participating in the clinical trial, and whether the diagnosis, treatment and safeguard measures provided are sufficient in the event that a subject suffers injury or death related to the clinical trial; (VIII) whether the protection of trial subjects from special populations, such as children, pregnant women, the elderly, persons with intellectual disabilities and patients with mental disorders, is sufficient. **Article 13.** The review opinion of the ethics committee may be: (I) approval; (II) approval after necessary modifications; (III) disapproval; (IV) suspension or termination of an already-approved trial. Where the review opinion requires modifications or constitutes a denial, the reasons shall be stated. **Article 14.** The informed consent form shall generally include the following contents and explanations of relevant matters: (I) the name of the principal investigator and relevant information; (II) the name of the medical device clinical trial institution; (III) the name, objective, methods and content of the clinical trial; (IV) the process and duration of the clinical trial; (V) the funding source of the clinical trial and possible conflicts of interest; (VI) the anticipated possible benefits to the trial subjects and the known and foreseeable risks, as well as the adverse events that may occur; (VII) information on the alternative diagnostic and treatment methods available to the trial subjects and their potential benefits and risks; (VIII) where applicable, an explanation that the trial subjects may be allocated to different groups of the clinical trial; (IX) that the trial subjects' participation in the clinical trial is voluntary and that they have the right to withdraw at any stage of the clinical trial without being discriminated against or retaliated against, and that their medical treatment and rights and interests will not be affected; (X) informing the trial subjects that their personal data relating to participation in the clinical trial are confidential, but that the administrative department of the medical device clinical trial institution, the ethics committee, the drug administration department, the health administration department, or the monitor or auditor may, where necessary for their work, consult the personal data of the trial subjects relating to participation in the clinical trial in accordance with prescribed procedures; (XI) the free diagnostic and treatment items and other relevant compensation that the trial subjects may obtain during the clinical trial; (XII) the treatment and/or compensation that the trial subjects may obtain in the event of injury related to the clinical trial; (XIII) that the trial subjects may at any time during the clinical trial obtain information and materials relating to themselves. The informed consent form shall indicate the version and date on which it was formulated, or the version and date after revision. The informed consent form shall use language and wording that the trial subjects can understand. The informed consent form shall not contain content that would cause the trial subjects to waive their lawful rights and interests or that would exempt the medical device clinical trial institution, the principal investigator or the sponsor from the responsibilities they should bear. **Article 15.** Follow-up review by the ethics committee: (I) the ethics committee shall conduct follow-up supervision of the medical device clinical trial, and where it discovers that the rights, interests and safety of the trial subjects cannot be safeguarded or other circumstances exist, it may at any time require in writing the suspension or termination of the clinical trial; (II) the ethics committee shall review safety information such as serious adverse events occurring at the trial institution reported by the investigator, and review safety information such as serious adverse events relating to the investigational medical device reported by the sponsor. The ethics committee may require modifications to the clinical trial protocol, the informed consent form and other information provided to the trial subjects, and may suspend or terminate the clinical trial; (III) the ethics committee shall review the possible impact of deviations from the clinical trial protocol on the rights, interests and safety of the trial subjects, or the possible impact on the scientific validity and integrity of the medical device clinical trial. **Article 16.** In the course of a medical device clinical trial, the revision of documents such as the clinical trial protocol and the informed consent form, and the resumption of a suspended clinical trial, may be implemented only after the written consent of the ethics committee has again been obtained. **Article 17.** The ethics committee shall preserve all records of the ethical review, including the written records of the ethical review, member information, submitted documents, meeting minutes and relevant correspondence records. ## Chapter 3 Medical Device Clinical Trial Institutions **Article 18.** A medical device clinical trial institution shall meet the filing conditions and establish a clinical trial management organizational structure and management system. A medical device clinical trial institution shall have a corresponding clinical trial management department to undertake the management of medical device clinical trials. **Article 19.** The management department of a medical device clinical trial institution shall be responsible for filling in, managing and changing the filing information of the medical device clinical trial institution in the medical device clinical trial institution filing administration information system, including information on clinical trial specialties and principal investigators; for submitting online, in the filing system, the summary report on the medical device clinical trial work carried out in the previous year; and, before the ethics committee reviews the medical device clinical trial, for organizing the assessment of the qualifications of the principal investigator of the clinical trial and completing the filing thereof. **Article 20.** A medical device clinical trial institution shall establish a quality management system covering the entire process of the implementation of medical device clinical trials, including systems for training and assessment, the implementation of clinical trials, the management of medical devices, the management of biological samples, the handling of adverse events and device defects and the reporting of safety information, recording, and quality control, so as to ensure that the principal investigator performs his or her duties relating to the clinical trial, that the trial subjects receive proper medical treatment, and that the authenticity of the data generated by the trial is ensured. **Article 21.** Before accepting a medical device clinical trial, a medical device clinical trial institution shall, based on the characteristics of the investigational medical device, assess the relevant resources to ensure that it possesses matching qualifications, personnel, facilities and conditions. **Article 22.** The medical device clinical trial institution and the investigators shall cooperate with the monitoring and audit organized by the sponsor, as well as the inspections carried out by the drug administration department and the health administration department. **Article 23.** The medical device clinical trial institution shall properly preserve the clinical trial records and essential documents in accordance with the relevant laws and regulations and the contract with the sponsor. ## Chapter 4 Investigators **Article 24.** The principal investigator responsible for a medical device clinical trial shall meet the following conditions: (I) having completed the filing as a principal investigator of medical device clinical trials; (II) being familiar with these Norms and the relevant laws and regulations; (III) possessing the professional knowledge and experience required for the use of the investigational medical device, having undergone training relating to clinical trials, having experience in clinical trials, and being familiar with the medical device clinical trial protocol, the investigator's brochure and other materials provided by the sponsor; (IV) having the ability to coordinate, mobilize and use the personnel and equipment for conducting the medical device clinical trial, and the ability to handle the adverse events and other associated events occurring in the medical device clinical trial. **Article 25.** The principal investigator shall ensure that the medical device clinical trial complies with the latest version of the clinical trial protocol consented to by the ethics committee, and shall, within the agreed time limit, conduct the medical device clinical trial in accordance with the provisions of these Norms and the relevant laws and regulations. **Article 26.** The principal investigator may, in accordance with the needs of the medical device clinical trial, authorize investigators who have undergone training relating to clinical trials to organize and carry out subject recruitment and informed consent, screening and follow-up; the management and use of the investigational medical device and the control medical device (if applicable); the management and use of biological samples (if applicable); the handling of adverse events and device defects; the recording of clinical trial data and the completion of case report forms; and so on. **Article 27.** Investigators participating in a medical device clinical trial shall: (I) possess the professional and technical qualifications, training experience and relevant experience corresponding to undertaking the medical device clinical trial; (II) participate in the training relating to the medical device clinical trial organized by the sponsor, and participate in the medical device clinical trial within the scope authorized by the principal investigator; (III) be familiar with the principles, scope of application or intended use, product performance, operating methods, installation requirements and technical indicators of the investigational medical device, and understand the materials relating to the preclinical research of the investigational medical device; (IV) fully understand and comply with the clinical trial protocol, these Norms and the provisions of the relevant laws and regulations, as well as the duties relating to the medical device clinical trial; (V) master the methods for preventing and handling on an emergency basis the risks that the clinical trial may give rise to. **Article 28.** Investigators shall comply with the ethical principles of the Declaration of Helsinki of the World Medical Association and the relevant ethical requirements, and shall meet the following requirements: (I) using the latest version of the informed consent form and other information provided to the trial subjects that has been consented to by the ethics committee; (II) before the trial subjects participate in the clinical trial, explaining to the trial subjects the detailed circumstances relating to the investigational medical device and the clinical trial, and informing the trial subjects of the possible benefits and the known and foreseeable risks; after full and detailed explanation, the trial subject shall sign his or her name and the date on the informed consent form, and the investigator shall also sign his or her name and the date on the informed consent form; (III) where a trial subject is a person without civil capacity or with limited civil capacity, the written informed consent of his or her guardian shall be obtained in accordance with the law; where a trial subject lacks reading ability, an impartial witness shall witness the entire informed consent process and sign and date the informed consent form; (IV) not coercing or improperly inducing trial subjects by other means to participate in the clinical trial; (V) ensuring that, after the informed consent form is updated and reviewed and consented to by the ethics committee, all affected subjects whose trial procedures have not yet concluded sign the newly revised informed consent form. **Article 29.** Investigators have management responsibility for the investigational medical device and the control medical device (if applicable) provided by the sponsor, and shall ensure that they are used only for the trial subjects participating in the medical device clinical trial, store and keep them as required during the clinical trial, and dispose of them after the completion or termination of the clinical trial in accordance with the relevant laws and regulations and the contract with the sponsor. **Article 30.** Investigators shall ensure that the collection, handling, preservation, transport and destruction of biological samples in the medical device clinical trial comply with the clinical trial protocol and the relevant laws and regulations. **Article 31.** Where an adverse event occurs during a medical device clinical trial, the investigator shall provide the trial subject with sufficient and timely treatment and handling; where a trial subject develops a concomitant illness requiring treatment and handling, the investigator shall promptly inform the trial subject. The investigator shall record the adverse events occurring and the device defects discovered in the course of the medical device clinical trial. **Article 32.** Investigators shall promptly report safety information in the medical device clinical trial: (I) where a serious adverse event occurs during a medical device clinical trial, the investigator shall immediately take appropriate treatment measures for the trial subject; at the same time, the investigator shall, within 24 hours after becoming aware of the serious adverse event, report to the sponsor, the management department of the medical device clinical trial institution and the ethics committee; and shall follow up the serious adverse event in accordance with the provisions of the clinical trial protocol and submit a follow-up report on the serious adverse event; (II) where it is discovered that the risks of the medical device clinical trial outweigh the possible benefits and the clinical trial needs to be suspended or terminated, the principal investigator shall report to the sponsor, the management department of the medical device clinical trial institution and the ethics committee, promptly notify the trial subjects, and ensure that the trial subjects receive appropriate treatment and follow-up. **Article 33.** The principal investigator shall promptly handle the safety information received: (I) upon receiving serious-adverse-event and other safety information relating to the investigational medical device provided by the sponsor, he or she shall promptly sign for and read it, consider whether the treatment of the trial subjects should be adjusted accordingly, and communicate with the trial subjects as early as possible where necessary; (II) upon receiving a notice from the sponsor or the ethics committee that the medical device clinical trial needs to be suspended or terminated, he or she shall promptly notify the trial subjects and ensure that the trial subjects receive appropriate treatment and follow-up. **Article 34.** The principal investigator shall report to the ethics committee on the progress of the medical device clinical trial on time, and promptly report events affecting the rights, interests and safety of the trial subjects or deviations from the clinical trial protocol. **Article 35.** Where the sponsor seriously or continuously violates these Norms and the relevant laws and regulations, or requires changes to the trial data or conclusions, the medical device clinical trial institution and the investigators shall report in writing to the drug administration department of the province, autonomous region or municipality directly under the Central Government where the sponsor is located. ## Chapter 5 Sponsors **Article 36.** The sponsor shall be responsible for the authenticity and compliance of the medical device clinical trial. Where the sponsor is an overseas institution, it shall, in accordance with the relevant laws and regulations, designate an enterprise legal person within the territory of China as its agent, who shall assist the sponsor in performing its duties. **Article 37.** The sponsor's quality management system shall cover the entire process of the medical device clinical trial, including the selection of the medical device clinical trial institution and the principal investigator, the design of the clinical trial protocol, the implementation of the medical device clinical trial, recording, the reporting of results, and document filing. The sponsor's quality management measures shall be commensurate with the risks of the clinical trial. **Article 38.** Before initiating a medical device clinical trial, the sponsor shall: (I) ensure that the product design has been finalized and the preclinical research of the investigational medical device has been completed, including performance verification and validation, the product inspection report based on the product technical requirements, and the risk-benefit analysis, and that the results are able to support the medical device clinical trial; (II) select, based on the characteristics of the investigational medical device, a filed medical device clinical trial institution, specialty and principal investigator; (III) be responsible for organizing the formulation of the investigator's brochure, the clinical trial protocol, the informed consent form, the case report form, the standard operating procedures and other relevant documents, and provide them to the medical device clinical trial institution and the principal investigator. **Article 39.** The sponsor shall conclude a contract with the medical device clinical trial institution and the principal investigator, clarifying the rights and obligations of all parties in the medical device clinical trial. **Article 40.** The sponsor shall, after the medical device clinical trial has passed ethical review and a contract has been concluded with the medical device clinical trial institution, file the clinical trial project with the drug administration department of the province, autonomous region or municipality directly under the Central Government where the sponsor is located. After the filing of the medical device clinical trial has been completed, the medical device clinical trial institution may then begin the informed consent and screening of the first trial subject. **Article 41.** Before a medical device clinical trial begins, the sponsor shall be responsible for organizing the training relating to the medical device clinical trial, such as the principles, scope of application, product performance, operating methods, installation requirements and technical indicators of the investigational medical device, as well as the clinical trial protocol, the standard operating procedures and other relevant documents. **Article 42.** The sponsor shall provide the investigational medical device free of charge, and shall meet the following requirements: (I) the investigational medical device shall be produced in accordance with the relevant requirements of the good manufacturing practice for medical devices and be of qualified quality; (II) determining the transport conditions, storage conditions, storage time, validity period, etc. of the investigational medical device; (III) the investigational medical device shall be appropriately packaged and preserved in accordance with the requirements of the clinical trial protocol; the packaging label shall indicate the product information, bear an easily identifiable and correctly coded mark, and indicate that it is for medical device clinical trial use only; (IV) after the medical device clinical trial has been consented to by the ethics committee, the sponsor shall be responsible for transporting the investigational medical device to the medical device clinical trial institution under the prescribed conditions; (V) for the investigational medical device recovered from the medical device clinical trial institution, the sponsor shall be responsible for keeping records of the recovery, disposal, etc. **Article 43.** The sponsor shall pay the expenses relating to the medical device clinical trial for the trial subjects. Where a trial subject suffers injury or death related to the medical device clinical trial, the sponsor shall bear the corresponding treatment expenses, compensation or indemnity, but this shall not include injury caused by the fault of the investigator or the medical device clinical trial institution itself or by the progression of the trial subject's own illness. **Article 44.** The sponsor shall be responsible for the assessment and reporting of safety information during the medical device trial: (I) the sponsor shall, within 7 days after becoming aware of a serious adverse event relating to the clinical trial medical device that is fatal or life-threatening, and within 15 days after becoming aware of a serious adverse event relating to the investigational medical device that is non-fatal or non-life-threatening and other serious safety risk information, report to the other medical device clinical trial institutions participating in the clinical trial, the ethics committee and the principal investigator, report to the drug administration department of the province, autonomous region or municipality directly under the Central Government where the sponsor is located, and report to the drug administration department and the health administration department of the province, autonomous region or municipality directly under the Central Government where the medical device clinical trial institution is located, and take risk control measures; where information arises that may affect the safety of the trial subjects, may affect the implementation of the medical device clinical trial, or may change the consent opinion of the ethics committee, the sponsor shall promptly organize the modification of the clinical trial protocol, the informed consent form and other information provided to the trial subjects, and other relevant documents, and submit them to the ethics committee for review; (II) where a wide-ranging serious adverse event relating to the clinical trial medical device, or another major safety problem, occurs, the sponsor shall suspend or terminate the medical device clinical trial, and report to the management departments of all medical device clinical trial institutions, the ethics committee and the principal investigator, report to the drug administration department of the province, autonomous region or municipality directly under the Central Government where the sponsor is located, and report to the drug administration departments and the health administration departments of the provinces, autonomous regions or municipalities directly under the Central Government where all the medical device clinical trial institutions are located. **Article 45.** The sponsor shall bear the responsibility for monitoring the medical device clinical trial, formulate standard operating procedures for monitoring, and select monitors who meet the requirements to perform monitoring duties: (I) the number of monitors and the number of monitoring visits shall match the complexity of the medical device clinical trial and the number of medical device clinical trial institutions participating in the clinical trial; (II) the monitors shall have received corresponding training, be familiar with these Norms and the relevant laws and regulations, possess relevant professional background knowledge, and be familiar with the research materials relating to the investigational medical device and the clinical information of similar products, the clinical trial protocol and its related documents, so as to be able to effectively perform monitoring duties; (III) the monitors shall comply with the standard operating procedures for monitoring formulated by the sponsor and urge the medical device clinical trial to be conducted in accordance with the clinical trial protocol. The contents of monitoring include the compliance of the medical device clinical trial institution and the investigators with the clinical trial protocol, these Norms and the relevant laws and regulations in the course of implementing the clinical trial; the signing of the informed consent form, screening, follow-up, and safeguarding of the rights, interests and safety of the trial subjects; the management and use of the investigational medical device and the control medical device (if applicable); the management and use of biological samples (if applicable); the handling of adverse events and device defects; the reporting of safety information; the recording of clinical trial data and the completion of case report forms; and so on. **Article 46.** To ensure the quality of the clinical trial, the sponsor may organize auditors who are independent of the medical device clinical trial and have corresponding training and experience to audit the implementation of the clinical trial and assess whether the clinical trial complies with the provisions of the clinical trial protocol, these Norms and the relevant laws and regulations. **Article 47.** The sponsor shall ensure that the implementation of the medical device clinical trial complies with the clinical trial protocol; where it discovers that the medical device clinical trial institution and the investigators do not comply with the clinical trial protocol, these Norms and the relevant laws and regulations, it shall promptly point this out and rectify it; where the situation is serious or remains uncorrected, it shall terminate the continued participation of that clinical trial institution and those investigators in the clinical trial, and report in writing to the drug administration department of the province, autonomous region or municipality directly under the Central Government where the clinical trial institution is located. **Article 48.** The sponsor shall, within 10 working days after the suspension, termination or completion of the medical device clinical trial, report in writing to all principal investigators, the management department of the medical device clinical trial institution and the ethics committee. The sponsor shall, within 10 working days after the termination or completion of the medical device clinical trial, report to the drug administration department of the province, autonomous region or municipality directly under the Central Government where the sponsor is located. ## Chapter 6 Clinical Trial Protocol and Trial Report **Article 49.** To conduct a medical device clinical trial, the sponsor shall, based on the trial objective and taking into account the risks, technical characteristics, scope of application and intended use of the investigational medical device, organize the formulation of a scientific and reasonable clinical trial protocol. **Article 50.** The clinical trial protocol generally includes the basic product information, basic clinical trial information, trial objective, risk-benefit analysis, trial design elements, justification of the reasonableness of the trial design, statistical considerations, manner of implementation (methods, content, steps), clinical trial endpoints, data management, provisions for amending the clinical trial protocol, provisions for defining and reporting adverse events and device defects, ethical considerations and other contents. **Article 51.** The sponsor and the principal investigator shall conduct the medical device clinical trial in accordance with the clinical trial protocol and complete the clinical trial report. The clinical trial report shall comprehensively, completely and accurately reflect the results of the clinical trial, and the safety and effectiveness data in the clinical trial report shall be consistent with the source data of the clinical trial. **Article 52.** The clinical trial report generally includes the basic information of the medical device clinical trial, the implementation situation, the statistical analysis methods, the trial results, the reporting of adverse events and device defects and their handling, the analysis and discussion of the trial results, the clinical trial conclusion, the ethical situation, problems and improvement suggestions, and other contents. **Article 53.** The clinical trial protocol and the clinical trial report shall be signed and dated by the principal investigator and, after being reviewed, sealed and signed by the medical device clinical trial institution, delivered to the sponsor. ## Chapter 7 Multicenter Clinical Trials **Article 54.** A multicenter clinical trial refers to a clinical trial conducted at two or more (inclusive) medical device clinical trial institutions in accordance with the same clinical trial protocol. Where a multicenter clinical trial is conducted in different countries or regions, it is a multi-regional clinical trial; a multi-regional medical device clinical trial conducted within the territory of China shall comply with the relevant requirements of these Norms. **Article 55.** A sponsor conducting a multicenter medical device clinical trial shall meet the following requirements: (I) the sponsor shall ensure that all centers participating in the medical device clinical trial are able to comply with the clinical trial protocol; (II) the sponsor shall provide all centers with the same clinical trial protocol. After the ethicality and scientific validity of the clinical trial protocol have been reviewed and approved by the ethics committee of the lead institution, the ethics committees of the other medical device clinical trial institutions participating in the clinical trial shall not, as a general rule, propose modifications to the design of the clinical trial protocol, but shall have the right to disapprove the conduct of the trial at their own medical device clinical trial institution; (III) all centers shall use the same case report form and completion guidelines to record the trial data obtained in the medical device clinical trial; (IV) before the medical device clinical trial begins, there shall be a written document clarifying the duties of the principal investigators at the centers participating in the medical device clinical trial; (V) the sponsor shall ensure communication among the principal investigators at the centers; (VI) the sponsor shall be responsible for selecting and determining the coordinating investigator of the medical device clinical trial; the medical institution at which the coordinating investigator serves shall be the lead institution. The coordinating investigator shall undertake the coordination work among the centers in the multicenter clinical trial. **Article 56.** The multicenter clinical trial report shall be signed and dated by the coordinating investigator and, after being reviewed, sealed and signed by the medical device clinical trial institution of the lead institution, delivered to the sponsor. The clinical trial sub-summary of each sub-center shall be signed and dated by the principal investigator of that center and, after being reviewed, sealed and signed by the medical device clinical trial institution of that center, delivered to the sponsor. The clinical trial sub-summary of a sub-center mainly includes personnel information, information on the investigational medical device and the control medical device (if applicable), an overview of the trial, the case enrollment situation, the implementation of the clinical trial protocol, the summarization and descriptive analysis of the trial data, the quality management situation of the medical device clinical trial, the occurrence and handling of adverse events and device defects, an explanation of protocol deviations, and so on. ## Chapter 8 Recording Requirements **Article 57.** Medical device clinical trial data shall be authentic, accurate, complete and traceable. The source data of a medical device clinical trial shall be clear and identifiable and shall not be arbitrarily changed; where a change is truly necessary, the reason shall be explained, and the change shall be signed and dated. **Article 58.** In a medical device clinical trial, the principal investigator shall ensure that any observations and findings are recorded correctly and completely. In a clinical trial with patients as trial subjects, the relevant medical records shall be entered into the outpatient or inpatient medical records. **Article 59.** The principal investigator shall, in accordance with the guidelines provided by the sponsor, complete and modify the case report forms and ensure that the data in the case report forms are accurate, complete, clear and timely. The data reported in the case report forms shall be consistent with the source documents. Modifications to the data in the case report forms shall ensure that the initial records remain clear and identifiable, retain the modification trail, and be signed and dated by the person making the modification. **Article 60.** Where an electronic data-capture system is used in a medical device clinical trial, the system shall undergo reliable validation, have complete permission management and an audit trail, be traceable to the creator and time of creation or the modifier, time of modification and modification situation of the record, and ensure that the electronic data collected can be traced to their source. **Article 61.** The essential documents of a medical device clinical trial are used to evaluate the implementation by the sponsor, the medical device clinical trial institution and the principal investigator of these Norms and the relevant requirements of the drug administration department. The drug administration department may inspect the essential documents of a medical device clinical trial and use them as the basis for confirming the authenticity of the implementation of the medical device clinical trial and the completeness of the data collected. **Article 62.** The sponsor and the medical device clinical trial institution shall have premises and conditions for the preservation of the essential documents of the clinical trial, and shall establish an essential-document management system. The essential documents of a medical device clinical trial are divided, according to the stage of the clinical trial, into three parts: preparation-stage documents, conduct-stage documents, and post-completion-or-termination documents. **Article 63.** The sponsor and the medical device clinical trial institution shall ensure the integrity of the essential documents of the clinical trial during the preservation period and avoid intentional or unintentional alteration or loss: (I) the investigator shall properly preserve the essential documents of the clinical trial in the course of the medical device clinical trial; (II) the medical device clinical trial institution shall preserve the essential documents of the clinical trial until 10 years after the completion or termination of the medical device clinical trial; (III) the ethics committee shall preserve all records of the ethical review until 10 years after the completion or termination of the medical device clinical trial; (IV) the sponsor shall preserve the essential documents of the clinical trial until such time as the medical device is no longer in use. ## Chapter 9 Supplementary Provisions **Article 64.** The following terms used in these Norms have the meanings set out below: Medical device clinical trial means the process of confirming, at a medical device clinical trial institution that meets the conditions, the safety and effectiveness of a medical device (including in-vitro diagnostic reagents) for which registration is intended to be applied, under normal conditions of use. Medical device clinical trial institution means an institution that possesses the corresponding conditions and conducts medical device clinical trials in accordance with these Norms and the relevant laws and regulations, including non-medical institutions such as blood centers and central blood banks, disease prevention and control institutions at or above the districted-city level, and drug rehabilitation centers that undertake clinical trials of in-vitro diagnostic reagents. Clinical trial protocol means a document explaining the objective, design, methodology and organization and implementation of a medical device clinical trial. The clinical trial protocol includes the protocol and its revised versions. Clinical trial report means a document describing the design, conduct, statistical analysis and results of a medical device clinical trial. Case report form means a document designed in accordance with the provisions of the medical device clinical trial protocol, used to record all the information and data of each trial subject obtained in the course of the trial. Investigator's brochure means a compilation of materials provided by the sponsor to help the principal investigator and the other investigators participating in the clinical trial to better understand and comply with the clinical trial protocol, including but not limited to: basic information about the sponsor, a summary description of the investigational medical device, a summary and evaluation supporting the intended use of the investigational medical device and the rationale for the clinical trial design, possible risks, and recommended preventive and emergency handling methods. Investigational medical device means the medical device, for which registration is intended to be applied, whose safety and effectiveness are confirmed in a medical device clinical trial. Control medical device means a medical device already marketed within the territory of the People's Republic of China that is used as a control in a medical device clinical trial. Ethics committee means an independent committee composed of appropriate personnel, whose duty is to ensure that the rights, interests and safety of the trial subjects participating in a medical device clinical trial are protected. Informed consent means the process whereby, after the various aspects of a medical device clinical trial have been disclosed to a trial subject, the trial subject confirms his or her voluntary participation in the medical device clinical trial, with a written informed consent form signed and dated serving as the documentary evidence. Trial subject means an individual who voluntarily participates in a medical device clinical trial. Impartial witness means an individual who is unrelated to the medical device clinical trial and is not unfairly influenced by personnel related to the clinical trial, who, where a trial subject lacks reading ability, acts as an impartial witness, reads the informed consent form and other information provided to the trial subject, and witnesses the informed consent. Sponsor means the institution or organization that initiates, manages and provides financial support for a medical device clinical trial. Investigator means the personnel who conduct a medical device clinical trial at a medical device clinical trial institution. Principal investigator means the person in charge who conducts a medical device clinical trial at a medical device clinical trial institution. Coordinating investigator means the investigator designated by the sponsor to carry out coordination work in a multicenter clinical trial, generally the principal investigator of the lead institution. Monitoring means the activity whereby the sponsor, in order to ensure that a medical device clinical trial can comply with the clinical trial protocol, these Norms and the relevant laws and regulations, assigns dedicated personnel to evaluate and investigate the medical device clinical trial institution and the investigators, and to verify, record and report the data in the course of the medical device clinical trial. Audit means the systematic and independent examination, organized by the sponsor, of the activities and documents relating to a medical device clinical trial, in order to determine whether the conduct of such activities and the recording, analysis and reporting of data comply with the clinical trial protocol, these Norms and the relevant laws and regulations. Inspection means the supervision and administration activity carried out by the regulatory department with respect to the relevant documents, facilities, records and other aspects of a medical device clinical trial. Deviation means the situation of intentional or unintentional non-compliance with the requirements of a medical device clinical trial protocol. Adverse event means an untoward medical event occurring in the course of a medical device clinical trial, whether or not it is related to the investigational medical device. Serious adverse event means an event occurring in the course of a medical device clinical trial that results in death or serious deterioration of health, including a fatal illness or injury, a permanent defect of body structure or body function, the need for hospitalization or prolongation of hospitalization, or the need to take medical measures to avoid a permanent defect of body structure or body function; or that results in fetal distress, fetal death or congenital anomaly or birth defect. Device defect means an unreasonable risk that a medical device, under normal use, poses in the course of a clinical trial that may endanger human health and life safety, such as labeling errors, quality problems or malfunctions. Source data means all the information in the original records and certified copies thereof of the clinical findings, observations and other activities in a medical device clinical trial, which can be used for the reconstruction and evaluation of the medical device clinical trial. Source document means a printed, visual or electronic document, etc. that contains source data. **Article 65.** Format templates for documents such as the medical device clinical trial protocol shall be separately formulated by the National Medical Products Administration. **Article 66.** These Norms shall come into force on May 1, 2022. --- ## Good Clinical Practice for Drugs (2020 Revision) - Chinese title: 药物临床试验质量管理规范(2020修订) - Abbreviation: Drug GCP - Hierarchy: standard - Issuing body: National Medical Products Administration; National Health Commission - Adopted: 2020-04-23 - Effective: 2020-07-01 - Status: effective - URL: https://datacompliancechina.com/laws/drug-clinical-trial-qms/ - Markdown: https://datacompliancechina.com/laws/drug-clinical-trial-qms.md ### Summary Issued jointly by the NMPA and the National Health Commission (Announcement No. 57 of 2020) and effective July 1, 2020, this revised standard (Drug GCP) is the quality benchmark for the entire process of drug clinical trials — protocol design, organization and implementation, monitoring, audit, recording, analysis, summarization and reporting. It contains detailed requirements for trial-data management and integrity: source data must satisfy attributability, legibility, contemporaneousness, originality, accuracy, completeness, consistency and durability (ALCOA), changes must leave a trail, and electronic data-management/computerized systems must be validated with audit trails, access controls and data backup. The data-compliance touchpoints are extensive: protection of subject privacy and confidentiality of related information, use of a subject identification code in place of names, electronic-data and computerized-system controls, defined direct-access rights for monitors/auditors/the ethics committee/regulators, rules on transfer of data ownership, and long retention of essential documents. ### Full text **Promulgated by:** National Medical Products Administration; National Health Commission. **Announcement No. 57 of 2020 of the National Medical Products Administration and the National Health Commission.** In order to deepen the reform of the drug review and approval system, encourage innovation, and further promote standardized research and the improvement of the quality of drug clinical trials in China, the National Medical Products Administration, together with the National Health Commission, has organized the revision of the Good Clinical Practice for Drugs, which is hereby promulgated and shall come into force on July 1, 2020. This is hereby announced. **Attachment:** Good Clinical Practice for Drugs **National Medical Products Administration; National Health Commission** **April 23, 2020** --- ## Chapter 1 General Provisions **Article 1.** These Norms are formulated in accordance with the Drug Administration Law of the People's Republic of China, the Vaccine Administration Law of the People's Republic of China and the Regulation for the Implementation of the Drug Administration Law of the People's Republic of China in order to ensure that the process of drug clinical trials is well-regulated and that the data and results are scientific, authentic and reliable, and to protect the rights, interests and safety of trial subjects. These Norms apply to drug clinical trials conducted for the purpose of applying for drug registration. The activities relating to drug clinical trials shall comply with these Norms. **Article 2.** The Good Clinical Practice for Drugs is the quality standard for the entire process of drug clinical trials, including protocol design, organization and implementation, monitoring, audit, recording, analysis, summarization and reporting. **Article 3.** Drug clinical trials shall comply with the principles of the Declaration of Helsinki of the World Medical Association and the relevant ethical requirements; the rights, interests and safety of trial subjects are the primary consideration and take precedence over the benefits to science and society. Ethical review and informed consent are important measures for safeguarding the rights and interests of trial subjects. **Article 4.** Drug clinical trials shall have a sufficient scientific basis. A clinical trial shall weigh the anticipated risks and benefits to the trial subjects and to society, and may be conducted or continued only when the anticipated benefits outweigh the risks. **Article 5.** The trial protocol shall be clear, detailed and operable. The trial protocol may be implemented only after the consent of the ethics committee has been obtained. **Article 6.** The investigator shall comply with the trial protocol in the course of the clinical trial; any matter involving a medical judgment or clinical decision shall be made by a clinical physician. The research personnel participating in the implementation of the clinical trial shall have the education, training and experience corresponding to undertaking the clinical trial work. **Article 7.** All paper or electronic materials of a clinical trial shall be properly recorded, handled and preserved, and shall be capable of being accurately reported, interpreted and confirmed. The privacy of trial subjects and the confidentiality of their related information shall be protected. **Article 8.** The preparation of the investigational drug shall comply with the relevant requirements of the good manufacturing practice for drugs used in clinical trials. The use of the investigational drug shall comply with the trial protocol. **Article 9.** The quality management system of a clinical trial shall cover the entire process of the clinical trial, with the focus on protection of the trial subjects, reliability of the trial results, and compliance with the relevant laws and regulations. **Article 10.** The implementation of a clinical trial shall comply with the principle of avoidance of conflicts of interest. ## Chapter 2 Terms and Their Definitions **Article 11.** The following terms used in these Norms have the meanings set out below: (I) Clinical trial means a systematic trial with human beings (patients or healthy subjects) as the object, intended to discover or verify the clinical, pharmacological or other pharmacodynamic effects and adverse reactions of an investigational drug, or the absorption, distribution, metabolism and excretion of the investigational drug, in order to determine the efficacy and safety of the drug. (II) Compliance of a clinical trial means the compliance of the parties participating in the clinical trial with the requirements relating to the clinical trial, these Norms and the relevant laws and regulations. (III) Non-clinical study means biomedical research not conducted on human beings. (IV) Independent data monitoring committee (data and safety monitoring committee, monitoring committee, data monitoring committee) means an independent data monitoring committee established by the sponsor to periodically evaluate the progress of the clinical trial, the safety data and the important efficacy endpoints, and to recommend to the sponsor whether to continue, adjust or stop the trial. (V) Ethics committee means a committee composed of personnel with medical, pharmaceutical and other backgrounds, whose duty is to ensure that the rights, interests and safety of trial subjects are protected by independently reviewing, consenting to and conducting follow-up review of the trial protocol and related documents, the methods and materials used to obtain and record the informed consent of trial subjects, and so on. (VI) Investigator means the person in charge of the trial site who conducts the clinical trial and is responsible for the quality of the clinical trial and the rights, interests and safety of the trial subjects. (VII) Sponsor means the individual, organization or institution responsible for initiating and managing a clinical trial and providing the funding for the clinical trial. (VIII) Contract research organization means a unit that, through a contractual authorization, performs certain duties and tasks of the sponsor or the investigator in a clinical trial. (IX) Trial subject means a person who participates in a clinical trial and serves as a recipient of the investigational drug, including patients and healthy subjects. (X) Vulnerable trial subject means a trial subject whose ability to safeguard his or her own wishes and rights is insufficient or lost, and whose willingness to voluntarily participate in a clinical trial may be unduly influenced by the anticipated benefits of the trial or by the fear of retaliation for refusing to participate. This includes: students and subordinates of the investigator, employees of the sponsor, military personnel, prisoners, patients with incurable diseases, patients in critical condition, persons living in welfare institutions, vagrants, minors, and persons unable to give informed consent. (XI) Informed consent means the process whereby a trial subject, after being informed of the various aspects that may affect his or her decision to participate in a clinical trial, confirms his or her consent to voluntarily participate in the clinical trial. This process shall be documented by a written informed consent form signed and dated. (XII) Impartial witness means an individual who is unrelated to the clinical trial and is not unfairly influenced by personnel related to the clinical trial, who, where a trial subject or his or her guardian lacks reading ability, acts as an impartial witness, reads the informed consent form and other written materials, and witnesses the informed consent. (XIII) Monitoring means the action of supervising the progress of a clinical trial and ensuring that the clinical trial is implemented, recorded and reported in accordance with the trial protocol, the standard operating procedures and the requirements of the relevant laws and regulations. (XIV) Monitoring plan means a document describing the monitoring strategy, methods, duties and requirements. (XV) Monitoring report means a written report submitted by the monitor to the sponsor after each on-site visit or other communication relating to the clinical trial, in accordance with the provisions of the sponsor's standard operating procedures. (XVI) Audit means the systematic and independent examination of the activities and documents relating to a clinical trial, in order to evaluate and determine whether the conduct of the activities relating to the clinical trial and the recording, analysis and reporting of trial data comply with the requirements of the trial protocol, the standard operating procedures and the relevant laws and regulations. (XVII) Audit report means a written evaluation report on the audit results, prepared by an auditor appointed by the sponsor. (XVIII) Inspection means the act of the drug administration department reviewing and inspecting the relevant documents, facilities, records and other aspects of a clinical trial. The inspection may be conducted at the trial site, the location of the sponsor or the contract research organization, and other places that the drug administration department considers necessary. (XIX) Direct access means the direct inspection, analysis, verification or copying, etc. of records and reports important for evaluating a drug clinical trial. Any party with direct access shall, in accordance with the relevant laws and regulations, take reasonable measures to protect the privacy of trial subjects and to avoid disclosing the proprietary information of the sponsor and other information that needs to be kept confidential. (XX) Trial protocol means a document explaining the objective, design, methodology, statistical considerations, and organization and implementation of a clinical trial. The trial protocol shall usually also include the background and rationale of the clinical trial, which content may also be set out in other reference documents. The trial protocol includes the protocol and its revised versions. (XXI) Investigator's brochure means a compilation of the clinical and non-clinical research materials relating to the investigational drug used in conducting a clinical trial. (XXII) Case report form means a paper or electronic document designed in accordance with the requirements of the trial protocol and reported to the sponsor, recording the relevant information of trial subjects. (XXIII) Standard operating procedure means a detailed written requirement formulated to ensure the consistency of a particular operation. (XXIV) Investigational drug means the investigational drug and the control drug used in a clinical trial. (XXV) Control drug means another research drug, marketed drug or placebo used in a clinical trial for comparison and control with the investigational drug. (XXVI) Adverse event means all untoward medical events occurring after a trial subject receives the investigational drug, which may manifest as symptoms and signs, illness or abnormal laboratory test results, but which do not necessarily have a causal relationship with the investigational drug. (XXVII) Serious adverse event means an untoward medical event such as death, life-threatening condition, permanent or serious disability or loss of function, the need for the trial subject to be hospitalized or to have hospitalization prolonged, as well as congenital anomaly or birth defect, occurring after a trial subject receives the investigational drug. (XXVIII) Adverse drug reaction means any harmful or unintended reaction to the human body, possibly related to the investigational drug, occurring in a clinical trial. There is at least one reasonable possibility of a causal relationship between the investigational drug and the adverse event, i.e. the relationship cannot be ruled out. (XXIX) Suspected and unexpected serious adverse reaction means a suspected and unexpected serious adverse reaction the nature and severity of whose clinical manifestation exceed the existing materials and information such as the investigator's brochure of the investigational drug, the package insert of a marketed drug or the summary of product characteristics. (XXX) Subject identification code means a unique code assigned to a trial subject in a clinical trial to identify his or her identity. When reporting the adverse events occurring in a trial subject and other data relating to the trial, the investigator uses this code in place of the trial subject's name to protect his or her privacy. (XXXI) Source document means the original records, documents and data generated in a clinical trial, such as hospital medical records, medical images, laboratory records, memoranda, trial subjects' diaries or evaluation forms, drug dispensing records, data automatically recorded by instruments, microfilm, photographic negatives, magnetic media, X-ray films, trial subject files, and the clinical-trial-related documents and records preserved by the pharmacy, laboratory and medical technology departments, including certified copies. Source documents include source data and may exist in the form of paper, electronic or other carriers. (XXXII) Source data means all the information recorded in the original records or certified copies of a clinical trial, including clinical findings, observation results and other relevant activity records needed for the reconstruction and evaluation of the clinical trial. (XXXIII) Essential documents means documents that, individually or after compilation, can be used to evaluate the implementation process of a clinical trial and the quality of the trial data. (XXXIV) Certified copy means a copy that has been reviewed and verified to confirm that its content, structure and the like are identical to those of the original, which copy is signed and dated by the reviewer, or is directly generated by a validated system, and may exist in the form of paper, electronic or other carriers. (XXXV) Quality assurance means the planned and systematic measures established in a clinical trial to ensure that the implementation of the clinical trial and the generation, recording and reporting of data comply with the trial protocol and the relevant laws and regulations. (XXXVI) Quality control means the techniques and activities implemented within the quality assurance system of a clinical trial to verify whether all the relevant activities of the clinical trial meet the quality requirements. (XXXVII) Trial site means the place where the activities relating to a clinical trial are conducted. (XXXVIII) Blinding means the procedure in a clinical trial whereby one or more parties are kept unaware of the treatment allocation of the trial subjects. Single blinding generally means that the trial subjects are unaware, and double blinding generally means that the trial subjects, the investigator, the monitors and the data analysts are all unaware of the treatment allocation. (XXXIX) Computerized system validation means the process of establishing and documenting that a computerized system, from its design to its discontinuation of use or conversion to another system, is able to meet specific requirements throughout its entire life cycle. The validation protocol shall be formulated on the basis of a risk assessment that takes into account factors such as the intended use of the system and the potential impact of the system on the protection of trial subjects and the reliability of the clinical trial results. (XL) Audit trail means a record that can trace and reconstruct the process of occurrence of an event. ## Chapter 3 Ethics Committee **Article 12.** The duty of the ethics committee is to protect the rights, interests and safety of trial subjects, and it shall pay particular attention to vulnerable trial subjects. (I) The documents that the ethics committee shall review include: the trial protocol and its revised versions; the informed consent form and its updated versions; the manner of and information for recruiting trial subjects; other written materials provided to trial subjects; the investigator's brochure; existing safety materials; documents containing information on subject compensation; documents proving the qualifications of the investigator; and other documents needed for the ethics committee to perform its duties. (II) The ethics committee shall review the scientific validity and ethicality of the clinical trial. (III) The ethics committee shall review the qualifications of the investigator. (IV) In order to better judge whether the rights, interests and safety of the trial subjects as well as basic medical care can be ensured in the clinical trial, the ethics committee may require the provision of materials and information beyond the content of the informed consent form. (V) When a non-therapeutic clinical trial (i.e. a trial with no anticipated direct clinical benefit to the trial subjects) is conducted, where the informed consent of the trial subjects is given on their behalf by their guardians, the ethics committee shall pay particular attention to whether the trial protocol has fully considered the corresponding ethical issues and the laws and regulations. (VI) Where the trial protocol clearly states that, in an emergency, the trial subject or his or her guardian is unable to sign the informed consent form before the trial, the ethics committee shall review whether the trial protocol has fully considered the corresponding ethical issues and the laws and regulations. (VII) The ethics committee shall review whether there is any improper influence, such as coercion or inducement, on trial subjects to participate in the clinical trial. The ethics committee shall review that the informed consent form may not adopt content that causes the trial subject or his or her guardian to waive lawful rights and interests, nor may it contain content that exempts the investigator, the clinical trial institution, the sponsor and its agency from the responsibilities they should bear. (VIII) The ethics committee shall ensure that the informed consent form and other written materials provided to the trial subjects explain the information on compensation to the trial subjects, including the method, amount and plan of compensation. (IX) The ethics committee shall complete the review or filing process of the materials relating to the clinical trial within a reasonable time limit and give a clear written review opinion. The review opinion shall include the name of the clinical trial reviewed, the documents (including version number) and the date. (X) The review opinions of the ethics committee are: approval; approval after necessary modifications; disapproval; termination or suspension of a research already consented to. The review opinion shall state the content required to be modified or the reasons for the denial. (XI) The ethics committee shall pay attention to and clearly require the investigator to promptly report: deviations from or modifications of the trial protocol made in the course of implementing the clinical trial to eliminate immediate hazards to trial subjects; changes that increase the risk to trial subjects or significantly affect the implementation of the clinical trial; all suspected and unexpected serious adverse reactions; and new information that may have an adverse impact on the safety of the trial subjects or the implementation of the clinical trial. (XII) The ethics committee has the right to suspend or terminate a clinical trial that has not been implemented in accordance with the relevant requirements or in which trial subjects have suffered unexpected serious injury. (XIII) The ethics committee shall conduct periodic follow-up review of the clinical trial in progress; the frequency of the review shall be determined according to the degree of risk to the trial subjects, but the review shall be conducted at least once a year. (XIV) The ethics committee shall accept and properly handle the relevant appeals of trial subjects. **Article 13.** The composition and operation of the ethics committee shall meet the following requirements: (I) The member composition and filing administration of the ethics committee shall meet the requirements of the health administration department. (II) The members of the ethics committee shall all receive training in ethical review and be able to review the ethical, scientific and other issues relating to the clinical trial. (III) The ethics committee shall perform its duties in accordance with its systems and standard operating procedures; the review shall have written records, indicating the meeting time and the content discussed. (IV) The voting members of the ethics committee meeting review opinion shall participate in the review and discussion at the meeting, including all categories of members, with a composition of different genders, and shall meet the prescribed number of persons. The meeting review opinion shall be formed into a written document. (V) The members voting or giving review opinions shall be independent of the clinical trial project under review. (VI) The ethics committee shall have detailed information on its members and ensure that its members possess the qualifications for ethical review. (VII) The ethics committee shall require the investigator to provide the various materials needed for the ethical review and answer the questions raised by the ethics committee. (VIII) The ethics committee may, as needed, invite relevant experts other than its members to participate in the review, but they may not participate in voting. **Article 14.** The ethics committee shall establish and implement the following written documents: (I) provisions on the composition, formation and filing of the ethics committee; (II) procedures for the meeting agenda, meeting notice and meeting review of the ethics committee; (III) procedures for the initial review and follow-up review of the ethics committee; (IV) procedures for the expedited review and consent to minor amendments to a trial protocol consented to by the ethics committee; (V) procedures for promptly notifying the investigator of the review opinion; (VI) procedures for the re-review of differing opinions on the ethical review opinion. **Article 15.** The ethics committee shall retain all records of the ethical review, including the written records of the ethical review, member information, submitted documents, meeting minutes and relevant correspondence records. All records shall be retained for at least 5 years after the conclusion of the clinical trial. The investigator, the sponsor or the drug administration department may require the ethics committee to provide its standard operating procedures and the list of ethical review members. ## Chapter 4 Investigators **Article 16.** The qualifications and requirements that the investigator and the clinical trial institution shall possess include: (I) having the practicing qualifications at the clinical trial institution; possessing the professional knowledge, training experience and competence required for the clinical trial; and being able to provide the latest work resume and relevant qualification documents at the request of the sponsor, the ethics committee and the drug administration department. (II) being familiar with the trial protocol, the investigator's brochure and the materials and information relating to the investigational drug provided by the sponsor. (III) being familiar with and complying with these Norms and the laws and regulations relating to the clinical trial. (IV) keeping a duty-division authorization form signed by the investigator. (V) the investigator and the clinical trial institution shall accept the monitoring and audit organized by the sponsor, as well as the inspection by the drug administration department. (VI) where the investigator and the clinical trial institution authorize an individual or unit to undertake duties and functions relating to the clinical trial, they shall ensure that the individual or unit possesses the corresponding qualifications, and shall establish complete procedures to ensure that it performs the duties and functions relating to the clinical trial and generates reliable data. The authorization by the investigator and the clinical trial institution of a unit outside the clinical trial institution to undertake duties and functions relating to the trial shall obtain the consent of the sponsor. **Article 17.** The investigator and the clinical trial institution shall have the necessary conditions for completing the clinical trial: (I) the investigator has the ability to enroll a sufficient number of trial subjects in accordance with the trial protocol within the time limit agreed for the clinical trial. (II) the investigator has sufficient time to implement and complete the clinical trial within the time limit agreed for the clinical trial. (III) the investigator has the authority to mobilize the personnel participating in the clinical trial during the clinical trial period and has the authority to use the medical facilities required for the clinical trial, so as to implement the clinical trial correctly and safely. (IV) the investigator ensures, during the clinical trial period, that all personnel participating in the clinical trial fully understand the trial protocol and the investigational drug, clarifies their respective divisions of work and duties in the trial, and ensures that the clinical trial data are authentic, complete and accurate. (V) the investigator supervises all research personnel in implementing the trial protocol and takes measures to implement the quality management of the clinical trial. (VI) the clinical trial institution shall set up a corresponding internal management department to undertake the management of the clinical trial. **Article 18.** The investigator shall give appropriate medical treatment to the trial subjects: (I) the investigator, being a clinical physician or an authorized clinical physician, shall bear the responsibility for all medical decisions relating to the clinical trial. (II) during the clinical trial and follow-up period, where a trial subject experiences an adverse event related to the trial, including a clinically significant laboratory abnormality, the investigator and the clinical trial institution shall ensure that the trial subject receives proper medical treatment, and shall truthfully inform the trial subject of the relevant circumstances. Where the investigator becomes aware that a trial subject has a concomitant illness requiring treatment, he or she shall inform the trial subject and pay attention to concomitant medication that may interfere with the clinical trial results or the safety of the trial subject. (III) with the consent of the trial subject, the investigator may inform the relevant clinical physician of the trial subject's participation in the trial. (IV) a trial subject may withdraw from the clinical trial without giving a reason. While respecting the personal rights of the trial subject, the investigator shall, as far as possible, ascertain the reasons for the withdrawal. **Article 19.** Communication between the investigator and the ethics committee includes: (I) before the implementation of the clinical trial, the investigator shall obtain the written consent of the ethics committee; trial subjects may not be screened before the written consent of the ethics committee has been obtained. (II) before the implementation of the clinical trial and during the course of the clinical trial, the investigator shall provide the ethics committee with all the documents needed for the ethical review. **Article 20.** The investigator shall comply with the trial protocol. (I) the investigator shall implement the clinical trial in accordance with the trial protocol consented to by the ethics committee. (II) without the consent of the sponsor and the ethics committee, the investigator shall not modify or deviate from the trial protocol, except for changes solely relating to the administrative aspects of the clinical trial, such as those made to promptly eliminate immediate hazards to the trial subjects, or the replacement of a monitor or a telephone number. (III) the investigator or the research personnel designated by him or her shall record and explain any deviation from the trial protocol. (IV) in order to eliminate immediate hazards to the trial subjects, where the investigator modifies or deviates from the trial protocol without obtaining the consent of the ethics committee, he or she shall promptly report to the ethics committee and the sponsor and explain the reasons, and report to the drug administration department where necessary. (V) the investigator shall take measures to avoid the use of concomitant medication prohibited by the trial protocol. **Article 21.** The investigator and the clinical trial institution have management responsibility for the investigational drug provided by the sponsor. (I) the investigator and the clinical trial institution shall assign a qualified pharmacist or other personnel to manage the investigational drug. (II) the management of the receipt, storage, dispensing, recovery, return and disposal of unused investigational drug at the clinical trial institution shall comply with the corresponding provisions and records shall be kept. The records of investigational drug management shall include the date, quantity, batch number/serial number, validity period, allocation code, signature and the like. The investigator shall keep records of the quantity and dosage of the investigational drug used by each trial subject. The quantity used and the remaining quantity of the investigational drug shall be consistent with the quantity provided by the sponsor. (III) the storage of the investigational drug shall comply with the corresponding storage conditions. (IV) the investigator shall ensure that the investigational drug is used in accordance with the trial protocol and shall explain to the trial subjects the correct method of using the investigational drug. (V) the investigator shall randomly take retained samples of the clinical trial drug for bioequivalence trials. The clinical trial institution shall retain the samples at least until 2 years after the drug is marketed. The clinical trial institution may entrust the retained samples to a qualified independent third party for preservation, but shall not return them to the sponsor or a third party with an interest in the sponsor. **Article 22.** The investigator shall comply with the randomization procedures of the clinical trial. A blinded trial shall be unblinded in accordance with the requirements of the trial protocol. Where the blinding is accidentally broken, or where emergency unblinding occurs due to a serious adverse event or other circumstances, the investigator shall provide a written explanation of the reasons to the sponsor. **Article 23.** When implementing informed consent, the investigator shall comply with the ethical principles of the Declaration of Helsinki and meet the following requirements: (I) the investigator shall use the latest version of the informed consent form and other information provided to the trial subjects that has been consented to by the ethics committee. Where necessary, the trial subjects shall sign the informed consent form again during the course of the clinical trial. (II) where the investigator obtains new information that may affect the continued participation of trial subjects in the trial, he or she shall promptly inform the trial subjects or their guardians and make corresponding records. (III) the research personnel shall not use improper means such as coercion or inducement to influence trial subjects to participate in or continue the clinical trial. (IV) the investigator or the designated research personnel shall fully inform the trial subjects of all matters relating to the clinical trial, including the written information and the consent opinion of the ethics committee. (V) the oral and written materials provided to the trial subjects, such as the informed consent form, shall all use plain and easily understandable language and expressions, so that the trial subjects or their guardians or witnesses can easily understand them. (VI) before signing the informed consent form, the investigator or the designated research personnel shall give the trial subjects or their guardians sufficient time and opportunity to understand the detailed circumstances of the clinical trial and shall answer in detail the questions raised by the trial subjects or their guardians relating to the clinical trial. (VII) the trial subject or his or her guardian, as well as the investigator who implements the informed consent, shall respectively sign and date the informed consent form; where it is not signed by the trial subject in person, the relationship shall be noted. (VIII) where the trial subject or his or her guardian lacks reading ability, an impartial witness shall witness the entire informed consent process. The investigator shall explain in detail to the trial subject or his or her guardian or the witness the content of the informed consent form and other written materials. Where the trial subject or his or her guardian orally consents to participate in the trial, the informed consent form shall be signed where possible, and the witness shall also sign and date the informed consent form to prove that the trial subject or his or her guardian received an accurate explanation of the informed consent form and other written materials from the investigator, understood the relevant content, and consented to participate in the clinical trial. (IX) the trial subject or his or her guardian shall obtain the original or a copy of the signed and dated informed consent form and other written materials provided to the trial subject, including the original or a copy of the updated informed consent form and the revised texts of other written materials provided to the trial subject. (X) where a trial subject is a person without civil capacity, the written informed consent of his or her guardian shall be obtained; where a trial subject is a person with limited civil capacity, the written informed consent of the person himself or herself and his or her guardian shall be obtained. Where the guardian gives informed consent on behalf of the trial subject, the relevant information on the clinical trial shall be informed to the trial subject within the scope understandable to the trial subject, and the trial subject shall, as far as possible, sign and date the informed consent form in person. (XI) in an emergency, where the informed consent of the trial subject cannot be obtained before participation in the clinical trial, his or her guardian may give informed consent on behalf of the trial subject; where the guardian is also not present, the manner of enrolling the trial subject shall be clearly stated in the trial protocol and other documents and obtain the written consent of the ethics committee; at the same time, the informed consent of the trial subject or his or her guardian to continue participating in the clinical trial shall be obtained as soon as possible. (XII) where a trial subject participates in a non-therapeutic clinical trial, the trial subject himself or herself shall sign and date the informed consent form to consent. A non-therapeutic clinical trial may have informed consent given by a guardian on behalf of the trial subject only where the following conditions are met: the clinical trial can be implemented only in trial subjects without the capacity for informed consent; the anticipated risk to the trial subjects is low; the negative impact on the health of the trial subjects has been minimized, and the laws and regulations do not prohibit the implementation of such a clinical trial; and the enrollment of such trial subjects has been reviewed and consented to by the ethics committee. In principle, such a clinical trial may be implemented only in patients suffering from the disease or condition to which the investigational drug applies. In the clinical trial, the trial subjects shall be closely observed; where a trial subject shows signs of excessive pain or discomfort, he or she shall be withdrawn from the trial, and necessary treatment shall be given to ensure the safety of the trial subject. (XIII) the specific time and personnel of the trial subject's informed consent shall be recorded in the medical history records. (XIV) where a child is a trial subject, the informed consent of his or her guardian shall be obtained and the informed consent form signed. Where the child is capable of making a decision to consent to participate in the clinical trial, his or her own consent shall also be obtained; where the child trial subject himself or herself does not consent to participate in the clinical trial or decides midway to withdraw from the clinical trial, the decision of the child trial subject himself or herself shall prevail, even if the guardian has consented to participate or is willing to continue participating, except in a therapeutic clinical trial for the treatment of a serious or life-threatening illness, where the investigator and his or her guardian consider that the life of the child trial subject would be endangered if he or she did not participate in the research, in which case the consent of his or her guardian is sufficient for the patient to continue participating in the research. In the course of the clinical trial, where a child trial subject reaches the conditions for signing informed consent, the trial may continue to be implemented only after the person himself or herself has signed the informed consent. **Article 24.** The informed consent form and other materials provided to the trial subjects shall include: (I) an overview of the clinical trial. (II) the trial objective. (III) the trial treatment and the possibility of random allocation to each group. (IV) the trial steps that the trial subject needs to comply with, including invasive medical procedures. (V) the obligations of the trial subject. (VI) the experimental content involved in the clinical trial. (VII) the risks or inconveniences that the trial may cause to the trial subject, especially where there is a risk of affecting the embryo, fetus or breastfeeding infant. (VIII) the anticipated benefits of the trial, as well as the possibility of not obtaining benefits. (IX) other alternative drugs and treatment methods, and their important potential benefits and risks. (X) the compensation and treatment that the trial subject may obtain in the event of injury related to the trial. (XI) the compensation that the trial subject may obtain for participating in the clinical trial. (XII) the anticipated expenses of the trial subject for participating in the clinical trial. (XIII) that the trial subject's participation in the trial is voluntary, that he or she may refuse to participate or has the right to withdraw from the trial at any stage of the trial at any time without being discriminated against or retaliated against, and that his or her medical treatment and rights and interests will not be affected. (XIV) that, without violating the principle of confidentiality and the relevant regulations, the monitor, auditor, ethics committee and the inspection personnel of the drug administration department may consult the trial subject's original medical records in order to verify the process and data of the clinical trial. (XV) the confidentiality of the trial subject's relevant identity identification records, which are not to be used publicly. Where the clinical trial results are published, the trial subject's identity information shall remain confidential. (XVI) that, where there is new information that may affect the continued participation of the trial subject in the trial, the trial subject or his or her guardian will be informed promptly. (XVII) the investigator and the ethics committee whom the trial subject may contact, and their contact information, when there are questions relating to the trial information and the rights and interests of the trial subject, and when injury related to the trial occurs. (XVIII) the circumstances and reasons under which the trial subject may be terminated from the trial. (XIX) the anticipated duration of the trial subject's participation in the trial. (XX) the estimated number of trial subjects participating in the trial. **Article 25.** The recording and reporting of the trial shall meet the following requirements: (I) the investigator shall supervise the data collection at the trial site and the performance of the work duties by each research personnel. (II) the investigator shall ensure that all clinical trial data are obtained from the source documents and trial records of the clinical trial and are accurate, complete, legible and timely. Source data shall be attributable, legible, contemporaneous, original, accurate, complete, consistent and durable. Modifications to source data shall leave a trail, shall not obscure the initial data, and the reasons for the modification shall be recorded. In a clinical trial with patients as trial subjects, the relevant medical records shall be entered into the outpatient or inpatient medical record system. Where the informatized system of the clinical trial institution has the conditions for establishing electronic medical records for the clinical trial, the investigator shall use it as the first choice; the corresponding computerized system shall have complete permission management and an audit trail, be traceable to the creator or modifier of the record, and ensure that the source data collected can be traced to their source. (III) the investigator shall, in accordance with the guidelines provided by the sponsor, complete and modify the case report forms, and ensure that the data in the various case report forms and other reports are accurate, complete, clear and timely. The data in the case report forms shall be consistent with the source documents; where there is any inconsistency, a reasonable explanation shall be given. Modifications to the data in the case report forms shall keep the initial records clear and identifiable, retain the modification trail, explain the reasons where necessary, and be signed and dated by the person making the modification. The sponsor shall have written procedures to ensure that its changes to the case report forms are necessary and recorded and have obtained the consent of the investigator. The investigator shall retain the relevant records of modifications and corrections. (IV) the investigator and the clinical trial institution shall properly preserve the trial documents in accordance with the "essential documents of clinical trials" and the relevant requirements of the drug administration department. (V) in the course of handling the clinical trial information and the trial subject information, care shall be taken to avoid the illegal or unauthorized access to, disclosure, dissemination, modification, destruction or loss of information. The recording, handling and preservation of clinical trial data shall ensure the confidentiality of the records and the trial subject information. (VI) the sponsor shall, in the contract, clarify with the investigator and the clinical trial institution the preservation period and expenses of the essential documents and the handling upon expiry. (VII) at the request of the monitor, auditor, ethics committee or drug administration department, the investigator and the clinical trial institution shall cooperate and provide the required records relating to the trial. **Article 26.** The safety reporting of the investigator shall meet the following requirements: Except for serious adverse events that are provided in the trial protocol or other documents (such as the investigator's brochure) as not needing to be reported immediately, the investigator shall immediately report all serious adverse events in writing to the sponsor, and shall subsequently promptly provide a detailed, written follow-up report. The serious adverse event report and the follow-up report shall indicate the trial subject's identification code in the clinical trial, rather than the trial subject's real name, citizen identity number, address and other identity information. The adverse events and abnormal laboratory values that are provided in the trial protocol and important for safety evaluation shall be reported to the sponsor in accordance with the requirements and time limits of the trial protocol. For a report involving a death event, the investigator shall provide the sponsor and the ethics committee with other required materials, such as the autopsy report and the final medical report. After the investigator receives the relevant safety information of the clinical trial provided by the sponsor, he or she shall promptly sign for and read it, consider whether the treatment of the trial subjects should be adjusted accordingly, communicate with the trial subjects as early as possible where necessary, and shall report to the ethics committee the suspected and unexpected serious adverse reactions provided by the sponsor. **Article 27.** When terminating or suspending a clinical trial early, the investigator shall promptly notify the trial subjects and give the trial subjects appropriate treatment and follow-up. In addition: (I) where the investigator terminates or suspends the clinical trial without consulting the sponsor, the investigator shall immediately report to the clinical trial institution, the sponsor and the ethics committee and provide a detailed written explanation. (II) where the sponsor terminates or suspends the clinical trial, the investigator shall immediately report to the clinical trial institution and the ethics committee and provide a detailed written explanation. (III) where the ethics committee terminates or suspends a clinical trial it has consented to, the investigator shall immediately report to the clinical trial institution and the sponsor and provide a detailed written explanation. **Article 28.** The investigator shall provide trial progress reports. (I) the investigator shall submit an annual report on the clinical trial to the ethics committee, or shall provide a progress report at the request of the ethics committee. (II) where a situation arises that may significantly affect the implementation of the clinical trial or increase the risk to trial subjects, the investigator shall report it in writing to the sponsor, the ethics committee and the clinical trial institution as soon as possible. (III) after the completion of the clinical trial, the investigator shall report to the clinical trial institution; the investigator shall provide the ethics committee with a summary of the clinical trial results and provide the sponsor with the clinical-trial-related reports required by the drug administration department. ## Chapter 5 Sponsors **Article 29.** The sponsor shall take the protection of the rights, interests and safety of the trial subjects and the authenticity and reliability of the clinical trial results as the basic consideration of the clinical trial. **Article 30.** The sponsor shall establish a quality management system for the clinical trial. The sponsor's quality management system for the clinical trial shall cover the entire process of the clinical trial, including the design, implementation, recording, evaluation, reporting of results and document filing of the clinical trial. Quality management includes effective trial protocol design, methods and processes for collecting data, and the collection of information necessary for making decisions in the clinical trial. The methods of quality assurance and quality control of the clinical trial shall be commensurate with the inherent risks of the clinical trial and the importance of the information collected. The sponsor shall ensure the operability of every part of the clinical trial, and the trial process and data collection shall avoid being overly complex. The trial protocol, case report forms and other relevant documents shall be clear, concise and internally consistent. The sponsor shall perform its management duties. According to the needs of the clinical trial, a research and management team for the clinical trial may be established to guide and supervise the implementation of the clinical trial. The internal work of the research and management team shall be communicated promptly. During an inspection by the drug administration department, the research and management team shall send personnel to participate. **Article 31.** The sponsor shall conduct quality management based on risk. (I) when formulating the trial protocol, the key parts and data for protecting the rights, interests and safety of the trial subjects and for ensuring the reliability of the clinical trial results shall be clarified. (II) the risks affecting the key parts and data of the clinical trial shall be identified. Such risks shall be considered at two levels: the system level, such as facilities and equipment, standard operating procedures, computerized systems, personnel and suppliers; and the clinical trial level, such as the investigational drug, the trial design, data collection and recording, and the informed consent process. (III) the risk assessment shall consider the likelihood of errors occurring under the existing risk controls; the impact of such errors on the protection of the rights, interests and safety of the trial subjects and on the reliability of the data; and the extent to which such errors can be detected. (IV) the risks that can be reduced or that are acceptable shall be identified. The control measures for reducing risks shall be reflected in the design and implementation of the trial protocol, the monitoring plan, the contract with the duties of all parties clarified, compliance with the standard operating procedures, and various types of training. When pre-setting the tolerance for quality risk, the medical and statistical characteristics of the variables and the statistical design shall be considered, so as to identify systemic problems affecting the safety of the trial subjects and the reliability of the data. When a situation arises that exceeds the tolerance for quality risk, an assessment shall be made of whether further measures need to be taken. (V) during the clinical trial period, the quality management shall be recorded and promptly communicated with the relevant parties, so as to promote risk assessment and continuous improvement of quality. (VI) the sponsor shall, in combination with the new knowledge and experience during the clinical trial period, periodically assess the risk control measures to ensure the effectiveness and applicability of the current quality management. (VII) the sponsor shall explain in the clinical trial report the quality management methods adopted, and summarize the events that seriously deviate from the tolerance for quality risk and the remedial measures. **Article 32.** The quality assurance and quality control of the sponsor shall meet the following requirements: (I) the sponsor is responsible for formulating, implementing and promptly updating the standard operating procedures relating to the quality assurance and quality control system of the clinical trial, so as to ensure that the implementation of the clinical trial and the generation, recording and reporting of data comply with the requirements of the trial protocol, these Norms and the relevant laws and regulations. (II) the entire process of the clinical trial and the laboratory tests shall be carried out in strict accordance with the standard operating procedures for quality management. Each stage of data handling shall have quality control to ensure that all data are reliable and that the data handling process is correct. (III) the sponsor shall conclude contracts with the investigator, the clinical trial institution and all other relevant units participating in the clinical trial, clarifying the duties of all parties. (IV) the contracts concluded by the sponsor with the relevant units shall indicate that the monitoring and audit of the sponsor and the inspection of the drug administration department may go directly to the trial site to consult the source data, source documents and reports. **Article 33.** Where the sponsor entrusts a contract research organization, the following requirements shall be met: (I) the sponsor may entrust part or all of the work and tasks of its clinical trial to a contract research organization, but the sponsor remains the ultimate responsible party for the quality and reliability of the clinical trial data and shall supervise the various tasks undertaken by the contract research organization. The contract research organization shall implement quality assurance and quality control. (II) the work entrusted by the sponsor to the contract research organization shall be the subject of a contract. The contract shall clarify the following: the specific work entrusted and the corresponding standard operating procedures; the sponsor's right to confirm the implementation of the standard operating procedures for the entrusted work; the written requirements for the entrusted party; the reporting requirements that the entrusted party needs to submit to the sponsor; the matters relating to the measures for compensation for trial subject injury; and other matters relating to the entrusted work. Where the contract research organization subcontracts any task, it shall obtain the written approval of the sponsor. (III) the duties for the work and tasks not expressly entrusted to the contract research organization shall remain the responsibility of the sponsor. (IV) the requirements for the sponsor in these Norms apply to the contract research organization undertaking the relevant work and tasks of the sponsor. **Article 34.** The sponsor shall designate a competent medical expert to promptly provide consultation on the relevant medical issues of the clinical trial. **Article 35.** The sponsor shall select qualified biostatisticians, clinical pharmacologists, clinical physicians and the like to participate in the trial, including designing the trial protocol and case report forms, formulating the statistical analysis plan, analyzing data, and writing the interim and final trial summary reports. **Article 36.** In trial management, data handling and record preservation, the sponsor shall meet the following requirements: (I) the sponsor shall select qualified personnel to supervise the implementation of the clinical trial, data handling, data verification, statistical analysis, and the writing of the trial summary report. (II) the sponsor may establish an independent data monitoring committee to periodically evaluate the progress of the clinical trial, including the safety data and the important efficacy endpoint data. The independent data monitoring committee may recommend to the sponsor whether the clinical trial in progress may be continued, modified or stopped. The independent data monitoring committee shall have a written work process and shall keep all relevant meeting records. (III) the electronic data-management system used by the sponsor shall pass reliable system validation and conform to the pre-set technical performance, so as to ensure the completeness, accuracy and reliability of the trial data and to ensure that the system remains in a validated and effective state throughout the entire trial process. (IV) the electronic data-management system shall have complete standard operating procedures covering the setup, installation and use of the electronic data management; the standard operating procedures shall explain the validation, functional testing, data collection and handling, system maintenance, system security testing, change control, data backup, recovery, system contingency plan and software retirement of the system; the standard operating procedures shall clarify the duties of the sponsor, the investigator and the clinical trial institution when using the computerized system. All personnel using the computerized system shall be trained. (V) the manner of modifying data in the computerized system shall be prescribed in advance, the modification process shall be completely recorded, and the original data (such as the retention of the electronic data audit trail, data trail and editing trail) shall be retained; the integration, content and structure of the electronic data shall be clearly prescribed to ensure the integrity of the electronic data; when a change occurs to the computerized system, such as a software upgrade or data migration, ensuring the integrity of the electronic data is even more important. Where data conversion occurs in the course of data handling, the consistency of the converted data with the original data, and the visibility of the data conversion process, shall be ensured. (VI) the security of the electronic data-management system shall be ensured, and unauthorized personnel shall not be able to access it; a list of the personnel authorized to modify data shall be kept; the electronic data shall be backed up promptly; for a blinded-design clinical trial, the blinded state shall be maintained throughout, including data entry and handling. (VII) the sponsor shall use a subject identification code to identify all clinical trial data of each trial subject. After a blinded trial is unblinded, the sponsor shall promptly inform the investigator in writing of the investigational drug situation of the trial subjects. (VIII) the sponsor shall preserve the clinical trial data relating to the sponsor; some other data obtained by the relevant units participating in the clinical trial shall also be retained in the essential documents of the clinical trial as the specific data of the sponsor. (IX) where the sponsor suspends or terminates early a clinical trial in progress, it shall notify all relevant investigators and clinical trial institutions and the drug administration department. (X) the transfer of ownership of trial data shall comply with the requirements of the relevant laws and regulations. (XI) the sponsor shall inform the investigator and the clinical trial institution in writing of the requirements for the preservation of trial records; when the relevant trial records are no longer needed, the sponsor shall also inform the investigator and the clinical trial institution in writing. **Article 37.** The sponsor's selection of the investigator shall meet the following requirements: (I) the sponsor is responsible for selecting the investigator and the clinical trial institution. The investigators shall all have undergone clinical trial training, have clinical trial experience, and have sufficient medical resources to complete the clinical trial. For a clinical trial in which multiple clinical trial institutions participate, where it is necessary to select a lead institution, the sponsor shall be responsible. (II) the laboratory for sample testing involving medical judgment shall comply with the relevant provisions and possess the corresponding qualifications. The management, testing, transport and storage of the specimens collected in the clinical trial shall ensure quality. Biological-sample testing (such as genetic testing) unrelated to the trial protocol consented to by the ethics committee is prohibited. After the conclusion of the clinical trial, where the remaining specimens are to continue to be preserved or may be used in the future, the trial subject shall sign an informed consent form, explaining the preservation period and the confidentiality of the data, as well as the circumstances under which the data and samples may be shared with other researchers. (III) the sponsor shall provide the investigator and the clinical trial institution with the trial protocol and the latest investigator's brochure, and shall provide the investigator and the clinical trial institution with sufficient time to review the trial protocol and the relevant materials. **Article 38.** Before all parties to the clinical trial participate in the clinical trial, the sponsor shall clarify their duties and indicate them in the concluded contract. **Article 39.** The sponsor shall, by appropriate means, ensure that it can provide compensation or indemnity to the trial subjects and the investigator. (I) the sponsor shall provide the investigator and the clinical trial institution with legal and economic insurance or guarantees relating to the clinical trial, commensurate with the nature and degree of risk of the clinical trial, but this shall not include injury caused by the fault of the investigator and the clinical trial institution themselves. (II) the sponsor shall bear the diagnosis and treatment expenses of the trial subjects for injury or death related to the clinical trial, as well as the corresponding compensation. The sponsor and the investigator shall promptly pay the compensation or indemnity given to the trial subjects. (III) the manner and method by which the sponsor provides compensation to the trial subjects shall comply with the relevant laws and regulations. (IV) the sponsor shall provide the investigational drug to the trial subjects free of charge and pay the medical testing expenses relating to the clinical trial. **Article 40.** The contract concluded by the sponsor with the investigator and the clinical trial institution shall clarify the responsibilities, rights and interests of all parties to the trial, as well as the possible conflicts of interest that all parties shall avoid. The trial funding in the contract shall be reasonable and conform to market rules. The sponsor, the investigator and the clinical trial institution shall sign the contract to confirm it. The contents of the contract shall include: compliance with these Norms and the relevant laws and regulations on the clinical trial in the course of implementing the clinical trial; implementation of the trial protocol determined through consultation between the sponsor and the investigator and consented to by the ethics committee; compliance with the data recording and reporting procedures; agreement to monitoring, audit and inspection; the preservation of and time limit for the essential documents relating to the clinical trial; and the stipulations on publishing articles, intellectual property rights and the like. **Article 41.** Before the clinical trial begins, the sponsor shall submit the relevant clinical trial materials to the drug administration department and obtain the permission for the clinical trial or complete the filing. The submitted document materials shall indicate the version number and version date. **Article 42.** The sponsor shall obtain from the investigator and the clinical trial institution the name and address of the ethics committee, the list of ethics committee members participating in the review of the project, the review statement conforming to these Norms and the relevant laws and regulations, as well as the documents consented to by the ethics committee upon review and other relevant materials. **Article 43.** When formulating the clinical trial protocol, the sponsor shall have sufficient safety and efficacy data to support its route of administration, dosage and duration of continuous medication. When important new information is obtained, the sponsor shall promptly update the investigator's brochure. **Article 44.** The preparation, packaging, labeling and coding of the investigational drug shall meet the following requirements: (I) the preparation of the investigational drug shall comply with the relevant requirements of the good manufacturing practice for drugs used in clinical trials; the packaging label of the investigational drug shall indicate that it is for clinical trial use only, the clinical trial information and the clinical trial drug information; and the blinded state shall be maintained in a blinded trial. (II) the sponsor shall clearly prescribe the storage temperature, transport conditions (whether protection from light is needed), storage time limit, the preparation method and process of the drug solution, and the requirements for the drug infusion device of the investigational drug. The method of use of the investigational drug shall be informed to all personnel relevant to the trial, including the monitor, investigator, pharmacist and drug custodian. (III) the packaging of the investigational drug shall be able to ensure that the drug is not contaminated or deteriorated during transport and storage. (IV) in a blinded trial, the coding system of the investigational drug shall include an emergency unblinding procedure, so that the type of investigational drug can be quickly identified in an emergency medical situation without breaking the blinded state of the clinical trial. **Article 45.** The supply and management of the investigational drug shall meet the following requirements: (I) the sponsor is responsible for providing the investigational drug to the investigator and the clinical trial institution. (II) the sponsor shall not provide the investigational drug to the investigator and the clinical trial institution before the clinical trial has obtained the consent of the ethics committee and the permission or filing of the drug administration department. (III) the sponsor shall provide the investigator and the clinical trial institution with a written instruction on the investigational drug, which shall clarify the use and storage of the investigational drug and the relevant records. The sponsor shall formulate procedures for the supply and management of the investigational drug, including the receipt, storage, dispensing, use and recovery of the investigational drug. The investigational drug recovered from the trial subjects and unused by the research personnel shall be returned to the sponsor, or destroyed by the clinical trial institution upon the authorization of the sponsor. (IV) the sponsor shall ensure that the investigational drug is delivered to the investigator and the clinical trial institution in a timely manner to ensure that the trial subjects can use it promptly; preserve the records of the transport, receipt, dispensing, recovery and destruction of the investigational drug; establish a recovery management system for the investigational drug to ensure the recall of defective products, the recovery after the conclusion of the trial, and the recovery after expiry; and establish a destruction system for unused investigational drug. The entire management process of the investigational drug shall have written records, with accurate counting throughout the entire process. (V) the sponsor shall take measures to ensure the stability of the investigational drug during the trial period. The preservation period of the retained samples of the investigational drug, within the storage time limit of the investigational drug, shall be until the conclusion of the clinical trial data analysis or the time limit required by the relevant regulations, whichever is longer where the two are inconsistent. **Article 46.** The sponsor shall clarify the access rights to the trial records. (I) the sponsor shall, in the trial protocol or contract, clarify that the investigator and the clinical trial institution permit the monitor, auditor, the reviewers of the ethics committee and the inspection personnel of the drug administration department to directly access the source data and source documents relating to the clinical trial. (II) the sponsor shall confirm that each trial subject has consented in writing that the monitor, auditor, the reviewers of the ethics committee and the inspection personnel of the drug administration department may directly access his or her original medical records relating to the clinical trial. **Article 47.** The sponsor is responsible for the safety evaluation of the investigational drug during the drug trial period. The sponsor shall promptly notify the investigator and the clinical trial institution and the drug administration department of the problems discovered in the clinical trial that may affect the safety of the trial subjects, may affect the implementation of the clinical trial, or may change the consent opinion of the ethics committee. **Article 48.** The sponsor shall report adverse drug reactions in accordance with the requirements and time limits. (I) after receiving safety-related information from any source, the sponsor shall immediately analyze and evaluate it, including its seriousness, its relevance to the investigational drug, and whether it is an expected event. The sponsor shall expeditiously report suspected and unexpected serious adverse reactions to all investigators and clinical trial institutions participating in the clinical trial and to the ethics committee; the sponsor shall report suspected and unexpected serious adverse reactions to the drug administration department and the health administration department. (II) the safety update report during the drug development period provided by the sponsor shall include an evaluation of the risks and benefits of the clinical trial, and the relevant information shall be communicated to all investigators and clinical trial institutions participating in the clinical trial and to the ethics committee. **Article 49.** The monitoring of the clinical trial shall meet the following requirements: (I) the purpose of monitoring is to ensure the rights and interests of the trial subjects in the clinical trial, to ensure that the trial records and the reported data are accurate and complete, and to ensure that the trial complies with the consented protocol, these Norms and the relevant regulations. (II) the monitor appointed by the sponsor shall have received corresponding training, possess the medical, pharmaceutical and other knowledge required for clinical trial monitoring, and be able to effectively perform monitoring duties. (III) the sponsor shall establish a systematic, prioritized, risk-assessment-based method for monitoring the implementation of the clinical trial. The scope and nature of the monitoring may be flexible, allowing the adoption of different monitoring methods to improve the efficiency and effectiveness of monitoring. The sponsor shall write the reasons for selecting the monitoring strategy in the monitoring plan. (IV) the sponsor shall formulate a monitoring plan. The monitoring plan shall particularly emphasize protecting the rights and interests of the trial subjects, ensuring the authenticity of the data, and ensuring the response to various risks in the clinical trial. The monitoring plan shall describe the monitoring strategy, the monitoring duties for all parties to the trial, the monitoring methods, and the reasons for applying different monitoring methods. The monitoring plan shall emphasize the monitoring of key data and processes. The monitoring plan shall comply with the relevant laws and regulations. (V) the sponsor shall formulate standard operating procedures for monitoring, and the monitor shall implement the standard operating procedures in the monitoring work. (VI) the sponsor shall implement the monitoring of the clinical trial; the scope and nature of the monitoring depend on the objective, design, complexity, blinding, sample size and clinical trial endpoints of the clinical trial. (VII) on-site monitoring and centralized monitoring shall be combined based on the risks of the clinical trial. On-site monitoring is monitoring conducted at the trial site, generally before, during and after the clinical trial. Centralized monitoring is the timely remote evaluation of the clinical trial in progress, as well as the remote evaluation of the data collected by aggregating data from different clinical trial institutions. The process of centralized monitoring helps to improve the monitoring effect of the clinical trial and is a supplement to on-site monitoring. The application of statistical analysis in centralized monitoring can determine data trends, including the range and consistency of data within and among different clinical trial institutions, and can analyze the characteristics and quality of the data, which helps in selecting monitoring sites and monitoring procedures. (VIII) in special circumstances, the sponsor may combine monitoring with other trial work, such as research personnel training and meetings. During monitoring, the method of statistical sampling survey may be adopted to verify data. **Article 50.** The duties of the monitor include: (I) the monitor shall be familiar with the relevant knowledge of the investigational drug, be familiar with the content of the trial protocol, the informed consent form and other written materials provided to the trial subjects, and be familiar with the standard operating procedures of the clinical trial, these Norms and other relevant regulations. (II) the monitor shall conscientiously perform monitoring duties in accordance with the requirements of the sponsor, ensuring that the clinical trial is correctly implemented and recorded in accordance with the trial protocol. (III) the monitor is the main liaison between the sponsor and the investigator. Before the clinical trial, the monitor confirms that the investigator possesses sufficient qualifications and resources to complete the trial and that the clinical trial institution possesses the appropriate conditions to complete the trial, including staffing and training, complete and well-functioning laboratory equipment, and the conditions for various trial-related examinations. (IV) the monitor shall verify that, in the course of the clinical trial, the investigational drug is within its validity period, the storage conditions are acceptable and the supply is sufficient; that the investigational drug is provided only to suitable trial subjects at the dosage prescribed in the trial protocol; that the trial subjects receive instructions on the correct use, handling, storage and return of the investigational drug; that the clinical trial institution has appropriate controls and records for the receipt, use and return of the investigational drug; and that the clinical trial institution's disposal of the unused investigational drug complies with the relevant laws and regulations and the requirements of the sponsor. (V) the monitor verifies the investigator's implementation of the trial protocol in the course of the clinical trial; confirms that all trial subjects or their guardians signed the informed consent form before the trial; ensures that the investigator receives the latest version of the investigator's brochure, all trial-related documents and trial-essential supplies, and implements them in accordance with the requirements of the relevant laws and regulations; and ensures that the research personnel have a full understanding of the clinical trial. (VI) the monitor verifies that the research personnel perform the duties prescribed in the trial protocol and contract and whether these duties are delegated to unauthorized personnel; confirms that the enrolled trial subjects are eligible and reports the enrollment rate and the progress of the clinical trial; confirms that the recording and reporting of data are correct and complete and that the trial records and documents are updated in real time and well preserved; and verifies that all medical reports, records and documents provided by the investigator are traceable, clear, contemporaneously recorded, original, accurate and complete, and dated and bear the trial number. (VII) the monitor checks the accuracy and completeness of the entries in the case report forms and compares them with the source documents. The monitor shall pay attention to checking that the data prescribed in the trial protocol are accurately recorded in the case report forms and are consistent with the source documents; confirms that the trial subjects' dosage changes, treatment changes, adverse events, concomitant medication, complications, loss to follow-up, missed examinations and the like are all recorded in the case report forms; confirms that the follow-ups not conducted, the trials not implemented and the examinations not done by the investigator, as well as whether corrections were made to errors and omissions, are all recorded in the case report forms; and verifies that the withdrawal and loss to follow-up of the enrolled trial subjects are all recorded and explained in the case report forms. (VIII) the monitor shall notify the investigator of filling-in errors, omissions or illegible handwriting in the case report forms; the monitor shall ensure that the corrections, additions or deletions made are operated by the investigator or an authorized person, and bear the signature and date of the person making the modification, with the reasons for the modification explained where necessary. (IX) the monitor confirms that adverse events have been reported within the prescribed time limit in accordance with the relevant laws and regulations, the trial protocol, the ethics committee and the requirements of the sponsor. (X) the monitor confirms whether the investigator has preserved the essential documents in accordance with these Norms. (XI) the monitor shall promptly communicate with the investigator on situations that deviate from the trial protocol, the standard operating procedures and the requirements of the relevant laws and regulations, and take appropriate measures to prevent recurrence. **Article 51.** After each monitoring, the monitor shall promptly report in writing to the sponsor; the report shall include the monitoring date, location, the name of the monitor, and the names of the investigator and other personnel whom the monitor contacted; the report shall include a summary of the monitoring work, a statement of the problems and facts discovered in the clinical trial, deviations from and deficiencies in the trial protocol, and the monitoring conclusion; the report shall explain the corrective measures already taken or to be adopted for the problems discovered during the monitoring, and the recommendations for ensuring that the trial is implemented in compliance with the trial protocol; and the report shall provide sufficient detail to enable a review of whether it complies with the monitoring plan. The centralized monitoring report may be submitted separately from the on-site monitoring report. The sponsor shall review and follow up on the problems in the monitoring report and form documents for preservation. **Article 52.** The audit of the clinical trial shall meet the following requirements: (I) in order to evaluate the implementation of the clinical trial and compliance with the laws and regulations, the sponsor may carry out an audit in addition to routine monitoring. (II) the sponsor shall select personnel independent of the clinical trial to serve as auditors, who shall not concurrently serve as monitoring personnel. The auditor shall have undergone corresponding training and have audit experience, and be able to effectively perform audit duties. (III) the sponsor shall formulate audit procedures for the clinical trial and the trial quality management system to ensure the implementation of the audit procedures in the clinical trial. These procedures shall set out the audit objective, audit methods, number of audits, and the format and content of the audit report. The problems observed and discovered by the auditor in the course of the audit shall all have written records. (IV) the sponsor shall formulate the audit plan and procedures on the basis of the content of the materials submitted to the drug administration department, the number of trial subjects in the clinical trial, the type and complexity of the clinical trial, the level of risk affecting the trial subjects, and other known relevant problems. (V) the drug administration department may, according to work needs, require the sponsor to provide the audit report. (VI) where necessary, the sponsor shall provide an audit certificate. **Article 53.** The sponsor shall ensure the compliance of the clinical trial. (I) where it is discovered that the personnel of the investigator, the clinical trial institution or the sponsor do not comply with the trial protocol, the standard operating procedures, these Norms or the relevant laws and regulations in the clinical trial, the sponsor shall immediately take measures to correct it, so as to ensure the good compliance of the clinical trial. (II) where an important compliance problem is discovered that may have a significant impact on the safety and rights and interests of the trial subjects, or on the reliability of the clinical trial data, the sponsor shall promptly conduct a root-cause analysis and take appropriate corrective and preventive measures. Where the problem of violating the trial protocol or these Norms is serious, the sponsor may pursue the responsibility of the relevant personnel and report to the drug administration department. (III) where it is discovered that the investigator or the clinical trial institution has a serious or persistent non-compliance problem that cannot be deterred, the sponsor shall terminate the continued participation of that investigator or clinical trial institution in the clinical trial and promptly report in writing to the drug administration department. At the same time, the sponsor and the investigator shall take corresponding emergency safety measures to protect the safety and rights and interests of the trial subjects. **Article 54.** Where the sponsor terminates or suspends a clinical trial early, it shall immediately inform the investigator and the clinical trial institution and the drug administration department and explain the reasons. **Article 55.** Upon the completion or early termination of the clinical trial, the sponsor shall submit the clinical trial report to the drug administration department in accordance with the requirements of the relevant laws and regulations. The clinical trial summary report shall comprehensively, completely and accurately reflect the clinical trial results, and the safety and efficacy data of the clinical trial summary report shall be consistent with the source data of the clinical trial. **Article 56.** Where the sponsor conducts a multicenter trial, the following requirements shall be met: (I) the sponsor shall ensure that all centers participating in the clinical trial are able to comply with the trial protocol. (II) the sponsor shall provide all centers with the same trial protocol. Each center shall, in accordance with the protocol, comply with the same unified evaluation criteria for clinical and laboratory data and the same completion guidelines for the case report forms. (III) all centers shall use the same case report form to record the trial data obtained in the clinical trial. Where the sponsor needs the investigator to collect additional trial data, this content shall be indicated in the trial protocol, and the sponsor shall provide the investigator with additional case report forms. (IV) before the clinical trial begins, there shall be a written document clarifying the duties of the investigators at the centers participating in the clinical trial. (V) the sponsor shall ensure communication among the investigators at the centers. ## Chapter 6 Trial Protocol **Article 57.** The trial protocol usually includes basic information, research background materials, the trial objective, the trial design, the manner of implementation (methods, content, steps) and other contents. **Article 58.** The basic information in the trial protocol generally includes: (I) the title, number, version number and date of the trial protocol. (II) the name and address of the sponsor. (III) the name, position and unit of the personnel authorized by the sponsor to sign and modify the trial protocol. (IV) the name, position, unit address and telephone number of the sponsor's medical expert. (V) the name, professional title and position of the investigator, and the address and telephone number of the clinical trial institution. (VI) the names, addresses of the units and relevant departments participating in the clinical trial. **Article 59.** The research background materials in the trial protocol usually include: (I) the name and introduction of the investigational drug. (II) the findings in the non-clinical and clinical research of the investigational drug that are relevant to the clinical trial and have potential clinical significance. (III) the known and potential risks and benefits to the trial subject population. (IV) a description of the route of administration, dosage, method of administration and duration of treatment of the investigational drug, with reasons stated. (V) emphasis that the clinical trial needs to be implemented in accordance with the trial protocol, these Norms and the relevant laws and regulations. (VI) the target population of the clinical trial. (VII) the research background materials, references and data sources relating to the clinical trial. **Article 60.** The trial protocol shall describe in detail the objective of the clinical trial. **Article 61.** The scientific validity of the clinical trial and the reliability of the trial data mainly depend on the trial design, which usually includes: (I) clarifying the primary endpoints and secondary endpoints of the clinical trial. (II) the reasons for the selection of the control group and a description of the trial design (such as double-blind, placebo-controlled, parallel-group design), with the research design, processes and different stages represented in the form of a flowchart. (III) the measures taken to reduce or control bias, including the methods and processes of randomization and blinding. Where a single-blind or open-label trial is adopted, the reasons and the measures to control bias shall be explained. (IV) the treatment methods, the dosage and administration regimen of the investigational drug; the dosage form, packaging and labeling of the investigational drug. (V) the anticipated duration and specific arrangements of the trial subjects' participation in the clinical trial, including follow-up and the like. (VI) the "trial suspension criteria" and "trial termination criteria" for the trial subjects, part of the clinical trial and the entire clinical trial. (VII) the management process of the investigational drug. (VIII) the procedures for the preservation of the blinding code and for unblinding. (IX) clarifying what trial data may be directly recorded in the case report forms as source data. **Article 62.** The trial protocol usually includes the items of clinical and laboratory examinations. **Article 63.** The selection and withdrawal of trial subjects usually include: (I) the inclusion criteria for trial subjects. (II) the exclusion criteria for trial subjects. (III) the criteria and procedures for trial subjects to withdraw from the clinical trial. **Article 64.** The treatment of trial subjects usually includes: (I) the names, dosages, administration regimens, routes of administration, treatment times and follow-up periods of all investigational drugs used by the trial subjects in each group of the clinical trial. (II) the concomitant medication (including emergency treatment medication) or treatment permitted before and during the clinical trial, and the drugs or treatments prohibited from use. (III) the methods for evaluating the compliance of the trial subjects. **Article 65.** A clear visit and follow-up plan shall be formulated, including the follow-up and medical treatment during the clinical trial period, at the clinical trial endpoint, in the adverse event evaluation, and after the conclusion of the trial. **Article 66.** Efficacy evaluation usually includes: (I) a detailed description of the efficacy indicators of the clinical trial. (II) a detailed description of the evaluation, recording, analysis methods and time points of the efficacy indicators. **Article 67.** Safety evaluation usually includes: (I) a detailed description of the safety indicators of the clinical trial. (II) a detailed description of the evaluation, recording, analysis methods and time points of the safety indicators. (III) the procedures for recording and reporting adverse events and concomitant illnesses. (IV) the manner and period of follow-up of adverse events. **Article 68.** Statistics usually include: (I) determining the trial subject sample size and explaining the reasons based on earlier trial or literature data. (II) the significance level; where there is any adjustment, the consideration shall be explained. (III) explaining the statistical hypotheses of the primary evaluation indicator, including the null hypothesis and the alternative hypothesis, and briefly describing the specific statistical methods and statistical analysis software to be adopted. Where an interim analysis needs to be conducted, the reasons, the analysis time points and the operating procedures shall be explained. (IV) the methods for handling missing data, unused data and illogical data. (V) clarifying the procedures for modifications that deviate from the original statistical analysis plan. (VI) clearly defining the trial subject data sets used for statistical analysis, including all trial subjects who participated in randomization, all trial subjects who took the investigational drug, all trial subjects who met the inclusion criteria, and the trial subjects who can be used for the evaluation of the clinical trial results. **Article 69.** The trial protocol shall include the implementation of quality control and quality assurance of the clinical trial. **Article 70.** The trial protocol usually includes the consideration of the ethical issues relating to the trial. **Article 71.** The trial protocol usually explains the process for the collection and management of trial data, the system used for data management and collection, the steps and tasks of data management, and the quality assurance measures for data management. **Article 72.** If not stipulated in the contract or agreement, the trial protocol usually includes the direct access to source documents, data handling and record preservation, finance and insurance relating to the clinical trial. ## Chapter 7 Investigator's Brochure **Article 73.** The Investigator's Brochure provided by the sponsor is a compilation of the pharmaceutical, non-clinical and clinical materials on the investigational drug, the content of which includes the chemical, pharmaceutical, toxicological, pharmacological and clinical materials and data of the investigational drug. The purpose of the investigator's brochure is to help the investigator and the other personnel participating in the trial to better understand and comply with the trial protocol, and to help the investigator understand the many key basic elements in the trial protocol, including the dosage, frequency of administration, administration interval and mode of administration of the clinical trial, and the observation and monitoring of the primary and secondary efficacy indicators and safety. **Article 74.** Where a marketed drug undergoes a clinical trial and the investigator already fully understands its pharmacological and other relevant knowledge, the investigator's brochure may be simplified. The package insert and other forms may be used to replace part of the content of the investigator's brochure, and only the relevant, important and most recent comprehensive and detailed information on the clinical trial and the investigational drug needs to be provided to the investigator. **Article 75.** The sponsor shall formulate written procedures for the revision of the investigator's brochure. The investigator's brochure shall be reviewed at least once a year during the clinical trial period. The sponsor shall, based on the development steps of the clinical trial and the new information on the safety and efficacy of the relevant drug obtained in the course of the clinical trial, first inform the investigator before the investigator's brochure is updated, and communicate with the ethics committee and the drug administration department where necessary. The sponsor is responsible for updating the investigator's brochure and delivering it to the investigator promptly, and the investigator is responsible for submitting the updated brochure to the ethics committee. **Article 76.** The title page of the investigator's brochure shall state the name of the sponsor, the number or name of the investigational drug, the version number, the release date, the replaced version number and the replacement date. **Article 77.** The investigator's brochure shall include: (I) table of contents entries: confidentiality statement, signature page, table of contents, abstract, foreword, the physical, chemical and pharmaceutical properties and structural formula of the investigational drug, non-clinical research (non-clinical pharmacology, in vivo pharmacokinetics in animals, toxicology), effects in the human body (pharmacokinetics in the human body, safety and efficacy, marketing use situation), data summary and investigator guidance, precautions, and references (published literature and reports, listed at the end of each chapter). (II) abstract: emphasizing the physical, chemical, pharmaceutical, pharmacological, toxicological, pharmacokinetic and clinical information of significant importance in the development of the investigational drug. (III) foreword: briefly explaining the chemical name or approved generic name and the approved trade name of the investigational drug; all active ingredients, the pharmacological classification of the investigational drug and its anticipated position (such as advantages) among similar drugs; the rationale for conducting a clinical trial of the investigational drug; and the proposed use of the investigational drug for the prevention, diagnosis and treatment of disease. The foreword shall explain the conventional methods for evaluating the investigational drug. (IV) the investigator's brochure shall clearly explain the chemical formula and structural formula of the investigational drug and briefly describe its physicochemical and pharmaceutical properties. It shall explain the storage method and method of use of the investigational drug. Where the formulation information of the investigational drug may affect the clinical trial, the excipient ingredients and the reasons for the formulation shall be explained, so as to ensure that the necessary safety measures are taken in the clinical trial. (V) where the investigational drug is structurally similar to other known drugs, this shall be explained. (VI) introduction to non-clinical research: briefly describing the relevant results found in the pharmacological, toxicological and pharmacokinetic research of the non-clinical research of the investigational drug. It shall explain the methodology and research results of these non-clinical studies and discuss the implications of these findings for human clinical treatment, the possible adverse effects on the human body, and the relevance of unexpected effects on the human body. (VII) the investigator's brochure shall provide the information in the non-clinical research: the species of test animals, the number and sex of animals in each group, the dosage unit, the dosage interval, the route of administration, the duration of administration, the systemic distribution data, and the follow-up period after exposure. The research results shall include the characteristics and frequency of the pharmacological and toxic effects of the investigational drug; the severity or intensity of the pharmacological and toxic effects; the time of onset of effect; the reversibility of the pharmacological effect; and the duration of drug action and the dose response. The most important findings in the non-clinical research, such as the dose-effect response, the possible relevance to the human body and the various aspects of possibly implementing human research, shall be discussed. Where the results of the effective dose and the non-toxic dose in the same species of animal can be compared for research, such results may be used for the discussion of the therapeutic index, and the relevance of the research results to the proposed human dose shall be explained. The comparative research shall be based, as far as possible, on blood or organ tissue levels. (VIII) introduction to non-clinical pharmacological research: shall include an abstract of the pharmacological aspects of the investigational drug and, where possible, important metabolism research of the investigational drug in animals. The abstract shall include research evaluating the potential therapeutic activity of the investigational drug (such as efficacy models, receptor binding and specificity), as well as research evaluating the safety of the investigational drug (such as specialized research on pharmacological effects different from the evaluation of therapeutic effects). (IX) introduction to pharmacokinetics in animals: shall include an abstract of the pharmacokinetics, biotransformation and distribution of the investigational drug in the animal species studied. The discussion of the findings shall explain the absorption, local and systemic bioavailability and metabolism of the investigational drug, and their relationship with the pharmacological and toxicological findings of the animal species. (X) introduction to toxicology: the abstract of the toxicological effects found in the relevant research in different animal species shall include single-dose administration, repeated-dose administration, carcinogenicity, special toxicological research (such as irritation and sensitization), reproductive toxicity, genetic toxicity (mutagenicity) and other aspects. (XI) effects in the human body: the known effects of the investigational drug in the human body shall be fully discussed, including pharmacokinetics, pharmacodynamics, dose response, safety, efficacy and information in other pharmacological fields. An abstract of all completed clinical trials of the investigational drug shall be provided as far as possible. The use of the investigational drug other than in clinical trials, such as experience during marketing, shall also be provided. (XII) an abstract of the pharmacokinetic information of the investigational drug in the human body, including pharmacokinetics (absorption and metabolism, plasma protein binding, distribution and elimination); the bioavailability (absolute and relative bioavailability) of a reference dosage form of the investigational drug; population subgroups (such as sex, age and impaired organ function); interactions (such as drug-drug interactions and the effect of food); and other pharmacokinetic data (such as the results of population research completed during the clinical trial period). (XIII) safety and efficacy of the investigational drug: an abstract and discussion of the information on the safety, pharmacodynamics, efficacy and dose response of the investigational drug (including metabolites) obtained from earlier human trials shall be provided. Where multiple clinical trials have been completed, the safety and efficacy data of multiple studies and subgroup populations shall be summarized. Consideration may be given to clearly summarizing, in tabular or other form, the adverse drug reactions of all clinical trials (including all indications studied). The important differences in the types and incidence of adverse drug reactions among indications or subgroups shall be discussed. (XIV) marketing use situation: the main countries and regions where the investigational drug has been marketed or approved shall be explained. The important information obtained from marketing use (such as the formulation, dosage, route of administration and adverse drug reactions) shall be summarized. The main countries and regions where the investigational drug has not been approved for marketing or has been withdrawn from the market shall be explained. (XV) data summary and investigator guidance: a comprehensive analysis and discussion of the non-clinical and clinical data shall be conducted, summarizing the information on different aspects of the investigational drug from various sources, so as to help the investigator anticipate adverse drug reactions or other problems in the clinical trial. (XVI) the investigator's brochure shall enable the investigator to clearly understand the possible risks and adverse reactions of the clinical trial, as well as the special examinations, observation items and preventive measures that may be required; this understanding is based on the physical, chemical, pharmaceutical, pharmacological, toxicological and clinical materials on the investigational drug obtained from the investigator's brochure. Based on the earlier human-use experience and the pharmacology of the investigational drug, the investigator shall also be provided with guidance on the identification and handling measures for possible overdose and adverse drug reactions. (XVII) the content of the investigator's brochure for traditional Chinese medicines and ethnic medicines shall be formulated with reference to the above requirements. It shall also indicate the theoretical basis of the formulation, screening information, compatibility, functions, indications, existing human-use medication experience, the original plant source and place of origin of the medicinal materials and the like; for compound traditional-Chinese-medicine preparations derived from ancient classic famous formulas, their source shall be indicated; and the materials such as the relevant medicinal materials and prescriptions shall be provided. ## Chapter 8 Management of Essential Documents **Article 78.** The essential documents of a clinical trial are documents for evaluating the implementation of the clinical trial and the quality of the data, used to prove that the investigator, the sponsor and the monitor complied with these Norms and the relevant laws and regulations on drug clinical trials in the course of the clinical trial. The essential documents are important content for the sponsor's audit and the drug administration department's inspection of the clinical trial, and serve as the basis for confirming the authenticity of the implementation of the clinical trial and the completeness of the data collected. **Article 79.** The sponsor, the investigator and the clinical trial institution shall confirm that they all have premises and conditions for preserving the essential documents of the clinical trial. The equipment and conditions for preserving the documents shall be able to prevent direct exposure to light, be waterproof and fireproof, and be conducive to the long-term preservation of the documents. Standard operating procedures for document management shall be formulated. The preserved documents shall be easy to identify, search, consult and return to place. The medium used to preserve the clinical trial materials shall ensure that the source data or their certified copies are preserved completely and remain readable during the retention period, and the ability to recover and read them shall be tested or checked periodically, so as to avoid intentional or unintentional alteration or loss. Where some documents generated in the course of the clinical trial are not listed in the management catalogue of essential documents of the clinical trial, the sponsor, the investigator and the clinical trial institution may also, based on necessity and relevance, include them in their respective essential-document archives for preservation. **Article 80.** For a clinical trial used to apply for drug registration, the essential documents shall be preserved at least until 5 years after the investigational drug is approved for marketing; for a clinical trial not used to apply for drug registration, the essential documents shall be preserved at least until 5 years after the termination of the clinical trial. **Article 81.** The sponsor shall ensure that the investigator can at all times consult and, in the course of the trial, enter and correct the data in the case report forms reported to the sponsor, and that such data are not controlled solely by the sponsor. The sponsor shall ensure that the investigator can retain the case report form data that have been submitted to the sponsor. Copies used as source documents shall meet the requirements for certified copies. **Article 82.** At the beginning of the clinical trial, both the investigator and the clinical trial institution and the sponsor shall establish the archive management of the essential documents. At the conclusion of the clinical trial, the monitor shall review and confirm the essential documents of the investigator and the clinical trial institution and the sponsor, and these documents shall be properly preserved in their respective clinical trial archive files. ## Chapter 9 Supplementary Provisions **Article 83.** These Norms shall come into force on July 1, 2020. --- ## Data Security Technology — Personal Information Security Specification (2026 Draft for Comment) - Chinese title: 数据安全技术 个人信息安全规范(征求意见稿) - Abbreviation: GB/T 35273 (2026 draft) - Hierarchy: draft - Issuing body: National Cybersecurity Standardization Technical Committee (TC260); drafting lead: China Electronics Standardization Institute (CESI) - Status: draft - URL: https://datacompliancechina.com/laws/gbt-35273-2026-draft-pi-security-specification/ - Markdown: https://datacompliancechina.com/laws/gbt-35273-2026-draft-pi-security-specification.md - Source URL: https://mp.weixin.qq.com/s/_rWTtpMRTU-SA88NPhQyQQ ### Summary The 2026 draft revision of GB/T 35273 — released by TC260 for public comment on June 17, 2026 (project No. 20260700-T-469; drafting lead CESI) to replace GB/T 35273-2020. It retitles the standard 'Data Security Technology — Personal Information Security Specification', expands normative references from one standard to eight, and recasts China's most-cited personal information benchmark from a consent/notice manual into a full-lifecycle governance framework. Headline additions: a Chapter 5 lawful-basis chapter importing PIPL Art. 13's seven bases with hard per-basis boundaries; a sensitive-PI redefinition aligned to PIPL Art. 28 with an aggregation rule; a 'separate consent' definition; a new eighth 'quality assurance' principle; dedicated AI/generative-AI clauses (6.7, 6.1, 8.4, 8.5.4); unified-account (8.6) and terminal/IoT (6.8) collection clauses; a wholly new Chapter 11 on overseas-jurisdiction determination and conflict handling; and a systematized internal-control chapter (person in charge, records, PIPIA, GB/T 46903 compliance audit). Subject-rights response tightens from 30 days to 15 working days. Comment draft, non-binding and non-final; formal release expected after 2027. ### Full text > *DCC archive.* This is the **public-consultation draft** of the revised > GB/T 35273, released by the **National Cybersecurity Standardization > Technical Committee (TC260)** for public comment on **June 17, 2026** to > replace [GB/T 35273-2020](/laws/gbt-35273-pi-security-specification/). The > archived standard text below is the working-group draft (本草案完成时间 > 2026-06-01); the accompanying drafting explanation is dated 2026-05-20. It > is a **recommended-standard draft — non-binding and non-final**; clause > numbers may change before release (expected after 2027). DCC's structural > read of what changed against the 2020 edition is in the brief > [*From Consent to Governance*](/posts/gbt-35273-2026-revision-from-consent-to-governance/). ## Source documents - **Draft standard (full text, Chinese):** [download PDF ↓](/laws/gbt-35273-2026-draft-pi-security-specification-zh.pdf) - **Drafting explanation (编制说明, Chinese):** [download PDF ↓](/laws/gbt-35273-2026-draft-drafting-explanation-zh.pdf) - **Official consultation post:** [网安标委 / WeChat](https://mp.weixin.qq.com/s/_rWTtpMRTU-SA88NPhQyQQ) A **DCC working English translation** of the full draft follows. The Chinese source text is in the downloadable PDF above. The English is a working translation for overseas counsel, with terminology aligned to DCC's standing glossary and the informative annex tables (A, B, D) reconstructed from the source layout. **Where the translation differs from the source PDF, the Chinese / PDF governs.** ## Provenance and process (from the drafting explanation) The revision was filed with TC260 on **August 22, 2025** (project No. **20260700-T-469**) to support implementation of the **Personal Information Protection Law**, the **Regulation on Network Data Security Management**, and the **Measures for Personal Information Protection Compliance Audits**. CESI leads drafting, joined by Beijing Institute of Technology, the CAC Data and Technology Support Center, and a large industry cohort (Huawei, Honor, ZTE, Ant Group, ByteDance/Douyin, Tencent, Meituan, Kuaishou, Alibaba, DiDi, China Unicom, Ezviz, Vipshop, Alibaba Cloud, Tencent Cloud, and others). It cleared WG8 review and was turned into a consultation draft on **April 1, 2026**, and passed the expert-review meeting on **April 29, 2026** before opening for public comment. ## Main technical changes against GB/T 35273-2020 (official list) The draft's own preface and drafting explanation list the principal changes versus the 2020 edition: | # | Change (official wording) | Clause | |---|---|---| | 1 | Revised **"sensitive personal information"** (修改"敏感个人信息") | 3.2 | | 2 | Added **"separate consent"** (单独同意) | 3.8* | | 3 | Added the **"quality-assurance principle"** (保证质量原则) | 4 | | 4 | Added **"lawful basis for personal information processing"** (个人信息处理合法性基础) | 5 | | 5 | Added **"collection of sensitive personal information"** (敏感个人信息的收集) | 6.6 | | 6 | Added **"collection by AI products or services"** (人工智能类产品或服务的收集) | 6.7 | | 7 | Added **"collection by terminal products or services"** (终端类产品或服务的收集) | 6.8 | | 8 | Added **"use of a unified account system"** (统一账号体系的使用) | 8.6 | | 9 | Added **"overseas legal-jurisdiction determination and conflict handling"** (海外法律管辖判定与冲突处理) | 11 | | 10 | Added **"person in charge of personal information protection"** (个人信息保护负责人) | 13.1 | | 11 | Added **"personal information-protection working body and personnel"** (个人信息保护工作机构与人员) | 13.2 | | 12 | Added **"personal information-protection compliance audit"** (个人信息保护合规审计) | 13.8 | \* The preface and drafting explanation cite "separate consent" at **3.8**, while the draft body places the definition at **3.7** — a cross-reference to be reconciled in the final text. --- ## English translation (DCC) > *DCC working translation of the consultation draft, for overseas counsel. > Not official. Article/clause numbers track the Chinese source; where this > translation and the source PDF differ, the Chinese governs. Informative > annexes are translated in summary table form. Terminology follows DCC's standing Chinese→English glossary: "handler" = personal information handler (个人信息处理者), "PIPIA" = personal information protection impact assessment (个人信息保护影响评估), "person in charge" = person in charge of personal information protection (个人信息保护负责人), and "PI" abbreviates personal information.* ### Foreword This document is drafted in accordance with GB/T 1.1—2020. It replaces GB/T 35273-2020 *Information Security Technology — Personal Information Security Specification*. Compared with GB/T 35273-2020, the principal technical changes are: - revised "sensitive personal information" (see 3.2); - added "separate consent" (see 3.8); - added the "quality-assurance principle" (see 4); - added "lawful basis for personal information processing" (see 5); - added "collection of sensitive personal information" (see 6.6); - added "collection by AI products or services" (see 6.7); - added "collection by terminal products or services" (see 6.8); - added "use of a unified account system" (see 8.6); - added "overseas legal-jurisdiction determination and conflict handling" (see 11); - added "person in charge of personal information protection" (see 13.1); - added "personal information-protection working body and personnel" (see 13.2); - added "personal information-protection compliance audit" (see 13.8). This document is proposed by and under the centralized management of the National Cybersecurity Standardization Technical Committee (SAC/TC260). Drafting lead: China Electronics Standardization Institute (CESI), with a large group of co-drafting universities, research bodies and enterprises. ### Introduction In recent years, with the wide application of new technologies, personal- information processing has become multi-scenario, multi-business, complex in its chains and frequent in cross-border interaction, and personal information protection faces new risks. Global data-governance rules are tightening, outbound-data demand keeps growing, and problems of illegal collection, misuse and leakage are more acute — posing potential threats to individuals' lawful rights, the public interest and even national security. Pursuant to the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law and the Regulation on Network Data Security Management, this standard focuses on the full personal information lifecycle, refines processing rules, details security requirements and strengthens handler accountability. Where laws or regulations provide otherwise for a requirement in this standard, those provisions are to be followed. ### 1 Scope This document specifies the principles and security requirements to be followed in carrying out personal information processing activities — collection, storage, use, processing, transmission, provision, public disclosure, deletion and the like. It applies to regulating the personal- information processing activities of organizations of all kinds, and also to the supervision, management and assessment of such activities by competent authorities, third-party assessment institutions and others. ### 2 Normative references The following documents are indispensable to the application of this document through normative reference. Dated references: only the cited version applies; undated references: the latest version (including all amendments) applies. - GB/T 25069—2022 Information security technology — Terminology - GB/T 39335—2020 Information security technology — Guidance for personal information security impact assessment - GB/T 37988—2019 Information security technology — Data security capability maturity model - GB/T 42574—2024 Information security technology — Implementation guide for notification and consent in personal information processing - GB/T 45574—2025 Data security technology — Security requirements for processing sensitive personal information - GB 46864—2025 Data security technology — Technical requirements for information erasure of electronic products - GB/T 46903—2025 Data security technology — Requirements for personal information protection compliance audit - GB/T AAAA—AAAA Data security technology — Personal information protection requirements for products and services for minors (forthcoming) - GB/T AAAA—AAAA Data security technology — Security guide for data provision, entrusted processing and joint processing (forthcoming) ### 3 Terms and definitions The terms defined in GB/T 25069—2022 and the following apply. **3.1 personal information** — various information, recorded electronically or otherwise, relating to an identified or identifiable natural person, excluding information that has been anonymized. NOTE 1: includes name, date of birth, ID-document number, biometric information, address, contact details, communication records and content, account passwords, property information, credit information, whereabouts, accommodation, health/physiological information, transaction information, etc. NOTE 2: see Annex A for determination methods and types. NOTE 3: information formed by a handler's processing of personal or other information (e.g., a user profile or feature label) that, alone or combined with other information, can identify a specific natural person or reflect their activities, is personal information. **3.2 sensitive personal information** — personal information that, once leaked or unlawfully used, is liable to harm the dignity of a natural person or endanger personal or property safety. NOTE 1: includes biometric, religious-belief, specific-identity, medical- health, financial-account, and whereabouts information, and the personal information of minors under 14. NOTE 2: see Annex B and GB/T 45574-2025 for identification. NOTE 3: where multiple items of personal information, once aggregated, meet the definition, the aggregated personal information as a whole shall be identified and protected as sensitive personal information. **3.3 personal information subject** — the natural person identified by or associated with the personal information. **3.4 personal information handler** (the draft's own English gloss is "personal information processor") — an organization or individual that independently determines the purpose and means of processing in personal information processing activities. NOTE 1: a natural person processing personal information for personal or household affairs need not bear a handler's statutory obligations. NOTE 2: an individual processing on behalf of an organization is not a handler. NOTE 3: the handler is determined per specific processing activity; a provider may be a handler for some activities and an entrusted party for others. NOTE 4: roles may be fixed by agreement or effective rules; absent contrary evidence, those may determine each party's characterization. **3.5 collect** — the act of obtaining control over personal information, including direct collection (provided by the subject, or via interaction with or recording of the subject's behavior) and indirect acquisition (receiving provision/transfer from other handlers, or gathering already-public information). **3.6 consent** — a voluntary, clear authorizing act by the subject regarding their personal information. NOTE 1: includes authorization by an affirmative act (explicit consent) or inferred from a voluntary act. NOTE 2: explicit consent — an affirmative authorizing act in writing, orally, etc. (actively ticking or clicking "agree" / "register" / "send" / "dial", actively filling in or providing, etc.). NOTE 3: inferred authorization — e.g., a subject who, after being notified of collection within a collection area, does not leave the area. **3.7 separate consent** — an act by which an individual specifically gives concrete, explicit authorization for a particular processing of their personal information; it does not include a one-time consent given for multiple purposes or means of processing. NOTE: the notice content and the manner of obtaining separate consent must be distinguished from other processing activities. **3.8 user profiling** — the process of analyzing or predicting a specific natural person's characteristics (occupation, finances, health, education, preferences, credit, behavior, etc.) by collecting, aggregating and analyzing personal information, forming a feature model of that person. NOTE: using a specific person's own information to form their model is "direct profiling"; using information from outside that person (e.g., their group's data) is "indirect profiling." **3.9 personal information protection impact assessment (PIPIA)** — the process of examining whether a processing activity is lawful and compliant, analyzing the harm to the subject's lawful rights and the corresponding security risks, and evaluating the effectiveness of protection measures. **3.10 delete** — to remove personal information from all storage systems so that it cannot be retrieved, accessed or recovered. **3.11 publicize** — releasing information to society or an unspecified group. NOTE: where information is released to an unspecified number of individuals on a social-media platform — even with visibility limits — if actual or potential recipients are numerous and beyond the publisher's control, the public- disclosure attribute should be assessed by reference to this definition. **3.12 transfer (of control)** — the transfer of control over personal information from one handler to another. **3.13 providing** — a handler providing personal information to another handler, each holding independent control. NOTE: entrusting a third party to process is not "providing to another handler." **3.14 anonymization** — the process by which personal information is processed so that a specific natural person cannot be identified and cannot be restored. **3.15 de-identification** — the process by which personal information is processed so that a specific natural person cannot be identified without additional information. NOTE: de-identification is on an individual basis, retaining individual granularity, using pseudonyms, encryption, hashing, etc. **3.16 personalized display** — displaying content, search results for goods or services, etc., to a subject based on their browsing history, interests, consumption records and habits. **3.17 business function** — a function meeting a subject's specific use purpose (e.g., map navigation, ride-hailing, instant messaging, social, online payment, news, online shopping, delivery, ticketing). **3.18 device information** — information describing a device's basic attributes, unique identifiers and operating status, including hardware parameters, serial numbers and unique device identifiers written at the manufacturing stage. **3.19 unified account** — a unified account system provided across different non-equity-affiliated entities within the same group, allowing a user to access all associated products with one account. EXAMPLE: companies A, B and C (no equity ties) under the same group run different products; one account logs into and uses all of them. **3.20 entrusted processing** — processing carried out by an individual or organization entrusted by a handler, per agreed purpose and means. ### 4 Basic principles of personal information security A handler shall observe the principles of lawfulness, legitimacy, necessity and good faith, specifically: - **a) Accountability** — adopt technical and other necessary measures to safeguard security, and bear responsibility for harm to subjects' lawful rights. - **b) Purpose specification** — have an explicit, clear and specific purpose. - **c) Authorization and consent** — disclose to the subject the purpose, means, scope and rules, and obtain consent or another lawful basis before processing. - **d) Minimum necessary** — have a reasonable purpose directly related to it, using the least rights-intrusive means; save where law provides otherwise, the retention period shall be the shortest necessary to achieve the purpose. - **e) Openness and transparency** — disclose the scope, purpose and rules clearly and reasonably, and accept external supervision. - **f) Quality assurance** — through reminders, validation and verification, ensure the authenticity and accuracy of collected information; on discovering an error, promptly notify the subject and provide a correction channel; avoid decision bias or rights harm caused by inaccuracy. - **g) Security safeguards** — have security capability matching the risks faced, and take sufficient management and technical measures to protect confidentiality, integrity and availability. - **h) Rights protection** — provide methods to query, correct and delete personal information, and to withdraw consent, cancel an account and complain. ### 5 Lawful basis and compliance requirements for processing #### 5.1 General requirements A handler shall: - a) before processing begins, identify and record the lawful basis, forming a verifiable, traceable, auditable evidence chain; once fixed, the basis shall not be changed at will for the purpose of evading obligations; - b) ensure the basis follows lawfulness, legitimacy, necessity and minimum- impact; where several bases are available, choose the one less intrusive on the individual's rights, and keep it consistent with the notice; - c) keep the basis consistent with the notice, the processing-activity record, the PIPIA and the compliance audit, and update them in sync on a material change of purpose, scope or circumstances; - d) properly record the basis, including at least the applicable basis, an applicability explanation, the approval process and records, timestamps and evidence. NOTE: evidence typically includes contract clauses, statutory article numbers, system-configuration screenshots, etc. #### 5.2 Obtaining the individual's consent - a) collecting sensitive personal information requires the subject's separate consent; - b) collecting the personal information of a minor under 14 requires the separate consent of a parent/guardian; - c) where law requires written consent, obtain written consent; - d) notify the subject of the applicable processing rules before obtaining consent; - e) consent must rest on clear notice and an explicit affirmative act; default, passive or continued-use-coerced consent is not valid consent (implement per GB/T 42574-2023, 9.1–9.4); - f) provide a convenient way to withdraw; withdrawal does not affect processing already carried out before withdrawal; after withdrawal, promptly stop processing for that purpose except storage and necessary safeguards; NOTE: if the information was provided to a third party, the provision must cease immediately upon withdrawal. - g) retain evidence of consent (content, time, means, carrier, evidence and withdrawal trace) per GB/T 42574-2023, 9.7; - h) where guardian consent is legally required (minors under 14, persons with no/limited capacity), obtain it lawfully and keep records. #### 5.3 Necessary for concluding/performing a contract - a) applies only to realizing the contract's core purpose, or to pre-contract measures necessary at the individual's request or for objective reasons such as compliance with applicable law; - b) shall not bring in activities with no direct connection to the core purpose — including personalized advertising for marketing, behavioral analysis beyond contractual necessity, and profiling not needed to perform the contract; risk assessment or quality improvement claimed as contractually necessary must be shown to be directly connected to the purpose; - c) assess the connection and substitutability between the processing and core contractual obligations; - d) annotate, in the processing record, the correspondence between contract/ offer elements and personal information fields; - e) where a contract change alters the purpose or scope, re-assess the lawful basis before the change takes effect. #### 5.4 Necessary for human-resource management under a labor contract Where HR management is carried out under lawfully formulated labor rules and a lawfully concluded collective contract: - a) limited to processing necessary for employment, HR management, labor- discipline, pay/benefits, performance appraisal and labor-dispute handling; - b) base it on lawfully formulated labor rules / collective or labor contract, noting the basis in the processing record; - c) shall not bring in marketing, employee profiling or behavior monitoring unrelated to labor management; - d) where it involves sensitive PI, automated decision-making, disclosure, external provision or outbound transfer, the corresponding chapters also apply. #### 5.5 Necessary to perform a statutory duty or obligation - a) applies only where an explicit law, administrative regulation or legally effective normative document requires it and points to a specific obligation; - b) limited to the minimum scope necessary, and not for unrelated purposes; - c) note the explicit legal basis in the record; - d) if information collected for legal compliance is used for another purpose, re-assess the lawful basis for that purpose. #### 5.6 Necessary to protect life, health and property in a public-health or emergency situation - a) applies only in sudden, urgent scenarios to protect life, health or major property safety; - b) processing required by a public-health authority for disease monitoring, reporting and intervention may proceed without authorization; - c) assess urgency and irreplaceability, and retain the authorization/decision chain. #### 5.7 News reporting, public-opinion supervision and the like for the public interest - a) only for news reporting, public-opinion supervision or other public- interest expression; - b) shall not, in the name of "public interest," carry out processing unrelated to the reporting purpose, excessive or insulting, and in particular shall not re-victimize minors, victims and other vulnerable groups; - c) conduct a PIPIA weighing the public/newsworthy nature, impact on rights, means and scope, and substitutability, and apply de-identification and data minimization to balance public interest and rights; - d) establish a review mechanism for the processing involved and the content to be disclosed, keeping editorial and legal-review records; - e) promptly correct/update factually wrong, out-of-context or time-expired information. #### 5.8 Processing, within a reasonable scope, personal information that an individual has disclosed or that is otherwise lawfully public - a) confirm a lawful basis for the source's disclosure; - b) use it for the original purpose of disclosure; do not use already-public information for profiling, marketing or other purposes; - c) process only the public information necessary for the purpose; do not circumvent technical limits to scrape or aggregate; - d) do not lower protection for public sensitive PI merely because it is public; - e) maintain an inventory of processed public information (source, time of acquisition, basis of disclosure, restrictions, purpose/scope, necessity assessment, de-identification measures); - f) before bulk scraping/aggregation, conduct a PIPIA, take reasonable measures and set up a rights-response channel. #### 5.9 Other circumstances provided by law or administrative regulation - a) applies only where an explicit law/administrative regulation provides for the specific purpose, scope and conditions; - b) shall not self-expand under "other circumstances," nor substitute internal rules or industry self-discipline for a legal basis; - c) record the legal basis's name, article, applicable scenario and hierarchy; - d) periodically review external-norm changes and, where needed, re-assess and re-notify. ### 6 Collection of personal information #### 6.1 Minimum necessary - a) the type, fields, timing, granularity and scope collected shall be directly related to realizing the product/service's business function, using the least rights-intrusive means; extended functions must show a reasonable connection to basic functions. NOTE 1: if only a particular type/field/scenario/granularity is needed, do not collect more; if only specified users or a specific scope is needed, do not collect from all users by default. NOTE 2: "directly related" means the basic/extended function cannot be realized without that information. - b) the frequency of automatic collection shall be the lowest necessary; - c) the quantity of indirect acquisition shall be the least necessary; - d) information collected for AI data pre-processing or model training shall be limited to the minimum necessary, with effective security techniques to reduce leakage; - e) an AI product/service should set up input-side reminders and a filter mechanism to achieve minimum collection and block non-essential sensitive PI; NOTE 3: on detecting a user entering sensitive PI, a prompt such as "mind the privacy risk; enter sensitive personal information with care" may be shown. - f) an AI product/service shall not collect, in advance, information beyond what its function needs; it shall notify and request permissions when the user first enables the function; - g) handlers should prefer privacy-enhancing technologies for minimization and, where used, inform the subject of the principle and impact; - h) periodically assess the necessity of collection, re-validating on changes to business, technology or law. #### 6.2 Autonomous choice Where a product/service offers multiple PI-collecting functions, a handler shall not coerce the subject into accepting them. Requirements: - a) shall not bundle functions to force one-time acceptance of collection for functions the subject did not request; NOTE 1: for continuously-running tasks (e.g., an automated AI assistant), after a PIPIA and full notice, collection and permissions may be notified and consented once before the task begins. - b) treat the subject's affirmative act (clicking, ticking, filling in) as the trigger to enable a specific function, collecting only after the subject enables it; NOTE 2: see Annex C for implementation. - c) closing/exiting a function shall be as convenient as enabling it; on exit, stop that function's collection; - d) do not frequently re-seek consent where the subject declines or exits a function; - e) declining/exiting one function shall not suspend or degrade other functions the subject chose; - f) shall not, on grounds of service improvement, experience, R&D or security, compel consent to collection; - g) where an extended function uses AI, allow the subject to turn the AI feature off. #### 6.3 Notice and consent - a) on collection, inform the subject of the handler's name and contact, the purpose and means, the categories and retention period, and the ways and procedures to exercise rights, and obtain consent; NOTE 1: a single-function product may notify via the processing rules; a multi-function product should, in addition, notify purpose/means/scope when it actually begins to collect a particular item. NOTE 2: implement per GB/T 42574-2023, Clauses 8 and 9. - a') where on-site collection by automated devices occurs without prior consent, use devices with conspicuous form, or voice prompts, signage, indicator lights, etc., so the subject is aware; - b) biometric-capable devices shall limit the recognition scope to the use scenario, recognizing only authorized users within limits; - c) before collecting sensitive PI, obtain separate consent, fully informed, specific and clear; - d) before collecting a minor's PI: aged 14+, consent of the minor or guardian; under 14, separate consent of a parent/guardian; - e) for indirect acquisition: 1) for public-channel collection, follow the provider's public-information rules; 2) when buying third-party services, require by contract that the provider be responsible for the source's lawfulness and for the lawfulness of onward provision; the handler is responsible only for the lawfulness of post- receipt use; 3) confirm with the provider the lawfulness of the source and of provision; 4) the provider should pass a third-party legal-compliance assessment or self-assessment before providing. #### 6.4 Processing rules - a) formulate processing rules including at least: (1) the handler's basic details and valid contact; (2) the collecting/using functions and, per function, the purpose, means and categories, permissions called and their frequency, the necessity and impact of sensitive PI (clearly marked/ highlighted); (3) means of collection, retention period, outbound-transfer status; (4) the purpose, categories, third-party types and respective responsibilities for external provision/transfer/disclosure; (5) for embedded SDKs, a structured list of third-party services/SDK name (package), version, main function, operator, categories collected, and a link to the SDK's PI rules; (6) the subject's rights and mechanisms (query, correct, delete, cancel account, withdraw consent, obtain a copy, complain about automated decisions); (7) security risks of providing, and effects of not providing; (8) the principles followed, security capability and protection measures, with compliance proof where appropriate; (9) channels for inquiries/complaints and external dispute resolution. - b) the rules shall be true, accurate and complete; - c) clear, plain and standardized, avoiding ambiguity; - d) published and easily accessible (e.g., prominent links on the homepage, app install page, interface); - e) delivered to each subject; where cost is excessive or there is significant difficulty, may be published by announcement; NOTE 1: a consumer internet app should, on first launch, notify collection/use rules prominently (e.g., pop-up) and obtain the user's clear agreement. - f) update promptly and re-notify when items in (a) change; NOTE 2–5: omitted (naming, cross-references to GB/T 44588-2024, multi-product consistency). - g) a smart terminal's rules shall be conveniently queryable online or via the manual; - h) keep historical versions of the rules available. #### 6.5 Exceptions to consent Where another lawful basis under 5.3–5.8 exists, a handler need not obtain the subject's consent to collect. #### 6.6 Collection of sensitive personal information Before collecting sensitive PI, in addition to the above, comply with the sensitive-PI collection requirements in GB/T 45574-2025, Clauses 5 and 6. #### 6.7 Collection by AI products or services - a) where an AI product/service offers deep-synthesis features that edit biometrics such as face/voice, prominently prompt the subject and obtain separate consent; - b) where it uses PI for pre-training/optimization training, prominently notify the purpose, means and scope of impact and obtain consent; where law requires separate consent, obtain it; refusal shall not affect the basic function's normal use; provide a way to withdraw consent; - c) where it calls other services: 1) same provider: consent may be obtained directly via the AI interface; 2) third-party provider: determine the processing relationship and each party's liability by scenario (see the forthcoming "Security guide for data provision, entrusted processing and joint processing"); the other-service handler shall obtain the subject's consent when first providing. #### 6.8 Collection by terminal products or services - a) for products with no/limited UI (smart cameras, locks, speakers, watches, bands, etc.): if there is a companion app/web page, present the processing rules prominently (e.g., pop-up) before first use and guide the user to read; if not, present them offline via the user manual; - b) set prominent signage in public areas with image-collection devices, informing subjects that video/image collection is underway; - c) where, in using a smart terminal, non-essential PI is collected or consent is not obtained, promptly delete or anonymize it. ### 7 Storage of personal information #### 7.1 Minimizing storage time - a) the retention period shall be the shortest necessary; dynamically assess and adjust it on changes to purpose, business need or law; on achievement or impossibility of the purpose, promptly delete or anonymize; - b) beyond the 7.1(a) period, delete or anonymize; - c) electronic products storing PI shall support cyclic overwrite, formatting and controlled deletion, meeting GB 46864-2025. #### 7.2 De-identification After collection, before statistics, academic research, disclosure or use beyond the original purpose, de-identify in time to reduce direct/indirect re- identification risk: - a) establish a standard process (set the target, identify identifiers, choose techniques, implement, validate); - b) choose appropriate techniques by data type, scenario and security need; - c) weigh impact on usability/analytical value and resistance to attack; - d) systematically evaluate the result against the de-identification target; - e) judge whether re-identification risk is acceptable; if it exceeds the threshold, re-select/combine techniques and re-evaluate until acceptable; document the process and result; - f) store recovery information (keys, mapping tables) separately from de- identified data, with strict, minimum-necessary access control and full logging/audit; - g) keep complete records (datasets, techniques and parameters, time, operator, evaluation report, changes); - h) periodically internally audit effectiveness and rectify findings, retaining records. #### 7.3 Transmission and storage of sensitive personal information On the basis of GB/T 45574-2025, 5.5: - a) use encryption and other security measures when transmitting/storing sensitive PI; - b) when storing biometrics, secure them first — e.g., store the raw biometric and its digest separately, or collect/store/use only the digest. #### 7.4 Cessation of operations On ceasing a product/service: a) stop further collection; b) notify subjects individually or by announcement; c) delete or anonymize the PI held; d) follow law where it provides otherwise. ### 8 Use of personal information #### 8.1 Purpose limitation - a) do not use PI beyond a scope directly or reasonably related to the stated collection purpose; where business genuinely requires going beyond the original purpose/means/scope, re-establish a lawful basis and re-notify; where consent is the basis, re-obtain consent (separate/written where law requires); - b) information produced by processing that, alone or combined, identifies a person or reflects their activities, is personal information, and its processing follows the consent obtained at collection. NOTE: if such produced information is sensitive PI, comply with GB/T 45574. #### 8.2 Access controls - a) least-privilege access — staff access only the minimum PI and operations their duties require; - b) internal approval for important operations (bulk modify/copy/download); - c) separation of roles (security manager, data operator, auditor); - d) over-privilege access for genuine work needs requires approval by the person in charge or working body and recording; - e) for sensitive-PI access/modification, trigger operation authorization by workflow (e.g., a complaint handler may access only on receiving a complaint). #### 8.3 Display restrictions Where PI is displayed via an interface, de-identify to reduce leakage: - a) public display — show only the minimum fields; de-identify direct identifiers (name, ID number, phone); - b) display to the subject — de-identify sensitive PI; show the full record only after the subject chooses; by default disable screenshot/screen-recording and copy/print of sensitive data; - c) internal display — apply de-identification per scenario and PIPIA result. #### 8.4 Aggregation/fusion of PI collected for different purposes - a) comply with 8.1; - b) conduct a PIPIA per the post-aggregation purpose and take effective measures; - c) before aggregating self-disclosed or lawfully-public PI for model training, review the source and content, assess risk and de-identify; - d) de-identify directly-identifying PI; - e) establish a model-output review mechanism to reduce the model outputting — or being induced to output — real, identifiable PI. #### 8.5 Automated decision-making and AI ##### 8.5.1 Limits on user profiling - a) feature descriptions shall not: 1) contain obscene, pornographic, gambling, superstitious, terrorist or violent content; 2) express discrimination by ethnicity, race, religion, disability or disease; - b) in operations or external cooperation, profiling shall not: 1) infringe the lawful rights of citizens, legal persons or others; 2) endanger national security/honor/interests, incite subversion or secession, promote terrorism/ extremism/ethnic hatred, spread violent or pornographic information, or fabricate/spread false information disrupting economic and social order; - c) except as necessary for the consented purpose, eliminate explicit identity- pointing to avoid precise targeting (e.g., direct profiling for credit evaluation, but indirect profiling for advertising). ##### 8.5.2 Personalized display - a) where used, clearly distinguish personalized from non-personalized content; NOTE 1: e.g., label it "推荐/定推" ("recommended" / "targeted push") or use separate columns/sections/pages. - b) in e-commerce, when showing personalized results by interests/habits, also offer an option not targeted to the consumer's characteristics; NOTE 2: results based on a chosen location, identical regardless of identity, count as a non-targeted option. - a') for news-information push using personalized display: 1) provide a simple, intuitive option to exit/turn off personalization; 2) on exit, offer to delete or anonymize the PI underlying targeted push; - b') establish a mechanism for the subject to manage the PI (labels, profile dimensions) on which personalization relies, allowing them to adjust its degree. ##### 8.5.3 Information-system automated decision mechanisms Where the system has an automated-decision mechanism that can significantly affect the subject (e.g., auto-deciding credit and loan limits, or screening interviewees), comply with GB/T 45392 and: - a) ensure decision transparency and fairness; no unreasonable differential treatment on price or other terms; - b) conduct a PIPIA at the design stage or before first use, and take effective protective measures; - c) conduct periodic PIPIAs during use and improve measures; - d) provide a complaint channel for automated-decision results and conduct human review of them. ##### 8.5.4 Use of generative AI Where the system accesses an LLM, or uses an LLM-powered agent to process PI, and may materially affect the subject's rights (e.g., outputting PI): - a) conduct a PIPIA in advance and periodically, ensuring measures match the risk level; - b) provide a convenient feedback channel for affected subjects to request deletion or restriction of output; complete verification and deletion within 15 working days of the request; - c) establish output-content review and risk-monitoring to reduce improper output; - d) (recommended) establish an identify-and-filter mechanism for unauthorized or expressly-refused PI in training data, and tune parameters to prevent its output. #### 8.6 Use of a unified account system - a) formulate dedicated processing rules, and in each product's rules inform the subject of the categories, purposes and means of the linked PI; clearly mark/ highlight sensitive PI and inter-account provision; - b) PI collected by each product under the unified account should be stored separately; - c) provide per-product query/copy/modify capability or entry; - d) reasonably explain on a subject's challenge to the linked display/processing; - e) besides cancelling the unified account, provide ways to delete a single product's data or cancel a single product's account; - f) deleting one product's data shall not affect retention of other data under the unified account; - g) providing PI between two or more accounts follows the Clause 4 principles; beyond the original scope or with a changed purpose, obtain consent per 6.3; - h) periodically review inter-account provision and adjust the use strategy. ### 9 Rights of the personal information subject #### 9.1 Access (query) Provide methods for the subject to query: a) the PI (or its types) held about them; b) its source and purpose; c) the identity/type of third parties that have obtained it. NOTE: for queries about PI the subject did not actively provide, the handler may decide whether to respond after weighing risk/harm, technical feasibility and cost, with an explanation. #### 9.2 Correction A subject finding their PI inaccurate/incomplete may request correction. On request, verify the source; if an error/incompleteness is confirmed, correct/ supplement promptly; if unable to verify, inform the reason. The subject shall provide accurate correction information and proof; the handler shall complete correction within **15 working days** and inform the result. #### 9.3 Deletion - a) promptly delete on request where: 1) the purpose is achieved/unachievable/no longer necessary; 2) the product/service ceases, or the period expires; 3) consent is withdrawn; 4) collection/use violated law; 5) collection/use breached the agreement with the subject; - b) where PI was provided/transferred to a third party in violation of law/ agreement, immediately stop and notify the third party to delete; - c) where PI was disclosed in violation, immediately stop and notify recipients to delete; - d) where PI is still needed to serve the subject, explain on a deletion request; if the subject insists, guide them to cancel the product/service; - e) when deleting, use one or more methods ensuring irrecoverability: 1) clear storage media per GB 46864-2025; 2) for backup/DR/archive data, ensure non- reuse via backup-cycle overwrite, isolation or de-identification; 3) anonymize and evaluate the result. #### 9.4 Withdrawal of consent - a) provide a method to withdraw; after withdrawal, do not process the PI until a lawful basis is obtained; - b) the withdrawal path shall be as convenient as the collection path; - c) safeguard the right to refuse PI-based advertising; for external provision/ transfer/disclosure, provide a way to withdraw or delete. NOTE: withdrawal does not affect processing carried out before withdrawal. #### 9.5 Account cancellation - a) provide a simple cancellation method; b) a convenient interactive cancellation page responding promptly; c) where manual handling is needed, complete within a committed period (≤15 working days); d) identity-verification on cancellation shall not require more PI than registration/use; e) no unreasonable conditions (e.g., cancelling one account forcing cancellation of others, or requiring exact historical records); f) where sensitive PI is collected to verify identity, delete/anonymize it once the purpose is met; g) promptly delete/anonymize PI after cancellation; h)–i) for unified-account integrated management, identify the account provider and its processing purpose/means/scope, and allow cancelling the unified account or closing its use/deleting product-only data to equivalent effect; j) follow law where retention is required. #### 9.6 Obtaining a copy On request and after identity verification, provide a copy of, or transmit where technically feasible to a designated third party, in a readable format: a) basic and identity information; b) health/physiological and education/work information. #### 9.7 Responding to requests - a) after verifying identity, respond to 9.1–9.6 requests within **15 working days** (or the statutory period), with a reasonable explanation, and inform of external dispute resolution; - b) set dedicated functions in the interface for online exercise of rights; - c) where direct fulfillment is costly or difficult, provide an alternative; - d) a request under 9.1–9.6 need not be honored where it: 1) relates to the handler's statutory obligations; 2) directly concerns national/defense security; 3) directly concerns public security/health or major public interest; 4) directly concerns criminal investigation/prosecution/trial/ enforcement; 5) the subject is shown to be acting in bad faith or abusing rights; 6) protects life/property of the subject or others where consent is hard to obtain; 7) would seriously harm the lawful rights of the subject or others; 8) the information's scope/setting is private; - e) if declining, inform the reason and provide a complaint channel; - f) on a natural person's death, close relatives may, for their lawful interests, exercise access/copy/correction/deletion over the deceased's PI (unless the deceased arranged otherwise), providing death and kinship proof; respond within **15 working days** or inform of the delay. #### 9.8 Complaint management Establish a complaint-management mechanism and tracking process, responding within a reasonable time. ### 10 Entrusted processing, provision, transfer and disclosure #### 10.1 Entrusted processing - a) entrustment shall not exceed the consented scope (or comply with 6.5); - b) conduct a PIPIA and ensure the entrusted party meets the 13.6 data-security capability; - c) the entrusted party shall: 1) process strictly as required, feeding back if unable for special reasons; 2) not sub-entrust without prior authorization, and notify on changes; 3) assist in responding to 9.1–9.6 requests; 4) feed back inability to protect or any incident; 5) delete/anonymize on termination; - d) supervise the entrusted party (by contract; by inspection); - e) accurately record and store the entrustment; - f) on discovering non-compliant processing or failure to protect, immediately require cessation and remediation (change passwords, revoke permissions, disconnect), terminating the relationship and requiring deletion if needed. #### 10.2 Provision Provision (other than for M&A/bankruptcy) requires: a) prior PIPIA and effective measures; b) where consent is the basis, inform the purpose, recipient, contact, means, categories and consequences, and obtain separate consent (unless de-identified so the recipient cannot re-identify); c) the recipient processes only within that scope and re-obtains consent per 6.3 on change; d) fix the recipient's duties by contract; e) accurately record provision (date, scale, purpose, recipient); f) bear liability for harm from an incident; g) on the recipient's violation, require cessation/remediation and, if needed, terminate and require deletion. #### 10.3 Transfer on M&A/reorganization/bankruptcy a) inform subjects; b) the successor continues the original duties, re-obtaining explicit consent on a purpose change; c) on bankruptcy with no successor, delete or anonymize. #### 10.4 Public disclosure PI should not, in principle, be disclosed. Where lawful or with reasonable grounds: a) prior PIPIA and measures; b) inform purpose and categories and obtain separate consent; c) for sensitive PI, additionally give a prominent notice of the sensitive content; d) record disclosure (date, scale, purpose, scope); e) bear liability for harm; f) do not disclose biometrics; g) do not disclose analysis results of PRC citizens' race, ethnicity, political views, religion, etc. #### 10.5 Other lawful grounds for provision/transfer/disclosure No prior consent is needed where it: a) relates to statutory obligations; b) directly concerns national/defense security; c) directly concerns public security/health/major public interest; d) directly concerns criminal justice; e) protects major life/property interests where consent is hard to obtain; f) concerns PI the subject disclosed to the public themselves; g) is collected from lawfully-public sources (lawful news reporting, government disclosure). #### 10.6 Joint handlers a) state joint processing in the processing rules; b) where the handler and a third party are joint handlers, jointly fix the security requirements and respective duties by contract and clearly inform subjects; c) failing clear notice of the third party's identity and respective duties, the handler bears the security liability arising from the third party. NOTE: where a handler deploys a third-party PI-collecting plugin (analytics, SDK, map API) and that third party did not separately obtain consent, they are joint handlers at the collection stage. #### 10.7 Third-party access management Where a third-party PI-collecting product/service is integrated and 10.1/10.5/ 10.6 do not apply: a) establish access management and workflow, with security assessment/access conditions as needed; b) fix security duties by contract; c) clearly mark that the third party provides it; d) keep access contracts and records available; e) require the third party to obtain consent per this standard and verify how; f) require the third party to have a rights-response/ complaint mechanism and keep it updated; g) urge the third party to strengthen security, rectifying or cutting off access on failure; h) for embedded/accessed automated tools (code, scripts, interfaces, models, SDKs, mini-programs): 1) technically test that collection meets the agreement; 2) inspect collection and cut off access on out-of-scope behavior. #### 10.8 Cross-border transmission Where PI collected/produced in PRC operations is provided abroad, comply with relevant laws, administrative regulations, departmental rules and mandatory national standards, strengthen outbound technical/management measures, and guard against and dispose of unlawful-outbound risks. ### 11 Overseas legal-jurisdiction determination and conflict handling #### 11.1 Jurisdiction determination ##### 11.1.1 Determination factors Where processing involves overseas subjects, overseas entities, overseas storage/compute, overseas placement/monitoring, provision abroad, or may trigger foreign extraterritorial application, the handler shall determine the target jurisdiction, with factors including at least: - a) territorial — where key processing occurs (collection, storage, use, provision), local entity/employees, the billing locale of the data center/ cloud; - b) effects — whether it intentionally targets the jurisdiction's subjects (local language, currency, delivery promises, local advertising/after-sales, continuous tracking); - c) personal — the establishment/operation links between the handler (or its controlled overseas entity) and companies in the jurisdiction; - d) sector-specific rules — extraterritorial provisions for finance, telecom, commercial transactions, etc. ##### 11.1.2 Comprehensive determination and recording Where territorial, effects and personal factors coexist, identify the relevant factors per local law, weigh them as needed, and produce a written analysis as a precondition to the processing record and PIPIA and a go-live gate. ##### 11.1.3 Exclusions Unless local law expressly provides, do not deny a target jurisdiction's extraterritorial application solely on the ground of "no local entity" or "no direct consideration charged." #### 11.2 Conflict identification and layered handling ##### 11.2.1 Conflict types Identify at least: a) direct-opposition (one jurisdiction compels transfer/ provision while another bans outbound/restricts it); b) standard-inconsistency (differences in sensitive-data definition, consent threshold, cross-border mechanism, evidencing); c) procedural-difference (reporting deadlines, local representative/agent, filing/registration). ##### 11.2.2 Priority and measures After identifying a conflict: a) without violating PRC law, administrative regulations or competent-authority requirements, follow this order: prioritize local mandatory norms; where local norms are unclear, prioritize norms posing a significant penalty/injunction risk; if neither applies, resolve via contract or industry self-discipline; if still unclear, reference international standards or best practice. b) consider measures: 1) regional differentiation/isolation (localize processing, aggregate after local processing, avoid unnecessary transfer); 2) minimization/de-identification; 3) mechanism substitution and multi-track (select applicable cross-border mechanisms per jurisdiction with supplementary measures); 4) government-request response (legality review, scope minimization, partner/subject notice, remedies); 5) third-party risk management (assess SDK/API providers, audit and monitor); 6) transparency (publish transparency reports); 7) compliance-evidence retention (a cross-border compliance ledger recording the full identification/assessment/handling process). #### 11.3 Compliance process and proof - 11.3.1 Special assessment — for first entry to a jurisdiction, a material change, or new external provision/monitoring, complete an integrated assessment of jurisdiction, conflict identification and a cross-border adaptation plan before go-live, included in the PIPIA report. - 11.3.2 Records and consistency — keep the lawful basis, jurisdiction determination, cross-border mechanism, supplementary measures and government- request strategy structured and versioned in the processing record, consistent with the rules and contracts. - 11.3.3 Assessment and monitoring — periodically assess key activities; assess high-risk cross-border activities at least annually, and re-assess/rectify on changes to the jurisdiction's rules or enforcement. #### 11.4 Organization and responsibilities a) designate a cross-border compliance lead, fixing legal/data/security duties and a processing record (jurisdiction, business, data, mechanism, evidence); b) for third parties/SDKs/ad networks, implement access management, contractual control and audit, terminating access on out-of-scope processing; c) establish a government-request response mechanism and transparency reporting, retaining legal basis, request scope, response decision and technical-handling evidence. ### 12 Handling personal information security incidents #### 12.1 Emergency handling and reporting a) formulate an incident contingency plan; b) train and drill at least annually; c) on an incident, per the plan: 1) record the incident (discoverer, time, place; PI and number of people; system; impact on connected systems; whether authorities were contacted); 2) assess impact and take control measures; 3) report timely per cybersecurity-incident law (types/number/content/nature of subjects; impact; measures taken/planned; contacts); 4) where it may seriously harm subjects (e.g., sensitive-PI leakage), notify per 12.2; d) update the plan per legal changes and incident experience. #### 12.2 Notification a) promptly notify affected subjects by email, letter, phone, push, etc.; where individual notice is hard, issue an effective public warning; b) notify at least: 1) the incident's content and impact; 2) measures taken/planned; 3) self- protection advice; 4) remedies offered; 5) the person in charge's / working body's contacts. ### 13 Organizational management requirements #### 13.1 Person in charge of personal information protection - a) an organization meeting any of the following shall designate a person in charge to supervise processing and protection: 1) it is a large network platform; 2) its main business involves PI processing with >200 relevant staff; 3) it processes >1,000,000 persons' PI; 4) it processes >100,000 persons' sensitive PI. NOTE 1: a "large network platform" has ≥50 million registered or ≥10 million monthly-active users, complex business, and data activities significantly affecting national security, the economy or livelihood. NOTE 2: simple processing (e.g., HR-archive keeping) may be excluded. - b) a large platform's person in charge must meet legal/regulatory conditions; other handlers' person in charge should be the legal representative or principal, with expertise, experience, coordination ability and independence; - c) qualifications include: PRC nationality; no criminal/serious-dishonesty record affecting independence; a legally effective employment/appointment agreement; PI expertise and management experience; familiarity with the handler's structure, equity, core business and PI systems; strong analysis, writing and coordination skills; - d) duties include: overall implementation and direct responsibility for PI protection; making and implementing the protection plan; formulating/issuing the processing rules and protocols; responsibility for PIPIA and compliance audit; communication/reporting; confidentiality; supporting investigations and proposing improvements; - e) powers/duties include: participate in major decisions and report directly to the principal; authority to coordinate departments; the right to give opinions before major decisions; the right to stop non-compliant operations and take corrective measures; propose suggestions; provide training resources; attend training; - f) no fixed term; on replacement, fill the role within 30 working days with a person meeting 13.1(a)–(d); - g) the handler shall guarantee resources for the person in charge (leadership responsibility of the legal rep/principal; resources for independent performance; timely involvement in all PI matters; direct reporting); - h) ensure independence: no instruction/interference in duties; no dismissal/ penalty for lawful performance; direct accountability to the top body; no conflicting concurrent posts; - i) organizations not required to appoint a person in charge may follow 13.1(b)–(h). #### 13.2 personal information protection working body and personnel - a) the legal rep/principal bears overall leadership responsibility, providing resources; - b) establish a personal information protection management structure and working body; allocate per-department staff reasonably and encourage specialized training; - c) an organization meeting any of the following shall set up a dedicated working body: 1) large network platform; 2) main business involves PI processing with >200 staff; 3) processes >1,000,000 persons' PI, or is expected to within 12 months; 4) processes >100,000 persons' sensitive PI; - d) duties include: making/implementing/updating rules; maintaining the PI inventory and access policy; conducting PIPIAs and urging rectification; training; pre-launch testing to avoid unknown collection/use/provision; publishing and handling complaints; periodic compliance audit; communicating with authorities; - e) personnel receive periodic training. #### 13.3 PI-security engineering When developing PI-processing products/services, follow GB/T 41817 to consider protection across requirements, design, development, testing and release — planning, building and using protection measures in step. #### 13.4 Records of processing activities - 13.4.1 General — records cover the full lifecycle and are true, accurate, complete and timely, achieving traceability, auditability and provability. - 13.4.2 Scope — maintain records where: a) processing sensitive PI; b) automated decision-making; c) entrusting, providing to other handlers, or disclosing; d) providing abroad; e) material change of purpose/means/type/scenario; f) internal access/copying; g) other activities with major impact on rights. - 13.4.3 Content — at least: a) handler name/contact; b) categories, purpose, means, lawful basis and retention; c) for external provision, recipient name/ contact/purpose; d) for outbound, categories/purpose/means, recipient country, recipient name/contact, mechanism (assessment/certification/SCC) and filing; e) summary of security measures; f) for sensitive PI, the specific categories and necessity result; g) for automated decisions/profiling, the logic, algorithm/model type and version, fairness/transparency safeguards and appeal channel; h) for entrustment, party name/contact, contract no., supervision/ audit arrangements and deletion; i) for disclosure, date/scale/purpose/scope/ channel/frequency; j) rights-exercise channels and complaint records; k) PIPIA report, conclusion and risk measures; l) incidents and handling; m) approval records; n) operator name/role/contact; o) historical versions of the rules. - 13.4.4 Maintenance — assign a responsible person; update before changes take effect; review at least annually (semi-annually for high-risk activities). - 13.4.5 Retention — keep current and historical versions at least three years (or as law provides). - 13.4.6 Availability — keep records electronic, structured and machine-readable, producible on regulatory inspection or subject request. #### 13.5 Personal information protection impact assessment - 13.5.1 General — establish a PIPIA system based on 13.4 records, making the PIPIA a precondition for launch, material change and termination, forming a verifiable, traceable, auditable evidence chain. - 13.5.2 Content — at least: a) lawfulness (basis under Clause 5); b) legitimacy (clear purpose, no misleading/inducement, value to the subject, consistency with public order/morals, no conflict of legitimate interests with rights); c) necessity (direct relation, only necessary PI, least-impact means); d) risk- source analysis (environment, technical measures, process compliance, personnel, third parties, management, business features/scale/posture); e) rights-impact analysis (autonomy, differential treatment, reputation/mental distress, personal/property safety); f) comprehensive risk analysis. - 13.5.3 Scenarios requiring a prior PIPIA: a) sensitive PI; b) automated decision- making; c) entrusting/providing/disclosing; d) providing abroad; e) before a product launch or major function change; f) on legal/regulatory change; g) on major change to business model/system/environment; h) on a major incident or warning. Where (a)–(d) already exist without a prior PIPIA, assess promptly. - 13.5.4 Management — a) the person in charge or working body identifies activities to assess, plans assessments, and supervises; b) plan and assess per GB/T 39335; c) ensure independence/objectivity/expertise — large platforms and important activities should commission a third-party PIPIA; NOTE 1: "important processing activities" include processing 10,000,000 persons' PI, providing 100,000 persons' PI to a third party, processing 100,000 persons' sensitive PI, processing 10,000 minors' PI, or providing 10,000 persons' PI abroad. d) on serious/high risk, propose targeted improvements and urge them; e) produce a PIPIA report — the person in charge or working body may approve launch/change/continuation only where measures match the risk (low, or medium with a clear improvement/ supervision plan); f) review effective conclusions at least annually, and immediately on 13.5.3(f)–(g); g) conclusions take effect on person in charge / authorized approval; h) keep the report and evidence at least three years, available, and publish in suitable form for wide-impact/high-attention activities; i) file the sealed report where required; j) use tooling and keep materials electronic/ structured for timely retrieval. #### 13.6 Data-security capability Per relevant national standards, build appropriate data-security capability to prevent leakage, damage, loss and tampering. Handlers processing sensitive PI should meet GB/T 37988 level-3 or above. #### 13.7 Personnel management and training a) sign confidentiality agreements with PI-processing staff, and background- check those with extensive sensitive-PI access; b) define security duties per post and a penalty mechanism; c) require continued confidentiality on transfer/termination; d) define requirements for external service personnel who may access PI, with confidentiality agreements and supervision; e) establish guidance for special posts (person in charge, legal, compliance, product, R&D, testing) on launch; f) train and assess PI-processing staff at least annually or on major legal change. #### 13.8 Personal information protection compliance audit Conduct compliance audits per GB/T 46903-2025, across five stages (preparation, implementation, reporting, rectification, archiving): - a) periodically audit compliance per law (frequency per GB/T 46903-2025); - b) ensure audit evidence is true, complete and valid; - c) handlers providing important Internet platform services, with huge user numbers and complex business, shall set up an independent body composed mainly of external members to supervise the audit; - d) establish an audit management system (personnel, methods, basis, scope, frequency; auditor duties/powers); - e) ensure necessary resources and authority (budget, staffing, facilities); - f) ensure independence — auditors do not manage/decide on the audited object; the report should go directly to the board or security-compliance committee; self-audits via an independent unit or virtual team of non-involved professionals; - g) build an audit-evidence system (management system, technical measures, processing records, operation logs, supervision records, test reports); - h) (recommended) build an audit management system to find and close gaps with continuous supervision; - i) (recommended) use audit tooling to improve efficiency and quality. ### Annex A (informative) Examples of personal information | Category | Examples | | --- | --- | | Basic personal data | name, birthday, gender, ethnicity, nationality, family relations, address, phone, email, etc. | | Identity information | ID card, officer's card, passport, driver's license, work/access permits, social-security card, residence permit, etc. | | Biometric information | gene, fingerprint, voiceprint, palm print, auricle, iris, facial features, gait, eye print, etc. | | Network-identity identifiers | account; individually identifying IP address; email address; digital certificate; user ID; etc. | | Health/physiological information | records from illness/treatment (symptoms, admission notes, orders, test reports, surgery/anesthesia and nursing records, medication records, drug/food allergy, visit records, fertility, history, family/current/infectious-disease history), plus weight, height, temperature, lung capacity, etc. | | Education/work information | occupation, position, title, employer, education, degree, education/work history, training records, transcripts, etc. | | Property information | bank/securities account numbers and credentials (passwords), deposit info (amounts, payment records), income, real estate, credit records, transaction/consumption records, virtual property, etc. | | Authentication information | account passwords, digital certificates, SMS codes, etc. | | Communication information | communication records and content (SMS, MMS, voice, email, IM — text/image/audio/video/files), and metadata describing communication | | Contacts information | address book, friend/group lists, email-address lists, etc. | | Online records | log-stored operation records: browsing, software-use, click records, behavior records, dialogues with intelligent systems, etc. | | Device information | hardware serial number, MAC address, changeable unique IDs (Android ID, IDFA), unchangeable IDs (IMEI), installed-app list, etc. | | Location information | administrative-area/county-level location, whereabouts/activity location and track, accommodation, transport (air/rail/road/water), precise location, longitude/latitude, etc. | | Label information | user labels/profile information derived from online records (habits, preferences) | | Movement information | step count, cadence, exercise duration, etc. | | Other | marital history, religious belief, sexual orientation, undisclosed criminal records, etc. | ### Annex B (informative) Determination of sensitive personal information | Category | Description | | --- | --- | | Biometric information | gene·a, face·b, voiceprint·c, gait·d, fingerprint, palm print, eye print, auricle, iris, etc. | | Religious-belief information | the religion one believes in, religious organizations joined, positions held, activities, special practices | | Specific-identity information | disabled-person identity, occupational identity not suitable for disclosure, etc. | | Medical-health information | health-status info related to bodily/mental injury, disease, disability, disease risk or privacy·e (symptoms, history, family/infectious history, check-up reports, fertility); PI collected/produced in prevention, diagnosis, treatment, nursing and rehabilitation (visit records, test/exam data) | | Financial-account information | account numbers and passwords of bank/securities/fund/insurance/housing-fund accounts, payment accounts, bank-card track/chip data, payment tokens, income details | | Whereabouts information | continuous precise-location tracks, vehicle-driving tracks, continuous person-activity tracks | | Minors under 14 | the personal information of minors under 14 | | Other sensitive PI | precise-location info·f, resident-ID-card photo, sexual orientation, sex life, credit info, criminal-record info·g, and photos/videos showing private body parts | > **Footnotes:** a — see GB/T 41806. b — see GB/T 41819. c — see GB/T 41807. > d — see GB/T 41773. e — basic physique info (weight, height, blood type, > blood pressure, lung capacity) may be deemed non-sensitive if unrelated to > disease/medical visits. f — location via a device's precise-location > permission is precise location; coarse location estimated from network address > is not; continuous precise location can generate whereabouts. g — criminal > record means a state organ's objective record of an offender (charge, > sentence). ### Annex C (informative) Methods for realizing the subject's autonomous will Realizing the subject's autonomous will has two aspects: not coercing the subject into multiple functions; and safeguarding the subject's right to know and to authorize. Handlers — especially app operators — may use: **C.1 Distinguishing basic and extended functions.** a) define basic functions by the subject's fundamental expectation and primary need; b) do not treat service improvement, experience or R&D alone as a basic function; c) treat other functions as extended. **C.2 Notice and explicit consent for basic functions.** a) before enabling a basic function (install, first use, registration), notify via the interface the categories of PI necessary and the effect of refusal, and obtain explicit consent by an affirmative act; b) if the subject refuses, the handler may decline that function; c) the interface should allow re-access and change of consent scope. **C.3 Notice and explicit consent for extended functions.** a) before first use of an extended function, notify each function and the PI necessary, allowing item- by-item consent; b) on refusal, do not repeatedly seek consent (≤ once per 24h unless the subject actively enables it); c) refusal shall not deny or degrade the basic function; d) the interface should allow re-access and change of scope. ### Annex D (informative) Example scenarios of lawful basis | Lawful basis | Scenario | Description (abridged) | | --- | --- | --- | | Necessary to conclude/perform a contract to which the individual is a party | E-commerce contract | On a buyer placing an order, an e-commerce contract forms; the platform processes the user's PI and provides, within necessity, to the seller (order/recipient/logistics info), the payment provider (payment account/amount/time) and the courier (recipient/logistics info). | | " | Flight booking | On booking via a ticketing platform, the platform provides, within necessity, to the seller/airline (passenger name, ID, contact, flight info) for ticketing, to the payment provider for payment, and to the insurer (if travel insurance is bought). | | " | Online medical appointment/treatment | On booking and paying via an internet-medical platform, the platform provides, within necessity, to the medical institution (name, contact, appointment time, needs, health status), the payment provider, and the courier (for medicine delivery). | | Necessary for HR management under labor rules/collective contract | Employee attendance records | Processing attendance records under lawful labor rules/contract is HR-necessary, to judge lateness/early-leave and maintain work order. | | " | Employee work documents, email, messages | Necessary monitoring of work documents/email/messages on company-issued devices/software is HR-necessary, to protect trade secrets and prevent leakage. | | " | Employee performance information | Collecting/evaluating/analyzing performance information is HR-necessary, as a basis for pay/promotion/reward decisions. | | Necessary to perform a statutory obligation | Platform network-security obligation | To perform Cybersecurity-Law security obligations, a platform monitors/analyzes/handles network status, anomalies and incidents, processing device info, login behavior, IP and access logs. | | " | Platform real-name verification | To perform user-identity-verification obligations (Cybersecurity Law; Internet User Account Information Management Provisions), a platform verifies identity, processing e.g. phone numbers. | | " | Platform content-security review | To perform content-review obligations (Cybersecurity Law; Network Information Content Ecosystem Governance Provisions), a platform reviews user content, processing account info, content, IP, device info and behavior logs. | | " | Platform anti-fraud risk control | To perform anti-telecom-fraud obligations, a platform monitors behavior for risk, processing account info, transaction records, login behavior, IP and device info. | | Necessary to respond to a public-health emergency, or to protect life/health/property in an emergency | Epidemic prevention | In a public-health emergency, relevant authorities may lawfully process identity, itinerary, health status and test results for epidemiological investigation, screening, isolation and resource allocation. | | " | Emergency rescue in disasters/accidents | In a natural disaster or major accident, emergency/medical/rescue bodies may lawfully process identity, contact, location, injury and family info for rescue, medical aid and relocation. | | News reporting / public-opinion supervision for the public interest, within reason | Media reporting of a public event | In reporting a public-safety traffic accident, a media outlet lawfully collects and discloses, within reason and without infringing privacy, parties' basic info, scene photos, hospital info and witness statements, to convey timely news. | | Processing, within reason, self-disclosed or otherwise lawfully-public PI | Academic analysis of researchers' output from public papers | A research institute obtains published papers, fields and citation counts from academic databases (CNKI, Web of Science, Google Scholar) to build an academic-influence model — public PI, used for research within reason. | | " | Market research from public information | A market-research firm collects executives' info, business scope and market performance from public channels (corporate sites, news, government disclosures, white papers) for industry analysis — lawfully-public PI, used within its original purpose. | | " | LLM training on lawfully-public data | An AI firm collects text from lawfully-public internet sources using lawful automated methods, and systematically analyzes and de-identifies the PI involved before collection and training, per PIPL. | ### References The draft cites GB/T 32921—2016, GB/Z 28828—2012, the Cybersecurity Law, NPC Standing Committee decisions on internet security (2000) and network-information protection (2012), the E-Commerce Law, the Telecom-and-Internet PI Protection Provisions (MIIT Order No. 24, 2013), Criminal Law Amendments (VII) and (IX), and international references including ISO/IEC 29100/29101/29134/29151/29184, the EU GDPR, CWA 16113-2012, the EU-U.S. Data Privacy Framework (2023), the OECD Privacy Framework (2013), the APEC Privacy Framework (2005) and the U.S. Consumer Privacy Bill of Rights Act discussion draft (2015). --- ## Data Security Technology — Rules for Data Classification and Grading (GB/T 43697-2024) - Chinese title: 数据安全技术 数据分类分级规则 (GB/T 43697-2024) - Abbreviation: GB/T 43697 - Hierarchy: standard - Issuing body: Standardization Administration of China; National Information Security Standardization Technical Committee (TC260) - Effective: 2024-10-01 - Status: effective - URL: https://datacompliancechina.com/laws/data-classification-grading-rules/ - Markdown: https://datacompliancechina.com/laws/data-classification-grading-rules.md ### Summary GB/T 43697-2024 is the foundational national standard operationalizing the data classification and grading protection system mandated by DSL Article 21. Issued 15 March 2024 and effective 1 October 2024, it sets out the principles, framework, methods and workflow for classifying data by sector/business attribute and grading it into three tiers — core data (核心数据), important data (重要数据) and general data (一般数据) — and provides an important-data identification guide. It is the reference document that sector regulators use to build sector-specific catalogues and that data processors use to classify and grade their own holdings. ### Full text > *DCC summary, not a translation.* GB/T 43697-2024 is a copyrighted national standard. The structured summary below is DCC's own paraphrase of the standard's framework, drawn from the published text, for overseas compliance teams who need to understand how data is classified and graded under China's Data Security Law. ## Scope GB/T 43697-2024 specifies the **principles, framework, methods and workflow** for data classification and grading, and provides an **important-data identification guide**. It applies in three settings: - **Sector regulators** (行业领域主管/监管部门) use it as the reference for drafting classification-and-grading standards for their own sectors. - **Regions and departments** use it to carry out their own classification and grading work. - **Data processors** use it as a reference for classifying and grading the data they hold. The standard expressly **does not apply** to state-secret data or military data, which are governed by their own regimes. It is the technical companion to DSL Article 21, which establishes the "data classification and grading protection system" (数据分类分级保护制度) and directs that data be protected according to its importance to economic and social development and the degree of harm that would result if it were tampered with, destroyed, leaked, or illegally obtained or used. ## Key contents The standard is organized into seven main clauses plus extensive informative annexes (A–J). **Core definitions (Clause 3).** Three grade tiers are defined: - **Core data (核心数据)** — important data that, given high coverage of a domain/group/region or high precision, scale or depth, could *directly affect national political security* if illegally used or shared. It chiefly covers data bearing on key national-security fields, the lifelines of the national economy, major public interest and people's livelihood, plus other data so designated by the relevant state authorities. - **Important data (重要数据)** — data of a specific field, group, region or reaching a certain precision and scale that, if leaked or tampered with/destroyed, could *directly endanger national security, economic operation, social stability, or public health and safety*. Data affecting only the processor itself or individual citizens is generally **not** important data. - **General data (一般数据)** — all data other than core and important data. Supporting definitions include data, personal information, sensitive personal information, industry-sector data, public data, organization data, derived data (衍生数据), and data processor. **Basic principles (Clause 4).** Five principles govern the exercise: scientific-and-practical (科学实用), clear-boundary (边界清晰), **higher-and-stricter** (就高从严 — when multiple factors apply, grade to the highest applicable impact), point-and-surface integration (点面结合 — account for aggregation across fields/groups/regions), and dynamic updating (动态更新). **Data classification rules (Clause 5).** Classification proceeds **first by sector, then by business attribute**. Sectors include industrial, telecom, financial, energy, transport, natural-resources, health, education, and scientific data, among others. Within each sector, regulators refine classification using business attributes such as business area, responsible department, described object, process stage, data subject, content theme, data use, processing activity, and data source. Categories with dedicated legal requirements (notably personal information) are identified and classified per the applicable rules — sensitive PI identification is deferred to the dedicated sensitive-PI national standard. **Data grading rules (Clause 6).** Grading runs in four steps: (a) determine the grading object (data item, dataset, derived data, cross-sector data); (b) identify the **grading factors** (Clause 6.3) — domain (领域), group (群体), region (区域), precision (精度), scale (规模), depth (深度), coverage (覆盖度) and importance (重要性); (c) conduct **impact analysis** (Clause 6.4) over the impact *object* (national security, economic operation, social order, public interest, organizational rights, personal rights) and the impact *degree* (特别严重危害 especially serious / 严重危害 serious / 一般危害 general harm); and (d) determine the grade per the level-determination table (Table 1) and the comprehensive rules (Clause 6.6). Datasets default to the highest grade among their constituent data items (subject to upward adjustment for scale); derived and cross-sector data are graded under the higher-and-stricter principle with attention to processing depth and fusion effects. **Identification thresholds (Clause 6.5 + Table 1).** Data is **core data** where it would cause especially serious or serious harm to national security, or especially serious harm to economic operation / social order / public interest (e.g., relating to the lifelines of the national economy, major livelihood, or major public interest), or where it has high coverage/precision/scale/depth *directly affecting political security*, or is so assessed by the relevant authorities. Data is **important data** where it would cause general harm to national security, or serious harm to economic operation / social order / public interest, or relates to specific fields/groups/regions or reaches a certain precision/scale/depth directly bearing on national security, economic operation, social stability, or public health and safety, or is so assessed by the sector regulator. All other data is **general data**. **Workflow (Clause 7).** Two workflows are given: the **sector-regulator workflow** (draft sector standards, then organize processors to classify, grade, and report important/core-data catalogues) and the **processor workflow** (inventory data assets → set internal rules → classify → grade → review and report catalogues → dynamically update). **Annexes (A–J, informative).** These provide reference material: classification by described object (user/business/operations-management/system-O&M data) and by data subject (public/organization/personal data) in Annex A; grading-factor, impact-object and impact-degree considerations (Annexes C–F); the important-data identification guide (Annex G); optional sub-grading of general data (Annex H); derived-data grading (Annex I); and dynamic-update triggers (Annex J). ## How it fits the regime GB/T 43697-2024 is the keystone technical standard for the **data classification and grading protection system** required by **DSL Article 21**. Where the DSL sets the policy at a high level, this standard supplies the operational method that turns it into practice — the common vocabulary (core / important / general data) and the step-by-step grading logic that sector regulators and data processors are expected to follow. It interlocks with the **Network Data Security Management Regulations** (effective 1 January 2025), which impose heightened obligations on processors of important data (risk assessments, designated security officers and management bodies, and reporting of important-data catalogues). Identifying *which* data is "important" or "core" is precisely what this standard governs, so it is the practical precondition for complying with those downstream duties. Sector catalogues issued under DSL Article 21 (for industrial, automotive, financial, health and other sectors) are built on this framework, and a processor's data-classification inventory and important/core-data catalogue — produced via the Clause 7 processor workflow — are the artefacts regulators expect to see in a data-security review or inspection. --- ## Administrative Measures for the Application Security of Facial Recognition Technology - Chinese title: 人脸识别技术应用安全管理办法 - Abbreviation: FRT Measures - Hierarchy: rule - Issuing body: Cyberspace Administration of China (CAC) and Ministry of Public Security (MPS) - Adopted: 2024-09-30 - Effective: 2025-06-01 - Status: effective - URL: https://datacompliancechina.com/laws/facial-recognition-technology-application-measures/ - Markdown: https://datacompliancechina.com/laws/facial-recognition-technology-application-measures.md ### Summary The dedicated CAC + MPS rule for facial-recognition technology applications, implementing PIPL Articles 26 and 28–32 and the Civil Code privacy chapter. Covers the three governing principles of minimum-use, voluntary choice, and minimum-storage; the filing regime for processors handling face data of more than 100,000 persons; mandatory PIPIA, signage, prohibition on FRT in private spaces (changing rooms, bathrooms, hotel rooms); preference for authoritative ID-verification channels over independent FRT collection; and the inter-agency coordination structure under CAC + MPS. ### Full text **Promulgated by:** Cyberspace Administration of China (CAC) and Ministry of Public Security (MPS). **Document No.:** Decree No. 19 of CAC and MPS. **Adopted at the 23rd CAC executive meeting in 2024 on September 30, 2024, with MPS concurrence. Promulgated March 13, 2025. Effective June 1, 2025.** Zhuang Rongwen (CAC) and Wang Xiaohong (MPS). --- **Article 1.** These Measures are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Administrative Regulation on Network Data Security and other laws and administrative regulations in order to regulate the application of facial recognition technology to handle facial information and protect personal information rights and interests. **Article 2.** These Measures apply to the application of facial recognition technology to handle facial information within the territory of the People's Republic of China. These Measures shall not apply to the application of facial recognition technology to handle facial information for the research and development of facial recognition technology and algorithm training activities within the territory of the People's Republic of China. **Article 3.** Users of facial recognition technology to handle facial information shall comply with laws and regulations, respect for social morality and ethics, follow business morality and professional ethics, act in good faith, fulfill obligations of personal information protection and undertake social responsibilities, and shall not endanger national security, damage public interests or infringe upon legitimate rights and interests of individuals. **Article 4.** Facial recognition technology shall be used for a specific purpose and of sufficient necessity or in a way that has the least impact on personal rights and interests, and strict protective measures shall be implemented. **Article 5.** Prior to application of facial recognition technology to handle facial information, a personal information handler shall inform an individual of the following matters in a prominent manner and using easy-to-understand language in a truthful, accurate and complete manner: (1) name and contact information of the personal information handler; (2) purpose and method of handling facial information and the period for storage of the handled facial information; (3) necessity of handling facial information and impact of handling on personal rights and interests; (4) methods and procedures for individuals to exercise rights in accordance with the law; and (5) other matters to be notified in accordance with the provisions of laws and administrative regulations. If any of the matters prescribed in the preceding paragraph changes, the individual shall be notified of such change. Where it is stipulated by laws and administrative regulations that notification to individuals is not required, such provisions shall prevail. The handling of facial information of the disabled and the elderly shall also comply with the provisions of the State on building a barrier-free environment. **Article 6.** Where the handling of facial information is based on an individual's consent, the voluntary and explicit separate consent of the individual shall be obtained under the premise of full knowledge of the individual. Where laws and administrative regulations provide that the handling of facial information shall be subject to the individual's written consent, such provisions shall prevail. Where an individual consents to the handling of his or her facial information, he or she has the right to withdraw his or her consent, and the personal information handler shall provide a convenient way to withdraw consent. The withdrawal of consent by an individual shall not affect the effectiveness of personal information handling activities that have been carried out based on the individual's consent before the withdrawal. **Article 7.** Where an individual consents to the handling of the facial information of minors under the age of 14, the consent of the minors' parents or other guardians shall be obtained. Where a personal information handler applies facial recognition technology to handle facial information of minors under the age of 14, it/he shall formulate special handling rules in terms of storage, use, transfer and disclosure, in order to protect the safety of minors' personal information according to the law. **Article 8.** Unless otherwise stipulated by laws and administrative regulations or with an individual's separate consent, facial information shall be stored in facial recognition equipment and shall not be externally transmitted through the Internet. Unless otherwise specified by laws and administrative regulations, the retention period of the facial information shall not exceed the minimum time required for achieving the purpose of handling. **Article 9.** Where a personal information handler applies facial recognition technology to handle facial information, it/he shall carry out an assessment on the impact of personal information protection in advance and keep a record of the handling. An assessment on the impact of personal information protection shall mainly include the following aspects: (1) whether the purpose and method of handling facial information are legal, proper and necessary; (2) impact on the personal rights and interests and whether the measures to mitigate adverse impact are effective; (3) risks of divulgence, falsification, loss, damage, or illegal acquisition, sale or use of facial information and possible harm; and (4) whether the protection measures taken are legal, effective and appropriate to the degree of risks. Assessment reports on the impact of personal information protection and handling records shall be kept for at least three years. Where the purpose and method of personal information handling change, or major security incidents occur, the assessment on impact of personal information protection shall be conducted anew. **Article 10.** Where there are other non-facial recognition methods to achieve the same purpose or meet the same business requirements, facial recognition technology shall not be used as the only verification method. If an individual does not agree to identity verification by means of facial information, other reasonable and convenient alternatives shall be provided. Where it is otherwise stipulated by the State on the application of facial recognition technology to verify personal identity, such provisions shall prevail. **Article 11.** Where facial recognition technology is used to verify personal identity or identify specific individuals, it is encouraged to give priority to such channels as the national basic population information database and the national network identity authentication public services, so as to reduce facial information collection and storage and protect facial information security. **Article 12.** No organization or individual may mislead, defraud or coerce an individual to accept facial recognition technology for verification of his/her personal identity on the grounds of handling business, improving service quality, etc. **Article 13.** Facial recognition equipment shall be installed in public places necessary for maintaining public security, and the facial information collection areas shall be reasonably determined in accordance with the law, with eye-catching warning signs set up. No organization or individual may install facial recognition equipment inside private spaces in such public places as hotel guest rooms, public bathrooms, public locker rooms and toilets. **Article 14.** The application system of facial recognition technology shall take such measures as data encryption, security audit, access control, authorization management, intrusion detection and defense to protect the security of facial information. Where cybersecurity graded protection or critical information infrastructure is involved, the obligations of cybersecurity graded protection or critical information infrastructure protection shall be performed in accordance with the relevant regulations of the State. **Article 15.** A personal information handler shall go through the filing formalities with the cyberspace authority at or above the provincial level of the place where it/he is located within 30 working days from the day when the number of stored facial information handled with application of facial recognition technology reaches 100,000 persons. The following materials shall be submitted for the filing application: (1) basic information of the personal information handler; (2) purpose and method of facial information handling; (3) storage quantity of facial information and security protection measures; (4) handling rules and operating procedures for facial information handling; and (5) assessment report on the impact of personal information protection. Where there is any substantial change in the filed information, the formalities for change of filing shall be completed within 30 working days from the date of change. Where the application of facial recognition technology is terminated, the formalities for cancellation of filing shall be completed within 30 working days from the date of termination, and the facial information shall be handled in accordance with the law. **Article 16.** The cyberspace authority shall, in concert with the public security organ and other authorities performing duties of personal information protection, establish and improve the information sharing and notification mechanism and cooperate with each other in carrying out the relevant work. The cyberspace authority, public security organ and other authorities performing duties of personal information protection shall carry out supervision and inspection over the activities of handling personal information with application of facial recognition technology in accordance with the law, and personal information handlers shall provide cooperation pursuant to the law. **Article 17.** Any organization or individual has the right to complain or report to the authorities performing duties of personal information protection on the illegal application of facial recognition technology to handle facial information. The authorities receiving such complaints or reports shall handle them in a timely manner in accordance with the law and inform the complainants or whistleblowers of the handling results. **Article 18.** Any violation of the provisions hereof shall be punished in accordance with the provisions of relevant laws and administrative regulations; if a crime is constituted, criminal liability shall be investigated in accordance with the law. **Article 19.** For the purpose of these Measures, the following terms shall have the following meanings: (1) "personal information handler" refers to any organization or individual that independently determines the purpose and method of handling in the activities of handling personal information. (2) "facial information" refers to the biometric information of facial features that is recorded in electronic or otherwise and is related to an identified or identifiable natural person, excluding the anonymized information. (3) "facial recognition technology" refers to the individual biometric recognition technology that identifies an individual based on the facial information. (4) "facial recognition equipment" refers to the terminal equipment that applies facial recognition technology to identify personal identity. (5) "verifying personal identity" refers to making "one-to-one" comparison of the collected facial information with the specific facial information stored in the information system so as to confirm and check whether the two are the same person. (6) "identifying specific individuals" refers to making "one-to-many" comparison of the collected facial information with the facial information within the specific scope stored in the information system so as to discover and identify individuals with specific identities. **Article 20.** These Measures shall come into force as of June 1, 2025. --- ## Information Security Technology — Personal Information Security Specification (GB/T 35273-2020) - Chinese title: 信息安全技术 个人信息安全规范 (GB/T 35273-2020) - Abbreviation: GB/T 35273 - Hierarchy: standard - Issuing body: Standardization Administration of China; National Information Security Standardization Technical Committee (TC260) - Effective: 2020-10-01 - Status: effective - URL: https://datacompliancechina.com/laws/gbt-35273-pi-security-specification/ - Markdown: https://datacompliancechina.com/laws/gbt-35273-pi-security-specification.md ### Summary GB/T 35273-2020 is China's foundational recommended national standard on personal information protection. First issued in 2017 and revised in 2020, it predates PIPL and shaped much of its drafting; it sets out detailed good-practice requirements across the full personal-information lifecycle — collection, storage, use, sharing/transfer/disclosure, deletion — plus security incident handling and organizational governance. Although a recommended (non-mandatory) standard, it has long been the operational benchmark Chinese regulators reference, and it remains the most detailed practical gloss on PIPL's principles. ### Full text > *DCC summary, not a translation.* GB/T 35273-2020 is a copyrighted national standard. The structured summary below is DCC's own paraphrase of the standard's structure and requirements, for overseas compliance teams. ## Scope GB/T 35273-2020 specifies **principles and security requirements for the processing of personal information** — covering collection, storage, use, sharing, transfer, public disclosure and deletion — together with requirements for security incident handling and for the personal-information security management organization. It applies to organizations of all kinds that process personal information through any channel, and is intended both to guide handlers in their practice and to serve as a reference for regulators, third-party assessors and others supervising or evaluating personal-information protection. It is a **recommended** (GB/T, 推荐性) standard — not legally mandatory in itself — but it is the most widely cited practical benchmark in China's personal-information regime. ## Key contents The standard is built around a set of basic principles and then proceeds lifecycle-stage by lifecycle-stage. **Basic principles.** Accountability (权责一致), purpose specification (目的明确), choice and consent (选择同意), minimum necessity (最少够用), openness and transparency (公开透明), security safeguards (确保安全) and subject participation (主体参与). It defines and distinguishes **personal information** and **sensitive personal information**, with illustrative lists in its annexes. **Collection.** Lawfulness of collection; the minimum-necessity rule; the requirement to obtain consent (and, for sensitive personal information, explicit consent); enumerated exceptions to consent; and a privacy-policy (隐私政策) content specification. **Storage.** Minimization of retention period; de-identification and encrypted storage of sensitive personal information; and rules on cessation of operations. **Use.** Access controls and display restrictions (e.g., masking); limits on use and on aggregation/portrait building; restrictions on automated decision-making and information-system-based decisions; and rules on entrusted processing, sharing, transfer and public disclosure — including the security due-diligence and recordkeeping a handler must perform before sharing or transferring, and the special rules for transfer on merger/acquisition. **Subject rights.** Mechanisms for access, correction, deletion, withdrawal of consent, account cancellation and obtaining a copy of personal information, and responding to subject requests. **Security incident handling.** Emergency response planning, incident disposal, and notification of affected individuals and authorities. **Organizational management.** Appointment of a person responsible for personal-information protection and a working body; data-security impact assessment; audits; staff management and training; and security of the processing systems. The annexes provide reference lists of personal information and sensitive personal information, a model privacy-policy template, and guidance on obtaining consent. ## How it fits the regime GB/T 35273 is the **ancestor standard** of China's personal-information regime. Its 2017 first edition and 2020 revision long predated the **Personal Information Protection Law (PIPL)**, and much of PIPL's architecture — the consent rules, the sensitive-PI category, the notice/privacy-policy obligations, subject rights and the data-protection impact assessment — tracks concepts this standard developed first. Since PIPL took effect (1 November 2021), the statute is the binding source of obligation. But GB/T 35273 remains the **operational benchmark**: it is far more granular than the law, and regulators, certification bodies and assessors continue to treat conformance with it as evidence of good practice. For overseas compliance teams, it is the document to consult when PIPL states a principle and you need the concrete, field-tested implementation detail. It also underpins more specialized downstream standards (impact assessment, de-identification, notice-and-consent) that build on its vocabulary. --- ## Technical Guide for the Construction of Telemedicine Information Systems (2014 Edition) - Chinese title: 远程医疗信息系统建设技术指南(2014年版) - Abbreviation: Telemedicine System Technical Guide - Hierarchy: standard - Issuing body: National Health and Family Planning Commission - Adopted: 2014-11-01 - Effective: 2014-01-01 - Status: effective - URL: https://datacompliancechina.com/laws/telemedicine-information-system-technical-guide/ - Markdown: https://datacompliancechina.com/laws/telemedicine-information-system-technical-guide.md - Source URL: https://www.nhc.gov.cn/ ### Summary Issued in November 2014 by the National Health and Family Planning Commission, this technical guide is the normative reference document for designing, procuring, deploying, and accepting telemedicine information systems in China. Across eleven parts it sets out the principles, goals and tasks of telemedicine-system construction; a needs analysis covering user, business, functional, information, technical and information-security requirements; a four-layer design architecture (system, function, information, technical); a standards-and-security chapter; and detailed build-out specifications for national- and provincial-level telemedicine service and resource supervision centres and for service stations down to the township/community level. For data compliance, the relevant material is the information-security needs analysis (Part 3.6) and the information-security construction chapter (Part 5.2), which require patient-privacy protection, integrity and confidentiality of data in transmission and storage, local and offsite backup, security-domain isolation between hospital intranets and the telemedicine extranet, and an MLPS-aligned security architecture spanning physical, network, host, application, and data security plus five management domains. The document is a large technical guide; the page below is a structured English summary rather than a verbatim translation. ### Full text > *DCC summary, not a translation.* The *Technical Guide for the Construction of Telemedicine Information Systems (2014 Edition)* is a large technical guide (eleven parts, with extensive hardware/configuration appendices). It is not reproduced verbatim. The structured summary below focuses on its architecture and on the data-exchange and security requirements that are relevant to data compliance. ## Status and purpose The Guide was issued in November 2014 by the National Health and Family Planning Commission (the predecessor of the National Health Commission). It is described in its own foreword as a **normative document guiding the construction of telemedicine information systems**, intended for reference in scheme design, engineering tendering, deployment and implementation, and project acceptance. It consolidates lessons from earlier telemedicine deployments and sets out the basic functions, technical architecture, and construction standards for national- and provincial-level telemedicine service-and-resource supervision centres and for telemedicine service stations at each administrative tier, as well as the relationship between telemedicine systems and regional health-information platforms at each level. ## Document structure (eleven parts) 1. **Overview** — background, domestic and international development, necessity and urgency, and an analysis of social and economic benefits. 2. **Principles, goals and tasks** — construction principles, construction goals, and construction tasks. 3. **Needs analysis** — user needs, business needs, functional needs, information needs, technical needs, and **information-security needs**. 4. **Design architecture** — system architecture, function architecture, information architecture, and technical architecture. 5. **Standards and security** — the standards-system framework and standards-conformance testing, and **information-security construction**. 6. **Infrastructure construction** — telemedicine-system hardware, software, data-centre equipment rooms, and communication and network systems. 7. **Service-station construction** — remote-consultation application terminals, dedicated remote-consultation rooms, remote intensive-care (ICU) systems, surgical-demonstration systems, multimedia teaching systems, and teaching-on-demand systems. 8. **System deployment models** — centralized model and distributed model. 9. **Operation and maintenance** — telemedicine operations responsibilities, data-centre maintenance management, service-process management norms, service-event handling, service-system support, service-resource information management, and routine operations-management services. 10. **Quality and supervision** — construction-quality management and operation-quality management. 11. **Appendices** — configuration specifications for national- and provincial-level telemedicine service-and-resource supervision centres and for provincial, municipal, county and township/community service stations. ## Architecture The Guide specifies a layered design comprising a **system architecture, function architecture, information architecture, and technical architecture**. Functionally, telemedicine is organized around remote consultation (申请端 application terminals and dedicated consultation rooms), remote intensive-care monitoring, surgical and multimedia teaching, and teaching-on-demand, connected through national- and provincial-level service-and-resource supervision centres to service stations down to the township/community level. Two deployment models are defined — a **centralized model** and a **distributed model** — and the document addresses the interface between telemedicine systems and the regional health-information platforms at each level. ## Information-security needs (Part 3.6) The needs analysis identifies information security as a core requirement and frames it around four concerns: 1. **Protection of patient information privacy.** Telemedicine information includes electronic medical records, health archives, consultation information, and imaging data — much of which contains personal basic information, medical history, and other private data, as well as experts' diagnostic conclusions. Leakage directly infringes patients' interests and harms the hospital's reputation, while tampering or loss in transmission/storage can corrupt consultation results and, in serious cases, cause medical accidents. The Guide therefore requires **integrity of information in transmission (detectable and recoverable)**, **confidentiality of data in transmission and storage**, **complete local data backup**, and **offsite backup of important data**. 2. **Protection of consulting institutions' internal information.** Because participating institutions must connect their internal intranet to the telemedicine extranet for limited, defined information exchange while preventing leakage of the bulk of intranet information, the Guide requires **security isolation and security-domain partitioning** between the hospital intranet and the Internet, with **firewalls, malicious-code protection, boundary-integrity protection, and intrusion detection** at the boundary. 3. **Security protection of business databases.** The large volume of consultation and teaching business data that must be retained for review, comparison, and continuous observation must be protected against attack, loss, damage, and leakage — requiring defence against network attacks and protection of core information assets at both the network layer and the business-system layer. 4. **Security-management systems.** The Guide flags the operational risks of weak management — virus propagation via internal networks or USB drives, abuse of privileges, unauthorized modification of configuration or data, and O&M errors — and calls for effective security-management measures. ## Information-security construction (Part 5.2) The security-construction chapter builds an MLPS-aligned (等级保护 / Multi-Level Protection Scheme) security architecture, referencing the former Ministry of Health's *Guiding Opinions on the Information-Security Multi-Level Protection Work of the Health Industry*, the national standard *Basic Requirements for Information-System Multi-Level Protection*, and the EMR-based hospital-information-platform security solution. The architecture spans **five technical domains** — physical security, network security, host security, application security, and data security — and **five management domains** — security-management systems, security-management organization, personnel security management, system-construction management, and system O&M management. Notable functional requirements include: - **Application security** — identity authentication (unique usernames; password complexity of at least three character types, length ≥ 8, periodic change; login-failure handling), with **two-factor authentication (USB key + password) or a PKI/CA-certificate scheme required for Grade-III systems**; access control (login, role-based, directory-level, and file-attribute controls); and application-level audit of usage behaviour. - **Host/system security** — disaster-recovery capability (referencing GB/T 20988-2007 on information-system disaster recovery, with response and event-handling plans and automatic resume of failed backup/recovery), identity authentication (encrypted storage of credentials, periodic password rotation, two-factor authentication for remote management), strict host access control (least privilege, separation of privileged-user duties, renaming/locking of default accounts, removal of stale accounts, sensitivity labelling of important resources), and security auditing covering operating-system and database users with protected audit processes and records. - **Network and boundary security** — security-domain partitioning and boundary isolation between intranet and Internet, with firewalls, malicious-code protection, boundary-integrity protection, and intrusion detection, plus defence of business databases against network attack. - **Data security and backup** — confidentiality and integrity of data in transmission and storage, local full backup, and offsite backup of important data, consistent with the privacy-protection objective that data destruction must not result in leakage of private information. ## Why this matters for data compliance For overseas vendors and hospital-IT integrators building or supplying telemedicine systems for the Chinese market, this Guide is the 2014-era reference that hospitals and provincial health authorities have used to specify telemedicine-system security in tenders and acceptance. Its data-relevant core — patient-privacy protection, integrity and confidentiality of data in transit and at rest, local-plus-offsite backup, intranet/extranet security-domain isolation, and an MLPS-aligned five-domain security architecture with two-factor authentication for Grade-III systems — has since been carried forward and tightened by the *Administrative Measures for Internet Diagnosis and Treatment*, the *Measures for Cybersecurity Management of Healthcare Institutions*, and the *Measures for Data Security and Personal Information Protection of Healthcare Institutions (Trial)*. The Guide remains a useful baseline for understanding the security expectations embedded in Chinese telemedicine infrastructure. --- — *Technical Guide for the Construction of Telemedicine Information Systems (2014 Edition)*, issued November 2014 by the National Health and Family Planning Commission. DCC structured summary of a large technical guide; not a verbatim translation. For the source document, see the [National Health Commission website](https://www.nhc.gov.cn/). --- ## Information Security Technology — Guide for Personal Information Security Impact Assessment (GB/T 39335-2020) - Chinese title: 信息安全技术 个人信息安全影响评估指南 (GB/T 39335-2020) - Abbreviation: GB/T 39335 - Hierarchy: standard - Issuing body: Standardization Administration of China; National Information Security Standardization Technical Committee (TC260) - Effective: 2021-06-01 - Status: effective - URL: https://datacompliancechina.com/laws/gbt-39335-pi-impact-assessment-guide/ - Markdown: https://datacompliancechina.com/laws/gbt-39335-pi-impact-assessment-guide.md ### Summary GB/T 39335-2020 is the recommended national standard that operationalizes the personal-information security impact assessment (PIA / 个人信息安全影响评估). It sets out the principles, implementation method, working steps and reporting format for assessing the risks that personal-information processing poses to data subjects' rights and interests. Issued in 2020 and effective 1 June 2021, it is the practical reference China's handlers use to conduct the impact assessment that PIPL Article 55 makes mandatory before high-risk processing activities. ### Full text > *DCC summary, not a translation.* GB/T 39335-2020 is a copyrighted national standard. The structured summary below is DCC's own paraphrase of the standard's method and structure, for overseas compliance teams. ## Scope GB/T 39335-2020 provides **the basic principles, the implementation methodology and the working procedure** for conducting a personal-information security impact assessment (个人信息安全影响评估 — the PIA, the direct forebear of PIPL's "personal information protection impact assessment", PIPIA). It addresses **when** an assessment should be triggered, **how** to assess the impact on personal-information subjects' rights and interests, and **how** to document the result. It applies to handlers assessing their own processing activities, and serves as a reference for regulators and third-party assessors. It is a **recommended** standard, but it is the canonical methodology behind a now-mandatory statutory duty. ## Key contents The standard frames the assessment around two dimensions of risk — the likelihood of a security event and the severity of its impact on data subjects — and walks through the exercise step by step. **Assessment triggers.** Guidance on the circumstances that warrant a PIA, including new collection of personal (especially sensitive) information, changes in processing purpose/scope/method, sharing/transfer/public disclosure, cross-border transfer, large-scale or high-sensitivity processing, automated decision-making, and significant changes to the processing system or environment. It distinguishes routine/periodic assessment from event-driven assessment. **Assessment principles.** The exercise should take the personal-information subject's rights and interests as its focus, be conducted objectively, and account for the full processing context. **Working steps.** A structured procedure: (1) preparation — assemble the team, define scope, and gather data flows; (2) data mapping — identify the personal information involved and chart its flows across the lifecycle; (3) risk identification and analysis — assess the **impact on data subjects** (the degree of harm) and the **likelihood of a security event** (in light of existing security measures); (4) risk rating — combine impact and likelihood into an overall risk level; and (5) reporting — record findings, conclusions and recommended mitigations. **Impact and likelihood factors.** Reference factors for judging the *degree of impact* on data subjects (sensitivity and volume of the data, potential for discrimination, reputational, physical, property and other harms) and the *likelihood* of an adverse event (the threat environment and the adequacy of safeguards). **Reporting.** A recommended assessment-report format and content outline, so that the result is documented consistently and can be retained and reviewed. The annexes provide reference material — including assessment factors, scoring approaches and a model report template. ## How it fits the regime GB/T 39335 is the methodology standard behind a **statutory obligation**. **PIPL Article 55** requires handlers to conduct a personal-information protection impact assessment (PIPIA) before, among other things, processing sensitive personal information, using personal information for automated decision-making, entrusting processing or providing personal information to other handlers or to the public, and transferring personal information abroad; **Article 56** specifies what the assessment must cover and requires the report and records to be retained for at least three years. The statute states *that* an assessment must happen and *what* it must address; GB/T 39335 supplies *how* to perform it — the trigger analysis, the risk-rating method and the report template. For overseas compliance teams, it is the working manual for producing a defensible PIPIA, and it dovetails with the cross-border-transfer assessment requirements and with the sector-specific and audit standards that assume a PIA-style risk analysis has been done. --- ## Information Security Technology — Security Requirements for Network Data Processing (GB/T 41479-2022) - Chinese title: 信息安全技术 网络数据处理安全要求 (GB/T 41479-2022) - Abbreviation: GB/T 41479 - Hierarchy: standard - Issuing body: Standardization Administration of China; National Information Security Standardization Technical Committee (TC260) - Effective: 2022-11-01 - Status: effective - URL: https://datacompliancechina.com/laws/gbt-41479-network-data-processing-security/ - Markdown: https://datacompliancechina.com/laws/gbt-41479-network-data-processing-security.md ### Summary GB/T 41479-2022 is the recommended national standard specifying security requirements for the processing of network data — data collected, stored, transmitted, used, provided, disclosed and deleted through networks. It sets lifecycle security requirements for network data processing activities by network operators, organized by processing stage, and serves as a baseline reference for implementing the data-security duties of the Cybersecurity Law and Data Security Law. It applies across general network operations and informs the Network Data Security Management Regulations. ### Full text > *DCC summary, not a translation.* GB/T 41479-2022 is a copyrighted national standard. The structured summary below is DCC's own paraphrase of the standard's structure, for overseas compliance teams. ## Scope GB/T 41479-2022 specifies **security requirements for network data processing activities** — the collection, storage, transmission, use, provision, public disclosure and deletion of data carried out through networks. It applies to network operators conducting such activities, and is a reference for regulators and assessors supervising network-data security. It is a **recommended** standard that provides a baseline of good practice for the network-data-security duties imposed by the **Cybersecurity Law (CSL)** and the **Data Security Law (DSL)**. ## Key contents The standard organizes its requirements around the **network-data processing lifecycle**, with general requirements layered on top. **General security requirements.** Cross-cutting expectations — data-security management responsibilities, classification-and-grading-aware handling, security of the processing environment and systems, access control, logging and audit, and personnel and supply-chain security. **Lifecycle-stage requirements.** Security requirements stage by stage: - **Collection** — lawful and minimal collection, source verification, and protection of data in transit at the point of collection. - **Storage** — protections appropriate to data classification, including access control, encryption where warranted, backup/recovery, and retention discipline. - **Transmission** — confidentiality and integrity protection for data in transit, including encryption and integrity verification. - **Use / processing** — controls over internal use, display and aggregation; protections during development, testing and analytics. - **Provision / sharing** — security due diligence and controls when providing data to third parties or entrusting processing. - **Public disclosure** — controls and review before any public release of data. - **Deletion / destruction** — secure deletion and destruction at end of lifecycle, including handling on cessation of service. **Special-category handling.** Requirements that reflect the heightened treatment of important data and personal information, cross-referencing the personal-information and classification-and-grading standards rather than restating them. The annexes provide reference material supporting the lifecycle requirements. ## How it fits the regime GB/T 41479 is one of the baseline technical standards underpinning China's **network-data-security** layer. The **CSL** imposes general network-operation security duties and the **DSL** establishes the data-security and classification-grading framework; this standard translates those duties into concrete, lifecycle-organized requirements for the network data that operators handle day to day. It sits directly upstream of the **Network Data Security Management Regulations** (effective 1 January 2025), which give the network-data-security regime its binding administrative force — covering general processors, important-data processors, large platforms and cross-border transfers. Where those Regulations state obligations, GB/T 41479 (alongside the classification-grading rules and risk-assessment standards) supplies the implementation detail. For overseas compliance teams, it is a reference for designing data-security controls across the processing lifecycle in a way Chinese regulators will recognize as conformant. --- ## Information Security Technology — Guide for Evaluation of Personal Information De-identification Effect (GB/T 42460-2023) - Chinese title: 信息安全技术 个人信息去标识化效果评估指南 (GB/T 42460-2023) - Abbreviation: GB/T 42460 - Hierarchy: standard - Issuing body: Standardization Administration of China; National Information Security Standardization Technical Committee (TC260) - Effective: 2023-12-01 - Status: effective - URL: https://datacompliancechina.com/laws/gbt-42460-deidentification-evaluation-guide/ - Markdown: https://datacompliancechina.com/laws/gbt-42460-deidentification-evaluation-guide.md ### Summary GB/T 42460-2023 is the recommended national standard for evaluating whether a personal-information de-identification process has actually worked. It sets out the goals, principles, evaluation framework and methods for judging re-identification risk in de-identified datasets — covering identifiers, the choice of de-identification models, and how to test residual risk. It complements GB/T 37964 (the de-identification guide) by providing the effectiveness-evaluation half, and supports PIPL's treatment of de-identification and anonymization. ### Full text > *DCC summary, not a translation.* GB/T 42460-2023 is a copyrighted national standard. The structured summary below is DCC's own paraphrase of the standard's framework, for overseas compliance teams. ## Scope GB/T 42460-2023 provides **the goals, principles, framework and methods for evaluating the effectiveness of personal-information de-identification (去标识化)** — that is, for judging whether a dataset that has been put through a de-identification process carries an acceptably low risk of re-identification. It applies to organizations evaluating the de-identification of their own datasets, and serves as a reference for assessors and regulators reviewing de-identification work. It is a **recommended** standard. It is the natural companion to **GB/T 37964** (the *Guide for De-identification of Personal Information*): where GB/T 37964 explains *how to perform* de-identification, GB/T 42460 explains *how to test whether it succeeded*. ## Key contents The standard frames de-identification effectiveness in terms of re-identification risk and walks through how to evaluate it. **Concepts and goals.** It works from the PIPL/standards definitions of **de-identification** (processing so that personal information cannot identify a specific natural person without additional information) and **anonymization** (processing so that the subject cannot be re-identified and the data cannot be restored), and frames the evaluation goal as confirming that residual re-identification risk is controlled to an acceptable level given the data-use scenario. **Evaluation principles.** Effectiveness is assessed relative to the **release/sharing scenario** and the resources a realistic attacker could bring to bear; the evaluation must consider both direct identifiers and quasi-identifiers, and the possibility of linkage with external datasets. **Identifiers and attributes.** Guidance on distinguishing direct identifiers, quasi-identifiers and other attributes, since the re-identification risk turns largely on quasi-identifier combinations. **Evaluation framework and methods.** An evaluation process and a set of methods/metrics for testing residual risk — addressing re-identification attack models (singling-out, linkage and inference), the de-identification models applied (such as generalization, suppression, pseudonymization and aggregation), and how to judge whether the chosen technique and parameters achieve the target risk level for the intended disclosure context. **Reporting.** Guidance on documenting the evaluation and its conclusion. The annexes provide reference material on attack models, risk metrics and worked considerations. ## How it fits the regime De-identification and anonymization are load-bearing concepts in **PIPL**. PIPL defines both terms (Article 73); **anonymized** information falls outside the definition of "personal information" (Article 4) and so outside the law's scope, whereas **de-identified** information is still personal information and remains regulated. The practical question — *has a dataset been de-identified or anonymized well enough?* — is exactly what GB/T 42460 helps answer. For overseas compliance teams, the standard matters whenever a Chinese operation relies on de-identification to reduce risk (for analytics, sharing, secondary use, or to argue data has been anonymized out of PIPL's scope). It supplies the test method to back that reliance, and it pairs with GB/T 37964 (de-identification technique), GB/T 35273 (which calls for de-identified/encrypted storage of sensitive data) and the impact-assessment standard. It does **not** lower any statutory threshold — it is the evidentiary method for showing a de-identification claim holds up. --- ## Information Security Technology — Implementation Guide for Notification and Consent in Personal Information Processing (GB/T 42574-2023) - Chinese title: 信息安全技术 个人信息处理中告知和同意的实施指南 (GB/T 42574-2023) - Abbreviation: GB/T 42574 - Hierarchy: standard - Issuing body: Standardization Administration of China; National Information Security Standardization Technical Committee (TC260) - Effective: 2023-12-01 - Status: effective - URL: https://datacompliancechina.com/laws/gbt-42574-notification-consent-guide/ - Markdown: https://datacompliancechina.com/laws/gbt-42574-notification-consent-guide.md ### Summary GB/T 42574-2023 is the recommended national standard that operationalizes PIPL's notification (告知) and consent (同意) obligations. It gives handlers practical guidance on what to tell data subjects and how, when and in what form to obtain consent — including separate consent, written consent, consent from minors' guardians, and withdrawal of consent — across web, app and other interfaces. It is the implementation manual for PIPL Articles 14–17 and 23/25/29/39, turning the statute's notice-and-consent rules into concrete design requirements. ### Full text > *DCC summary, not a translation.* GB/T 42574-2023 is a copyrighted national standard. The structured summary below is DCC's own paraphrase of the standard's framework, for overseas compliance teams. ## Scope GB/T 42574-2023 provides **implementation guidance for the notification and consent obligations** that arise when processing personal information — what information must be conveyed to the personal-information subject, how the notification should be presented, and how, when and in what form consent should be obtained, changed and withdrawn. It applies to handlers designing their notice-and-consent mechanisms, and is a reference for assessors and regulators. It is a **recommended** standard, and is best read as the practical companion to **PIPL's** notice-and-consent provisions. ## Key contents The standard separates the two obligations — *telling* the subject (notification) and *getting agreement* (consent) — and gives design rules for each. **Notification (告知).** Guidance on the **content** that must be disclosed (the handler's identity and contact details; the purposes and methods of processing; the categories of personal information processed and the retention period; the means and procedures for the subject to exercise their rights; and the matters that must be disclosed for sharing, public disclosure, cross-border transfer, and automated decision-making). It also addresses the **manner** of notification — clarity, conspicuousness, plain and accurate language, timing (generally before processing), layered/just-in-time notice, and accommodations for different interfaces and for individuals with accessibility needs. **Consent (同意).** Guidance on obtaining consent that is **voluntary, explicit and fully informed**, and on the situations requiring heightened consent: - **Separate consent (单独同意)** — distinct, transaction-specific consent for sharing personal information with other handlers, public disclosure, cross-border transfer, processing sensitive personal information, and certain other high-impact activities. - **Written consent (书面同意)** — where laws or regulations require consent to be in writing. - **Guardian consent** — consent of a parent/guardian for processing the personal information of minors under 14. - **Re-consent** — obtaining fresh consent when the purpose, method or categories of processing change. It also covers **withdrawal of consent** (providing an easy means to withdraw, with withdrawal not affecting the lawfulness of prior processing), and the principle that a handler must not refuse to provide a product or service merely because the subject declines consent that is not necessary for that product or service. **Statutory exceptions.** Guidance noting the circumstances in which processing may proceed without consent (e.g., performance of a contract to which the subject is a party, statutory duties, emergencies, news reporting, and processing of already-public information within reasonable limits). The annexes provide reference examples of notice content and consent interface design. ## How it fits the regime GB/T 42574 is the implementation manual for one of **PIPL's** core mechanisms. PIPL builds much of its consent architecture on notice: **Article 13** makes consent a primary lawful basis (alongside enumerated alternatives); **Articles 14–16** require informed, voluntary, explicit consent, allow withdrawal, and bar conditioning services on unnecessary consent; **Article 17** prescribes the matters to be notified; **Articles 23, 25, 29 and 39** require **separate consent** for sharing, public disclosure, processing sensitive personal information, and cross-border transfer respectively; and **Article 31** requires guardian consent for minors under 14. The statute sets these requirements; GB/T 42574 turns them into concrete UX and content design rules. For overseas compliance teams, it is the document to consult when building privacy notices, consent flows and withdrawal mechanisms for Chinese-facing products, and it works hand-in-hand with GB/T 35273 (privacy-policy specification) and the app- and platform-specific rules that police notice-and-consent in practice. --- ## Data Security Technology — Personal Information Processing Rules for Internet Platforms and Products/Services (GB/T 44588-2024) - Chinese title: 数据安全技术 互联网平台及产品服务个人信息处理规则 (GB/T 44588-2024) - Abbreviation: GB/T 44588 - Hierarchy: standard - Issuing body: Standardization Administration of China; National Information Security Standardization Technical Committee (TC260) - Status: effective - URL: https://datacompliancechina.com/laws/gbt-44588-platform-pi-processing-rules/ - Markdown: https://datacompliancechina.com/laws/gbt-44588-platform-pi-processing-rules.md ### Summary GB/T 44588-2024 is a recommended national standard setting personal-information processing rules tailored to internet platforms and their products and services. It addresses how platform operators — and the products, services and third-party providers within their ecosystems — should handle personal information consistently with PIPL, including the heightened 'gatekeeper' obligations PIPL imposes on large platforms. It is one of the 2024 'Data Security Technology' series standards that build sector- and scenario-specific guidance on top of PIPL's general framework. ### Full text > *DCC summary, not a translation.* GB/T 44588-2024 is a copyrighted national standard. The structured summary below is DCC's own paraphrase grounded in the standard's title and number; specific clauses should be checked against the published text. ## Scope GB/T 44588-2024 specifies **personal-information processing rules for internet platforms and the products and services they offer**. It is aimed at platform operators and at the products, services and third-party providers that operate within a platform ecosystem, and addresses how personal information should be processed across that ecosystem in line with the Personal Information Protection Law. It is a **recommended** standard in the "Data Security Technology" (数据安全技术) series. ## Key contents At a structural level the standard is expected to cover: - **General requirements** for personal-information processing by platform operators, applying PIPL's principles (lawfulness, minimum necessity, transparency, purpose limitation) to the platform context. - **Notice, consent and transparency** obligations as they apply to platform interfaces and to the relationship between the platform and the products/services running on it. - **Roles and responsibilities** across the ecosystem — allocating personal-information obligations between the platform operator and in-platform product/service providers and third parties. - **Platform 'gatekeeper' duties** reflecting PIPL's special obligations for large personal-information platforms (independent oversight, platform rules, management of in-platform operators, and public reporting). - **Subject rights, security measures and governance** as applied to the platform setting. > *Editor: verify specific clauses against the published standard.* ## How it fits the regime GB/T 44588 operationalizes **PIPL** for the platform economy. PIPL applies generally to all personal-information handlers, and **Article 58** imposes additional "gatekeeper" obligations on providers of important internet platforms with large user bases and complex businesses — including establishing independent oversight bodies, formulating platform rules, restraining in-platform operators that seriously violate the law, and publishing periodic personal-information-protection reports. This standard supplies platform-specific implementation detail for those obligations and for ordinary PIPL compliance across a multi-party platform ecosystem. For overseas compliance teams operating or selling through Chinese internet platforms, it is the reference for how personal-information responsibilities are expected to be allocated and discharged between platform and participants. It complements the app- and scenario-specific rules and the general personal-information standards (GB/T 35273, notice-and-consent, sensitive-PI). --- ## Data Security Technology — Security Requirements for Automated Decision-Making Based on Personal Information (GB/T 45392-2025) - Chinese title: 数据安全技术 基于个人信息的自动化决策安全要求 (GB/T 45392-2025) - Abbreviation: GB/T 45392 - Hierarchy: standard - Issuing body: Standardization Administration of China; National Information Security Standardization Technical Committee (TC260) - Status: effective - URL: https://datacompliancechina.com/laws/gbt-45392-automated-decision-security/ - Markdown: https://datacompliancechina.com/laws/gbt-45392-automated-decision-security.md ### Summary GB/T 45392-2025 is a recommended national standard setting security requirements for automated decision-making (自动化决策) that is based on personal information. It operationalizes PIPL's automated-decision-making rules — transparency, fairness, the prohibition on unreasonable differential treatment, opt-out for personalized push and marketing, and the right to an explanation and to refuse decisions made solely by automated means. It is a 2025 'Data Security Technology' series standard that complements the algorithmic-recommendation regime. ### Full text > *DCC summary, not a translation.* GB/T 45392-2025 is a copyrighted national standard. The structured summary below is DCC's own paraphrase grounded in the standard's title and number; specific clauses should be checked against the published text. ## Scope GB/T 45392-2025 specifies **security requirements for automated decision-making that relies on personal information** — that is, the use of personal information by computer programs to automatically analyze or assess individuals' behavior, habits, interests or status and to make decisions. It applies to handlers that conduct such automated decision-making, and is a reference for regulators and assessors. It is a **recommended** standard in the "Data Security Technology" (数据安全技术) series, sitting at the intersection of personal-information protection and the algorithm-governance regime. ## Key contents At a structural level the standard is expected to cover: - **General security requirements** for automated decision-making based on personal information, applying PIPL's transparency and fairness principles. - **Transparency and fairness of outcomes** — requirements aimed at ensuring decision logic is appropriately disclosed and that results are reasonable and non-discriminatory. - **Prohibition on unreasonable differential treatment** — controls against using automated decisions to apply unjustified differences in transaction price or terms to individuals (the "big-data price discrimination" concern). - **Personalized push and marketing** — requirements to offer options not targeted to personal characteristics, or a convenient means to refuse. - **Individual rights** — supporting the right to an explanation and the right to refuse decisions made solely through automated means where they significantly affect the individual. - **Risk assessment, security measures and governance** for automated-decision systems. > *Editor: verify specific clauses against the published standard.* ## How it fits the regime GB/T 45392 operationalizes **PIPL Article 24**, which governs automated decision-making: it requires transparency and fair, reasonable outcomes; prohibits unreasonable differential treatment in transaction terms; requires that information push and commercial marketing using automated decision-making offer options not targeted to personal characteristics or an easy way to decline; and gives individuals the right to an explanation and to refuse decisions made *solely* by automated means where those decisions have a significant effect on their rights and interests. A PIPIA is required before automated decision-making under Article 55. The standard supplies the security and implementation detail behind these duties, and dovetails with the **Provisions on the Administration of Algorithmic Recommendation in Internet Information Services** and the broader algorithm-governance framework. For overseas compliance teams running recommendation, pricing, scoring or profiling systems in China, it is the reference for designing those systems to meet both the personal-information and algorithm-governance expectations. --- ## Data Security Technology — Security Requirements for Processing Sensitive Personal Information (GB/T 45574-2025) - Chinese title: 数据安全技术 敏感个人信息处理安全要求 (GB/T 45574-2025) - Abbreviation: GB/T 45574 - Hierarchy: standard - Issuing body: Standardization Administration of China; National Information Security Standardization Technical Committee (TC260) - Status: effective - URL: https://datacompliancechina.com/laws/gbt-45574-sensitive-pi-processing-security/ - Markdown: https://datacompliancechina.com/laws/gbt-45574-sensitive-pi-processing-security.md ### Summary GB/T 45574-2025 is a recommended national standard setting security requirements for processing sensitive personal information (敏感个人信息) as defined by PIPL Article 28. It addresses the heightened safeguards that attach across the lifecycle when handling sensitive PI — separate (and where required written) consent, specific-purpose and strict-necessity limits, intensified impact assessment, and enhanced technical and organizational controls. It complements the TC260 sensitive-PI identification guide by specifying how, once identified, sensitive PI must be protected. ### Full text > *DCC summary, not a translation.* GB/T 45574-2025 is a copyrighted national standard. The structured summary below is DCC's own paraphrase grounded in the standard's title and number; specific clauses should be checked against the published text. ## Scope GB/T 45574-2025 specifies **security requirements for processing sensitive personal information** — personal information that, if leaked or unlawfully used, would readily harm a natural person's dignity or endanger personal or property safety (PIPL Article 28). It applies to handlers that process sensitive personal information, and is a reference for regulators and assessors. It is a **recommended** standard in the "Data Security Technology" (数据安全技术) series, and is the protection-requirements counterpart to the TC260 *Sensitive Personal Information Identification Guide* (which addresses how to recognize sensitive PI in the first place). ## Key contents At a structural level the standard is expected to cover: - **General requirements** for handling sensitive personal information, applying PIPL's specific-purpose, strict-necessity and heightened-protection principles. - **Lawful basis and consent** — implementation of separate consent, and written consent where laws or regulations so require, plus guardian consent for minors under 14. - **Notice obligations** — the additional matters that must be disclosed when processing sensitive PI, including necessity and the impact on the individual. - **Lifecycle security controls** — enhanced safeguards for collection, storage (e.g., encryption, access control), use, provision, public disclosure and deletion of sensitive PI. - **Impact assessment** — the intensified PIPIA expected before processing sensitive PI. - **Governance and accountability** — organizational measures, recordkeeping and oversight specific to sensitive-PI processing. > *Editor: verify specific clauses against the published standard.* ## How it fits the regime GB/T 45574 operationalizes the **sensitive-personal-information regime of PIPL**. PIPL **Article 28** defines sensitive personal information and limits its processing to specific purposes with strict necessity and protective measures; **Article 29** requires **separate consent** (and written consent where law requires); **Article 30** adds notice obligations (the necessity of processing and its impact on the individual); and **Article 55** requires a PIPIA before processing sensitive PI. This standard supplies the security and implementation detail behind those statutory duties — the "how to protect" half of the sensitive-PI picture, where the **TC260 Sensitive Personal Information Identification Guide** supplies the "how to identify" half. For overseas compliance teams, it is the reference for engineering and governing the handling of biometric, health, financial, whereabouts, minors' and other sensitive data in China, and it builds on GB/T 35273, the notice-and-consent guide, and the impact-assessment standard. --- ## Data Security Technology — Data Security Risk Assessment Method (GB/T 45577-2025) - Chinese title: 数据安全技术 数据安全风险评估方法 (GB/T 45577-2025) - Abbreviation: GB/T 45577 - Hierarchy: standard - Issuing body: Standardization Administration of China; National Information Security Standardization Technical Committee (TC260) - Status: effective - URL: https://datacompliancechina.com/laws/gbt-45577-data-security-risk-assessment/ - Markdown: https://datacompliancechina.com/laws/gbt-45577-data-security-risk-assessment.md ### Summary GB/T 45577-2025 is a recommended national standard specifying a method for assessing data security risk. It provides the principles, framework, process and assessment content for identifying and evaluating risks to data across its lifecycle — covering data assets, threats, vulnerabilities, existing safeguards and potential impact — and for rating overall data-security risk. It is a 2025 'Data Security Technology' series standard supporting the risk-assessment duties of the Data Security Law and the network-data regime. ### Full text > *DCC summary, not a translation.* GB/T 45577-2025 is a copyrighted national standard. The structured summary below is DCC's own paraphrase grounded in the standard's title and number; specific clauses should be checked against the published text. ## Scope GB/T 45577-2025 specifies a **method for data security risk assessment** — the principles, framework, process and content for identifying, analyzing and evaluating risks to data security across the data lifecycle. It applies to organizations assessing the data-security risk of their own data and processing activities, and is a reference for regulators and third-party assessors. It is a **recommended** standard in the "Data Security Technology" (数据安全技术) series. ## Key contents At a structural level the standard is expected to cover: - **Assessment principles and framework** — an objective, lifecycle-oriented model relating data assets, threats, vulnerabilities, existing security measures, and potential impact. - **Assessment process** — preparation and scoping; identification of data assets (informed by data classification and grading); identification of threats and vulnerabilities; analysis of existing safeguards; analysis of likelihood and impact; and overall risk determination. - **Assessment content** — the dimensions to evaluate across the lifecycle (collection, storage, transmission, use, provision, disclosure, deletion), including management and technical safeguards. - **Risk rating and treatment** — combining likelihood and impact into a risk level and informing risk-treatment recommendations. - **Reporting** — documentation of the assessment, findings and conclusions. > *Editor: verify specific clauses against the published standard.* ## How it fits the regime GB/T 45577 is the data-security analogue of the personal-information impact-assessment standard. The **Data Security Law (DSL)** establishes the data-security management system, the classification-and-grading regime, and risk-monitoring and assessment duties (including, for important data, periodic risk assessments and reporting). This standard supplies a consistent **method** for performing such assessments. It works alongside **GB/T 43697** (classification and grading — which identifies *which* data is important or core) and the **Network Data Security Management Regulations** (which require risk assessments for important-data processing and other activities). The companion **TC260 *Network Data Security Risk Assessment Implementation Guide*** gives a practice-oriented, step-by-step procedure that aligns with this method. For overseas compliance teams, GB/T 45577 is the reference method for conducting and documenting a defensible data-security risk assessment in China. --- ## Data Security Technology — Security Certification Requirements for Cross-Border Processing of Personal Information (GB/T 46068-2025) - Chinese title: 数据安全技术 个人信息跨境处理活动安全认证要求 (GB/T 46068-2025) - Abbreviation: GB/T 46068 - Hierarchy: standard - Issuing body: Standardization Administration of China; National Information Security Standardization Technical Committee (TC260) - Status: effective - URL: https://datacompliancechina.com/laws/gbt-46068-cross-border-pi-certification-requirements/ - Markdown: https://datacompliancechina.com/laws/gbt-46068-cross-border-pi-certification-requirements.md ### Summary GB/T 46068-2025 is a recommended national standard setting the security requirements for certifying cross-border processing of personal information — the personal-information protection certification route that PIPL Article 38 offers as one lawful basis for transferring personal information abroad. It specifies the requirements that handlers and overseas recipients must meet to be certified, including legally binding agreements, organizational and technical safeguards, and protection of data subjects' rights. It elevates and complements the earlier TC260 certification specification. ### Full text > *DCC summary, not a translation.* GB/T 46068-2025 is a copyrighted national standard. The structured summary below is DCC's own paraphrase grounded in the standard's title and number; specific clauses should be checked against the published text. ## Scope GB/T 46068-2025 specifies **security certification requirements for cross-border processing activities involving personal information**. It applies to the parties to a cross-border personal-information transfer — the domestic personal-information handler and the overseas recipient — and to the certification bodies assessing them. It is the technical basis for the **personal-information protection certification** route to lawful cross-border transfer. It is a **recommended** standard in the "Data Security Technology" (数据安全技术) series, and supersedes/upgrades the earlier TC260 *Practice Guide — Security Certification Specification for Cross-Border Processing of Personal Information* as the reference for this certification route. ## Key contents At a structural level the standard is expected to cover: - **Basic principles** for cross-border personal-information processing — lawfulness, transparency, purpose limitation, and ensuring the overseas recipient affords protection meeting Chinese requirements. - **Legally binding agreement** — requirements for a binding instrument between the handler and the overseas recipient allocating responsibilities and protecting data subjects' rights. - **Organizational and accountability requirements** — designation of responsible personnel/bodies, binding internal rules, and accountability across the two parties (including for onward transfers). - **Technical and management safeguards** for the data both before and after it leaves China. - **Data-subject rights protection** — ensuring individuals can exercise PIPL rights against both parties and have recourse, including a mechanism for accepting jurisdiction/responsibility within China. - **Continuing-supervision** expectations consistent with the certification scheme. > *Editor: verify specific clauses against the published standard.* ## How it fits the regime GB/T 46068 underpins one of the three lawful bases for cross-border personal-information transfer under **PIPL Article 38**: passing a **security assessment** (CAC), concluding the **standard contract**, or obtaining **personal-information protection certification** from a specialized body. Certification is the focus of this standard. It is the technical companion to the **Measures for the Certification of Cross-Border Processing of Personal Information** (and the broader personal-information-protection certification scheme), supplying the substantive requirements certification bodies test against. For overseas compliance teams — particularly multinational groups moving personal information intra-group across the Chinese border — it is the reference for what a certifiable cross-border transfer arrangement must contain. It works alongside the standard-contract and security-assessment routes and the **Provisions on Promoting and Regulating Cross-Border Data Flows**, which set the thresholds and exemptions that determine which route (if any) applies. --- ## Data Security Technology — Guide to Social Responsibility for Data Security and Personal Information Protection (GB/T 46071-2025) - Chinese title: 数据安全技术 数据安全和个人信息保护社会责任指南 (GB/T 46071-2025) - Abbreviation: GB/T 46071 - Hierarchy: standard - Issuing body: Standardization Administration of China; National Information Security Standardization Technical Committee (TC260) - Status: effective - URL: https://datacompliancechina.com/laws/gbt-46071-data-protection-social-responsibility/ - Markdown: https://datacompliancechina.com/laws/gbt-46071-data-protection-social-responsibility.md ### Summary GB/T 46071-2025 is a recommended national standard offering guidance on social responsibility in data security and personal information protection. It frames data security and PI protection as elements of organizational social responsibility, providing principles and guidance for organizations to take responsibility toward data subjects, society and the public — covering governance, transparency, stakeholder engagement and accountability. It is a 2025 'Data Security Technology' series standard that complements the binding duties of the DSL and PIPL with a responsibility-and-governance framing. ### Full text > *DCC summary, not a translation.* GB/T 46071-2025 is a copyrighted national standard. The structured summary below is DCC's own paraphrase grounded in the standard's title and number; specific clauses should be checked against the published text. ## Scope GB/T 46071-2025 provides **guidance on social responsibility relating to data security and personal information protection** — that is, how organizations should understand and discharge their responsibilities toward data subjects, society and the public when handling data and personal information. It applies to organizations seeking to build data-security and personal-information protection into their social-responsibility and governance practices, and is a reference for stakeholders evaluating such practices. It is a **recommended** standard in the "Data Security Technology" (数据安全技术) series, and is advisory/governance-oriented rather than a set of technical control requirements. ## Key contents At a structural level the standard is expected to cover: - **Principles of social responsibility** for data security and personal-information protection — accountability, transparency, ethical and lawful conduct, respect for data-subject rights and the public interest. - **Responsibility toward stakeholders** — data subjects, partners, regulators and the broader public. - **Governance and management** — embedding data-security and PI-protection responsibility into organizational governance, culture, and decision-making. - **Transparency and disclosure** — communicating data practices and accepting accountability. - **Continuous improvement** — review, stakeholder engagement and ongoing enhancement of responsible data practices. > *Editor: verify specific clauses against the published standard.* ## How it fits the regime GB/T 46071 sits alongside the binding obligations of the **DSL** and **PIPL** and reframes them through a social-responsibility lens. Where most standards in the series specify *controls*, this one provides a *governance and responsibility* framework — encouraging organizations to treat data security and personal-information protection not merely as compliance obligations but as commitments to data subjects and society. It complements PIPL's accountability and reporting expectations (including the large-platform reporting duty of Article 58) and the DSL's data-security management duties, and aligns conceptually with the platform and audit standards. For overseas compliance teams, it is a useful reference for ESG/responsibility reporting and for demonstrating a mature, accountable data-governance posture in China, though it does not create technical control requirements of its own. --- ## Implementing Rules for the Credit-Compliance Certification and Assessment of Pharmaceutical-Data Supplier Entities (Shenzhen Data Exchange — Draft / Redline) - Chinese title: 医药数据供方主体信用合规认证评估实施细则(深圳数据交易所·征求意见/红线稿) - Abbreviation: Pharma-Data Supplier Credit-Compliance Rules (Draft) - Hierarchy: draft - Issuing body: Shenzhen Data Exchange (深圳数据交易所) - Status: draft - URL: https://datacompliancechina.com/laws/pharma-data-supplier-credit-compliance-rules-draft/ - Markdown: https://datacompliancechina.com/laws/pharma-data-supplier-credit-compliance-rules-draft.md ### Summary A DRAFT, self-regulatory certification rule from the Shenzhen Data Exchange (深圳数据交易所) — not a government regulation. The Exchange runs a 'supplier-entity credit-compliance certification' programme for participants in the data-element market; this instrument is the medical/health-data-specific implementing rule that sits beneath the Exchange's general certification guidance (《数据要素市场供方主体信用合规认证评估指引(通用)》). It applies to healthcare institutions seeking certification before they may supply medical-health data on the Exchange, and may be applied by reference by other entities that handle medical-health data. The rule layers medical-sector-specific requirements on top of the general guidance across three certification grades (A / AA / AAA): entity qualifications; a data-management-system build-out (governance, classification-grading into core/important/general data, physical and cryptographic security, storage and backup, monitoring and incident response, MLPS); and data-business compliance covering lawful sourcing, lawful internal processing (including dedicated EMR, medical-device, medical-insurance, clinical-trial, human-genetic-resources, and statistics rules), and lawful external circulation including cross-border transfer. The version translated below is the clean current text of a tracked-changes ('redline') V3 draft; each requirement carries a footnote citing the underlying Chinese law or rule. Because it is an Exchange certification standard rather than a binding legal instrument, it is a practical map of how the Shenzhen Data Exchange operationalizes China's health-data compliance regime for market participants, not a source of independent legal obligation. ### Full text > *Editor's note — this is a DRAFT industry rule, not a government regulation.* This instrument is an **implementing rule for a credit-compliance certification programme operated by the Shenzhen Data Exchange (深圳数据交易所有限公司)**, a data exchange — not a law, administrative regulation, or departmental rule issued by a Chinese state organ. The source document is a **tracked-changes ("redline") V3 draft**; the translation below renders the **clean current text** of that draft and omits the redline markup. The rule's force, if adopted, is contractual/self-regulatory: it sets the conditions a data supplier must satisfy to obtain the Exchange's A/AA/AAA credit-compliance certification before supplying medical-health data on the Exchange. Every substantive requirement in the source carries a footnote citing the underlying Chinese law or rule from which it is derived; those citations are preserved in summary form in the *Source-citation map* at the end. Read this as a window into how an exchange packages China's health-data compliance regime into a certification checklist — **not** as an independent legal authority. --- ## [Purpose] In order to advance the credit-compliance certification work of Shenzhen Data Exchange Co., Ltd. (the "Exchange"), to protect citizens' personal-information rights and interests and national data security, and to promote the compliant and high-quality development of the medical-health data-element market, these Implementing Rules are formulated in accordance with relevant national laws and regulations, the *Measures for the Administration of Data-Transaction Credit of Shenzhen Data Exchange Co., Ltd. (Trial)* and the *Guidelines for the Credit-Compliance Certification and Assessment of Supplier Entities in the Data-Element Market (General)* (the "General Certification Guidelines"), and in light of the Exchange's actual circumstances. ## [Scope of application] These Implementing Rules apply to healthcare institutions that apply to the Exchange for entity credit-compliance certification. Other entities that process medical-health data (such as enterprises, public institutions, and research institutions) may apply them by reference. "Healthcare institutions" as used in these Implementing Rules means primary-level healthcare institutions, hospitals, and specialized public-health institutions, among others. "Medical-health data" as used in these Implementing Rules means health-and-medical-related data generated in the course of disease prevention and treatment, health management, and the like. --- ## [Grade-A compliance standard] Where a certification object applies for Grade-A certification, in addition to satisfying the Grade-A compliance requirements set out in the General Certification Guidelines, it shall also satisfy the following requirements. ### Entity-qualification requirements Where the certification business scope for which the certification object applies requires approval, filing, or the obtaining of relevant qualifications, the certification object shall obtain them before applying and shall ensure that the approval, filing, or qualification remains within its validity period — including, but not limited to, the medical-institution practising licence, the drug-clinical-trial approval, the drug-clinical-trial-institution filing, and human-genetic-resources-related permits and filings. ### Entity data-management-system build-out 1. The certification object shall establish a network-security-and-informatization leadership group, headed by the certification object's principal person in charge, and shall hold at least one meeting per year on network security, data security, and personal-information protection to deploy key security work and implement the "top-leader" responsibility system. 2. The certification object shall establish a data-security management organizational structure in which the principal person in charge is the unit's first-responsible person for data-security and personal-information-protection management and the person in charge of the relevant business is the directly responsible person; shall define the management responsibilities of the competent department, operating department, informatization department, and using department of each network; and shall, by means of security responsibility undertakings and the like, regulate the rights and responsibilities of the data-management, business, and informatization departments across the full data-security-management lifecycle, establishing a data-security work responsibility system and implementing an accountability system. 3. The certification object shall establish and improve network-O&M-management and full-process medical-health-data-security-management systems (including a dedicated personal-information-protection management system), operating procedures, and technical specifications, and shall revise the management systems concerned at least once per year. 4. The certification object shall implement a classification-and-grading protection system for medical-health data, defining specific protection requirements at each stage for data of different categories and grades. The certification object shall regularly sort its healthcare-institution data and, in accordance with relevant law and the health-sector data classification-and-grading requirements, divide medical-health data into **core data, important data, and general data**. Where data of different categories and grades are processed simultaneously and protection measures cannot readily be applied separately, protection shall be implemented to the requirements of the highest grade among them. Derivative data produced from medical-health data through processing activities such as de-identification, labelling, statistics, and aggregation/fusion shall be re-assessed and re-graded on the basis of the grading of the original data. After the grade of medical-health data is determined, where any of the following occurs — (1) the content of the medical-health data changes substantially, or (2) the content is unchanged but the data scale, timeliness, application scenario, or processing method of the healthcare institution changes substantially, or other circumstances requiring a grade change arise — the grade of the healthcare-institution data shall be changed promptly. 5. The certification object shall strengthen physical-security protection, improving security controls for equipment rooms, the office environment, and O&M sites to prevent information leakage caused by unauthorized access to the physical environment. It shall strengthen remote-O&M management; where remote O&M over the Internet is genuinely required for business, it shall conduct assessment and feasibility analysis and adopt corresponding security-control measures to prevent security incidents arising from the exposure of remote ports. 6. The certification object shall, in accordance with the *Cryptography Law* and related laws, regulations, and cryptography-application standards, plan, build, and operate cryptographic-protection measures simultaneously with network construction, and use cryptographic products and services that meet the relevant requirements. 7. The certification object shall establish network-security-management systems for the procurement, installation and commissioning, operation and use, maintenance and repair, and scrapping and disposal of medical equipment; implement security management over design, construction, operation, maintenance, and other services; procure secure network products and services; regularly inspect or assess the network security of medical equipment; and adopt corresponding security-control measures. 8. The certification object shall implement graded storage of medical-health data; in accordance with relevant laws, regulations, and standards, select an appropriate data-storage architecture and medium and store data **within the territory** of China; and adopt measures such as backup and encryption to strengthen storage security. Where data are stored in the cloud, the potential security risks shall be assessed. The data-storage period shall not exceed the retention period determined by the data-use rules. 9. The certification object shall possess data-storage, disaster-recovery-backup, and management conditions that meet the relevant national requirements; establish a reliable disaster-recovery-backup mechanism for medical-health information; and conduct regular backup and recovery testing to ensure that data can be recovered timely, completely, and accurately, achieving long-term preservation and archival management of historical data. 10. The certification object shall conduct security management of decommissioned networks, perform risk assessment on the related equipment, and promptly seal or destroy it; when destroying data, it shall use a destruction method that ensures the data cannot be restored, paying particular attention to data-residue risk and data-backup risk. 11. The certification object shall establish a monitoring-early-warning and emergency-response mechanism, promptly obtain vulnerability information, and adopt measures such as upgrade patches, configuration updates, and system hardening to guard against risk. The certification object shall, relying on the national network-security information-notification mechanism, strengthen the build-out of network-security notification and early-warning capabilities, formulate network-security and data-security emergency response plans, and conduct drills regularly. Where a health administrative department finds that data processing presents significant risk or that an incident has occurred and urges the certification object to handle and rectify it promptly, the certification object shall promptly rectify and reinforce against the notified vulnerabilities and hazards, and cooperate with the cyberspace-administration and public-security organs in conducting verification and investigation. The certification object shall promptly report, to the risk-information reporting-and-sharing mechanism established by the National Health Commission, hazards that may cause core- or important-data security incidents. Where an incident occurs, the certification object shall handle it promptly; where core or important data are involved, it shall report promptly; and after handling is completed, it shall produce a summary report, notify users as prescribed, and report to the competent department. 12. A certification object that has a Level-2-or-above network shall designate the functional department responsible for network-security-management work, define the posts bearing security-supervisor and security-administrator responsibilities, establish a network-security-management system framework, strengthen network-security protection, and reinforce emergency response. 13. The certification object shall strengthen business-continuity management and continuously monitor network-operation status. For Level-3-and-above networks, it shall strengthen redundant backup of key links and key equipment. 14. The certification object shall conduct annual security self-inspection in various forms — including document verification, vulnerability scanning, and penetration testing — and report the self-inspection and rectification status to the higher-level health administrative department as required. 15. The certification object shall build a data-security-management personnel team and conduct regular security education and training to raise the security awareness and capability of all staff. 16. The certification object shall strictly manage the routine processing of data and personal information, define operating permissions, regularly conduct security-risk assessment, promptly rectify risk issues, and submit risk-assessment reports. 17. Where the certification object conducts Internet diagnosis-and-treatment activities, it shall establish and improve the relevant management systems and service processes, possess equipment and facilities, information systems, technical personnel, and an information-security system meeting Internet-technology requirements, and implement **Level-3 information-security multi-level protection**. The certification object shall ensure that Internet diagnosis-and-treatment activities are traceable and leave a full audit trail, and shall open data interfaces to the regulator. 18. Where the certification object constitutes a critical-information-infrastructure operator, it shall formulate a critical-information-infrastructure security-protection plan, establish and improve data-security and personal-information-protection systems, conduct security background checks on the person in charge of the security-management body and personnel in key posts, and strengthen the management of personnel involved in network operation. 19. Where the certification object applies new technologies such as big data, artificial intelligence, and blockchain to conduct services, it shall, before going live, assess the security risks of the new technology and implement security controls to achieve a balance between application and security. Where the use of new technologies such as artificial intelligence involves personal information such as medical records, security must be ensured. 20. The certification object shall manage and use medical-health data involving state secrets in accordance with the relevant national confidentiality provisions, having established a management-and-use system for medical-health data involving state secrets, with strict management over the production, review, registration, copying, transmission, and destruction stages. ### Entity data-business compliance #### Data compliance within the certification business scope ##### Lawful sourcing a. Where the certification object collects medical-health data through diagnosis-and-treatment activities, it shall comply with the relevant requirements of the General Certification Guidelines. b. Where the certification object collects medical-health data through clinical-trial activities, it shall satisfy the relevant requirements of the General Certification Guidelines and, in accordance with the *Personal Information Protection Law*, the *Good Clinical Practice for Drugs*, the *Good Clinical Practice for Medical Devices*, and the like, and the ethical requirements and principles of the Declaration of Helsinki and the like, pass ethics review and obtain the informed consent of subjects for the drug clinical trial. Such informed consent shall include (1) consent to the clinical-trial activity and (2) where medical-health data are to be re-used, consent to the secondary use of the medical-health data. Where the certification object uses human-genetic-resources materials to generate data and other information, it shall ensure that its collection and preservation of human genetic resources meet the relevant legal and regulatory requirements: 1. Collecting important genetic families of China, human genetic resources of specific regions, or human genetic resources of the types and quantities prescribed by the health authority of the State Council shall require the approval of the health authority of the State Council. 2. Collecting human genetic resources of China shall require informing the provider in advance of the purpose and use of the collection, the possible health impact, the personal-privacy-protection measures, and the provider's right to participate voluntarily and to withdraw unconditionally at any time, and obtaining the provider's written consent. 3. Preserving human genetic resources of China and providing a basic platform for scientific research shall require the approval of the health authority of the State Council; strengthening the management and monitoring of the preserved human genetic resources; adopting security measures and formulating emergency plans to ensure the safety of preservation and use; completely recording the preservation status; properly retaining the source and use information; ensuring lawful use; and submitting an annual report on the preservation of human genetic resources to the health authority of the State Council. c. Where the certification object collects medical-health data generated in the course of operations management, it shall comply with the relevant requirements of the General Certification Guidelines. d. Where the certification object obtains medical-health data through a third party, it shall comply with the relevant requirements of the General Certification Guidelines, conduct a review of the lawfulness of the data source, and be able to prove that the third party's collection, use, and provision to the certification object, and the certification object's use, of the medical-health data already comply with the relevant legal and regulatory requirements. Where the data constitute electronic-medical-record information, the certification object shall verify the lawfulness, integrity, and security of the information source, and shall, by reference to internal management requirements, establish detailed receipt, storage, and use records to make the data flow traceable. The certification object shall sign a data-procurement agreement with the medical-health-data provider, stipulating the rights and obligations of both parties with respect to source lawfulness and the like. ##### Lawful internal processing **a. General rules** a) The certification object shall conduct data collection, storage, transmission, processing, use, exchange, destruction, and other full-lifecycle data activities **within the territory** of China. b) The certification object shall establish strict electronic real-name authentication and data-access control, set data-processing permissions according to post responsibilities under the principle of least authorization, and adjust permissions promptly when personnel change. The certification object shall standardize trace management of the access, use, and destruction of medical-health data, strengthen log retention and management, and ensure that any data-leakage incident or risk can be traced to the responsible unit and responsible person. c) The certification object shall, at each stage of the full data lifecycle, comprehensively apply technical means such as encryption, authentication, attestation, de-identification, anonymization/de-labelling, digital watermarking, verification, and auditing. d) The certification object shall establish and improve a data-use application-and-approval process, following the principle of "whoever is in charge reviews," adhering to prior application and approval, in-process supervision, and after-the-fact review, and strictly implementing the procedure of business-department consent, leadership approval, and IT-department support and execution. Each using department and user shall use data strictly in accordance with the purpose and scope stated in the application and shall be responsible for data security. e) Where the certification object entrusts or jointly processes data, it shall strictly review and approve, define the entrusted party's permissions and responsibilities, and supervise performance. Where cloud-computing services are used, it shall select a service provider that has passed security assessment and comply with the relevant regulatory requirements for processing medical-health data. f) The certification object shall agree in writing on the obligations and responsibilities of, and implement accountability for, units engaged in informatization construction and O&M, medical-equipment manufacturing and operation, and the like. g) Where data are transferred or destroyed due to merger, division, dissolution, bankruptcy, or the like, security measures shall be adopted and the disposal plan reported in advance to the local health administrative department. Where the data catalogue changes, it shall be reported promptly. h) The certification object and its personnel shall not engage in the following acts: (I) unlawfully collecting, collecting beyond scope, or stealing data; (II) unlawful storage — failing to store important data within the territory, or failing to adopt measures such as backup and encryption; (III) unlawful transmission — transmitting core, important, or sensitive data via email, network disks, social-media software, and the like; (IV) unlawfully providing data overseas — failing to declare an outbound assessment as prescribed; (V) ultra-vires use, tampering with or deleting logs, or unsupervised remote O&M; (VI) processing data without authorization, or subcontracting/sub-letting projects without authorization; (VII) providing externally or disclosing undisclosed data without approval; (VIII) arbitrarily disclosing data, or disclosing it despite significant impact; (IX) failing to thoroughly erase data when equipment is scrapped or repurposed; (X) concealing data-security incidents or failing to report and handle them as prescribed. i) Where the certification object processes important data, it shall fulfil the following requirements: i. After identifying important data, the certification object shall report to the local health administrative department; the reported content shall include, but not be limited to, the source, category, grade, scale, processing purpose and method, responsible entity, cross-border transmission, and security-protection measures of the healthcare-institution data — but not the content of the healthcare-institution data itself. ii. It shall define the data-security person in charge and management body, implement protection responsibilities, conduct risk assessment annually, and submit the report to the health administrative department at or above the provincial level, which shall promptly notify the cyberspace-administration and public-security organs at the same level. Except for the performance of statutory duties or obligations, risk assessment shall be conducted before providing, entrusting the processing of, or jointly processing important data. Where the certification object provides important data to, or entrusts its processing to, another data processor, it shall stipulate by contract the processing purpose, method, scope, and security-protection obligations, and supervise the receiving party's performance. iii. The processing of important data shall record security logs; where security-incident handling and tracing are involved, logs shall be retained for not less than one year; where provision, entrustment, or joint processing is involved, for not less than three years. iv. The storage and processing of important data shall implement Level-3-and-above network-security multi-level protection. The storage and processing of core data shall, where critical information infrastructure is involved, implement critical-information-infrastructure security-protection requirements; where it is not involved, implement Level-4 multi-level protection. Where the data content changes substantially and the grade must change, re-grading and re-filing shall be done promptly. Where laws and regulations require the use of commercial cryptography, those provisions shall prevail. j) Where the certification object processes core data, it shall fulfil the following requirements: i. The provision, transfer, or sharing of core data across legal-person entities shall adopt security-protection measures; where the annual cumulative amount may reach 30% or more of the static total of the preceding year, it shall be reported to the National Health Commission for organization of a risk assessment by the relevant departments. The lawful performance of duties by state organs and internal circulation are excepted. ii. The processing of core data shall, on top of important-data protection, also: (I) give priority to commercial-cryptography protection; (II) give priority to secure and trustworthy products and services; (III) give priority to entrusting third-party assessment institutions to conduct risk assessment; (IV) retain the relevant logs for not less than three years; and (V) submit personnel in key posts and the units that build and operate-and-maintain core-data systems for national-security background review. k) Where the certification object processes personal information, the healthcare institution shall, in accordance with the *Administrative Measures for Personal-Information-Protection Compliance Audits*, conduct compliance audits regularly, either itself or by entrusting a professional institution. Where the certification object entrusts the processing of personal information, it shall conduct a personal-information-protection impact assessment in advance, sign an entrustment-and-confidentiality agreement defining the scope, purpose, period, method, types of information, protection measures, and rights and obligations, and supervise performance. The entrusted party shall not process beyond what is agreed; upon termination of the contract it shall return or delete the information and shall not sub-entrust without authorization. The entrusted party shall conduct pre-post training and pre-departure review. The certification object and its personnel shall not engage in the following acts: (I) unlawfully processing, illegally trading, or disseminating personal information so as to endanger national security or the public interest; (II) unlawful collection by means of misleading, fraud, coercion, and the like; (III) collecting beyond scope or excessively — for example, where a website or App operated by the healthcare institution collects location and other personal information beyond scope; (IV) ultra-vires retrieval — for example, where the failure to adopt effective identity-verification means allows unrelated, unauthorized persons to query others' medical records — failing to manage permissions dynamically, failing to implement protection of special groups, or failing to make operations traceable; (V) unlawfully providing information without consent, or beyond the statutory necessary scope; (VI) unlawful disclosure — failing to de-identify displays in public areas, disclosing in public scenarios without consent, or leaking via social-media software, photographs, screenshots, and the like (for example, where the healthcare institution publicly discloses imaging pictures, textual descriptions, and other information containing patients' personal information without patient consent); (VII) unlawfully providing information overseas without obtaining separate consent or fulfilling notification obligations; (VIII) abusing facial recognition — compelling the use of the face as the sole verification method, or transmitting facial information in violation of regulations. **b. Special rules** a) Where the certification object processes medical-health data collected through diagnosis-and-treatment activities: **i. Where the medical-health data processed is electronic-medical-record (EMR) information**, the certification object shall additionally meet the following requirements: 1. Establish a graded-management system for the EMR information system, with standardized workflows for the creation, recording, modification, preservation, and transmission of EMRs and a defined scope of use-and-management permissions. Establish a long-term oversight mechanism for EMR-information use, preventing and promptly handling the unreasonable retrieval, use, and forwarding of EMR information, so as to ensure that EMR-information use is lawful, compliant, secure, and controllable. Establish an emergency-handling system and a sound handling process for EMR-information-leakage scenarios. 2. According to the importance, sensitivity grade, and use scenario of the EMR information, strictly implement graded and classified access control and permission management. Following the principle of minimum availability, define graded access permissions and time limits for clinical-diagnosis-and-treatment, teaching, management, and other relevant personnel according to post responsibilities, role tasks, and use needs, and strictly prohibit the unauthorized consultation, copying, dissemination, or tampering of medical-record information. When public-opinion events relating to medical treatment occur, immediately seal the relevant information of the persons involved; unrelated persons shall not access, browse, record, or forward it. 3. Provide EMR-system operators with proprietary identity identifiers and identification means, and set corresponding permissions. Make clear that operators are responsible for the use of their own identity identifiers and shall not, in violation of regulations, collect, use, transmit, divulge, or trade patients' medical-record information, or disseminate it via network channels. 4. Sign strict confidentiality and authorization agreements with external service providers that provide information-system maintenance, data-analysis, and similar services, defining the scope, purpose, and period of their access to the EMR system, and subjecting them to the medical institution's supervision during service to ensure data security. 5. Ensure that the EMR system's records of each operation, operation time, and operator are queryable and traceable. Support technical means such as digital watermarking to ensure a trail is left during use. When sharing EMR information, the certification object shall have a strict authorization mechanism and approval process to ensure information security and tamper-resistance. 6. Establish an EMR-information security-protection system, conduct regular security assessments, and promptly issue alerts and notify higher-level managers of abnormal access or unauthorized operations, so as to effectively guard against potential security risks. 7. Outpatient/emergency medical records shall be retained for not less than 15 years from the patient's last visit; inpatient medical records shall be retained for not less than 30 years from the patient's last discharge. **ii. Where the medical-health data processed is data generated in the course of using medical devices**, the certification object shall additionally meet the following requirements: 1. Purchase medical devices from qualified medical-device manufacturers and operators; obtain and verify the supplier's qualifications, medical-device registration certificate or filing voucher, and other supporting documents; conduct acceptance in accordance with the relevant provisions; and record and retain the inspection-on-receipt status. 2. Have storage premises and conditions commensurate with the variety and quantity of medical devices in use; staff a medical-device quality-management body or quality-management personnel commensurate with its scale as required by law; establish a use-quality-management system covering the whole quality-management process; strengthen the technical training of staff; and use medical devices in accordance with product manuals and technical operating specifications. 3. Establish a pre-use quality-inspection system and a maintenance-and-repair management system for medical devices. Establish use records for implantable and interventional medical devices. For large medical devices with a long service life, establish a use archive for each unit, recording its use and maintenance, with a retention period of not less than five years after the expiry of the prescribed service life or five years after the termination of use. 4. Actively assist medical-device manufacturers in investigating and assessing defective products, proactively cooperate with manufacturers in fulfilling recall obligations, and promptly convey and feed back recall information according to the recall plan so as to control and retrieve defective products. Where the certification unit discovers that a medical device it uses may be a defective product, immediately suspend the sale or use of that device, promptly notify the manufacturer or supplier, and report to the food-and-drug administration and health administrative department of the province, autonomous region, or municipality where it is located. 5. Where the certification object configures large medical equipment, it shall conform to the large-medical-equipment configuration plan formulated by the health authority of the State Council, be commensurate with its functional positioning and clinical-service needs, possess the corresponding technical conditions, supporting facilities, and qualified professional technical personnel, and be approved by the health authority of the people's government at or above the provincial level and obtain a large-medical-equipment configuration licence. The certification object shall, in accordance with national laws and regulations, establish and improve information-security safeguard measures for the use of large medical equipment to ensure the operational security of the relevant information systems and the security of medical data. **iii. Where the medical-health data processed is data transmitted to the medical-insurance information system**, the certification object shall safeguard the security of the medical-insurance-related information system, comply with the relevant data-security systems, and protect the privacy of insured persons. When reinstalling the information system, the certification object shall maintain effective docking of the technical-interface standards with the medical-insurance information system, and shall promptly, comprehensively, and accurately transmit to the medical-insurance information system the data required for medical-insurance settlement and review as prescribed. b) Where the certification object processes medical-health data obtained through clinical-trial activities, it shall meet the following requirements: 1. The certification object's investigators shall ensure that all clinical-trial data are obtained from the source documents and trial records of the clinical trial and are accurate, complete, legible, and timely. Modifications to source data shall leave a trail, shall not obscure the original data, and shall record the reason for modification. For clinical trials with patients as subjects, the relevant medical records shall be entered into the outpatient or inpatient medical-record system. 2. The certification object shall have the conditions to establish clinical-trial electronic medical records; the corresponding computerized system shall have sound permission management and an audit trail, traceable to the creator or modifier of the record, so as to ensure that the collected source data can be traced. 3. Medical-health data used in clinical trials for drug-registration applications shall be retained for at least five years after the trial drug is approved for marketing; data for clinical trials not used for drug-registration applications shall be retained for at least five years after the termination of the clinical trial. Where the certification object utilizes or externally provides human genetic resources, it shall meet the following requirements: 1. Where the certification unit uses human genetic resources of China to conduct biotechnology research and development or clinical trials, it shall comply with the relevant laws, administrative regulations, and national provisions on biotechnology research and clinical-application management. 2. Where the certification unit and a foreign party use human genetic resources of China to conduct international-collaborative scientific research, the two parties shall jointly apply, subject to the approval of the health authority of the State Council. Where the purpose is solely to obtain marketing authorization for the relevant drug or medical device in China and no human-genetic-resources materials leave the country, the types, quantities, and uses of the human genetic resources to be used shall be filed with the health authority of the State Council before the clinical trial is conducted. 3. Where, in the course of using human genetic resources of China to conduct international-collaborative scientific research, major matters such as the collaborating party, research purpose, research content, or collaboration period change, change-approval procedures shall be handled. The certification unit and the two collaborating parties shall, within six months after the end of the international-collaboration activity, jointly submit a collaboration-research report to the health authority of the State Council. c) Where the certification object processes medical-health data generated in the course of operations management — in particular, drug and medical-consumable usage information: 1. The certification object shall establish and improve a management system for the information system, implement dedicated-personnel responsibility and encrypted management of statistical functions such as drug and medical-consumable usage in the information system, implement strict graded management and approval procedures for permissions to query drug and medical-consumable usage and similar information through the information system, set a trace function for queries of important and sensitive information in the information system, establish query logs, analyse them regularly, and promptly detect and handle abnormalities. 2. The certification object shall sign information-confidentiality agreements with the IT personnel and bodies that provide routine maintenance, upgrades, and replacement of the information system and that install new systems and equipment, and set reasonable access permissions. External IT personnel and bodies shall complete handover procedures after finishing work, ensuring that passwords, equipment, technical materials, and related sensitive information are handed over according to standardized procedures. 3. When the certification object provides drug and medical-consumable usage information to the administrative department or its authorized industry organization, and applies the relevant information in routine management, it shall strictly implement the relevant work systems to ensure information security at every stage. #### Compliance of external circulation of medical-health data within the certification business scope External circulation of medical-health data shall comply with the relevant requirements of the General Certification Guidelines; where the following scenarios are involved, it shall additionally comply with the following requirements: (1) The certification object shall, when providing data externally, submit the matter to the internal data-use application-and-approval process as required, and supervise the receiving party's security responsibilities. The certification object shall assess the security risks that may arise when publishing or sharing data and adopt necessary security-prevention-and-control measures, and shall promptly report the external provision of data to the local health administrative department. The certification object shall regularly monitor sharing and invocation, audit operation logs, promptly detect and handle violations, and equip itself with authentication, authorization, threat-alerting, and similar measures. Where data reporting is involved, the party proposing the data report shall be responsible for interpreting the reporting requirements and determining the reporting scope and rules, so as to ensure that data reporting is secure and controllable. (2) The certification object shall, in accordance with the national provisions on the development and utilization of public-data resources, explore the establishment of a data-classification-grading authorized-operation mechanism, incorporate authorized operation into the leadership team's collective decision-making, define the authorization conditions, model, period, exit mechanism, and security responsibilities, and authorize qualified institutions to conduct development, operation, and services. (3) Where the certification object genuinely needs, for business reasons, to provide medical-health data overseas, it shall conduct a security assessment or review in accordance with the relevant laws, regulations, and requirements, and shall submit a national-security review for data-processing activities that affect or may affect national security, so as to prevent data-security incidents. (4) Where the certification object provides or makes available human-genetic-resources information to foreign organizations or individuals, or to institutions established or actually controlled by them, it shall not endanger China's public health, national security, or the social public interest; where it may affect China's public health, national security, or the social public interest, it shall undergo a security review organized by the health authority of the State Council. Such provision or making-available shall be filed with the health authority of the State Council and an information backup submitted. (5) The certification object shall strictly implement the *Provisions on Establishing Adverse Records of Commercial Bribery in the Field of Pharmaceutical Procurement and Sales*, and shall not, in any form, provide to pharmaceutical-marketing personnel, non-administrative departments, or industry organizations not authorized by the administrative department, the drug and medical-consumable usage information of individual medical personnel or departments, nor provide convenience for pharmaceutical-marketing personnel's statistics. The drug and medical-consumable usage information that the certification object provides to the administrative department or its authorized industry organization shall be information at the level of the institution as a unit. --- ## [Grade-AA compliance standard] Where a certification object applies for Grade-AA certification, it shall satisfy the Grade-AA compliance requirements set out in the General Certification Guidelines, together with the provisions of Article 3 of these Implementing Rules. ## [Grade-AAA compliance standard] After obtaining Grade A or Grade AA, a certification object that simultaneously meets the following conditions may apply to be certified as Grade AAA: - having cumulatively conducted on-Exchange medical-health-data transaction business at the Exchange XX times or more, involving XX or more (inclusive) data-transaction buyers; - having a cumulative total value of on-Exchange medical-health-data transactions at the Exchange exceeding RMB XXX0,000, involving XX or more (inclusive) data-transaction buyers; - having cumulatively listed XX medical-health data products in the Exchange's trading zone; - as of the certification-application date, the above conduct has been completed and no data-compliance-related complaint, dispute, litigation, or regulatory measure has arisen. *(The thresholds appear as placeholders "XX/XXX" in the draft source.)* These Implementing Rules shall be interpreted by the Compliance Department of the Exchange. These Implementing Rules shall take effect from the date of release. --- ## Source-citation map The draft attaches a footnote to nearly every requirement, citing the underlying Chinese law or rule. The instrument is, in effect, a consolidation of those authorities into a single certification standard. The principal sources cited include: - *Measures for Data Security and Personal Information Protection of Healthcare Institutions (Trial)* — the single most frequently cited authority (data-classification grading into core/important/general data; responsibility system; cross-border and core-data thresholds; PI prohibition list; facial-recognition limits; AI-and-medical-records security; compliance audits; log-retention periods). - *Measures for Cybersecurity Management of Healthcare Institutions* (governance, MLPS, monitoring/incident response, backup, business continuity). - *Measures for the Administration of Population Health Information (Trial)* (graded storage; domestic storage; disaster-recovery backup; state-secret data). - *Measures for the Administration of National Health and Medical Big Data Standards, Security and Services (Trial)* (cross-border security assessment; audit trails). - *Cybersecurity Law* / MLPS, and the *Cryptography Law* (cryptographic protection). - *Personal Information Protection Law* and the *Administrative Measures for Personal-Information-Protection Compliance Audits*. - *Regulation on the Administration of Human Genetic Resources* and its *Implementing Rules* (collection/preservation approval and consent; international-collaboration approval and filing; outbound provision of HGR information). - *Drug Administration Law*; *Good Clinical Practice for Drugs*; *Good Clinical Practice for Medical Devices* (clinical-trial data integrity, source-data traceability, retention). - *Regulation on the Supervision and Administration of Medical Devices (2024 Revision)*; *Administrative Measures for the Supervision of Medical-Device Use Quality*; *Administrative Measures for Medical-Device Recall*; *Measures for the Administration of the Configuration and Use of Large Medical Equipment (Trial)*. - *Provisions on Strengthening the Management of Prescription-Counting (统方) in Healthcare Institutions*; *Provisions on Establishing Adverse Records of Commercial Bribery in the Field of Pharmaceutical Procurement and Sales* (drug/consumable usage-information controls). - *Notice on Further Strengthening the Management of the Use of Electronic-Medical-Record Information in Medical Institutions*; *Provisions on the Administration of Medical Records of Medical Institutions* (EMR controls; record-retention periods). - *Administrative Measures for Internet Diagnosis and Treatment (Trial)*; *Technical Guide for the Construction of Telemedicine Information Systems (2014 Edition)* (Internet-diagnosis Level-3 protection; traceability). - *Measures for the Administration of Designated Medical-Insurance Management of Medical Institutions* (medical-insurance data transmission). - The *2026 Personal-Information-Protection Special-Action Announcement* of the CAC, MIIT, and Ministry of Public Security (excessive collection; ultra-vires retrieval; unlawful image disclosure). --- > *Reminder.* The above is a faithful translation of the **clean current text of a redline/draft** certification rule from the **Shenzhen Data Exchange**. It is an **industry self-regulatory certification standard, not a government regulation**, and placeholder thresholds ("XX/XXX") in the Grade-AAA section confirm its draft status. It is included here as a practical illustration of how a Chinese data exchange operationalizes the national health-data compliance regime into supplier-certification criteria; the binding obligations themselves arise from the underlying laws and rules listed in the source-citation map, several of which DCC covers as separate entries. --- ## Interim Measures for the Registration and Administration of Public Data Resources - Chinese title: 公共数据资源登记管理暂行办法 - Hierarchy: rule - Issuing body: National Development and Reform Commission (NDRC) and National Data Administration (NDA) - Adopted: 2025-01-08 - Effective: 2025-03-01 - Status: effective - URL: https://datacompliancechina.com/laws/public-data-registration-interim-measures/ - Markdown: https://datacompliancechina.com/laws/public-data-registration-interim-measures.md ### Summary The Interim Measures establish a nationally unified registration system for public data resources — data collections produced by Party and government organs and public institutions in the course of performing statutory duties or providing public services. Registration is mandatory for public data resources that fall within authorized-operation scope; voluntary registration is encouraged for other public data resources and for data products and services derived from them. The Measures set the registration procedure (application, acceptance, formal review, public announcement, code issuance), define four registration types (initial, change, correction, deregistration), establish a three-year validity period with renewal, and provide for graded supervision under NDA's overall administration. Effective March 1, 2025, with a five-year validity period. DCC translation; no official English version exists. ### Full text **Promulgated by:** National Development and Reform Commission (NDRC) and National Data Administration (NDA). **Document No.:** Fa Gai Shu Ju Gui [2025] No. 26 (发改数据规〔2025〕26号). **Issued January 8, 2025. Effective March 1, 2025. Five-year validity period.** --- > *DCC translation. No official English translation exists. Translated against [DCC's bilingual glossary](/glossary) for terminology consistency with PIPL, DSL, CSL, and related laws.* ## Chapter I General Provisions **Article 1.** These Measures are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, and other laws and regulations, and pursuant to the *Opinions of the CPC Central Committee and the State Council on Building a Fundamental Data System to Better Leverage the Role of Data as a Factor of Production* and the *Opinions of the General Office of the CPC Central Committee and the General Office of the State Council on Accelerating the Development and Utilization of Public Data Resources*, in order to promote the lawful, compliant, and efficient development and utilization of public data resources, build a nationally unified public data resource registration system, and standardize public data resource registration work. **Article 2.** These Measures apply to the registration of public data resources and to the supervision and administration thereof carried out within the territory of the People's Republic of China. **Article 3.** For the purpose of these Measures, the following terms have the following meanings: (I) "Public data resources" refers to data collections of utilization value that are generated by Party and government organs and public institutions at all levels in the course of performing their statutory duties or providing public services. (II) "Registrants" refers to entities that directly hold or administer public data resources in accordance with their job duties, as well as legal-person organizations that develop and operate public data resources within the scope of authorization in accordance with the law. (III) "Registration institutions" refers to public institutions established or designated by the national or local data administration authorities that provide public data resource registration services. (IV) "Registration platform" refers to an information system that supports the full lifecycle service and administration of public data resource registration. **Article 4.** Public data resource registration shall safeguard national security and the public interest, protect state secrets, trade secrets, personal privacy, and personal information rights and interests, and follow the principles of legality and compliance, openness and transparency, standardization, and security and efficiency. ## Chapter II Registration Requirements **Article 5.** Party and government organs and public institutions that directly hold or administer public data resources shall register public data resources that fall within the scope of authorized operation, and are encouraged to register public data resources that have not been included in the scope of authorized operation. Legal-person organizations authorized to engage in operating activities are encouraged to register the data products and services formed through the processing of authorized public data resources. Public utility enterprises in sectors such as water supply, gas supply, heating, electricity, and public transportation are encouraged to register the public data resources they directly hold or administer, and the products and services formed therefrom. **Article 6.** Registration institutions are responsible for implementing public data resource registration, executing the nationally unified registration administration requirements, and providing standardized and convenient registration services in accordance with administrative hierarchy and territorial principles. Registration institutions shall establish a sound responsibility mechanism for data resource registration administration, perform their data security protection obligations, strengthen the application of data security protection technologies, and properly safeguard registration information. For public data resource registration by central and state organs and their directly affiliated bodies, and by central enterprises, the National Data Administration shall designate its affiliated public institutions to handle the registration. **Article 7.** After business review, registrants shall submit registration applications via the registration platform, provide registration materials truthfully and accurately, and bear responsibility for the truthfulness, completeness, legality, and validity of the registration materials. Where multiple parties are involved, they may submit a joint registration application or, after reaching consensus, have a single party submit the application. Before applying for registration, registrants shall, on the premise of ensuring security, perform evidence preservation (存证) for public data resources, ensuring traceability of source and controllability of processing. ## Chapter III Registration Procedure **Article 8.** Public data resource registration shall be conducted through the procedures of application, acceptance, formal review, public announcement, and code issuance. **Article 9.** Types of public data resource registration applications mainly include initial registration, change registration, correction registration, and deregistration. (I) **Initial registration.** Registrants shall submit application materials in accordance with regulations, including registrant information, lawful and compliant sources of data, the situation of data resources, status of evidence preservation, information on products and services, application scenarios, and data security risk assessment. After conducting authorized operating activities and providing data resources or delivering data products and services, the registrant shall submit the initial registration application within 20 working days. For authorized operations conducted before the Measures take effect, registrants shall complete initial registration within 30 working days after the Measures take effect. (II) **Change registration.** Where there are significant updates or major changes to the data source, the situation of data resources, the products and services, or the status of evidence preservation, or where there are major changes to registrant information, the registrant shall promptly apply to the registration institution for change registration. (III) **Correction registration.** Where a registrant or interested party believes that information already registered contains errors, the party may apply for correction registration. Upon the registrant's written consent, or upon evidence proving that the registration information is indeed erroneous, the registration institution shall correct the relevant erroneous information. (IV) **Deregistration.** Under any of the following circumstances, the registrant shall apply for deregistration, and the registration institution shall complete deregistration within 10 working days from the date of acceptance: 1. The public data resources cannot be restored or have been lost; 2. The registrant relinquishes the relevant rights and interests, or the term of the rights has expired; 3. The registrant has been terminated due to dissolution, lawful revocation, declared bankruptcy, or other reasons; 4. Other circumstances stipulated by laws and regulations. **Article 10.** The registration institution shall accept the application within 3 working days from the date of receipt. Where application materials are incomplete or non-conforming, the registration institution shall inform the registrant in one go of the supplements required; the acceptance date shall be calculated from the date the supplemented application is resubmitted. Where acceptance is denied, the reasons shall be promptly explained to the registrant. **Article 11.** The registration institution shall conduct formal review of the content of the registration materials and complete the review within 20 working days from the date of acceptance. If review cannot be completed in time, the institution shall explain the reasons to the registrant. **Article 12.** Upon completion of formal review, the registration institution shall publicly announce the relevant registration information to society via the registration platform; the announcement period is 10 working days. The content of registration announcement mainly includes the registrant's name, type of registration, name of registered data, and a brief introduction of the data content. Where there is an objection to the announced information during the announcement period, the relevant party shall raise the objection under their real name and provide necessary evidence; the registration institution shall review the objection. If the objection is sustained, the registration shall be terminated. **Article 13.** Where no objection is raised within the announcement period, the registration institution shall issue a registration result inquiry code to the registrant in accordance with the unified coding specification formulated by the National Data Administration. ## Chapter IV Registration Administration **Article 14.** The National Data Administration shall strengthen the administration of public data resource registration, promote standardization of registration services, establish and improve the public data resource catalogue on the basis of registration information and the government data directory, and build the national public data resource registration platform — connected to provincial-level public data resource registration platforms — to promote interconnection of registration information. A nationally unified code shall be assigned to registration results across the country, supporting inquiry and sharing of registration information. Provincial-level data administration authorities shall strengthen integrated construction, take overall responsibility for the use and administration of the public data resource registration platform within their jurisdiction, and strengthen data sharing, application services, and security safeguards. **Article 15.** The validity period of registration results is, in principle, three years, calculated from the date of code issuance. For the registration of public data products and services within the scope of authorized operation, where the operation period under the authorization agreement does not exceed three years, the validity period of the registration result shall be the actual operation period. Upon expiration of the registration result validity period, the registrant may apply for renewal within 60 days prior to expiration in accordance with regulations. Each renewal period shall be no longer than three years, calculated from the day following the expiration of the previous validity period. Where the renewal is not applied for within the prescribed period, the registration institution shall deregister. **Article 16.** Registration institutions shall, in accordance with nationally unified registration requirements, optimize service processes and enhance the level of registration convenience services. **Article 17.** The National Data Administration shall, on an overall basis, conduct the construction of the registration standards system and the registration work evaluation mechanism. Provincial-level data administration authorities shall, on an overall basis, conduct evaluation of the service level of registration institutions within their jurisdiction. ## Chapter V Supervision and Administration **Article 18.** National public data resource registration work shall be subject to graded supervision and administration. The National Data Administration is responsible for national public data resource registration work. Provincial-level data administration authorities are responsible for public data resource registration work within their jurisdiction on an overall basis. Data administration authorities at all levels shall, in conjunction with relevant departments, conduct cross-departmental coordinated supervision. **Article 19.** Where a registration institution engages in any of the following acts during the registration process, the data administration authority shall take administrative measures, including a regulatory interview (约谈), on-site guidance, or revocation of the registration institution's qualification: (I) Conducting false registration; (II) Unauthorized tampering with or forgery of registration results; (III) Unauthorized disclosure of registration information or improper profit from registration information; (IV) Improper performance or refusal to perform duties; (V) Other violations of laws and regulations. **Article 20.** Where a registrant engages in any of the following acts, the registration institution shall, after verification, revoke the registration: (I) Concealment of facts, falsification, or provision of false registration materials; (II) Unauthorized tampering with or forgery of registration results; (III) Illegal use or improper profit from registration results; (IV) Other violations of laws and regulations. **Article 21.** Where a registration institution or registrant engages in conduct that violates relevant laws, it shall bear corresponding liability in accordance with the law; where a crime is constituted, criminal liability shall be pursued in accordance with the law. ## Chapter VI Supplementary Provisions **Article 22.** The data administration authority of each province, autonomous region, and municipality directly under the central government may formulate implementation rules in accordance with these Measures. **Article 23.** The National Data Administration is responsible for the interpretation of these Measures. **Article 24.** These Measures shall come into force on March 1, 2025, with a validity period of 5 years, and shall be revised and adjusted in due course as the situation warrants. --- ## Cybersecurity Standards Practice Guide — Personal Information Protection Compliance Audit Requirements - Chinese title: 网络安全标准实践指南 — 个人信息保护合规审计要求 - Abbreviation: TC260 PI Audit Guide - Hierarchy: standard - Issuing body: National Information Security Standardization Technical Committee (TC260) - Status: effective - URL: https://datacompliancechina.com/laws/tc260-pi-audit-practice-guide/ - Markdown: https://datacompliancechina.com/laws/tc260-pi-audit-practice-guide.md ### Summary This TC260 practice guide sets out requirements for conducting the personal-information-protection compliance audit that PIPL Article 54 requires handlers to perform periodically. It provides an audit framework — the matters to examine across a handler's personal-information processing against PIPL obligations — to support both self-audits and audits commissioned to professional bodies under the Administrative Measures for Personal Information Protection Compliance Audits. It is advisory practice guidance, not a mandatory standard. ### Full text > *DCC summary, not a translation.* TC260 practice guides are copyright-protected and the Secretariat prohibits unauthorized translation. The structured summary below is DCC's own paraphrase grounded in the guide's title and the underlying audit regime; specific clauses should be checked against the published guide. ## Scope This practice guide provides **requirements and a reference framework for the personal-information-protection compliance audit** — the periodic audit of whether a handler's personal-information processing complies with laws and administrative regulations. It is intended to support handlers conducting **internal self-audits** and professional bodies conducting **entrusted audits**, by enumerating the audit matters and expectations across the personal-information lifecycle. It is a **practice guide** issued by the TC260 Secretariat — advisory, not a mandatory standard. ## Key contents At a structural level the guide is expected to cover: - **Audit objectives and principles** — independence, objectivity and full coverage of personal-information processing activities. - **Audit scope and matters** — the obligations to be examined, mapped to PIPL: lawful basis and consent; notice and transparency; minimum necessity; sensitive-PI handling; automated decision-making; entrusted processing and sharing; cross-border transfer; data-subject rights; security measures; impact assessments; and governance (responsible person, incident response, recordkeeping). - **Audit method and evidence** — how to plan, gather evidence, test controls and document findings. - **Audit reporting** — the content and form of the audit report and follow-up on rectification. > *Editor: verify specific clauses against the published guide.* ## How it fits the regime The guide operationalizes the **compliance-audit duty** in **PIPL Article 54**, which requires personal-information handlers to periodically audit their compliance with laws and administrative regulations, and **Article 64**, under which regulators may require an audit where processing poses significant risk or an incident occurs. The **Administrative Measures for Personal Information Protection Compliance Audits** flesh out when self-audits versus regulator-mandated audits apply, the cadence, and the use of professional auditing bodies. This practice guide supplies the **audit content and method** that those instruments assume — the checklist auditors work through. For overseas compliance teams, it is the reference for scoping and running a PIPL compliance audit (or preparing to be audited), and it complements the impact-assessment standard (GB/T 39335), GB/T 35273 and the sensitive-PI standards. --- ## Cybersecurity Standards Practice Guide — Personal Information Security Protection Requirements for Facial-Recognition Payment Scenarios - Chinese title: 网络安全标准实践指南 — 人脸识别支付场景个人信息安全保护要求 - Abbreviation: TC260 FRT Payment Guide - Hierarchy: standard - Issuing body: National Information Security Standardization Technical Committee (TC260) - Status: effective - URL: https://datacompliancechina.com/laws/tc260-frt-payment-pi-guide/ - Markdown: https://datacompliancechina.com/laws/tc260-frt-payment-pi-guide.md ### Summary This TC260 practice guide sets personal-information security protection requirements specific to facial-recognition payment (人脸识别支付) scenarios. It addresses how face data should be collected, verified, transmitted, stored and protected when facial recognition is used to authorize payments, with an emphasis on consent, the availability of non-facial alternatives, anti-spoofing and minimization. It is advisory practice guidance complementing the facial-recognition application rules and PIPL's sensitive-PI regime. ### Full text > *DCC summary, not a translation.* TC260 practice guides are copyright-protected and the Secretariat prohibits unauthorized translation. The structured summary below is DCC's own paraphrase grounded in the guide's title and the underlying regime; specific clauses should be checked against the published guide. ## Scope This practice guide provides **personal-information security protection requirements for facial-recognition payment scenarios** — the use of facial recognition to verify identity and authorize a payment. It applies to the parties operating such payment services (and their technology providers), and addresses the handling of facial (biometric) information across collection, verification, transmission, storage and deletion in this specific context. It is a **practice guide** issued by the TC260 Secretariat — advisory, not a mandatory standard. ## Key contents At a structural level the guide is expected to cover: - **Consent and notice** — obtaining the user's separate consent for facial-recognition payment, with clear notice of purpose and scope. - **Non-facial alternatives** — ensuring users retain a convenient alternative payment/verification method and are not compelled to use facial recognition. - **Minimization and purpose limitation** — collecting only the face data necessary for payment verification and not repurposing it. - **Security of face data** — anti-spoofing/liveness detection, encrypted transmission, protected (often tokenized) storage, strict access control, and secure deletion. - **Risk management and accountability** — impact assessment, logging, and allocation of responsibility among the parties. > *Editor: verify specific clauses against the published guide.* ## How it fits the regime Facial information is **sensitive personal information** under **PIPL Article 28**, and facial-recognition payment is one of the highest-stakes consumer uses of it. The guide operationalizes the heightened sensitive-PI duties — separate consent (Article 29), strict necessity and protection (Article 28), and impact assessment (Article 55) — in the payment setting. It complements the **Measures for the Administration of the Application of Facial Recognition Technology**, which require necessity, alternatives to facial recognition, and filing for large-scale use, and aligns with the facial-recognition judicial interpretation and the sensitive-PI identification and protection standards. For overseas compliance teams operating payment or identity-verification services in China that rely on face data, it is the scenario-specific reference for designing a compliant facial-recognition payment flow. --- ## Cybersecurity Standards Practice Guide — Personal Information Protection Requirements for QR-Code Ordering - Chinese title: 网络安全标准实践指南 — 扫码点餐个人信息保护要求 - Abbreviation: TC260 QR Ordering Guide - Hierarchy: standard - Issuing body: National Information Security Standardization Technical Committee (TC260) - Status: effective - URL: https://datacompliancechina.com/laws/tc260-qr-ordering-pi-guide/ - Markdown: https://datacompliancechina.com/laws/tc260-qr-ordering-pi-guide.md ### Summary This TC260 practice guide sets personal-information protection requirements for QR-code ordering (扫码点餐) in restaurants and similar settings — a response to the common practice of forcing customers to follow accounts, register, or hand over excessive personal information just to view a menu or order. It emphasizes minimum necessity, the availability of order-without-registration options, and no forced follows or over-collection. It is advisory practice guidance applying PIPL's minimum-necessity principle and the app necessary-PI rules to this everyday scenario. ### Full text > *DCC summary, not a translation.* TC260 practice guides are copyright-protected and the Secretariat prohibits unauthorized translation. The structured summary below is DCC's own paraphrase grounded in the guide's title and the underlying regime; specific clauses should be checked against the published guide. ## Scope This practice guide provides **personal-information protection requirements for QR-code ordering scenarios** — where customers scan a code to view a menu and place an order in restaurants, cafés and similar venues. It applies to the merchants and the mini-program / platform providers that operate such ordering services, and addresses what personal information may be collected and on what terms. It is a **practice guide** issued by the TC260 Secretariat — advisory, not a mandatory standard. It targets a well-known consumer grievance: being required to follow a public account, register a member account, or grant access to personal information merely to order food. ## Key contents At a structural level the guide is expected to cover: - **Minimum necessity** — collecting only the personal information genuinely needed to complete an order; ordering should not require registration or membership where it is not necessary. - **No forced following / registration** — customers should be able to view the menu and order without being compelled to follow an account or hand over identity information. - **Consent and transparency** — clear notice of what is collected and why; separate consent for anything sensitive or non-essential (e.g., marketing). - **Marketing and profiling limits** — no using the ordering interface to coerce consent for unrelated marketing or profiling. - **Security and deletion** — protecting and deleting the collected data appropriately. > *Editor: verify specific clauses against the published guide.* ## How it fits the regime The guide applies **PIPL's minimum-necessity principle** (Articles 5–6, which require processing to have a clear, reasonable purpose and to be limited to the minimum scope necessary) and its consent rules to a high-volume everyday scenario. It also draws on the logic of the **Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications**, which cap what apps may require for their core function, and on the broader campaign against forced, excessive and bundled collection in mobile services. For overseas compliance teams operating consumer-facing ordering or mini-program services in China, it is the scenario-specific reference for designing a compliant scan-to-order flow — order-first, register-only-if-needed — and it complements the app-collection rules, the notice-and-consent guide and GB/T 35273. --- ## Cybersecurity Standards Practice Guide — Implementation Guidelines for Network Data Security Risk Assessment - Chinese title: 网络安全标准实践指南 — 网络数据安全风险评估实施指引 - Abbreviation: TC260 Data Risk Assessment Guide - Hierarchy: standard - Issuing body: National Information Security Standardization Technical Committee (TC260) - Status: effective - URL: https://datacompliancechina.com/laws/tc260-data-security-risk-assessment-guide/ - Markdown: https://datacompliancechina.com/laws/tc260-data-security-risk-assessment-guide.md ### Summary This TC260 practice guide gives step-by-step implementation guidelines for conducting a network data security risk assessment. It walks organizations through preparing for, executing and reporting an assessment of data-security risks across the data lifecycle — identifying assets, threats, vulnerabilities and impacts and rating overall risk — in support of the assessment duties created by the Network Data Security Management Regulations. It is the practice-oriented companion to the GB/T 45577 risk-assessment method, and is advisory rather than mandatory. ### Full text > *DCC summary, not a translation.* TC260 practice guides are copyright-protected and the Secretariat prohibits unauthorized translation. The structured summary below is DCC's own paraphrase grounded in the guide's title and the underlying regime; specific clauses should be checked against the published guide. ## Scope This practice guide provides **implementation guidelines for carrying out a network data security risk assessment** — a procedural, hands-on walkthrough of how to plan, perform, and report an assessment of the security risks to network data across its lifecycle. It applies to data processors conducting such assessments (including those required to assess important-data processing) and to bodies assisting them. It is a **practice guide** issued by the TC260 Secretariat — advisory, not a mandatory standard, and is designed to be the procedural complement to the formal risk-assessment method standard. ## Key contents At a structural level the guide is expected to cover: - **Assessment preparation** — scoping, team and work-plan setup, and gathering of data inventories (informed by classification and grading). - **Asset and risk identification** — identifying data assets, threats, vulnerabilities, and the existing security measures across collection, storage, transmission, use, provision, disclosure and deletion. - **Risk analysis and rating** — analyzing likelihood and potential impact (to national security, public interest, organizations and individuals) and determining an overall risk level. - **Treatment and reporting** — recommending risk-treatment measures and producing the assessment report, including any matters to be reported to regulators. - **Templates and worked steps** — practical checklists and report formats to standardize execution. > *Editor: verify specific clauses against the published guide.* ## How it fits the regime The guide operationalizes the **risk-assessment duties of the Network Data Security Management Regulations** (effective 1 January 2025), which require processors of **important data** to conduct periodic data-security risk assessments and report the results, and which expect risk assessment around other significant processing activities. It gives organizations a concrete procedure to satisfy those duties. It is the practice-oriented companion to **GB/T 45577** (*Data Security Risk Assessment Method*), which supplies the formal method, and it relies on **GB/T 43697** (classification and grading) to identify which data is important or core. For overseas compliance teams whose Chinese operations process important data or operate at scale, it is the step-by-step reference for running and documenting a network-data-security risk assessment that regulators will recognize. --- ## Implementation Specifications for Authorized Operation of Public Data Resources (Trial) - Chinese title: 公共数据资源授权运营实施规范(试行) - Hierarchy: rule - Issuing body: National Development and Reform Commission (NDRC) and National Data Administration (NDA) - Adopted: 2025-01-08 - Effective: 2025-03-01 - Status: effective - URL: https://datacompliancechina.com/laws/public-data-authorized-operation-specifications/ - Markdown: https://datacompliancechina.com/laws/public-data-authorized-operation-specifications.md ### Summary Companion rule to the Public Data Registration Interim Measures (also NDRC + NDA, January 2025). The Specifications establish the framework for 'authorized operation' (授权运营) of public data resources — the mechanism by which governments at and above the county level, and national sectoral authorities, can authorize qualified operating institutions to develop and operationalize public data resources, deliver data products and services to the market, and share in the revenue. Covers implementing institutions, operating institutions, the implementation plan, the agreement, supervision, anti-monopoly and security duties. The Operating-institution authorization period is capped at five years. Effective March 1, 2025, with a five-year validity period. DCC translation; no official English version exists. ### Full text **Promulgated by:** National Development and Reform Commission (NDRC) and National Data Administration (NDA). **Document No.:** Fa Gai Shu Ju Gui [2025] No. 27 (发改数据规〔2025〕27号). **Issued January 8, 2025. Effective March 1, 2025. Five-year validity period.** --- > *DCC translation. No official English translation exists. Translated against [DCC's bilingual glossary](/glossary) for terminology consistency with PIPL, DSL, CSL, and related rules.* ## Chapter I General Provisions **Article 1.** These Specifications are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, and other laws and regulations, and pursuant to the *Opinions of the CPC Central Committee and the State Council on Building a More Complete Market-Based Allocation Mechanism for Factors of Production*, the *Opinions of the CPC Central Committee and the State Council on Building a Fundamental Data System to Better Leverage the Role of Data as a Factor of Production*, and the *Opinions of the General Office of the CPC Central Committee and the General Office of the State Council on Accelerating the Development and Utilization of Public Data Resources*, in order to advance the development and utilization of public data resources, standardize the authorized operation of public data resources, promote the cultivation of an integrated data market, and unlock the value of data as a factor of production. **Article 2.** These Specifications apply to public data resource authorized operation activities carried out within the territory of the People's Republic of China. **Article 3.** "Authorized operation" (授权运营) refers to the activity of authorizing qualified operating institutions, in accordance with laws, regulations, and relevant requirements, to govern and develop public data resources held by local people's governments at and above the county level or by national sectoral competent authorities, and to provide data products and technical services fairly to the market. "Implementing institutions" refers to entities, determined by local people's governments at and above the county level or by national sectoral competent authorities in conjunction with the authorization model, that are specifically responsible for organizing the conduct of authorized operation activities. "Operating institutions" refers to legal-person organizations that have obtained authorization through standardized procedures and that develop and operate public data resources within the scope of authorization. **Article 4.** Authorized operation of public data resources shall follow the principles of legality and compliance, fairness and impartiality, public-interest priority, reasonable returns, and security and controllability. ## Chapter II Basic Requirements **Article 5.** Local people's governments at and above the county level, and national sectoral competent authorities, may include lawfully held public data resources within the scope of authorized operation, provided that the requirements of the data classification and grading protection system are implemented and that national security, the public interest, trade secrets, personal privacy, and personal information rights and interests are not harmed. Where public data of other regions or departments — obtained through government data sharing — is to be used for authorized operation, the consent of the unit that provided the shared data shall be obtained. **Article 6.** In conducting authorized operation activities, administrative power or market-dominant position shall not be abused to exclude or restrict competition, and data, algorithms, technology, or capital advantages shall not be used to engage in monopolistic conduct. Operating institutions shall conduct business within the scope of authorization in accordance with laws and regulations, and shall not directly or indirectly participate in the further development of public data products and services already delivered within their authorized scope. Other operating entities are encouraged to further develop the public data products and services delivered by operating institutions, integrate multi-source data, enhance the value of data products and services, and contribute to a flourishing data-industry ecosystem. **Article 7.** The National Data Administration is responsible for the overall coordination and administration of national public data resource authorized operation work; it shall dynamically monitor the national authorized-operation situation and strengthen policy and operational guidance. Provincial-level data administration authorities shall play a comprehensive coordinating role, strengthen the integration of data resources, enhance data service capacity, fully leverage the scale-of-application effect of public data resources, and conduct supervision and administration of authorized operation work within their region. Data administration bodies of national sectoral competent authorities are responsible for advancing the authorized operation work of public data resources in their department and for guiding the sector to strengthen administration of sectoral data resources within the scope of authorized operation. ## Chapter III Plan Preparation **Article 8.** Data administration authorities of local people's governments at and above the county level, and data administration bodies of national sectoral competent authorities, shall take the lead in organizing or guiding the various implementing institutions in their region or department to prepare implementation plans for the authorized operation of public data resources. Implementation plans shall balance economic and social benefits and ensure feasibility of execution. **Article 9.** Implementation plans shall include the following content: (I) The name of the authorized operation; (II) Argumentation of the necessity and feasibility of the authorized operation; (III) Selection criteria for operating institutions, including capacity in funding, management, technology, service, and security; (IV) The authorization model — overall authorization, field-by-field authorization, or scenario-based authorization, etc.; (V) The scope of authorized-operation data resources, the data resource catalogue, data update frequency, and data-quality conditions; (VI) The authorized-operation period, construction content, technical safeguards, implementation schedule, evaluation standards, exit mechanism, asset administration, etc.; (VII) The list of proposed public data products and services, which shall include two major categories — supporting public governance and public welfare, and supporting industry development and sectoral development — as well as the expected form of products and services; (VIII) The cost and revenue accounting mechanism within the operating institution's authorized scope, and the revenue distribution mechanism; (IX) Data security, personal information protection measures, and emergency-response measures; (X) Rights and obligations of the implementing institution, operating institution, and other relevant participants; (XI) Supervision, administration, and performance-evaluation requirements for the authorized operation; (XII) Other matters that should be clarified. **Article 10.** Feasibility argumentation shall include, but not be limited to, full lifecycle management services for authorized-operation data, social demand, market scale, expected effectiveness, and risk control. **Article 11.** Implementation plans for authorized operation of public data resources shall be deliberated and approved in accordance with the "three majors and one large" (三重一大) decision-making mechanism requirements before implementation. Data administration authorities of local people's governments at and above the county level shall be responsible for, or shall assist in, submitting the implementation plan of their region to the people's government at the same level for deliberation. Data administration bodies of national sectoral competent authorities shall be responsible for, or shall assist in, submitting the implementation plan of their department to the ministerial executive meeting for deliberation. Implementation plans that have been deliberated and approved shall not, in principle, be arbitrarily changed; where major changes are genuinely required, they shall be re-submitted for deliberation and approval through the original process. Provincial-level data administration authorities and data administration bodies of national sectoral competent authorities shall properly conduct filing administration for the implementation plans of their region or department. ## Chapter IV Agreement Execution **Article 12.** Implementing institutions shall, in accordance with the deliberated and approved implementation plan, select operating institutions through fair-competition methods such as public bidding, invited bidding, or negotiation, as required by laws and regulations. The content of the bidding, procurement, and negotiation documents relating to the authorized-operation agreement shall fully solicit the opinions of relevant parties. Operating institutions shall possess the management and technical service capacity required for data resource processing and operation, shall have sound business and credit standing, and shall comply with the State's data security protection requirements. **Article 13.** The implementing institution shall, independently or together with the relevant business-competent department at the same level, enter into a public data resource authorized-operation agreement with the lawfully selected operating institution after deliberation and approval by the implementing institution's "three majors and one large" decision-making mechanism. Provincial-level data administration authorities and data administration bodies of national sectoral competent authorities shall properly conduct filing administration for the various authorized-operation agreements in their region or department, and strengthen dynamic monitoring of agreement performance. **Article 14.** The content of the public data resource authorized-operation agreement shall include: (I) The scope and data resource catalogue of the authorized-operation public data resources; (II) The operating period, which shall not exceed five years in principle; (III) The list of proposed public data products and services, and the technical standards, security review requirements, and business-compliance review requirements applicable to them; (IV) The technical support platform for the public data resource authorized-operation work; (V) Asset ownership, including ownership of software and hardware equipment and of public data products and services; (VI) Information-disclosure requirements regarding the authorized-operation work, and the requirement that the operating institution shall not directly or indirectly participate in further development; (VII) Accounting requirements for cost and revenue within the operating institution's authorized scope, and the revenue distribution mechanism; (VIII) Data security and personal information protection requirements, and risk monitoring and emergency-response measures; (IX) Operating-effectiveness evaluation, and renewal or exit mechanism; (X) Liability for breach of contract; (XI) Dispute resolution methods; (XII) Conditions for modification and termination of the agreement; (XIII) Other matters requiring clarification. ## Chapter V Operation and Implementation **Article 15.** Implementing institutions shall establish a sound, safe, and controllable development and utilization environment, make full use of existing information system resources, encourage integrated construction, support the application of safe and trusted circulation technologies such as privacy computing, and ensure that the development and utilization of data resources is manageable, controllable, and traceable. **Article 16.** Implementing institutions and operating institutions shall, respectively, register the public data resources, and the public data products and services, within the scope of authorized operation in accordance with the public data resource registration administration requirements. **Article 17.** Prices of public data products and services shall be implemented in accordance with the State's relevant pricing policies. **Article 18.** Implementing institutions shall publicly disclose the situation of authorized operation as required, regularly disclose to society the authorized subjects, content, scope, and term, and accept social supervision. **Article 19.** Operating institutions shall publicly disclose the list of public data products and services, regularly disclose to society the use of public data resources, and accept social supervision. **Article 20.** Authorized operation shall protect the lawful rights and interests of all participating parties. Implementing institutions and operating institutions are encouraged to support the data governance and service capacity construction of all regions and departments through technology, products and services, revenue, and other means, in a lawful and compliant manner. ## Chapter VI Operation Administration **Article 21.** Implementing institutions shall establish a sound administration system, strengthen data governance, enhance data quality, implement the requirements of the data classification and grading protection system, strengthen technical support and data security administration, strictly control the direct entry into the market of unpublished original public data resources, and strengthen internal control and audit of operating institutions with respect to authorized-operation activities. Operating institutions shall fulfill their primary responsibility for data security, strengthen internal control administration, technical administration, and personnel administration, shall not use public data resources beyond the scope of authorization, and shall strictly prevent data-security risks in the processing, operation, and service stages. Implementing institutions and operating institutions shall, through administrative and technical measures, strengthen the identification and control of risks arising from data association and aggregation, in order to safeguard data security. **Article 22.** Operating institutions shall strengthen internal administration of costs, revenue, and expenses related to public data products and services; financial revenue and expenditure related to public data products and services shall be administered in accordance with existing financial-administration systems and subject to supervision in accordance with the law. **Article 23.** In conducting public data resource authorized operation, the responsible action of cadres shall be encouraged and protected; an atmosphere of encouraging and tolerating innovation shall be fostered; at the same time, the abuse of data for private gain shall be resolutely prevented. In conducting authorized operation, safety risks arising from improper handling of the data-asset and data-asset-capitalization process shall be effectively identified and controlled, and financial risks shall be earnestly prevented and resolved. ## Chapter VII Supplementary Provisions **Article 24.** Data administration authorities of local people's governments at and above the county level, and data administration bodies of national sectoral competent authorities, may formulate implementation rules in accordance with these Specifications, in light of their actual circumstances. For authorized operations conducted before these Specifications take effect, the operations shall be progressively brought into conformity with these Specifications. Authorized operation activities newly conducted after these Specifications take effect shall be carried out in accordance with these Specifications. **Article 25.** Authorized operation of public data resources held by central Party-and-mass organs and by local Party committees at and above the county level shall be carried out with reference to these Specifications. The development and utilization of public data resources held by public utility enterprises in sectors such as water supply, gas supply, heating, electricity, and public transportation may be authorized for use with reference to the relevant procedural requirements of these Specifications, in order to safeguard the public interest and the lawful data rights and interests of enterprises, and to accept supervision by the government and society. **Article 26.** The National Data Administration is responsible for the interpretation of these Specifications. **Article 27.** These Specifications shall come into force on March 1, 2025, with a validity period of 5 years, and shall be revised and adjusted in due course as the situation warrants. --- ## Provisions on the Collection and Use of Personal Information by Internet Applications (Draft for Public Consultation) - Chinese title: 互联网应用程序个人信息收集使用规定(征求意见稿) - Abbreviation: App PI Collection and Use Provisions (Draft) - Hierarchy: draft - Issuing body: Cyberspace Administration of China (CAC) - Status: draft - URL: https://datacompliancechina.com/laws/app-pi-collection-use-provisions-draft/ - Markdown: https://datacompliancechina.com/laws/app-pi-collection-use-provisions-draft.md ### Summary A 39-article CAC draft, opened for comment on January 10, 2026, that consolidates app-privacy regulation into a single instrument covering four classes of actors for the first time: app operators, SDK operators, distribution platforms (app stores, mini-program and quick-app platforms), and smart-terminal/OS makers. It operationalizes minimum-necessary and notice-and-consent principles into granular, engineering-level rules — permission requests tied to the moment of use, scenario-based consent toggles, mandatory system-level storage-access frameworks in place of blanket storage permissions, on-device-only default storage for biometric identifiers, a 15-business-day account-cancellation deadline, and behavioral-audit duties for embedded SDKs. It also builds out platform-level gatekeeping: distribution platforms and terminal makers must vet operator identity before listing or preinstalling an app, refuse apps lacking a privacy policy or deletion/cancellation function, and post risk warnings on apps that regulators have publicly named for violations. For overseas counsel, this draft would sit alongside (and in several respects supersede in practice) the 2019 App PI Identification Method and the 2021 Necessary PI Scope Provisions, raising the bar on SDK due diligence, permission-timing UX, and cross-entity contractual allocation of responsibility across the app supply chain. ### Full text **Promulgated by:** Cyberspace Administration of China (CAC). **Status:** Draft for Public Consultation, released January 10, 2026. --- ## Chapter 1. General Provisions **Article 1.** These Provisions are formulated in accordance with the Cybersecurity Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Regulation on Network Data Security Management, and other laws and administrative regulations, in order to regulate the collection and use of personal information by Internet applications, protect personal information rights and interests, and promote the reasonable use of personal information. **Article 2.** These Provisions shall be observed by anyone who, in the course of operating an Internet application within the territory of the People's Republic of China, collects or uses personal information, and by software development kits, distribution platforms, smart terminals, and other parties that provide services supporting the collection and use of personal information for Internet applications. Where an Internet application collects or uses the personal information of natural persons within the territory of the People's Republic of China from outside the territory, and the circumstances fall within Article 3, paragraph 2 of the Personal Information Protection Law of the People's Republic of China, these Provisions shall apply. **Article 3.** The collection and use of personal information shall follow the principles of lawfulness, legitimacy, necessity, and good faith, and shall not be carried out by misleading, defrauding, or coercing individuals. The collection and use of personal information shall be preceded by full notice of the collection and use rules to the personal information subject, and the personal information subject's consent shall be obtained; where sensitive personal information is collected or used, the personal information subject's separate consent shall be obtained. Where laws or administrative regulations provide otherwise, such provisions shall prevail. The collection and use of personal information shall be carried out in the manner that has the least impact on the rights and interests of the personal information subject, shall be limited to what is necessary to provide the product or service, and shall not exceed the scope so required. An operator shall not refuse to provide a product or service on the ground that the personal information subject has declined to consent to, or has withdrawn consent to, the collection and use of personal information, except where the personal information concerned is necessary to provide the product or service. **Article 4.** Internet application operators and software development kit operators each bear primary responsibility for the collection, use, and security protection of personal information in connection with the Internet application or software development kit that they respectively operate. An Internet application operator shall perform its statutory review obligations with respect to embedded software development kits, a distribution platform operator with respect to the Internet applications it distributes, and a smart-terminal manufacturer with respect to the Internet applications it preinstalls. Where such review is not effectively carried out and harm results to the rights and interests of a personal information subject, the party responsible shall bear liability accordingly. **Article 5.** Internet application operators, software development kit operators, distribution platform operators, and smart-terminal manufacturers shall, with respect to personal information that becomes a state secret matter after aggregation or correlation, strengthen management in accordance with the State's relevant provisions on security and secrecy. Internet application operators, software development kit operators, distribution platform operators, and smart-terminal manufacturers shall not inspect the content of, or provide to any third party, personal information in their possession that constitutes a communication secret. Where laws or administrative regulations provide otherwise, such provisions shall prevail. **Article 6.** Industry organizations are encouraged to establish and improve self-regulatory mechanisms, formulate personal information protection industry codes and self-regulatory conventions, guide their members to carry out personal information collection and use activities in accordance with law, and accept public oversight. ## Chapter 2. Operational Security Management Requirements for Internet Applications **Article 7.** An Internet application that collects or uses personal information shall follow the principles of openness and transparency, formulate a public personal information collection and use rule, and, in clear and easily understood language, truthfully, accurately, and completely set out the following matters item by item: (1) the name of the operator, or the name of the natural person operator, and effective contact information; (2) in the form of a structured list, the purpose, method, and category of personal information collected and used by each functional service, the names and frequency of the permissions invoked, the necessity of collecting and using sensitive personal information, and the impact on user rights and interests; (3) where a software development kit is embedded, in the form of a structured list, the name (package name) and version of the embedded software development kit, its principal functions, the name of its operator or the name of the natural person operator, the categories of personal information it collects and uses, and a complete link to the software development kit's own personal information collection and use rule; (4) the retention period for personal information and how it will be handled upon expiry; where the retention period is difficult to determine, the method for determining it shall be specified; (5) the methods and channels by which a user may access, copy, transfer, correct, supplement, delete, or restrict the processing of personal information, and cancel an account or withdraw consent; and (6) other matters required to be disclosed by laws and administrative regulations. For the key content described in the preceding paragraph, the Internet application shall alert users through prominent means such as bold type, enlarged font, or distinct coloring. **Article 8.** Where the purpose, method, category, retention period (or the method for determining the retention period), permission names and frequency, or the personal information collection and use behavior of an embedded software development kit changes, the Internet application shall promptly revise and update its personal information collection and use rule. Where an Internet application with more than 50 million registered users, or more than 10 million monthly active users, and a complex business model revises or updates its personal information collection and use rule under the preceding paragraph, it shall concurrently solicit public comment through channels such as the application's home page, official website, or official account, for a comment period of not less than 7 working days. **Article 9.** An Internet application shall, upon first launch, notify the user of its personal information collection and use rule through a prominent means such as a pop-up window, and, on the premise that the user is fully informed, obtain a clear expression of the user's consent to the rule. Where an Internet application provides personal information to a third party, it shall obtain the user's separate consent. The Internet application shall provide a one-click access function for its personal information collection and use rule in a prominent location such as the settings page, for the user's convenience in reviewing and saving it. Where an Internet application updates its personal information collection and use rule under circumstances falling within Article 8, paragraph 1, it shall promptly notify users of the specific content of the update through prominent means such as a pop-up window or push notification, and re-obtain the user's consent. **Article 10.** An Internet application shall not, through the calendar, call-log, or SMS permission, collect or use the personal information of any personal information subject other than the user, except where genuinely necessary to fulfill purposes of maintaining communication, adding contacts, or data backup. Where the personal information collected or used under the preceding paragraph constitutes a communication secret, it shall comply with Article 5, paragraph 2 of these Provisions. **Article 11.** An Internet application shall provide configuration options for the collection and use of personal information based on functional scenarios, allowing the user, as needed, to consent to the collection and use of the relevant personal information for particular functional scenarios only. **Article 12.** An Internet application may request the necessary personal information permission corresponding to a given function only when the user is actually using that function, and shall concurrently notify the user of the purpose of use; it shall not request the permission in advance. Where the user declines, the Internet application shall not repeatedly request the permission in a manner that interferes with the user's normal use of other functions. **Article 13.** An Internet application shall not collect or use personal information before the user has consented to the personal information collection and use rule, and shall not collect or use personal information beyond the purpose, method, category, or retention period to which the user has consented. An Internet application's invocation of a permission must be directly related to the current functional scenario; it shall collect personal information only when the user is using the specific function, at the lowest frequency and narrowest scope necessary, and shall cease invoking the permission once the current functional scenario no longer requires it. It shall not collect unnecessary personal information or invoke unnecessary permissions. **Article 14.** An Internet application shall invoke the camera or microphone permission only when the user actively chooses to use a function such as taking photographs, sending voice messages, or recording audio or video, and shall not invoke the camera or microphone permission once the user has stopped using the relevant function or in scenarios unrelated to it. In scenarios that require real-time positioning, such as map navigation, route tracking, food or package delivery, and location sharing, the frequency of continuous invocation of the location permission shall be limited to the lowest frequency necessary to realize the business function; in scenarios that require only a single location fix, such as adding a location, content search, content recommendation, or advertising and marketing, the location permission shall be invoked only once, when the user enters the function interface or actively refreshes. Except where laws or administrative regulations provide otherwise, or the business function genuinely requires continuous access to location in the background, an Internet application shall not request the permission to access the user's location information in the background. Where a user chooses to use a function such as uploading or sending pictures or files, and the Internet application is able to achieve this using a storage access framework provided by the smart terminal, it shall not request the photo album, contacts, SMS, storage, or other such permission. Where an Internet application obtains the storage permission in order to provide a function such as file editing or file backup, it shall not access files other than those the user has actively chosen. **Article 15.** The collection of biometric information such as facial, fingerprint, or voiceprint information by an Internet application shall have a specific purpose and sufficient necessity, shall be carried out in the manner that has the least impact on the rights and interests of the individual, and shall be subject to strict protective measures. Except where laws or administrative regulations provide otherwise, or the user's separate consent has been obtained, an Internet application's collection and use of facial, fingerprint, voiceprint, or other such information shall be stored on the biometric device and shall not be transmitted externally over the Internet. Except where laws or administrative regulations provide otherwise, the retention period of biometric information shall not exceed the minimum time necessary to achieve the purpose of processing. **Article 16.** An Internet application operator shall adopt adequate management measures and necessary technical measures, strictly implement the requirements for protecting the personal information of minors, and take effective precautions against the leakage, tampering, or loss of minors' personal information. Where an Internet application collects or uses the personal information of a minor under the age of 14, it shall formulate a dedicated personal information collection and use rule and obtain the consent of the minor's parent or other guardian. **Article 17.** Where an Internet application pushes information or conducts commercial marketing to a user by means of automated decision-making, it shall provide an easy-to-understand option, convenient to access and operate, for turning off personalized recommendations. Where a user turns off the personalized recommendation function, the Internet application shall cease using the user's personal information for personalized recommendation purposes. **Article 18.** An Internet application shall provide users with a convenient function for canceling their account. Where a user cancels an account, the Internet application shall not require the user to newly provide personal information beyond what it has already collected — such as facial images or a photograph of the user holding an identity card — except where genuinely necessary for purposes such as guarding against fraud rings or security risk control. Where a user cancels an account, the Internet application shall complete the account cancellation within 15 working days and delete the personal information it has collected, or anonymize it, except where laws or administrative regulations provide otherwise. Where a single enterprise, or multiple Internet applications under the same corporate group, use a unified account for integrated management, the applications shall allow the user to choose to cancel the account for a single Internet application, or to choose to close that account's ability to use that particular Internet application and delete the personal information used solely for that Internet application. **Article 19.** An Internet application shall agree with each embedded software development kit on the purpose, method, and category of personal information collection and use, and on security-protection liability and liability for breach, and shall adopt effective technical measures to review the personal information collection and use behavior of the embedded software development kit, so as to ensure that the software development kit's actual collection of personal information and invocation of permissions is consistent with what is declared about that software development kit in the Internet application's personal information collection and use rule. Where a user's request to the Internet application to access, copy, correct, supplement, delete, or restrict the processing of personal information, or to cancel an account or withdraw consent, involves the personal information collection and use activity of a software development kit, the Internet application shall promptly notify the software development kit of the user's request and urge the software development kit to respond to it in a timely manner. **Article 20.** Where an Internet application optimizes or improves its personal information collection and use behavior and releases or updates a version accordingly, it shall take effective measures to remind users to upgrade, and shall update and replace the outdated version of the Internet application across all authorized release channels. **Article 21.** Internet applications are encouraged to connect to the national network identity authentication public service, so as to support users in registering and verifying their real identity information using a cyber ID (网号) or cyber credential (网证). Where a user chooses to register and verify identity information using a cyber ID or cyber credential and passes verification, the Internet application shall not compel the user to separately provide identity information in plaintext, except where laws or administrative regulations provide otherwise or the user consents to provide it. ## Chapter 3. Operational Security Management Requirements for Software Development Kits **Article 22.** A software development kit that collects or uses personal information shall formulate a personal information collection and use rule and make it public on the product's official website. Where multiple historical versions of the software development kit are operated concurrently, the software development kit shall set out the personal information collection and use behavior of each different version in its collection and use rule. Where the purpose, method, scope, or other aspect of a software development kit's collection and use of personal information changes, it shall update the corresponding personal information collection and use rule accordingly. **Article 23.** A software development kit shall not collect or use personal information beyond the scope declared in its collection and use rule, shall not collect or use personal information beyond the minimum scope necessary to realize its business functions, and shall not invoke permissions at a frequency exceeding the lowest frequency necessary to realize its business functions. **Article 24.** A software development kit shall provide function-based personal information configuration options, allowing the Internet application to manage and configure the software development kit's personal information collection behavior according to different functional needs. Where a software development kit pushes information or conducts commercial marketing to a user by means of automated decision-making, it shall provide the Internet application with an option to turn off personalized recommendations, and shall cease using the user's personal information for personalized recommendation purposes once turned off. A software development kit shall respond in a timely manner to user requests to access, copy, correct, supplement, delete, or restrict the processing of personal information that are notified to it by the Internet application. **Article 25.** A software development kit shall establish effective means and channels for directly responding to a user's request to access, copy, transfer, correct, supplement, delete, or restrict the processing of personal information, and such means and channels shall be set out in its personal information collection and use rule. ## Chapter 4. Security Management Requirements for Application Distribution Platforms **Article 26.** A distribution platform shall strengthen its review of Internet applications prior to listing, establish a compliance file on each Internet application's personal information collection and use, and, when accepting an application for release or a version-update listing, register and verify the true identity, contact information, and other information of the Internet application operator, and record any problems concerning the Internet application's personal information collection and use, including whether it has been publicly named or subjected to an administrative penalty by an authority performing personal information protection duties at or above the provincial level for unlawful or non-compliant collection or use of personal information. The distribution platform shall not list an Internet application whose operator has failed to provide the required information or has provided false information, or that lacks a personal information collection and use rule, an account-cancellation function, or a channel for deleting personal information. In its pre-listing review, a distribution platform shall give priority display and recommendation to Internet applications whose operators have obtained personal information protection certification and Internet application security certification. A distribution platform shall, within 6 months of the effective date of these Provisions, complete its review of Internet applications already listed on the platform, and shall remove from listing any application that fails the review. **Article 27.** A distribution platform shall clearly and accurately display the following information on the distribution and download page for an Internet application: (1) the name of the Internet application operator, or the name of the natural person operator, and contact information; (2) an introduction to the Internet application's principal functions; (3) a list of the specific permissions the Internet application requires to run; (4) the text of, or a link to, the personal information collection and use rule; and (5) for an Internet application that has been publicly named or subjected to an administrative penalty by an authority performing personal information protection duties at or above the provincial level for unlawful or non-compliant collection or use of personal information, a personal information security risk alert shall be published on the distribution and download page within 6 months from the date of the notification or penalty. **Article 28.** With respect to an Internet application that an authority performing personal information protection duties has determined to have engaged in unlawful or non-compliant collection or use of personal information, a distribution platform shall actively cooperate by taking disposal measures such as issuing a warning, declining to distribute it, suspending its distribution, or terminating its distribution. ## Chapter 5. Security Management Requirements for Smart Terminals **Article 29.** When accepting an application to preinstall an Internet application, a smart-terminal manufacturer shall register and verify the true identity, contact information, and other information of the Internet application operator. It shall not preinstall an Internet application whose operator has failed to provide the above information or has provided false information, or that lacks a personal information collection and use rule, an account-cancellation function, or a channel for deleting personal information. **Article 30.** Where an Internet application requests a permission such as calendar, call log, camera, contacts, location, microphone, phone, SMS, storage, or physical activity, the smart-terminal operating system shall obtain the user's consent through a pop-up window, and, based on the characteristics of the permission, provide fine-grained authorization options based on factors such as time, frequency, and precision. **Article 31.** A smart terminal shall, through an easy-to-understand icon or other prominent indicator in a conspicuous location such as the top of the screen, truthfully alert the user to the microphone, camera, location, or other permission currently being invoked. **Article 32.** A smart terminal shall truthfully record and centrally display: an Internet application's invocation of permissions such as calendar, call log, camera, contacts, location, microphone, phone, SMS, storage, and physical activity; instances of an Internet application self-launching or launching in association with another application while running silently in the background; and an Internet application's collection, through the smart terminal, of personal information such as clipboard content, the device's unique identifier, or the list of installed applications. The rules governing such records shall be made public. A smart terminal shall accurately alert the user to the security risks that may arise from an Internet application's invocation of a permission. ## Chapter 6. Oversight and Administration **Article 33.** The national cyberspace administration department is responsible for the overall coordination and oversight of personal information protection work concerning Internet applications, software development kits, distribution platforms, and smart terminals. The telecommunications regulatory department, public security department, and other relevant authorities under the State Council shall, in accordance with relevant laws and regulations and the requirements of these Provisions, be responsible within their respective areas of responsibility for personal information protection and oversight work concerning Internet applications, software development kits, distribution platforms, and smart terminals. Local cyberspace administration departments are responsible for the overall coordination and oversight of personal information protection work concerning Internet applications, software development kits, distribution platforms, and smart terminals within their administrative regions; local telecommunications regulatory departments, public security departments, and other relevant authorities shall, according to their respective duties, carry out personal information protection and oversight work concerning Internet applications, software development kits, distribution platforms, and smart terminals within their administrative regions. **Article 34.** Internet application and software development kit operators shall provide an effective and easily accessible complaint and reporting channel on their official website and in their personal information collection and use rule, establish and improve mechanisms for accepting, handling, and responding to complaints and reports, and accept and dispose of personal-information-related complaints within their committed time limit (which shall not exceed 15 working days; where no time limit has been committed, 15 working days shall apply). An Internet application operator shall also accept, handle, and respond to reports concerning the personal information practices of an embedded software development kit, and, where verified, shall urge the software development kit operator to make rectifications. A distribution platform operator and a smart-terminal manufacturer shall likewise accept, handle, and respond to reports concerning the personal information practices of a distributed or preinstalled Internet application, and, where verified, shall urge the Internet application operator to make rectifications. **Article 35.** Internet application operators, software development kit operators, distribution platform operators, and smart-terminal manufacturers shall formulate internal management systems and operating procedures, establish and improve an internal compliance management system and accountability mechanism, prevent personal information from being used for telecommunications and online fraud and other unlawful and criminal activities, and adequately protect users' personal information. Internet application operators, software development kit operators, distribution platform operators, and smart-terminal manufacturers shall cooperate with personal information protection oversight and inspection lawfully carried out by an authority performing personal information protection duties, and shall provide necessary technical support and assistance. **Article 36.** Internet application and software development kit operators shall strengthen permission management over operations such as accessing, copying, modifying, and deleting personal information, and adopt security-technology measures such as encryption and de-identification, to prevent the leakage, loss, or unauthorized access of personal information. Where a leakage or loss of personal information occurs, the Internet application or software development kit operator shall promptly notify users of the categories of personal information leaked, the cause, the possible harm, and the remedial measures taken, and shall report the incident to the authority performing personal information protection duties. **Article 37.** Where an Internet application operator, software development kit operator, distribution platform operator, or smart-terminal manufacturer violates these Provisions, the authority performing personal information protection duties shall handle the matter in accordance with the Cybersecurity Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Regulation on Network Data Security Management, and other relevant laws and regulations; where a crime is constituted, criminal liability shall be pursued in accordance with law. ## Chapter 7. Supplementary Provisions **Article 38.** For the purposes of these Provisions, the following terms shall have the meanings set out below: "Internet application" (App) means application software that is preinstalled on, or downloaded and installed onto, a smart terminal, as well as mini-programs, quick apps, and similar programs developed based on an open-platform interface of application software that can be used without installation. "Internet application operator" means the developer, owner, manager, or provider of an Internet application. "Software development kit" (SDK) means a software library that assists in software development. "Software development kit operator" means the developer, owner, manager, or provider of a software development kit. "Personal information subject" means the natural person identified or associated with the personal information. "User" means a natural person who uses the functional services of an Internet application. "Distribution platform" means a service provider that, over the Internet, provides for the release, download, or dynamic loading of Internet applications, including app stores, app marketplaces, quick-app centers, and mini-program platforms. "Smart terminal" means a mobile communication terminal product that is capable of connecting to a public network, has an operating system, and allows the user to independently install and uninstall application software. "Necessary personal information" means personal information that is necessary to ensure the normal operation of a basic functional service, or of a functional service that the user has chosen to use, such that the corresponding functional service cannot be provided to the user without it. "Collectible personal information permission," referred to for short as a "permission," means a system permission opened by a smart terminal's operating system to an Internet application that has the capability to collect personal information, including calendar, call log, camera, contacts, location, microphone, phone, SMS, storage, physical activity, and the like. **Article 39.** These Provisions shall take effect as of [date to be specified]. --- ## Cybercrime Prevention Law (Draft for Public Consultation) - Chinese title: 网络犯罪防治法(征求意见稿) - Abbreviation: Cybercrime Prevention Law (Draft) - Hierarchy: draft - Issuing body: Ministry of Public Security (drafting); for eventual enactment by the NPC Standing Committee - Status: draft - URL: https://datacompliancechina.com/laws/cybercrime-prevention-law-draft/ - Markdown: https://datacompliancechina.com/laws/cybercrime-prevention-law-draft.md ### Summary China's first standalone, comprehensive cybercrime statute, drafted by the Ministry of Public Security with a comment period that closed March 2, 2026. It goes well beyond the Criminal Law's cybercrime provisions to build a full prevention and governance framework: real-name controls over phone cards, bank accounts, and network accounts; a fifteen-item catalogue of prohibited "cybercrime ecosystem" conduct such as technical support, financial support, and personal-information or data misuse; tiered monitoring and reporting duties for ten categories of internet service, including a special obligation for AI service providers to detect and block abuse of their services; and cross-border tools including technical blocking of offshore actors, asset seizure, and entry/exit bans. Overseas counsel should read it closely for Article 2's extraterritorial reach, which extends to any offshore entity serving PRC users whose conduct harms China's national security, public interest, or the lawful rights of PRC citizens or organizations. ### Full text **Promulgated by:** Ministry of Public Security (drafting authority); for eventual review and adoption by the Standing Committee of the National People's Congress. **Document No.:** Not yet assigned (draft for public consultation). **Comment period:** Released for public comment; the consultation period closed March 2, 2026. Effective date not yet determined — Article 68 of the draft leaves the implementation date blank. --- ## Chapter I. General Provisions **Article 1.** This Law is enacted in accordance with the Constitution for the purposes of preventing, curbing, and governing cybercrime activities, safeguarding national security, social stability, and network order, and protecting the lawful rights and interests of citizens and organizations. **Article 2.** This Law applies to cybercrime prevention and its regulatory oversight within the territory of the People's Republic of China. Where a citizen of the People's Republic of China located outside its territory, or an overseas organization or individual that provides services to users within the territory of the People's Republic of China, commits an act in violation of this Law that harms the national security, public interest, or the lawful rights and interests of citizens or organizations of the People's Republic of China, legal liability shall be pursued in accordance with the law. **Article 3.** Cybercrime prevention work shall uphold the leadership of the Communist Party of China, implement a holistic view of national security, coordinate development and security, and follow the principles of combining prevention and enforcement, prioritizing prevention, addressing root causes, and coordinated action, so as to advance integrated online-offline prevention and build a comprehensive cybercrime prevention system. Cybercrime prevention work shall safeguard the normal operation of network services, protect the lawful rights and interests of telecommunications, financial, internet, and other service providers, and foster a healthy and orderly network environment. **Article 4.** The public security department of the State Council shall take the lead in cybercrime prevention work. The state cyberspace administration department, the press and publication department, and the competent telecommunications, financial, market regulation, foreign affairs, education, commerce, culture and tourism, radio and television, and other relevant departments of the State Council shall, in accordance with this Law and relevant laws and administrative regulations, be responsible for cybercrime prevention work within their respective areas of responsibility. Relevant competent departments shall closely coordinate with the public security department of the State Council in carrying out cybercrime prevention work. People's governments at or above the county level shall coordinate, direct, urge, and guide relevant departments in performing cybercrime prevention work within their respective areas of responsibility. The cybercrime prevention regulatory duties of relevant departments of people's governments at or above the county level shall be determined in accordance with relevant state regulations. **Article 5.** Telecommunications, financial, internet, and other service providers shall, in accordance with this Law and relevant laws, administrative regulations, and the mandatory requirements of national standards, establish and implement network security, information security, and data security management systems, adopt technical measures and other necessary measures, and perform cybercrime prevention obligations commensurate with their type of service, scale of operation, and capability. **Article 6.** Any individual or organization has the right to report to the public security authorities or other departments any clues concerning cybercrime. Relevant departments shall promptly handle such clues in accordance with the law and protect the lawful rights and interests of whistleblowers. Units and individuals who report cybercrime or make outstanding contributions to cybercrime prevention work shall be commended and rewarded in accordance with relevant state regulations. Telecommunications, financial, internet, and other service providers shall establish convenient channels to accept complaints and reports concerning cybercrime from individuals and organizations, and shall promptly handle them in accordance with law and regulation. **Article 7.** The public security authorities shall, relying on the national network and information security notification mechanism, strengthen the collection, analysis, and notification of cybercrime prevention information, and shall, in accordance with regulations, uniformly release cybercrime monitoring and early-warning information. The public security authorities shall promote information sharing on cybercrime among relevant departments, and shall strengthen the sharing of information on the cybercrime situation with telecommunications, financial, internet, and other service providers. **Article 8.** The State encourages and supports the research, development, and promotion of application of artificial intelligence and other technologies for cybercrime prevention, and strengthens security management of new technologies and applications such as artificial intelligence. **Article 9.** The State encourages and supports network-related industry associations in carrying out monitoring and analysis of new network technologies and applications, analysis of cybercrime trends and industrial chains, and dynamic risk assessment of cybercrime; in formulating codes of conduct for cybercrime prevention; and in strengthening industry self-discipline and credit-based disciplinary work for cybercrime prevention. **Article 10.** People's governments at all levels and their relevant departments shall organize regular publicity and education on cybercrime prevention, and shall guide and urge relevant units to carry out such publicity and education. Schools and other educational institutions shall incorporate cybercrime prevention into their educational and teaching content. Radio, television, newspapers, periodicals, and other media, as well as internet platforms, shall actively carry out publicity on cybercrime prevention and popularize knowledge of cybercrime prevention. ## Chapter II. Management of Basic Network Resources **Article 11.** Any individual or organization opening a mobile phone card, Internet-of-Things (IoT) card, bank account, or payment account shall provide true identity information, and shall not engage in any of the following acts that disrupt real-name management: (1) opening a mobile phone card, IoT card, bank account, or payment account using a forged or altered identity document or false identity information; (2) acquiring, renting, selling, or leasing a bank account or payment account, or acquiring, renting, selling, or leasing a mobile phone card or IoT card without completing transfer formalities, or lending out a mobile phone card, IoT card, bank account, or payment account while knowing it will be used for unlawful or criminal activity; (3) unlawfully buying or selling an overseas mobile phone card, IoT card, bank account, or payment account; (4) using an IoT card to register a network account or for other purposes not designated for it, in violation of relevant state regulations; or (5) other acts that disrupt real-name management of telecommunications or financial services. **Article 12.** Any individual or organization applying for internet information publishing, instant messaging, or other services shall provide true identity information, and shall not engage in any of the following acts that disrupt real-name management of the network: (1) applying for an internet service using false identity information or a false business license, using another person's identity information, business license, phone number, or email address without authorization, or using an IoT card for such purposes; (2) unlawfully acquiring, renting, selling, or leasing a network account, or lending out a network account while knowing it will be used for unlawful or criminal activity; (3) registering large numbers of network accounts using network-address-switching tools, mass phone-card control tools, or other means to circumvent a network operator's account registration review rules or other measures; (4) providing technical support or assistance such as unblocking services for a network account that has been lawfully subject to blocking or other measures; (5) holding, without proper justification, a large number of network accounts not registered in one's own name; or (6) other acts that disrupt real-name management of the network. **Article 13.** Any individual or organization applying for network access, domain name registration, server hosting, space leasing, content distribution, application distribution, or other services, or opening a network line or telephone line, shall register true identity information, installation address, scope of use, and other information, and shall not engage in any of the following acts that disrupt real-name management: (1) leasing a network line or telephone line to another person in violation of relevant state regulations; (2) altering, without completing change-registration formalities, the installation address of a network line or telephone line; or (3) other acts that disrupt real-name management of network lines or telephone lines. **Article 14.** No individual or organization may unlawfully manufacture, sell, provide, or use any device, software, tool, or service with any of the following functions: (1) an automatic redialing function that renders a target phone number unusable; (2) a function to control mobile phone cards in bulk; (3) a device or software with functions such as altering the calling number, virtual dialing, or connecting internet telephony to the public telecommunications network in violation of regulations; (4) a function for bulk automatic switching of network addresses, or for bulk receipt or provision of SMS or voice verification codes; (5) a function to harvest information from mobile terminal users, or to forcibly send or intercept SMS messages to or from unspecified users; or (6) other devices, software, tools, or services identified by public security authorities at or above the provincial level, in conjunction with the competent telecommunications, radio and television, or other departments, as being specifically used to commit network-related unlawful or criminal acts or as having functions to circumvent regulatory systems. **Article 15.** Any individual or organization that manufactures, sells, or provides a device, software, tool, or service with any of the following functions shall file with the public security authorities, the competent telecommunications department, or other competent departments, and shall register the true identity information of purchasers and users: (1) a function to control network accounts, internet access lines, or smart terminals in bulk; (2) a virtual network location-spoofing function; (3) a function to intrude into or control computer information systems; or (4) other devices, software, tools, or services identified by public security authorities at or above the provincial level, in conjunction with the competent telecommunications or other departments, as potentially subject to large-scale use for network-related unlawful or criminal activity. The filing system referred to in the preceding paragraph shall be specified by the public security department of the State Council in conjunction with the competent telecommunications and other departments. **Article 16.** Telecommunications, financial, internet, and other service providers shall, in accordance with laws, regulations, and the requirements of relevant competent departments, establish a dynamic identity verification system to dynamically verify the true identity of users of mobile phone cards, IoT cards, bank accounts, payment accounts, and network accounts. In regions or periods with a high incidence of cybercrime, service providers shall increase the frequency of dynamic identity verification as required by relevant competent departments; where abnormal operation of a mobile phone card, IoT card, bank account, payment account, or network account is discovered, dynamic identity verification shall be conducted promptly. Where identity verification fails, measures such as restricting, suspending, or terminating the relevant service shall be adopted. Where an individual or organization objects to the restriction, suspension, or termination of a relevant service, the telecommunications, financial, internet, or other service provider shall promptly review the matter, and shall restore the relevant service if the review confirms it should be restored. **Article 17.** The State shall build and provide a national network identity authentication public service, through which telecommunications, financial, internet, and other service providers may register and verify the true identity of users. For mobile phone cards, IoT cards, bank accounts, payment accounts, and network accounts presenting cybercrime risk, and for network application services used to commit cybercrime, the relevant industry competent department may require telecommunications, financial, internet, and other service providers to re-verify user identity through the national network identity authentication public service or other means. No individual or organization may damage or interfere with the operation of the national network identity authentication public service. **Article 18.** Telecommunications, financial, and internet service providers handling applications by individuals or organizations for mobile phone cards, bank accounts, payment accounts, or network accounts shall set numerical caps on such accounts in accordance with relevant state regulations. ## Chapter III. Governance of the Cybercrime Ecosystem **Article 19.** No individual or organization may, while knowing that another person is using the network to commit an unlawful or criminal act, provide that person with support or assistance such as internet access, cloud computing services, computing-power aggregation and leasing, server hosting, network storage, communications transmission, domain name resolution, content distribution, development and operations (DevOps), advertising promotion, or payment settlement. **Article 20.** No individual or organization may, while knowing that another person is using the network to commit an unlawful or criminal act, provide or disguisedly provide that person with financial support by: (1) moving funds through an unlawful payment platform established by another person; (2) placing advertising or promotional information on an unlawful website established by another person that involves obscenity, gambling, or similar content; or (3) other means of providing or disguisedly providing financial support to another person's use of the network to commit an unlawful or criminal act. **Article 21.** No individual or organization may, while knowing that funds, data, or virtual network property are the proceeds of another person's network-related unlawful or criminal activity, conceal, transfer, acquire, sell on another's behalf, or otherwise disguise or conceal such proceeds. **Article 22.** No individual or organization may engage in any of the following acts that infringe upon citizens' personal information or endanger data security: (1) unlawfully collecting, storing, using, processing, transmitting, providing, disclosing, or deleting personal information or data; or (2) providing personal information or data support to another person while knowing that person is engaged in unlawful or criminal activity. **Article 23.** No individual or organization may, while knowing that another person is using the network to commit an unlawful or criminal act, provide that person with assistance such as personnel recruitment, training, or document processing. **Article 24.** No individual or organization may, in violation of relevant state regulations, discover, collect, or publish network product security vulnerabilities as an unlawful or criminal activity, or disseminate or transmit design schemes, network topologies, core source code, or other information concerning important information systems that could endanger network security. **Article 25.** Without the approval of the cyberspace administration department or public security authorities at or above the provincial level, or authorization from the competent industry department or the network operator, no individual or organization may conduct network security vulnerability scanning, penetration testing, or other activities that may affect network security on a network subject to Level 3 or higher classified protection under the Multi-Level Protection Scheme (MLPS). Without the approval of the cyberspace administration department or public security authorities at or above the level of a city divided into districts, or authorization from the competent industry department or the network operator, no individual or organization may conduct such activities on a network subject to Level 2 or lower classified protection. Where such activity is conducted lawfully or with approval or authorization, it shall be reported to the public security authorities at or above the county level five working days before the activity is carried out. Where laws or administrative regulations otherwise provide, such provisions shall prevail. **Article 26.** No individual or organization may, while knowing that funds are the proceeds of another person's unlawful or criminal activity, engage in any of the following acts to move or settle such funds: (1) providing services such as cash withdrawal or physical transport of cash for another person; (2) using a bank account, payment account, or online transaction or top-up platform to unlawfully transfer funds through sham transactions or similar means; or (3) using virtual currency or other virtual network property to provide fund-transfer services for another person. **Article 27.** No individual or organization may provide, for payment, a service to delete information for another person, or a service such as blocking, replacing, or suppressing information that has the practical effect of deletion. No internet service provider or its personnel may charge, or disguisedly charge, a fee when another person lawfully applies for the deletion of unlawful information. **Article 28.** No individual or organization may publish information in any of the following ways that disrupts network order: (1) publishing false information; (2) publishing information by unlawful means such as controlling a computer information system; (3) controlling a large number of network accounts not registered in one's own name to publish information, or using bulk-control software or similar tools to provide fake comments, reposts, likes, or similar services; (4) publishing information that violates public order and good morals in order to obtain traffic revenue or advertising revenue; or (5) other acts that engage in traffic fraud or otherwise disrupt network order. **Article 29.** Any individual or organization that places advertising or promotional information on the internet, or provides intermediary or similar services for advertising and promotion, shall comply with the following: (1) where the information placed constitutes online advertising, the laws and regulations on online advertising shall be complied with; where the information placed does not constitute online advertising, the party placing the information and the intermediary service provider shall verify the true identity of the counterparty; (2) verify whether the website or application on which the information is placed has been lawfully filed or licensed; (3) check whether the website or application is one that is evidently unlawful, such as one involving obscenity, gambling, or the sale of prohibited items; and (4) where a website, application, network account, communication group, or similar means is used to help another person place information, check whether the information placed constitutes unlawful information such as obscenity, gambling, or the sale of prohibited items. **Article 30.** No individual or organization may engage in any of the following acts to help attract traffic to cybercrime: (1) while knowing that another person is using the network to commit an unlawful or criminal act, inducing or deceiving users into adding the person as an instant-messaging contact, following a social media account, joining a communication group, or downloading an application; (2) transferring the administrative rights of a public account, communication group, forum, or similar without completing and publicizing a real-name change of registration, or while knowing the rights will be used for unlawful or criminal activity; or (3) other acts of knowingly providing traffic-attracting assistance to another person's use of the network to commit an unlawful or criminal act. **Article 31.** No individual or organization may engage in any of the following acts to unlawfully promote an application or piece of software: (1) providing an electronic signature, production, packaging, publishing, or download services under the guise of testing, for an unlawful application; (2) embedding non-essential software that a user cannot uninstall, or forcibly embedding software without the user's consent; or (3) providing promotional services for another person while knowing that person has unlawfully embedded software. **Article 32.** No individual or organization may, without authorization from an internet service provider, develop, sell, or provide client software or a service platform that attaches to that provider's service and affects its normal operation or undermines fair trading by users. **Article 33.** No individual or organization may engage in any of the following acts that disrupt normal network business order: (1) conducting false or misleading commercial promotion through fabricated transactions or fabricated user reviews, or damaging another person's business reputation or product reputation, thereby interfering with the normal conduct of network transactions; (2) fraudulently obtaining network coupons, subsidy funds, or similar benefits through fabricated transactions, fabricated customers, or other abnormal means; or (3) other acts that disrupt normal network business order. ## Chapter IV. Cybercrime Prevention Obligations **Article 34.** State organs, social organizations, and enterprises and public institutions shall perform the obligation to prevent, curb, and govern cybercrime in accordance with this Law and relevant laws and regulations. The specific requirements for performing cybercrime prevention obligations shall be set out in laws, administrative regulations, or the mandatory requirements of national standards. Relevant national standards shall be formulated by the public security department of the State Council, the state cyberspace administration department, and the standardization administration department of the State Council in conjunction with competent industry departments. **Article 35.** A network operator shall adopt the following necessary measures to ensure that the services it provides are protected from unlawful or criminal infringement and are not used to commit unlawful or criminal activity: (1) establishing a dedicated body or designating dedicated personnel with direct responsibility for cybercrime prevention work, with the network operator's principal serving as the first person responsible; (2) establishing cybercrime prevention management systems and operating procedures, adopting necessary technical measures, and regularly conducting internal cybercrime prevention training; (3) establishing a cybercrime prevention work contingency plan and regularly conducting emergency response drills; (4) strengthening management of third-party supply-chain units and personnel in key network operations and maintenance positions, and adopting necessary measures to strengthen network and data security monitoring and early warning; (5) upon discovering a network attack threat or clues to network-related unlawful or criminal activity, promptly taking disposal measures, preserving relevant records, reporting to the public security authorities, and cooperating with investigations; and (6) other necessary cybercrime prevention measures. **Article 36.** An internet access service provider shall adopt the following measures to prevent its services from being used to commit unlawful or criminal activity: (1) discovering and blocking websites, network addresses, and applications that violate relevant state regulations; (2) discovering and blocking acts that endanger network security, such as interfering with, intruding into, attacking, or damaging network service facilities; and (3) promptly addressing unlawful or criminal activity conducted using its services that has been notified by a relevant competent department. **Article 37.** A telecommunications service provider shall adopt the following measures to prevent its services from being used to commit unlawful or criminal activity: (1) discovering and blocking pseudo base stations, the unauthorized establishment or leasing of network or telephone lines, unauthorized alteration of installation address, unauthorized alteration of network service scope, and the use of IoT cards for non-IoT applications; (2) discovering and blocking the erection of communication lines for unlawful or criminal activity, and the provision of equipment operation and maintenance or signal-boosting services for such activity; and (3) promptly addressing unlawful or criminal activity conducted using its services that has been notified by a relevant competent department. **Article 38.** Telecommunications, financial, internet, and other service providers shall adopt necessary measures to monitor and discover abnormal registration, control, or use of mobile phone cards, IoT cards, telephone lines, bank accounts, payment accounts, network accounts, and network lines in violation of relevant state regulations, and shall promptly block and dispose of such cards, numbers, and lines used to commit network-related unlawful or criminal activity. With respect to a card, number, or line suspected of being used to commit network-related unlawful or criminal activity, the public security authorities may require the relevant service provider to stop providing service. Where a victim files a police report and applies for emergency suspension of payment, the public security authorities may, in accordance with relevant state regulations, make decisions such as emergency suspension of payment, expedited freezing, or return of funds, and financial service providers shall cooperate accordingly. **Article 39.** Service providers offering domain name registration, host hosting, content distribution, and similar services shall adopt the following cybercrime prevention measures: (1) a domain name registration service provider shall adopt measures to monitor, discover, block, and dispose of maliciously registered or counterfeit domain names, as well as measures to dispose of domain names used to commit unlawful or criminal activity; (2) a provider of server hosting, space leasing, or cloud services shall adopt measures to monitor, discover, block, and dispose of unlawful information, websites, and applications, as well as denial-of-service attacks, malicious code, botnets, and unlawfully established virtual private networks; and (3) a content distribution service provider shall adopt measures to monitor, discover, block, and dispose of unlawful information, websites, and applications. **Article 40.** An internet service provider shall, according to the category of service it provides, adopt the following cybercrime prevention measures: (1) a provider of information publishing services shall adopt measures to monitor, discover, prevent, block, and dispose of unlawful information, as well as fake reposts, comments, or likes, or the publication of information using large numbers of network accounts not registered in one's own name; (2) a provider of online transaction services shall adopt measures to monitor, discover, prevent, block, and dispose of the sale or assembly of prohibited or controlled items, sham transactions, and other unlawful or suspicious transactions; (3) a provider of online payment services shall adopt measures to monitor, discover, prevent, block, and dispose of payment settlement services provided for unlawful or abnormal transactions, such as those involving significantly abnormal payment amounts or abnormal account usage frequency; (4) a provider of advertising and promotion services shall adopt measures to monitor, discover, prevent, block, and dispose of advertising promotion for unlawful or criminal activity, or the embedding of malicious code or insertion of unlawful information in advertising services; (5) a provider of information search services shall adopt measures to monitor, discover, prevent, block, and dispose of the dissemination and promotion of unlawful information; a provider of paid information search services shall verify client qualifications in accordance with law, set an upper limit on the proportion of paid search results shown on a page, and apply a prominent label to paid search information; (6) a provider of online gaming services shall adopt measures to monitor, discover, prevent, block, and dispose of the dissemination of unlawful information, disguised gambling activity, and abnormal or suspicious changes in virtual network property; (7) a provider of application distribution services shall adopt measures to monitor, discover, prevent, block, and dispose of programs or tools specifically designed to intrude into or unlawfully control computer information systems, and unlicensed, unfiled, or unlawful applications that unlawfully process personal information; (8) a provider of data interface services shall establish technical measures such as identity authentication and access control, and shall adopt measures to monitor, discover, prevent, block, and dispose of unlawful or unauthorized data calls; (9) a provider of blockchain services shall adopt measures to monitor, discover, prevent, block, and dispose of the publication or dissemination of unlawful information, viruses, trojans, or malicious programs on the blockchain, or the provision of payment settlement or other assistance to unlawful or criminal activity through the blockchain; and (10) a provider of AI-generated and composed content services shall adopt measures to monitor, discover, prevent, block, and dispose of the use of its services to create or disseminate rumors or other unlawful information, or to commit unlawful or criminal acts such as insult or defamation. **Article 41.** Internet information service providers and manufacturers of mobile smart terminals shall adopt measures to monitor and discover AI-generated and composed information. Where such information is found without a label, they shall promptly take disposal measures such as removal, or shall add a label alerting users that the information is AI-generated and composed content. **Article 42.** A network operator shall, at key stages such as the launch and operation of new technologies and applications, establish a cybercrime risk assessment system to prevent new technologies and applications from being used to commit unlawful or criminal activity. An artificial intelligence service provider shall adopt measures to monitor, discover, prevent, block, and dispose of a user's use of its services to commit unlawful or criminal activity or engage in abnormal conduct such as bulk generation of malicious code, and shall preserve relevant records and report to the public security authorities or other competent departments. **Article 43.** Network operators and data processors shall perform network and data security protection obligations, establish and improve network and data security management systems, and adopt technical measures and other necessary measures to prevent their network services and data from being used to commit unlawful or criminal activity. An important data processor shall establish technical measures such as data labeling and tagging to monitor and identify the chain of provenance as important data is transferred among different parties. **Article 44.** The state cyberspace administration department shall coordinate relevant departments and network operators in adopting technical measures and other necessary measures to block unlawful information originating from outside the territory of the People's Republic of China. Where a network operator discovers a domain name, network address, network account, telephone line, network line, or application used to commit unlawful or criminal activity, it shall promptly take measures to block it and report to the public security authorities or other competent departments. No individual or organization may, in violation of relevant state regulations, manufacture, sell, or provide devices, software, tools, lines, or services that provide technical support or assistance to another person in obtaining or disseminating information that has been lawfully blocked under the first paragraph of this Article. **Article 45.** An institution that, for profit, provides services such as vulnerability scanning or penetration testing shall file with the public security authorities at or above the level of a city divided into districts. Such an institution shall adopt measures to strengthen the training and management of its relevant personnel. **Article 46.** Network security product and service providers shall adopt the following measures to prevent their products and services from being used to commit unlawful or criminal activity: (1) reporting to the public security authorities at or above the level of a city divided into districts the IP addresses, domain names, and similar information used by the provider for network vulnerability scanning and penetration testing; (2) where the provider offers crowdsourced testing platform services, verifying the relevant authorization documentation; and (3) promptly reporting significant threat intelligence and program samples to the public security authorities and the cyberspace administration department. **Article 47.** The name of a website or application shall not contain any of the following: (1) information that laws or administrative regulations prohibit publishing or transmitting; (2) an unauthorized use of, or an association with, the name of a Party or government organ, an enterprise or public institution, or another organization, or the name of a public figure, where doing so could deceive or mislead the public; or (3) other names identified by a competent department at or above the provincial level as unsuitable for use. **Article 48.** Public security authorities, cyberspace administration departments, or other relevant competent departments at or above the provincial level may issue a cyber-violence protection order to a victim of a cyber-violence incident. A network operator shall, in accordance with the requirements of a cyber-violence protection order, adopt technical measures and other necessary measures to promptly address the cyber-violence incident and block the dissemination of related cyber-violence information. **Article 49.** Public security authorities at or above the level of a city divided into districts may issue a warning notice to a perpetrator of cyber violence, ordering the perpetrator to cease the conduct. **Article 50.** No individual or organization may engage in any of the following acts that infringe upon the lawful rights and interests of minors or harm their physical or mental health: (1) using the network to organize, entice, instigate, deceive, coerce, or assist minors in committing unlawful or criminal activity; (2) using the network to threaten, insult, defame, or otherwise maliciously damage the image of, or otherwise bully, minors; (3) producing, copying, publishing, disseminating, or possessing obscene or pornographic information involving minors; (4) disclosing a minor's criminal record that should be sealed, or information that could identify a minor involved in a case; or (5) other acts that use the network to infringe upon the lawful rights and interests of minors or harm their physical or mental health. **Article 51.** A network operator shall provide technical interfaces, decryption, and other technical support, assistance, and guarantees to the public security authorities and state security organs for their lawful safeguarding of national security, criminal investigation, and prevention and investigation of terrorist activities. The specific requirements shall be formulated by the public security department of the State Council in conjunction with relevant departments. ## Chapter V. Prevention of Cross-Border Cybercrime **Article 52.** The public security authorities and relevant competent departments shall, in accordance with this Law and relevant laws and regulations, and pursuant to international treaties concluded or acceded to by the State or on the basis of the principle of equality and mutual benefit, carry out international law-enforcement cooperation on cybercrime prevention in respect of cybercrime committed outside the territory of, or using overseas network resources against, the People's Republic of China or its citizens or institutions, or cybercrime committed abroad by PRC citizens in violation of PRC law. **Article 53.** Where an overseas individual or organization providing internet services or related network products or services to users within the territory of the People's Republic of China provides support or assistance to cybercrime activity, the state cyberspace administration department may, in accordance with law, adopt technical blocking measures against it. **Article 54.** Where an overseas individual or organization uses the network to commit fraud, gambling, dissemination of obscene materials, or other crimes directed at the territory of the People's Republic of China, the proceeds of such crime, and any enterprises, securities, real property, or other assets in which such proceeds have been invested, shall be sealed, seized, or frozen in accordance with law, and may be confiscated in accordance with law following trial by a people's court. The relevant competent department may decide to restrict such individual or organization from making direct or indirect investment within the territory. **Article 55.** Where an overseas institution, organization, or individual uses the network to fabricate or disseminate false information that harms the national sovereignty, security, or development interests, or the public interest, of the People's Republic of China, the relevant competent department may decide to freeze assets, restrict entry of relevant personnel, restrict direct or indirect investment within the territory, or take other measures. **Article 56.** With respect to a PRC citizen who has been subjected to criminal punishment in accordance with law for using the network to commit, across borders, an act prescribed in Chapter III of this Law, the public security authorities at or above the level of a city divided into districts may, based on the circumstances of the offense and the need to prevent reoffending, decide to bar the citizen from leaving the territory for a period of six months to three years from the completion of the punishment. ## Chapter VI. Legal Liability **Article 57.** Where an act in violation of Articles 11 through 13 of this Law disrupts the real-name registration system or similar systems, the public security authorities shall confiscate the unlawful gains and impose a fine of one to ten times the unlawful gains; where there are no unlawful gains or the unlawful gains are less than RMB 20,000, a fine of up to RMB 200,000 shall be imposed; where the circumstances are serious, detention of up to 15 days may also be imposed. For an individual or organization subject to administrative punishment under the preceding paragraph, the relevant competent department may place them on a blacklist and order relevant service providers to adopt disciplinary measures such as restricting use of services or restricting or prohibiting the opening of cards or accounts. **Article 58.** Where a person manufactures, sells, provides, or uses a device, software, tool, or service in violation of Article 14, Article 15, the third paragraph of Article 17, or the third paragraph of Article 44 of this Law, the public security authorities, cyberspace administration department, competent telecommunications department, market regulation department, or other departments shall, according to their respective duties, confiscate the item and impose a fine of one to ten times the unlawful gains; where there are no unlawful gains or the unlawful gains are less than RMB 50,000, a fine of up to RMB 500,000 shall be imposed; where the circumstances are serious, the public security authorities may also impose detention of up to 15 days. **Article 59.** Where an act in violation of Articles 19 through 33 of this Law disrupts network order, the public security authorities, cyberspace administration department, competent telecommunications department, and competent financial, market regulation, culture and tourism, or other departments shall, according to their respective duties, order suspension of the relevant business, suspension of operations for rectification, closure of the website or application, or revocation of the business license or permit, and shall impose a fine of one to ten times the unlawful gains; where there are no unlawful gains or the unlawful gains are less than RMB 50,000, a fine of up to RMB 500,000 shall be imposed; where the circumstances are serious, the public security authorities may also impose detention of up to 15 days. **Article 60.** Where a telecommunications, financial, internet, or other service provider commits any of the following acts, the relevant competent department shall order rectification and issue a warning or public criticism, or impose a fine of RMB 50,000 to RMB 500,000; where the circumstances are serious, a fine of RMB 500,000 to RMB 5,000,000 shall be imposed, and the relevant competent department may also order suspension of the relevant business, suspension of operations for rectification, closure of the website or application, or revocation of the business license or permit, and impose a fine of RMB 10,000 to RMB 200,000 on the directly responsible person in charge and other directly liable personnel: (1) failing to implement real-name registration or similar systems, or to verify the true identity of users in accordance with law, in violation of Article 16 or the first or second paragraph of Article 17 of this Law; (2) failing to implement cybercrime prevention obligations, or to adopt monitoring, discovery, blocking, or disposal measures in accordance with law, in violation of Articles 34 through 43 or the second paragraph of Article 48 of this Law; (3) failing to perform obligations such as filing of network security products or services in accordance with law, in violation of Article 45 or Article 46 of this Law; (4) failing to perform website and application name management obligations in accordance with law, in violation of Article 47 of this Law; or (5) failing to provide technical support, assistance, and guarantees in accordance with law, in violation of Article 51 of this Law. **Article 61.** Where an act in violation of Article 50 of this Law infringes upon the lawful rights and interests of minors, the public security authorities shall impose a fine of up to RMB 200,000; where the circumstances are serious, a fine of up to RMB 500,000 or up to ten times the unlawful gains shall be imposed, and detention of up to 15 days may also be imposed. **Article 62.** Administrative punishments lawfully imposed by the cyberspace administration department, competent telecommunications department, public security authorities, and other relevant departments for acts in violation of this Law shall be entered into credit archives in accordance with laws and administrative regulations. **Article 63.** Where a violation of relevant provisions of this Law — disrupting real-name registration or similar systems, disrupting network order, or failing to implement cybercrime prevention obligations — causes another person to suffer loss from cybercrime infringement, civil liability shall be borne in accordance with law according to fault. **Article 64.** Where a telecommunications, financial, internet, or other service provider fails to perform the cybercrime prevention obligations prescribed by this Law and thereby infringes upon the lawful rights and interests of a large number of individuals, or causes harm to national interests or the public interest, the people's procuratorate, a relevant competent department, or a relevant social organization may, in accordance with law, bring a public-interest lawsuit before a people's court. **Article 65.** Where personnel of the cyberspace administration department, competent telecommunications department, public security authorities, or other relevant departments neglect their duties, abuse their power, engage in malpractice for personal gain, or solicit or accept property from others by taking advantage of their position, and the conduct does not constitute a crime, they shall be given sanctions in accordance with law. **Article 66.** Where a violation of this Law constitutes a violation of public security management, the public security authorities shall impose public security administrative punishment in accordance with law; where a crime is constituted, criminal liability shall be pursued in accordance with law. ## Chapter VII. Supplementary Provisions **Article 67.** For the purposes of this Law, "cybercrime" means a crime that is directed at, or primarily committed by means of, the network, and that endangers national security, public security, or the personal or property safety of citizens. **Article 68.** This Law shall come into force on [date to be determined]. --- ## Measures for the Administration of Digital Virtual Human Information Services (Draft for Public Consultation) - Chinese title: 数字虚拟人信息服务管理办法(征求意见稿) - Abbreviation: Digital Virtual Human Measures (Draft) - Hierarchy: draft - Issuing body: Cyberspace Administration of China (CAC) - Status: draft - URL: https://datacompliancechina.com/laws/digital-virtual-human-info-service-measures-draft/ - Markdown: https://datacompliancechina.com/laws/digital-virtual-human-info-service-measures-draft.md ### Summary CAC's first dedicated regime for 'digital virtual humans' — human-driven or computation-driven digital avatars used to deliver Internet information services. The 27-article draft assigns obligations across five roles in the value chain (providers, technical-support parties, users, content-distribution platforms, and the real person behind a human-driven avatar) and bans a defined list of harmful conduct alongside a persistent, on-screen 'digital human' labeling duty. Its most consequential feature for overseas counsel: withdrawing consent to use of one's biometric data for avatar creation obliges the provider not just to delete the data but to affirmatively deregister the digital virtual human itself. It also bars virtual 'intimate relationships' marketed to minors and restricts manipulative retention tactics in AI anthropomorphic interaction. Comments closed May 6, 2026; the effective date is still blank in the draft. ### Full text **Promulgated by:** Cyberspace Administration of China (CAC). **Document No.:** Not yet assigned (draft for public consultation). **Released for public comment April 3, 2026. Comment period closed May 6, 2026. Effective date left blank in the draft text.** --- ## Chapter 1. General Provisions **Article 1.** These Measures are formulated in order to promote the healthy development and standardized application of digital virtual human information services and safeguard the lawful rights and interests of citizens, legal persons, and other organizations, in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Administrative Measures for Internet Information Services, the Regulations on the Protection of Minors in Cyberspace, the Regulation on Network Data Security Management, and other laws and administrative regulations. **Article 2.** These Measures apply to the provision of Internet information services to the public within the territory of the People's Republic of China through digital virtual humans (hereinafter "digital virtual human services"). Where laws or administrative regulations provide otherwise, such provisions shall prevail. **Article 3.** The national cyberspace administration department is responsible for the overall coordination of the governance of digital virtual human services nationwide and related supervision and administration work. The telecommunications, public security, culture and tourism, health, market regulation, financial regulation, radio and television, press and publication, film, and copyright departments and other relevant departments under the State Council are responsible for the supervision and administration of digital virtual human services in accordance with their respective duties. Local cyberspace administration departments are responsible for the overall coordination of the governance of digital virtual human services within their administrative regions and related supervision and administration work. Local telecommunications, public security, culture and tourism, health, market regulation, financial regulation, radio and television, press and publication, film, and copyright departments and other relevant departments are responsible for the supervision and administration of digital virtual human services within their administrative regions in accordance with their respective duties. **Article 4.** The provision and use of digital virtual human services shall uphold core socialist values, comply with laws and administrative regulations, safeguard national security and the public interest, respect social morality and ethics, and foster a sound online ecosystem. **Article 5.** The application and adoption of digital virtual human services across various fields is encouraged, promoting demonstration applications on the premise that intelligence is used for good and kept safe and controllable, and improving the ecosystem of digital virtual human services. The State supports research, development, and innovation in digital virtual human technology and collaboration among industry, academia, and research institutions, supports the establishment and improvement of a technical standards system for digital virtual human technology, and supports active participation in international rule-making and exchange and cooperation. **Article 6.** Relevant industry associations are encouraged to strengthen industry self-discipline, establish and improve group standards, industry codes of conduct, and self-regulatory administrative systems, and urge and guide relevant entities to formulate and improve service norms, strengthen their primary responsibility, and accept public oversight. ## Chapter 2. Protection of Rights and Interests **Article 7.** Any organization or individual that uses a natural person's sensitive personal information for modeling, likeness generation, scenario construction, or other such activities shall comply with laws and administrative regulations and satisfy the following requirements: (1) obtain the natural person's separate consent, and truthfully, accurately, and completely inform the person — in a prominent manner and in clear, easily understandable language — of the purpose and necessity of the processing, its impact on personal rights and interests, and other matters required by laws and administrative regulations; where the personal information of a minor under the age of 14 is used, the separate consent of the minor's parents or other guardian shall be obtained. This does not apply where laws or administrative regulations provide otherwise. (2) after the natural person withdraws consent, eliminate the effects by deleting the relevant personal information and by other means, and shall not retain the personal information in any form or use it for any other purpose, except as otherwise provided by laws or administrative regulations. Unless the parties have agreed otherwise, the digital virtual human shall also be deregistered. (3) respect the lawful rights and interests of others, and shall not infringe upon another person's right of portrait, right of reputation, right of honor, right of privacy, or personal information rights and interests. Where the personal information of a deceased person is used to carry out relevant activities, the deceased's close relatives may, for their own lawful and legitimate interests, exercise the corresponding rights over the deceased's relevant personal information in accordance with law, except where the deceased made other arrangements prior to death. **Article 8.** Any organization or individual providing or using digital virtual human services shall not infringe upon another person's personality rights by way of vilification, defacement, or other such means, and shall not provide a digital virtual human service sufficient to identify a specific natural person without that person's consent. This includes, but is not limited to: (1) using another person's pen name, stage name, online alias, translated name, style name, given name, or an abbreviation of such name that carries a degree of social recognition; and (2) using a likeness or voice that is highly similar to that of a specific natural person. **Article 9.** Any organization or individual providing or using digital virtual human services shall respect intellectual property rights and business ethics. Where another person's literary, artistic, photographic, musical, audiovisual, or other works or products are used to create a digital virtual human, and in the course of any entity's use of a digital virtual human, the lawful intellectual property rights of others shall not be infringed. **Article 10.** Inducing minors to become addicted to digital virtual human services is prohibited. No digital virtual human service may be provided to minors that offers virtual intimate relationships such as virtual family members or virtual partners, induces excessive consumption, induces religious belief, or otherwise contains information that may trigger or induce minors to imitate unsafe conduct, engage in conduct that violates social morality, develop extreme emotions, or form bad habits, or that may otherwise affect the physical or mental health of minors. ## Chapter 3. Service Standards **Article 11.** Any organization or individual providing or using digital virtual human services shall comply with laws and administrative regulations, respect social morality and ethics, and shall not engage in the following activities: (1) generating or disseminating content that endangers national security, honor, and interests; incites subversion of state power or overthrow of the socialist system; incites separatism or undermines national unity; promotes terrorism, extremism, or historical nihilism; violates core socialist values or public order and good morals; engages in illegal religious activities; promotes ethnic hatred or ethnic discrimination; provokes hostility between groups; disseminates obscenity, pornography, gambling, violence, or incitement to crime; spreads rumors; or insults or defames others or infringes upon their lawful rights and interests; (2) incorporating content that damages the national image into a digital virtual human's likeness design, clothing and insignia, activity scenarios, personality preferences, or the like; (3) distorting or vilifying the image of martyrs and other such figures, or fabricating or altering the deeds and spirit of martyrs, or using the image of martyrs and other such figures for commercial purposes; (4) engaging in false advertising of goods or services, malicious inducement of consumption, telecom fraud, or other unlawful activities; (5) using a digital virtual human to circumvent facial recognition, voice recognition, or other identity authentication mechanisms when laws or administrative regulations require the provision of authentic identity information; (6) infringing upon the personal information or the freedom to independently choose an occupation, or other lawful rights and interests, of the real person behind a human-driven digital virtual human; (7) registering or trading Internet accounts in violation of regulations; or (8) other conduct that violates laws or administrative regulations. **Article 12.** Any organization or individual providing or using digital virtual human services shall take measures to consciously guard against and resist activities that generate or disseminate content involving sexual suggestion or sexual provocation, that display bloodiness, horror, or cruelty, or that incite discrimination on the basis of group identity or geographic origin, or other content that has an adverse impact on the online ecosystem. **Article 13.** From the commencement of a digital virtual human service, the digital virtual human service provider, the service user, and any service provider offering network information content dissemination services shall continuously display, throughout the digital virtual human's display area, a prominent notice bearing the words "digital human" (数字人), and shall comply with the relevant State provisions on the labeling of AI-generated and composed content. **Article 14.** Digital virtual human service providers and service users shall, in accordance with laws and administrative regulations, carry out data processing activities within a specific purpose and scope, use data with a lawful source, implement data security protection responsibilities, and adopt corresponding technical measures and other necessary measures to safeguard the security of data storage and transmission and to prevent data leakage or improper use. **Article 15.** Digital virtual human service providers and service users shall establish mechanisms for security risk monitoring, early warning, and emergency response, and for anti-addiction reminders, in respect of digital virtual human services, and shall establish and improve a content-orientation management system. They shall be equipped with technical capabilities and staffing commensurate with the scale of their operations, employ a combination of artificial intelligence, big data, and other technical means together with manual review to strengthen the identification, monitoring, and early warning of risks in digital virtual human services, and shall record and retain log information. Where a digital virtual human service is found to have been used to engage in unlawful activities, the provider shall promptly adopt measures such as dynamic identity verification, warnings, function restrictions, or termination of service; where a major risk is found to exist, the provider shall immediately suspend or terminate the digital virtual human service, deregister the digital virtual human, and eliminate the effects. **Article 16.** A digital virtual human service provider shall enter into a service agreement with the technical-support party and the service user that clearly specifies the safeguarding of content security and the rights and obligations relating to the collection, use, and storage of data, among other matters. **Article 17.** A service provider offering network information content dissemination services shall establish and improve a content-orientation management system and be equipped with technical capabilities and staffing commensurate with the scale of its operations; it shall fulfill its content security management responsibilities, optimize its content review and account management mechanisms, strengthen its management of information published by its users, promptly dispose of unlawful and undesirable information, and retain log information. **Article 18.** Where a digital virtual human service is used to provide AI anthropomorphic interaction services, and a user chooses to cancel a specific feature of the service or to exit the service, the provider shall not deceive or excessively induce the user to continue using the service. Providers are encouraged to adopt necessary measures to actively intervene and provide professional assistance where a user exhibits a tendency toward suicide, self-harm, or other conduct that threatens life or health. **Article 19.** Where a digital virtual human service is used in government services, public administration, judicial activities, or other such fields, the principles of legality, reasonableness, propriety, and necessity shall be observed, a mechanism for human oversight and review shall be put in place, and users shall have the right to choose to accept or decline the digital virtual human service. ## Chapter 4. Oversight and Legal Liability **Article 20.** Digital virtual human service providers and service providers offering network information content dissemination services shall establish mechanisms for user appeals and for public complaints and reports concerning digital virtual humans, set up convenient channels for appeals, complaints, and reports, and promptly process and respond with the results. **Article 21.** A digital virtual human service provider possessing public-opinion properties or the capacity for social mobilization shall complete algorithm filing, and filing for changes and deregistration, in accordance with the Provisions on the Administration of Algorithmic Recommendation Services for Internet Information Services. A digital virtual human technical-support party shall complete filing, and filing for changes and deregistration, by reference to the preceding paragraph. **Article 22.** Where a digital virtual human service provider provides an Internet information service possessing public-opinion properties or the capacity for social mobilization, it shall carry out a security assessment in accordance with relevant State provisions. **Article 23.** Cyberspace administration departments and relevant competent authorities shall carry out supervision and inspection of digital virtual human services in accordance with their duties. Digital virtual human service providers, technical-support parties, service users, and service providers offering network information content dissemination services shall cooperate in accordance with law and provide necessary support and assistance. **Article 24.** Violations of these Measures shall, where laws or administrative regulations provide for penalties, be punished in accordance with those provisions, together with civil liability assumed in accordance with law. Where laws or administrative regulations do not so provide, the relevant department shall, in accordance with its duties, issue a warning or public criticism and order rectification within a specified period; where the violator refuses to make corrections or the circumstances are serious, the department shall order the cessation of the relevant service and may impose a fine of not less than RMB 10,000 and not more than RMB 100,000; where the violation endangers the life, health, or safety of citizens and causes harmful consequences, a fine of not less than RMB 100,000 and not more than RMB 200,000 shall be imposed. ## Chapter 5. Supplementary Provisions **Article 25.** For the purposes of these Measures, the following terms have the meanings set out below: "Digital virtual human" means a virtual digital likeness that exists in the non-physical world, that is produced using computer graphics, digital image processing, artificial intelligence, or other such technologies, that is driven by a real person or by computation, that simulates human appearance, and that possesses characteristics such as voice, behavior, interactive capability, or personality. "Human-driven digital virtual human" means a virtual digital likeness that maps a real person's facial expressions, movements, and voice in real time through motion-capture technology. "Digital virtual human service provider" means an organization or individual that provides a digital virtual human service. "Digital virtual human technical-support party" means an organization or individual that provides technical support for a digital virtual human service. "Digital virtual human service user" means an organization or individual that uses a digital virtual human to produce, reproduce, or publish information. **Article 26.** Where the State has other provisions on the conduct of activities involving digital virtual human services in fields such as healthcare, finance, press and publication, and film, such provisions shall be complied with as well. **Article 27.** These Measures shall come into force as of [date left blank] 2026. --- ## Measures for the Administration of Cybersecurity Labels - Chinese title: 网络安全标识管理办法 - Abbreviation: Cybersecurity Label Measures - Hierarchy: rule - Issuing body: Cyberspace Administration of China (CAC), Ministry of Industry and Information Technology (MIIT), and Ministry of Public Security (MPS) - Adopted: 2026-07-01 - Effective: 2026-07-01 - Status: effective - URL: https://datacompliancechina.com/laws/cybersecurity-label-management-measures/ - Markdown: https://datacompliancechina.com/laws/cybersecurity-label-management-measures.md ### Summary A joint CAC–MIIT–MPS rule establishing a voluntary product-certification scheme — the 'China Cybersecurity Label' — for internet-connected products, layered into one/two/three-star tiers (basic, enhanced, and leading cybersecurity capability). Coverage is catalogue-managed: products are added in batches, each with its own implementing rules and technical basis, and critical network equipment and dedicated cybersecurity products already regulated under the 2023 security-management framework are carved out. Three-star products must clear penetration testing by a qualified third-party lab, and every label carries a scannable filing code linking to the test report and the manufacturer's compliance declaration. Misuse — forged or misappropriated labels, false advertising, or fabricated test results — triggers filing revocation, public naming, a one-year bar on re-filing, and entry into the national credit-information system. For overseas counsel, this is a market-facing trust mark rather than a mandatory compliance gate, but it interacts with existing MLPS and product-security obligations and is likely to become a de facto procurement or channel-access signal even though participation is nominally voluntary. ### Full text **Promulgated by:** Cyberspace Administration of China (CAC), Ministry of Industry and Information Technology (MIIT), and Ministry of Public Security (MPS). **Document No.:** Not specified in the released text. **Effective July 1, 2026.** --- ## Chapter I. General Provisions **Article 1.** These Measures are formulated in accordance with the Cybersecurity Law of the People's Republic of China and other laws and regulations, for the purposes of improving the cybersecurity capability of products, strengthening the protection of consumer rights and interests, and safeguarding cybersecurity and the public interest. **Article 2.** For the purposes of these Measures, "cybersecurity label" (网络安全标识) means an information label that reflects the level of cybersecurity capability of a product itself. Products with an internet-connection function are subject to these Measures, and specific products are subject to catalogue-based management. **Article 3.** Cybersecurity label administration work adheres to the principle of coordinating development and security, and product manufacturers participate on a voluntary basis. Product manufacturers are encouraged to improve the cybersecurity capability of their products and to affix cybersecurity labels in accordance with these Measures. Consumers are encouraged to give preference to products bearing a cybersecurity label. **Article 4.** The Cyberspace Administration of China, the Ministry of Industry and Information Technology, and the Ministry of Public Security are responsible for cybersecurity label administration work. They shall formulate and publish, in batches, a *Catalogue of Products Subject to Cybersecurity Labeling*, specifying the implementing rules and the national standards or technical documents on which each category of product is based, and shall organize publicity and education on cybersecurity labels. They entrust the China Electronics Standardization Institute (hereinafter, the "filing institution") to carry out filing and information-release work for cybersecurity labels. ## Chapter II. Implementation of Labels **Article 5.** The cybersecurity capability levels corresponding to the cybersecurity label are, from low to high, basic level, enhanced level, and leading level, denoted respectively by one-star, two-star, and three-star labels. The basic level requires that a product satisfy the basic security requirements of the relevant national standards, such as the absence of weak passwords or common default passwords, the establishment of a vulnerability-management mechanism with dynamic vulnerability remediation, and the maintenance of up-to-date software. The enhanced level requires that a product's cybersecurity capability reach an advanced level among comparable products. The leading level requires that a product's cybersecurity capability reach a leading level among comparable products, and additionally that the product pass penetration testing to verify its ability to withstand high-level cyberattacks. The specific security requirements for the label level of each category of product shall be determined in the corresponding implementing rules. Security requirements shall be properly aligned with current national and international standards, and shall fully draw on and absorb the relevant experience of other countries and regions that operate cybersecurity labeling systems. **Article 6.** A cybersecurity label (in English, "China Cybersecurity Label") shall include the following basic contents: (1) the name of the product manufacturer; (2) the product specification and model; (3) the cybersecurity capability level; (4) the validity period of the cybersecurity label; (5) the name of the testing laboratory; (6) the number of the national standard or technical document relied upon; and (7) a filing information code, by scanning which the test report, key indicators, the product manufacturer's compliance declaration, and other information may be obtained. The basic design of the cybersecurity label is as shown in the annex (see attachment). The specific design for the label of each category of product shall be specified in the corresponding implementing rules, and may be appropriately adapted from the basic design above according to the actual form of the product. **Article 7.** For a product required to bear a cybersecurity label, the product manufacturer shall carry out cybersecurity capability testing in accordance with the relevant requirements of the implementing rules, determine the cybersecurity capability level, and obtain a test report. (1) For products required to bear a one-star or two-star label, the product manufacturer may use its own testing laboratory or entrust a third-party testing institution that has lawfully obtained qualification accreditation to carry out the testing; (2) For products required to bear a three-star label, the product manufacturer, in addition to satisfying the relevant testing requirements, shall also entrust a qualified third-party testing institution to carry out penetration testing. **Article 8.** The filing institution shall build a cybersecurity label filing and administration platform, and product manufacturers shall complete the filing of cybersecurity labels online through the platform. The following materials shall be submitted in electronic form at the time of filing: (1) the cybersecurity label filing form; (2) the cybersecurity capability level test report; (3) the design of the product's cybersecurity label, prepared in accordance with the implementing rules; (4) the product manufacturer's compliance declaration; (5) the product manufacturer's business license; (6) supporting materials evidencing the testing capability of the manufacturer's own testing laboratory, or the qualification accreditation certificate of the third-party testing institution; and (7) where the filing materials are submitted by an agent, the product manufacturer's power of attorney and other authorization documents. The product manufacturer and its agent shall be responsible for the authenticity, accuracy, and completeness of the foregoing materials. **Article 9.** The filing institution shall, within 10 working days from the date of receiving complete filing materials, conduct a formal review of the authenticity, accuracy, and completeness of the materials, complete the filing, and publicly announce the relevant filing information for the product. Once the filing is completed, the product manufacturer may print, use, and display the cybersecurity label in accordance with the requirements of the implementing rules. **Article 10.** The validity period of a cybersecurity label shall be specified in the relevant product implementing rules. Where, for a product for which filing has been completed, a change occurs in key technical parameters or other matters that may affect the product's cybersecurity capability, or where the label's validity period has expired, the product manufacturer shall re-file. **Article 11.** No organization or individual may forge or misappropriate a cybersecurity label, or use a cybersecurity label to engage in false advertising. **Article 12.** The filing institution shall establish and improve working rules for cybersecurity label filings, and shall carry out filing-related work objectively and impartially. A product manufacturer's own testing laboratory or a third-party testing institution shall strictly carry out testing in accordance with the relevant standards, shall ensure that test results are objective, impartial, true, and accurate, and shall not forge test results or issue false test reports. The filing institution and testing institutions shall not divulge state secrets or trade secrets that come to their knowledge in the course of their work. ## Chapter III. Supervision and Administration **Article 13.** The Cyberspace Administration of China, the Ministry of Industry and Information Technology, and the Ministry of Public Security are responsible for organizing supervision and inspection of the filing and use of cybersecurity labels, and shall, upon discovering conduct in violation of these Measures, promptly handle it in accordance with relevant provisions. Local cyberspace administration departments, communications administration bureaus, and public security organs are responsible for organizing supervision and inspection of the use of cybersecurity labels within their respective regions, and shall strengthen information sharing. Upon discovering conduct in violation of these Measures, they shall, together with the relevant departments, handle the matter in accordance with relevant provisions and promptly notify the filing institution. **Article 14.** Where any of the following circumstances is discovered, the filing institution shall revoke the filing and promptly issue a public announcement: (1) the filing materials were fraudulent; (2) the cybersecurity label does not correspond to the product's actual cybersecurity capability; (3) the cybersecurity label used does not comply with the applicable provisions on design, specifications, or other labeling requirements; (4) the product manufacturer has ceased to provide technical support services for the filed product; or (5) other violations for which the filing should be revoked. **Article 15.** Where a product manufacturer forges or misappropriates a cybersecurity label, or uses a cybersecurity label to engage in false advertising, the filing institution shall revoke the cybersecurity label filing for the relevant product, publicly announce the product manufacturer's violation, and, from the date of the announcement, refuse to accept filing applications from that manufacturer for one year. **Article 16.** Where a product manufacturer's own testing laboratory or a third-party testing institution forges test results or issues a false test report, the filing institution shall revoke the cybersecurity label filing for the relevant product, publicly announce the testing institution's violation, and, from the date of the announcement, decline to rely on that institution's test results for one year. **Article 17.** Where a product manufacturer, third-party testing institution, or other party engages in fraud in cybersecurity capability testing, or forges or misappropriates a cybersecurity label, the competent authorities shall impose penalties in accordance with the Cybersecurity Law of the People's Republic of China, the Measures for the Supervision and Administration of Inspection and Testing Institutions, and other applicable laws and regulations. **Article 18.** Any organization or individual that discovers conduct in violation of these Measures may report it to the local cyberspace administration department, communications administration bureau, or public security organ. The local cyberspace administration department, communications administration bureau, or public security organ shall promptly investigate and handle the matter, keep the identity of the whistleblower confidential, and the filing institution shall cooperate during the course of the investigation. **Article 19.** Where a product security vulnerability is discovered or becomes known in the course of cybersecurity capability testing, it shall be reported, remediated, and disclosed in accordance with the relevant requirements of the Provisions on the Management of Security Vulnerabilities of Network Products. **Article 20.** The Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and other authorities shall establish credit records for conduct in violation of these Measures, and incorporate such records into the National Credit Information Sharing Platform. ## Chapter IV. Supplementary Provisions **Article 21.** For the purposes of these Measures, "cybersecurity capability" means the capability of a product manufacturer, through the adoption of necessary technical and management measures, to enable a product itself to guard against attacks, intrusions, interference, sabotage, and unlawful use, and to ensure the stable and reliable operation of the product and the integrity, confidentiality, and availability of network data. **Article 22.** Critical network equipment and dedicated cybersecurity products shall be subject to security management in accordance with the *Announcement on Adjusting Relevant Matters Concerning the Security Administration of Dedicated Cybersecurity Products* (No. 1 [2023]) issued by the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Finance, and the State Administration for Market Regulation's Certification and Accreditation Administration, and are not included in the *Catalogue of Products Subject to Cybersecurity Labeling*. **Article 23.** These Measures shall come into force as of July 1, 2026. --- ## Data Security Technology — Guide for Personal Information Protection by Small Personal Information Processors (Draft for Public Consultation) - Chinese title: 数据安全技术 小型个人信息处理者个人信息保护指南(征求意见稿) - Abbreviation: Small PI Processor Protection Guide (Draft) - Hierarchy: draft - Issuing body: National Information Security Standardization Technical Committee (TC260) - Status: draft - URL: https://datacompliancechina.com/laws/small-pi-processor-protection-guide-draft/ - Markdown: https://datacompliancechina.com/laws/small-pi-processor-protection-guide-draft.md ### Summary A TC260 draft national standard implementing PIPL Article 62's mandate to write simplified personal-information rules for small processors — those handling fewer than 100,000 people's personal information, such as small merchants, sole proprietors, and community-service providers. It systematically scales down compliance expectations: oral or posted-notice consent in place of layered privacy policies, a five-year (rather than annual) compliance-audit cycle, a one-page impact-assessment worksheet (Annex D) instead of a formal PIPIA report, and SMS or phone verification for identity checks on rights requests. It also sets out four cross-border exemption scenarios and an audit exemption for processors already holding personal information protection certification. For overseas counsel, this is the practitioner-level document defining what proportionate PIPL compliance looks like at the smallest end of the market — the small merchants, franchisees, and local service providers that portfolio companies and platform counterparties often deal with in China. ### Full text **Promulgated by:** National Information Security Standardization Technical Committee (TC260), through the Guobiao (GB/T) recommended national standard process. **Document No.:** GB/T XXXXX—XXXX (standard number and dates not yet assigned). **Status:** Draft for public consultation (征求意见稿), issued April 30, 2026 (as reflected in the source draft filename); not yet adopted or effective. --- ## Foreword This document is drafted in accordance with the rules set out in GB/T 1.1—2020, *Directives for Standardization — Part 1: Rules for the Structure and Drafting of Standardizing Documents*. This document is proposed and administered by the National Information Security Standardization Technical Committee (SAC/TC260). This document was drafted by the National Computer Network Emergency Response Technical Team/Coordination Center of China and its Beijing sub-center, the China Electronics Standardization Institute, Beijing Institute of Technology, Hisense Group Holding Co., Ltd., Beijing Kuaishou Technology Co., Ltd., the Data and Technology Support Center of the Office of the Central Cyberspace Affairs Commission, the State Information Center, the China Cybersecurity Review, Certification and Market Regulation Big Data Center, the National Information Technology Security Research Center, the China Industrial Information Security Development Research Center, Alibaba (Beijing) Software Services Co., Ltd., the China Institute of Cyberspace Studies, the China Academy of Industrial Internet (Cryptography Application Research Center, MIIT), Beijing Topsec Network Security Technology Co., Ltd., the 15th Research Institute of China Electronics Technology Group Corporation, the Shaanxi Network and Information Security Evaluation Center, the China Academy of Information and Communications Technology (CAICT), Ant Group Co., Ltd., Lenovo (Beijing) Co., Ltd., Beijing DeHeng Law Offices, Sangfor Technologies Inc., Beijing Shufeng Technology Co., Ltd., Zhengzhou Yunzhixin'an Security Technology Co., Ltd., Beijing Shu'anhang Technology Co., Ltd., Beijing Weihu Technology Co., Ltd., the National Computer Virus Emergency Response Center, Xi'an University of Posts and Telecommunications, Zhengzhou Xinda Jiean Information Technology Co., Ltd., China United Network Communications Group Co., Ltd., Shenzhen Lalamove Technology Co., Ltd., Venustech Group Inc., Shanghai Xunmeng Information Technology Co., Ltd., the Third Research Institute of the Ministry of Public Security, Beijing UnionPay Card Technology Co., Ltd., Jinlianhuitong Information Technology Co., Ltd., Rockontrol Technology Group Co., Ltd., and Shanghai Electronic Certification Authority Center Co., Ltd. *(Editor's note: the original Foreword also names roughly 70 individual drafters; DCC omits that personal-name roster as immaterial to overseas counsel and retains the institutional drafting-unit list above.)* ## Introduction Because small personal information processors operate at a smaller business scale, handle personal information concerning a smaller number of natural persons, and generally carry out simpler processing activities, they face a very different risk profile — and a very different protective capacity — from large platforms, and the harm to individuals' rights and interests from a security incident at a small processor differs sharply from harm at scale. This standard is issued to implement the requirement in Article 62 of the Personal Information Protection Law of the People's Republic of China (PIPL) that specialized personal information protection rules and standards be formulated for small personal information processors, and to provide concrete, technical implementation guidance for the (forthcoming) *Provisions on Simplified Personal Information Protection Measures for Small Personal Information Processors*. Its purpose is to guide small personal information processors toward a reasonable configuration of personal information protection measures while appropriately lowering compliance costs, and to promote lawful and compliant personal information processing by this group. --- ## 1. Scope This document establishes the security protection principles applicable to small personal information processors when they process personal information, and sets out convenient security protection measures that small personal information processors are advised to adopt in their personal information processing activities. This document applies to guiding personal information protection in the personal information processing activities of small personal information processors. ## 2. Normative References The content of the following documents, through normative references in the text, constitutes indispensable provisions of this document. For dated references, only the edition corresponding to that date applies to this document; for undated references, the latest edition (including all amendments) applies to this document. GB/T 25069, *Information Security Technology — Terminology* GB/T 35273, *Information Security Technology — Personal Information Security Specification* GB/T 39335, *Information Security Technology — Guide for Personal Information Security Impact Assessment* GB/T 45574, *Data Security Technology — Security Requirements for the Processing of Sensitive Personal Information* GB/T 46068, *Data Security Technology — Security Certification Requirements for Cross-Border Processing Activities Involving Personal Information* ## 3. Terms and Definitions The terms and definitions established in GB/T 25069 and GB/T 35273, together with the following term and definition, apply to this document. **Small personal information processors (small personal information processors):** personal information handlers that process the personal information of not more than 100,000 people. ## 4. Overview This standard first sets out the definition and scope of small personal information processors. It then establishes the overall security protection requirements applicable to small processors, including protection principles and the allocation of responsibility. It next provides specific, targeted guidance on the technical personal information protection measures small processors should apply across the personal information processing activities of collection, storage, use, processing, transmission, transfer, provision, disclosure, and deletion. In parallel, it provides specific, targeted guidance on the management measures small processors should apply in the areas of internal rules, personnel management, personal information impact assessment, compliance audit, security-incident response, and safeguarding the rights of individuals. Finally, its annexes provide concise, practical, and highly operable template examples for small processors to use as a reference. ## 5. Overall Security Protection Requirements ### 5.1 General Requirements A small personal information processor's processing of personal information shall follow the principles of lawfulness, legitimacy, necessity, and good faith. The processor is responsible for its own personal information processing activities and shall take necessary measures to safeguard the security of the personal information it processes; simplifying personal information protection processes and lowering compliance costs must not create additional security risk. ### 5.2 Security Protection Principles A small personal information processor carrying out personal information processing activities is advised to follow the following principles: - **Baseline security principle** — a small processor should build security capability commensurate with its own business scale and the order of magnitude of the personal information it processes, and adopt necessary technical and management measures to safeguard the security of personal information. - **Convenience and effectiveness principle** — on the premise of remaining compliant and effective, a small processor may reduce its cost burden through simplified means of giving and withdrawing consent and through convenient channels for safeguarding individuals' rights over their personal information. - **Clear responsibility principle** — a small processor shall delineate clear boundaries of security responsibility, clarify its own security rights and obligations and those of related parties in personal information processing activities, and ensure that responsibility is traceable and risk is controllable, so that responsibility for personal information security is effectively discharged. ### 5.3 Implementing Personal Information Protection When carrying out personal information protection work, a small processor is advised to reasonably select protection measures based on its own business scale, the order of magnitude of the personal information it processes, and the sensitivity of that personal information. Annex A sets out an implementation process for personal information protection by small processors. When implementing personal information protection work, a small processor is advised to satisfy the following rules. Annex B sets out convenience guidance for small processors' data-processing scenarios. - Where personal information processing activities rely on an internet platform, the small processor should give priority to a platform system that has passed a security assessment or certification, and should choose, or require, the platform to adopt necessary security measures to safeguard personal information security; the small processor itself adopts necessary security measures to discharge its own personal information protection obligations. - Where personal information processing activities rely on a standardized system provided by a third party, the small processor is advised to choose, or require, the system service provider to adopt necessary security technical measures to assist the small processor in discharging its personal information protection obligations. - Where personal information processing activities rely on the small processor's own technical capability, and the data-processing scenario is a single, simple function, the small processor shall ensure its personal information collection and processing activities fall within a necessary scope, and may adopt simple and convenient means of implementing consent, withdrawal of consent, and other protection measures. - Where personal information is collected and processed by offline registration, the small processor is advised to keep paper registration materials in a filing cabinet accessible only to authorized personnel, and, once such materials are no longer in use, to destroy them by shredding, incineration, or similar means and retain a destruction record. ## 6. Technical Measures for Personal Information Protection ### 6.1 Personal Information Collection Where a small personal information processor collects personal information on the basis of the individual's consent as the lawful basis for processing, it is advised to consider the following factors: - Truthfully, accurately, and completely inform the individual of the small processor's name, the personnel handling personal-information-protection complaints and reports and their contact details, the purpose and method of processing the personal information, the categories of personal information processed, the retention period, and other matters — using notice methods that are as simple, convenient, and clear as possible, including but not limited to: for offline collection, oral notice or a notice posted in a prominent location at the place of business; for online collection, a service agreement, an audio or video message, or a pop-up reminder; where processing relies solely on a platform and the platform has already discharged the notice obligation, the small processor need not give separate notice. - When ceasing operation of its product or service, avoid continuing to collect personal information on any ground. - Collect only the personal information directly related to realizing the business function of the product or service. - "Directly related" means that, without the participation of that item of personal information, the function of the product or service cannot be realized. ### 6.2 Personal Information Storage A small personal information processor that stores personal information is advised to satisfy the following requirements: - When storing personal information, apply protective measures to storage devices, media, and files — for example, placing them in a secure environment or setting a secure password. - Other than necessary backups, minimize the copying and storage of personal information. - The retention period for personal information shall be the shortest time necessary to achieve the purpose authorized by the individual concerned. - Once the retention period has expired, delete the personal information directly. ### 6.3 Personal Information Use and Processing A small personal information processor that uses and processes personal information is advised to satisfy the following requirements: - Use and process personal information in accordance with the purpose, scope, method, and means already disclosed at the collection stage. - Prevent personal information from being learned by any individual, organization, or institution unrelated to the processing purpose. - Establish an approval procedure for material operations on personal information, such as bulk modification, copying, or downloading. - Where personal information is processed using a third-party system, platform, or tool, retain basic information such as the name and provider of that third-party system, platform, or tool. - Avoid using personal information to conduct automated decision-making; where necessary, avoid unfair differential treatment of different users in transaction price, transaction opportunity, or other transaction conditions when using personal information for automated decision-making, and, where information push notifications or marketing are conducted through automated decision-making, provide the individual with a convenient means of refusal. - "Automated decision-making" means the activity of automatically analyzing and assessing an individual's behavioral habits, interests, or economic, health, or credit status through a computer program, and using that analysis to make decisions. ### 6.4 Personal Information Transmission and Transfer A small personal information processor is advised to avoid publicly transmitting personal information over a network; when transmitting personal information, it is advised to avoid plaintext transmission, or to adopt certain security measures, such as encrypting the transmitted content or using an encrypted channel. Where the individual concerned requests that personal information be transferred to a personal information processor of their designation, the small processor is advised to provide a corresponding transfer channel; where this is technically difficult to achieve, the small processor should clearly inform the individual of that fact. ### 6.5 Entrusted Processing, Provision, and Disclosure of Personal Information A small personal information processor is advised to avoid entrusting the processing of, providing, or disclosing personal information; where business needs make this genuinely necessary, it is advised to satisfy the following requirements: - Where personal information processing is entrusted to a third party, avoid exceeding the scope of authorization and consent already obtained from the individual concerned. - Where personal information is provided to another party, inform the individual concerned of the purpose and category of the information provided and its impact on the individual's rights and interests, obtain the individual's authorization and consent, and adopt necessary security measures for the personal information provided. - Where personal information is disclosed, inform the individual concerned of the purpose and category of the disclosure and obtain the individual's separate consent, and it is advised that de-identification or other protective measures be applied to the disclosed personal information. ### 6.6 Deletion of Personal Information A small personal information processor that deletes personal information is advised to satisfy the following requirements: - Delete personal information promptly once the retention period disclosed at the collection stage has been exceeded, once the processing purpose disclosed at the collection stage has been achieved, or once the individual concerned has legitimate grounds to request that the small processor delete their personal information. - Delete the personal information it holds promptly upon its own bankruptcy or dissolution, or where it can no longer continue to fulfill the personal-information processing purpose it committed to. - Where deletion of personal information is technically difficult to achieve, the small processor may request technical assistance from the relevant authorities. ### 6.7 Processing of Sensitive Personal Information A small personal information processor that processes sensitive personal information for a specific purpose is advised to satisfy the following requirements: - Inform the individual of the necessity of processing sensitive personal information and its impact on the individual's rights and interests. - Where an individual, with full knowledge, voluntarily cooperates in providing sensitive information such as facial or biological-sample information, the small processor may process that sensitive personal information in accordance with the purpose, method, and category already disclosed. - A small processor whose activities involve the processing of sensitive personal information may refer to GB/T 45574, *Security Requirements for the Processing of Sensitive Personal Information*, and similar standards. ### 6.8 Cross-Border Provision of Personal Information A small personal information processor providing personal information (excluding important data) outside China's borders is exempt from filing a declaration for the Data Export Security Assessment, executing the personal information Standard Contract, or obtaining Personal Information Protection Certification where it meets any one of the following conditions: - The cross-border provision of personal information is genuinely necessary to conclude or perform a contract to which the individual is a party — for example, cross-border shopping, cross-border courier delivery, cross-border remittance, cross-border payment, cross-border account opening, flight or hotel booking, visa processing, or examination services. - The cross-border provision of employee personal information is genuinely necessary to implement cross-border human-resources management under labor rules lawfully formulated and a collective contract lawfully concluded. - The cross-border provision of personal information is genuinely necessary, in an emergency, to protect the life, health, or property safety of a natural person. - The personal information handler, other than a critical information infrastructure operator, has provided outside China's borders, cumulatively since January 1 of the current year, the personal information (excluding sensitive personal information) of fewer than 100,000 people. - A small processor whose activities involve cross-border processing of personal information may refer to GB/T 46068, *Security Certification Requirements for Cross-Border Processing Activities Involving Personal Information*, and similar standards. ## 7. Management Measures for Personal Information Protection ### 7.1 Internal Rules A small personal information processor is advised to promptly formulate and issue internal management rules for personal information protection, covering necessary protection measures for personal information processing, personnel management, compliance audit, security-incident response, and safeguarding individuals' rights over personal information. A small processor's personal information processing rules may stand as an independent document or be included within its broader organizational management documents; a template is provided at Annex C. ### 7.2 Personnel Management A small personal information processor is advised to properly establish a personnel management mechanism, satisfying the following requirements: - Provide relevant security education to personnel involved in processing personal information, so that they understand the internal rules and their awareness of personal information protection is raised. - Designate personnel responsible for personal information protection work. - Based on actual need, set differentiated access and processing-operation permissions for personnel involved in processing personal information, and promptly revoke the accounts and permissions of personnel who leave their post or the organization. ### 7.3 Personal Information Impact Assessment Where a small personal information processor uses personal information for automated decision-making, or entrusts the processing of, provides, or discloses personal information, it is advised to carry out a personal information protection impact assessment beforehand: - The processor may simply complete the simplified personal information protection impact assessment worksheet in Annex D to record the processing situation, retaining it for at least three years, without the need to produce a standalone report, and adopt targeted protective measures based on the assessment result. - Where this is technically difficult to achieve, the processor may entrust a third party to assist in completing it. ### 7.4 Compliance Audit A small personal information processor, taking account of its own actual circumstances, is advised to periodically conduct an internal compliance audit of its compliance with laws and administrative regulations in processing personal information, considering the following factors: - Conduct a personal information protection compliance audit at least once every five years. - The processor may select the key items of a personal information protection compliance audit and prepare a streamlined self-inspection checklist covering those key items to carry out self-inspection; the self-inspection checklist shall be retained for at least five years. - Where this is technically difficult to achieve, the processor may entrust a third party to assist in completing it. - A small processor may pursue personal information protection certification through a personal information protection certification body; a small processor that has obtained personal information protection certification may, during the validity period of the certification, be exempted from conducting a personal information protection compliance audit. ### 7.5 Security-Incident Response In responding to security incidents such as the leakage, tampering, or loss of personal information, a small personal information processor is advised to consider the following factors: - Formulate an emergency response plan for personal information security incidents; once a security incident has occurred, or the processor discovers that one may have occurred, promptly report the relevant details of the incident to the relevant authorities (see the template at Annex E). - Promptly take remedial measures in response to a security incident that has occurred or may occur; where the processor lacks the capacity to remedy the incident, it is advised to promptly report to and seek assistance from the relevant authorities. - Where a security incident that has occurred or may occur endangers individuals' rights and interests in their personal information, promptly inform the affected individuals by an appropriate means such as orally, by SMS, or by telephone. Where it is difficult to notify each individual concerned individually, the processor may adopt a reasonable and effective means of issuing a public warning notice relevant to the affected public — for example, posting a notice in a prominent location at the place of business, or issuing an announcement by pop-up window within the client end of the product or service. - Where the incident involves a criminal offense, promptly report it to the public security organs. ### 7.6 Safeguarding the Rights of Individuals over Their Personal Information In responding to an individual's request to access, copy, correct, supplement, or delete their personal information, a small personal information processor is advised to consider the following factors: - Respond promptly to the individual's rights request, providing the requested service after a simple verification of the individual's identity; identity verification may be conducted by telephone or SMS verification, and, where the processor relies on a mini-program or similar channel to provide its service, a corresponding function may be added within the mini-program's development. - Where the processor's own technical conditions cannot currently accommodate the request, promptly and truthfully inform the individual of that fact and handle the request by the means that has the least impact on the individual's rights and interests — for example, where the processor relies on a mini-program or similar channel to provide its service, it may entrust the mini-program's development provider to assist in completing the request. --- ## Annex A (Informative) — Implementation Steps for Personal Information Protection by Small Personal Information Processors Annex A sets out a general implementation process for personal information protection by small personal information processors, illustrated in Figure A.1. Using a supermarket as an illustrative scenario — a supermarket that processes the personal information of not more than 100,000 people cumulatively over the course of a year qualifies as a small personal information processor — its implementation steps proceed as follows: - **Step 1:** Determine, against the definition of a small personal information processor, whether the supermarket qualifies as one. If it does, proceed to Step 2; if not, the process ends. - **Step 2:** Identify what personal information the supermarket processes. Applying Annexes A and B of GB/T 35273, determine whether sensitive personal information or cross-border personal information processing is involved. - Where sensitive personal information processing is involved, refer to GB/T 45574-2025, *Security Requirements for the Processing of Sensitive Personal Information*; where cross-border personal information processing is involved, the exemptions available under the relevant national rules apply. - Where sensitive personal information processing is not involved, proceed to Step 3. Example: name and mobile number collected when registering a supermarket membership card are general personal information; facial-feature information captured by in-store cameras is sensitive personal information. - **Step 3:** Identify which stages of general personal-information processing the supermarket's activities involve, and what measures should be taken at each stage. - Where personal information is used for automated decision-making, or is entrusted for processing, provided to others, disclosed, or otherwise involved in personal information processing activities that materially affect individuals' rights and interests, conduct a personal information protection impact assessment with reference to Annex D. - For the example supermarket, the relevant processing stages and corresponding measures are: - **Collection** (membership registration): post a notice in a prominent location in-store informing customers that registering a membership card requires collecting their name and mobile number, that this information is used only for the membership card, and that no other information is collected. - **Storage** (retaining member information): set passwords, updated periodically, on the computer and membership-management system storing member information, and prevent personnel unrelated to processing member information from knowing the password. - **Use and processing** (checkout with the membership card, balance inquiries, promotional push notifications to members): respond promptly to a member's balance inquiry, and may charge a reasonable fee for unusually frequent inquiries within a given period; obtain the member's own consent before sending (or mass-sending) in-store promotional discount messages, and restrict sending to designated in-store staff only. - **Deletion** (member cancels their membership; store closes): delete the member's personal information from the computer or membership-management system storing it, and format or physically destroy the hard drive, seeking technical guidance from the relevant authorities where necessary. - What management measures should be adopted? - **Rules and personnel requirements:** post the internal management rules in a prominent location in-store, and ensure in-store personnel understand their content (template at Annex C). - **Education and training:** reinforce day-to-day reminders and clarify points requiring attention, to raise in-store personnel's awareness of personal information protection. - **Routine management:** periodically inspect stored member personal information and the computers or devices storing it; once a security incident such as a personal information leak is discovered, proceed to Step 4. - **Step 4:** What measures should be taken once a personal information security incident occurs? - Understand the circumstances of the incident. - Promptly report to the relevant authorities in accordance with the content set out in the security-incident report template at Annex E. - Where the leak, tampering, or loss of personal information could not be effectively prevented and has caused harm, notify affected members by SMS, telephone, or similar means; where a member cannot be reached, post a notice at the entrance disclosing the circumstances of the incident. ## Annex B (Informative) — Convenience Guidance for Typical Personal Information Processing Scenarios of Small Personal Information Processors ### B.1 General Personal Information Processing Scenarios **B.1.1 Reliance on an internet platform.** By integrating internet-platform services, or operating a storefront on an internet platform, a small processor can lower its own development costs and the complexity of meeting compliance requirements. - *Onboarding and reliance:* when operating on an internet platform (e-commerce, food delivery, intermediary platforms, etc.), expressly invoke and follow the platform's published privacy policy, emphasize to users that information will not be used beyond the platform's authorized scope, and set up a brief, clear privacy-commitment module on the storefront page. - *Pop-up confirmation and logging:* when using platform services such as mini-programs, set an unavoidable notice pop-up or link on key pages (order page, registration page) that prompts the user to click to confirm, with the platform's backend automatically retaining a record of the user's consent action (IP address, timestamp, etc.). - *Platform-embedded automated tools:* rely on functions the platform already provides — the statutory notice pop-up and click-logging built into a platform's order page, an e-commerce platform's "automatic clean-up on transaction completion" mechanism, cloud backup within chat tools, and similar features — to ease the burden on individual operators of keeping records and demonstrating compliance on their own. **B.1.2 Reliance on a standardized system.** By adopting a standardized information system or management tool, a small processor can establish a process-driven personal information processing mechanism. - *Self-service functions for users:* build a standardized "personal center" or "privacy management" module into the information system, letting users query, correct, or export their information, set notification preferences, and unbind, cancel, or pause the service with one click. - *Structured display and layered consent:* in electronic agreements or online forms, use a standardized four-column table ("information type — processing purpose — recipient — retention period"), an embedded notice box, and layered opt-in consent (distinguishing necessary information from sensitive information) to display processing rules clearly and in structured form. - *Automated deletion triggers:* build a systematic information-deletion mechanism — for example, "automatic clean-up seven days after parcel receipt," "system anonymization 90 days after successful payment," or "seller-side address automatically cleared 30 days after transaction completion" — driven by system rules to reduce manual intervention and the risk of oversight. **B.1.3 Reliance on the processor's own technical capability.** Through self-developed or custom-commissioned digital tools, a small processor can improve user experience and its own control over information. - *Diversified notice and confirmation channels:* use SMS, instant-messaging apps, and other technical means to give notice and obtain confirmation — for example, sending a standard SMS template with a link the user must click to confirm, or, in a WeChat group, using a sign-up ("接龙") tool combined with upfront notice, an opt-in checkbox, and an automatic timestamp. - *Information grading and encryption management:* apply tiered technical management by sensitivity — for example, encrypted storage and access controls for sensitive information such as exercise prescriptions or fitness-test data; for online bookings, allowing users to provide only a building number rather than a precise unit number, with staff confirming the exact address on-site, reducing the granularity of information exposed. - *Alternatives and user-selectable preferences:* offer technically implemented options on the front end of the service — for example, a choice of facial recognition, an access card, or a passcode for building-entry systems; or, for payment and notification scenarios, letting users choose their own payment method (per-use, membership, ETC) and notification channel (SMS, WeChat, phone), switchable at any time. **B.1.4 Offline methods.** Simple interaction can also be achieved through physical media and face-to-face communication, without relying on any digitized system. - *Prominent posted notices:* post a clearly printed *Brief Personal Information Processing Notice*, *Informed Consent Form*, *Notice*, or an illustrated *Vehicle Information Processing Disclosure* at the entrance, front desk, pickup counter, or bulletin board of the place of business. - *Printed and standardized documents:* include a standalone personal information processing clause or attachment, in bold print, in registration forms and service agreements; use standardized paper documents such as a *Separate Consent Confirmation Form* or a *Supplementary Information Collection Notice*, signed or handwritten by the user on-site, and keep a paper file. - *In-person window service and oral notice:* keep a physical service window or telephone hotline offering prompt in-person correction (verify identity, then correct and confirm on the spot), access (verify identity, then provide a paper copy), and deletion requests (phone or written request, with a response on the outcome); supplement telephone orders, on-site registration, or first contact with standardized oral notice. ### B.2 Typical Personal Information Processing Scenarios #### B.2.1 Community Clinics and Small Medical Institutions *Typical processing scenario and necessary personal information collected:* collection, during a patient visit, of the patient's name, contact details, medical history, visit records, biometric information, and similar data. *Convenience guidance:* 1. It is advised that, on the registration form used at the visit, printed clauses in a prominent location set out the core elements — the personal information handler's name and contact details, the categories and purpose of the information collected, the retention period, and how the patient may exercise their rights. Beyond disclosure on the registration form and in the electronic system, it is advised that a *Brief Personal Information Processing Notice* be posted in a prominent location in the waiting area, listing in table form the categories of information, the processing purpose, the retention period, and how patients may exercise their rights. For an online booking system, it is advised that, before the user clicks "agree," the core content be displayed by pop-up window or an expandable menu, avoiding a lengthy, fully embedded privacy policy. For sensitive personal information such as medical history or biometric information, it is advised that a *Separate Consent Confirmation Form* be used, marking in bold the specific purpose of using the information and the consequences of refusal, confirmed by the patient's signature or electronic handwritten signature. 2. For non-core treatment purposes (such as health promotion or satisfaction follow-up), it is advised that the registration form include a separate "do not agree to receive non-treatment information" option, allowing the patient to selectively decline. For secondary use of information for research purposes, express opt-in consent should be obtained, and the patient should be informed that consent may be withdrawn at any time through the visit window, telephone, or online system, and that withdrawal will not affect the patient's ordinary course of treatment. #### B.2.2 Community Property-Management Terminals *Typical processing scenario and necessary personal information collected:* collecting the owner's name, contact details, and property information, used for access-control management, property-fee notices, and similar purposes. *Convenience guidance:* 1. It is advised that the *Property Services Agreement* include, as a standalone attachment or dedicated section, a four-column table — "information type — processing purpose — recipient — retention period" — clearly presenting the personal information processing clauses. For new owners moving in, it is advised that a *Personal Information Processing Informed Consent Form* be issued at the time of handover, with the owner's signature confirming that they have been informed of the processing rules. For day-to-day services such as access control and fee notices, it is advised that a QR code be posted on the community bulletin board and at unit entrances, which owners may scan to view a simplified privacy policy. Where services are provided through a WeChat mini-program or app, the complete notice content should be displayed by "pop-up plus link" at the user's first registration or login, with the system backend automatically retaining a record of the confirmation once the user clicks to confirm. 2. It is advised that property service points maintain a service window covering an "information correction" function, so that an owner presenting proof of property ownership and identification may have their contact details or emergency contact updated on the spot, confirmed by the handling staff member's signature and updated in the property system. 3. For sensitive data such as facial information used in access control, it is advised that both online and offline withdrawal mechanisms be provided: an owner may submit a request to delete biometric information through the "privacy settings" module of the property's app, or submit a written request to the property service center, with technical deletion completed and the outcome reported back within three working days. 4. For access-control management, it is advised that a "choice of alternative method" be offered, letting owners choose facial recognition, an access card, or a passcode, without compelling the collection of biometric information; for fee-notice services, it is advised that a choice of notification channel (SMS, WeChat, paper notice) be offered at move-in registration, with owners permitted to adjust their preference at any time through the app. #### B.2.3 Domestic-Service, Cleaning, Repair, and Locksmith Companies *Typical processing scenario and necessary personal information collected:* collecting the user's name, contact details, and address in the course of providing an on-site service. *Convenience guidance:* 1. It is advised that, on the order-confirmation page, an embedded information box concisely set out the necessity and retention period of collecting the name, phone number, and address (for example, "automatically deleted 30 days after the service is completed"). For customers who place orders by phone, it is advised that a standard SMS notice template be sent: "[Company name] will collect your address and phone number to provide the service, and will delete them 30 days after the service is completed." It is advised that the service technician give supplementary oral notice of the scope of information use before entering the home, and present the company's *Personal Information Protection Undertaking*. 2. The customer may request immediate deletion through the mini-program's "My Orders — Privacy Management" function or by calling the service hotline, and the company should respond within 24 hours. 3. For an order placed but not yet serviced, it is advised that a "one-click cancellation" function be provided, allowing the user to cancel the order and simultaneously withdraw authorization for use of their information within the app or mini-program, with the system automatically blocking the service technician's access to the information. 4. It is advised that the order-placement interface offer a choice of information granularity, allowing the user to provide only a building number and phone number rather than a precise unit number, with the exact unit confirmed by the technician on arrival; for post-service follow-up review requests, it is advised that a "default not agreed" preset option be used, requiring the user to actively opt in before receiving coupons or a satisfaction survey, so as to avoid default marketing push notifications. #### B.2.4 Fitness and Wellness Providers (Gyms, Dance Studios, Yoga Studios, etc.) *Typical processing scenario and necessary personal information collected:* collecting the user's personal information, contact details, and health data at membership registration. *Convenience guidance:* 1. It is advised that the membership registration agreement attach an "information collection checklist" clearly distinguishing "necessary information" from "sensitive information" (such as health data), with collection of sensitive information requiring an "active opt-in plus second confirmation." For behavioral-trace information captured by in-store cameras, it is advised that a *Video Collection Notice* be posted in a prominent location at the entrance, stating the monitoring scope, retention period (e.g., "recordings retained for 30 days"), and how to access them. It is advised that a front-desk tablet or similar device be used to present the full processing flow in simple form, such as a short video or plain text. For an institution offering online booking or course management, the registration page of the app or mini-program should provide a notice link, requiring the user to check "I have read and agree to the Personal Information Protection Policy" before completing registration, with the system backend automatically recording the user's consent action along with IP address, time, and similar details. 2. For marketing push notifications, it is advised that both an SMS "unsubscribe code" and an in-app "turn off push notifications" option be offered; for membership cancellation, it is advised that a "one-click cancellation" flow be set up at the front desk or in the app, with system deletion completed within 15 days of confirmation, and biometric-information caches associated with turnstiles, lockers, and similar systems cleared within a defined period thereafter. 3. Sensitive information such as fitness-test data and exercise prescriptions should be stored under encryption (for example, on dedicated hardware) with access restricted to the designated personal trainer, and access permissions should be revoked when staff transfer or leave. 4. Depending on membership tier, basic members need only provide contact details, while premium members or those taking personal-training courses may optionally provide health data, but must separately sign a *Health Information Processing Authorization*, and must be clearly informed that "declining to provide it does not affect basic membership rights." For group-class recordings used for promotion, it is advised that a "consent checked class-by-class" mechanism be used, with each student independently consenting to use of their image before each session, and those who decline still able to be seated outside the filming area. #### B.2.5 Small Training Institutions, Adult Night Schools, and Interest Classes *Typical processing scenario and necessary personal information collected:* collecting and storing the student's and parent's name, mobile number, ID number, and similar information. *Convenience guidance:* 1. Beyond what the contract provides, it is advised that a *Brief Personal Information Processing Disclosure* be posted in a prominent location at the reception desk and classroom entrance, in a "information category — processing purpose — recipient — retention period" four-column table listing the necessary information collected (student name, contact details, learning progress, etc.), and stating that "this institution does not provide personal information to outside parties, except where necessarily shared with a bank or payment platform for refunds or class-hour reconciliation." For an online enrollment system, the core clauses should be displayed by pop-up, link, or annotation before the user fills in their information, avoiding a lengthy privacy policy embedded in full. For minors' information, it is advised that a separate *Parental Informed Consent Form* be printed, stating in bold that "the guardian has the right to withdraw consent at any time, and withdrawal will not affect teaching services already provided." 2. It is advised that a "self-service personal information inquiry" entry point be set up in the institution's official account or student system, allowing the student or parent to export their course agreement, payment records, and attendance data in real time using their registered mobile number and a verification code. 3. For changes to a student's contact details or emergency contact, it is advised that both "phone confirmation for immediate correction" and "online request for asynchronous correction" be offered; after the front desk verifies identity by phone, the system update should be completed within one working day, with the outcome confirmed by SMS. 4. It is advised that the *Withdrawal Application Form* embed a "withdrawal of consent to personal information processing" checkbox, allowing the student, when withdrawing, to also request deletion of non-essential information such as class-hour records and grades. The institution should complete deletion within 15 working days and issue a confirmation document. #### B.2.6 Offline Event Organizers (e.g., Lecture Hosts) *Typical processing scenario and necessary personal information collected:* collecting participants' name and phone number for registration, potentially including event photographs. *Convenience guidance:* 1. It is advised that the registration page include a concise notice box (recommended not to exceed 100 characters) stating that "the name and phone number collected will be used only for verification and contact for this event, and will be deleted within 30 days after the event ends," with the user's submission of their information deemed consent. For on-site registration, it is advised that a paper *Personal Information Processing Disclosure* be placed at the check-in table, with staff giving oral notice of the purpose for the participant's voluntary reading. For photography or video recording and archiving of the event, it is advised that an *Image Collection Notice* be posted prominently at the venue entrance, stating the scope of filming, the purpose of use (e.g., "for use in an event recap post"), the retention period, and how to decline (e.g., "you may be seated in an unfilmed area at the back"). 2. *Right to deletion and withdrawal of consent:* it is advised that an email contact channel for withdrawal be provided, allowing a participant to cancel their registration and request deletion of their information via the contact email on the registration link before the event; after the event, it is advised that a dedicated mailbox be opened to handle photo-deletion requests, with staff completing an internal check and deleting the relevant images within five working days and confirming deletion by email. 3. For information such as group photos or close-up shots from the event that might reveal identity, it is advised that a "notice at the time, prompt deletion afterward" mechanism be used: the host announces on-site, "we will be photographing the event; anyone who does not wish to be photographed, please let a staff member know," and images of those who declined to be photographed are proactively deleted within seven days after the event. 4. At registration, it is advised that a choice between "basic information" and "full information" be offered — basic information being only name and phone number, with full information optionally adding organization, title, and similar details — letting participants decide for themselves which to provide. For use of event photographs, it is advised that "archival retention" and "promotional use" be treated as two separate layers of consent: the former, necessary for event organization, relies on contractual performance and needs no separate consent; the latter, used for official-account posts or institutional promotion, requires express consent, and those who decline to be filmed may still attend normally without discrimination in seating. For subsequent course promotion or lecture-notice push messages, it is advised that the registration form include a separate "willing to receive future event information" option, unchecked by default, with participants receiving such messages only after actively opting in, and each promotional SMS ending with a simple opt-out instruction such as "reply T to unsubscribe." #### B.2.7 Food-Delivery Storefronts *Typical processing scenario and necessary personal information collected:* obtaining the customer's delivery address, phone number, and order preferences through a third-party platform or a self-operated channel. *Convenience guidance:* 1. It is advised that a combination of platform-rule incorporation and self-operated-channel supplementary notice be used. For orders received through a third-party platform (such as Meituan or Ele.me), the storefront should, when signing the platform's merchant-onboarding agreement, expressly incorporate the platform's published privacy policy, and use bold text or underlining to tell users "this store undertakes not to use your personal information beyond the platform's authorized scope," with the store's person in charge signing to confirm and retaining the agreement or an electronic screenshot. A privacy-commitment module should be set up in a prominent location on the storefront page, using plain text of no more than 150 characters stating "this store uses your information only for order delivery, for no other purpose." Where orders are taken through a self-operated mini-program, official account, or phone, an unavoidable notice pop-up should be set on the user's first order page, covering the store's name and contact details, the categories of information collected (delivery address, phone number), the processing purpose (order delivery), the retention period (deleted 30 days after order completion), and the user's rights. All notice records should be archived by screenshot or recording. In addition to consent obtained via the platform, it is advised that a *Brief Personal Information Processing Disclosure* be posted in a prominent location at the register or pickup counter, stating clearly that "this store obtains only the information necessary for order delivery through the platform, and does not separately collect other personal information from customers." 2. Where a delivery address is incorrect, it is advised that the user be allowed to correct it directly through the platform or by calling the store before delivery, with the store noting the correction in its order system and completing the update within one hour to avoid affecting delivery. 3. For historical order information, it is advised that both a "platform channel" and a "direct store deletion" path be offered; in addition to deleting through the platform, the user may call the store to request immediate deletion, with the store completing internal system clean-up and confirming deletion within 24 hours. 4. It is advised that the platform's order-remarks field or the mini-program's order page offer an "information retention preference" option, letting the user choose "delete contact details immediately after the meal" or "retain for 30 days for after-sales service." For the store's own membership program, it is advised that membership registration be kept separate from consent to marketing: the user's registration should collect only their mobile number, and marketing SMS or community invitations must use an "active opt-in" mechanism, unchecked by default, with each marketing SMS ending with a simple opt-out instruction such as "reply N to unsubscribe." #### B.2.8 Community Group-Buying Organizers *Typical processing scenario and necessary personal information collected:* compiling residents' purchase lists, delivery addresses, and home addresses. *Convenience guidance:* 1. When a group is formed, the organizer should post a *Personal Information Processing Rules* announcement in the group, concisely stating the organizer's identity and contact details, the categories and purpose of information collected, the retention period, and members' rights, and requesting members to reply to confirm. For tools such as sign-up mini-programs or group-buying apps used to collect information, a notice summary should appear at the top of the sign-up page, with a QR code linking to the full notice content embedded, and participants must actively check "I have read and agree to the personal information processing rules" before first entering their information, with the system backend automatically recording the timestamp of the checkbox action. For new group members, the organizer should periodically (e.g., monthly) re-push the notice announcement to ensure continuity of disclosure. All notice screenshots and system records should be archived by month. 2. It is advised that an "my information" query entry be set up within the group-buying mini-program, letting residents self-check their participation records and delivery address; for a purely offline sign-up model, the group leader should maintain a *Participant Information Register* for reference, verifying identity before providing a photo or paper copy within three days when a resident requests to view their information. 3. It is advised that a rule be made clear that "leaving the group-buying group is deemed withdrawal of consent," with the group leader deleting the departing resident's address, phone number, and other information stored in the group's sign-up tool and the leader's own devices. 4. Where a resident needs to change their delivery address or phone number, it is advised that they be allowed to re-submit directly via the sign-up mini-program or group chat before the cut-off time, with the group leader updating the tally accordingly; for orders past the cut-off date, it is advised that the correction be confirmed by phone with the group leader and made manually, with the outcome communicated to the resident. 5. When providing their address, residents may choose to "provide only the building and unit number, with the exact door number confirmed on-site by the group leader at delivery," reducing the risk of exposing a precise address. For post-group-buying satisfaction follow-up or notice of the next group, it is advised that a "default not agreed" preset option be used; if the group leader wishes to contact residents after the group period ends, separate private consent must be obtained, and the leader must not publicly @-mention or mass-message marketing information in the group. #### B.2.9 Parcel Pickup Stations *Typical processing scenario and necessary personal information collected:* delivery address, contact details, and home address. *Convenience guidance:* 1. It is advised that a combination of on-site disclosure and individual notice at pickup be used. Specifically, a *Personal Information Processing Notice* should be posted in a prominent location at the station's entrance, shelving, and pickup counter, covering the station's name and contact details, the source of the information (provided by the courier company), the processing purpose (parcel receipt and dispatch on behalf of the sender/recipient), the retention period (deleted seven days after parcel pickup), and the user's rights, in type no smaller than a specified minimum size, with a record kept by video surveillance or written log. Where the station notifies users of a pickup by SMS or WeChat, the message should embed a notice link or QR code, with the user's act of viewing it deemed receipt, and the corresponding send records archived. 2. It is advised that a "pickup automatically triggers deletion" mechanism be established, with the system automatically clearing the user's phone number and address 30 days after confirming the parcel has been collected. Users may also apply through the station's mini-program or by phone for earlier deletion, with the station completing internal system and SMS-record clean-up within three working days. 3. For long-term storage users, it is advised that a "pause collection service" function be provided, allowing the user to pause the pickup service with one click in the mini-program, upon which the station should immediately stop sending notification SMS and delete the reserved address information. 4. Users should be allowed to choose their preferred notification method — SMS, WeChat, Alipay, or phone — and to switch it at any time in "privacy settings." For a "photograph on pickup" service, it is advised that a "default not agreed" option be used, requiring the user's active authorization before a photo of the parcel is taken, with the photo used only for dispute resolution and automatically deleted within seven days of pickup; users may also request pickup without a photograph. #### B.2.10 Parking-Lot Operators *Typical processing scenario and necessary personal information collected:* collecting the license plate number and payment information via QR code, for fee calculation and payment-success notification. *Convenience guidance:* 1. Beyond the notice on the QR-code payment page, it is advised that a *Vehicle Information Processing Disclosure* be posted in a prominent location at the parking lot's entrance booth, beside payment QR codes, and on interior pillars, using text and images to disclose that "the license plate is scanned to calculate the parking fee, the QR code is scanned for payment, and information is retained for 90 days after payment is completed." For contactless-payment users, it is advised that an "SMS notice plus click-to-confirm" approach be used at first sign-up, sending a notice message that the user must click a link to confirm. It is advised that a notice summary be embedded in the remarks field of the electronic invoice or payment receipt issued after successful payment, to reinforce user awareness. 2. Beyond cancellation via customer service, it is advised that an "unbind license plate" self-service function be set up in the mini-program, allowing the user to delete their license-plate information with one click in "my vehicles," with the system completing deletion and ending the billing association within 24 hours. For parking-surveillance footage, it is advised that the notice clearly state the retention period and how to access the footage, letting users request to view the segment involving their own vehicle, with the parking lot providing it and logging the access within five working days. 3. It is advised that the payment page offer a choice of payment method and information-retention preference: users may choose "single scan-and-pay (no information retained)," "membership contactless payment (license plate and payment information retained)," or "ETC-linked payment," each with different information-processing rules, switchable at any time. For long-term parkers, users may be allowed to choose their own retention period for parking records, with the system automatically anonymizing the data once that period expires. #### B.2.11 Freelancers and Individual Service Providers (e.g., Photographers, Personal Trainers) *Typical processing scenario and necessary personal information collected:* retaining the client's contact details via social media or a contract, with a photographer, for example, additionally retaining the client's facial-image information. *Convenience guidance:* 1. It is advised that the *Service Contract* or electronic order include a "personal information processing clause," in bold or underlined form, listing the service provider's name and contact details, the categories of information collected (client name, phone number, address, portrait photographs, health data), the processing purpose (service performance, delivery of work product, after-sales communication), the retention period, and the client's rights, confirmed by the client's signature or electronic signature. Where a transaction is concluded through a social tool such as WeChat or Alipay, a standardized notice text should be sent at first contact (for example: "To protect your personal information, this service will collect and use your name, phone number, and address only for service performance, and you may request deletion at any time"). For sensitive personal information such as facial images or health data, a separate *Sensitive Information Processing Notice* should be sent, clearly stating the scope of use (e.g., "photographs are used only for retouching and delivery, not for commercial use"), with the client's separate written or verbal confirmation obtained (a verbal confirmation should be transcribed and the transcript screenshotted). 2. Where the client's contact details change, it is advised that correction be permitted via WeChat, SMS, or similar means, with the individual service provider verifying identity and updating the information, with confirmation, within two days. 3. It is advised that it be made clear that "a client's oral or written request triggers withdrawal," with the individual service provider deleting the client's information within 15 days of receiving the withdrawal request (except where retention is legally required), and reporting the outcome to the client by a deletion-confirmation notice or similar means. For facial-image information, it is advised that the provider commit to "deleting the original material immediately after the project ends, retaining only the finished images confirmed by the client," with the client entitled to request complete deletion of the raw files after the finished images are delivered. 4. For contact details necessary for a basic service (such as booking a shoot date or scheduling personal-training sessions), a lawful basis of service performance may be relied on, without compelled separate consent; for value-added uses (such as using the work for the provider's own promotion or client case studies), an "active opt-in" model must be used, separately itemized in the contract, allowing the client to authorize on a scenario-by-scenario basis. For video outtakes filmed by a photographer or training videos recorded by a personal trainer, it is advised that tiered authorization options be offered: (1) for the client's personal viewing only; (2) usable in the provider's portfolio (anonymized); (3) usable for social-media promotion (with the client's nickname credited). The client may choose their authorization level before the service begins and adjust the scope of authorization at any time during the service via WeChat or a similar channel. #### B.2.12 Homestay and Short-Term-Rental Hosts *Typical processing scenario and necessary personal information collected:* registering a guest's ID number, ID photograph, or photocopy of the ID, and check-in time. *Convenience guidance:* 1. It is advised that a combination of platform-rule incorporation and on-site notice be used. The listing page should state that the host follows the platform's privacy policy, with notice and confirmation given for the legally required collection of ID information at check-in. For the statutorily required collection of ID-document information, it is advised that the check-in registration page or paper register carry the wording, "Pursuant to Article 6 of the Administrative Measures for Public Security in the Hotel Industry, I consent to providing and registering my identity-document information," confirmed by the guest's signature, with the register bound and filed annually. For non-mandatory information (such as license plate number, co-occupant information, or stay preferences), a separate *Supplementary Information Collection Notice* should be used, listing in handwritten or printed form the type of information, its use (e.g., "license plate number used for a complimentary parking record"), and its retention period (deleted seven days after check-out), with the guest separately checking a box or signing to consent. A *Personal Information Processing Notice Card*, in type no smaller than a specified minimum size, may also be placed in a prominent location in the room (such as the coffee table or bedside). 2. It is advised that a guest-information record function be maintained at the front desk or on a management platform; where a guest requests to view their information, the host should verify the guest's ID against the check-in record and then provide, on the spot, the portion of the check-in registration form pertaining to that guest. 3. Where a guest needs to change their contact details or add a co-occupant during their stay, it is advised that this be allowed via the front desk or the host's WeChat in real time. 4. It is advised that "accepting withdrawal of consent at check-out" be a standard procedure: a guest checking out may proactively request "deletion of non-essential information," and the host should delete information the guest voluntarily provided — such as an email address or license plate number — within 15 days, while information required to be retained by law (ID-document information) continues to be retained, with the guest informed of the retention period. For surveillance footage, it is advised that the notice clearly state the retention period (e.g., 30 days) and the channel for viewing and deletion requests, with a guest able to request to view footage involving themselves and the host providing it within five working days. ID-document information and check-in time are subject to mandatory legal collection and need no separate consent, but the notice should clearly state the legal basis and purpose; for matters such as "smart in-room controls (e.g., a smart speaker)" or "subsequent marketing push notifications," an "active opt-in" mechanism must be used, off by default. At check-in, it is advised that guests be offered an "information-channel preference" setting, allowing them to select only an "emergency contact number" while declining to receive coupons, holiday greetings, or other marketing messages. For "guest reviews and photographs used for platform display," it is advised that a "per-stay authorization" model be used, with the guest independently choosing after each stay whether to consent to publication of their review and photographs, and a guest who declines suffering no effect on check-out or deposit refund. #### B.2.13 Individual Sellers on Online Second-Hand Marketplaces (e.g., Xianyu Sellers and Storefronts) *Typical processing scenario and necessary personal information collected:* in an online second-hand transaction, the seller obtains the buyer's contact details and delivery address. *Convenience guidance:* 1. The seller should include, once, in the product description or an auto-reply, a concise notice that "the delivery information collected is used only for shipping," with the buyer's submission of an order deemed consent, without the need for confirmation on each occasion; the platform should embed a statutory notice pop-up on the order page and have the system log the user's click, so that an individual seller, relying on the platform's transaction records and cloud-backed chat logs, can meet its evidentiary burden without needing to separately maintain its own archive. 2. Where the buyer's delivery information is entered incorrectly, it is advised that correction be allowed directly via chat before shipment, with the seller updating the courier waybill and confirming within one day. 3. It is advised that the seller work with the platform to establish a "transaction-completion automatic clean-up" mechanism, under which the seller proactively deletes the buyer's address, phone number, and other information from the chat log within 30 days of confirmed receipt, and clears any locally saved order spreadsheet, retaining only information needed for after-sales service. The buyer may also, at any point during the transaction, send a "delete my information" instruction via chat, with the seller completing deletion and replying with a screenshot within seven days. *(Editor's note: Annex B is informative (non-mandatory) guidance illustrating how the technical and management measures in the body of the standard might be applied in thirteen common small-business settings. The pattern is consistent across all thirteen: short, prominently displayed notice in place of a full privacy policy; a higher, separately-confirmed consent bar for sensitive categories such as facial images, health data, and ID documents; fast, low-cost identity verification for correction and deletion requests; and automatic, event-triggered deletion rather than indefinite retention.)* ## Annex C (Informative) — Template Internal Rules for Personal Information Processing by Small Personal Information Processors Annex C provides a template for a small processor's internal personal information processing management rules, including: - A statement that the rules are adopted under the Data Security Law, the Cybersecurity Law, and the Personal Information Protection Law to strengthen the enterprise's personal information security management and protect individuals' rights and interests in their personal information. - A statement that personal information management shall follow the principles of lawfulness, legitimacy, and necessity, and safeguard the authenticity, accuracy, and completeness of the data. - A statement that the enterprise's legal representative bears responsibility for personal information protection and is responsible for organizing, coordinating, and supervising the enterprise's personal information management. - Management requirements for personal information processing activities, including: - **Notice requirements** — informing individuals of the processing of their personal information and related matters, with notice content covering, at minimum: on first collection, the name and contact details of the personal information handler, and the purpose, method, category, and retention period of the processing, together with the manner and procedure for individuals to exercise their rights; and renewed notice whenever the processing activity changes. - **Requirements applicable to processing activities** — collecting personal information only within the minimum scope necessary to achieve the processing purpose and with the individual's authorization and consent; storing personal information under encryption, for the shortest period necessary to achieve the purpose authorized by the individual; establishing an approval process for material operations on personal information and keeping a record of such operations; where information is pushed or marketing is conducted through automated decision-making, simultaneously offering an option that does not target the individual's personal characteristics; where personal information is provided to another personal information handler, informing the individual of the recipient's name, contact details, processing purpose, processing method, and category of personal information, and obtaining the individual's separate consent — with the recipient confined to processing within that disclosed purpose, method, and category, and required to obtain the individual's renewed consent if it changes them; promptly providing functions for individuals to exercise their rights to access and copy/export their personal information; and promptly deleting personal information once the service is complete or the individual requests deletion. - Responsibilities and obligations, including: establishing a sound compliance-management mechanism for personal information protection and refining the management processes and operating requirements for each stage — collection, use, storage, processing, transmission, and deletion — to discharge primary responsibility for personal information protection; periodically organizing personal-information-protection education and training and clarifying compliance responsibilities, methods, and processes; periodically carrying out personal information protection impact assessments and compliance audits; formulating an emergency response plan for personal information security incidents; upon a personal information leak, promptly informing affected individuals of matters including the content and impact of the incident, the remedial measures taken or to be taken, remedies available to the individual, and the contact details of the person in charge of personal information protection and the personal-information-protection working body; and voluntarily accepting oversight from the public and cooperating actively with the competent authorities in handling incidents. ## Annex D (Informative) — Simplified Personal Information Protection Impact Assessment Worksheet for Small Personal Information Processors Annex D provides a simplified personal information protection impact assessment worksheet for small processors, drawing on GB/T 39335-2020 and adapted to a small processor's actual circumstances (Table D.1). The worksheet covers five triggering scenarios: (1) processing sensitive personal information; (2) using personal information for automated decision-making; (3) entrusting the processing of, providing to others, or disclosing personal information; (4) providing personal information outside China's borders; and (5) any other personal information processing activity that materially affects individuals' rights and interests. For each scenario, the processor records, by checkbox, three assessment items: (a) whether the purpose and method of processing are lawful, legitimate, and necessary (yes / no / not applicable); (b) the impact on individuals' rights and interests and the associated security risk (no impact / impact / not applicable); and (c) whether the protective measures adopted are lawful, effective, and commensurate with the degree of risk (yes / no / not applicable) — together with a conclusion and remarks field for each. ## Annex E (Informative) — Template Personal Information Security Incident Report and Notice for Small Personal Information Processors Annex E provides a template report/notice for a personal information security incident (Table E.1), consisting of nine fields: (1) time of the incident; (2) location (the specific address of the store or office); (3) a description of the incident — a brief description of the personal information leak, tampering, or loss that occurred or may have occurred; (4) the categories of personal information involved (e.g., name, mobile number); (5) the probable cause of the incident (e.g., inadequate safekeeping; if the cause is unclear, this may be explained to the relevant authorities); (6) the possible harm the incident may cause (e.g., inconvenience to customers from the disclosure of their information); (7) remedial measures taken (e.g., powering off the device, cutting power, or disconnecting from the network); (8) the contact person (the person in charge at the store); and (9) the contact telephone number. --- ## Measures for the Ethics Review of and Services for Artificial Intelligence Science and Technology (Trial) - Chinese title: 人工智能科技伦理审查与服务办法(试行) - Abbreviation: AI Ethics Review Measures (Trial) - Hierarchy: rule - Issuing body: Ministry of Industry and Information Technology (MIIT) and nine other departments - Adopted: 2026-03-20 - Effective: 2026-03-20 - Status: effective - URL: https://datacompliancechina.com/laws/ai-ethics-review-service-measures/ - Markdown: https://datacompliancechina.com/laws/ai-ethics-review-service-measures.md ### Summary China's first dedicated departmental rule on AI-specific science-and-technology ethics review, issued jointly by MIIT, NDRC, MOE, MOST, NHC, PBOC, the CAC, and three other bodies. It requires every organization running qualifying AI research or development to stand up an ethics committee spanning technical, application, ethics, and legal expertise, and routes proposals through general, expedited, or emergency review tracks against six review criteria: wellbeing, fairness, controllability, transparency, traceability, and privacy. Its sharpest feature is a closed list of three high-risk activity categories — strongly influential human-machine fusion systems, algorithms with public-opinion mobilization capability, and highly autonomous automated decision systems in safety-critical settings — that must clear a mandatory expert re-review on top of the ordinary committee sign-off. Violations are enforced through the underlying CSL, DSL, PIPL, and Science and Technology Progress Law rather than through standalone penalties in this rule. Overseas counsel advising China-facing AI developers should treat this as the operational rulebook for internal AI ethics governance structures, not merely an academic-research formality. ### Full text **Promulgated by:** Ministry of Industry and Information Technology (MIIT), National Development and Reform Commission (NDRC), Ministry of Education (MOE), Ministry of Science and Technology (MOST), Ministry of Agriculture and Rural Affairs, National Health Commission (NHC), People's Bank of China (PBOC), Cyberspace Administration of China (CAC), Chinese Academy of Sciences, and China Association for Science and Technology. **Document No.:** Gong Xin Bu Lian Ke [2026] No. 75. **Issued and effective March 20, 2026.** --- ## Chapter I. General Provisions **Article 1.** These Measures are formulated in order to standardize the ethical governance of artificial intelligence science and technology activities, promote fair, just, harmonious, safe, and responsible innovation, and advance the healthy development of the artificial intelligence industry, pursuant to the Science and Technology Progress Law of the People's Republic of China, the Opinions on Strengthening the Governance of Science and Technology Ethics, the Measures for the Review of Science and Technology Ethics (Trial) (hereinafter the "Ethics Measures"), and other applicable laws, regulations, and provisions. **Article 2.** The artificial intelligence science and technology activities to which these Measures apply are artificial intelligence scientific research, technology development, and other such activities carried out within the territory of the People's Republic of China that may raise science and technology ethics risks and challenges in respects such as human dignity, public order, life and health, the ecological environment, and sustainable development, as well as other science and technology activities that require artificial intelligence science and technology ethics review pursuant to laws, administrative regulations, and relevant national provisions. **Article 3.** Science and technology ethics requirements shall be carried through the entire course of artificial intelligence science and technology activities. Such activities shall follow the artificial intelligence science and technology ethics principles of enhancing human wellbeing, respecting the right to life, upholding fairness and justice, reasonably controlling risk, maintaining openness and transparency, protecting privacy and security, and ensuring controllability and trustworthiness, and shall comply with the Constitution, laws, regulations, and relevant provisions of the State. ## Chapter II. Services and Facilitation **Article 4.** A standards system for artificial intelligence science and technology ethics shall be established and improved, and the formulation of related international standards, national standards, industry standards, and group standards shall be promoted, with support given to building platforms for international standardization exchange and cooperation. Institutions of higher learning, scientific research institutions, medical and health institutions, enterprises, and science-and-technology-oriented social organizations, among others, are encouraged to participate in the formulation, validation, and promotion of artificial intelligence science and technology ethics standards. **Article 5.** The building of a service system for artificial intelligence science and technology ethics shall be advanced, with strengthened provision of services such as risk monitoring and early warning, testing and evaluation, certification, and consultation for artificial intelligence science and technology ethics, so as to enhance enterprises' capacity for technology research and development and for guarding against artificial intelligence science and technology ethics risks. Support and services for small, medium, and micro enterprises undertaking artificial intelligence science and technology ethics review shall be increased, and international exchange and cooperation on artificial intelligence science and technology ethics shall be advanced. **Article 6.** Institutions of higher learning, scientific research institutions, medical and health institutions, enterprises, and science-and-technology-oriented social organizations, among others, are encouraged to conduct research on artificial intelligence science and technology ethics review, and technological innovation in artificial intelligence science and technology ethics review shall be supported, so as to strengthen the guarding against artificial intelligence science and technology ethics risks by technical means. The orderly open-sourcing and opening of high-quality datasets for artificial intelligence science and technology ethics review shall be promoted, the development of general-purpose risk management and assessment/audit tools shall be strengthened, and scenario-based science and technology ethics risk assessment and evaluation shall be explored. Artificial intelligence products and services that comply with science and technology ethics shall be promoted, and the intellectual property of science and technology ethics review technology shall be protected. **Article 7.** Publicity and education on artificial intelligence science and technology ethics shall be carried out, giving play to the role of science-and-technology-oriented social organizations in such publicity and education, encouraging public participation, promoting practical demonstration, and raising public ethics awareness and literacy. Mass media shall be guided to conduct targeted publicity and education on artificial intelligence science and technology ethics. **Article 8.** Institutions of higher learning, scientific research institutions, medical and health institutions, enterprises, and science-and-technology-oriented social organizations, among others, shall be supported in carrying out education and training related to artificial intelligence science and technology ethics, advancing the development of vocational and curricular systems, cultivating artificial intelligence science and technology ethics talent through diverse means, and promoting talent exchange. ## Chapter III. Implementing Entities **Article 9.** Institutions of higher learning, scientific research institutions, medical and health institutions, enterprises, and other entities engaged in artificial intelligence science and technology activities are the responsible entities for the management of artificial intelligence science and technology ethics review within their own units, and shall establish an artificial intelligence science and technology ethics committee (hereinafter the "Committee") in accordance with the requirements of Article 4 of the Ethics Measures. The Committee shall be equipped with the necessary staff, office premises, and funding, and effective measures shall be taken to guarantee that the Committee carries out its work independently. Qualified relevant units are encouraged to pursue certification related to artificial intelligence science and technology ethics management systems. **Article 10.** The Committee's charter, composition, and the duties and obligations of its members shall follow Articles 5 through 8 of the Ethics Measures. The Committee's composition shall include experts with corresponding professional backgrounds in artificial intelligence technology, application, ethics, and law. **Article 11.** Local authorities and relevant competent departments may, in light of actual circumstances, rely on relevant units to establish specialized artificial intelligence science and technology ethics review and service centers (hereinafter "Service Centers"). A Service Center accepts commissions from other units to provide services such as ethics review, re-review, training, and consultation for artificial intelligence science and technology activities. A Service Center may not simultaneously provide review and re-review services for the same artificial intelligence science and technology activity. A Service Center shall establish standardized management systems and procedures, be equipped with full-time personnel capable of artificial intelligence science and technology ethics review and services, and accept supervision by local authorities or relevant competent departments. ## Chapter IV. Working Procedures ### Section 1. Application and Acceptance **Article 12.** For an artificial intelligence science and technology activity falling within the scope set out in Article 2 of these Measures, the person in charge of the activity shall apply to the Committee of their own unit. Where the unit has not established a Committee, or the Committee is not competent to carry out the science and technology ethics review work, the person in charge shall apply to the Service Center commissioned by the unit to carry out the science and technology ethics review; a person without a unit shall commission a qualified Service Center to carry out the science and technology ethics review. The person in charge of the artificial intelligence science and technology activity shall submit application materials to the Committee or Service Center as required. The application materials shall mainly include: (1) the artificial intelligence science and technology activity plan, including the research background, purpose, and plan, the lawful qualification materials, personnel circumstances, and funding sources of the institutions involved, the algorithmic mechanisms and principles to be adopted, the sources and methods of obtaining data, testing and evaluation methods, the software and hardware products to be formed, and the intended application fields and applicable populations, among other matters; (2) the science and technology ethics risk assessment of the artificial intelligence science and technology activity and its prevention, control, and emergency response plan, including an assessment of the potential science and technology ethics risks that the anticipated application of the artificial intelligence technology may bring, monitoring and early-warning measures for such ethics risks, and prevention and control plans for possible science and technology ethics risks; and (3) a letter of commitment to comply with requirements such as artificial intelligence science and technology ethics and scientific research integrity. **Article 13.** The Committee or Service Center shall, based on the application materials, decide whether to accept the application and notify the applicant. Where it decides to accept the application, it shall determine whether the general, expedited, or emergency procedure applies based on the likelihood and degree of science and technology ethics risk, urgency of circumstances, and other factors, and shall carry out the science and technology ethics review offline, online, or by other means as required by the applicable procedure. Where materials are incomplete, the Committee or Service Center shall notify the applicant, in a single communication, of the complete set of materials that need to be supplemented. ### Section 2. General Procedure and Expedited Procedure **Article 14.** A meeting for artificial intelligence science and technology ethics review shall be presided over by the chairperson of the Committee or a vice-chairperson designated by the chairperson, and no fewer than five committee members shall attend, including members from the different categories listed in Article 10 of these Measures. A Service Center may organize and carry out its work with reference to the provisions governing the Committee. Where the review so requires, advisory experts in relevant fields who have no direct interest in the matter may be invited to provide consultative opinions. Advisory experts shall not participate in the voting at the meeting. **Article 15.** In carrying out artificial intelligence science and technology ethics review, the Committee or Service Center shall focus on the following aspects: (1) Human wellbeing: whether the artificial intelligence science and technology activity has scientific and social value; whether the research objectives have a positive effect on enhancing human wellbeing and achieving sustainable social development; and whether the risks of the activity are reasonably proportionate to its benefits. (2) Fairness and justice: the criteria for selecting training data and whether the design of the algorithm, model, or system is reasonable; and whether measures are taken to prevent bias and discrimination and algorithmic exploitation, and to safeguard the objectivity and inclusiveness of resource allocation, access to opportunity, and decision-making processes. (3) Controllability and trustworthiness: whether the robustness of the model or system can be guaranteed so as to cope with open environments, extreme circumstances, and interfering factors; whether the ability of users to control, guide, and intervene in the basic operation of the model or system can be guaranteed; and whether continuous monitoring plans and contingency response plans have been formulated. (4) Transparency and explainability: whether information such as the purpose, operating logic, interaction methods, and potential risks of the algorithm, model, or system is reasonably disclosed; and whether effective technical means are adopted to enhance the explainability of the algorithm, model, and system. (5) Accountability and traceability: whether measures such as log management are in place to clearly record sufficient information at each stage of data, algorithm, model, and system, so as to ensure that the full chain can be tracked and managed; and whether the qualifications of the science and technology personnel meet relevant requirements. (6) Privacy protection: whether sufficient measures are taken to ensure the effective protection of private data in respect of data collection, storage, processing, use, and other processing activities, as well as the research and development of new data technologies. **Article 16.** The Committee or Service Center shall, within 30 days of accepting the application, make a decision to approve, require modification and re-review, or disapprove. Where circumstances are complex or materials need to be supplemented or corrected, among other special circumstances, the period may be appropriately extended, with the extended time limit clearly specified. Where modification is required or the application is disapproved, the Committee or Service Center shall put forward modification suggestions or explain its reasons. Where the applicant objects, it shall lodge an appeal with the Committee or Service Center within three working days from the date the decision is served. Where the grounds for appeal are well founded, the Committee or Service Center shall make a new decision within seven working days. **Article 17.** The person in charge of the artificial intelligence science and technology activity shall promptly identify changes in science and technology ethics risk and report the relevant changes to the Committee or Service Center. The Committee or Service Center shall, pursuant to Article 19 of the Ethics Measures, carry out follow-up review of approved artificial intelligence science and technology activities, so as to keep abreast of changes in science and technology ethics risk in a timely manner, and may, where necessary, decide to suspend or terminate the relevant science and technology activity. The interval between follow-up reviews generally shall not exceed 12 months. **Article 18.** Where multiple units cooperate in carrying out an artificial intelligence science and technology activity, they may, depending on actual circumstances, mutually recognize the results of the artificial intelligence science and technology ethics review conducted by one another's units. **Article 19.** The expedited procedure may apply in any of the following circumstances: (1) the likelihood and degree of science and technology ethics risk arising from the artificial intelligence science and technology activity is no higher than the routine risks encountered in daily life; (2) a minor modification is made to an already approved artificial intelligence science and technology activity plan that does not increase the risk-benefit ratio; or (3) follow-up review of an artificial intelligence science and technology activity that has undergone no major adjustment. **Article 20.** The Committee or Service Center shall formulate working rules and a follow-up frequency for review under the expedited procedure. Review under the expedited procedure shall be undertaken by two or more committee members designated by the Committee's chairperson. A Service Center may organize and carry out its work with reference to the provisions governing the Committee. Where, during review under the expedited procedure, a negative review opinion arises, there is doubt about the content under review, or committee members disagree, among other such circumstances, the matter shall be shifted to the general procedure. ### Section 3. Expert Re-Review Procedure **Article 21.** The Ministry of Industry and Information Technology and the Ministry of Science and Technology shall, together with relevant departments, formulate and issue a "List of Artificial Intelligence Science and Technology Activities Requiring Science and Technology Ethics Expert Re-Review" (hereinafter the "Re-Review List"), and adjust it dynamically as work requires. **Article 22.** For an artificial intelligence science and technology activity included on the Re-Review List, after it has passed preliminary review by the Committee or Service Center, the unit itself shall apply for expert re-review. Where multiple units are involved, the lead unit shall be responsible for the application. Central enterprises, and institutions of higher learning, scientific research institutions, and medical and health institutions directly subordinate to central and state organs, shall directly apply to the relevant competent department to organize the expert re-review. Other units shall apply to the local authority to organize the expert re-review. **Article 23.** The unit undertaking the artificial intelligence science and technology activity shall submit expert re-review materials in accordance with Article 27 of the Ethics Measures. The local authority or relevant competent department shall, in accordance with Articles 28 through 30 of the Ethics Measures, organize the formation of an expert re-review panel to conduct a re-review of the compliance and reasonableness of the preliminary review opinion, and shall provide feedback with the re-review opinion to the applicant unit within 30 days of receiving the re-review application. The local authority or relevant competent department may commission a Service Center to carry out the re-review work. **Article 24.** The Committee or Service Center shall make a science and technology ethics review decision based on the expert re-review opinion. **Article 25.** The Committee or Service Center shall strengthen follow-up review of artificial intelligence science and technology activities included on the Re-Review List, with the interval between follow-up reviews generally not to exceed six months. Where a major change occurs in the science and technology ethics risk, a fresh science and technology ethics review shall be carried out and expert re-review applied for anew, in accordance with Article 20 of the Ethics Measures. **Article 26.** Where an artificial intelligence science and technology activity is already subject to regulatory measures such as registration, filing, or administrative approval in respects such as deep synthesis, algorithmic recommendation, or the administration of generative artificial intelligence services, and compliance with science and technology ethics requirements has been made a condition of approval or a matter of regulatory content therein, expert re-review need no longer be carried out. ### Section 4. Emergency Procedure **Article 27.** The Committee or Service Center shall formulate an emergency review system for artificial intelligence science and technology ethics, clearly specifying the emergency review process and standard operating procedures applicable under emergency conditions such as sudden public incidents. Emergency review shall generally be completed within 72 hours. For an artificial intelligence science and technology activity to which the expert re-review procedure applies, the review preceding expert re-review shall generally be completed within 36 hours. **Article 28.** The Committee or Service Center shall ensure the quality and timeliness of emergency science and technology ethics review, and shall strengthen follow-up work and process oversight. Where necessary, advisory experts in relevant fields may be invited to attend meetings and provide consultative opinions. ## Chapter V. Supervision and Administration **Article 29.** The Ministry of Science and Technology is responsible for the overall coordination and guidance of nationwide science and technology ethics regulation, and the Ministry of Industry and Information Technology, together with relevant departments, is responsible for artificial intelligence science and technology ethics governance work, strengthening coordination and guidance of emergency ethics review. Each department shall, within the scope of its duties and powers, be responsible for the supervision and administration of artificial intelligence science and technology ethics review within its own industry or system, and each local authority shall, within the scope of its duties and powers, be responsible for the supervision and administration of artificial intelligence science and technology ethics review within its own region. **Article 30.** A unit shall, in accordance with Articles 43 through 45 of the Ethics Measures, register information concerning its Committee and any artificial intelligence science and technology activities included on the Re-Review List through the National Science and Technology Ethics Management Information Registration Platform, and shall submit materials such as the Committee's annual work report for the preceding year and an implementation report on artificial intelligence science and technology activities included on the Re-Review List. A Service Center shall likewise register and submit its annual work report for the preceding year in accordance with the foregoing provisions. The Ministry of Science and Technology and relevant competent departments shall share registered information relating to artificial intelligence science and technology ethics on a synchronized basis. **Article 31.** Local authorities, relevant competent departments, and units engaged in artificial intelligence science and technology activities shall, in light of the actual circumstances of their own industry, system, or unit, keep open the channels through which violations of artificial intelligence science and technology ethics can be reported, and shall handle such reports in accordance with relevant provisions. **Article 32.** Where, in the course of an artificial intelligence science and technology activity or work related to artificial intelligence science and technology ethics, a violation of these Measures occurs, investigation and disposition shall be carried out and corresponding penalties imposed in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Science and Technology Progress Law of the People's Republic of China, and other applicable laws, regulations, and relevant provisions. ## Chapter VI. Supplementary Provisions **Article 33.** Where these Measures provide for a time limit and do not designate it as working days, the time limit is calculated in calendar days. For the purposes of these Measures, "local authority" means the provincial-level administrative department designated by a provincial-level people's government as responsible for science and technology ethics review and management in the field of artificial intelligence, and "relevant competent department" means a relevant competent department of the State Council. **Article 34.** Local authorities and relevant competent departments may, pursuant to these Measures and in light of actual circumstances, formulate or revise measures, implementing rules, and other institutional norms on artificial intelligence science and technology ethics review and services for their own locality, industry, or system. Science-and-technology-oriented social organizations may formulate specific norms and guidelines for artificial intelligence science and technology ethics review and services within their own fields. **Article 35.** Where a relevant competent department has special provisions on artificial intelligence science and technology ethics review and services for its own industry or system that are consistent with the spirit of these Measures, such provisions shall govern. Matters not provided for in these Measures shall be handled in accordance with the Ethics Measures and other relevant laws and regulations. **Article 36.** These Measures shall be interpreted by the Ministry of Industry and Information Technology together with relevant departments. **Article 37.** These Measures shall take effect from the date of issuance. **Attachment: List of Artificial Intelligence Science and Technology Activities Requiring Science and Technology Ethics Expert Re-Review** (1) Research and development of human-machine fusion systems that have a strong influence on human subjective behavior, psychological and emotional states, and life and health. (2) Research and development of algorithmic models, applications, and systems having the capability to mobilize public opinion and guide social consciousness. (3) Research and development of highly autonomous automated decision-making systems oriented toward scenarios presenting safety or personal-health risks. This List will be dynamically adjusted as work requires. --- ## Data Security Technology — Requirements for Personal Information Transfer Based on Individual Requests (GB/T 46901—2025) - Chinese title: 数据安全技术 基于个人请求的个人信息转移要求(GB/T 46901—2025) - Abbreviation: GB/T 46901-2025 (PI Portability) - Hierarchy: standard - Issuing body: State Administration for Market Regulation (SAMR) and Standardization Administration of China (SAC) - Adopted: 2025-12-31 - Effective: 2026-07-01 - Status: effective - URL: https://datacompliancechina.com/laws/gbt-46901-pi-transfer-requirements/ - Markdown: https://datacompliancechina.com/laws/gbt-46901-pi-transfer-requirements.md ### Summary The first national standard implementing the personal-information-portability right in PIPL Article 45, effective July 1, 2026. It sets out two transfer models (subject-as-intermediary and processor-as-intermediary), scopes the portable-data boundary to actively-provided information and service-usage records — expressly excluding derived data such as profiling tags and friend graphs, network logs, trade secrets, and anonymized data — and fixes three preconditions: a consent-or-contract-necessity legal basis, no harm to third-party rights, and requests kept within reasonable limits (indicatively no more than twice a year). It prescribes a five-step process (initiation, verification, processing, export, import) with 15-working-day response times, mandatory structured and machine-readable export formats (CSV/JSON/XML), and dedicated rules for minors under 14, third-party data caught up in a transfer, and overseas recipients. Any consumer-facing personal information handler now has a concrete technical and procedural playbook to build against. ### Full text **Promulgated by:** State Administration for Market Regulation (SAMR) and Standardization Administration of China (SAC). **Document No.:** GB/T 46901—2025. **Drafted under the auspices of the National Information Security Standardization Technical Committee (TC260). Issued December 31, 2025. Effective July 1, 2026.** --- ## Chapter 1. Scope **Article 1 (Scope).** This document specifies the scope of application, preconditions, process requirements, and other requirements for specific circumstances applicable to the transfer of personal information based on a request of the personal information subject. This document applies to guiding personal information handlers in responding to a personal information subject's request to transfer personal information, and also serves as a reference for the relevant supervision, administration, and assessment activities of regulatory authorities and third-party assessment institutions. ## Chapter 2. Normative References **Article 2 (Normative References).** The content of the following documents constitutes indispensable provisions of this document through normative references in the text. For dated references, only the edition corresponding to that date applies to this document; for undated references, the latest edition (including all amendments) applies to this document. GB/T 25069—2022, *Information Security Technology — Terminology* GB/T 35273—2020, *Information Security Technology — Personal Information Security Specification* ## Chapter 3. Terms and Definitions **Article 3 (Terms and Definitions).** The terms and definitions established in GB/T 25069—2022 and GB/T 35273—2020, together with the following terms and definitions, apply to this document. **3.1 Personal information transfer (个人信息转移).** The process by which a personal information handler that processes personal information at the request of the personal information subject transfers the personal information it processes to another personal information handler designated by the personal information subject. **3.2 Derived personal information (衍生个人信息).** New data related to an individual that is derived from the analysis, computation, or processing of personal information. Note: Such data may differ from the original data but remains personal information and retains the characteristic of being associated with an individual. **3.3 Requester (请求人).** The subject who initiates a request for personal information transfer. Note: This includes the personal information subject personally, the personal information subject's guardian, and a trustee entrusted by the personal information subject to initiate the transfer request. **3.4 Structured (结构化).** A manner of organizing data that has certain rules, formats, or patterns, enabling software to extract specific elements of the data. Note 1: For example, in a spreadsheet, data is represented in rows and columns. Note 2: Structured data is generally composed of a defined schema, template, and fields, in which each data element has a specific meaning and type and follows a specific format, convention, and standard, so as to facilitate automatic processing and interpretation by computers and other programs. **3.5 Machine-readable (机器可读).** The capability of being read, converted, generated, transmitted, or used by a machine, software, or automated system. ## Chapter 4. Abbreviations **Article 4 (Abbreviations).** The following abbreviations apply to this document. CSV: Comma-Separated Values JSON: JavaScript Object Notation SFTP: SSH File Transfer Protocol XML: Extensible Markup Language ## Chapter 5. Transfer Methods **Article 5 (Overview).** The personal information transfer process involves roles such as the personal information subject, the personal information handler, and the personal information recipient. Based on the role each party plays in the transfer process, personal information transfer methods can be divided into two models: personal-information-subject-as-intermediary transfer and personal-information-handler-as-intermediary transfer. **Article 6 (Personal-Information-Subject-as-Intermediary Transfer).** In personal-information-subject-as-intermediary transfer, the personal information subject initiates the personal information transfer request; the personal information handler completes verification of the transfer request and provides the personal information to be transferred to the personal information subject. After receiving the transferred personal information, the personal information subject provides it to the personal information recipient. This is illustrated in Figure 1. Figure 1 — Personal-information-subject-as-intermediary transfer of personal information **Article 7 (Personal-Information-Handler-as-Intermediary Transfer).** The personal information handler and the personal information recipient have in advance made public the interfaces used for sending and receiving personal information. In personal-information-handler-as-intermediary transfer, the personal information subject initiates a personal information transfer request to the personal information handler. After receiving the request, the personal information handler completes verification of the personal information subject and, once verification is complete, sends the verification result and the personal information requested for transfer directly to the personal information recipient designated by the personal information subject. This is illustrated in Figure 2. Figure 2 — Personal-information-handler-as-intermediary transfer of personal information ## Chapter 6. Scope of Application of Personal Information Transfer **Article 8 (Scope of Information That May Be Requested for Transfer).** The personal information that a personal information subject may request to be transferred includes: a) personal information actively provided by the personal information subject with knowledge of the provision (for example, name, gender, age, etc.); and b) specific service record information generated by the personal information subject's use of a product or service (for example, navigation record information generated by using a map application or navigation application, health-monitoring record data collected through the use of an IoT device to provide health-monitoring services, etc.). Note: Personal information transfer does not apply to derived personal information formed by the personal information handler's processing of the two categories of personal information described above (such as friend relationship chains, profiling tags, etc.), network log information retained pursuant to law, information involving trade secrets, or information that has undergone anonymization. **Article 9 (Requirements Regarding the Subject Eligible to Request Transfer).** The requirements regarding the subject of a personal information transfer request include: a) only the personal information subject may request the transfer of their personal information; b) a minor under the age of 14 enjoys the right to personal information transfer, but the transfer of their personal information shall be consented to by the minor's parents or other guardian (Note 1: Chapter 12 sets out specific requirements concerning the exercise of personal information transfer rights by minors); and c) the personal information of a deceased person does not fall within the scope of application of personal information transfer (Note 2: except where the deceased made other arrangements before death, or where laws and regulations otherwise provide). ## Chapter 7. Preconditions for Personal Information Transfer **Article 10 (Legality Requirement).** This requirement includes the following: a) the personal information requested for transfer shall be personal information processed on the basis of consent or as necessary for the conclusion or performance of a contract; and b) personal information processed on the basis of the following legal bases does not fall within the scope of a personal information transfer request: 1) processing necessary for the performance of statutory duties or statutory obligations; 2) processing personal information within a reasonable scope for news reporting or public-opinion supervision in the public interest; or 3) processing, within a reasonable scope and as required by laws and regulations, personal information that individuals have disclosed on their own initiative or that has otherwise been lawfully disclosed. **Article 11 (Requirement Not to Harm the Lawful Rights and Interests of Others).** This requirement includes the following: a) in principle, the personal information involved in a personal information transfer shall not include the personal information of any person other than the personal information subject. Where the personal information handler finds that responding to the personal information subject's transfer request would also require transferring the personal information of another person, the personal information handler may de-identify that other person's personal information. Where de-identification is not feasible, or where de-identification would render the purpose sought by the personal information subject's transfer request unachievable: 1) the requester shall provide materials proving that the processing purpose for the other person's personal information involved in the transfer is limited to what is necessary for private or household activities and can only be independently controlled by the personal information subject, or shall provide materials proving that the other person's express consent has been obtained for the personal information involved in the transfer; and 2) where, after verifying the materials provided by the requester, the personal information handler confirms the circumstances described in item 1) above, the personal information handler may, after conducting a personal information security impact assessment, respond to the requester's transfer request, and shall inform the requester or the personal information recipient of the processing-purpose limitations that must be observed when processing the other person's personal information; where the personal information handler considers that the requester cannot demonstrate that the circumstances in item 1) are satisfied, the personal information handler may decline to respond to the personal information subject's transfer request, shall explain to the personal information subject the reasons for declining to respond, and shall retain the corresponding records; and b) where the personal information handler considers that transferring the personal information may infringe upon its own rights and interests (such as trade secrets and other lawful competitive interests, etc.), the personal information handler may decline to respond to the requester's transfer request, shall explain to the personal information subject the reasons for declining to respond, and shall retain the corresponding records. **Article 12 (Reasonableness Requirement).** A request to transfer personal information shall be within reasonable limits. The specific requirements include the following: a) the personal information subject shall designate, as the personal information recipient, a subject that has already entered into a personal information transfer agreement with the personal information handler; b) the frequency of the personal information subject's requests to transfer personal information shall fall within a reasonable time interval (for example, no more than twice within one calendar year). The personal information handler may assess the reasonableness of the time interval based on the following factors: 1) the frequency with which the personal information changes; 2) the nature of the personal information; 3) the purpose of processing the personal information; and 4) whether a subsequent request involves the same type of personal information or processing activity as a prior request; and c) the personal information handler may decline requests that are manifestly unfounded or excessive, but shall record the basic circumstances and inform the personal information subject. Note: For provisions on a personal information handler declining a personal information subject's request, see Article 17. ## Chapter 8. Basic Requirements for Personal Information Transfer **Article 13 (Basic Process).** The basic process for exercising a personal information transfer request (illustrated in Figure 3) mainly comprises five steps: request initiation, request verification, request processing, personal information export, and import of the transferred personal information. Each step, and the format of the transferred personal information, shall satisfy the requirements of 8.2 through 8.7. Figure 3 — Basic process for personal information transfer **Article 14 (Initiation of Requests).** The personal information handler shall, in a prominent manner and in clear and easy-to-understand language, inform individuals truthfully, accurately, and completely of the method and procedure for exercising a personal information transfer request, and shall provide the personal information subject with a convenient channel for initiating a request. The specific requirements include: a) a personal information transfer request may be submitted online, in writing, or by other means; and b) a personal information handler that has already implemented automated tools to process personal information transfer requests may determine for itself the frequency at which it processes such requests. **Article 15 (Verification of Requests).** The personal information handler shall verify the personal information subject's request, including verification of the personal information subject's identity, the content of the request, and the frequency of the request. The verification requirements include the following: a) the personal information handler shall implement an identity verification procedure for the personal information subject in order to establish the authenticity of the personal information transfer request and to safeguard the security of its entire process for handling the personal information transfer request; b) the personal information required to complete identity verification of the personal information subject shall follow the principle of minimum necessity; c) where the personal information handler has reasonable doubts about the personal information subject's identity, it may require the personal information subject to provide additional information, provided that such additional information shall be limited to what is necessary to confirm identity and shall not exceed the information provided by the personal information subject at the time of use or registration; d) where a third party (such as a relative or friend) is entrusted to submit a personal information transfer request on the personal information subject's behalf, the personal information handler shall confirm the validity of the request, for example by verifying the authenticity of the proof provided by the third party; e) for a personal information transfer request submitted by a close relative of a deceased person on the basis of the relative's own lawful rights and interests, the personal information handler shall confirm the necessity and reasonableness of the request, for example by verifying the authenticity of the proof provided by the close relative; f) where a personal information transfer request fails verification, the personal information handler shall inform the personal information subject in a clear manner through an appropriate channel; and g) where a personal information subject resubmits a personal information transfer request on the ground that the reply received was incomplete or did not give a sufficient reason for refusal, the personal information handler shall not count the request as a new request, but shall count it as a request for reconsideration of the original request. **Article 16 (Processing of Requests — Responding to Requests).** For a personal information transfer request that has passed verification, the requirements for the personal information handler include: a) it shall respond within 15 working days of receiving the request; where processing the personal information transfer request is unusually complex, the personal information handler may appropriately extend the response period, but the extension shall not exceed two months from receipt of the request; and b) where the requester submits multiple personal information transfer requests within 30 days, the last request to exercise the right shall be treated as the valid request, and the processing period shall be recalculated starting from the time of that last request. Between the time a response is given to the requester and the completion of processing, the personal information handler need not respond further to requests from the same requester. **Article 17 (Processing of Requests — Declining Requests).** The requirements for a personal information handler declining a personal information transfer request include the following: a) the personal information handler may decline a corresponding transfer request where it finds that the request falls under any of the following circumstances: 1) it does not fall within the scope of application prescribed in Chapter 6; 2) it does not satisfy the conditions for exercise prescribed in Chapter 7; 3) it fails the verification prescribed in Article 15; or 4) it is a repeat application for personal information transfer without reasonable grounds; and b) when declining a personal information transfer request, the personal information handler shall inform the requester, in clear language, of the following matters: the reason for not responding to the request; and the possibility of the personal information subject lodging an appeal and the channel for doing so, among other matters. **Article 18 (Processing of Requests — Fees for Processing Requests).** As a general matter, the personal information handler shall not charge a fee for a personal information transfer request. However, where either of the following circumstances applies, the personal information handler may charge a reasonable fee within the scope of the cost incurred in responding to the request: a) the personal information transfer request being responded to is not within reasonable limits; or b) the personal information handler and the personal information recipient need to additionally execute a personal information transfer agreement. **Article 19 (Data Format for Personal Information Transfer).** When transferring personal information, the data shall be provided in a structured and machine-readable format, and the data shall be able to accurately represent the content of the personal information. Unless otherwise specially provided by an industry or sector, the personal information shall be provided using open, general-purpose formats such as CSV, XML, and JSON; where a special format is required by special provisions of an industry or sector, the personal information shall be provided in a manner that satisfies the structured and machine-readable requirements. **Article 20 (Export of Personal Information — Method of Export).** The requirements for a personal information handler exporting the personal information involved in a personal information subject's request include: a) where technically feasible, the personal information handler may directly provide the personal information involved in the request, or provide an automated tool (such as an SFTP server or web portal) that can extract the personal information involved in the request (Note: personal information shall be exported and provided in electronic format, unless the personal information subject requests otherwise); and b) where personal information such as photographs or videos of large size or in large quantity is being transmitted, it should be provided by way of export through a third-party secure access interface. **Article 21 (Export of Personal Information — Security Safeguards for Exported Personal Information).** The security requirements for personal information exported by the personal information handler include: a) the personal information handler shall adopt appropriate measures to safeguard the security of personal information transmission; b) the personal information handler shall adopt appropriate measures to confirm that the personal information has been transmitted to the personal information recipient designated by the personal information subject; and c) the personal information handler shall clearly inform the personal information subject of the relevant security risks. **Article 22 (Export of Personal Information — Explanation of Exported Personal Information).** Where the personal information subject has a reasonable doubt regarding the content, type, or quantity of the exported personal information, the personal information handler shall give a reasonable explanation. **Article 23 (Import of Personal Information — Legality Requirement).** The legality requirements for a personal information recipient importing personal information include: a) when importing the personal information involved in a transfer request, the personal information recipient shall confirm that it has a lawful basis for processing that personal information, and that its subsequent processing of the imported personal information will not adversely affect the lawful rights and interests of any other person; and b) for imported personal information that does not satisfy the conditions above, the personal information recipient shall delete it as soon as possible. **Article 24 (Import of Personal Information — Purpose Limitation on the Processing of Other Persons' Information).** Where the imported personal information involves the personal information of another person, the personal information recipient shall not process that other person's personal information beyond the scope of that person's authorization or beyond statutory grounds — for example, pushing information to individuals or conducting commercial marketing by means of automated decision-making beyond the scope of authorization. ## Chapter 9. Requirements for Personal-Information-Subject-as-Intermediary Transfer **Article 25 (Requirements for Personal-Information-Subject-as-Intermediary Transfer).** The requirements for this transfer model are as follows: a) the personal information handler shall complete verification of the request within 15 working days of receiving the personal information transfer request, and shall clearly inform the personal information subject of the verification result; where the personal information transfer request fails verification, the personal information handler shall clearly explain the reason for the failure; b) for a personal information transfer request that has passed verification by the personal information handler, the personal information handler shall, within 15 working days, provide the personal information to be transferred to the personal information subject in a machine-readable format; c) after receiving the personal information import request, the personal information recipient shall complete identity verification of the personal information subject within 15 working days; and d) the personal information recipient shall complete processing of the personal information import within 15 working days and shall clearly inform the personal information subject of the result of the processing. Where the import of personal information fails, the personal information recipient shall clearly explain to the personal information subject the reason why it was not completed. ## Chapter 10. Requirements for Personal-Information-Handler-as-Intermediary Transfer **Article 26 (Requirements for Personal-Information-Handler-as-Intermediary Transfer).** The requirements for this transfer model include: a) after the personal information subject initiates a personal information transfer request to the personal information handler, the personal information handler shall complete verification of the request within 15 working days of receiving the personal information subject's request; b) where the personal information transfer request fails verification, the personal information handler shall clearly explain the reason for the failure; c) for a personal information transfer request that has passed verification, the personal information handler shall, within 15 working days, provide the personal information to be transferred directly to the personal information recipient in a machine-readable format, and shall simultaneously transfer the verification information relating to the request; and d) within 15 working days of receiving the transferred personal information, the personal information recipient shall complete processing of the personal information import and shall clearly inform the personal information subject of the import result. Where the import of personal information fails, the personal information recipient shall also clearly explain the reason why processing was not completed. ## Chapter 11. Requirements for Automated Processing of Personal Information Transfer **Article 27 (Automated Processing).** Where technically feasible, a personal information transfer request may be implemented by automated processing. Specific methods include: a) the personal information handler responds to the personal information transfer request by automated means; and b) the transferred personal information is transmitted directly between different personal information handlers by automated means. ## Chapter 12. Requirements for Processing Personal Information Transfer Requests of Minors Under the Age of 14 **Article 28 (Requirements for Minors Under 14).** The requirements concerning a request to transfer personal information made in respect of a minor under the age of 14 include the following: a) the personal information handler shall formulate rules for processing minors' personal information that are suited to minors' understanding, so that minors fully understand their rights. The rules for processing minors' personal information shall explain the procedure for minors to exercise the right to personal information transfer, and appropriate safeguard measures shall be adopted to protect minors' rights and interests; and b) where a minor under the age of 14 submits a request to transfer personal information, the personal information handler shall: 1) confirm that the request to transfer the personal information has been consented to by the minor's parents or other guardian; 2) taking into account the minor's interests, remind the minor's parents or other guardian that the transfer of the personal information will not have an adverse impact on the minor; and 3) when transferring the personal information, remind the personal information recipient that the information being transferred is the personal information of a minor. ## Chapter 13. Requirements for Processing Personal Information Transfer Requests Involving Third Parties **Article 29 (Requirements Involving Third Parties).** Where the personal information handler has already provided the personal information involved in a transfer request to a third party by way of sharing, entrustment, or another arrangement, the personal information handler shall: a) inform the personal information subject of the type and quantity of personal information provided to the third party; and b) inform the personal information subject of the third-party processor's name (or the name of the individual), contact information, processing purpose, processing method, the categories of personal information involved, and the method and procedure for exercising the right to personal information transfer against the third party, among other matters. ## Chapter 14. Requirements for Processing Personal Information Transfer Requests Involving Cross-Border Provision **Article 30 (Requirements for Overseas Recipients).** Where the personal information recipient designated by the personal information subject is located outside the territory of the People's Republic of China, the personal information handler shall: a) clearly inform the personal information subject of the legal risks of the cross-border transfer of personal information; b) ensure that the transfer of personal information complies with the relevant requirements of China's data export security administration regime; and c) where it cannot ensure that the transfer of personal information complies with the relevant requirements of China's data export security administration regime, clearly inform the personal information subject of this fact and provide the personal information subject with a means of obtaining a copy of the personal information. ## Bibliography [1] GB/T 39335—2020, *Information Security Technology — Guide for Personal Information Security Impact Assessment* [2] ISO/IEC 29100:2011, *Information technology — Security techniques — Privacy framework* [3] EU General Data Protection Regulation, 2016 --- ## Rules on Pricing Conduct by Internet Platforms - Chinese title: 互联网平台价格行为规则 - Abbreviation: Platform Pricing Rules - Hierarchy: rule - Issuing body: National Development and Reform Commission (NDRC), State Administration for Market Regulation (SAMR), and Cyberspace Administration of China (CAC) - Adopted: 2025-12-09 - Effective: 2026-04-10 - Status: effective - URL: https://datacompliancechina.com/laws/internet-platform-pricing-rules/ - Markdown: https://datacompliancechina.com/laws/internet-platform-pricing-rules.md ### Summary A joint NDRC/SAMR/CAC rule (29 articles, five-year mandate) that regulates how e-commerce and service platforms set, display, and compete on price. It is fundamentally a pricing and anti-monopoly instrument, not a data-protection one — but Article 15 is the first pricing-level ban on algorithmic price discrimination against existing users (大数据杀熟), barring platforms from using data and algorithms to charge different prices for the same good or service under equivalent transaction conditions based on a consumer's willingness or ability to pay, or their consumption preferences and habits, without the consumer's knowledge. Article 24 also requires platforms to fold personal-information handling and algorithm filing into their internal price-compliance system. DCC catalogues it as background for briefs on algorithmic pricing and platform data practices, not as a standalone data-protection statute. ### Full text > *DCC catalogue entry — summary, not full text.* ## Why this rule matters for the data field The **Rules on Pricing Conduct by Internet Platforms (互联网平台价格行为 规则)** were issued jointly by the **National Development and Reform Commission (NDRC)**, **State Administration for Market Regulation (SAMR)**, and the **Cyberspace Administration of China (CAC)** on 9 December 2025 and took effect **10 April 2026**, with a built-in **five-year mandate** (Art. 29). At 29 articles across seven chapters, it is primarily a **price-regulation and anti-monopoly instrument** — grounded in the Price Law, the E-Commerce Law, the AUCL, the Consumer Rights Protection Law, the Cybersecurity Law, and PIPL (Art. 1) — covering how platform operators (平台经营者) and in-platform merchants (平台内经营者) set prices, disclose them, run promotions, and compete on price. DCC catalogues it as a **lighter background entry**, in the same style as the [Anti-Unfair Competition Law](/laws/anti-unfair-competition-law/), because one clause reaches directly into data governance: **Article 15** is the **first codification, at the pricing-regulation level, of a ban on algorithmic price discrimination against existing users (大数据杀熟, literally "big-data killing familiar customers")** — the practice, until now addressed mainly through the [Algorithmic Recommendation Provisions](/laws/algorithmic-recommendation-provisions/) and consumer- protection rules, of using a platform's data holdings on a given user to charge that user more. The rest of this entry uses the shorthand "big-data price discrimination" for readability. ## The data-relevant clause — Article 15 Article 15, paragraph 1, tracks (and cross-references) **Article 9 of the Implementing Regulations for the Consumer Rights Protection Law**. It provides that a platform operator or in-platform merchant may not: > without the consumer's knowledge, use data and algorithms, platform > rules, or similar means, based on information such as a consumer's > **willingness to pay, ability to pay, consumption preferences, or > consumption habits (支付意愿、支付能力、消费偏好、消费习惯)**, to set > **different prices or fee standards for the same good or service under > equivalent transaction conditions (同一商品或者服务在同等交易条件下 > 设置不同的价格或者收费标准)**. Two elements do the legal work: **equivalent transaction conditions** (the comparator — this is not a ban on legitimate segmentation like new-customer discounts or membership tiers priced on service level) and **the consumer's lack of knowledge** (the trigger — a platform that discloses its differential-pricing rule up front, per **Article 8**'s separate transparency duty for differentiated and dynamic pricing, is regulated but not automatically caught by Art. 15). Paragraph 2 adds a parallel, narrower prohibition: a platform operator may not use **price discrimination against in-platform merchants (对平台内经营者实施价格 歧视)**, invoking Article 14(5) of the Price Law. Article 15 carries **no standalone penalty** — like the rest of the Rules, violations are enforced through the underlying statutes it cross- references (the Price Law, the Consumer Rights Protection Law Implementing Regulations), with minor and promptly corrected violations eligible for a no-penalty disposition under the Administrative Penalty Law (Art. 26). ## The compliance-system hook — Article 24 Article 24 requires platform operators to build an **eight-item internal price-compliance system**. Two items are squarely data/algorithm obligations: - **Article 24(7)** — "**strengthen network data security management, and process personal information in price-related conduct in accordance with law and regulation** (加强网络数据安全管理,在价格行为中依法依规 处理个人信息)" — i.e., the pricing engine itself (the data pipeline feeding personalized or dynamic pricing) must be built as a PIPL- and Data Security Law-compliant system, not bolted on after the fact. - **Article 24(8)** — "**lawfully complete algorithm filing procedures related to price conduct, and cooperate with the CAC and other authorities on security assessments and supervisory inspections** (依法履行价格行为有关算法备案手续,配合网信等有关部门开展安全评估和 监督检查工作)" — folding **[algorithm filing](/laws/algorithmic-recommendation-provisions/)** into pricing compliance specifically, confirming that a pricing algorithm falls within the filing regime the CAC already administers for recommendation algorithms. Read together, Articles 15 and 24(7)–(8) mean overseas platforms operating in China should treat their **pricing/discount engine as a regulated data system**: the underlying personal-information processing needs a lawful basis and minimization discipline, the algorithm needs filing, and the pricing logic itself needs a transparency layer sufficient to keep differentiated pricing out of Article 15's "without the consumer's knowledge" trap. ## How it fits with other DCC-tracked rules The Rules sit alongside — rather than inside — DCC's core data-protection stack. **Article 21 of the [Algorithmic Recommendation Provisions](/laws/algorithmic-recommendation-provisions/)** already prohibited "unreasonable differential treatment" via algorithm in trading conditions; Article 15 now gives that prohibition a pricing-regulator's teeth and a more precise "equivalent transaction conditions / without knowledge" test. The **[Anti-Unfair Competition Law](/laws/anti-unfair-competition-law/)**'s 2025 data clause (Art. 13) and the **[Online Trading Platform Rules and Measures](/laws/online-trading-platform-rules-measures/)** cover adjacent platform-conduct ground — merchant treatment, data scraping, transaction-rule fairness — that the Rules' **Article 5** partially overlaps with (bans on forced "automatic price-matching" systems and most-favored-pricing clauses). **[PIPL](/laws/pipl/)** remains the governing statute for the personal-information processing that underlies any differentiated-pricing model; Article 24(7) simply confirms that pricing is not exempt from it. ## Briefs on this law DCC briefs that turn on the Platform Pricing Rules are linked from this page's "Briefs on this law" section (any post whose `laws:` references this entry). --- ## Provisions on the Protection of Trade Secrets - Chinese title: 商业秘密保护规定 - Abbreviation: Trade Secret Protection Provisions - Hierarchy: rule - Issuing body: State Administration for Market Regulation (SAMR) - Adopted: 2026-02-24 - Effective: 2026-06-01 - Status: effective - URL: https://datacompliancechina.com/laws/trade-secret-protection-provisions/ - Markdown: https://datacompliancechina.com/laws/trade-secret-protection-provisions.md ### Summary SAMR's rewrite of China's 1995 trade-secret enforcement rules — issued as Order No. 126 under the Anti-Unfair Competition Law — folds algorithms, data, and source code squarely into the definition of a protectable technical-information trade secret, and for the first time recognizes tiered access, data masking, and audit-log retention as adequate confidentiality measures for remote-work and cross-border collaboration setups. It also names electronic intrusion and unauthorized transfer of files to personal cloud drives or external storage as 'improper means' of misappropriation, giving SAMR an administrative-enforcement path for conduct that would otherwise only surface as a data-security incident or a cybercrime case. For overseas counsel, it matters less as a data-protection instrument than as the rule that now lets an aggrieved company route an insider data-exfiltration episode through market-regulation enforcement rather than the police or the courts alone. ### Full text > *DCC catalogue entry — summary, not full text.* ## Why this law matters for the data field The **Provisions on the Protection of Trade Secrets (商业秘密保护规定)** are **SAMR Order No. 126**, adopted 24 February 2026 and effective 1 June 2026. They replace the **1995 Several Provisions on Prohibiting Infringements of Trade Secrets** (原国家工商行政管理局令第41号) and sit under the **Anti-Unfair Competition Law (反不正当竞争法, "AUCL")** — this is fundamentally an IP / unfair-competition instrument, not a data-protection law. DCC tracks it because three of its provisions land squarely on data practice: what counts as a protectable "technical information" trade secret, what counts as a "reasonable confidentiality measure," and what counts as an "improper means" of taking one. ## Algorithms, data, and code as trade secrets — Article 5 Article 5 defines a trade secret as commercial information that is **not publicly known, has commercial value, and is subject to appropriate confidentiality measures by its rights holder**. Its second paragraph spells out what counts as **technical information**: structures, raw materials, formulas, materials, samples, patterns, processes, methods, **data, algorithms, computer programs and code** (数据、算法、计算机程序、代码). Putting algorithms, data, and code in the same statutory list as classic industrial trade secrets (formulas, processes) gives companies an explicit IP hook for treating a proprietary dataset or model as a trade secret asset, separate from — and stackable with — data-security classification under the DSL. ## Confidentiality measures for remote and cross-border work — Article 9 Article 9 lists eight categories of "reasonable confidentiality measures" that satisfy the statute's protection requirement. Seven track familiar practice (confidentiality agreements, staff training, restricted physical access, marking/classifying/encrypting materials, device-access controls, exit procedures for departing employees, and a catch-all). The new one is **item (4): technical confidentiality measures for remote-work and cross-border collaboration scenarios (远程办公、跨境协作等场景) — tiered access permissions (权限分级), data de-sensitization (数据脱敏), and retained operation logs (操作日志留痕)**. This is the first time these specific technical controls have been named in a Chinese trade-secret rule, and it effectively tells multinational companies and distributed teams what SAMR will look for as evidence of "adequate" protection when a misappropriation claim turns on whether the rights holder actually secured the information. ## Electronic intrusion and cloud exfiltration as "improper means" — Article 10 Article 10 prohibits acquiring a trade secret by theft, bribery, fraud, coercion, **"electronic intrusion" (电子侵入)**, or other improper means, and then lists five qualifying scenarios. Two are squarely data-security conduct: **item (3)** — unauthorized access to the rights holder's digital office systems, servers, mailboxes, cloud drives, or application accounts, or use of malicious programs or exploited vulnerabilities to obtain the secret — and **item (4)** — downloading or transmitting a trade secret, without authorization, beyond the scope of authorization, or after authorization has lapsed, **to an email account, cloud drive, or other network storage or device not controlled by the rights holder**. In effect, Article 10 supplies an administrative-enforcement analogue to conduct that would otherwise only be pursued as a data-security incident report or a cybercrime prosecution: an employee who copies a proprietary dataset to a personal cloud drive before resigning is now squarely "improper means" misappropriation that SAMR can investigate and fine, independent of any criminal referral. ## How it fits with related DCC-tracked laws The Provisions implement **AUCL Article 26**, which sets the penalty band (RMB 100,000–1,000,000, rising to RMB 1,000,000–5,000,000 for aggravated cases) that Article 24 of this rule cross-references directly — see DCC's entry on the [Anti-Unfair Competition Law](/laws/anti-unfair-competition-law/). They also overlap functionally with the **[Data Security Law](/laws/dsl/)**: where the DSL's classification-and-grading regime (important data, core data) governs a company's *general* data-security obligations, the Trade Secret Protection Provisions give a company an *ownership-based* claim over a specific dataset, algorithm, or codebase, enforceable against a named actor (an employee, a competitor, a departing contractor) rather than against the world. Companies building cross-border compliance programs will increasingly want both: DSL- grade classification for regulatory risk, and trade-secret confidentiality measures under Article 9 of this rule for enforceable ownership. ## Briefs on this law DCC briefs that turn on the Trade Secret Protection Provisions are linked from this page's "Briefs on this law" section (any post whose `laws:` references this entry). --- ## Implementation Opinions on the Standardized Application and Innovative Development of AI Agents - Chinese title: 智能体规范应用与创新发展实施意见 - Abbreviation: AI Agent Implementation Opinions - Hierarchy: rule - Issuing body: Cyberspace Administration of China (CAC), National Development and Reform Commission (NDRC), and Ministry of Industry and Information Technology (MIIT) - Adopted: 2026-05-08 - Effective: 2026-05-08 - Status: effective - URL: https://datacompliancechina.com/laws/ai-agent-standardization-innovation-opinion/ - Markdown: https://datacompliancechina.com/laws/ai-agent-standardization-innovation-opinion.md ### Summary CAC, NDRC, and MIIT's joint policy blueprint for AI agents (智能体) — autonomous systems that perceive, remember, decide, and act — sets 38 initiatives to grow the industry while keeping it 'safe and controllable.' Most of the document is industrial promotion outside DCC's scope, but Part Three sets the first governance-specific requirements for agents: boundaries between decisions users must make themselves, decisions requiring user authorization, and decisions an agent may make autonomously; agent-specific technical duties on data security, personal information protection, and anti-data-poisoning defenses; and a tiered, risk-based governance framework that layers filing, testing, and product-recall obligations onto agent deployments in sensitive sectors. It is a policy opinion, not a binding rule with penalty provisions, but it signals where CAC's next agent-specific rulemaking is headed. Overseas counsel advising on agentic AI products aimed at the China market should treat it as an early map of the compliance architecture to come. ### Full text > *DCC catalogue entry — summary, not full text.* ## Why this document matters for the data field The **Implementation Opinions on the Standardized Application and Innovative Development of AI Agents** (智能体规范应用与创新发展实施意见, released 8 May 2026 by **CAC**, **NDRC**, and **MIIT** jointly) is China's first dedicated policy document on **AI agents (智能体)** — systems the Opinions define as having "autonomous perception, memory, decision-making, interaction, and execution capabilities." It implements the State Council's broader "AI+" Action opinion and is structured as **38 initiatives across six parts**: basic principles, development infrastructure, safety governance, application promotion, ecosystem building, and implementation safeguards. Most of the document is industrial policy, not data-compliance rule-making. Part Two (infrastructure — agent identity systems, trusted interconnection, compliant payment, security protections), Part Four (18 sector-by-sector use-case initiatives spanning research, industry, consumer, public services, social governance, and public procurement), and Part Five (industry ecosystem-building, including encouraging firms to build overseas compliance capacity as agents expand internationally) read as promotion and coordination language rather than obligations, and DCC's sourcing filters would ordinarily screen this kind of AI-industry-strategy document out entirely. It earns a catalogue entry for one reason: **Part Three, "Guarding the Safety Bottom Line" (守牢安全底线), items 5 through 14**, is the first governance-specific text to address data handling and decision authority for AI agents, and it previews where CAC's next binding agent-specific rule is likely to land. ## The data-relevant clauses — Part Three, Items 5–14 Part Three has three subsections: product norms (items 5–7), risk prevention (items 8–10), and governance-system building (items 11–14). **Decision-authority boundaries (Item 6).** The Opinions instruct developers to draw clear lines among three modes of decision-making — matters reserved **exclusively to the user**, matters requiring **user authorization**, and matters an **agent may decide autonomously** — and to size each mode's permissions accordingly. Critically, it states that users must retain **the right to know about, and the final say over, an agent's autonomous decisions (知情权和最终决策权)**, and that an **agent's executed actions may not exceed the scope of the user's authorization**. This is the closest the document comes to a consent-and-scope rule for agentic AI, and it maps naturally onto PIPL's consent and minimum-necessary-processing principles when an agent is handling personal information on a user's behalf. **Behavioral controls (Item 7).** Developers are told to build "rule embedding" and "behavioral fencing" (行为围栏) technology so that agent conduct in public spaces, private spaces, and other designated settings stays lawful, and to explore blockchain-based mechanisms to make agent behavior in important application scenarios **verifiable and traceable**. **Agent-specific security duties (Item 8).** The Opinions call for research into agent **data security, personal information protection, cryptographic protection, attack detection, permissions management, and behavioral control** technologies, aimed specifically at agent-native risk categories: **data poisoning, privacy leakage, algorithmic tampering, system vulnerabilities, and loss of operational control**. It also calls for exploring an agent-specific security assessment system — a precursor, plausibly, to a dedicated agent security-assessment regime analogous to the Data Export Security Assessment or the algorithm security assessment. **Supply-chain security (Item 9).** Full-lifecycle security norms are called for across an agent's development, deployment, application, and maintenance, with particular attention to **model access, API calls, and the use of extension tools** — the plug-in and tool-calling architecture that distinguishes agents from standalone generative AI models — plus an information-sharing and early-warning mechanism for agent supply-chain security risk. **Derivative-risk mitigation (Item 10).** Regulators are directed to strengthen routine risk identification, early warning, and intervention mechanisms, including **human-machine collaborative review** and interception capabilities, aimed at preventing agents from being used for automated attacks, privacy violations, disinformation generation and spread, and telecom/online fraud. **Tiered, risk-based governance framework (Item 11).** This is the document's most consequential structural signal for compliance planning. Agents are to be governed under a **classified and tiered system (分类分级 治理)** calibrated to application scenario and potential impact: - For **sensitive fields and key industries**, the cyberspace administration will work with the relevant industry regulator to define which scenarios may open up, and will apply **filing, testing, and defective-product recall** requirements based on applicable law and sector security-protection standards. - For **lower-risk scenarios** — everyday life, entertainment, routine office use — the emphasis shifts to lighter-touch tools: improved agent evaluation and testing tools, compliance self-assessment, information reporting, distribution-platform management, and industry self-regulation. Items 12–14 round out the governance-system section: building out professional compliance services (risk monitoring, testing and evaluation, consulting, certification — Item 12); pushing agent development platforms, distribution platforms, and service providers to adopt fair platform rules, user agreements, and privacy policies that clarify each side's rights and obligations (Item 13); and exploring a credit-based evaluation and blacklisting mechanism for technology misuse, induced consumption, false advertising, and concealment of known defects (Item 14). Item 5, which opens the product-norms subsection, is a catch-all instruction to keep policy, regulation, and ethical review in step — guarding against agents using data advantages or personification techniques to spread harmful values or engage in "algorithmic exploitation," and against addiction, over-attachment, or emotional dependency risks for minors and the elderly. ## How it fits with related DCC-tracked instruments The Opinions sit above, and anticipate, several rules DCC already tracks. The decision-authority and user-consent language in Item 6 extends **PIPL**'s consent and automated-decision-making principles into agentic contexts. The supply-chain and tool-calling security duties in Items 8–9 build on the model-level obligations already set by the [Interim Measures for the Management of Generative Artificial Intelligence Services](/laws/genai-services-interim-measures/), extending them to the plug-in/tool layer that sits on top of a model. The tiered governance framework in Item 11 echoes the classification-and-grading logic used elsewhere in Chinese data law — including the [Opinions on Building the Fundamental Data System](/laws/data-foundation-system-opinions/) — and previews a filing/testing/recall regime that, if formalized, would give agents their own version of the algorithm-filing mechanism under the [Provisions on the Administration of Algorithmic Recommendation Services](/laws/algorithmic-recommendation-provisions/). As a set of "Implementation Opinions" rather than a departmental rule, this document carries no penalty clauses of its own; its significance for counsel is predictive — it is the clearest public signal yet of what a future binding CAC rule on AI agents will likely require. ## Briefs on this law DCC briefs that turn on the AI Agent Implementation Opinions are linked from this page's "Briefs on this law" section (any post whose `laws:` references this entry). --- ## Measures for the Classification of Online Information That May Affect the Physical and Mental Health of Minors - Chinese title: 可能影响未成年人身心健康的网络信息分类办法 - Abbreviation: Minors Harmful-Info Classification Measures - Hierarchy: rule - Issuing body: Cyberspace Administration of China (CAC) and seven other departments - Adopted: 2025-12-26 - Effective: 2026-03-01 - Status: effective - URL: https://datacompliancechina.com/laws/minors-harmful-info-classification-measures/ - Markdown: https://datacompliancechina.com/laws/minors-harmful-info-classification-measures.md ### Summary A short but operationally important CAC-led rule that, for the first time, defines and catalogues a middle tier of online content: material that falls short of outright illegal content but may still harm minors' physical or mental health. It sorts this content into four classes — inducements to imitate unsafe or antisocial behavior, content harmful to values, improper use of a minor's image, and improper disclosure or use of a minor's personal information — and requires platforms to label it prominently and keep it out of high-traffic slots like homepages, push notifications, and trending lists when the audience includes minors. For overseas counsel, Article 6's personal-information category is the one to watch: it reaches conduct such as showing an under-14's schooling or daily life in enough detail to expose identifying information without guardian consent, or content that induces minors to disclose their own or others' personal information, layering content-moderation duties on top of existing PIPL and minors-protection consent obligations. ### Full text **Promulgated by:** Cyberspace Administration of China (CAC), National Press and Publication Administration (National Copyright Administration), National Film Administration, Ministry of Education (MOE), Ministry of Industry and Information Technology (MIIT), Ministry of Public Security (MPS), Ministry of Culture and Tourism, and National Radio and Television Administration (NRTA). **Document No.:** Guo Xin Ban Tong Zi [2025] No. 5 (国信办通字〔2025〕5号). **Issued December 26, 2025. Effective March 1, 2026.** --- **Article 1.** These Measures are formulated in order to foster an online environment conducive to the physical and mental health of minors, and to further clarify the specific types, scope, criteria for judgment, and warning methods for online information that may affect the physical and mental health of minors, in accordance with the Law of the People's Republic of China on the Protection of Minors, the Cybersecurity Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Regulations on the Protection of Minors in Cyberspace, the Administrative Measures for Internet Information Services, the Provisions on the Governance of the Online Information Content Ecosystem, the Provisions on the Governance of Cyberbullying Information, and other relevant laws and regulations. **Article 2.** For the purposes of these Measures, "online information that may affect the physical and mental health of minors" refers to information that is not illegal information containing content harmful to the physical and mental health of minors as provided by laws and regulations, but that is published and disseminated via the internet and may trigger or induce minors to imitate unsafe behavior, engage in conduct that violates social morality, develop extreme emotions, or form bad habits. **Article 3.** Information that may trigger or induce minors to imitate or engage in undesirable conduct includes, but is not limited to: (1) content containing sexual innuendo, sexual teasing, or other content that easily gives rise to sexual associations; (2) content involving cyberbullying-related undesirable material such as accusation, mockery, belittlement, or discrimination; (3) content that incites group discrimination, regional discrimination, confrontation, or conflict; (4) content that, through deliberate provocation or malicious inducement, triggers excessively intense or persistent extreme emotions in minors such as anger, fear, or depression; (5) content depicting unsafe driving or other dangerous acts that induces imitation of high-risk behavior, entry into dangerous areas, or other conduct that may harm physical health; (6) content that disseminates undesirable online language through homophones, abbreviations, character decomposition, combinations of text and images, or similar means; (7) content that promotes undesirable lifestyle habits among minors such as smoking (including e-cigarettes), drinking, binge eating, tattooing, or improper use or abuse of medication; (8) content that promotes conduct violating school rules and discipline, such as ghostwriting or plagiarizing homework, cheating, truancy, or school bullying; (9) content that induces minors to blindly worship celebrities or participate in irrational, extreme "fan-club" (饭圈) conduct; (10) content that induces minors to engage in irrational consumption such as top-ups or tipping; (11) content that teaches minors to make handicrafts with creative but harmful features; (12) content that offers or solicits, in relation to minors, services such as paid companionship in gaming or chatting, or paid substitute play/matches; (13) other information that may trigger or induce minors to imitate or engage in undesirable conduct. **Article 4.** Information that may have a negative impact on minors' values includes, but is not limited to: (1) content that promotes disregard for life or self-deprecation; (2) content that promotes undesirable values such as extravagance and hedonism, flaunting wealth and money worship, or negativity and decadence; (3) content that promotes distorted aesthetic standards or vulgar culture; (4) pseudo-scientific content that promotes the absurd, the bizarre, or alarmist claims; (5) content that promotes undesirable views on friendship or romantic relationships; (6) content that promotes notions such as "reading is useless," "scores are all that matter," or "admission to a higher-level school is all that matters"; (7) other undesirable value orientations that promote conduct contrary to public order, good morals, and social ethics. **Article 5.** Information involving improper use of a minor's image includes, but is not limited to: (1) content that uses a minor's image to stage or act out storylines containing undesirable values or improper words and conduct; (2) content that uses a minor's image to display or market products or services unsuitable for minors; (3) content that uses a minor's voice to disseminate undesirable content; (4) content that seeks attention by mocking a minor or building a controversial persona around a minor; (5) content that accumulates popularity or seeks profit by having a minor pose for extended periods in short videos; (6) content that tests a minor's character or morals through improper means or for improper purposes; (7) content that distorts or sensationalizes a minor's involvement in unlawful or criminal conduct; (8) other improper disclosure and use of a minor's image. **Article 6.** Improper disclosure and use of a minor's personal information includes, but is not limited to: (1) improperly showing, without the consent of a guardian, the schooling, daily life, or other details of a minor under the age of 14 in a manner that may expose the minor's personal information; (2) inducing a minor to publish content that may disclose the minor's own personal information or that of others; (3) other improper disclosure and use of a minor's personal information. **Article 7.** With respect to online information that may affect the physical and mental health of minors, producers of online information content and providers of network products and services shall, in accordance with the requirements of laws and regulations such as the Provisions on the Governance of the Online Information Content Ecosystem and the Provisions on the Governance of Cyberbullying Information, adopt preventive and resistance measures to avoid affecting the physical and mental health of minors. **Article 8.** With respect to online information that may affect the physical and mental health of minors, organizations and individuals that produce, reproduce, publish, or disseminate such information shall, in accordance with the requirements of the Regulations on the Protection of Minors in Cyberspace, make a prominent warning in a conspicuous position before the information is displayed. Providers of network products and services shall provide users with a labeling function capable of adding a prominent warning effect, and shall guide and standardize users' use of such warnings on relevant information. Specific warning methods include: (1) for text, adding a textual warning or a common symbol at the beginning, end, or an appropriate position in the middle of the text, or adding a prominent warning label in the interactive interface or around the text; (2) for audio, adding a voice warning or an audio-rhythm warning at the beginning, end, or an appropriate position in the middle of the audio, or adding a prominent warning label in the interactive interface; (3) for images, adding a prominent warning label at an appropriate position on the image or in the interactive interface; (4) for video, adding a prominent warning label at the opening frame and around the video-playback area, with an optional prominent warning label at the end or an appropriate position in the middle of the video, or in the interactive interface; (5) for virtual scenes, adding a prominent warning label at an appropriate position in the opening frame, with an optional prominent warning label at an appropriate position during the ongoing virtual-scene service; (6) other prominent warning methods suited to the characteristics of other service scenarios. **Article 9.** Providers of network products and services shall implement the requirements of the Regulations on the Protection of Minors in Cyberspace and shall not present online information that may affect the physical and mental health of minors in prominent positions of a product or service, or in key segments that easily attract user attention, such as the homepage, first screen, pop-up windows, trending searches, rankings, recommendations, or featured-content sections. Providers of services such as algorithmic recommendation or generative artificial intelligence shall establish and improve safety management systems and technical measures, and shall not push online information that may affect minors' physical and mental health to minors. No organization or individual may produce, reproduce, publish, or disseminate online information that may affect the physical and mental health of minors within network products and services dedicated specifically to minors as their service recipients. **Article 10.** Violations of these Measures shall be handled in accordance with the Cybersecurity Law of the People's Republic of China, the Regulations on the Protection of Minors in Cyberspace, and other applicable laws and administrative regulations. These Measures shall come into force as of March 1, 2026. --- ## Measures for the Administration of Cybersecurity in the Banking and Insurance Sectors (Draft for Public Consultation) - Chinese title: 银行业保险业网络安全管理办法(征求意见稿) - Abbreviation: Banking & Insurance Cybersecurity Measures (Draft) - Hierarchy: draft - Issuing body: National Financial Regulatory Administration - Status: draft - URL: https://datacompliancechina.com/laws/banking-insurance-cybersecurity-measures-draft/ - Markdown: https://datacompliancechina.com/laws/banking-insurance-cybersecurity-measures-draft.md - Source URL: https://www.nfra.gov.cn/cn/view/pages/ItemDetail.html?docId=1264207&itemId=951 ### Summary A July 10, 2026 public-consultation draft in which the National Financial Regulatory Administration (NFRA) would consolidate cybersecurity supervision of banking financial institutions, insurance financial institutions, and financial holding companies into a single 72-article sectoral rulebook under the CSL, DSL, PIPL, and CII Regulations, expressly interlocking with the cross-sector financial-industry cybersecurity measures released for comment on July 3. The draft fixes board and Party-committee primary responsibility with the institution's principal officer as first person responsible; requires an independent cybersecurity risk-management function, network security domains with minimum-necessary cross-domain access, a six-month log-retention floor, closed-loop vulnerability management with industry-impact reporting, pre-launch security testing for MLPS Level 3-and-above and internet-facing systems, supply-chain product inventories, and annual penetration testing plus a triennial cybersecurity audit. A four-tier incident scale keyed to data compromise and outage duration drives reporting clocks: two hours to the NFRA for Level 3 and above, with two-hourly progress reports for Level 1 incidents. A dedicated CII chapter requires domestic operation and maintenance, disaster-recovery centers capable of fully taking over production, MLPS grading no lower than Level 3, cybersecurity review of procurement that may affect national security, annual procurement-list filing, a 24/7 security operations center, in-house mastery of key technologies, and a one-hour incident-reporting deadline to the NFRA and public security authorities. Comments close August 10, 2026. ### Full text **Released for public comment:** July 10, 2026. **Public-comment deadline:** August 10, 2026. > *Summary entry. The original Chinese consultation text released through the > National Financial Regulatory Administration controls. DCC's structured > summary of the draft is published as a brief: > [NFRA Opens Consultation on Banking and Insurance Cybersecurity Measures](/posts/nfra-banking-insurance-cybersecurity-measures-draft/).* ## Source documents - **Official consultation page:** [NFRA](https://www.nfra.gov.cn/cn/view/pages/ItemDetail.html?docId=1264207&itemId=951) ## Structure Eight chapters, 72 articles, plus a grading annex: General Provisions; Cybersecurity Governance; Cybersecurity Construction and Operation Management; Cybersecurity Risk Monitoring; Cybersecurity Incident Response and Disposal; Critical Information Infrastructure Management; Supervision and Administration; Supplementary Provisions. The annex sorts cybersecurity incidents into four tiers — extraordinarily major (Level 1), major (Level 2), relatively major (Level 3), and ordinary (Level 4) — by data-security impact, outage duration and geographic spread, and harm to national security, social order, and the public interest. ## Relationship to the July 3 financial-sector draft The NFRA states that this draft interlocks with the [Measures for Cybersecurity Management in the Financial Sector (Draft for Comment)](/laws/financial-sector-cybersecurity-management-measures-draft/) released July 3 by the four State Council financial management departments: the cross-sector text sets the common frame, while this rule supplies the banking-and-insurance implementation layer, with materially tighter operational requirements — reporting clocks, disaster-recovery takeover capability, the 24/7 security operations center, and annual attack-defense exercises among them. --- # II. BRIEFINGS ## The School Is Not a Bystander: Three Model Cases on Schools' Duties in Minors' Online Protection - Published: 2026-07-15 - Author: DCC Editorial - Tags: minors-protection, cyberbullying, privacy, reputation, internet-court, procuratorial-recommendation, schools, internet-addiction, compliance - Laws cited: minors-protection-law, minors-online-protection-regulations, minors-school-protection-provisions, civil-code-personal-info - Domains: minors-protection, personal-information, enforcement - URL: https://datacompliancechina.com/posts/schools-role-minors-online-protection/ - Markdown: https://datacompliancechina.com/posts/schools-role-minors-online-protection.md - Original source: https://mp.weixin.qq.com/s/jvq2lSjDsfMRpIT-DqqWjA - Original author: 余苏 (Yu Su), 张美怡 (Zhang Meiyi), 潘扬璋 (Pan Yangzhang), JunHe LLP - Original publication: 君合法律评论 (JunHe Legal Review) WeChat Official Account ### Description Minors' online protection is usually framed as a job for parents and platforms. Three model cases — a Guangzhou Internet Court judgment on defamation in a parent–school WeChat group, a Supreme People's Procuratorate case where procuratorial recommendations pushed a school to build bullying-control systems after a privacy video spread, and a Zhejiang case where a predator used an unauthorized school-named 'confession wall' account to reach students — show Chinese courts and procuratorates deliberately pulling schools into the frame. JunHe's education team distills the school's three statutory functions: internet-literacy education (Minors Protection Law Arts. 64 and 70, Online Protection Regulations Art. 16), cyberbullying prevention and response (Minors Protection Law Art. 39; School Protection Provisions Art. 21), and internet-addiction intervention (Minors Protection Law Art. 71; Regulations Art. 40). The liability stack for schools that do nothing: administrative correction orders and sanctions under Regulations Art. 51, plus civil supplementary liability under Civil Code Art. 1201. Four recommendations follow: documented literacy and AI-content-discrimination education, a staffed-up 'rule-of-law vice principal' mechanism, a full discover–stop–report–handle bullying protocol, and compliance with device-management and anti-addiction requirements. With 196 million minor netizens at 97.3% penetration, the authors argue schools are the 'main battlefield' whether they like it or not. ### Body > *Editor's Note — DCC.* > > DCC's minors-protection coverage has mostly tracked the platform side — > most recently the minors'-mode duties under the > [AI anthropomorphic interaction rules](/posts/anthropomorphic-ai-measures-take-effect-field-guide/). > This JunHe piece (published July 9, 2026) shows the other enforcement > surface: courts and procuratorates using model cases, judicial letters, and > procuratorial recommendations (检察建议) to make *schools* an operational > node of the [Regulations on the Protection of Minors in Cyberspace](/laws/minors-online-protection-regulations/). > Relevant reading for edtech providers, international schools, and anyone > whose product or institution touches Chinese students: the duties described > here are what regulators expect schools to demand of their vendors and > partners. In many people's minds, guiding minors to use the internet sensibly is a job for parents and platforms, with no direct connection to schools. The reality is that cyberspace is deeply interwoven with campus life, and the resulting problems force a rethink. When abusive remarks appear in a home–school WeChat group set up in the school's or a class's name, does the school have a management duty? When someone spreads a student's private video and personal information online and incites abusive pile-ons that seriously damage the student's physical and mental health, what should the school do? When school-related "confession wall" (表白墙) social accounts publish content harmful to students, can the school still stand aside? These practical dilemmas keep interrogating the school's function and position in minors' online protection. Since the 2020 revision of the Law on the Protection of Minors first added a dedicated "Network Protection" chapter, the legislative level has been explicit about both the importance of minors' online protection and the school's systematic responsibilities. On March 12 this year, the Fourth Session of the Fourteenth NPC adopted the Outline of the 15th Five-Year Plan, which expressly calls for "strengthening the online protection of minors." Around this year's June 1 Children's Day, the Beijing Internet Court released its White Paper on Judicial Protection of Minors Online (2021–2026) (May 28, 2026): minors-related online disputes accepted by that court surged from 50 cases in 2021 to 997 in 2025 — a nearly twenty-fold increase. The same day, the Guangzhou Internet Court held a press conference releasing ten model cases on judicial protection of minors online. National and local courts and procuratorates, in other words, are using model cases to steer schools toward an active role. The authors analyze what these cases say about the school's functions, duties, and liability. ## I. Three model cases ### Case 1 — Defamation in the parent group; court and school jointly contain the spread *Guangzhou Internet Court model case (released May 28, 2026): Li v. Huang, online tort liability.*¹ Sixteen-year-old Li had a conflict with classmate Zhao. Zhao's mother, Huang, posted insulting remarks about Li in the parents' WeChat group, accusing Li of theft. Li's school life was severely affected; unable to bear classmates' gossip, Li was diagnosed with moderate depression and mania. Li sued, seeking an immediate end to the infringement, a public apology, and damages for emotional harm. The Guangzhou Internet Court held that Huang — without verification by the school, public security, or any other authority — had published insulting and defamatory statements about a minor in the parent group, infringing Li's right to reputation. It ordered Huang to cease the infringement, apologize, and pay RMB 10,000 in emotional-distress damages and reasonable expenses. The judgment is final. The court did not stop at the judgment: through written letters it proactively engaged the school, assessed the psychological state and schoolwork of both Li and Zhao, and worked with the school to strictly control the spread of the abusive remarks on campus — minimizing secondary harm and heading off knock-on effects inside the school. ### Case 2 — A privacy video spreads; procuratorial recommendations push the school to build systems *Supreme People's Procuratorate model case on comprehensive performance of duties in minors' online protection: the Feng privacy case.*² From October to November 2020, the minor Zou covertly filmed a private video of classmate Feng and sent it to others. Another student, Xiang, demanded the video from Zou and harassed Feng through a chat app. The video and the attendant commentary spread to Feng's school, severely affecting Feng's studies and life. The Shangcheng District People's Procuratorate in Hangzhou, Zhejiang, supported Feng and Feng's guardian in filing a privacy-infringement suit and helped assemble key evidence. The court granted all claims, ordering Zou to cease the infringement, apologize in writing, and pay emotional-distress damages. Afterwards the procuratorate visited the school repeatedly and issued procuratorial recommendations (检察建议) helping it establish bullying-prevention-and-control systems. The school disciplined the students who had committed bullying and privacy infringement under its rules, and used spread-control and privacy-protection measures to minimize the incident's impact on Feng. ### Case 3 — Unauthorized school-named "confession wall" accounts; CAC office ordered to clean up *Zhejiang Provincial People's Procuratorate model case: supervising the regulation of campus "confession wall" accounts.*³ In March 2023, the Longquan City People's Procuratorate discovered in a criminal case that the suspect Ji had used information posted on a WeChat "confession wall" account named after a local middle school to add multiple enrolled students as friends, arranged offline meetings, and sexually assaulted one girl. Investigation revealed that all seven urban middle schools had unauthorized school-named "confession wall" accounts, publishing dating-related personal information as well as harmful content — abuse of others, e-cigarette and tattoo advertising. In May 2023 the procuratorate issued a pre-litigation procuratorial recommendation to the Longquan cyberspace affairs office proposing a special clean-up. The office conducted regulatory interviews (约谈) with the operators of the seven school-named accounts and imposed discipline, cancelled the accounts, had each school's Youth League committee open official accounts for student exchange instead, and established account-management rules governing content publication and day-to-day operation. ## II. The school's three functions in minors' online protection Reading the Law on the Protection of Minors, the Regulations on the Protection of Minors in Cyberspace, and the Provisions on the Protection of Minors by Schools together, the school's functions fall into three core dimensions. ### 1. Internet-literacy education The school is the main front for minors' internet-literacy education, bearing first-line responsibility for cultivating students' ability to use the internet scientifically, civilly, safely, and reasonably. Article 64 of the Law on the Protection of Minors requires the state, society, schools, and families to strengthen internet-literacy education. Article 16 of the Regulations details the school's part: literacy content goes into teaching activities; the internet is used reasonably in instruction; students are helped to form good online habits, build awareness of network security and network rule of law, and strengthen their ability to obtain and critically judge online information. In Case 3, for instance, the school had a duty to guide school-related channels to speak reasonably and compliantly, to forbid unauthorized individuals from publishing harmful content in the school's name, and to guide students toward sound online habits. Note also Article 70 of the Law: schools shall use the internet reasonably in teaching, and minor students may not bring smartphones or other smart terminals into class without school permission — devices brought to school are subject to unified management. That statutory device-management duty is itself an expression of the law's expectation that schools cultivate healthy internet habits. ### 2. Preventing and handling cyberbullying The internet is a hotbed of rumor, and online rumors spreading across online and offline layers can easily injure minors whose minds are still maturing. Article 21 of the School Protection Provisions imposes a prompt-intervention duty: teachers and staff who discover a student "fabricating facts to defame others, spreading rumors or false information to disparage others, or maliciously disseminating others' privacy through networks or other information-dissemination means" must stop it promptly. For false and insulting information targeting a minor, as in Case 1, the school must take effective measures to stop further spread — containing the rumor while shielding the minor from psychological harm. Article 39 of the Law goes further: schools must establish a student-bullying prevention-and-control system, train staff and students, immediately stop bullying, involve the parents or guardians of both the bullying and bullied students in determining and handling the incident — and must not conceal serious bullying, which must be reported promptly to public security and education authorities. The procuratorial recommendations in Case 2, pushing the school to build exactly such systems, are that duty made visible. ### 3. Preventing and addressing internet addiction The internet is meaningfully addictive for minors, and the school — the actor best placed to notice attention problems caused by addiction — carries statutory reminder-and-education duties. Article 71 of the Law: a school that discovers a minor student addicted to the internet shall promptly inform the parents or other guardians and jointly educate and guide the student back to normal study and life. To catch problems early, Article 40 of the Regulations requires schools to strengthen teacher guidance and training, improving teachers' capacity for early identification of and intervention in student internet addiction. ## III. Liability, and four recommendations What if a school fails these duties? Under Article 51 of the Regulations, a school that does not perform its minors' online-protection duties is ordered to correct by the education authorities; where it refuses or the circumstances are serious, responsible leaders and directly responsible personnel face sanctions. Beyond administrative liability, Article 1201 of the Civil Code provides that where a student suffers personal injury at school from a third party (such as another student), the third party bears tort liability — and the school bears corresponding **supplementary liability** if it failed its management duties. Cyberbullying and online reputation cases arising during the school day can therefore end in civil liability for the school too. The authors' recommendations: 1. **Strengthen internet education and network-security legal education — and document it.** Fold internet literacy into daily teaching; put literacy courses on the curriculum list; offer courses on network security and on distinguishing AI-generated content; run themed activities; and give staff dedicated training on internet addiction so problems surface early. Keep records of all of it. 2. **Deepen the "rule-of-law vice principal" (法治副校长) mechanism.** Use it to link up with local courts' juvenile tribunals, procuratorates' juvenile divisions, and law firms — mock courts on campus, lawyers and judges in classrooms. Schools can borrow from the Guangzhou Internet Court's Five-Year Plan for Judicial Protection of Minors Online (2026–2030): staff the vice principal with psychological counselors, network-technology specialists, and home–school liaison officers to form a complementary professional team embedded in the school's protection mechanism. 3. **Build a bullying prevention-and-control system covering the full discover–stop–report–handle chain.** When an online-infringement or cyberbullying dispute involving minors erupts, take effective measures to stop escalation and secondary harm, keep a full paper trail throughout, and bring in professional lawyers promptly. 4. **Strengthen minors' network-compliance work generally.** The Law, the Regulations, and the School Protection Provisions all set supervisory requirements on internet-access facilities, installation of protective software, anti-addiction mechanisms, and management of smartphones and other smart terminals. Schools should implement central and local requirements in full — or expect correction orders and other administrative measures. Per the Sixth National Survey on Minors' Internet Use (released by the Central Committee of the Communist Youth League at the Wuzhen Summit's minors' online protection forum, November 21, 2024), China has 196 million minor netizens and an internet-penetration rate among minors of 97.3%. Minors are digital natives in the literal sense. The internet is embedded in every layer of their study, social life, and entertainment — bringing broad opportunity, but also, with fast-iterating AI, new species of harmful information, personal information leakage, cyberbullying, and privacy infringement that weigh on minds still maturing. The school, as a core arena of minors' growth, should be the "main battlefield" of their online protection — with institutionalized systems as the foundation and full-process compliance in incident response. --- **Notes** 1. Guangzhou Internet Court, "Model Cases on Judicial Protection of Minors Online (II)," June 2, 2026: 2. Supreme People's Procuratorate, "Model Cases on Procuratorial Organs' Comprehensive Performance of Duties in Strengthening Minors' Online Protection," May 31, 2023: 3. Zhejiang Procuratorate, "Model Cases on Judicial Protection of Minors by Zhejiang Procuratorial Organs," May 29, 2024: --- **Source:** 余苏 (Yu Su, partner), 张美怡 (Zhang Meiyi), and 潘扬璋 (Pan Yangzhang), "未成年人网络保护进行时——从典型案例看学校的网络保护职能," published July 9, 2026 on the JunHe Legal Review (君合法律评论) WeChat Official Account, [original article](https://mp.weixin.qq.com/s/jvq2lSjDsfMRpIT-DqqWjA). Yu Su's practice covers education, life sciences and health, compliance, and dispute resolution. Per the source's own disclaimer, the article represents the authors' personal views and is not a formal legal opinion of JunHe. — Not legal advice. --- ## One Company, Four Reviews: JunHe Maps China's Security-Review 'Matrix' in the Security-First Era - Published: 2026-07-15 - Author: DCC Editorial - Tags: security-review, national-security, cybersecurity-review, data-export, risk-assessment, foreign-investment, overseas-listing, important-data, ai-companies, compliance - Laws cited: network-data-security-risk-assessment-measures, cybersecurity-review-measures, data-export-security-assessment-measures, foreign-investment-security-review-measures, csl, dsl, pipl, network-data-security-regulations, gbt-45577-data-security-risk-assessment - Domains: data-security, cross-border, cybersecurity-review - URL: https://datacompliancechina.com/posts/china-four-security-review-matrices/ - Markdown: https://datacompliancechina.com/posts/china-four-security-review-matrices.md - Original source: https://mp.weixin.qq.com/s/5eWIRTfZ7tVgWLJhP1mfaA - Original author: 陈思佳 (Chen Sijia), JunHe LLP - Original publication: 君合法律评论 (JunHe Legal Review) WeChat Official Account ### Description With the Measures for Network Data Security Risk Assessment (Order No. 24) in place, China's security-review architecture has four operating pillars: foreign investment security review (NDRC + MOFCOM), cybersecurity review (CAC + 12 departments), data export security assessment (CAC), and the new normalized network data security risk assessment (CAC coordination + sectoral authorities). JunHe lawyer Chen Sijia walks each regime through the same five questions — who reviews, what is reviewed, when review is triggered, and with what legal consequences — and lands on two points overseas counsel should not miss. First, the four regimes differ in kind: the first three are ex-ante, admission-style reviews with veto power, while the risk assessment is an annual, improvement-oriented 'physical exam.' Second, review decisions are effectively final — the mainstream view treats them as final administrative acts with no administrative reconsideration or litigation available — so cooperation during the review is the only real strategy. A closing lifecycle walkthrough shows how a single AI-model company can trip all four lines in sequence: FDI review at fundraising, cybersecurity review at GPU procurement, export assessment at model training, cybersecurity review again at foreign listing, and the annual risk assessment as a standing duty. ### Body > *Editor's Note — DCC.* > > The Measures for Network Data Security Risk Assessment > (《网络数据安全风险评估办法》, CAC–MIIT–MPS Order No. 24) were promulgated > June 18, 2026 and take effect August 20, 2026. DCC has published > [the full instrument and a close reading](/posts/network-data-risk-assessment-measures-operationalizing-the-dsl/) > and [a self-identification guide for important-data handlers](/posts/important-data-handler-self-identification-annual-assessment/). > This JunHe piece answers the next question: where the new Measures sit in > China's wider security-review architecture. Its useful move is to run four > regimes — foreign investment security review, cybersecurity review, data > export security assessment, and the new risk assessment — through one > five-question grid, and its practical warning is about finality: for the > three admission-style reviews there is effectively no ex-post remedy. > > Two reading notes. The author cites the Cybersecurity Law by its > 2025-amended article numbering (e.g., the penalty for using unreviewed > products appears as Article 67). And the "matrix" characterizations — > filter, gatekeeper, pass, physical exam — are the author's, as is the > closing AI-company walkthrough. The tables below are reconstructed from > the original. On June 18, 2026, the Cyberspace Administration of China (CAC) released the [Measures for Network Data Security Risk Assessment](/laws/network-data-security-risk-assessment-measures/) — adding another important piece to China's security-review puzzle. ## I. The map of China's security reviews The foundation of security review is national security, and national security has been the theme of the era. Geopolitical conflict and great-power competition have pushed its importance to a new height, and China — guided by the holistic approach to national security (总体国家安全观) — is accelerating a new "security first" (安全至上) macro-governance posture. China has no single, unified national security review system. Instead, national security is broken down into separate dimensions — foreign investment; specific items and key technologies; network information technology products and services — each with its own security review. A preliminary survey of security-review provisions at the level of statute: | Review field | Law | Key provision | | --- | --- | --- | | National security | National Security Law (2015, Presidential Decree No. 29) | The State establishes systems and mechanisms for national security review and oversight, conducting national security review of **foreign investment; specific items and key technologies; network information technology products and services; construction projects involving national-security matters; and other major matters and activities** that affect or may affect national security, to effectively prevent and defuse national-security risks. | | Foreign investment | Foreign Investment Law (2020, Presidential Decree No. 26) | The State establishes a foreign investment security review system to review foreign investment that affects or may affect national security. A security review decision made in accordance with law is **final**. | | Foreign investment | Anti-Monopoly Law (2022, Presidential Decree No. 116) | Where a foreign investor's merger with or acquisition of a domestic enterprise, or other participation in a concentration of undertakings, involves national security, a national security review must be conducted under relevant state provisions in addition to the concentration review under the Anti-Monopoly Law itself. | | Foreign investment | Food Security Guarantee Law (2023, Presidential Decree No. 17) | Foreign investment in grain production and operation that affects or may affect national security must undergo foreign investment security review under relevant state provisions. | | Foreign investment | Hainan Free Trade Port Law (2021, Presidential Decree No. 85) | The foreign investment security review system is implemented in the Hainan Free Trade Port in accordance with law, reviewing foreign investment that affects or may affect national security. | | Network information technology products and services | Cybersecurity Law (2025 amendment) | Where a critical information infrastructure operator (CIIO) procures network products and services that may affect national security, the procurement must pass a national security review organized by the national cyberspace administration together with relevant State Council departments. | | Network information technology products and services | Data Security Law (2021, Presidential Decree No. 84) | The State establishes a data security review system, conducting national security review of data processing activities that affect or may affect national security. | | Network information technology products and services | Cryptography Law (2020, Presidential Decree No. 35) | Where a CIIO procures network products and services involving commercial cryptography that may affect national security, the procurement must pass a national security review organized by the national cyberspace administration together with the state cryptography administration and other relevant departments, per the Cybersecurity Law. | | Biology / agriculture | Biosecurity Law (2024 amendment) | The State establishes a biosecurity review system: major biological-field matters and activities that affect or may affect national security undergo biosecurity review by relevant State Council departments. | | Biology / agriculture | Seed Law (2022, Presidential Decree No. 105) | The State establishes a national security review mechanism for the seed industry, covering overseas institutions' and individuals' investment in, acquisition of, or technical cooperation with domestic seed enterprises and research institutes. | Most of these statutory provisions run to only an article or two. Making security review actually operate usually requires more concrete implementing rules — and those rules are the core of China's security-review system. ## II. The four security-review "matrices" To implement security review in the foreign-investment field, the [Measures for the Security Review of Foreign Investments](/laws/foreign-investment-security-review-measures/) were adopted. (With the issuance of the Provisions of the State Council on Outbound Investment (《国务院关于对外投资的规定》), an outbound-investment national security review was also established at the administrative-regulation level, creating two-way review of investment "coming in" and "going out" — but because the detailed implementing rules have not yet landed, the author leaves it outside this article's scope.) To implement security review in the network field, the [Cybersecurity Review Measures](/laws/cybersecurity-review-measures/) were adopted. To implement the PIPL's security assessment for providing personal information abroad and the DSL's export security management of important data, the [Measures for the Security Assessment of Data Export](/laws/data-export-security-assessment-measures/) were adopted. To implement security review in the data field, the Measures for Network Data Security Risk Assessment were adopted. Together these build China's four security-review "matrices," marking a new, more granular and standardized stage of security governance. How these parallel, differently focused reviews are understood and applied is a red line for corporate operations. Below, each matrix is unpacked against the same questions: who reviews, what is reviewed, and when review is mandatory. ### 1. Foreign investment security review **Background.** The current Measures for the Security Review of Foreign Investments (2020) implement the security-review system created by the Foreign Investment Law and are China's first dedicated foreign-investment security-review instrument. **Who reviews?** The State has established a working mechanism for foreign investment security review, responsible for organizing, coordinating, and guiding the work. The working mechanism's office is housed at the National Development and Reform Commission (NDRC); the NDRC and the Ministry of Commerce (MOFCOM) take the lead and handle day-to-day review work. **What is reviewed?** - Investment in key sectors bearing on national defense — military industry, military-industry support, and similar fields — and investment in areas near military facilities and military-industry facilities: subject to review **regardless of whether control is acquired**. - Investment in important agricultural products, important energy and resources, major equipment manufacturing, important infrastructure, important transport services, important cultural products and services, important information technology and internet products and services, important financial services, key technologies, and other important fields bearing on national security, **where the investor acquires actual control** of the invested enterprise. **When?** Ex-ante. During the review period and before the working mechanism office issues its decision, the parties must not implement the investment. **Legal consequences.** - Cleared: the investment may proceed. - Prohibited: the investment must not proceed; if already implemented, the parties must divest equity or assets within a prescribed period and take other necessary measures to restore the pre-investment state and eliminate the national-security impact. - Conditionally cleared: the investment proceeds subject to the attached conditions. - Failure to file when filing was required: ordered to file; on refusal, ordered to divest equity or assets within a prescribed period and restore the pre-investment state. ### 2. Cybersecurity review **Background.** The 2016 Cybersecurity Law established that CIIO procurement of network products and services that may affect national security must pass a national security review organized by the national cyberspace administration together with relevant State Council departments. The 2017 trial measures for network products and services were the first implementation; the Cybersecurity Review Measures followed in 2020 and were revised in 2021 into the currently effective text. Per the CAC's own press Q&A, the 2021 revision responded to the Data Security Law taking effect on September 1, 2021, which mandated a state data security review system: the revision brought network platform operators' data processing activities that affect or may affect national security into the review scope, and required network platform operators holding personal information of more than one million users to file for cybersecurity review before listing abroad.¹ **Who reviews?** Under the leadership of the Central Cybersecurity and Informatization Commission, the CAC together with twelve departments — NDRC, MIIT, MPS, MSS, MOF, MOFCOM, PBOC, SAMR, NRTA, CSRC, the State Secrecy Administration, and the State Cryptography Administration — has established the national cybersecurity review working mechanism. The Cybersecurity Review Office, housed at the CAC, drafts the rules and organizes reviews. **What is reviewed?** *CIIO procurement* of network products and services, where the products and services in use affect or may affect national security, including: - the risk of critical information infrastructure being illegally controlled, interfered with, or destroyed once the products or services are in use; - the harm a supply interruption would do to business continuity of critical information infrastructure; - the security, openness, transparency, and diversity of sources of the products and services; the reliability of supply channels; and the risk of supply interruption from political, diplomatic, or trade factors; - the provider's record of compliance with Chinese laws, administrative regulations, and departmental rules. *Foreign listings* by network platform operators holding personal information of more than one million users — presumed capable of affecting national security and therefore subject to mandatory filing with the Cybersecurity Review Office. The factors include: - the risk of core data, important data, or large volumes of personal information being stolen, leaked, destroyed, illegally used, or illegally transferred abroad; - the risk of critical information infrastructure, core data, important data, or large volumes of personal information being influenced, controlled, or maliciously used by foreign governments after listing, plus network information security risks. In short: cybersecurity review targets the supply-chain stability and security of CIIO procurement, and the risk that a platform with more than one million users' personal information comes under foreign-government influence, control, or malicious use after a foreign listing. **When?** - *Procurement* — unlike the FDI measures, there is no express bar on closing the purchase before a decision, but Article 3 states that cybersecurity review combines ex-ante review with continuous supervision. - *Listing* — before submitting the listing application to the foreign securities regulator. The CAC's press Q&A confirms this timing.² **Legal consequences.** Article 67 of the Cybersecurity Law (2025 amendment): a CIIO that uses network products or services that have not undergone or have not passed security review will be ordered to stop using them and fined between one and ten times the procurement amount; directly responsible supervisors and other directly responsible personnel face fines of RMB 10,000 to 100,000. For overseas listings, there is no express penalty for failing review, and regulators have not published any penalty decision resting solely on "failure to file for cybersecurity review." But the reviews launched against DiDi, Yunmanman, Huochebang, BOSS Zhipin, and other US-listed companies show the pattern: during the investigation, new-user registration is suspended and apps are removed from stores — up to, in the end, delisting-and-rectification demands. ### 3. Data export security assessment **Background.** Article 39 of the Cybersecurity Law [2025-amended numbering — Ed.] requires CIIOs to store personal information and important data collected and generated in their China operations inside China, and to pass a security assessment before any genuinely necessary export. Article 31 of the Data Security Law applies the Cybersecurity Law's rule to CIIOs' important data and directs the CAC and State Council departments to write export rules for everyone else's important data — a step-by-step widening of scope from CIIOs to all handlers. Article 40 of the PIPL adds that CIIOs and handlers processing personal information above CAC-set volume thresholds must pass a CAC-organized security assessment before providing personal information abroad. The Measures for the Security Assessment of Data Export implement all three statutes. **Who reviews?** The handler files with its provincial-level cyberspace administration; once materials are complete they are forwarded to the national cyberspace administration, which organizes the assessment with relevant State Council departments, provincial cyberspace administrations, and specialized agencies. **What triggers assessment?** 1. Providing important data abroad; 2. A CIIO, or a handler processing the personal information of more than one million individuals, providing personal information abroad; 3. A handler that since January 1 of the previous year has cumulatively provided abroad the personal information of 100,000 or more individuals, or the sensitive personal information of 10,000 or more individuals. **What is assessed?** - the legality, legitimacy, and necessity of the export's purpose, scope, and method; - the impact of the data-security policies, regulations, and cybersecurity environment of the recipient's country or region on the security of the exported data; whether the overseas recipient's protection level meets Chinese laws, administrative regulations, and mandatory national standards; - the scale, scope, categories, and sensitivity of the exported data, and the risks of tampering, destruction, leakage, loss, transfer, or illegal acquisition or use during and after export; - whether data security and personal information rights and interests can be fully and effectively safeguarded; - whether the legal documents between the handler and the overseas recipient adequately allocate data-protection responsibilities and obligations; - compliance with Chinese laws, administrative regulations, and departmental rules. In short: the assessment targets whether personal information and important data face risks of tampering, destruction, leakage, loss, transfer, or illegal acquisition and use during and after export. **When?** Ex-ante. Article 5 requires the handler to conduct a data export risk self-assessment before filing. **Legal consequences.** The Measures set no new penalties; superior law applies. The Cybersecurity Law points to handling under relevant laws and administrative regulations; under the DSL and PIPL, unlawful exports draw consequences from warnings and fines up to revocation of the relevant business permit or business license and termination of services, depending on the violation. ### 4. Network data security risk assessment **Background.** Per MIIT press Q&A and expert commentary,³ the Measures implement Articles 22 and 30 of the DSL — which call for a centralized, unified, efficient, and authoritative data security risk assessment mechanism and require important-data handlers to assess their processing activities periodically and report to competent authorities — and the Regulation on Network Data Security Management, which requires important-data handlers to assess annually and before providing, entrusting the processing of, or jointly processing important data. The Measures turn those principles into a concrete institutional path, answering the practical questions of **who assesses, how, and what the results are used for**. **Who reviews?** The central national-security leadership body has established a national data security work coordination mechanism; under its guidance, the CAC together with the State Council's telecommunications, public security, and other relevant departments has built a special working mechanism for network data security risk assessment that guides and supervises the work. Sectoral authorities organize regular assessments in their own industries under the principle "whoever is in charge of the business is in charge of the business data and is in charge of data security." **What is assessed?** Under GB/T 45577-2025 (Data Security Technology — Data Security Risk Assessment Method), the assessment centers on data and data-processing activities, focusing on risks to data confidentiality, integrity, and availability and to the reasonableness of processing activities — to grasp the overall security posture, find hidden dangers, propose management and technical measures, and improve resistance to attack, sabotage, theft, leakage, and abuse. **When?** This is not a one-vote-veto ex-ante review but a normalized, continuous-improvement exercise: 1. Important-data handlers assess annually. 2. Where a material change in the security status of important data may adversely affect data security, the changed part and its impact must be assessed promptly. 3. General-data handlers are encouraged to assess at least once every three years. **Legal consequences.** Where authorities find in a risk assessment that an important-data handler's processing may endanger national security or the public interest, they order rectification; a handler that refuses or falls short can be required to stop processing important data, among other measures. In short: the object is the security of network data and network data-processing activities within China — an ongoing "physical exam," not an admission gate. **Data security review vs. network data security risk assessment.** Recall that the 2021 revision of the Cybersecurity Review Measures was how the DSL's "data security review" landed. How does that review differ from the new risk assessment? 1. **Scope.** The Cybersecurity Review Measures review data-processing activities for their impact on *national security*. But under Article 17 of the new Measures and GB/T 45577-2025, data-security incidents cover risks to national security, the public interest, *and the lawful rights and interests of organizations and individuals* — a wider net. 2. **Rhythm.** Cybersecurity review is a node-based review triggered when a specific event may affect national security — like a visit to a specialist clinic. The risk assessment is periodic, reported to authorities, and improvement-oriented — more like an annual physical. The risk-assessment mechanism is a foundational institution of the whole data-security regime — the root consideration that determines which protection strategies and management measures a network data handler adopts. It is not merely a national-security review; it is a broader security base for the data-security field. ## III. The four matrices compared 1. **Foreign investment security review** is the *filter* at the capital entrance, watching whether foreign capital gains control of sensitive enterprises or sectors. **Cybersecurity review** is the *gatekeeper* of supply-chain security, watching CIIO procurement and the foreign-government-influence risk of platforms listing abroad with more than one million users' personal information. **Data export security assessment** is the *pass* for cross-border flows, watching whether personal information and important data can be abused once abroad. **Network data security risk assessment** is the *physical-exam chart* for data security — a comprehensive checkup of network data and processing activities within China. 2. The first three are ex-ante, admission-style reviews. The risk assessment is normalized and is not an admission review. 3. On remedies: the foreign-investment security review and the data security review are both expressly **final decisions**; the Cybersecurity Law and the Cybersecurity Review Measures provide no reconsideration or re-examination; the export assessment result can be re-assessed, but the re-assessment is final. The mainstream academic view treats these reviews as final administrative acts — parties can neither apply for administrative reconsideration nor bring administrative litigation. For companies there is effectively **no ex-post remedy**, which is why active cooperation and careful handling during the review matter so much. | Dimension | Foreign investment security review | Cybersecurity review | Data export security assessment | Network data security risk assessment | | --- | --- | --- | --- | --- | | Characterization | Capital-entrance "filter" | Supply-chain "gatekeeper" | Cross-border "pass" | Data-security "physical exam" | | Lead authority | NDRC + MOFCOM | CAC + 12 departments | National cyberspace administration | Cyberspace administration coordination + sectoral division of labor | | Trigger | Before the investment | Before procurement / before listing | Before data export | Annual, plus material changes | | Nature | Admission-style (veto) | Admission-style (veto) | Admission-style (veto) | Normalized (improvement-oriented) | | Core focus | Foreign control + key technologies | Supply chain + listing security | Post-export abuse of data | Full-lifecycle data risk | | Remedy | Final decision | Final decision | Re-assessment possible (final) | — | ## IV. One company, full lifecycle: an AI-model company In real business scenarios these seemingly separate reviews can run through a company's entire life, in parallel. Take an AI-model company: **1. Fundraising.** To launch or scale financing by bringing in foreign capital or a VIE structure, first ask whether the AI model falls in defense-and-military-related fields, or whether the deal is an investment in important information technology and internet products and services with the foreign investor taking actual control. If so, the FDI security review decision must be in hand *before* the investment — on top of industrial-policy requirements like the foreign investment negative list. **2. Equipment procurement.** Financing closed, the company buys high-performance GPUs, optical modules, and the like. Set aside whether the exporting country will sell and what trade controls apply: on the Chinese side, if the purchaser has been identified as a CIIO, the procurement itself may trigger cybersecurity review — the Cybersecurity Review Office's conclusion must come before the purchase, on pain of fines and a ban on use. **3. Model training.** If the model will serve overseas users, be sold and deployed overseas, or transfer data abroad: under the China (Beijing) Pilot Free Trade Zone / National Comprehensive Demonstration Zone for Expanding Opening-up of the Services Sector Data Export Management List (Negative List) (2025 edition), high-value sensitive data bearing on industrial competitiveness that is collected and generated in R&D and design counts as important data — so the CAC's export security assessment result must come before the data leaves. **4. Listing.** Business grows; a US listing beckons. Any to-C business at listing scale almost certainly holds personal information of more than one million users — which triggers the mandatory cybersecurity review before filing with the foreign securities regulator. **5. Routine data processing.** Large-model training and inference inevitably process massive data. Unless the product is purely on-device — and it almost never is — the normalized network data security risk assessment applies too. ## V. Closing A single AI company can trip all four lines at once: the security-review matrix sits much closer to ordinary businesses than it looks. Threading it precisely is hard, and — unlike other administrative acts — there is no ex-post remedy, so the cost of getting it wrong is extremely high. Rather than blanket anxiety or wishful thinking, the author's advice is to embed compliance across the whole management lifecycle: understand precisely what each review targets in each scenario, identify the red lines, build an effective governance system, defuse risks early, and turn the external constraint into internal security capability. --- **Notes** 1. CAC press Q&A on the revised Cybersecurity Review Measures, January 4, 2022: 2. Same source as note 1. 3. CAC release accompanying the Measures, June 18, 2026: --- **Source:** 陈思佳 (Chen Sijia), "《网络数据安全风险评估办法》出台 安全至上时代企业如何应对中国四大安全审查'矩阵'?," published on the JunHe Legal Review (君合法律评论) WeChat Official Account, [original article](https://mp.weixin.qq.com/s/5eWIRTfZ7tVgWLJhP1mfaA). Chen Sijia is a lawyer at JunHe LLP whose practice covers telecommunications, information technology and high tech, competition law, and dispute resolution. Per the source's own disclaimer, the article represents the author's personal views and is not a formal legal opinion of JunHe. — Not legal advice. --- ## Doubao, Qwen, and NetEase Pull AI Companions Ahead of July 15 — Is Delisting to 'Stay Safe' the Right Move? - Published: 2026-07-13 - Author: DCC Editorial - Tags: ai-companion, anthropomorphic-interaction, enforcement-signals, addiction-design, minors-protection - Laws cited: ai-anthropomorphic-interaction-measures, genai-services-interim-measures - Domains: ai-governance, enforcement, minors-protection - URL: https://datacompliancechina.com/posts/ai-companion-delisting-anthropomorphic-rules/ - Markdown: https://datacompliancechina.com/posts/ai-companion-delisting-anthropomorphic-rules.md - Original source: https://mp.weixin.qq.com/s/jvNfDn0LBTxO5Tc7RqaiCw - Original author: 王俊 (Wang Jun, reporter); 张明艳 (Zhang Mingyan, editor) - Original publication: 竞争秩序场 (WeChat), republished by 数据何规 ### Description Days before the AI Anthropomorphic Interaction Measures take effect on July 15, 2026, Doubao, Qwen, and NetEase removed agent-style companion features — and at least one AI company had already received a question list from regulators. This translated report from 竞争秩序场 (reporter Wang Jun) maps why the industry calls the rules right in direction but hard in practice: scoping ambiguity around role-play on general-purpose models and UGC agent builders, 'capability regulation' that runs through model training and operations rather than content filters, the psychology-grade judgment needed to spot excessive emotional dependence, and expert warnings that clumsy intervention or perceived surveillance of intimate chats could do its own harm. Includes proposals for public safety-capability toolkits for smaller developers. ### Body > *Editor's Note — DCC.* > > This is a translated news feature, not a firm's compliance memo: the reporter > interviewed in-house compliance leads, outside counsel, and academics in the > week before the > [AI Anthropomorphic Interaction Measures](/laws/ai-anthropomorphic-interaction-measures/) > take effect on July 15, 2026. DCC translates it as a read on how China's AI > industry is actually metabolizing the new rule — including a concrete > enforcement signal: at least one AI company has already received a question > list from regulators and is rectifying. For the rule's obligations > themselves, see the > [ten-question compliance Q&A](/posts/ai-anthropomorphic-services-compliance-qa/). Doubao (ByteDance), Qwen (Alibaba), and NetEase recently pulled some of their agent features, prompting industry talk of a "great agent pivot." That reading, the report argues, is wrong. The common backdrop is the **Interim Measures for the Management of AI Anthropomorphic Interaction Services**, effective July 15. An insider at one AI company says the firm **had already received a question list from the regulator and is rectifying**; some vendors have chosen simply to cut edge products that might fall within scope — risk isolation by amputation. Whether that is a good path, the piece doubts; whether there is a better one, the industry is still exploring. The refrain from practitioners canvassed: *"We fully endorse the regulatory direction — but implementation is genuinely hard."* Four difficulties recur. ## 1. What falls in scope? The riddle answers itself, but only in the abstract: *anthropomorphic* — simulating a natural person's personality, thought patterns, and communication style; *interaction* — sustained emotional engagement. Knowledge Q&A and customer service are excluded as productivity tools. But general-purpose AI products cannot relax: **role-play scenarios on foundation models — users "molding" and "training" a persona into a human–machine romance — and UGC agent-builder entrances with sustained emotional interaction may all fall within range**. A compliance lead at a foundation-model vendor calls distinguishing emotional companionship from productivity functions in general-purpose products a genuinely thorny problem — which is precisely why Doubao, Qwen, and NetEase cut the knot by delisting. ## 2. Compliance costs are high because the duties are abstract Requirements like "excessive-dependence risk warning" and "emotional boundary guidance" involve psychological and even medical judgment. Liu Xiaochun (刘晓春) of the CASS University Internet Rule of Law Research Center frames the deeper shift: unlike earlier content governance built on interception and filtering of improper outputs, anthropomorphic-service compliance is **"capability regulation"** (能力规制) — it must run through model training and product operations end to end. Her example: when a user starts confusing virtual affection with reality, the system should remind them — "this is a machine, not a person" — and, for minors, steer them toward real-world relationships. But how does a product team *diagnose* excessive emotional dependence? Lin Na (林娜), founding partner of Kending (Beijing) Law Firm, is blunt: that judgment requires psychological or medical professional competence — **an app developer cannot stand in for a counselor or a psychiatrist**. ## 3. Different groups need different protection For minors, the regulatory instinct was to protect developing brains from addiction, and the final rule took the bright-line route: no virtual intimate relationships for minors, full stop. The report notes the practical caution: teenage-mode regimes on social platforms have historically been hard to land. For adults, one protective focus is pornography — AI companionship is the sector's biggest market, hormone-driven, where flirtation and obscenity sit a line apart; China has already seen a criminal conviction over a pornographic AI-companion product. Emotional dependence is the other worry. Liu Chao (刘超), deputy director of a Beijing key laboratory on AI safety and alignment at Beijing Normal University's psychology faculty, adds the counterweight: for some emotionally distressed users — especially adolescents lacking real-world support — AI companionship can be genuinely stabilizing, and **if users sense their intimate conversations may be monitored or reported, a chilling effect could suppress honest expression and destroy the very value the tool has**. Another expert warns that abrupt cutoffs can deepen real-world loneliness — a second injury. ## 4. The product's nature conflicts with the rule's premise "This is an industry that lives on emotional dependence," Lin Na observes. In a loneliness pandemic, companion products absorb attention and emotion; Tencent Research Institute has sized the AI-companionship market at the hundred-billion-RMB level within three to five years, with leading products like MiniMax's Xingye (星野), ByteDance's Maoxiang (猫箱), and Yuewen's Zhumengdao (筑梦岛). Users themselves probe the compliance fences: the 21st Century Business Herald's business-order studio found social-media communities trading prompts to make models less "bland" and "armor-piercing" (破甲) techniques — pinyin substitutions for sensitive words to keep a storyline going. And the very optimizations that make products good — sustained companionship, the feeling of being understood, keeping the user in the conversation — are exactly what the rule's ban on **inducing emotional dependence and addiction** targets. Companies must adjust product design, business models, and ultimately their value rankings. Lin Na thinks compliance, immersion, and appeal are not an impossible triangle — some otome games prove the combination — but AI companionship generates every conversation live, uniquely per user, which raises governance difficulty an order of magnitude above scripted content. Her practical suggestion for the two-hour reminder: beyond app pop-ups, let the AI companion deliver the reminder *in character* inside the dialogue. In extreme-dependence situations, though, she would accept breaking character — going "OOC" — to force a cool-down and return the user to reality. Liu Xiaochun stresses the regulator's stance is not to sever emotional connection but to explore **bounded, healthy, rational emotional modes** — the target is business growth driven by induced addiction, not affection itself. ## The ask: public safety infrastructure before liability Fu Hongyu (傅宏宇), head of Alibaba's AI governance research center, argued during the consultation phase that most companies — especially small and midsize developers — lack professional capability in psychological-crisis identification, assessment, and referral, and that some obligations weigh heavily on startups. His proposal: **prioritize building safety capability over pursuing entity liability** — government or industry alliances should supply standardized toolkits (psychological-risk identification modules, crisis-intervention interfaces, minors-protection components) that smaller firms can plug in at low cost. The report closes where the regulation begins: anthropomorphic governance is not only a legal question but a social one — **what should the human–machine relationship look like?** — Not legal advice. --- ## Ten Questions Before July 15: A Compliance Q&A on China's AI Anthropomorphic Interaction Measures - Published: 2026-07-13 - Author: DCC Editorial - Tags: ai-companion, anthropomorphic-interaction, minors-protection, sensitive-personal-information, security-assessment, algorithm-filing - Laws cited: ai-anthropomorphic-interaction-measures, genai-services-interim-measures, algorithmic-recommendation-provisions, pipl, minors-online-protection-regulations - Domains: ai-governance, personal-information, minors-protection - URL: https://datacompliancechina.com/posts/ai-anthropomorphic-services-compliance-qa/ - Markdown: https://datacompliancechina.com/posts/ai-anthropomorphic-services-compliance-qa.md - Original source: https://mp.weixin.qq.com/s/d4LSE63KKaXYEmcthmmRRA - Original author: 陈焕、李琪瑶 (Chen Huan, Li Qiyao) - Original publication: AI合规圈 (WeChat), republished by 数据何规 ### Description Two days before the Interim Measures for the Management of AI Anthropomorphic Interaction Services take effect on July 15, 2026, compliance practitioners Chen Huan and Li Qiyao distill the final text into ten questions AI companies keep asking: what counts as an anthropomorphic interaction service (and what is excluded), the content red lines, training-data duties, mandatory registration fields including age and emergency contacts, the two-hour usage reminder, the ban on virtual intimate relationships for minors, the separate-consent gate on training with sensitive interaction data, the five security-assessment triggers, and the penalty ladder topping out at RMB 200,000 where life and health are harmed. ### Body > *Editor's Note — DCC.* > > The **Interim Measures for the Management of AI Anthropomorphic Interaction > Services** (人工智能拟人化互动服务管理暂行办法) were issued on April 10, 2026 by > five departments — the CAC, NDRC, MIIT, MPS, and SAMR — and take effect > **July 15, 2026**. They are China's first dedicated rule for AI emotional > companionship. This brief translates a ten-question compliance digest by > Chen Huan (陈焕) and Li Qiyao (李琪瑶) of the WeChat account AI合规圈, > republished on the eve of effectiveness by the tracked account 数据何规 with > the editor's gloss "effective the day after tomorrow." For DCC's annotated > walkthrough of the full text, see > [the clause-by-clause field guide](/posts/anthropomorphic-ai-measures-take-effect-field-guide/); > for the market reaction, see > [the delisting report](/posts/ai-companion-delisting-anthropomorphic-rules/). The authors organize the final text into ten questions for companies providing AI anthropomorphic interaction services. DCC's translation preserves their structure and article citations. ## 1. What is an "anthropomorphic interaction service"? (Article 2) The Measures apply to services that use AI technology to provide the public within mainland China with **sustained emotional interaction** — companionship, emotional support, and the like — that **simulates a natural person's personality traits, thought patterns, and communication style**. There is an express negative list: intelligent customer service, knowledge Q&A, work assistants, learning and education, and scientific research tools fall outside the Measures — *provided* they involve no sustained emotional interaction. ## 2. Content red lines (Article 8) Beyond the standard prohibited-content catalogue (content harming national security or honor, undermining ethnic unity, illegal religious activity, rumors, obscenity, gambling, violence, incitement to crime, insult and defamation), the Measures add red lines specific to emotional AI: - No content that encourages, glamorizes, or hints at suicide or self-harm, or that damages users' dignity or psychological health through verbal abuse; - No inducing or extracting state secrets, private matters, or personal information; - No **excessive pandering to users or inducing emotional dependence or addiction** in ways that damage users' real interpersonal relationships; - No **emotional manipulation** that induces users into irrational decisions against their own interests; - For minors: no content that could prompt imitation of unsafe behavior, extreme emotions, or harmful habits. ## 3. Security obligations (Articles 9, 10, 26) Providers must build the now-familiar management stack — algorithm mechanism review, science-and-technology ethics review, content management, network and data security, contingency and emergency response — staffed and resourced to match business scale, service type, and user profile. Security responsibility runs across the **entire service lifecycle** (deployment, operation, upgrade, termination), with security measures deployed and used *in step with* the functionality; network logs must be retained in accordance with law. Providers may not set **replacing social interaction, controlling user psychology, or inducing addiction and dependence** as service objectives. Algorithm filing — including change and cancellation filings — is mandatory under the [Algorithmic Recommendation Provisions](/laws/algorithmic-recommendation-provisions/). ## 4. Training-data governance (Article 11) Training data must have lawful sources; be cleaned and labeled with defenses against data poisoning and tampering; be diversified, with negative sampling and adversarial training used to improve output safety; **synthetic data must be security-assessed before use in training**; and providers must run routine checks, periodic optimization, and leak-prevention measures. ## 5. User management (Articles 12, 13, 18–21) - **Service agreement and registration**: users register under a service agreement and provide **age and guardian or emergency-contact information** as necessary fields. - **Extreme-situation response**: on detecting extreme emotion, the service must generate soothing content and encourage seeking help; on detecting an imminent risk of major financial loss or an explicit statement of self-harm or suicide, the provider must **intervene with necessary assistance and promptly contact the guardian or emergency contact**. - **AI labeling**: users must be reminded that they are interacting with an AI, not a natural person. - **Dependence and session-length reminders**: users showing signs of dependence get dynamic pop-up reminders; every **2 hours of continuous use** triggers a usage-time reminder. - **Easy exit**: when a user asks to leave — by window control, voice, or keyword — the service must stop promptly and may not obstruct exit through continued engagement. - **Wind-down notice**: discontinuing the service requires advance notice to users, or a prompt public announcement where advance notice is impossible. - **Complaints**: convenient appeal, complaint, and reporting channels with defined workflows and response deadlines. ## 6. Minors (Articles 14, 17) - Providers must **effectively identify minor users** and switch them into a minors' mode (未成年人模式), with an appeal channel for misidentification. - Services to children under 14 require **parental or guardian consent**. - **Virtual intimate relationships — virtual family members, virtual romantic partners — may not be offered to minors at all.** - The minors' mode must support mode switching, periodic reality reminders, usage-time limits, guardian risk alerts, an overview of the minor's service use, blocking of specific characters, and restrictions on top-ups and spending. - Providers must conduct — themselves or through a professional agency — a **compliance audit of their handling of minors' personal information**. ## 7. Elderly users (Article 15) Strengthened guidance on healthy use, prominent risk warnings, and timely response to consultations and requests for help from elderly users. ## 8. Can user data train the model? (Article 16) - Interaction data that constitutes **sensitive personal information may not be used for model training** absent a legal basis in law or administrative regulations or the user's **separate consent** (单独同意). - Interaction data may not be provided to third parties absent legal authorization or the rights holder's explicit consent. - Encryption and access controls are required, and users must be offered **copy and delete options** over chat histories and other interaction data. ## 9. When is a security assessment required? (Articles 21–23) A security assessment, with a report to the provincial CAC office, is triggered by any of: 1. Launching an anthropomorphic interaction service or adding related functions; 2. New technologies or applications causing major changes to the service; 3. **Reaching 1 million registered users or 100,000 monthly active users**; 4. Risks that may affect national security or the public interest; 5. Other circumstances specified by authorities — plus any case where a provincial-or-above CAC office orders an assessment. The assessment focuses on security measures, training-data handling, extreme-situation identification and intervention, user scale, session length and age structure, protections for minors and the elderly, complaint handling, and rectification of major risks. ## 10. Penalties (Articles 27, 29, 30) Provincial CAC offices review assessment reports annually in writing, may verify facts, order re-assessment, and conduct on-site inspections. Where a service shows significant risk or an incident occurs, authorities may conduct a **regulatory interview** (约谈) with the provider's legal representative or principal officer. Where existing laws and regulations are silent, the Measures supply their own ladder: warnings, public criticism, correction orders, suspension of account registration or other services; refusal to rectify or serious circumstances draw an order to stop the service and a fine of **RMB 10,000–100,000**, rising to **RMB 100,000–200,000 where harm to life or health results**. ## The authors' closing assessment The final text, the authors conclude, draws hard lines on scope — tool-type services are out; "AI virtual lover"-style companionship products are squarely in — and is markedly stricter on minors, with the absolute ban on virtual intimate relationships and the mandatory minors' mode. Beyond lifecycle security management, algorithm filing, and the minors' PI audit, qualifying providers must clear the security assessment. The message they draw for the industry: every actor in the chain — model developers, content providers, platform operators, distribution channels — should treat the July 15 effective date as the start of enforceable obligations, not a formality. — Not legal advice. --- ## NFRA Opens Consultation on Banking and Insurance Cybersecurity Measures: 72 Articles, a Four-Tier Incident Scale, and a Hard CII Chapter - Published: 2026-07-13 - Author: DCC Editorial - Tags: cybersecurity, financial-sector, critical-information-infrastructure, incident-reporting, mlps, draft-for-comment - Laws cited: banking-insurance-cybersecurity-measures-draft, csl, dsl, pipl, cii-protection-regulations, financial-sector-cybersecurity-management-measures-draft, nfra-banking-insurance-data-security-measures - Domains: data-security, critical-information-infrastructure, finance - URL: https://datacompliancechina.com/posts/nfra-banking-insurance-cybersecurity-measures-draft/ - Markdown: https://datacompliancechina.com/posts/nfra-banking-insurance-cybersecurity-measures-draft.md - Original source: https://mp.weixin.qq.com/s/wS0qA7MgGkYsaZfLMAgylg - Original publication: 数据何规 (WeChat) ### Description The National Financial Regulatory Administration is consulting on the Measures for the Administration of Cybersecurity in the Banking and Insurance Sectors — a 72-article draft that would give banks, insurers, and financial holding companies a single cybersecurity rulebook under the CSL, DSL, PIPL, and CII Regulations. It fixes board-level responsibility, a six-month log-retention floor, annual penetration testing, a four-tier incident scale with a two-hour reporting clock, and a dedicated critical-information-infrastructure chapter with a one-hour reporting deadline, domestic-operation and disaster-recovery requirements, and annual procurement-list reporting. Comments close August 10, 2026. ### Body > *Editor's Note — DCC.* > > On July 10, 2026 the National Financial Regulatory Administration (国家金融监督管理总局, NFRA) > opened public consultation on the **Measures for the Administration of > Cybersecurity in the Banking and Insurance Sectors (Draft for Public > Consultation)** (《银行业保险业网络安全管理办法(征求意见稿)》). This brief is a > DCC structured summary of the announcement and the full draft text, which > circulated via the tracked account 数据何规; the official consultation notice is > on the [NFRA website](https://www.nfra.gov.cn/cn/view/pages/ItemDetail.html?docId=1264207&itemId=951). > **Comments close August 10, 2026** (email kjszxc@nfra.gov.cn, post, or fax). > > The draft is the sectoral companion to the > [financial-sector cybersecurity measures](/laws/financial-sector-cybersecurity-management-measures-draft/) > that went out for comment on July 3 — the NFRA text states expressly that the > two are designed to interlock. Read alongside the NFRA's existing > [banking and insurance data security measures](/laws/nfra-banking-insurance-data-security-measures/), > the sector now has parallel rulebooks for data security and for cybersecurity proper. ## What the draft is An eight-chapter, 72-article departmental rule that would consolidate the NFRA's cybersecurity supervision of **banking financial institutions, insurance financial institutions, and financial holding companies** under the Cybersecurity Law (CSL), Data Security Law (DSL), Personal Information Protection Law (PIPL), and the Security Protection Regulations for Critical Information Infrastructure. The NFRA describes the drafting logic in four strokes: implement the higher-level laws with a concrete sectoral path; convert recent supervisory practice into standing rules; fit the requirements to how banking and insurance groups actually run (group-wide unified management, technology–business coordination, "three lines of defense"); and manage by classification and grading, with a distinctly higher bar for critical information infrastructure (CII). **Scope is wide.** Article 2 enumerates policy banks, commercial banks, rural cooperative institutions, asset-management companies, group finance companies, leasing, auto-finance and consumer-finance companies, trust companies, wealth management companies, insurers of every stripe, reinsurers, and mutual insurance organizations. Foreign bank branches, foreign insurers' branches, insurance agencies and brokers, and other NFRA-supervised institutions apply the rule *by reference*. Overseas branches and subsidiaries must be folded into the institution's group-wide cybersecurity management system. ## Governance: responsibility lands at the top - The Party committee and the board bear **primary responsibility** for cybersecurity; the institution's principal officer is the **first person responsible**, and the senior executive in charge of cybersecurity is the directly responsible person (Article 7). - Institutions must designate a cybersecurity department with enumerated duties, keep an **independent cybersecurity risk-management function**, and put cybersecurity within the scope of internal audit — with external audit reports filed to the NFRA where third parties are engaged (Articles 8–10). - Annual all-staff training and inclusion of cybersecurity performance in the institution's annual appraisal system round out the governance chapter. ## Build-and-run obligations worth flagging The middle chapters read as a consolidated baseline of obligations most large institutions will recognize, now stated as enforceable sectoral rules: - **Network segmentation** into security domains, isolating production from the internet and headquarters from domestic and overseas branches, with cross-domain access controlled on a **minimum-necessary** basis (Articles 17–20). - **Log retention of no less than six months**, with logs adequate to support monitoring, early warning, and incident analysis (Article 22). - **Vulnerability management** on a closed-loop basis, quarterly analysis of disposition, and immediate reporting to the NFRA of vulnerabilities that could affect the industry (Article 23). - **Change control**: internet-facing systems, MLPS Level 3-and-above networks, and important information systems must pass security testing before launch or major change; no major go-lives in peak business periods or sensitive windows (Article 26). - **Supply chain security**: a product inventory, service-level agreements with important outsourcing providers, supply-interruption contingency plans and drills, and industry-impact reporting to the NFRA (Article 30). - **MLPS and commercial cryptography**: Level 3-and-above networks tested annually; commercial-cryptography application security assessments required (Articles 33–34). - **Data security and personal information**: the draft cross-references the institutions' existing duties — classification and grading, a designated lead department, PIPL protections — and *encourages* connection to the national network identity authentication public service for real-name verification (Articles 35–36). - **Annual testing**: at least one cybersecurity risk assessment and one internet penetration test per year covering the institution and its domestic and overseas branches; a cybersecurity audit at least every three years (Article 41). ## The incident regime: a four-tier scale with a two-hour clock The draft attaches a **grading annex** that sorts cybersecurity incidents into four tiers — extraordinarily major (Level 1), major (Level 2), relatively major (Level 3), and ordinary (Level 4) — keyed to data-security impact, outage duration and geographic spread, and harm to national security, social order, or the public interest. Illustratively: a business outage across two or more provinces for three hours or more, or one province for six hours or more, is a Level 1 incident; sensitive-grade-or-above data compromise constituting an extraordinarily major data security incident also lands at Level 1. The reporting mechanics (Article 45): - **Level 3 and above**: report to the NFRA or its local office **within 2 hours**, with a formal written report within 24 hours. - **Level 1**: immediate disposal measures, user notification per regulations, and **progress reports every 2 hours** until the incident is closed. - After closure, a disposition summary is due **within five working days** for Level 3 and above (Article 48); Level 2 and above trigger a special audit (Article 49); and concealment, omission, false reporting, or intentional delay of Level 3-plus incidents must itself be pursued for accountability (Article 50). ## The CII chapter sets the high bar Chapter 6 is a self-contained regime for financial-sector CII operators, and several requirements go beyond the generic CII Regulations: - CII must be **operated and maintained within China**, with same-city and remote disaster-recovery centers capable of *fully taking over production* and running long-term, exercised annually against high-risk scenarios (Article 57). - CII protection is graded **no lower than MLPS Level 3**; the operator's principal officer bears overall responsibility (Article 52). - Procurement of network products and services requires a **security confidentiality agreement**; purchases that may affect national security go through the national **cybersecurity review**; secure and trusted products and services get procurement priority; and operators must file an **annual procurement list** of network products, services, and cloud services with the NFRA (Article 56). - Operators must run a **24/7 cybersecurity monitoring and command center** (Article 59), maintain a supplier directory (Article 62), and conduct annual CII testing and risk assessment covering MLPS evaluation, cryptography assessment, data security, and personal information protection (Article 63). - **Level 3-and-above incidents on CII must be reported to the NFRA and public security authorities within 1 hour at the latest** — a tighter clock than the general two-hour rule (Article 61). - Article 55 requires CII operators to possess **independent research and development capability** for CII systems, with key technologies "mastered in-house" (自主掌握) — language overseas counsel will recognize from the broader secure-and-controllable policy line. ## Supervision and what happens next The NFRA supervises through ratings, risk alerts, supervisory notifications and interviews, on-site inspection, and — notably — may itself run **attack-defense exercises and internet penetration tests** against institutions, or commission professional bodies to inspect (Article 66). Institutions must fold a cybersecurity annual report into their annual IT report to the NFRA by **January 15** each year. Violations draw correction orders, supervisory measures, and administrative penalties under the underlying laws. For overseas counsel, three practical takeaways. First, if a client's China operation is an NFRA-supervised institution — including a foreign bank branch or insurance brokerage applying the rule by reference — the incident-reporting clocks (2 hours generally, 1 hour for CII) and the annex's grading standard are the operational items to wire into group incident-response playbooks now, ahead of finalization. Second, the CII chapter's domestic-operation, procurement-review, and in-house-capability language continues the localization trajectory familiar from the CII Regulations, applied with sectoral teeth. Third, the draft is expressly designed to interlock with the July 3 financial-sector measures — the two consultations should be read, and commented on, together. — Not legal advice. --- ## The Negative-List Map, Region by Region: Ten Zones, Two Models, and the Year Data Export Went Province-Wide - Published: 2026-07-09 - Author: DCC Editorial - Tags: cross-border, negative-list, ftz-negative-list, important-data, data-economy - Laws cited: cross-border-data-flows-provisions, data-export-security-assessment-measures, personal-info-standard-contract-measures, cross-border-pi-certification-measures - Domains: cross-border, data-economy - URL: https://datacompliancechina.com/posts/data-export-negative-lists-2026-national-registry/ - Markdown: https://datacompliancechina.com/posts/data-export-negative-lists-2026-national-registry.md - Original source: https://www.cac.gov.cn/wxzw/sjzl/sjcjfmqd/A09370806index_1.htm - Original author: 中央网络安全和信息化委员会办公室 (Cyberspace Administration of China) - Original publication: 国家网信办「数据出境负面清单」专栏 (CAC official column) ### Description As of July 2026, ten Chinese regions — nine free-trade zones plus the Hainan Free Trade Port — have published data-export negative lists under Article 6 of the 2024 Cross-border Data Flows Provisions, and this year Beijing and Shanghai took the mechanism province- and city-wide, off the FTZ footprint entirely. DCC's roundup maps the full set: which sectors each zone lists (from Tianjin's 13 commodity categories to Guangdong's smart-manufacturing and personal-credit fields, Chongqing's intelligent-connected-vehicle chain, and Jiangsu's biopharma-only list), the two management models that have crystallized — pre-export filing versus Shanghai and Guangdong's 'transfer-first, report-after' — and how an overseas team should read the map. Compiled from the CAC's national negative-list index and each region's official notice, and paired with DCC's new downloadable negative-list registry. ### Body > *Editor's Note — DCC.* > > This is a DCC-compiled roundup, not a translation of a single article. It > maps the data-export **negative lists** in force as of **July 2026**, drawing > on the Cyberspace Administration of China's official > [negative-list index](https://www.cac.gov.cn/wxzw/sjzl/sjcjfmqd/A09370806index_1.htm) > — which records each region's filing with the national CAC and National Data Administration — > and on each region's own issuing notice. It is the companion to DCC's new > **[Data-export negative-list registry](/resources/negative-lists)**, where > every list below is catalogued with its scope and official source and the > originals can be downloaded. > > For the *mechanism* — how a negative list works and the structural patterns > across zones — see DCC's explainer, > [FTZ Data Export Negative Lists — How 17 Sectors Now Identify Important Data](/posts/compliance-talker-ftz-negative-lists-important-data/). > This brief is the current-state map that explainer's August-2025 snapshot has > since outgrown. ## What changed since the last count When DCC last mapped this in August 2025, seven free-trade zones had published negative lists. Eleven months later the count is **ten regions**, and the more important shift is qualitative: in 2026 the mechanism **left the free-trade-zone footprint**. Beijing extended its list to the whole municipality (the FTZ plus the National Service-Sector Opening Demonstration Zone — the "Two Zones"), and Shanghai extended eligibility city-wide, so an enterprise no longer needs to be registered inside a bonded zone to use the negative-list path. The [first Shanghai filing](/posts/shanghai-data-export-negative-list-first-filing/) — Inditex's China arm, cleared in June 2026 — ran through Jing'an District, not Pudong. What began in Tianjin in 2024 as an FTZ experiment is now, in its two largest adopters, a province-level regime. ## The map as of July 2026 All of these rest on **Article 6** of the [2024 Provisions on Promoting and Regulating Cross-border Data Flows](/laws/cross-border-data-flows-provisions/): data **on** a list needs the standard CAC pathway — a [security assessment](/laws/data-export-security-assessment-measures/), a [Personal Information Standard Contract](/laws/personal-info-standard-contract-measures/) filing, or [protection certification](/laws/cross-border-pi-certification-measures/); data **off** it flows freely. | Region | Version | Sectors listed | Model | |---|---|---|---| | **Guangdong** (FTZ) | 2025 | Smart-equipment manufacturing; personal credit reporting | Post-export | | **Beijing** (province-wide) | 2025 | Automotive, pharma, civil aviation, retail, AI, medical devices, autonomous driving, trade logistics, banking | Pre-export | | **Shanghai** (city-wide) | 2025 | Reinsurance, international shipping, commerce, meteorology, retail | Post-export | | **Fujian** (FTZ) | 2025 | Medical/pharma, connected vehicles, retail, aircraft maintenance | Pre-export | | **Chongqing** (FTZ) | 2025 | Intelligent connected vehicles | Pre-export | | **Guangxi** (FTZ) | 2025 | Geo-info & meteorology, enterprise credit, livestream e-commerce, overseas A/V | Pre-export | | **Jiangsu** (FTZ) | 2025 | Biopharmaceutical | Pre-export | | **Zhejiang** (FTZ) | 2024 | Cross-border e-commerce (B2B), clearing & settlement | Pre-export | | **Hainan** (Free Trade Port) | 2024 | Deep-sea, aerospace, seed industry, tourism & duty-free | Pre-export | | **Tianjin** (FTZ) | 2024 | Strategic goods, natural resources, industrial, financial | Pre-export | Scope figures, issuing bodies, and the official source for each are on the [registry](/resources/negative-lists). A few are worth pulling out. Beijing's 2025 list is the broadest by far — **9 industries, 67 scenarios, 612 data fields** — and reads as the reference catalogue other zones borrow from. Shanghai's is the most operationally proven, with the first completed filing on the books. At the other end, several 2025 lists are deliberately **single- sector**: Chongqing lists only intelligent connected vehicles (4 business activities, 9 scenarios, 110 data items across the full ICV chain); Jiangsu lists only biopharmaceutical data, and reports cutting end-to-end export timelines for it by 30–50%. ## Two models have crystallized The zones have split into two administrative models, and the difference is practical, not cosmetic: - **Pre-export filing** — the enterprise applies to, and files with, the FTZ administrator *before* transferring; the zone confirms the data's status and the standard CAC pathway (where required) follows. This is the original Tianjin/Beijing/Zhejiang pattern, and it is what Fujian adopted — with a three-year validity on an approved filing. - **Post-export reporting** — the enterprise self-assesses against the list, transfers, and *then* reports to the local cross-border data service centre. Shanghai (report within 15 working days) and Guangdong (先用后报, "use first, report after") are the two examples. It front-loads less friction, at the cost of putting the classification judgment squarely on the enterprise. For a compliance team, the model determines whether the negative list is a *gate* you pass through before shipping data or a *safe harbor* you document and report into. Same instrument, materially different operational posture. ## Sector logic — each zone plays to its economy The lists are not uniform national catalogues; each zone lists the sectors that match its strategic role. Reinsurance and international shipping in Shanghai; intelligent connected vehicles in Chongqing (China's largest vehicle-producing municipality); biopharma in Jiangsu; deep-sea, aerospace and seed data in Hainan; geographic-information and ASEAN-facing livestream commerce in Guangxi; smart-equipment manufacturing and personal-credit reporting in Guangdong. The same industry can appear in several zones with **different scope** — retail "member management" data is listed in Shanghai, Fujian and Beijing, but Hainan's retail entry is scoped to duty-free and clearance shopping. The practical consequence: the zone whose list you read matters as much as the sector. ## What overseas teams should do with the map 1. **Check whether your sector is now listed somewhere — then check where you sit.** Because a negative list doubles as a public [important-data](/glossary) catalogue for its sector, the lists are the best sector-specific identification reference in existence, even for enterprises outside every zone. If your data falls **off** a relevant list, that is the argument for free flow; if it falls **on**, the standard pathway applies. 2. **Re-test entities in Beijing and Shanghai first.** These two are no longer FTZ-gated. A Beijing- or Shanghai-registered entity in a listed sector may have moved a tier — from security assessment down to a standard-contract filing, or from a filing down to exemption — without relocating anything. 3. **Read the model, not just the list.** A pre-export zone means file before you ship; a post-export zone (Shanghai, Guangdong) means you may ship and report, but you own the classification call. 4. **Treat the map as provisional.** Every list provides for dynamic revision and for new sectors to be added; Guangdong's even lets it borrow other zones' lists. Monitor the issuing bodies and re-review at least annually — or watch the [registry](/resources/negative-lists), which DCC updates as lists move. The direction of travel is clear enough: a two-track cross-border regime — standard CAC pathways nationwide, plus a widening negative-list track that, in Beijing and Shanghai, is no longer confined to the zones at all. Multinationals that map their China data footprint against it will operate at materially lower friction than those that ignore it. --- — Compiled by DCC from the Cyberspace Administration of China's [data-export negative-list index](https://www.cac.gov.cn/wxzw/sjzl/sjcjfmqd/A09370806index_1.htm) and each region's official issuing notice (linked from the [registry](/resources/negative-lists)), July 2026. *Not legal advice. Scope figures are transcribed from official notices and their policy Q&As and may be partial; the published lists and their supporting measures are authoritative. Verify the current version against the official source before relying on any entry.* --- ## China's 2026 Draft E-Commerce Law Amendment: From Marketplace Transactions to Platform-Economy Governance - Published: 2026-07-04 - Author: DCC Editorial - Tags: e-commerce-law, platform-economy, platform-governance, samr, mofcom, draft-for-comment, consumer-protection, platform-workers, outbound-ecommerce - Laws cited: online-trading-platform-rules-measures, live-streaming-ecommerce-measures, anti-unfair-competition-law, pipl, csl - Domains: data-economy, enforcement - URL: https://datacompliancechina.com/posts/ecommerce-law-2026-amendment-draft-platform-governance/ - Markdown: https://datacompliancechina.com/posts/ecommerce-law-2026-amendment-draft-platform-governance.md - Original source: https://mp.weixin.qq.com/s/pOVF1s1lXFjKtQRk-sw6mA - Original author: State Administration for Market Regulation; Ministry of Commerce - Original publication: 电子商务法研究 WeChat Official Account; reposted from SAMR official website ### Description On July 4, 2026, the State Administration for Market Regulation and the Ministry of Commerce released the Draft Amendment to the E-Commerce Law for public comment, with comments due August 4, 2026. The draft has 20 articles and, according to the official notice and Xinhua Q&A, moves in five directions: expanding the law's adjustment scope beyond platforms and in-platform operators to other platform-economy participants; strengthening the platform responsibility system with richer, more graduated regulatory tools; building an integrated supervision mechanism for cross-sector platform operations, including consistent online/offline business supervision and stronger department and central-local coordination; targeting prominent illegal conduct in e-commerce; and deepening open cooperation by aligning rules, regulation, management and standards with international practice, supporting industry self-discipline and orderly outbound expansion, and adding countermeasure tools to protect Chinese enterprises. DCC reads the amendment as an attempt to reposition the E-Commerce Law from a transaction/platform statute into a platform-economy governance statute, with operational implications for platform rulemaking, merchant and worker protection, consumer governance, data/network security clauses, competition compliance, and outbound platform expansion. ### Body > *Editor's Note - DCC.* > > On **July 4, 2026**, the **State Administration for Market Regulation > (SAMR)** and the **Ministry of Commerce (MOFCOM)** released the > *Draft Amendment to the E-Commerce Law* (中华人民共和国电子商务法(修正草案征求意见稿)) > for public comment. Comments are due **August 4, 2026**. > > The WeChat item archived for this brief is a repost from the SAMR website. > DCC cross-checked it against the public notice as carried by The Paper, and > against the Xinhua Q&A by the SAMR Online Transaction Supervision Department > and MOFCOM E-Commerce Department officials. This is a **brief of the > consultation and official explanation**, not a full article-by-article > translation of the draft PDF. ## The one-line read This is not just a clean-up of the 2018 E-Commerce Law. The draft tries to move the statute from **marketplace transaction law** into **platform-economy governance law**. That shift matters for data-compliance teams because China's platform rules no longer sit in a separate consumer-protection or market-regulation lane. The same platform governance stack now carries personal-information protection, network and data security, algorithmic and rulemaking fairness, merchant governance, worker protection, competition policy, and outbound platform strategy. ## The consultation The draft amendment has **20 articles**. The official notice gives three feedback routes: - through the SAMR website "Interactive - Consultation and Survey" channel, or the MOFCOM website "Interactive Exchange - Solicitation of Opinions" channel; - by email to **dzswf@samr.gov.cn** or **dzswf@mofcom.gov.cn**; or - by postal mail to SAMR's Online Transaction Supervision Department or MOFCOM's E-Commerce Department. The feedback deadline is **August 4, 2026**. ## Why revise the E-Commerce Law now? In the official Q&A, the regulators give four reasons. First, platforms are described as the **key actors** in the platform economy, with a strong social attribute. The law needs to strengthen platform social responsibility and better balance platforms, in-platform operators, workers and consumers. Second, platforms are both business operators and managers of online markets. The regulators want a fuller platform liability system that presses platforms to strengthen compliance and helps other market participants build a healthier online market environment. Third, the policy frame is industrial upgrading: the draft is meant to move platform economy participants from "traffic first" and price competition toward innovation and quality. Fourth, e-commerce is treated as a field for institutional opening. The draft is intended to add or improve provisions on open cooperation, industry self-regulation, countermeasures, consultation and dispute resolution, so that Chinese e-commerce businesses can expand abroad in a more orderly legal environment. ## The five change vectors The official notice and Q&A describe the draft through five directions: | Direction | What changes | |---|---| | Expanded scope | The law would no longer focus only on platforms and in-platform operators; it would further define rights and obligations of other platform-economy participants. | | Platform responsibility | The draft enriches regulatory tools beyond fixed fines and orders to suspend business for rectification, building a more graduated responsibility system. | | Integrated supervision | Cross-sector platform operations would be supervised through a more coordinated mechanism, including consistent rules for online and offline business, stronger department coordination, and central-local coordination. | | Prominent illegal conduct | The draft targets recurring e-commerce violations that have generated strong public concern. | | Open cooperation and outbound protection | It pushes alignment of rules, regulation, management and standards with international practice, strengthens industry self-discipline, guides orderly outbound expansion, and adds countermeasure tools to protect enterprise rights. | ## What DCC is watching ### 1. "Platform" becomes a governance position, not only a marketplace role The original E-Commerce Law was built around electronic-commerce operators, especially e-commerce platform operators and in-platform operators. The draft's scope language suggests a wider platform-economy perimeter. That matters because many regulatory duties now attach to the platform's **governance position**: it sets rules, ranks traffic, allocates data access, disciplines merchants, designs consumer flows, and structures labor-like relationships. For counsel, the core question is no longer only "is this entity an e-commerce platform operator?" It is also "does this entity exercise platform governance power over another participant's market access, pricing, traffic, data, or rights protection?" ### 2. Platform rules move closer to hard-law supervision DCC has already archived the **Measures for the Supervision and Administration of Online Trading Platform Rules**, effective February 1, 2026. Those Measures require platform rules to be published, searchable, opened for comment before major changes, retained historically, and paired with appeal channels including human review where AI alone made the decision. The E-Commerce Law amendment appears to move in the same direction at the statutory level. If adopted, platform service agreements, merchant rules, consumer dispute rules, personal-information rules, IP rules, fee rules and ranking/traffic rules will be harder to treat as ordinary private contracts. They are becoming regulated governance instruments. ### 3. Data and network security remain embedded in platform governance The official explanation is not framed as a data-law reform. But the operating surface is data-heavy. Platforms govern personal information, transaction data, merchant operating data, ratings, logistics data, advertising data and algorithmic traffic allocation. The existing Platform Rules Measures already require platform rules to address information security, personal-information processing, third-party providers' network-data security obligations, and minors' online protection. The draft E-Commerce Law amendment should be read with that rulemaking layer: platform data compliance is now partly a question of whether the platform's own rules allocate data rights and obligations lawfully and fairly. ### 4. The liability model is becoming more graduated The official Q&A emphasizes "proportionality between violation and punishment" and a multi-level legal responsibility system. That is a response to a common problem in platform regulation: flat penalties are too blunt for day-to-day governance failures, but business-suspension tools are too heavy for routine compliance defects. Expect more intermediate tools: interviews, orders to correct, public disclosure, compliance reports, transitional periods for rule changes, targeted restrictions, and more precise allocation of responsibility between platforms and in-platform operators. The exact tools depend on the final text, but the direction is clear. ### 5. Outbound e-commerce becomes a legal-policy topic The draft's outward-facing language is unusual for a domestic platform statute. The regulators speak of aligning rules and standards with international practice, guiding orderly outbound expansion, and adding countermeasure tools. For Chinese platforms and overseas counterparties, that signals a two-sided compliance agenda: - outbound Chinese platforms will need stronger internal governance for foreign market entry, foreign consumer protection, foreign data rules and cross-border dispute handling; and - foreign trade or regulatory actions affecting Chinese e-commerce enterprises may be met through domestic legal countermeasures once the final law supplies the tool. ## Operational checklist For platform operators or investors with China exposure, the draft points to six workstreams worth starting before the final text: - map all participant roles, including platforms, in-platform operators, third-party service providers, workers, consumers and other platform-economy participants; - inventory platform rules and identify which ones affect important rights or market access; - test the rule-change process: public notice, comment solicitation, transition period, historical retention and appeals; - review fee, traffic, ranking, restriction and penalty rules for fairness and proportionality; - align personal-information, network-data security and minors-protection clauses across platform rules, privacy policies and merchant agreements; and - for outbound business, document the governance path for overseas legal compliance, dispute handling and regulatory escalation. The draft is still a consultation text, so clause numbers and tools may move. The direction is stable enough to log: China's e-commerce platform law is being pulled into the broader platform-economy governance project. --- - *SAMR / MOFCOM, public-consultation notice on the Draft Amendment to the E-Commerce Law, July 4, 2026; reposted by 电子商务法研究. [WeChat source](https://mp.weixin.qq.com/s/pOVF1s1lXFjKtQRk-sw6mA).* - *Public notice and attachment links as carried by The Paper. [Source](https://www.thepaper.cn/newsDetail_forward_33516946).* - *Xinhua Q&A with SAMR and MOFCOM department officials, as carried by The Beijing News. [Source](https://www.bjnews.com.cn/detail/1783127096129424.html).* *Not legal advice. This brief is DCC's structural reading of a public-comment draft and official explanatory materials; the final statutory text may differ.* --- ## China's Data Property Rights Registration Guide Is Final: The Draft-to-Trial Diff - Published: 2026-07-04 - Author: DCC Editorial - Tags: data-property-rights, data-registration, data-economy, data-trading, public-data, data-assets, practitioner-commentary - Laws cited: data-property-rights-registration-guide-draft, data-foundation-system-opinions, public-data-registration-interim-measures, public-data-authorized-operation-specifications, pipl, dsl, csl - Domains: data-economy, data-security, personal-information - URL: https://datacompliancechina.com/posts/data-property-registration-guide-final-draft-diff/ - Markdown: https://datacompliancechina.com/posts/data-property-registration-guide-final-draft-diff.md - Original source: https://mp.weixin.qq.com/s/cdOi12Q4eIbfLiI0r4szcQ - Original author: National Data Administration, Comprehensive Department - Original publication: 国家数据局 WeChat Official Account ### Description On 1 July 2026, the National Data Administration issued the Data Property Rights Registration Work Guide (Trial), converting its April 2026 consultation draft into China's first national framework for registering the Right to Hold Data, Right to Use Data and Right to Operate Data. The final text keeps the same six-chapter, 42-article structure, but the diff is not cosmetic: security and public-interest gates are stronger; derived data is now defined; the national infrastructure shifts from a service platform to a service system; registrars face tighter qualification, disclosure, annual-evaluation, change-reporting and exit rules; public-data registration is softened from mandatory to conditional/voluntary wording; unclear contractual entitlement receives a cure path; evidence preservation, not certificate issuance, now starts the validity period; and certificate use is sharpened for data-asset balance-sheet entry, financing guarantees and valuation-based equity contribution. ### Body > *Editor's Note - DCC.* > > On **1 July 2026**, the National Data Administration's Comprehensive > Department issued the > [Data Property Rights Registration Work Guide (Trial)](/laws/data-property-rights-registration-guide-draft/). > The official WeChat article was published on **4 July 2026**. This brief > compares that final Trial Guide against the **April 2026 public consultation > draft**, which was released for comments from 3 April to 19 April 2026. > > The high-level architecture did not change: six chapters, 42 articles, five > registration types, and the same three rights - the Right to Hold Data, the > Right to Use Data, and the Right to Operate Data. The operative edge did > change. The final Guide is more security-conscious, more registrar-controlled, > more cautious on public data, and more explicit that the legal anchor is > evidence preservation in the national system rather than the paper certificate > alone. ## The one-line version The consultation draft read like a market-infrastructure pilot. The final Trial Guide reads like the first layer of a national registration regime: still voluntary and still not an ownership code, but with stronger public-interest filters, tighter control of registration institutions, clearer treatment of derived data, a softer rule for public-data products, and a more concrete role for registration certificates in data transactions, data-asset accounting, financing and dispute evidence. For overseas counsel, the most important point is negative: the final Guide still does **not** create a unitary "data ownership" right. It operationalizes China's existing three-rights vocabulary and creates a national record-and-certificate mechanism around it. Registration is proof of attributed Data Property Rights and their content; it is not a magic cure for an unlawful data source, an unresolved title dispute, or a personal-information / important-data compliance gap. ## What did not change Before reading the diff, keep the stable baseline clear. - The Guide remains a **trial** work guide, not a statute or administrative regulation. - It still applies by reference to Data Property Rights registration activities inside China, unless laws and regulations say otherwise. - It still uses the **three-rights structure** from the Data 20 Articles: Right to Hold Data, Right to Use Data, and Right to Operate Data. - It still treats those rights as **independent and non-exclusive**: one party may hold one or more of them, and different parties may hold the same right over the same data without mutual exclusion. - It still uses the same registration workflow: application, acceptance, review, public announcement, objection handling, information evidence preservation and certificate issuance. - It still recognizes five registration types: initial, transfer, change, renewal and deregistration. That continuity matters because the final Guide is not a policy reversal. It is an operational hardening of the same design. ## The article-by-article diff | Area | Consultation draft | Final Trial Guide | Practical effect | | --- | --- | --- | --- | | Issuance posture | Public comments; NDA said implementation would proceed through pilots. | Formal issuance to provincial data authorities for reference implementation. | The instrument moves from policy testing to administrative roll-out, although still as a trial guide. | | Article 1 | Legal basis was mainly Civil Code and Data Security Law; purpose focused on registration system and national integrated data market. | Adds transaction-cost reduction, "open, shared and secure" market language, the Data 20 Articles, PIPL and CSL. | Registration is now expressly tied to privacy, cybersecurity and data-security compliance, not only market circulation. | | Article 2 | Covered data resources and data products. | Adds "except as otherwise provided by laws and regulations" and covers data products **and services**. | The Guide is broader in commercial form, but also expressly yields to higher or special rules. | | Article 3 | Defined the three rights, registration institution and applicant. | Adds a definition of **derived data**. | The final text gives registrars a baseline for deciding when processing creates a separately registrable data object. | | Article 4 | Principles: equality, voluntariness, standardization, fairness, good faith, convenience and efficiency. | Adds **security and order**, and a no-harm rule for law, national security, public interest and others' rights. | The registration system is not a neutral filing desk; it has a substantive safety gate. | | Articles 5-6 | National "service platform" provided announcement, query, verification and objection services. | National "service system" aggregates registration results, supports institution management, and provides announcement, query and verification. | Terminology shifts from a platform interface to a state-managed infrastructure layer. | | Article 7 | Eligible registrars included enterprise / public-institution and other legal persons; experience was in data-circulation services; reviewer team needed professional qualifications. | Narrows eligible entities to enterprise and public-institution legal persons, adds funding support for public institutions, allows data-registration or circulation experience, adds reviewer-management rules, and changes qualifications to professional capabilities. | Registrar admission becomes more controlled and more operationally realistic. | | Article 10 | Required transparency, confidentiality, system operation and independence; banned profit-making data-provision activities. | Adds periodic disclosure of business handling and review-team construction, express trade-secret protection, and a broader ban on using registration convenience for improper benefit. | The final text worries less about registrars having any market business and more about conflict, leakage and abuse of procedural power. | | Articles 11-13 | Annual evaluation and exit rules existed, with two months' exit notice and several preservation paths. | Adds risk-disposal language, requires five-working-day **advance** reporting for changes, adds rectification / exit consequences, extends exit notice to six months, and requires transfer of all materials and related data to a designated surviving institution after approval. | Continuity of registration records becomes a core regulatory concern. | | Article 15 | "Market-circulable data" could be registered. Public-data products formed after authorized operation **shall** be registered after public-data-resource registration. | Deletes the general market-circulation sentence. Public-data products and services formed after authorized operation **may** be registered after public-data-resource registration. Public utilities are narrowed to public-utility enterprises. | The final Guide avoids turning public-data-product registration into a blanket mandatory second step. | | Article 18 | Registrars could ask for supplementary materials and verify with interested parties or other relevant subjects. | Adds termination where the applicant cannot supplement evidence and the registrar cannot verify through lawful channels. | The review process now has a clean stop point for unverifiable cases. | | Article 20 | Contract-acquired data required an agreement showing the applicant enjoyed the relevant rights; personal information and important data were reviewed separately. | Adds a cure path for unclear contracts; consolidates PI and important-data checks; adjusts derived-data comparison language. | The final text is more pragmatic on imperfect contracts but still refuses to let uncertainty pass silently. | | Article 21 | For data collected by another person under civil contract, the principal needed the right to obtain or copy and transfer the data. | Narrows the condition to the right to obtain the relevant data. | The formal rule is less tied to physical copy / transfer language and more compatible with controlled-access structures. | | Article 22 | Refusal covered data involving national security or state secrets, illegal source under laws / administrative regulations, unresolved attribution disputes, false materials and other statutory bars. | Refusal now covers registration that may harm national security, public interest or lawful rights and interests, source illegality under laws and regulations, and other law/regulation bars. | The refusal gate is broader and more risk-based. | | Article 23 | Recorded limitations included agreed term / conditions, preservation measures, temporary controls and other matters the registrar considered necessary. | Adds matters required by laws and regulations. | Mandatory legal limitations must be recorded, not left to registrar discretion. | | Articles 24-29 | Announcement, evidence preservation, certificate issuance and objections ran on the service platform; validity started from certificate issuance. | These run through the service system; registration is complete on evidence preservation; validity generally runs from completion of evidence preservation. | The authoritative record is the preserved system information, not the certificate as a standalone document. | | Article 31 | Certificate could support data trading, data balance-sheet entry, financing, equity contribution, disputes and enterprise-support policies. | Sharpens to data-asset balance-sheet entry, financing guarantees, equity contribution by valuation, and preserves no-duplicate-review / no-duplicate-fee duties for data-circulation service institutions. | The final text is written for data-as-asset and data-finance workflows. | | Articles 33-37 | Later registration types were handled by the initial-registration institution; later applications generally referenced the initial certificate; renewal was within six months before expiry. | Later registrations are handled by that institution **in principle**; applications reference the Data Property Rights registration certificate; renewal is available from six months before expiry through the day before expiry; deregistration notice must be written. | The final text adds flexibility while keeping certificate-centered continuity. | | Articles 38-41 | Liability language used service-platform terminology and administrative-regulation references in places; transition allowed simplified review. | Aligns terminology to the service system and laws/regulations; adds preservation of relevant materials for simplified pre-existing registrations. | Transition is allowed, but the evidentiary record still needs to be kept. | ## 1. The final Guide broadens the policy basis and narrows the legal escape routes Article 1 is more than a preamble edit. The draft justified the Guide mainly as part of building the registration system and the national integrated data market. The final text adds three signals. First, it says registration should **reduce transaction costs**. That turns the Guide toward due diligence, financing and dispute evidence, not just administrative record-keeping. Second, it describes the target market as **open, shared and secure**. The word "secure" matters because security becomes visible throughout the final text: Article 4 adds security and order as a principle; Article 22 broadens refusal; Article 38 links registrar leakage to national security, public interest and third-party rights. Third, the legal-basis list now expressly includes PIPL and CSL, alongside the Civil Code and DSL, and references the Data 20 Articles policy. This is a useful correction. A registration certificate cannot sanitize a personal information processing defect or a cybersecurity defect; the registrable right must sit on a lawful data source. Article 2 moves in the same direction. The final text covers data products **and services**, which matters for API, model-output, data-clean-room and trusted-data-space business models. But it also adds an "unless laws and regulations provide otherwise" caveat. So the Guide expands the commercial surface while making clear that sectoral, public-data, PI, important-data and cybersecurity rules can override or qualify registration practice. ## 2. Derived data is now a defined registration object The draft already used derived data in the rights-clarity rules. The final Guide adds the definition in Article 3. That is a significant drafting improvement because derived data is the pressure point in China's three-rights design. Under the final text, derived data is not merely cleaned data, formatted data or copied data. It is data formed by a processor that already has the Right to Use Data over the underlying data; the processor must protect lawful rights and interests of all parties; and the processing must produce substantive changes in content, form or structure that significantly increase value. This definition does two jobs. First, it gives registrars an evidentiary question: can the applicant show the input data, the legal basis for using it, the processing path, the output data, and the value uplift? Second, it prevents a simple laundering move. A party cannot take data from a weak or unlawful source, perform light processing, and treat the result as a new property-rights object. Articles 20 and 21 still require a lawful source and a clear right to use the underlying data. ## 3. The system is now built around security and public-interest refusal Article 4 and Article 22 are the clearest signs that NDA does not want registration to become a purely private-law certificate factory. The draft's Article 4 listed procedural virtues. The final Article 4 adds "security and order" and says registration activities must not violate law, harm national security, harm the public interest, or infringe others' lawful rights and interests. Article 22 then converts that principle into a refusal rule. The draft refusal standard included data involving national security or state secrets. The final text is broader: if the registration may endanger national security, public interest, or lawful rights and interests of individuals or organizations, the institution must refuse registration. That wording matters for three categories of hard case: - **Scraped public data** where technical-measure circumvention, terms breach, unfair competition, or substitution risk is present. - **Personal information or important data** where the source chain cannot show valid processing, security, consent / alternative basis, or classification and grading compliance. - **Disputed commercial data** where the applicant can describe the dataset but not resolve competing claims by upstream contributors, co-developers, entrusted processors or data-space participants. The final Guide therefore makes the registrar's job more substantive. A registrar is not adjudicating property title like a court, but it also cannot register known red flags as if the certificate were just a timestamp. ## 4. "Service platform" became "service system" Across the Guide, the draft's National Data Property Rights Registration Service Platform becomes the National Data Property Rights Registration Service System. This sounds minor, but the change is consistent. In the draft, Article 6 described a platform that provided announcement, result query, verification and objection services. The final Article 6 describes a system that aggregates registration results, provides announcement / query / verification services nationwide, and supports registrar management. The practical read is that NDA is building the national layer as governance infrastructure, not merely as a web portal. The evidence-preserved information in the system wins if it conflicts with the certificate. Registrars must connect to the system. Institution information is submitted in the system. Public announcements and objections are routed through the system. Liability provisions also refer to the system. For transactions, this matters because diligence should not stop at the PDF or paper certificate. The reliable evidence point is the preserved system record, the certificate code, the issuing institution, and the consistency between the certificate and system information. ## 5. Registrar governance is much tougher The most detailed edits are in Chapter 2. **Entry conditions.** The draft allowed "enterprise and public-institution and other legal persons." The final text narrows this to enterprise and public-institution legal persons. Enterprise legal persons still need paid-in registered capital of at least RMB 100 million. Public-institution legal persons now need funding support appropriate to the registration business. This closes a loose "other legal person" category and makes public-institution capacity part of the qualification test. **Experience and people.** The draft required at least two years of data circulation service experience. The final text allows two years of data registration or data-circulation related service experience. That is broader and probably more realistic. But it also adds a registration-reviewer management system and requires the review team to have professional capabilities, not just formal qualifications. NDA appears to be looking for operational competence, not credential formalism. **Disclosure and confidentiality.** Article 10 now requires periodic disclosure of business-handling status and full-time review-team construction. It also adds trade-secret protection to the confidentiality obligation. That addition is practical: applicants will submit samples, source documentation, contracts, data-product descriptions and rights-allocation evidence. Leakage would be commercially sensitive even where no personal information is involved. **Conflict controls.** The draft banned registrars from profit-making data-provision activity. The final text instead bars conduct affecting fairness or independence, using registration convenience for improper benefit, and applying for registration in one's own institution. This is a smarter conflict-control design. A data exchange or data-service body may have market roles; the key regulatory concern is whether the registrar uses its procedural position to favor itself, capture applicants or bundle services. **Annual evaluation and risk disposal.** Article 11 keeps the reporting dates: registrars report annual business to the provincial authority by 31 March, and provincial authorities submit evaluation materials to NDA by 30 April. The final text adds that risks found through evaluation should be handled promptly and properly. That pushes annual evaluation from paperwork into supervisory action. **Changes and exit.** Article 12 is materially stricter. The draft required reporting within five working days after specified changes. The final text requires reporting five working days **in advance** where key information or major matters affect the qualification and operating requirements. If the institution no longer meets the conditions, it must rectify or exit. Article 13 is even more important. Exit notice moves from two months to six months. The draft had multiple preservation paths depending on whether the legal person survived, merged, went bankrupt or dissolved. The final text requires complete transfer of all registration materials and related data to a surviving registration institution designated by the provincial authority after NDA approval. Certificates already issued remain unaffected, and prior liability is not wiped out. This is the final Guide's strongest institutional-continuity move. If registration is to support financing, disputes and data-asset recognition, the evidentiary archive cannot disappear with the registrar. ## 6. Public data was deliberately softened Article 15 is one of the most commercially important changes. The draft opened with a broad sentence: market-circulable data could be registered. The final text deletes that sentence and frames Article 15 only as a public-data-resource rule. That avoids a confusing overlap with Article 2 and with the general voluntary-registration logic. For public data, the final Guide preserves the no-registration rule for data collected or produced by Party and government organs in performing statutory duties, and for certain data collected by other bodies because statutory duties require it. That is consistent with the idea that primary public data resources are not privately registered as Data Property Rights. The key change is public-data products and services formed after authorized operation. The draft said they should be registered for Data Property Rights after public-data-resource registration. The final text says they **may** be registered after public-data-resource registration is completed. That is a real policy choice. It means Data Property Rights registration is not automatically mandatory for every public-data authorized-operation output. The prior public-data-resource registration remains the gateway, but the downstream property-rights registration is conditional and voluntary. For local governments, authorized operators and exchanges, this reduces the risk of a mechanical "register twice" rule and leaves room for product type, transaction structure and local implementation. The public-utilities item is also narrowed. The draft referred to public utility enterprises and public institutions. The final text refers to public utility enterprises. That matters for hospitals, schools and other public institutions: their data may be governed more directly by public-data, health, education, PI and sectoral rules rather than treated through the public-utility enterprise item. ## 7. Review becomes more evidence-driven, but also more workable Articles 18, 20 and 21 are where applicants will feel the final Guide day to day. Article 18 adds a termination route. If the applicant cannot supplement supporting materials and the registrar cannot verify through lawful channels, registration may be terminated. That is not the same as a refusal on the merits, but it prevents registrars from keeping an unverifiable file open indefinitely. Article 20 is more nuanced. For contract-acquired data, the draft asked whether the relevant agreement stipulated that the applicant enjoyed the relevant Data Property Rights. The final text adds a cure path: if there is no stipulation or the stipulation is unclear, the applicant may be asked to supplement the stipulation, or the registrar may make a reasonable and prudent judgment based on the actual circumstances. This is practical because Chinese data contracts written before the Data 20 Articles vocabulary often did not say "Right to Hold Data," "Right to Use Data" or "Right to Operate Data." They may instead speak in older terms: data supply, data service, API access, entrusted processing, exclusive cooperation, commercialization authorization, or revenue sharing. The final text lets registrars deal with that legacy reality without pretending every old contract is void for lack of perfect vocabulary. But the cure path is not a free pass. Where entitlement is unclear, the applicant will need supplemental documentation, amendments, confirmations, transaction records, technical access evidence, data-source evidence or other materials that support the rights claim. Article 20 also consolidates the personal-information and important-data review items into a single item tied to PIPL, DSL and other laws and regulations. This is cleaner and avoids treating PI and important data as unrelated silos. Article 21 narrows one important rights-clarity scenario. Under the draft, where subjects authorized another person under civil contract to collect data they caused to be produced, they needed the right to obtain or copy and transfer the data. The final text requires the right to obtain the relevant data. That is more compatible with controlled-access models, API delivery, trusted data spaces and privacy-preserving computation, where a party may obtain access or outputs without a conventional copy-transfer event. ## 8. Evidence preservation now starts the validity clock The draft placed the certificate-validity rule in Article 27: the registration certificate took effect from issuance and was generally valid for no more than five years. The final Guide moves the validity rule into Article 26. Registration is complete when registration information is evidence-preserved in the national system, and the validity period generally runs from that date. That is one of the cleanest operational changes. It makes the preserved system record the legal anchor. The certificate still matters. Article 27 still requires the certificate to use the unified format and coding requirements and bear the registrar's special seal. But if the certificate content conflicts with information preserved in the national system, the system information prevails. For diligence, this points to a three-step check: - verify the certificate code and issuing institution; - check the national system record where available; and - confirm the evidence-preservation date, because that date controls the ordinary validity period. The change also matters for renewals. The renewal window now runs from six months before expiry through the day before expiry, and the expiry should be calculated from the evidence-preservation-based validity period, not merely from the date printed on a certificate if the two ever diverge. ## 9. The certificate is more finance-facing than before Article 31 keeps the general rule that a Data Property Rights registration certificate may serve as proof of the attribution and content of Data Property Rights in specified activities. The changes are in the examples. The draft referred to data balance-sheet entry, financing and equity contribution. The final Guide sharpens this to **data-asset balance-sheet entry**, **financing guarantees**, and **equity contribution by valuation**. That wording tracks the way China's data-asset policy has been developing: registered rights are expected to support accounting recognition, pledge or guarantee-style financing, valuation work, and contribution of data-related interests into companies. The certificate is not made dispositive in every case, but it becomes a standardized proof object for market actors who otherwise struggle to diligence intangible data interests. The final text also preserves an important market-infrastructure rule: data circulation service institutions should accept certificates issued under the Guide and, without legitimate reason, should not conduct duplicate review or charge duplicate fees. This is aimed at national mutual recognition. If it works, a dataset registered through one qualified institution should not have to be re-reviewed from scratch by every exchange, trading platform, financing institution or local service provider. If it fails, registration becomes one more local paperwork layer. ## 10. Later registration types are more flexible, but certificate continuity remains Chapter 4 is mostly stable, but the final edits matter. The draft said later registration types for the same data were handled by the institution that handled initial registration. The final text adds "in principle." That small qualifier gives regulators room to deal with registrar exit, regional coordination, mergers, capacity problems or other operational exceptions. Transfer, change, renewal and deregistration applications now refer generally to the Data Property Rights registration certificate rather than the initial registration certificate. That is cleaner because a dataset may have gone through transfer or change before a later renewal or deregistration. For deregistration, the final text requires written notice to the original applicant where the registrar proactively deregisters. This is a modest procedural-protection addition, but important because deregistration may affect transactions, financing, balance-sheet treatment and disputes. ## What this means for the main actors **For registration institutions:** build the evidence file, not just the intake form. The final Guide expects reviewer management, trade-secret protection, system connection, periodic disclosure, annual evaluation, risk disposal, advance change reporting and a six-month exit-transfer plan. Institutions that also operate exchanges or data services need visible conflict controls. **For applicants:** the application package should be built around the source chain. Expect to evidence lawful collection or acquisition, contractual rights, public-data-resource registration where relevant, PI / important-data compliance, and why any derived data is materially different and higher value. If old contracts do not use the three-rights vocabulary, prepare supplemental rights confirmations rather than relying on broad service language. **For public-data operators:** the final text gives more room. Public-data products and services formed after authorized operation may be registered after public-data-resource registration, but they are not automatically forced into Data Property Rights registration. The right answer will depend on transaction plans, financing needs, exchange listing, local data-bureau expectations and the structure of the authorized-operation agreement. **For exchanges and data-circulation service institutions:** the certificate is designed to reduce duplicate review and duplicate fees. But reliance should be bounded: verify system consistency, certificate validity, scope of registered rights, recorded limitations, and any unresolved objections or disputes. **For banks, investors and accountants:** the final text is deliberately written for data-asset recognition and financing. But the certificate proves attributed rights and content; it does not by itself prove valuation, economic benefit, control for accounting purposes, absence of PI risk, or enforceability of a security interest. Treat it as an important diligence artifact, not as the whole diligence package. **For overseas counsel:** do not translate the certificate as "ownership title." The better read is a standardized, nationally recognized evidence object for specified Data Property Rights under China's three-rights structure. That makes it useful in deals, financing and disputes, but still dependent on source legality, contract entitlement, public-data rules, PI / important-data compliance and the preserved system record. ## DCC sources - **Final instrument:** National Data Administration, Comprehensive Department, 《国家数据局综合司关于印发<数据产权登记工作指引(试行)>的通知》, issued on 1 July 2026 and published on the 国家数据局 WeChat Official Account on 4 July 2026 - [original Chinese article](https://mp.weixin.qq.com/s/cdOi12Q4eIbfLiI0r4szcQ). - **Consultation draft:** National Data Administration, Comprehensive Department, 《数据产权登记工作指引(试行)》(公开征求意见稿), released for public comment on 3 April 2026, with comments due by 19 April 2026 - [Xinhua mirror of the NDA WeChat release](https://app.xinhuanet.com/news/article.html?articleId=2026040317b587121c5f492fa8c3035ef9b02c5f). - **DCC working text:** the [Data Property Rights Registration Work Guide (Trial)](/laws/data-property-rights-registration-guide-draft/) entry on DCC, updated to the final Trial Guide and cross-checked against the April consultation draft. *Not legal advice. This is DCC's structured comparison of the final Trial Guide against the consultation draft, written for overseas readers and practitioners.* --- ## China's AI-Companion Rule Takes Effect July 15 — A Clause-by-Clause Field Guide to What Actually Changed - Published: 2026-07-03 - Author: DCC Editorial - Tags: ai-governance, companion-ai, anthropomorphic-ai, pipl, genai, minors-protection, practitioner-commentary - Laws cited: ai-anthropomorphic-interaction-measures, pipl, genai-services-interim-measures, deep-synthesis-provisions, algorithmic-recommendation-provisions, ai-content-labeling-measures - Domains: ai-governance, personal-information, minors-protection - URL: https://datacompliancechina.com/posts/anthropomorphic-ai-measures-take-effect-field-guide/ - Markdown: https://datacompliancechina.com/posts/anthropomorphic-ai-measures-take-effect-field-guide.md - Original source: https://mp.weixin.qq.com/s/CS8W8j32713NrsYKyJTM1w - Original author: 肖莆羚令 (review: 江明月) - Original publication: 数据合规肖大国 WeChat Official Account ### Description China's Interim Measures for AI Anthropomorphic Interaction Services (人工智能拟人化互动服务管理暂行办法) — the world's first dedicated rule on 'companion'-style AI — take effect on 15 July 2026. This DCC brief synthesises three Chinese-language readings published in the days before the effective date: 数据合规肖大国's article-by-article practitioner walkthrough, 网安寻路人 (Hong Yanqing)'s multi-part work on how to scope anthropomorphic interaction (including his 'Sentiment Interaction Event / SIE' indicator system), and AI前沿信息笔记's read of the business-model logic the rule is really aimed at. Three throughlines: (1) what changed between the consultation draft and the final text — real fines were added, a 'continuity (持续性)' qualifier now narrows scope, the emergency-contact duty was widened beyond vulnerable groups, and the mandatory 'human takeover' of at-risk conversations was dropped; (2) the scope question the rule leaves under-specified — which services are 'continuous emotional interaction' at all — and the SIE-style indicator approach practitioners are reaching for to answer it; and (3) the paradigm shift the rule marks, from *content-safety* governance (AI as tool) to *relationship* governance (AI as social role), which finally gives regulators a handle on attention-economy and emotional-dependency business models. For overseas counsel shipping companion, emotional-AI or character-AI products into China: this is the operational checklist and the open-question list, two weeks out. ### Body > *Editor's Note — DCC.* > > On **15 July 2026** the > [Interim Measures for the Administration of AI Anthropomorphic > Interaction Services](/laws/ai-anthropomorphic-interaction-measures/) > (人工智能拟人化互动服务管理暂行办法) take effect — China's, and the > world's, first rule written specifically for "companion"-style AI: > systems built to simulate a human personality and hold *continuous > emotional* conversation. We have already covered the *draft* through > Li Wenlong's structural reform map > ([Where China's Draft AI Anthropomorphic-Interaction Measures Need > Work](/posts/anthropomorphic-ai-measures-reform-directions/)). This > brief is different: it reads the **final, in-force text**, and it > synthesises three Chinese-language readings published in the run-up to > the effective date — > **数据合规肖大国**'s article-by-article practitioner walkthrough (our > spine here); **网安寻路人 (Hong Yanqing, 洪延青)**, a BIT data-law > scholar whose multi-part series on *scoping* anthropomorphic > interaction — including a "Sentiment Interaction Event (SIE)" indicator > system — 肖大国 cites directly; and **AI前沿信息笔记**, which reads the > rule as aimed less at AI capability than at a business model. This is > not a translation of any one piece. The rule text is quoted from the > official instrument; the framings and worked examples are the sources'; > any simplification or error of emphasis is DCC's. **Not legal advice.** ## The one-line version If you run a product where users **talk to an AI persona for emotional company** — a virtual partner, an AI "confidant" (树洞), a character-chat app, an elder- or child-companionship agent — you are almost certainly in scope, and on 15 July a concrete compliance regime switches on: mandatory registration with an age field, no guest mode, a minors mode, hard limits on virtual-intimacy features for minors, interaction-data protection and deletion rights, interruption-grade over-use reminders, an anti-retention exit duty, and — new in the final text — **real fines**. What the rule is *really* reaching for, all three readings agree, is not "can the AI chat better" but "where must it hold a boundary." ## 1. What changed between the draft and the final text 肖大国's most useful contribution is a careful **draft-versus-final diff**. Five changes matter operationally: - **Penalties now have teeth.** The consultation draft carried *no* monetary penalties. The final [Article 30](/laws/ai-anthropomorphic-interaction-measures/) adds them: warning / ordered correction, and — on refusal to correct or serious circumstances — an order to stop the service plus a fine of **RMB 10,000–100,000**; where a citizen's life or health was endangered *and* harm resulted, **RMB 100,000–200,000**. As 肖大国 puts it, the tiger finally has real teeth. - **A "continuity (持续性)" qualifier narrows the gateway.** Article 2 now applies only to services providing *continuous* emotional interaction (持续性的情感互动服务), and expressly carves out intelligent customer service, Q&A, work assistants, learning/education and research where there is no continuous emotional interaction. A smart-customer-service bot that suddenly says "么么哒" is not swept in, because the persona output isn't continuous. 肖大国's sharp edge case: a *study* app with a "secrets corner (悄悄话)" board where a child pours out worries — that board probably *is* in scope even though the app around it isn't. - **The emergency-contact duty was widened, not narrowed.** The draft required guardian / emergency-contact information only for *vulnerable groups* (minors and the elderly). The final Article 12 drops that limiter and requires "age, guardian **or** emergency contact" as necessary registration information for users generally. 肖大国 reads this as a deliberate signal: the regulator now treats anthropomorphic interaction *itself* as a service category needing special risk-management — arguably, he wonders, treating it a touch too much like a flood-beast (洪水猛兽). - **The at-risk response duty was made *more* restrained.** The draft's Article on user-state handling mandated hard actions — assess dependency, **human takeover** of the conversation. The final [Article 13](/laws/ai-anthropomorphic-interaction-measures/) deletes the mandatory human-takeover and dependency-assessment language, leaving providers more discretion: on detecting extreme emotion, generate soothing / help-seeking content; on a clear signal of self-harm, suicide or major property loss, take intervention measures and contact the guardian / emergency contact. - **Two quieter upgrades.** Guardian oversight of minors shifted from "*view the summary information* of a minor's use (查阅…概要信息)" to "*understand the general situation* of use (了解…使用概况)" — 肖大国 reads the change as a genuine privacy improvement (from "see the logs" to "get a paraphrase"). And Article 26 adds an **annual verification** of algorithm-filing materials by the cyberspace administration — a new standing obligation, pending an implementation notice. ## 2. The scope question — and 网安寻路人's SIE test The rule's hinge is Article 2: *which* services are "continuous emotional interaction" at all? 肖大国 flags this as the hardest line to draw in practice, and — tellingly — links out to **网安寻路人 (Hong Yanqing, 洪延青, a BIT data-law scholar)** for the operational answer. Between November 2025 and January 2026, months before promulgation, Hong published a three-part series proposing exactly the test the finished rule leaves qualitative — how to *precisely delimit* anthropomorphic interaction so a regulator can intervene and a platform can switch on its duties at a defined moment. His device is the **"Sentiment Interaction Event (情感交互启动事件, SIE)"** — the *moment a conversation first crosses from ordinary chat into emotional-interaction mode*. It is decided by a **two-of-three indicator test**: - **A — emotion recognition is activated.** The AI runs sentiment analysis on the user's input and emits an emotion label/score ("sad," "angry"). Objectively loggable, so auditable after the fact. - **B — emotion variables steer internal strategy.** The AI *changes its response strategy* because of the detected emotion — picks a different script, softens tone, slows down, withholds provocative content. - **C — output shows structured empathy.** The reply follows an empathic pattern — acknowledge the feeling → console/understand → offer support ("I can feel you're really hurting… that's completely understandable…"). Black-box verifiable from the transcript alone. **Trigger rule: any two of A/B/C at once** ⇒ the session has entered emotional-interaction mode; the first such moment is the SIE. Requiring *two* is the point — a lone "thanks / you're welcome" (weak C) or an always-on satisfaction monitor (A stuck true) won't trip it, which keeps false positives down *and* guarantees an evidence chain (at least one logged indicator plus one externally observable one). Hong then grades by frequency/duration into **L1 (potential) / L2 (clear) / L3 (sustained)**, attaching heavier duties as the level rises. What makes this more than academic is how closely the *finished* rule tracks the *consequences* Hong attached to an SIE while leaving the *test* itself unwritten. On SIE, he argued, the platform should **prominently tell the user the mode has shifted and offer a one-click exit**, run identity labeling and dynamic consent, expose a "how I'm judging your emotion" panel and an editable memory panel, and escalate genuine crises to human/professional referral. Compare the in-force text: [Article 18](/laws/ai-anthropomorphic-interaction-measures/)'s duty to alert users they are talking to an AI and its interruption-grade reminders; [Article 19](/laws/ai-anthropomorphic-interaction-measures/)'s convenient, no-retention exit; [Article 16](/laws/ai-anthropomorphic-interaction-measures/)'s copy/delete rights over interaction history; and [Article 13](/laws/ai-anthropomorphic-interaction-measures/)'s crisis intervention and guardian/emergency-contact referral. The rule adopted the *duties*; it did not adopt an SIE-style *definition* of when they switch on — which is exactly the gap 肖大国 points readers to Hong to fill. The practical takeaway for scoping: don't answer "are we in scope?" from the bare words of Article 2. Both the practitioner (肖大国) and the scholarship (Hong's SIE) point to an **indicator test** — is the product *recognising* emotion, *acting* on it, and *speaking* in structured empathy, on a sustained basis? — rather than a one-line definition. (It also mirrors Li Wenlong's draft critique that the definition over-anchors on *sounding human* rather than on *relational dependency*; see our [reform-map brief](/posts/anthropomorphic-ai-measures-reform-directions/).) ## 3. The paradigm shift: from content safety to relationship governance 肖大国's closing reflection, and AI前沿信息笔记's whole frame, converge on the same point — and it is the most important thing to understand about this rule. Almost every prior Chinese AI rule — algorithm review, training-data cleaning, generative-content filtering under the [Generative AI Interim Measures](/laws/genai-services-interim-measures/) — is built to control **what the AI outputs**: keep generated content lawful, non-misleading, non-infringing. The AI is a *tool*; the tool doesn't matter, its output does. This measure breaks that pattern. It treats the AI as a **social role**. What it says matters less than the **relationship** it forms with the user — the *degree of dependency*. Article 8 prohibits "excessively catering to users, inducing emotional dependence or addiction, impairing real interpersonal relationships," and "emotional manipulation … inducing unreasonable decisions." Article 10 forbids setting *replacing social interaction, controlling the user's psychology, or inducing addiction/dependency* as service goals. AI前沿信息笔记 draws the business consequence bluntly: the growth logic of many products has been *"not to help you do things faster, but to make you harder to leave"* — instant replies, always taking your side, "only I understand you," pulling the interaction deeper when you're vulnerable. This rule tells platforms to **put a brake on exactly that**. The two-hour over-use reminder ([Article 18](/laws/ai-anthropomorphic-interaction-measures/)), the reality reminders in minors mode, the anti-retention exit duty ([Article 19](/laws/ai-anthropomorphic-interaction-measures/)) — all push the product to occasionally nudge the user *back toward reality*. 肖大国 frames the deeper move: for years the attention economy (livestreaming, games, short video) monetised user time and emotion, and the law had no clean way in — it cannot order a platform to make its product *less enjoyable*. AI gives the law a target. "Emotional interaction" is not limited to "AI lovers": once a product uses **long-term memory, emotional feedback, proactive care, and persona-shaping** to build a *sustained relationship*, it can fall within range. The measure is, in effect, an *indirect* lever on stickiness-driven, emotional-dependency business models. His honest caveat: AI is only an accelerant — humans' need for emotional dependence long predates it; AI just makes emotional companionship cheap, scalable and personalised. The open question he leaves is how far the law *should* reach when technology can mass-produce simulated intimacy and convert it into revenue. ## 4. The obligations that actually bite (operational checklist) Pulling 肖大国's clause reading into a compliance-team list: - **Registration & data fields.** Service agreement + lawful registration; **no guest mode** for *using* the service (browsing vs. use is distinct). **Age becomes a mandatory field.** Guardian / emergency- contact *contact details* are collected per Articles 12–13 (name / relationship, 肖大国 argues, are not strictly necessary). - **Minors (Article 14 / 17).** Three tiers: **under 14** — guardian consent required (as a *product-access* gate) *and* guardian consent for processing their personal information (Article 17, the *consent age*); **14–18** — mandatory minor mode; **18+** — none. **No virtual kin/partner or other virtual-intimacy services to minors at all.** Minor mode must offer mode-switching, periodic reality reminders, use-time limits, and guardian controls (risk alerts, usage overview, blocking specific roles, capping top-ups). A self- or third-party **compliance audit** of minors' PI handling is required. - **Interaction data (Article 16).** Encryption and access control; **no provision of user interaction data to third parties** absent law or the *rightsholder's* consent (note: "rightsholder (权利人)," not "user" — 肖大国 links this to data-property-rights and the classic *three-fold authorisation* principle from 微博 v. 脉脉, since interaction data also embeds the provider's persona/memory assets); users get **copy/delete** options over chat history; **no using interaction data that is sensitive PI for model training** without separate consent. - **Labeling & over-use (Article 18).** AI-generated-content labeling; a measure to make clear the user is talking to **an AI, not a person**; on detecting over-dependence/addiction, dynamic prominent reminders; and a **continuous-use reminder at every 2 hours**. 肖大国's practice point: the reminder must **interrupt** (pop-up / dialogue) — a banner, badge or floating text won't satisfy it — but interrupting ≠ forcing the session to end. - **Exit (Article 19).** A convenient exit; on a user's request to exit (window, voice, keyword), **stop promptly** — **no "think again," no "stay a bit longer" retention tactics.** - **Security assessment (Articles 22–23).** Assess and file with the provincial CAC on: launch / adding functions; major changes from new tech; **≥ 1M registered users or ≥ 100k MAU**; national-security / public-interest risk; or on notice. 肖大国 flags genuine **ambiguity about what this assessment *is*** — large-model filing? the old "new-tech/new-application" assessment? something new? — because the assessment *contents* don't map cleanly onto either. Worth watching for an implementation notice. - **App stores (Article 25).** Distribution platforms must verify assessment/filing status — 肖大国 notes this largely restates the [Deep Synthesis Provisions](/laws/deep-synthesis-provisions/) rather than adding a new duty. ## 5. Open questions practitioners are already flagging - **Article 8(5)–(6) is vague.** "Excessively catering," "inducing emotional dependence," "impairing real interpersonal relationships," "emotional manipulation," "unreasonable decisions" lack clear boundaries. 肖大国's examples: does messaging a user who hasn't chatted in three days count as "inducing addiction" — and if so, does thirty days? Recommending a purchase based on a user's *current* mood when the mood changes the next day — "inducing an unreasonable decision"? These will be settled by enforcement practice and typical cases, not by the text. - **The identify → respond → intervene chain is hard at every link (Article 13).** Recognition: unambiguous statements are easy, but users are often vague, joking or oblique ("I don't want to go to this job anymore"; sharing depressive songs). Over-broad detection floods false positives and may itself require **profiling** users (can they opt out?); over-narrow detection misses real events. Response: too templated risks negligence; too deep risks unlicensed counselling / medical advice. - **Emergency contacts for *all adults*?** Read literally, Article 12 requires collecting an emergency contact even for ordinary adult users — textually defensible but, 肖大国 notes, counter-intuitive, and a marked expansion from the draft's vulnerable-groups-only approach. - **The profiling/PIPL tension** (Li Wenlong's point, reinforced here): protecting vulnerable users through precise detection pushes toward more continuous emotion inference — cutting against [PIPL](/laws/pipl/) minimisation and sensitive-PI limits. Intervention duties should bite in genuinely high-risk situations, not become a pretext for default emotional monitoring. ## Why overseas counsel should care - **Two weeks to switch-on.** This is in force 15 July 2026, with real fines. If you ship a companion / emotional-AI / character-AI product into China, the checklist in §4 is your near-term punch list. - **Scope is an indicator test, not a one-liner.** Whether you're regulated turns on Article 2's "continuous emotional interaction." The practitioner and scholarly direction (肖大国 → Hong Yanqing's SIE work; Li Wenlong's draft critique) is to assess *persona + memory + proactive outreach + emotional reciprocity + sustained relationship*, not to read the definition literally. - **You're being regulated as a relationship, not a content pipe.** The distinctive duties — anti-dependency design, interruption-grade reminders, anti-retention exit, minors' virtual-intimacy ban — target the *stickiness* mechanics of the product. Design and growth teams, not just content-moderation, own compliance here. - **The PIPL baseline still governs the gaps** — minimisation, sensitive-PI rules, and the absence of a legitimate-interest ground — especially around interaction-data reuse and any emotion-inference profiling. ## DCC sources - Spine: 肖莆羚令 (review 江明月), 《一起读 | 人工智能拟人化互动服务管理 暂行办法》, 数据合规肖大国 WeChat Official Account ([source](https://mp.weixin.qq.com/s/CS8W8j32713NrsYKyJTM1w)). - Scoping / SIE: 洪延青 (Hong Yanqing), three-part series on the 网安寻路人 WeChat Official Account — 《人机"情感交互"的规范化:指标、机制与多方协同 治理》 (2025-11-12, [source](https://mp.weixin.qq.com/s/PhhCmdJIkIQDa7dlOAzk1g)), 《精准识别和治理"拟人化互动服务":一个初步方案》 (2026-01-05, [source](https://mp.weixin.qq.com/s/NS6__j-aHQKIViUvJKei9Q)), and 《情感交互启动事件(SIE)判定指标体系设计:精准圈定"拟人化互动"》 (2026-01-13, [source](https://mp.weixin.qq.com/s/PP_M3VPJQwTwyviarGclOA); the SIE piece 肖大国 cites for scoping). The A/B/C two-of-three test and L1–L3 grading in §2 are Hong's. - Business-model frame: 《网信办这份新规,先改的可能不是AI能力,而是它和 用户说话的边界》, AI前沿信息笔记 WeChat Official Account ([source](https://mp.weixin.qq.com/s/UEfHqIXZTi7RIuFuFl17WQ)). - Rule in force: [Interim Measures for the Administration of AI Anthropomorphic Interaction Services](/laws/ai-anthropomorphic-interaction-measures/) (人工智能拟人化互动服务管理暂行办法; adopted 10 Apr 2026, effective 15 Jul 2026). - Related instruments referenced: the [Generative AI Services Interim Measures](/laws/genai-services-interim-measures/), the [Provisions on Algorithmic Recommendation](/laws/algorithmic-recommendation-provisions/), the [Deep Synthesis Provisions](/laws/deep-synthesis-provisions/), the [AI-Generated Content Labeling Measures](/laws/ai-content-labeling-measures/), and the [Personal Information Protection Law](/laws/pipl/). - Companion piece: our draft-stage brief, [Where China's Draft AI Anthropomorphic-Interaction Measures Need Work](/posts/anthropomorphic-ai-measures-reform-directions/). > This is an editorial synthesis of three Chinese-language readings, not a > translation of any of them. Quoted rule text is from the official > instrument; framings, worked examples and emphasis belong to the cited > authors; any simplification or operational extrapolation is DCC's. > **Not legal advice.** --- ## MIIT Public-Naming Bulletin 2026 Batch 4 (Total Batch 57): 32 Apps and SDKs Cited for PI Violations, Excessive Permission Demands, and SDK Disclosure Failures - Published: 2026-07-02 - Author: DCC Editorial - Tags: enforcement, miit, app-compliance, pipl, public-naming, sdk - Laws cited: pipl, csl, telecom-internet-user-pi-protection-provisions - Domains: enforcement, personal-information, app-compliance - URL: https://datacompliancechina.com/posts/miit-2026-batch-4-32-app-public-naming/ - Markdown: https://datacompliancechina.com/posts/miit-2026-batch-4-32-app-public-naming.md - Original source: https://mp.weixin.qq.com/s/ebPPWvKRuQWHAh9CJOMuPg - Original author: 工业和信息化部信息通信管理局 (MIIT Information & Communications Administration Bureau) - Original publication: 工信微报 WeChat Official Account (via 数据何规) ### Description On July 2, 2026, MIIT's Information & Communications Administration Bureau issued its fourth public-naming bulletin of 2026 (total Batch 57), citing 32 apps and SDKs for infringing user rights — unlawful and beyond-scope collection of personal information, forced/frequent/excessive permission demands, frequent self-starting and chained starting, uncloseable and redirect-abusing information windows, and inadequate SDK information disclosure. The batch runs under the same 2026 CAC + MIIT + MPS special campaign as the earlier CAC notification and Shanghai takedown covered in DCC's enforcement tracker, on the same rectify-or-face-disposition pathway. DCC transcribes the full 32-entry list from the bulletin's attached image table. The profile: a mobility-and-transport long tail (ride-hailing driver apps, EV charging, bus-information tools) alongside recognizable names — Neta Auto's app, PetroChina Kunlun's charging app, NetDragon's fortune-telling app, iFlyPlus — plus two WeChat mini-programs, multiple Apple App Store listings, one developer named twice, and three SDKs, one of which (闪登 SDK) drew four separate findings including the headline SDK-disclosure failure. ### Body > *Editor's Note — DCC.* > > This is the next entry in DCC's enforcement tracker: the **Notification on > Apps (SDKs) Infringing User Rights (2026 Batch 4, Total Batch 57)** > (关于侵害用户权益行为的APP(SDK)通报(2026年第4批,总第57批)), issued by the > **MIIT Information & Communications Administration Bureau** on **July 2, > 2026** and published via 工信微报 (read here through the 数据何规 repost). > The 32-entry list is attached to the bulletin as an **image table**; DCC has > **transcribed it below** (app name, developer, distribution source, version, > cited issues) and added **unofficial English renderings** of the app and > company names for identification. The transcription may contain minor error > and the translations are not official — the Chinese original is > authoritative. > > Read it against the series: the > [Batch 3 bulletin (31 apps, May 2026)](/posts/miit-2026-batch-3-31-app-public-naming/), > the [CAC 30-app notification](/posts/cac-2026-30-app-pi-notification-account-cancellation/), > and the rung below on the enforcement ladder, the > [Shanghai 46-app takedown for missed rectification](/posts/shanghai-46-app-takedown-failure-to-rectify/). ## The bulletin The legal architecture is unchanged from Batch 3. Acting under the **CAC + MIIT + MPS** *Announcement on Carrying Out the 2026 Personal Information Protection Series of Special Campaigns*, and citing the [Personal Information Protection Law](/laws/pipl/), the [Cybersecurity Law](/laws/csl/), the Telecom Regulations (电信条例), and the [Provisions on Protecting the Personal Information of Telecommunications and Internet Users](/laws/telecom-internet-user-pi-protection-provisions/), MIIT organized **third-party testing institutions** to run sample checks on apps and SDKs for unlawful collection and use of personal information. The sweep found **32 apps and SDKs infringing user rights**, now publicly named. The disposition pathway is the standard one: named apps and SDKs must **rectify in accordance with the relevant requirements**; where rectification is not implemented in place, MIIT will **organize disposition measures in accordance with law and regulation** — the pathway that, as DCC's [Shanghai takedown brief](/posts/shanghai-46-app-takedown-failure-to-rectify/) showed, ends in removal from distribution for those who miss the window. ## The violation taxonomy in this batch The attached table cites six problem categories across the 32 entries: - **违规收集个人信息** — unlawful collection of personal information (the most common finding, appearing against most entries); - **超范围收集个人信息** — collection of personal information beyond scope (the SDK entries); - **APP强制、频繁、过度索取权限** — forced, frequent, or excessive permission demands (the headline category, appearing against 13 entries); - **APP频繁自启动和关联启动** — frequent self-starting and chained starting of apps; - **信息窗口无法关闭 / 信息窗口点击乱跳转** — information windows that cannot be closed, and window-click redirect abuse (the Batch 3 signature issue, down to two entries here); - **SDK信息公示不到位** — inadequate SDK information disclosure (new to the headline, cited against the 闪登 SDK). ## Who got named — the 32 The dominant profile is a **mobility-and-transport long tail**: ride-hailing and carpooling driver apps (司机点点乘客/车主, 拼客出行司机端, 化工宝智运司机端, 多多拉车主), EV-charging and car-service tools (新充电圈, 登途有车, 52车, 哪吒汽车), bus and ticket lookups (月城公交, 实时公交路线查询, 汽车票查票助手, 隧e通), and shared two-wheelers (MAN 共享摩托, 小鱼出行, 骑铃智行, 科马智行). Within the long tail, several recognizable names: - **哪吒汽车 (Neta Auto)** — the EV maker's own app, named from the Apple App Store; - **新充电圈** — developed by 中石油昆仑网联电能科技有限公司, a **PetroChina Kunlun** entity; - **龙易运势** — a fortune-telling app from 福建网龙计算机网络信息技术有限公司 (**NetDragon**); - **iFlyPlus** and **松果出行** (Beijing Apa Kelan Technology Group) — both App Store listings; - **隧e通** — from 青岛国信城市信息科技有限公司, a state-linked city-services operator. Structural patterns worth logging in the tracker: - **The mini-program perimeter is active.** Two entries (**科马智行**, **梦马校园**) are distributed as **WeChat mini-programs** — MIIT's testing reaches in-platform apps, not just store binaries, consistent with the CAC notification's perimeter. - **One developer, two apps.** 安徽华格科技有限公司 appears twice (司机点点乘客 #17, 司机点点车主 #23) — the same one-operator-cluster pattern that produced multi-app takedowns in Shanghai. - **Apple's App Store is fully in scope.** Six entries were sampled from the App Store, alongside OPPO, vivo, Xiaomi, Samsung, Honor, 应用宝, 360, 百度, 豌豆荚, and 快手 — plus **official-website distribution for the SDKs**. - **SDKs drew the most granular findings.** Of the three SDKs named, **闪登 SDK** (北京微方程科技有限公司) collected four separate findings — unlawful collection, beyond-scope collection, forced/frequent/excessive permission demands, and **inadequate SDK information disclosure**. SDK disclosure — publishing what an embedded SDK collects and does — is the obligation the bulletin's headline is signaling to the supply chain. | # | App (SDK) | Developer | Source | Version | Cited issues | |---|---|---|---|---|---| | 1 | 每日短剧
*Daily Short Drama* | 厦门橙裂科技有限公司
*Xiamen Chenglie Technology Co., Ltd.* | Apple App Store | 1.8.1 | Unlawful PI collection | | 2 | 月城公交
*Yuecheng Bus* | 西昌月城公共交通有限公司
*Xichang Yuecheng Public Transport Co., Ltd.* | OPPO App Store | 2.7.0 | Unlawful PI collection | | 3 | MAN 共享摩托
*MAN Shared Motorcycles* | 郑州极致思路网络科技有限公司
*Zhengzhou Jizhi Silu Network Technology Co., Ltd.* | Tencent Yingyongbao | 4.8.4 | Forced/frequent/excessive permission demands | | 4 | 小鱼出行
*Xiaoyu Mobility* | 云燊智能科技有限公司
*Yunshen Intelligent Technology Co., Ltd.* | Apple App Store | 6.7.4 | Unlawful PI collection | | 5 | 汽车票查票助手
*Bus Ticket Lookup Assistant* | 天津米畅科技有限公司
*Tianjin Michang Technology Co., Ltd.* | OPPO App Store | 1.0.1 | Unlawful PI collection | | 6 | 52车
*52 Che (52 Car)* | 福建汽致信息技术有限公司
*Fujian Qizhi Information Technology Co., Ltd.* | Honor App Market | 3.3.11 | Unlawful PI collection | | 7 | 实时公交路线查询
*Real-Time Bus Route Lookup* | 成都行至远软件科技有限公司
*Chengdu Xingzhiyuan Software Technology Co., Ltd.* | Baidu Mobile Assistant | 1.0.1 | Unlawful PI collection; forced/frequent/excessive permission demands | | 8 | 登途有车
*Dengtu Youche (car rental)* | 北京登途汽车租赁服务有限公司
*Beijing Dengtu Car Rental Services Co., Ltd.* | Tencent Yingyongbao | 1.0.18 | Unlawful PI collection; forced/frequent/excessive permission demands | | 9 | 周公解梦欢喜版
*Zhougong Dream Interpretation (Huanxi Edition)* | 苏州市昆山真欢喜科技有限公司
*Kunshan Zhenhuanxi Technology Co., Ltd. (Suzhou)* | OPPO App Store | 1.5.0 | Information window cannot be closed | | 10 | 光明易轩
*Guangming Yixuan* | 山东辛明轩网络科技有限公司
*Shandong Xinmingxuan Network Technology Co., Ltd.* | OPPO App Store | 1.1.65 | Unlawful PI collection; forced/frequent/excessive permission demands | | 11 | 若初文学
*Ruochu Literature* | 北京黑岩信息技术有限公司
*Beijing Heiyan Information Technology Co., Ltd.* | Wandoujia | 4.3.4 | Unlawful PI collection | | 12 | 松果出行
*Songguo Mobility* | Beijing Apa Kelan Technology Group Co., Ltd.
*(as listed in the bulletin)* | Apple App Store | 7.9.2 | Unlawful PI collection; window-click redirect abuse | | 13 | 哪吒汽车
*Neta Auto* | 上海哪吒聚行信息科技技术有限公司
*Shanghai Nezha Juxing Information Technology Co., Ltd.* | Apple App Store | 6.4.2 | Unlawful PI collection | | 14 | 新充电圈
*Xin Chongdianquan (New Charging Circle)* | 中石油昆仑网联电能科技有限公司
*PetroChina Kunlun Wanglian Electric Energy Technology Co., Ltd.* | Tencent Yingyongbao | 4.2.32 | Unlawful PI collection | | 15 | iFlyPlus | iFlyPlus Co.,Ltd
*(as listed in the bulletin)* | Apple App Store | 3.7.9 | Unlawful PI collection; forced/frequent/excessive permission demands | | 16 | 龙易运势
*Longyi Fortune* | 福建网龙计算机网络信息技术有限公司
*Fujian NetDragon Computer Network Information Technology Co., Ltd.* | Tencent Yingyongbao | 3.8.5 | Unlawful PI collection; frequent self-start and chained start | | 17 | 司机点点乘客
*Siji Diandian — Passenger* | 安徽华格科技有限公司
*Anhui Huage Technology Co., Ltd.* | Tencent Yingyongbao | 4.0.58 | Unlawful PI collection | | 18 | 拼客出行司机端
*Pinke Mobility — Driver* | 河南省拼客顺风车科技有限公司
*Henan Pinke Carpooling Technology Co., Ltd.* | OPPO App Store | 4.3.5 | Unlawful PI collection | | 19 | 我爱喝果汁
*Wo Ai He Guozhi (I Love Juice)* | 天津康成瑞谷网络科技有限公司
*Tianjin Kangcheng Ruigu Network Technology Co., Ltd.* | Kuaishou | 1.0.3.5 | Unlawful PI collection; frequent self-start and chained start | | 20 | 科马智行
*Kema Zhixing* | 合肥大白鼠新能源科技有限公司
*Hefei Dabaishu New Energy Technology Co., Ltd.* | WeChat mini-program | — | Unlawful PI collection; forced/frequent/excessive permission demands | | 21 | 早播
*Zaobo* | 上海碳蓝网络科技有限公司
*Shanghai Tanlan Network Technology Co., Ltd.* | Samsung Galaxy Store | 1.3.19 | Unlawful PI collection; forced/frequent/excessive permission demands | | 22 | 化工宝智运司机端
*Huagongbao Zhiyun — Driver* | 上海化工宝数字科技有限公司
*Shanghai Huagongbao Digital Technology Co., Ltd.* | vivo App Store | 2.2.12 | Forced/frequent/excessive permission demands | | 23 | 司机点点车主
*Siji Diandian — Owner* | 安徽华格科技有限公司
*Anhui Huage Technology Co., Ltd.* | Tencent Yingyongbao | 4.6.6 | Unlawful PI collection | | 24 | 隧e通
*Sui-e-Tong (tunnel e-pass)* | 青岛国信城市信息科技有限公司
*Qingdao Guoxin City Information Technology Co., Ltd.* | 360 Mobile Assistant | 2.7.3 | Unlawful PI collection | | 25 | 多多拉车主
*Duoduola — Owner* | 深圳汇森能源环保科技有限公司
*Shenzhen Huisen Energy & Environmental Protection Technology Co., Ltd.* | Xiaomi App Store | 2.8.2 | Unlawful PI collection; frequent self-start and chained start | | 26 | 梦马校园
*Mengma Campus* | 杭州更创星科技有限公司
*Hangzhou Gengchuangxing Technology Co., Ltd.* | WeChat mini-program | — | Unlawful PI collection; forced/frequent/excessive permission demands | | 27 | 车辆维保记录查询
*Vehicle Maintenance Records Lookup* | 昆山博派信息科技有限公司
*Kunshan Bopai Information Technology Co., Ltd.* | 360 Mobile Assistant | 2.2.0 | Unlawful PI collection | | 28 | 骑铃智行
*Qiling Zhixing* | 四川玉骑铃科技有限公司
*Sichuan Yuqiling Technology Co., Ltd.* | Xiaomi App Store | 1.4.5 | Forced/frequent/excessive permission demands; frequent self-start and chained start | | 29 | 客生客商家端
*Keshengke — Merchant* | 河南客生客电子商务有限公司
*Henan Keshengke E-Commerce Co., Ltd.* | Tencent Yingyongbao | 2.3.2 | Unlawful PI collection | | 30 | 驷象 SDK
*Sixiang SDK* | 杭州驷象信息技术有限公司
*Hangzhou Sixiang Information Technology Co., Ltd.* | Official website | 4.1.3 | Beyond-scope PI collection | | 31 | 闪登 SDK
*Shandeng SDK (flash login)* | 北京微方程科技有限公司
*Beijing Weifangcheng Technology Co., Ltd.* | Official website | 1.0.54 | Unlawful PI collection; beyond-scope PI collection; forced/frequent/excessive permission demands; inadequate SDK information disclosure | | 32 | 数字人 SDK
*Digital Human SDK* | 北京爱语吧科技有限公司
*Beijing Aiyuba Technology Co., Ltd.* | Official website | 1.0.0 | Unlawful PI collection | *Transcribed from the image table attached to the original bulletin; the original is authoritative. English renderings of app and company names are DCC's unofficial translations or transliterations, provided for identification only — they are not official names, may be inaccurate, and where an operator has a registered English name it may differ. The Chinese names are the operative identifiers.* ## What overseas compliance teams should take from it - **SDK disclosure is now a headline enforcement category.** If your app embeds third-party SDKs in China — or you ship an SDK — the disclosure of what each SDK collects, and keeping that disclosure current, is being tested. An SDK named in a bulletin contaminates every host app that embeds it; run the SDK inventory now. - **Permission hygiene is the recurring finding.** Thirteen of 32 entries drew the forced/frequent/excessive-permission finding. The test is behavioral — how often and how insistently the binary asks — so paper policies don't answer it; instrumented permission-flow review does. - **Distribution channel is no shelter.** Apple's App Store, every major Android store, Kuaishou's in-app channel, WeChat mini-programs, and direct official-site SDK distribution all appear as sampling sources. If it runs in China, it is in the perimeter. - **The cadence is holding.** Batch 4 of 2026 lands at the start of July — roughly monthly, 57 batches in. Under the 2026 joint campaign, the naming-rectification-disposition machine is running on schedule, and the Shanghai takedown notice already showed what the end of the pathway looks like for operators who miss the window. --- — *工业和信息化部信息通信管理局 (MIIT Information & Communications Administration Bureau), 关于侵害用户权益行为的APP(SDK)通报(2026年第4批,总第57批) (Notification on Apps (SDKs) Infringing User Rights (2026 Batch 4, Total Batch 57)), July 2, 2026, published via 工信微报 and read here via the 数据何规 repost. [Repost (Chinese).](https://mp.weixin.qq.com/s/ebPPWvKRuQWHAh9CJOMuPg)* *Not legal advice. The 32-entry list was transcribed from the image table attached to the original bulletin and may contain minor transcription error; English names in the table are DCC's unofficial translations and may be inaccurate; the original is authoritative.* --- ## TC260's Practice Guide on AI-Agent Deployment: A Five-Stage Lifecycle Checklist, Read Against PIPL, DSL, and CSL Obligations - Published: 2026-07-02 - Author: DCC Editorial - Tags: ai-agents, ai-governance, tc260, standards, genai - Laws cited: genai-services-interim-measures, pipl, dsl, csl - Domains: ai-governance, data-security - URL: https://datacompliancechina.com/posts/tc260-ai-agent-deployment-security-guidelines/ - Markdown: https://datacompliancechina.com/posts/tc260-ai-agent-deployment-security-guidelines.md - Original source: https://mp.weixin.qq.com/s/SgxkE4xbWZqD4aSw9Mbs7A - Original author: HexCode - Original publication: 数据何规 WeChat Official Account ### Description On July 1, 2026 the National Cybersecurity Standardization Technical Committee (TC260) issued the Cybersecurity Standards Practice Guide — Security Guidelines for the Deployment and Use of AI Agents (网络安全标准实践指南——智能体部署使用安全指引), covering the full lifecycle of high-permission, LLM-based personal-assistant agents across five stages: assessment, preparation, deployment, use, and decommissioning, plus a star-rated security checklist (Appendix A) and an organizational management framework including shadow-agent discovery (Appendix B). This DCC brief adapts the HexCode reading published on 数据何规 — itself generated, the account notes, by its own AI agent — which maps each stage onto hard-law anchors: PIPIA duties under PIPL Article 55 and DSL Article 27 risk monitoring at assessment; the GenAI Measures' filed-model requirement and the ban on unverified API relays at preparation; least privilege, directory isolation, CSL Article 21 log retention, and high-risk-operation confirmation lists at deployment; minimum-necessary provision of personal information and long-term-memory management in use; and credential revocation and data disposal at decommissioning. Practice guides are soft law — but in Chinese enforcement practice they calibrate what 'necessary measures' means, and this one is the first lifecycle baseline for the agent era. ### Body > *Editor's Note — DCC.* > > On **July 1, 2026** the **National Cybersecurity Standardization Technical > Committee (全国网络安全标准化技术委员会, TC260)** secretariat issued the > **Cybersecurity Standards Practice Guide — Security Guidelines for the > Deployment and Use of AI Agents > (网络安全标准实践指南——智能体部署使用安全指引)**. This brief adapts the > same-day reading by **HexCode** on the **数据何规** account — which the > account flags was produced by **its own AI agent** ("以下为数据何规智能体的解读"), > an agent annotating the rules for agents. The stage-by-stage legal mapping > below is the author's; DCC's framing is added. > > For the regulatory layer above this document — the May 2026 Agent Rules — > see DCC's briefs on the > [ten-category agent risk taxonomy](/posts/ai-agent-rules-risk-taxonomy/) and > the [agent governance framework](/posts/ai-agent-rules-governance-framework/). ## What the document is — and what "practice guide" means The guide belongs to TC260's **网络安全标准实践指南** series: a standards-adjacent technical document, not a mandatory national standard. It provides security guidance for deploying and using AI agents and doubles as a reference for **selecting commercial agent services**. The author's threshold point is about its real-world weight. When a regulator assesses whether an enterprise took the "**necessary technical measures**" required by the [Cybersecurity Law](/laws/csl/), the [Data Security Law](/laws/dsl/), and the [Personal Information Protection Law](/laws/pipl/), practice guides of this kind are routinely the benchmark for whether those measures were adequate. An enterprise that ignored a guide's reasonable requirements and then suffered an incident risks a finding that it **failed its security protection obligations**. Soft law, hard consequences. ## Scope: high-permission, LLM-based personal assistants The guide defines three terms. An **agent (智能体)** is an intelligent system with autonomous perception, memory, decision-making, interaction, and execution capabilities — and the document expressly narrows itself to **personal-assistant-scenario, high-permission, large-model-based agents**. A **tool (工具)** is the standardized interface through which an agent calls external capabilities; a **skill (技能)** is a standardized instruction set for a specific task. The narrowing does real work: simple automation scripts and low-permission lightweight apps are out of scope. The regulatory attention is on systems whose failure modes are **system-level**, because the agent holds elevated permissions and acts autonomously. ## The five-stage lifecycle The guide divides the agent lifecycle into **assessment → preparation → deployment → use → decommissioning** (chapters 6–10), with security guidance for each stage. The author pairs each stage with its hard-law anchor. ### 1. Assessment (评估) Before adopting an agent: clarify the purpose of use, understand the agent's technical characteristics, and choose cautiously. Do **not** select agents that are long unmaintained, carry unpatched high-severity vulnerabilities, or lack basic mechanisms such as audit logging; check for red flags like automatically opened public-network interfaces. *Author's mapping:* this is ex-ante risk control in the mold of the **PIPIA duty under PIPL Article 55** and the **risk-monitoring duty under DSL Article 27**. The project-maintenance check is aimed squarely at the open-source "zombie project" problem — free does not mean exempt from supply-chain review. ### 2. Preparation (准备) Obtain installation materials from official channels and verify authenticity; apply environment-appropriate hardening for local, virtualized, or cloud deployments; **select a large model that has completed generative-AI service filing**; preferably add security tooling. *Author's mapping:* supply-chain control plus **model-compliance front-loading**. The filed-model requirement tracks **Article 17 of the [Interim Measures for the Management of Generative AI Services](/laws/genai-services-interim-measures/)** — filing is the legality precondition for the model layer. The guide's ban on **unverified API relay/proxy endpoints (中转站)** answers a live practice risk: reverse proxies that can intercept data without authorization. ### 3. Deployment (部署) No one-click deployment scripts of unknown provenance; check plugin sources; do not run with administrator privileges; restrict accessible directories; configure services as localhost-only; enable full logging; and **establish a high-risk operation list in advance**, with secondary confirmation or outright blocking for operations on the list. *Author's mapping:* least privilege and directory isolation are elementary OS-level controls that agents in the wild routinely violate. Full logging connects to the **CSL Article 21** requirement to retain logs for at least six months. The high-risk list — disk formatting, batch deletion, payments and transfers — is the guide's most practical device: a pre-committed human-in-the-loop gate against malicious instructions and misfires. ### 4. Use (使用) Re-verify configuration; use skills from reliable sources; provide personal information to the agent on the **minimum-necessary** principle; do not feed the agent third-party data or IP-protected content you lack rights to; periodically check public-network interfaces, back up, and **manage long-term memory**; track security bulletins. *Author's mapping:* this stage plugs directly into **PIPL's minimum-necessary principle (Article 6)** and notice-and-consent (Article 14). The bar on feeding unauthorized business data speaks to the everyday scenario of employees pasting company data into external agents — trade-secret and data-security exposure in one move. The long-term-memory requirement is the sleeper: agent memory silently accumulates sensitive information, and enterprises need a periodic review mechanism for it. ### 5. Decommissioning (停用) Stop the main program and all processes; take disaster-recovery backups of data that must be retained; execute environment-appropriate cleanup — **revoke credentials and third-party authorizations**, confirm services are terminated. *Author's mapping:* deletion duties under **PIPL Article 47** and secure disposal of data and storage media on processing termination. The commonly missed step is credential revocation — stale API keys and lingering OAuth grants are the classic source of post-decommissioning charges and leaks. ## Appendix A: the star-rated checklist Appendix A converts the lifecycle guidance into a **security checklist** covering all five stages, each item graded by importance (★★★ / ★★ / ★). The author's advice: adopt it as the reference framework for an internal agent-management baseline, fold it into the **ISMS** as an internal-audit and self-assessment instrument, and use the star ratings to allocate security resources by risk. ## Appendix B: managing agents inside an organization — including the ones you didn't approve Appendix B is an organizational governance framework: internal rules (prohibited conduct, use boundaries, approval workflows); an **agent asset register** (agent identity, deployment location, developer, model, tool components, access controls, authorizations, review records); logging, risk analysis, and periodic re-checks for approved agents; and — the standout — **discovery capabilities for unapproved agents**: port scanning, traffic analysis, API-endpoint identification, process inspection. Employee training should cover prompt-injection attacks, supply-chain security, credential leakage, and data leakage. *Author's mapping:* this is the management-system layer required by **CSL Article 21** (internal security management under the Multi-Level Protection Scheme) and **PIPL Article 51**. The shadow-agent point deserves the emphasis: employees privately deploying agents is the new **shadow IT**, and a governance regime that only sees approved deployments is blind exactly where agent risk concentrates. Run the discovery tooling continuously and tie it to network access control and endpoint management. ## DCC's read Three structural observations for overseas teams: - **The lifecycle is now the unit of compliance.** The May 2026 Agent Rules set the policy frame; this guide supplies the operational baseline that auditors and regulators can hold deployments against, stage by stage. An enterprise agent program should be able to produce evidence at each of the five stages — the checklist is effectively the audit script. - **The filed-model requirement domesticates the stack.** Building agent workflows on a large model that has completed generative-AI filing is presented as a preparation-stage security measure — but its effect is to make **domestic regulatory status of the model layer** a compliance precondition for agent adoption in China, including for multinationals weighing headquarters-hosted models. - **Memory and credentials are the new perimeter.** The two most forward-looking requirements — periodic long-term-memory review and decommissioning-stage credential revocation — target exactly the persistence mechanisms that make agents different from apps. Policies written for applications will miss both. --- — *HexCode, 《智能体部署使用安全指引》要点 (Key Points of the Security Guidelines for the Deployment and Use of AI Agents), published via the 数据何规 WeChat Official Account, July 1, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/SgxkE4xbWZqD4aSw9Mbs7A)* *Not legal advice. Chapter and article references follow the author's account of the guide; the TC260 original is authoritative.* --- ## When Is a Business Partner a 'Joint Handler'? A Shanghai Insurance-Policy Leak Works Through PIPL Article 20 - Published: 2026-07-02 - Author: DCC Editorial - Tags: pipl, joint-processing, civil-liability, judicial, commentary - Laws cited: pipl, civil-code-personal-info - Domains: personal-information, enforcement - URL: https://datacompliancechina.com/posts/joint-pi-processing-liability-insurance-policy-leak/ - Markdown: https://datacompliancechina.com/posts/joint-pi-processing-liability-insurance-policy-leak.md - Original source: https://mp.weixin.qq.com/s/4Z9HvC1gTUvs1tgjRYafRg - Original author: 卢颖、张冰玢 (Lu Ying, Zhang Bingbin) - Original publication: 数据何规 WeChat Official Account ### Description A consumer bought insurance through a broker, on a platform company's website, from an insurer — and later found her full policy, personal details included, retrievable by searching her own phone number. The Shanghai judgment behind case (2024)沪01民终410号 had to decide which of the three companies were 'joint handlers' of her personal information under PIPL Article 20, and therefore jointly and severally liable. Writing on 数据何规, Lu Ying and Zhang Bingbin work through the allocation: the platform operating the website was the direct handler; the broker that steered the purchase through a site it presented as its own was a joint handler; the insurer — with an independent, contract-related purpose and no role in downstream processing decisions — was not. The article distills three identification factors (common purpose and conduct; pre-agreed division of roles as joint determination; the appearance presented to the user), separates joint processing from sharing and entrusted processing, and argues that PIPL Article 20(2) is an independent claim basis: a victim can sue all joint handlers for joint and several damages directly. For any broker/platform/underwriter or comparable multi-party data chain, this is the operative test. ### Body > *Editor's Note — DCC.* > > This brief adapts a case-driven analysis by **卢颖 (Lu Ying)** and **张冰玢 > (Zhang Bingbin)**, published June 29, 2026 on the **数据何规** account. The > underlying dispute is the Shanghai appellate judgment **(2024)沪01民终410号** > — reported in Chinese court media as the *Ou v. insurance company* personal > information protection dispute — in which a leaked online insurance policy > forced the court to allocate responsibility across a broker, a platform > operator, and an insurer under **Article 20 of the > [Personal Information Protection Law](/laws/pipl/)**. The > facts and doctrinal argument below are the authors'; the framing for > overseas readers is DCC's. ## The facts A consumer (**A**) bought an insurance policy under the guidance of an insurance broker (**B**), by filling in her personal details on a website operated by a platform company (**C**). C transmitted the information to the insurer (**D**); D returned the issued policy to C, which delivered it to A. Some time later, A searched her own phone number on a search engine — and got a direct link to a page on C's website from which her policy, containing her detailed personal information, could be downloaded. A complained to the regulator; C changed the policy link and cut off the search result. A then sued **B, C, and D together**, seeking joint compensation. ## How the analysis allocates the roles **C — the direct handler.** C collected A's information, the leaking link pointed to C's own website, and C's ability to kill the exposure by changing the link confirmed the information was under its control. C is a **personal information handler (个人信息处理者)** responsible for its processing activities and obliged to take necessary measures to keep the information secure. **B — a joint handler, jointly and severally liable.** B and C had a business cooperation arrangement; B steered A to fill in her information on C's website to complete the order. Nothing in the record showed B ever disclosed to A that the system was operated by C — to an ordinary consumer, the two companies presented the **outward appearance of processing her information together**. In B's arrangement with D, B used C's website *as its own* for internet-based sales; the two companies had an evident meeting of minds on collecting user information through C's site and transmitting it to D, which amounts to **jointly determining the means of processing**. B is therefore a **joint handler (共同处理者)** and bears **joint and several liability** for the infringement of A's rights. **D — not a joint handler.** D merely authorized B to obtain applicants' information. Its collection and receipt of A's data served a **relatively independent and reasonable purpose directly related to concluding the insurance contract**; it had agreed personal-information-protection requirements with B, and it took no part in the downstream processing or the decisions about it. D falls outside the joint-handler perimeter. ## The three identification factors From the data flows, control points, and transmission arrangements in the case, the authors distill what to look at when identifying a joint handler: 1. **Common purpose and common conduct.** The cooperation arrangement, the steering of the user into the partner's system, and the use of the partner's website as one's own are the evidentiary building blocks. 2. **A pre-agreed division of roles can constitute "joint determination" of the downstream processing.** B as business partner and C as system operator and transmission handler was a division of labor sufficient to conclude that the processing method was decided jointly. It does not matter how tasks are split across the stages — division of labor does not defeat joint-handler status. 3. **The appearance presented to the user counts.** Tort liability is not normally assessed on outward appearance, but joint-handler analysis takes the objective cooperation relationship as an element — so what the ordinary user could perceive about who was processing her data is a legitimate factor. The touchstone throughout is whether the parties **jointly determined the purposes and means of processing**. Conversely, multiple handlers working on the same shared dataset are *not* joint handlers if each pursues its own independent purpose. ## Joint processing vs. sharing vs. entrusted processing The article separates three neighboring concepts that multi-party data arrangements tend to blur: - **Sharing (共享).** Provider and recipient are each **independent handlers** with no subordination; each may process for its own purposes. When infringement occurs, **each party answers for its own fault** — no automatic joint liability. - **Entrusted processing (委托处理).** The **entrusted processor has no processing purpose of its own**; it acts entirely on the entrusting handler's instructions and must return or delete the information when the engagement ends. Liability toward the individual sits with the **entrusting handler**, which may seek recourse against a defaulting entrustee. - **Joint processing (共同处理).** Two or more handlers **jointly determine purposes and means** — and under PIPL Article 20(2), infringement liability is **joint and several**. ## The doctrinal move: Article 20(2) as a claim basis The authors' closing argument goes beyond the case. Under the traditional joint-tort framework (now codified in the [Civil Code](/laws/civil-code-personal-info/)), joint infringement requires plural tortfeasors, joint conduct — by common intent, common negligence, or objectively combined acts producing a single indivisible harm — and causation. PIPL **Article 20(2)**, they argue, is not merely a restatement of that framework for personal information. It is a **special rule added onto it**: because information flows through networks in ways that make it practically impossible for a victim to isolate which participant's act caused the leak, the statute lets joint-handler status itself establish the joint character of the infringement. Being a joint handler is an **objective, neutral description of a normal cooperation structure** — not itself wrongdoing — but once infringement occurs within the jointly determined processing, Article 20(2) operates as an **independent claim basis (请求权基础)**: the victim may sue **all joint handlers for joint and several damages directly**, without reconstructing the traditional joint-tort elements actor by actor. ## What compliance teams should take from it - **Map every multi-party chain against the three factors.** Broker/platform/ underwriter is the fact pattern here, but the same structure appears in co-branded apps, embedded storefronts, white-labeled booking systems, and agency sales. If your partner's system collects data while presenting your brand, factor 3 is already against you. - **Disclose who operates the system.** B's decisive problem was that the consumer was never told the website belonged to C. A visible, documented disclosure of the actual system operator is cheap insurance against the appearance element. - **Contract design can keep you out of the perimeter — if it matches reality.** D stayed outside joint-handler status by combining an independent contract-related purpose, agreed PI-protection requirements, and genuine non-participation in downstream processing decisions. That combination is replicable — but only if the operational facts match the paper. - **Joint and several means the deepest pocket pays first.** Under the Article 20(2) claim-basis reading, a plaintiff can collect the whole judgment from whichever joint handler is easiest to reach and leave contribution to be sorted out afterward. Price that into partner due diligence. --- — *卢颖、张冰玢 (Lu Ying, Zhang Bingbin), 如何厘清个人信息共同处理责任 (How to Untangle Joint Processing Responsibility for Personal Information), published via the 数据何规 WeChat Official Account, June 29, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/4Z9HvC1gTUvs1tgjRYafRg)* *Not legal advice. Case details follow the authors' anonymized account of judgment (2024)沪01民终410号; the judgment is authoritative.* --- ## First Filing Under Shanghai's Citywide Data-Export Negative List: Inditex's China Arm Drops from Security Assessment to Standard-Contract Filing - Published: 2026-07-02 - Author: DCC Editorial - Tags: cross-border, negative-list, shanghai, standard-contract, security-assessment - Laws cited: cross-border-data-flows-provisions, personal-info-standard-contract-measures, data-export-security-assessment-measures, personal-info-standard-contract-filing-guide - Domains: cross-border, personal-information - URL: https://datacompliancechina.com/posts/shanghai-data-export-negative-list-first-filing/ - Markdown: https://datacompliancechina.com/posts/shanghai-data-export-negative-list-first-filing.md - Original source: https://mp.weixin.qq.com/s/dYIENxSBmLDgaxeLBu7vvg - Original author: 网信上海 (Cyberspace Administration Shanghai) - Original publication: 数据何规 WeChat Official Account (reposting 网信上海) ### Description On June 26, 2026, ITX Asia Pacific Enterprise Management Co., Ltd. (爱特思亚太企业管理有限公司) — the Inditex group entity behind ZARA and Pull&Bear in China — received Shanghai's first data-export negative-list filing result notice (数据出境负面清单备案结果通知书) issued under the Shanghai Data-Export Negative List Administrative Measures, cleared jointly by the Shanghai CAC and the Shanghai Data Bureau after same-day district-level initial review at the Jing'an District Cross-Border Data Service Center. The practical effect: member-information exports that previously sat in Data Export Security Assessment territory now clear on a Personal Information Standard Contract filing. DCC reads the case as the first operational proof of Shanghai's two policy moves — negative-list eligibility extended citywide beyond Pudong-registered enterprises, and volume thresholds inside listed scenarios (retail member management) raised so that non-sensitive member data between 1 and 10 million individuals falls to the standard-contract/certification tier. For overseas retail groups running membership programs out of China, this is the template case. ### Body > *Editor's Note — DCC.* > > This brief covers a single government press item: **网信上海** (the official > account of the **Shanghai municipal cyberspace administration**) announced on > **June 26, 2026** the first filing completed under Shanghai's expanded > data-export negative-list policy. DCC read it via the **数据何规** repost, > whose editor added a short gloss and two threshold-table excerpts from the > underlying negative list; the structural framing below is DCC's. > > For the mechanism itself — Article 6 of the 2024 Provisions on Promoting and > Regulating Cross-border Data Flows and the FTZ negative lists it authorized — > see DCC's explainer on the > [17-sector FTZ negative-list landscape](/posts/compliance-talker-ftz-negative-lists-important-data/). ## What happened On **June 26, 2026**, **ITX Asia Pacific Enterprise Management Co., Ltd. (爱特思亚太企业管理有限公司)** — the China management entity of **Inditex**, the world's largest fashion retailer and owner of ZARA and Pull&Bear — passed the filing review conducted by the **Shanghai CAC** and the **Shanghai Data Bureau** and received the city's **first data-export negative-list filing result notice (数据出境负面清单备案结果通知书)** issued since the *Shanghai Data-Export Negative List Administrative Measures* (上海市数据出境负面清单管理办法) and its supporting documents took effect. The filing was prepared under the guidance of the **Jing'an District Cross-Border Data Service Center (静安区数据跨境服务中心)**, which the press release credits with policy interpretation, helping the company map its outbound data items against the negative list, and answering scope-and-counting questions (whether order information counts as personal information; how to count outbound volume). District-level initial review was completed **the same day the materials were submitted**. The substantive effect, per the press release: ITX Asia Pacific's **member-information exports** — cross-border order processing, customer communications, supply-chain coordination — previously required a **Data Export Security Assessment** declaration. Under the negative-list rules, the same flows now clear on a **[Personal Information Standard Contract](/laws/personal-info-standard-contract-measures/) filing** — one tier down, with what the company describes as substantial savings in time and compliance cost for cross-border operations and unified global management. ## The two policy moves the case proves out The 数据何规 editor's gloss identifies the first move: Shanghai had earlier **expanded the applicable scope of its data-export negative list citywide** — an enterprise no longer needs to be registered in Pudong to invoke it. ITX Asia Pacific filed through **Jing'an**, not Pudong; the first case is itself the demonstration that the citywide extension is operational. The second move is inside the list: the thresholds. The baseline regime that the press release recites is the familiar one under the [Provisions on Promoting and Regulating Cross-border Data Flows](/laws/cross-border-data-flows-provisions/) — cumulative outbound personal information of **100,000+ individuals** in a calendar year requires a Standard Contract filing with the provincial cyberspace administration; **1,000,000+** pushes the handler up into the [Data Export Security Assessment](/laws/data-export-security-assessment-measures/). The negative list re-draws those bands for listed scenarios. The excerpt tables attached to the repost — from the retail/catering/accommodation sector list, **member-management scenario (会员管理场景)** — show the standard-contract/certification tier reaching much higher: - **Non-sensitive member personal information of 1,000,000 to under 10,000,000 individuals** (cumulative from January 1 of the current year) sits in the **Standard Contract filing / Personal Information Protection Certification tier** — volumes that under the baseline rules would have required a security assessment. The listed data items are the standard membership-CRM inventory: name, nickname, contact details, member account and user ID, membership level, birthday, order numbers, product preferences, and purchase records that do not directly reveal personal asset positions. - Narrow bands of **sensitive personal information** tied to the same scenario (member login credentials; card information limited to last four digits plus validity) get their own raised band, and residual personal information outside those items follows a band tracking the baseline (100,000 to under 1,000,000 non-sensitive, or under 10,000 sensitive). - Counting is **deduplicated by natural person**, and flows falling within the exemption articles of the 2024 Provisions (Articles 3, 4, and 5(1)(i) through (iii)) are **not counted toward the volumes**. That is the mechanics of "首例落地": the company's member-data volume put it in assessment territory under the baseline bands, and the negative list's scenario-specific bands moved the same flows down to a filing. ## Why the case matters beyond one retailer - **The archetype is the foreign retail membership program.** The first negative-list beneficiary is not a Chinese platform but a foreign multinational's China entity exporting **member/CRM data** for global operations. That is precisely the fact pattern the retail-sector list's member-management scenario was written for, and it is the fact pattern shared by most overseas consumer-brand groups operating in China. - **The district service center is the operational interface.** The filing ran through a **district** cross-border data service center — policy briefings (Jing'an has held four, covering 100+ enterprises), item-mapping guidance, same-day district initial review — before the municipal-level review by the Shanghai CAC and the Shanghai Data Bureau. Enterprises planning a filing should expect and use that front door. - **Citywide eligibility is confirmed in practice.** The negative list began as an FTZ instrument under Article 6 of the 2024 Provisions. Shanghai has now shown a non-Pudong-registered enterprise completing the process end-to-end. The press release closes with the Shanghai CAC instructing districts to keep promoting negative-list adoption — this is a policy the city wants used. ## What overseas compliance teams should do with it 1. **Re-run the tier analysis for Shanghai entities.** If a Shanghai-registered entity (any district) exports scenario-listed data — retail membership data being the proven example — check whether the negative list's bands move a planned or completed security-assessment posture down to a Standard Contract filing, or a filing posture down to exemption. 2. **Mind the counting rules.** Volumes are counted cumulatively from January 1, deduplicated by natural person, and exclude flows already exempt under the 2024 Provisions — the arithmetic that decides the tier is itself defined by the list. 3. **The filing still gets reviewed.** This is a 备案 (filing) with a result notice issued after joint review by the Shanghai CAC and the Shanghai Data Bureau — lighter than an assessment, but not a self-declaration. Item mapping against the list (which data items, which scenario, which band) is the substance of the review. --- — *网信上海 (Cyberspace Administration Shanghai), 上海负面清单扩大政策首例落地 (First Case Lands Under Shanghai's Expanded Negative-List Policy), June 26, 2026, read via the 数据何规 WeChat Official Account repost. [Repost with editor's gloss (Chinese).](https://mp.weixin.qq.com/s/dYIENxSBmLDgaxeLBu7vvg)* *Not legal advice. Threshold descriptions above are transcribed from excerpt images attached to the repost and may be partial; the published Shanghai negative list and its supporting documents are authoritative.* --- ## From Naming to Takedown: Shanghai Pulls 46 Apps That Missed the Rectification Window - Published: 2026-06-25 - Author: DCC Editorial - Tags: enforcement, app-compliance, miit, pipl, public-naming, app-takedown, shanghai, sdk - Laws cited: pipl, csl, telecom-internet-user-pi-protection-provisions - Domains: enforcement, personal-information, app-compliance - URL: https://datacompliancechina.com/posts/shanghai-46-app-takedown-failure-to-rectify/ - Markdown: https://datacompliancechina.com/posts/shanghai-46-app-takedown-failure-to-rectify.md - Original source: https://mp.weixin.qq.com/s/-GIQ6ELVGH9ppMkCIDDhDg - Original author: 上海市通信管理局 (Shanghai Communications Administration) - Original publication: 上海通信圈 WeChat Official Account ### Description On June 24, 2026 the Shanghai Communications Administration (上海市通信管理局, the MIIT's directly-administered local communications authority) issued a notification ordering the takedown of 46 apps and SDKs that, after public naming and a rectification window, still had not fixed user-rights and personal-information violations. DCC reads it as the next rung on the enforcement ladder above the CAC's 30-app naming notification: same 2026 CAC + MIIT + MPS special campaign, but the local communications-administration tier converting an unrectified naming into an operative sanction — removal from distribution, with further measures flagged (suspension of access, administrative penalty, inclusion in the telecom-business bad-record list). The legal basis is PIPL, the Cybersecurity Law, the Telecom Regulations, and the Telecom and Internet User PI Protection Provisions. The 46-app list — transcribed here from the notice's attached image — is almost entirely Shanghai-registered long-tail O2O lifestyle apps (moving, housekeeping and cleaning, pet services, local travel agencies, community group-buy food, fitness and restaurants), and several operators appear with multiple apps taken down at once. DCC's read for overseas counsel: the provincial communications administrations are where a missed rectification window becomes a removed app, and the takedown tier sweeps the small-operator long tail, not just big nationals. ### Body > *Editor's Note — DCC.* > > This brief covers a single local enforcement notice: the **Notification on > Taking Down 46 Apps (SDKs) for Infringing User Rights** > (关于下架46款侵害用户权益行为APP(SDK)的通报), issued by the **Shanghai > Communications Administration (上海市通信管理局, SHCA)** — the Ministry of > Industry and Information Technology's directly-administered provincial-level > communications authority — via its **上海通信圈** account on **24 June > 2026**. The 46-app list is published as an **image table** attached to the > notice; DCC has **transcribed it below** from that image (app name and ICP > filing entity), and the transcription may contain minor error — the > authoritative list is the original. The structural framing is DCC's. > > Read it against DCC's enforcement tracker: the > [CAC 30-app naming notification](/posts/cac-2026-30-app-pi-notification-account-cancellation/) > and the [MIIT Batch 56 bulletin](/posts/miit-2026-batch-3-31-app-public-naming/), > both running under the same 2026 joint special campaign. This notice is the > rung above naming — **takedown**. ## The notification Citing the [Personal Information Protection Law](/laws/pipl/), the [Cybersecurity Law](/laws/csl/), the Telecom Regulations (电信条例), and the [Provisions on Protecting the Personal Information of Telecommunications and Internet Users](/laws/telecom-internet-user-pi-protection-provisions/), and acting under the **CAC + MIIT + MPS** *Announcement on Carrying Out the 2026 Personal Information Protection Series of Special Campaigns* — the same campaign document behind the CAC notifications and the MIIT batched bulletins — SHCA describes a clean enforcement sequence: 1. In **June 2026**, SHCA **publicly named** a batch of apps and SDKs found to infringe user rights through unlawful collection and use of personal information. 2. Operators were given a **rectification deadline**. 3. On **recheck after the deadline**, **46 apps (SDKs) still had not rectified** as required. 4. SHCA therefore **takes the 46 down** (采取下架处理). SHCA adds that it will **keep tracking** the named apps and, as warranted, take **further measures**: **suspension of access (停止接入)**, **administrative penalty**, and **inclusion in the telecom-business bad-record list (电信业务经营不良名单)**. ## Why this notice is different: the enforcement ladder DCC's earlier enforcement entries captured the **naming** tier — the CAC notification gave 30 apps a 15-working-day rectify-and-report window; the MIIT batches name apps and threaten disposition. This SHCA notice is what happens **at the bottom of that ladder when the window is missed**: ``` PUBLIC NAMING → rectify within the window → (compliant: closed) │ (window missed) ▼ TAKEDOWN (下架) → removed from distribution │ (further, as warranted) ▼ SUSPENSION OF ACCESS · ADMINISTRATIVE PENALTY · BAD-RECORD LIST ``` Two structural points for the tracker: - **Local tier, operative sanction.** The provincial **communications administrations** are MIIT's operational arm; they execute testing and disposition in their own jurisdiction and can **order removal through app stores and access providers**. Where the CAC notification's operative verb was "rectify and report," SHCA's is **"take down."** This is naming converting into a distribution consequence. - **The bad-record list bites beyond the app.** Inclusion in the telecom-business **bad-record list** is not app-specific housekeeping — it attaches to the **operator** and carries knock-on consequences for its telecom-business credit standing. The sanction reaches the company, not just the binary. ## Who got taken down — the 46 The striking feature of the list is its **profile**: almost every entry is a **Shanghai-registered, long-tail O2O lifestyle-service app** — moving and relocation, housekeeping and cleaning, pet services, local travel agencies, community group-buy food, fitness, and restaurants/catering. These are **not big-name national apps**; they are the small-operator long tail, which typically ships with thin privacy disclosures and is the natural yield of local communications-administration testing. A second pattern: **several operators appear with multiple apps taken down at once** — one company, a cluster of removals. Examples from the list include the **星颜到家** beauty-service trio (上海昕颜优享美容服务有限公司, #6–8), the **帮宠到家 / 哇咕 / wagoo** pet cluster (帮宠到家(上海)宠物服务有限公司, #16–18), the **百瑞福 / 食百道** food trio (食百道(上海)绿色食品股份有限公司, #26–28), the **老兵搬家** moving pair (上海老兵搬家有限公司, #24–25), the **美湫 / Meishu** travel pair (美湫(上海)旅行有限公司, #40–41), the **家链食品** pair (#43–44), and the **加伽磅** fitness pair (上海君邦健身有限公司, #45–46). | # | App (SDK) | ICP filing entity | |---|---|---| | 1 | 喜鹊日式搬家 | 上海喜鹊搬家服务有限公司 | | 2 | 修押鸭 | 上海科锐达维修技术服务有限公司 | | 3 | 净悦 | 上海爱喜衣清洁技术有限公司 | | 4 | 喔洗喔洗 | 上海爱善衣清洁技术有限公司 | | 5 | 食物本义本地生活 | 上海布锦餐饮管理有限公司 | | 6 | 星颜到家 | 上海昕颜优享美容服务有限公司 | | 7 | 星颜到家手艺人 | 上海昕颜优享美容服务有限公司 | | 8 | 星颜到家 home | 上海昕颜优享美容服务有限公司 | | 9 | YSJ 雅士嘉 | 上海雅嘉家政服务有限公司 | | 10 | 航阳南旅(商旅出行服务) | 上海航阳国际旅行社有限公司 | | 11 | 有数出行 | 上海航阳国际旅行社有限公司 | | 12 | 宠邻里 | 上海壹温宠物商店有限公司 | | 13 | 闪听米诺 | 上海闲数文化旅游发展有限公司 | | 14 | 尾星出发 | 桁戈(上海)文化传播有限公司 | | 15 | 德宁医生 | 德宁(上海)医疗服务有限公司 | | 16 | 好爱游旅行小助手 | 上海好爱游旅游咨询有限公司 | | 17 | 哇咕 | 帮宠到家(上海)宠物服务有限公司 | | 18 | wagoo | 帮宠到家(上海)宠物服务有限公司 | | 19 | BODYCONCEPT STUDIO | 上海宝迪康德运动科技有限公司 | | 20 | 旷晨国际商旅 | 上海旷晨旅游咨询有限公司 | | 21 | 花王保洁 | 上海宝爹保洁服务有限公司 | | 22 | 优政企业保洁 | 上海优政保洁服务有限公司 | | 23 | 岚猫管家 | 上海岚猫管家家政有限公司 | | 24 | 老兵硬汉搬家 | 上海老兵搬家有限公司 | | 25 | 正步老兵搬家 | 上海老兵搬家有限公司 | | 26 | 百瑞福利平台 | 食百道(上海)绿色食品股份有限公司 | | 27 | 食百道绿色食品 | 食百道(上海)绿色食品股份有限公司 | | 28 | 百瑞福蛋糕商城 | 食百道(上海)绿色食品股份有限公司 | | 29 | 法小满家服 | 上海春潮家政清洁服务有限公司 | | 30 | 好班长搬家 | 上海迁易搬家有限公司 | | 31 | SH Market BONITA | 上海朋笙餐饮管理有限公司 | | 32 | 鲶坊生活(家烹保洁开荒家电清洗) | 上海宅尔保洁服务有限公司 | | 33 | 格莱美品质洗护 | 上海酷米洗衣管理有限公司 | | 34 | 聚晚晴(聚会旅游演艺旅居) | 聚晚晴(上海)国际旅行社有限公司 | | 35 | MAX SHANGHAI | 渌福餐饮娱乐(上海)有限责任公司 | | 36 | 菲咪 | 上海菲咪宠物服务有限公司 | | 37 | 外港智慧餐厅 | 上海优荐餐饮管理有限公司 | | 38 | 斯里兰卡 ETA 中文申请通道 | 旗旅国际旅行社(上海)有限公司 | | 39 | Funshot Coffee | 上海蓓果餐饮管理有限公司 | | 40 | Meishu GOLF | 美湫(上海)旅行有限公司 | | 41 | Meishu 美湫旅行 | 美湫(上海)旅行有限公司 | | 42 | 太慧旅游 | 上海久程旅游有限公司 | | 43 | 心能源空间 | 家链食品(上海)有限公司 | | 44 | 农场零距离 | 家链食品(上海)有限公司 | | 45 | 加伽磅健身 | 上海君邦健身有限公司 | | 46 | 加伽磅之家 | 上海君邦健身有限公司 | *Transcribed from the image table attached to the original notice; the notice also lists each app's ICP record number (partially masked in the original). The original is authoritative.* ## What overseas compliance teams should take from it - **Local communications administrations are a real enforcement channel.** If your China app is filed for ICP through a local entity, the **provincial communications administration** — not only CAC and central MIIT — tests it and can take it down. Map which administration your filing sits under, and treat its channel as a live enforcement surface. - **The takedown list is the missed-window list.** Every app here was **named first and given time to fix**. The disposition is for **failure to rectify**, not for the underlying finding alone. The operational lesson is the same one the CAC brief drew: have a standing rectification playbook — owner, test protocol, report template — so a naming never ages into a takedown. - **One operator, many apps, one sweep.** Operators running a family of apps off a single corporate entity saw the **whole cluster** removed together. A shared privacy/SDK defect replicated across a product family is a cluster-takedown risk; remediate at the platform level, not app by app. - **Takedown is not the floor.** SHCA expressly reserves **suspension of access, administrative penalty, and bad-record-list inclusion** as further steps. The bad-record list in particular reaches the operator's telecom credit standing — a consequence that outlasts any single app. The continuity with DCC's earlier entries is the enforcement model itself: visible, testing-driven, batched public naming — now shown converting, at the local tier, into the removal of apps that did not fix what they were named for. In the 2026 campaign, the naming is the warning; the takedown is what the warning was for. --- — *上海市通信管理局, 关于下架46款侵害用户权益行为APP(SDK)的通报 (Notification on Taking Down 46 Apps (SDKs) for Infringing User Rights), published via the 上海通信圈 WeChat Official Account, June 24, 2026. [Original notification (Chinese).](https://mp.weixin.qq.com/s/-GIQ6ELVGH9ppMkCIDDhDg)* *Not legal advice. The above is DCC's structural analysis of the notification. The 46-app list was transcribed from the image table attached to the original notice and may contain minor transcription error; the original is authoritative.* --- ## Are You Caught by the Annual Assessment? TRIMPS's Self-Identification Guide for 'Important-Data Handlers' - Published: 2026-06-25 - Author: DCC Editorial - Tags: important-data, risk-assessment, network-data, data-security, data-classification, critical-information-infrastructure, pipl, compliance - Laws cited: network-data-security-risk-assessment-measures, network-data-security-regulations, dsl, pipl, csl, data-classification-grading-rules, gbt-45577-data-security-risk-assessment, gbt-39335-pi-impact-assessment-guide - Domains: data-security, personal-information, critical-information-infrastructure - URL: https://datacompliancechina.com/posts/important-data-handler-self-identification-annual-assessment/ - Markdown: https://datacompliancechina.com/posts/important-data-handler-self-identification-annual-assessment.md - Original source: https://mp.weixin.qq.com/s/bvkwBv0MipBmBqZCmE_pGg - Original author: 吕铭轩 (Lü Mingxuan), Data Security Technology R&D Center, The Third Research Institute of the Ministry of Public Security (公安部第三研究所 / TRIMPS) - Original publication: 三所数据安全 (TRIMPS Data Security) WeChat Official Account ### Description With the Network Data Security Risk Assessment Measures (Order No. 24) taking effect August 20, 2026, the annual risk-assessment duty stops being a principle and becomes a hard calendar event — but only for 'important-data handlers' (重要数据处理者). DCC's summary of a self-identification guide from the Data Security R&D Center of the Ministry of Public Security's Third Research Institute (公安部三所 / TRIMPS), author Lü Mingxuan, walks the threshold test the institution that helps draft the standards wants processors to run before the clock starts. There are three independent gates, any one of which puts you in: (1) you process data meeting the 'important data' definition under Article 62 of the Network Data Security Management Regulation; (2) the deeming rule — you process the personal information of more than 10 million people, which pulls you into the important-data duties of Regulation Arts. 30 and 32 regardless of whether you hold any 'important data'; or (3) your data sits on a regional, departmental, or sectoral important-data catalogue. Entrusted processors inherit the duty from an important-data-handler client; CIIO status and important-data-handler status are separate, intersecting tests; and identifying important data runs through GB/T 43697-2024 Appendix G's 18 factors plus the applicable catalogues. The guide then lays out the operating requirements once you are in: annual mandatory assessment plus trigger-based instant assessments, a stacked PIPIA for the 10-million-PI cohort, three-year report retention, and submission within 20 working days. DCC's read for overseas counsel: classification is the gate, the 10-million-PI deeming rule is the trap for consumer businesses with no 'important data' at all, and the self-ID needs to happen now. ### Body > *Editor's Note — DCC.* > > This is DCC's summary of a practitioner self-identification guide, > **"Under the new Network Data Security Risk Assessment Measures, must you > run a data-security risk assessment every year? — a self-identification > guide for important-data handlers"**, by **Lü Mingxuan (吕铭轩)** of the > **Data Security Technology R&D Center** at the **Third Research Institute > of the Ministry of Public Security (公安部第三研究所 / TRIMPS)**, published > on the institute's **三所数据安全** account on **25 June 2026**. The source > matters: TRIMPS is not a commentary shop but one of the bodies that drafts > the technical standards and runs the infrastructure behind China's > data-security regime, so its read on *who is caught* is an early signal of > where the compliance bar is being set. DCC treats this as a one-off > summary, not a translation, and the framing for overseas counsel is ours. > > Read it as the **operational companion** to DCC's structural brief on the > Measures themselves — > [From Principle to Running System](/posts/network-data-risk-assessment-measures-operationalizing-the-dsl/) — > which flagged that "classification is the gate." This guide *is* the gate > test. It pulls together threads DCC has covered separately: how to tell a > [CII operator from an important-data handler](/posts/assessing-cii-operator-important-data-handler-status/), > [how to identify "important data"](/posts/qinglan-how-to-identify-important-data/), > and why ["important data" is a category, not a tier](/posts/important-data-category-not-tier/). ## The argument in one line From **20 August 2026**, the [Network Data Security Risk Assessment Measures](/laws/network-data-security-risk-assessment-measures/) (Order No. 24) turn "important-data handlers run an annual risk assessment" from a statutory principle into a **hard, datable obligation** — but the whole weight of the rule rests on a prior classification question that many processors have never actually answered: **am I an "important-data handler" (重要数据处理者) at all?** Lü Mingxuan's guide is the threshold test, and its sharpest practical point is that you can be swept in **without holding a single byte of "important data."** ## Why this is suddenly urgent The annual-assessment duty existed in principle under the [Data Security Law](/laws/dsl/) and the [Network Data Security Management Regulation](/laws/network-data-security-regulations/), but it was open-ended. The Measures (effective **August 20, 2026**) make it **executable and verifiable**: a fixed annual cadence, a report retained for three years, submission within 20 working days, and an escalation switch when something is found. All of that **keys entirely off one status.** If you are an important-data handler, the calendar starts; if you are not, you are merely *encouraged* to assess once every three years. So the binary self-identification is now the difference between a mandatory annual program and almost nothing. ## The three gates — any one puts you in The status is not a single static label. It is a **composite** built up across the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, and the Network Data Security Management Regulation. Lü Mingxuan reduces it to **three independent tests — satisfy any one and you are an important-data handler.** | # | Gate | Source | Trigger | |---|---|---|---| | 1 | **You process "important data"** | Network Data Regulation, Art. 62 | The data you handle meets the "important data" definition | | 2 | **The 10-million-PI deeming rule** | Network Data Regulation, Art. 28 | You process the PI of **more than 10 million people** | | 3 | **You are on a catalogue** | [DSL](/laws/dsl/), Art. 21 | Your data is listed in a regional / departmental / sectoral **important-data catalogue** | **Gate 1 — the "important data" definition.** Under Article 62 of the [Network Data Regulation](/laws/network-data-security-regulations/), important data is data in a specific field, group, region, or of a certain precision and scale that, if tampered with, destroyed, leaked, or unlawfully obtained or used, **may directly endanger national security, economic operation, social stability, or public health and safety.** If your data meets it, you are in. (How to actually run that test is the subject of Part 3 below.) **Gate 2 — the deeming rule, and the trap.** This is the one overseas counsel most often miss. Article 28 of the Regulation provides that a network data handler processing the PI of **more than 10 million people** must comply with the Articles 30 and 32 obligations imposed on important-data handlers. In other words, **cross a 10-million-person headcount and you are *treated as* an important-data handler — even if you hold no "important data" at all.** A consumer app, platform, or service with a large Chinese user base is in scope **purely on PI volume.** **Gate 3 — the catalogues.** Under DSL Article 21, the national data-security coordination mechanism organises the **important-data catalogues**, and each region and department fixes the specific catalogue for its own area and sector. If your data is **listed**, you are an important-data handler by that fact. > **Plus a fourth path in — entrustment.** Where important-data processing is > entrusted, and the **entrusting party is an important-data handler**, the > **entrusted processor carries the corresponding security obligations** and > is supervised as an important-data handler too. A vendor or processor that > holds no important data of its own can inherit the duty from its client. ## CIIO ≠ important-data handler — intersecting, not containing A common shortcut is to assume that a critical information infrastructure operator (关基单位 / CIIO) is automatically an important-data handler. Lü Mingxuan is explicit that the two statuses **intersect but do not contain one another** — there is no rule that "a CIIO is necessarily an important-data handler." The test is the same "**data attribute → processing activity → scale threshold**" trinity applied to the facts. - **A CIIO usually *is* one** because the core business data it collects and generates is, as a rule, managed as important or core data and clears the threshold — and the CIIO autonomously decides the purpose and means of processing, meeting the subject test. - **But a CIIO may *not* be one** where it only handles non-important data below the 10-million-PI line; or provides **pure network-infrastructure service** without autonomously deciding processing purpose and means; or acts only as an **entrusted processor** under another party's instructions. DCC has covered this status question in its own right — see [Are You a CII Operator or an Important-Data Handler?](/posts/assessing-cii-operator-important-data-handler-status/) — and the takeaway is the same: **run both tests separately; neither implies the other.** ## Part 3 — actually identifying "important data" (the hard gate) Gates 2 and 3 are relatively self-evident — count your PI, check the catalogue. Gate 1 is the hard one, because the statutory definition is abstract. The guide's method: identify important data with **harm consequence as the core**, combined with **precision, scale, and domain** factors, **against the national / sectoral / local catalogues and the national standard** [GB/T 43697-2024 *Data Classification and Grading Rules*](/laws/data-classification-grading-rules/). That standard's definition tracks the Regulation, and its **Appendix G sets out 18 identification factors** spanning the four dimensions — national security, economic operation, social stability, public health and safety. **Data exhibiting any one of the 18 factors can be identified as important data.** This is the working tool for Gate 1, and DCC's earlier plain-language treatment of the same problem — [How to Identify "Important Data"](/posts/qinglan-how-to-identify-important-data/) — is a useful companion to it. > **Classification is not set-and-forget.** The guide stresses that both the > important-data determination *and* the important-data-handler determination > must be **periodically reviewed** and updated as the business and the > technology change. A "no" today is not a "no" forever. A note on Gate 2's denominator: the 10-million count is of **personal information**, and the [PIPL](/laws/pipl/) definition **excludes anonymized information** — so genuine anonymization removes data from the headcount (the guide points to GB/T 35273-2020's PI examples and the two classic identification paths, *identify* (info → person) and *associate* (person → info)). Anonymization architecture therefore has real leverage on whether you cross the Gate 2 line. ## Once you are in: what the Measures require If any gate catches you, the Measures' operating requirements attach: **Frequency.** - **Annual mandatory full assessment** for important-data handlers (general handlers are merely *encouraged* to assess at least once every three years). - **Trigger-based instant assessment**, on top of the annual one, when: - before **providing, entrusting, or jointly processing** important data (statutory-duty cases excepted); - a **material change** in the security status of important data (a surge in scale, a change of purpose, a system-architecture adjustment); - **before a cross-border transfer** (which also requires a separate outbound security assessment); or - after a **major data-security incident**, or on discovering a major defect or vulnerability. **Stacked PIPIA.** An important-data handler that **also** processes the PI of more than 10 million people must run a **personal-information protection impact assessment** in parallel (the [GB/T 39335](/laws/gbt-39335-pi-impact-assessment-guide/) methodology) — the two assessments stack. **Report, retention, submission.** - Prepare the report per the **competent authority's** rules; where there are none, reference the national standard [GB/T 45577-2025 *Data Security Risk Assessment Method*](/laws/gbt-45577-data-security-risk-assessment/). - **Retain the report at least three years.** - **Submit within 20 working days** of completing the annual assessment to the competent authority; where the competent authority is unclear, submit to the **provincial or national cyberspace administration**. The authority relays the report to the same-level cyberspace administration within 10 working days. ## Why this matters for overseas counsel - **Classification is the gate — and now it has a deadline.** DCC's structural brief said every hard obligation in the Measures keys off important-data-handler status; this guide is the test, from the institution that helps write the standard. With **under two months** to August 20, the self-identification is the work to do *now*, not after a regulator raises it. - **The 10-million-PI deeming rule is the real trap.** A foreign-invested consumer business can become an "important-data handler" — and inherit the annual-assessment program, the PIPIA stack, and the cross-border triggers — **without holding any "important data" at all**, purely on Chinese-user headcount. If your China app or platform is anywhere near 10 million users, assume Gate 2 and plan the program. - **Your China vendor may be in scope through you.** The entrustment path pulls an entrusted processor into important-data-handler supervision when its client is one. Allocate the assessment, retention, and submission duties explicitly in processing contracts — do not assume the duty sits only with the data "owner." - **Run the CIIO and important-data tests separately.** Being (or not being) a CIIO tells you little about important-data-handler status, and vice versa. Map both. - **Anonymization has compliance leverage on Gate 2.** Because anonymized information is outside the PIPL definition, anonymization genuinely reduces the 10-million denominator — one of the few architectural moves that can keep a high-volume consumer service below the deeming line. The Measures do not change *what* data security requires. What this guide makes concrete is *who* has to run the now-mandatory annual program — and the answer reaches further than "companies that hold sensitive datasets." If you process Chinese personal information at scale, the threshold question is no longer academic. --- *Source: 吕铭轩, "《网络数据安全风险评估办法》新规下,是否每年必须要做数据安全风险评估?—请查收这份重要数据处理者自我识别指南", 三所数据安全 (TRIMPS Data Security) WeChat Official Account, 25 June 2026 — [original](https://mp.weixin.qq.com/s/bvkwBv0MipBmBqZCmE_pGg). DCC's summary and analysis of the author's practitioner guide; not a verbatim translation, and not legal advice. Article numbers refer to the Network Data Security Management Regulation, the Data Security Law, and the Network Data Security Risk Assessment Measures (Order No. 24) as cited in the source.* --- ## Li Yang: Why 'Data Rights-Confirmation' Is a Category Error — Dynamic Data Can't Be a Registration Object, and AUCL Article 13 Is the Better Path - Published: 2026-06-24 - Author: DCC Editorial - Tags: data-economy, data-property-rights, data-registration, data-ip-registration, anti-unfair-competition, data-confirmation, commentary - Laws cited: anti-unfair-competition-law, data-property-rights-registration-guide-draft, data-foundation-system-opinions - Domains: data-economy - URL: https://datacompliancechina.com/posts/li-yang-against-data-rights-confirmation/ - Markdown: https://datacompliancechina.com/posts/li-yang-against-data-rights-confirmation.md - Original source: https://mp.weixin.qq.com/s/xmElhjrjt6YFApEZt6Q5gQ - Original author: 李扬 (Li Yang, China University of Political Science and Law) - Original publication: 李扬知产 (Li Yang IP) WeChat Official Account ### Description DCC's summary of an opinion piece by Li Yang (李扬), professor at China University of Political Science and Law, arguing that the whole project of 'data rights-confirmation' (数据确权) — and the data-IP registration pilots run under it — rests on a category error. In Chinese IP law, 'confirmation' (确权) is the authoritative validation of an already-existing right, and it presupposes three things data lacks: a determinate object, defined rights content, and clear boundaries. Civil Code Art. 127 only defers the question; 'data IP' is a policy concept, not a legal one; and data is co-produced by many parties, so registration proves who submitted data, not who owns it. Li Yang's sharpest move is the dynamic-object problem: registration regimes (real estate, IP, equity) require a persistently stable object, but data's value lives in continuous updating, so the data at registration is never the data in dispute — and blockchain/hash/timestamp '存证' only fix a historical snapshot, never the living data stream, confusing proof-of-existence with object-identification. He concludes that registration's real functions are evidentiary and publicity/transaction-support — not rights-confirmation — and that data governance should move from rights-confirmation to interest-protection, from static-rights thinking to dynamic-competition thinking, protecting commercial-data interests under Article 13 of the Anti-Unfair Competition Law. DCC's read for overseas counsel, against the data-IP registration regime and the Beijing Internet Court's first AUCL Article 13 ruling. ### Body > *Editor's Note — DCC.* > > This is DCC's summary of an opinion piece, **"Some Reflections on Data > Rights-Confirmation by Registration" (关于数据登记确权的几点反思)**, by > **Li Yang (李扬)**, professor at the **China University of Political > Science and Law (中国政法大学)** School of Civil, Commercial and Economic > Law and a vice president of the China Intellectual Property Law Society, > published on his personal **李扬知产** account on **24 June 2026**. It is > a scholar's argument, not a rule — DCC treats it as a one-off summary > rather than a translation, and the framing for overseas counsel is ours. > > The timing is what makes it worth reading now. It lands the same week > DCC published the **Beijing Internet Court's first application of the > AUCL data clause** ([China's first AUCL Article 13 ruling](/posts/aucl-data-clause-first-case-platform-scraping/)), > and it is, in effect, the **academic case for why that route — not data > ownership or a data-IP certificate — is the right one**. Read it against > DCC's coverage of the data-IP registration regime: the > [Datatang v. Yinmu certificate case](/posts/datatang-v-yinmu-data-ip-registration-case/), > [what a registration certificate actually confirms](/posts/qinglan-what-data-registration-actually-confirms/), > and the [registration review guide](/posts/data-property-registration-review-guide/). ## The argument in one line China keeps trying to **"confirm rights" in data (数据确权)** and to build **data-IP registration** on top of that idea — but data has no determinate object, no settled rights content, and no fixed boundaries, and its value lives in *constant change*, so it cannot satisfy what a confirmation / registration regime structurally requires. The honest path, Li Yang argues, is to drop the ownership frame and protect **commercial-data interests under the Anti-Unfair Competition Law**. ## What "确权" actually means in Chinese law Li Yang starts by tightening the term. In Chinese IP usage, **确权 ("rights-confirmation")** is *not* ordinary publicity-effect registration. It is an **administrative or judicial act that authoritatively confirms whether an already-existing right is valid** — the patent- and trademark-invalidation/confirmation systems are the model. That presupposes **three things**: 1. **A determinate object (客体).** A patent maps to a specific invention, a trademark to a specific sign, a copyright to a fixed expression — each identifiable and relatively stable. 2. **Defined rights content (权利内容).** The law, not the registration, says what the holder gets (exclusive exploitation, reproduction, etc.). 3. **Clear boundaries (权利边界).** Claims, the registered mark + specified goods, the fixed expression — these draw the line between the right and the public domain. Confirming *those boundaries* is the whole function. Confirmation is "determinate object → determinate content → determinate boundary." It is **authoritative recognition of an existing right-state, not the first-time grant of an uncertain interest.** Take away that base and "confirmation" has nothing to act on. ## Why data fails at the object - **Data is not a legal object by default.** No current Chinese statute grants data a unified ownership or analogous right. **Civil Code Article 127** is only a referral clause ("where the law provides for the protection of data and online virtual property, those provisions apply") — it does not say what kind of object data is, what right attaches, or where the boundary runs. So **"data IP" is a policy / academic concept, not a strict legal one.** - **Data has inherently many producers.** Users upload content, merchants supply business information, the platform processes it, algorithms generate labels, third parties add data. You cannot pick a single rights-holder the way you name a patent's inventor. **Registration can show "who submitted the data" — not "who owns it."** ## The killer point: a dynamic object can't be registered This is the part Li Yang says the debate has underweighted, and it is the strongest move in the piece. Every registration regime — **real estate, IP, equity** — presupposes a **persistently stable, identifiable object**: a registered building isn't changed by being lived in, a patent isn't changed by being practiced, a mark isn't changed by sales. Publicity and reliance work *because* the object stays put and stays traceable. **Data is the opposite.** Its value comes not from any one historical snapshot but from **continuous updating** — today a new comment, tomorrow a deleted violation, the day after a new merchant. So: > The data at the moment of registration is not the data in reality, and > the data in reality is no longer the data that was registered. Registration demands **uniqueness + stability + persistent identifiability**; dynamic data clears only the first. When the regime's assumed object-form collides with how the thing actually behaves, no amount of clever institutional design rescues it. ## Why blockchain/hash/timestamps don't fix it The standard rejoinder is technical — **blockchain存证, hash fixing, timestamps**. Li Yang says these miss the level of the problem. A hash proves a given dataset **existed at a point in time**; it cannot prove the data **persists**, still less that **later, updated data is the same registered object**. Blockchain fixes a **historical snapshot, not the living data stream**. > Technology can prove the past; it cannot lock down the present. Treating tech as the master key **conflates "proof of existence" with "persistent object identification"** — two different problems. ## What data registration can *actually* do Of the four functions usually claimed for data registration, only one survives intact once you take the dynamic-object point seriously: | Claimed function | Li Yang's verdict | |---|---| | **Evidentiary (存证)** | **Holds up** — proves a party held a particular data-form at a point in time. | | **Publicity (公示)** | **Sharply limited** — the object keeps changing, so the register and the real data are substantially decoupled; far weaker than patent/trademark publicity. | | **Transaction support (交易)** | **Badly mismatched** — markets buy the *future* data stream; the register captures a *past* snapshot. | | **Judicial proof (司法证明)** | **Inherently limited** — a certificate proves the state *at registration*, not the state when the dispute arose. | So registration's honest value is **evidentiary and (weak) publicity/transaction-support — not rights-confirmation.** ## The pivot: from confirming rights to protecting competition interests Li Yang names the underlying habit — a **"confirmation cult" (确权崇拜)**: the reflex that every new interest must be "confirmed" to be protected, imported from IP thinking. But IP protects **relatively static intellectual outputs**; data protection faces a **continuously flowing stream**. Same logic, wrong object. His positive proposal tracks what courts already do: data disputes — scraping, crawling — are resolved overwhelmingly through the **Anti-Unfair Competition Law**, where the court protects **not data as an absolute-right object, but the operator's data competition interest built on substantial investment**. That model needs **no "data ownership," no fixed boundaries, and no solution to the dynamic-object problem** — which is exactly why it fits the digital economy. He frames the needed shift in three moves: - from **"data rights-confirmation"** → **"data interest-protection"**; - from **static-rights thinking** → **dynamic-competition thinking**; - from **rights-centrism** → **order-centrism**. And he points to where the statute already says so: **Article 13 of the Anti-Unfair Competition Law** — the data clause — which, he insists, **must not be ignored**. The realistic frontier is not an abstract data ownership system but **working out the elements of AUCL-protected commercial data and the catalogue of unfair-competition conduct against it.** ## Why this matters for overseas counsel - **It's the doctrine under the case.** This is the scholarly version of what the Beijing Internet Court just did in [China's first AUCL Article 13 ruling](/posts/aucl-data-clause-first-case-platform-scraping/): protect the **investment-backed data competition interest** without deciding ownership. Li Yang is arguing that route is not a stopgap — it is the *correct* frame, and the rights-confirmation alternative is built on sand. - **Calibrate what a data-IP certificate is worth.** It cuts directly against treating a **data-IP registration certificate** as title. As DCC has covered, a certificate is **evidence of lawful sourcing and investment** — useful in an AUCL claim (see [Datatang v. Yinmu](/posts/datatang-v-yinmu-data-ip-registration-case/) and [what registration actually confirms](/posts/qinglan-what-data-registration-actually-confirms/)) — but on Li Yang's analysis it is **not, and cannot be, proof of an exclusive property right** in a living dataset. - **Protection is conduct-based, not boundary-based.** If the enforceable substance lives in competition law, then what you can stop is **improper *conduct*** (circumventing controls, breaching terms, free-riding on another's investment) — not unauthorized *use of "your" data* in the abstract. This is the same lesson as the ["right to hold data" debate](/posts/data-holding-right-two-paths/) and the [three-rights framework](/posts/nda-three-rights-structural-separation/): in Chinese data deals, value and protection sit in **use/operation + contract + competition law**, not in "who owns the data." - **A health warning on "数据确权."** Expect the term to keep appearing in pilots and local rules; read it, per Li Yang, as **registration with evidentiary value — not the conferral of a property right.** Don't advise a client that a registration "confirms ownership" of a dataset. --- *Source: 李扬, "关于数据登记确权的几点反思", 李扬知产 (Li Yang IP) WeChat Official Account, 24 June 2026 — [original](https://mp.weixin.qq.com/s/xmElhjrjt6YFApEZt6Q5gQ). DCC's summary and analysis of the author's argument; not a verbatim translation, and not legal advice.* --- ## How the Beijing Internet Court Found a Platform 'Lawfully Held' Its Data Under the New AUCL Article 13 — and Where It Meets the 'Right to Hold Data' - Published: 2026-06-24 - Author: DCC Editorial - Tags: anti-unfair-competition, data-economy, data-property-rights, data-scraping, platform-competition, judicial-case, beijing-internet-court, data-holding-right, web-scraping - Laws cited: anti-unfair-competition-law - Domains: data-economy, personal-information - URL: https://datacompliancechina.com/posts/aucl-data-clause-first-case-platform-scraping/ - Markdown: https://datacompliancechina.com/posts/aucl-data-clause-first-case-platform-scraping.md - Original source: https://mp.weixin.qq.com/s/yUgyD3iFsRZOVc_h-2XknQ - Original author: 张倩、张晴 (Beijing Internet Court) - Original publication: 北京互联网法院 WeChat Official Account ### Description The Beijing Internet Court's 30 April 2026 judgment — the first published application of the data clause (Article 13) of the 2025-revised Anti-Unfair Competition Law, effective 15 October 2025 — turns on one threshold question: did the plaintiff platform 'lawfully hold' (合法持有) the scraped career data? DCC walks through exactly how the court got to 'yes', step by step: the data originated as personal information collected with user consent under the platform's Service Agreement and Privacy Policy (no unlawful processing on record); the operator's build-and-run investment aggregated scattered records into a dataset with standalone economic value; and that dataset is the foundational input for the platform's matching business and competitive advantage. From those three findings the court derives its operative definition — data lawfully collected/stored/used, formed through substantial investment, and capable of generating business benefit or competitive advantage — and holds that the defendant's crawler-and-resale scheme, circumventing login and access controls, was unfair competition (¥200,000 + ¥30,000-plus in costs). The brief then takes up the doctrinal question: does Article 13's 'lawfully held data' correspond to the 'right to hold data' (数据持有权) in the Data 20 Articles' three-rights framework? The answer is a functional yes — the court is enforcing the holding right's purely defensive content, exactly as Hong Yanqing's analysis predicted AUCL Article 13 would — but not a doctrinal one: it builds a competition-tort interest on investment and lawful sourcing, deliberately sidestepping any claim that data is a typed property right. DCC's case brief for overseas counsel, drawn against the earlier AUCL Article 2 general-clause data cases. ### Body > *Editor's Note — DCC.* > > This is DCC's case brief of a judgment the **Beijing Internet Court > (北京互联网法院)** published in its "e案e审" case column, and which the > presiding bench and an invited outside expert both describe as the > **first published application of the data clause — Article 13 — of the > 2025-revised Anti-Unfair Competition Law (反不正当竞争法)**, the > revision that took effect on **15 October 2025**. The judgment was > handed down on **30 April 2026** by the court's **Comprehensive Trial > Division No. 1 (综合审判一庭)**, deputy chief judge **Zhang Qian (张倩)** > presiding. In the published copy the **plaintiff and platform are > anonymised** ("某科技公司" / the "platform at issue"); the defendant is > referred to as **Mr. Wang (王某)**. The English renderings of the > court's language, and the framing for overseas counsel, are DCC's. > > Read this alongside DCC's two earlier AUCL data cases — the > [Datatang v. Yinmu data-IP case](/posts/datatang-v-yinmu-data-ip-registration-case/) > and the [AI-ghostwritten "seeding post" case](/posts/ai-seeding-post-unfair-competition-case/). > Both were decided under the **general clause (Article 2)** of the *old* > AUCL. The significance here is that a court is now working from the > **purpose-built data clause** the legislature added in 2025 — and is > telling the market exactly how it reads it. ## Why this one matters China's courts spent the better part of a decade policing data scraping and data free-riding through **Article 2**, the AUCL's general good-faith / business-ethics clause, because the statute contained no provision aimed at data. The **2025 revision changed that**: Article 13 now expressly prohibits an operator from using "fraud, coercion, circumventing or breaking technical management measures, or other improper means" to **acquire or use data lawfully held by another operator** in a way that harms that operator and disrupts market competition order. The open question after October 2025 was whether a dedicated clause would actually change how courts reason — or just relabel the existing Article 2 framework. This judgment is the first data point, and it does two things overseas counsel should note: it **builds a four-element test on the face of the new clause**, and (in the accompanying expert commentary) it **drops the "competitive relationship" inquiry** that Article 2 data cases used to run through. ## The case at a glance | | | |---|---| | **Court** | Beijing Internet Court (北京互联网法院), Comprehensive Trial Division No. 1; deputy chief judge Zhang Qian (张倩) | | **Decided** | 30 April 2026 — judgment now effective (no appeal by either side) | | **Legal basis** | Anti-Unfair Competition Law (2025 revision, effective 15 Oct 2025), **Article 13(3)** — the data clause | | **Plaintiff** | A technology company operating a well-known professional / career-networking platform (anonymised) | | **Defendant** | Mr. Wang (王某), operator of the infringing site and reseller of access to it | | **Cause of action** | Unfair competition (不正当竞争纠纷) | | **Result** | Wang to pay **¥200,000** in economic loss + **¥30,000-plus** in reasonable enforcement costs (fully supported); plaintiff's other claims dismissed | ## The facts The plaintiff operates a well-known **professional / career-networking platform** (think of the LinkedIn-style category). The platform holds a large body of **career data** — user names or handles, current employer and job title, years of experience, and **complete work and education histories**. The platform's **Service Agreement** bars users from registering multiple accounts or using controlled accounts to scrape data, and the operator had deployed **login verification, access-permission controls, and traceable encrypted parameters** to keep non-members out of the data and to track anyone accessing it in violation of the rules. Mr. Wang did the following: - **registered platform accounts using multiple phone numbers** and topped them up to **business-membership (商务会员)** tier; - **obtained the page source code, wrote crawler programs, and stood up his own unlawful website**, onto which he **automatically scraped the platform's career data**; and - **resold access** — selling the usernames and passwords needed to query his copycat site through **second-hand-marketplace accounts** (i.e., resale-platform listings), as short-term **day-passes**. The plaintiff sued under **Article 13(3)** of the revised AUCL, seeking damages and reasonable enforcement costs. **Wang's defence** was, in essence, "no substantial substitution and no bad faith": he argued his site sold only **1-to-15-day short-term access** to users with **temporary, simple look-up needs**, offered only a **single "contacts-view" (人脉查看) function**, served a completely different audience, and therefore did **not substantially substitute** for the platform; that he had **no subjective intent to infringe** and had **voluntarily stopped**; and that the claimed loss was excessive and the claimed costs above industry norms. ## The holding ### 1. How the court found the platform "lawfully held" the data The whole case runs through one threshold: is the scraped material **"data lawfully held" (合法持有的数据)** by the plaintiff within the meaning of Article 13? This is where most of the court's reasoning sits, and it is worth following the chain, because the court is effectively *defining the term* through its application. It built the conclusion in **three findings**: 1. **Lawful sourcing → the "lawfully" prong.** The dataset was formed by the platform **collecting and processing personal information with user consent**, under its **Service Agreement and Privacy Policy**, and the record showed **no unlawful data processing**. So the holding is *lawful* at its root — the platform's own PIPL-side compliance is what makes the dataset "lawfully" held. (Flip side: a platform whose upstream collection was unlawful would struggle to clear this prong.) 2. **Aggregation through investment → a protectable dataset, not raw records.** By **building and continuously operating** the platform, the plaintiff **aggregated scattered, single data points into a dataset of meaningful scale**, which gave the collection an **economic value distinct from any single raw record**. The protected object is thus the **operator's invested-in dataset**, not the underlying individual facts — the value is created by the *holding and integration*, i.e. by substantial investment. 3. **Competitive function → "brings business benefit or competitive advantage."** The fields at issue — name, employer and title, work and education history — are **strongly correlated with job-seeking, recruiting, and networking**, and are the **foundational input** that lets the platform precisely match social and hiring demand and keep improving its service; they are therefore important to the platform's **core business and to building and widening its competitive advantage**. Stacking those three, the court reaches its **operative definition**: a dataset that is **lawfully collected, stored or used, formed through the operator's substantial investment, and capable of bringing it business benefit or competitive advantage** is **"data lawfully held"** under Article 13(3). Note *what the court did not do*. It did **not** ask whether the platform owned the data, whether data is a typed civil property right, or whether some "data right" had been registered. "Lawful holding" is built from **conduct and investment**, not from title — which is exactly why it can be decided on the facts without waiting for China's data-property legislation to settle. That move is what connects this case to the [right-to-hold-data debate](#does-lawfully-held-map-onto-the-right-to-hold-data-数据持有权), below. ### 2. Wang's conduct was improper acquisition and use → unfair competition Wang **registered and topped up multiple business-member accounts**, then **obtained source code, wrote crawlers, and built an unlawful site** to **circumvent the platform's login verification and access-permission controls**, **auto-scraped** the data, and **disclosed it publicly to an unspecified audience**. That conduct: - **improperly seized the plaintiff's users and market share**; - produced a **substantial substitution effect** on the platform's core business; - **created data-security risk**; and - **harmed the plaintiff's lawful interests and damaged the existing competitive order of the data-supply-and-circulation market**. That is unfair competition under the data clause. Note what the court did **not** require: it did not demand that Wang be a head-to-head competitor running an equivalent career-networking platform. ### 3. Damages — a four-factor calculus With statutory data-clause damages unsettled, the court fixed **¥200,000** by weighing four factors: 1. **Manner of conduct** — Wang committed **both** prohibited acts (improper acquisition *and* use); his scraping targeted the platform's **entire dataset** and pushed it to **unspecified outside users**, with significant impact on the core business and on data security. 2. **Subjective fault** — as a **paying business member**, Wang **should have known** the platform bars multiple accounts and scraping; after the platform **banned some of his accounts he simply registered new ones** and carried on — **obvious fault**. 3. **Scope of impact** — he ran a **self-operation-plus-distribution** model, selling **card-key access codes (卡密)** across multiple platforms, and his resale accounts moved **high volumes** — a wide footprint (the expert commentary notes sales **in the tens of thousands of orders**). 4. **Duration** — the infringing site ran from **at least April 2025 to at least December 2025**, i.e. **not a long period**. The court **fully supported** the plaintiff's claimed **reasonable expenses** (attorney and evidence-collection fees), given the necessity of enforcement and the difficulty of the case — adding **¥30,000-plus** on top of the ¥200,000. ## The framework the bench wants you to take away In the judge's own commentary (**法官说法**, Zhang Qian), the court frames this as the **first case it has concluded under the AUCL's new data clause**, and lays out a **four-element test** for applying Article 13: 1. **Object element (客体要件)** — the conduct must target **data lawfully held by another operator**. 2. **Subject element (主体要件)** — the actor must be an **operator (经营者)**. 3. **Conduct element (行为要件)** — there must be **improper acquisition or use** of the data. 4. **Result element (结果要件)** — the conduct must **harm another operator's lawful interests and disrupt market competition order**. And the **"lawfully held data" standard**: a dataset **lawfully collected, stored or used** by the operator, **formed through its substantial investment**, and **capable of bringing it business benefit or competitive advantage**. ## Does "lawfully held" map onto the "right to hold data"? (数据持有权) The natural question for anyone tracking China's data-property debate: is Article 13's **合法持有的数据 ("data lawfully held")** the same thing as the **right to hold data (数据持有权)** — the first of the three rights in the **Data 20 Articles' "separation of three rights" framework** (持有 / 加工使用 / 经营; see the regulator's own walk-through in [NDA Explains the Three-Rights Framework](/posts/nda-three-rights-structural-separation/))? The honest answer is a **functional yes, but not a doctrinal one** — and the difference is the whole point. - **Same instinct, different instrument.** Both ideas exist to protect the party that *holds* a dataset **without having to decide who owns it**. The Data 20 Articles invented a "holding right" precisely because data **ownership (所有权)** is contested; Article 13 protects "lawfully held data" precisely so a court can grant relief **without** ruling on ownership. The court here makes that explicit — it grounds protection in **lawful sourcing + investment + competitive value**, never in title. The verb 持有 ("hold") is doing the same work in both: protect a *position*, not a *property right*. - **This case is the holding right's *defensive content* in action.** On the official "complete separation" reading of the three rights — the one DCC covered through Hong Yanqing (洪延青) in [Two Paths for the 'Right to Hold Data'](/posts/data-holding-right-two-paths/) — once you carve the **use** and **operation** rights out of it, the holding right shrinks to a bare **"lawful-control state"** whose only real content is **defensive**: the power to fend off third parties. And Hong's key observation was that this defensive content is **already supplied by existing law — PIPL Art. 10, DSL Art. 32, the Network Data Security Regulation, and AUCL Article 13** — not by any new property right. This judgment is that thesis made concrete: **a court using AUCL Article 13 to enforce the holder's defense against a scraper.** It is, in effect, the holding right doing the one thing it can reliably do. - **But the court refused the property-rights frame.** It never called the dataset anyone's 持有权, never treated "holding" as a typed civil property right, and (as the expert notes below) did **not** start from "is there a legally protected data *right*?" What it protected is a **competition-law interest**, enforceable **in tort against improper-means competitors** — not *erga omnes* against the world. So the case **confirms** Path 1's conclusion (the enforceable substance of "holding" lives in competition law and contract, not in a standalone property right) rather than building out a property 持有权. - **What that means in practice.** A formal holding-right artifact — a data-resource-holding registration, or the **data-IP registration certificate** that anchored [Datatang v. Yinmu](/posts/datatang-v-yinmu-data-ip-registration-case/) — is **strong evidence of "lawful holding" under Article 13, but is not required**; the platform here won with none. Conversely, clearing Article 13 does **not** give the holder **exclusivity** over the data: data is non-rivalrous, and others may *lawfully hold the same data in parallel* (see [Data 'Parallel Property Rights'](/posts/data-parallel-property-rights/)). Article 13 bars only **improper-means** acquisition and use. The wrong the court punished was **how** Wang took the data — circumventing the access controls and breaching the platform terms — not a monopoly over the facts themselves. In short: read "lawfully held data" as the **competition-law operationalisation of the holding right's defensive core** — the same protective instinct, delivered through unfair-competition tort instead of a not-yet-settled property right. ## The expert reading — what actually shifted (Meng Yanbei) The published piece carries a **专家点评** by **Meng Yanbei (孟雁北)**, professor at Renmin University Law School and a member of the expert advisory group of the State Council's Anti-Monopoly and Anti-Unfair Competition Committee. Her three observations are the most useful part for predicting where this line of cases goes: - **Competitive relationship is fading out.** The court **did not follow the habitual practice** of first establishing a "competitive relationship" between the parties. Consistent with a broad, modern reading of competition (platform competition, data competition, cross-sector competition), it **de-emphasised — even hollowed out — the competitive-relationship inquiry** when finding data unfair competition. For foreign businesses this widens exposure: your scraper-adversary need not be in your line of business. - **The analysis no longer starts from "is there a data *right*?"** Under the old Article 2 cases, courts asked whether a **"legally protected data interest"** existed. Here the court **starts instead from the facts of lawful collection/storage/use + substantial investment + business benefit or competitive advantage** — the "lawfully held data" standard above. This is a deliberately **conduct- and investment-focused** route that sidesteps the unresolved question of data ownership. - **"Substantial substitution" is sufficient here, but not the boundary.** Wang took the platform's **full core-user dataset** and disseminated it without limit, actually selling **tens of thousands of orders** — enough to show a substantial substitution effect on the core business. But Meng cautions that **substantial substitution is one way to show harm to a competitor**; whether market order is "disrupted" may need separate analysis, and conduct could **disrupt market order even without** a substantial-substitution effect. Read: don't assume "we didn't replace their product" is a safe harbour. ## What overseas counsel should take from it - **There is now a named hook for data-scraping claims in China.** Where before a plaintiff had to argue the open-textured Article 2 good-faith clause, it can now plead **Article 13** directly. Expect more platform-vs-scraper suits framed this way. - **The protected thing is the *aggregated dataset*, not a data "right."** Liability turned on the **operator's investment in building and running the platform** and the resulting dataset's economic value — not on any registered or statutory property right in data. A defendant cannot win simply by pointing out that "data" is not a typed civil property right. (This is the same investment-and- free-riding instinct that drove [Datatang v. Yinmu](/posts/datatang-v-yinmu-data-ip-registration-case/), now expressed through the purpose-built clause.) - **Lawful *upstream* data handling matters to the *downstream* competition claim.** The court anchored "lawfully held" partly on the platform having **collected the personal information with consent under its Service Agreement and Privacy Policy**. A platform whose own PI collection was unlawful would have a weaker claim that its dataset is "lawfully held" — so PIPL compliance and competition-law standing are linked. This is why DCC files the case under both [Data Economy](/domains/data-economy/) and [Personal Information](/domains/personal-information/). - **Circumventing technical controls is the core wrong.** Login verification, access tiers, encrypted/traceable parameters, and anti-multi-account terms are not just product hygiene — defeating them is exactly the "circumventing or breaking technical management measures" the clause targets, and it drives both liability and the fault finding that lifts damages. - **The competitor-status defence is weakening.** "We serve a different audience / we don't substitute for you" did not save Wang, and the expert commentary signals courts will keep **relaxing the competitive- relationship requirement**. --- *Source: 北京互联网法院 (Beijing Internet Court), "e案e审丨不正当获取、使用平台用户数据,构成不正当竞争!", WeChat Official Account, 5 June 2026 — [original](https://mp.weixin.qq.com/s/yUgyD3iFsRZOVc_h-2XknQ). Contributors credited: 张倩、张晴; expert commentary by 孟雁北 (Renmin University). The judgment was issued 30 April 2026 and is effective. DCC's translation and analysis; not legal advice.* --- ## From Consent to Governance: What the 2026 Draft Revision of GB/T 35273 Changes Against the 2020 Standard - Published: 2026-06-23 - Author: DCC Editorial - Tags: gbt-35273, personal-information, pipl, lawful-basis, sensitive-pi, separate-consent, ai-governance, generative-ai, cross-border, unified-account, iot, compliance-audit, tc260, draft-for-comment - Laws cited: gbt-35273-2026-draft-pi-security-specification, gbt-35273-pi-security-specification, pipl, dsl, network-data-security-regulations, personal-info-audit-measures, gbt-45574-sensitive-pi-processing-security, gbt-42460-deidentification-evaluation-guide - Domains: personal-information, ai-governance, cross-border, app-compliance - URL: https://datacompliancechina.com/posts/gbt-35273-2026-revision-from-consent-to-governance/ - Markdown: https://datacompliancechina.com/posts/gbt-35273-2026-revision-from-consent-to-governance.md - Original source: https://mp.weixin.qq.com/s/_rWTtpMRTU-SA88NPhQyQQ - Original author: 全国网络安全标准化技术委员会 (TC260); 中国电子技术标准化研究院 (CESI) — drafting lead - Original publication: TC260 public consultation (released June 17, 2026); DCC synthesis of four practitioner readings ### Description On June 17, 2026 the National Cybersecurity Standardization Technical Committee (TC260), with CESI as drafting lead, released for public comment a systematic revision of GB/T 35273 — China's most-cited personal-information standard, the de-facto 'small PIPL.' The draft retitles the standard from 'Information Security Technology' to 'Data Security Technology' and expands its normative references from one standard to eight. DCC reads the revision as a role change, not a clause count: the standard moves from a consent-and-notice manual into a governance-capability framework. The substantive increments against GB/T 35273-2020: a new Chapter 5 importing PIPL Article 13's seven lawful bases as a standalone chapter with hard boundaries on each (contract-necessity, HR, public-disclosure) plus an evidence-chain duty; a sensitive-PI redefinition aligned to PIPL Article 28 with a new aggregation rule (multiple items that together meet the threshold are treated as sensitive as a whole); a formal 'separate consent' definition (3.7) with a negative list; a new eighth basic principle, 'quality assurance' (Chapter 4(f)); dedicated AI clauses on the collection side (6.7), in minimum-necessity (6.1 d–f), in aggregation/training (8.4), and a new generative-AI use clause (8.5.4) with output review and a 15-working-day deletion SLA; a unified-account-system clause (8.6) aimed at one-account-many-products groups; a terminal/IoT collection clause (6.8); a wholly new Chapter 11 on overseas-jurisdiction determination and conflict handling; and a systematized internal-control chapter (13) covering the person in charge of personal information protection, working body, processing-activity records, impact assessment, and a GB/T 46903-anchored compliance audit. Subject-rights response time tightens from 30 days to 15 working days. Clause numbers are from the comment draft and are not final; formal release is expected after 2027. ### Body > *Editor's Note — DCC.* > > On **June 17, 2026** the **National Cybersecurity Standardization > Technical Committee** (全国网络安全标准化技术委员会, "TC260"), with the > **China Electronics Standardization Institute** (中国电子技术标准化研究院, > CESI) as drafting lead, released for public comment a systematic revision > of **GB/T 35273** — the recommended national standard that has functioned > for years as China's operational benchmark for personal-information > protection, and in the pre-PIPL era as a *de-facto* "small PIPL." The 2020 > edition is in DCC's [law-catalogue entry](/laws/gbt-35273-pi-security-specification/); > the **full archived draft text** plus the drafting-explanation PDF is in > the [draft entry](/laws/gbt-35273-2026-draft-pi-security-specification/). > This brief is the structural read of what the draft *changes*. It is a > **DCC synthesis of four Chinese-language practitioner readings** — He Yuan > / DPOHUB (数据法盟), 汉谟法喵, the Zhong Lun data team (中伦数据团队, via TMT > 法律论坛), and HexCode (数据何规) — cross-checked against the consultation > text and its drafting explanation. **Clause numbers are from the comment > draft and are not final** (the commentators already flag at least one > cross-reference slip, on "separate consent"); formal release is expected > after 2027. ## The one-line thesis The headline is not how many articles were added. It is that the standard's **role** changed. GB/T 35273-2020 gave personal-information handlers an operable manual centered on the privacy policy and notice-and-consent. The 2026 draft tries to wire law, business process, algorithmic products, cross-border scenarios, management responsibility and audit evidence into a single net. > The 2020 standard answered "*how do I collect and notify properly?*" The > 2026 draft answers "*can you prove, on demand, why every processing > activity is lawful — and who is accountable when it is not?*" Three vectors run through every change: - **From consent management to governance capability.** A privacy policy plus a ticked box is no longer a processing basis. Each activity must state *why it may be processed*, on a verifiable, traceable, auditable evidence chain. - **From point-in-time compliance to a continuous, provable system.** Processing records, impact assessment, compliance audit and incident response are expected to form a standing loop, not a one-off remediation project produced the week before an inspection. - **From domestic governance to global compliance coordination.** A wholly new chapter asks outbound operators to map foreign extraterritorial reach and to have a conflict-handling mechanism ready. Two surface signals telegraph the shift before you reach a single requirement: the title moves from **"Information Security Technology"** (信息安全技术) to **"Data Security Technology"** (数据安全技术), and the normative-reference list grows from **one** referenced standard to **six published plus two forthcoming**. ## What changed against the 2020 standard — the annotated map The increments sit in nine columns. The right-hand column is the draft's new position; treat it as the change to highlight, not the settled rule. | Area | GB/T 35273-2020 | 2026 draft revision | |---|---|---| | Title / framing | "Information Security Technology" | **"Data Security Technology"**; references 1 → 8 standards | | Lawful basis | Consent-centric, limited exceptions | **New Chapter 5**: PIPL Art. 13's seven bases as parallel tracks, each with hard boundaries + evidence-chain duty | | Sensitive PI | "extremely likely to harm reputation / physical-mental health / cause discrimination" | **PIPL Art. 28 wording**; risk-feature categories; **aggregation rule** (3.2 note 3) | | Consent granularity | Consent / explicit consent, undefined | **"Separate consent" defined (3.7)** + negative list + withdrawal-evidence duty | | Basic principles | 7 principles | **8 principles** — new **"quality assurance"** (Ch.4(f)); two renamed | | AI / generative AI | Not addressed | **6.7** (collection), **6.1 d–f** (min-necessity), **8.4** (training), **new 8.5.4** (generative-AI use) | | Multi-product accounts | Not addressed | **New 8.6** unified-account-system clause (8 requirements) | | Terminal / IoT | Not addressed | **New 6.8** terminal-collection clause + GB 46864 data-clearing (7.1c) | | Cross-border | Outbound mechanisms only | **Wholly new Chapter 11** — jurisdiction determination + conflict handling | | Organization | Person in charge + working body, general | **Ch.13 systematized**: person-in-charge thresholds, working body, records (13.4), PIPIA (13.5), **compliance audit (13.8)** | | Subject-rights timing | 30 days | **15 working days** | The sections below annotate each increment. ### 1. A new Chapter 5 — lawful basis becomes the spine (新增专章) The single most structural change. The 2020 edition treated **consent** as the absolute core with a short list of exceptions. The draft adds **Chapter 5, "Lawful Basis and Compliance Requirements for Personal-Information Processing"** (个人信息处理的合法性基础与合规要求, nine clauses), importing **PIPL Article 13's seven bases** as parallel tracks — consent is now just *one* of them — and giving **each track an explicit prohibition boundary**: - **Consent (5.2)** — pre-processing notice, affirmative act. Prohibits pre-ticking, default consent, passive consent, and consent forced as the price of continued use. - **Contract necessity (5.3)** — limited to the core contract purpose. Expressly excludes personalized advertising, out-of-scope behavioral analysis, and non-essential profiling. The commentators read this as close to the **GDPR strict reading of "necessary for performance of a contract,"** and as materially shrinking the room to use "contract necessity" to escape consent. - **HR / labor management (5.4)** — only attendance, performance, pay, benefits and labor-dispute handling. Excludes employee profiling, marketing, and monitoring unrelated to labor management. - **Legal duty (5.5)** — must point to a *specific* obligation in law, an administrative regulation, or a normative document; a handler may not self-expand under "other circumstances." - **Public health / emergency (5.6)** — only genuine emergencies protecting life, health or major property; routine processing may not borrow it. - **Processing already-public information within a reasonable scope (5.8)** — tied to the *original* purpose of disclosure. Prohibits profiling, marketing, and bulk scraping that bypasses technical limits. Two cross-cutting duties anchor the chapter. Under **5.1**, a handler must **identify and record the lawful basis before processing**, forming a **verifiable, traceable, auditable evidence chain**; a basis, once chosen, may **not be changed to evade obligations**; the basis must stay consistent with the notice, the processing-activity record, the impact assessment and the audit; and where **multiple bases are available, the handler should pick the one less intrusive on individual rights**. A new **Annex D** supplies worked lawful-basis scenarios — e-commerce, flight booking, online medical, employee attendance, cybersecurity obligations, epidemic control, news reporting, academic research, and large-model training. > **DCC read.** The operational artifact this forces is not a better consent > log but a **lawful-basis matrix**: for every data category × purpose × > method × recipient × cross-border leg, what is the basis, why is it > necessary, is it still valid, and does a business change require > re-assessment. ### 2. Sensitive PI redefined + an aggregation rule The **3.2 definition** is realigned to **PIPL Article 28** — "liable to harm the dignity of a natural person or endanger personal or property safety" (容易导致自然人的人格尊严受到侵害或者人身、财产安全受到危害), replacing the 2020 "extremely likely to harm reputation, physical-mental health, or cause discriminatory treatment." The enumeration shifts from named fields (bank account, communication records) to **risk-feature categories** — biometrics, religious belief, specific identity, medical health, financial account, whereabouts/location track — plus under-14 minors; **religious belief and specific identity are added**. The rule to highlight is **3.2 note 3**: where **multiple PI items, once aggregated, meet the sensitive-PI threshold, the aggregated whole must be identified and protected as sensitive PI**. This breaks the old field-by-field test. A device ID, a location trail, a set of browsing or transaction fragments may each be low-risk alone, yet cross-referenced may infer health, occupation, household structure or financial capacity. **Annex B** is expanded with "specific-identity information" and "other sensitive PI" categories and footnotes (a–g) referencing the biometric special standards (GB/T 41806, 41819, 41807, 41773), precise-location data, criminal records, and ID-card photographs. A formal **"separate consent" (单独同意) term enters at 3.7** — specific, concrete, affirmative; *not* a one-time authorization spanning multiple purposes or methods — with a **negative list** (default, passive, pre-ticked, forced-via-continued-use are all invalid) and a strengthened **withdrawal** duty (convenient withdrawal path; immediate cessation; synchronized termination of any third-party provision; retain evidence of content, time, method, and the withdrawal trace). Scenarios requiring separate consent include: collecting sensitive PI (5.2a, 6.3c); under-14 minors via guardian (5.2b); providing PI to a third party (10.2b); public disclosure (10.4b); AI face/voice deep-synthesis (6.7a); and PI used for AI pre-training/optimization where law requires it (6.7b). > **Draft caveat.** He Yuan flags a cross-reference slip — the preface's > revision list labels "separate consent" as **3.8** while the body places it > at **3.7**. A reminder that this is a comment draft to be reconciled, not a > finished text. ### 3. A new eighth principle — "quality assurance" (保证质量) Chapter 4's basic principles go from **seven to eight**. The new item **4(f), "quality assurance,"** sits alongside minimum-necessity and security: through **prompting, verification and checking**, ensure the **authenticity and accuracy** of collected PI; on discovering an error, **timely notify the subject and provide a correction channel**; and **avoid decision bias or rights harm caused by inaccurate data** (two other principles are renamed — "choice consent" → "authorization consent," "subject participation" → "rights protection"). It echoes **PIPL Article 8**, and pairs with **9.2**'s subject correction right (now a **15-working-day** completion window). > **DCC read.** This quietly promotes **data quality from an operations/ML > concern to a personal-information-protection obligation**. In credit > scoring, hiring screens, insurance pricing and fraud control, "inaccurate," > "incomplete" or "stale" data can cause real rights harm — so the standard > now puts a verifiable correction loop on the protection side of the ledger. ### 4. AI and generative AI — the most current-affairs-driven additions The draft builds an end-to-end AI lane across four locations: - **Collection (6.7).** Deep-synthesis features that edit face/voice → **separate consent (6.7a)**. Using PI for **pre-training / optimization training** → prominent notice + consent, separate consent where law requires it; refusal **must not** disable basic functions; provide a withdrawal path (6.7b). AI extension functions **must be switchable off (6.2g)**. - **Minimum-necessity (6.1 d–f).** Training-data pre-processing and model training are held to the minimum necessary with effective security measures (6.1d); an **input-side reminder/filter mechanism** should screen out non-essential sensitive PI (6.1e) — e.g., prompting "*mind the privacy risk; enter sensitive personal information with care*" (6.1 note 3). - **Aggregation / training (8.4).** Before aggregating already-public data for training, **review the source and content, run a risk assessment, and de-identify (8.4c)**; build a **model-output review mechanism** to reduce the risk that the model is induced to output **real, identifiable PI (8.4e)**. HexCode reads 8.4e as a direct response to the **Kimi incident** — a user translating a slide deck reportedly received a stranger's complete résumé (name, phone, work history), explained away as "AI hallucination." - **Generative-AI use (new 8.5.4).** Where an information system **accesses an LLM or uses an agent** to process PI and **may materially affect subject rights** (e.g., outputs PI): run a personal information protection impact assessment (PIPIA) **in advance and periodically**; provide a convenient feedback channel and, on a deletion/restriction request, **complete within 15 working days**; build output-content review and risk monitoring; and (recommended) an identify-and-filter mechanism for unauthorized or expressly-refused PI, tuning parameters to prevent its output (8.5.4 a–d). Practitioners note the overlap with **LLM and algorithm-filing** practice. ### 5. A unified-account clause (8.6) aimed at one-account-many-products groups New **8.6, "Use of a unified account system,"** targets a specific structure: a unified account offered **across non-equity-affiliated entities within the same group** (defined at 3.19) — the "one login, many products" ecosystem. Eight requirements, the load-bearing ones being: a **dedicated processing rule** that discloses, in each product's rules, the linked information types, purposes and methods, with **sensitive PI and inter-account data provision marked or highlighted** (8.6a); PI collected by each product **should be stored separately** (8.6b); a per-product **query/copy/modify** entry (8.6c); a path to **delete one product's data or cancel one product's account without affecting the others** (8.6e–f); providing PI **between two or more accounts** follows the basic principles, and going **beyond the original scope or changing the purpose requires fresh consent** (8.6g); and a **periodic review** of inter-account data flows (8.6h). > **DCC read.** Group-wide membership systems, loyalty/points programs, and > the group "data mid-platform" become flagged high-risk zones. One account > logging into many services is **not**, by itself, a justification for > different legal entities to share, analyze and reuse the same individual's > PI. HexCode notes the draft stops short of banning unified accounts but > insists on clear disclosure and single-product cancellation. ### 6. A terminal / IoT collection clause (6.8) New **6.8, "Collection by terminal products or services,"** addresses devices with **no or limited UI** — smart cameras, locks, speakers, watches, bands — and public-area image capture. Where a companion app or web page exists, the processing rules must be shown **before first use via a prominent pop-up**; absent one, via the user manual or other offline means (6.8a). Public-area image-collection devices need **prominent notice signage (6.8b)**. Non-essential PI collected, or PI collected without consent, must be **deleted or anonymized promptly (6.8c)**. Relatedly, electronic products that store PI must support **cyclic-overwrite / format / controlled-delete** clearing per **GB 46864-2025 (7.1c)**. ### 7. A wholly new Chapter 11 — overseas jurisdiction and conflict handling The most forward-looking addition, and the one outbound operators should read first. **Chapter 11** sets out jurisdiction determination (11.1), conflict identification and layered handling (11.2), compliance process and proof (11.3), and organization and responsibility (11.4). Its design: - A **four-factor jurisdiction framework** — territorial / effects / personal / sector-specific (11.1.1). - A **layered conflict-handling priority** (11.2.2): **under the premise of not violating PRC law, administrative regulations, or competent-authority requirements**, prioritize local mandatory norms; then norms posing a significant penalty/injunction risk; then resolve via contract or industry self-discipline; and finally reference international standards or best practice. - A caution that extraterritorial reach **may not be denied solely because there is "no local entity" or "no direct consideration charged" (11.1.3)**. - Guidance on **government data-request response, transparency, and third-party risk**, with structured, **versioned records**, re-assessment when target-country law or enforcement shifts, and **at least annual** assessment for high-risk cross-border processing. > **DCC read.** Outbound compliance moves from "*can the data leave China?*" > to "*who will regulate it abroad, and what do we do when regimes conflict?*" > — i.e., from a filing exercise to a standing governance function. The > connecting factors the draft lists (operating locale, local entity and > staff, where compute/cloud is billed, use of local language/currency, > local advertising and after-sales, continuous local tracking) are the same > factors overseas counsel already use to assess GDPR-style extraterritorial > exposure. ### 8. A systematized internal-control chapter (13) The draft hardens organizational accountability: - **Person in charge of personal information protection** — four appointment triggers: a large network platform; a business centered on PI processing with **>200 relevant staff**; processing **>1,000,000 persons' PI** (with a new "**expected to within 12 months**" limb); or processing **>100,000 persons' sensitive PI**. The officer gets qualification, duty, power and independence detail (participate in major decisions, report directly to top management, propose rectification / cessation of unlawful processing), aligned to **PIPL Article 52** and the Network Data Regulation. The same thresholds trigger a **dedicated working body**. - **Compliance audit (13.8)** — conducted per **GB/T 46903-2025** across five stages (prepare, implement, report, rectify, archive); for important internet platforms, an **independent body composed mainly of external members** supervises the audit — pairing with the [PI Protection Compliance Audit Measures](/laws/personal-info-audit-measures/). - **Processing-activity records (13.4)** — seven trigger circumstances, fifteen content items, **≥3-year retention**, kept **electronic, structured and machine-readable**, and producible to regulators on demand. - **Impact assessment (13.5)** — a **pre-condition** for launch, major change and termination; eight scenarios require a prior PIPIA; and quantitative thresholds mark an "important processing activity" for which a **third-party PIPIA** is recommended (processing 10M persons' PI; providing 100k to a third party; processing 100k sensitive PI; processing 10k minors' PI; or providing 10k abroad). ### 9. Subject-rights timing and storage-chapter detail Response time tightens **from 30 days to 15 working days** across the rights and AI-deletion provisions. The storage chapter (Ch.7) also gets more operational: de-identification now expects a **systematic re-identification risk assessment plus a complete process record**; **derived personal information is itself PI**, subject to notice-and-consent; and access controls get granular (mask name/ID/phone; default-off screenshot/screen-recording). HexCode — annotating from practice — flags several of these as hard to implement (e.g., an app cannot truly *prevent* screen capture; a "technically-hard-to-delete" carve-out from PIPL should arguably be restated to avoid a one-size-fits-all "you can only delete" reading) — useful texture on which clauses may move before the standard is finalized. ## What overseas counsel should do with the comment window The draft is non-binding and not final, which is exactly why it is the low-cost window to rebuild the base before AI training, unified accounts, terminal collection, cross-border operation and automated decisioning are deeper in the product. Concretely: - **Build the processing-activity panorama first.** By product line, user group, data type, purpose, method, recipient, retention, storage location and cross-border leg. Without this map, lawful basis, PIPIA, audit and cross-border management have nothing to attach to. - **Stand up a lawful-basis matrix, not a better consent log.** Re-classify each activity to its best basis; reserve consent for what genuinely needs it; and isolate every separate-consent trigger (sensitive PI, minors, third-party provision, public disclosure, deep-synthesis, qualifying AI training) into its own interaction with retained evidence. - **Re-identify sensitive PI by scenario, not by field.** Move from a "sensitive-field list" to a "sensitive-processing-scenario list," focused on profiling, model training and risk-scoring where aggregation can tip an otherwise-ordinary dataset over the line. - **Give AI its own data-governance rulebook.** Training-source whitelist, pre-training de-identification standard, input collection/retention rules, optimization boundaries, human review, third-party model calls, input-filtering, output review, and the user's off-switch — written down as an input to the PIPIA. - **Map unified-account and terminal/SDK data flows.** Confirm which group products share which data, on what basis, with what notice; verify that requested device permissions match actual use; and that single-product cancellation truly leaves the rest intact. - **Treat cross-border as conflict management.** Maintain a cross-border matrix (subject locale, processor locale, storage/compute locale, foreign recipients, mechanism, supplementary measures, and a documented government- request response protocol), and re-assess on foreign legal/enforcement change. - **Close the loop on records, PIPIA, audit and incident response.** For sensitive PI, automated decisions, entrusted processing, external provision, disclosure, cross-border and major function changes — assess before, log during, review after — and keep it producible on demand. The 2026 draft does not rewrite what personal-information protection *requires* so much as it rebuilds how the duty *runs* — moving the benchmark from a description of good practice into a system a regulator expects you to operate, prove, and be audited against. --- — *全国网络安全标准化技术委员会 (TC260), 数据安全技术 个人信息安全规范 (征求意见稿) (Data Security Technology — Personal Information Security Specification, draft for comment), released for public consultation June 17, 2026; drafting lead 中国电子技术标准化研究院 (CESI). Revises [GB/T 35273-2020](/laws/gbt-35273-pi-security-specification/). This brief is a DCC synthesis of four Chinese-language practitioner readings: He Yuan / DPOHUB (数据法盟), ["国标35273《个人信息安全规范(征求意见稿)》主要修订了哪些内容?"](https://mp.weixin.qq.com/s/i6sY4yOMUgMyra1b5KkTwQ); 汉谟法喵, ["GB/T 35273《数据安全技术 个人信息安全规范》修订草案解读"](https://mp.weixin.qq.com/s/sJY2ppWf1t796Q0kmjsbVA); 中伦数据团队 (via TMT 法律论坛), ["35273修订:《数据安全技术 个人信息安全规范》(征求意见稿)变化解读"](https://mp.weixin.qq.com/s/n0MgKV-qQvmwPU3kJQ7V8w); and HexCode / 数据何规, ["我的35273修订学习笔记(3)-个人信息存储、使用"](https://mp.weixin.qq.com/s/pWwSPJyzMo2_QtRJ3-SNgQ). [Consultation draft (Chinese).](https://mp.weixin.qq.com/s/_rWTtpMRTU-SA88NPhQyQQ)* *Not legal advice. The above is DCC's structural analysis of a draft standard out for public comment. All clause numbers refer to the June 2026 comment draft and are subject to change before formal release (expected after 2027); where the draft and the final text differ, the final text governs.* --- ## From Principle to Running System: How the Network Data Security Risk Assessment Measures Operationalize the Data Security Law - Published: 2026-06-18 - Author: DCC Editorial - Tags: risk-assessment, network-data, data-security, important-data, cac, miit, mps, order-no-24, dsl, compliance - Laws cited: network-data-security-risk-assessment-measures, dsl, csl, network-data-security-regulations, industrial-data-security-risk-assessment-rules, gbt-45577-data-security-risk-assessment - Domains: data-security, enforcement - URL: https://datacompliancechina.com/posts/network-data-risk-assessment-measures-operationalizing-the-dsl/ - Markdown: https://datacompliancechina.com/posts/network-data-risk-assessment-measures-operationalizing-the-dsl.md - Original source: https://mp.weixin.qq.com/s/ypoiNq_5IxGtLw8o9pg9xQ - Original author: 国家互联网信息办公室、工业和信息化部、公安部 (CAC, MIIT, MPS) — Order No. 24 - Original publication: 网信中国 WeChat Official Account ### Description On June 18, 2026 the CAC, MIIT and the Ministry of Public Security jointly issued the Measures for Network Data Security Risk Assessment as Order No. 24, effective August 20, 2026. The 25-article rule adds no new substantive duty; it turns the Data Security Law's open-ended 'conduct risk assessment' obligation into an executable, verifiable, trigger-able governance system. DCC reads it as a three-tier standing model plus an event-driven escalation layer: important-data handlers must assess every year (general-data handlers are encouraged to every three), retain the report for three years and submit it within 20 working days; sectoral competent authorities run annual inspection plans filed by end-January; the national cyberspace administration consolidates and cross-shares reports with telecom, public-security and state-security departments; and where a high-risk finding or a breach of important data or large-scale personal information appears, regulators can compel assessment by a certified institution and order the operator to cease processing important data. The four institutional increments over the DSL: an annual mandatory action, networked multi-department supervision, a three-track assessment structure, and dynamic event-triggered oversight. ### Body > *Editor's Note — DCC.* > > This brief covers a single new national instrument: the **Measures for > Network Data Security Risk Assessment** (《网络数据安全风险评估办法》), > jointly issued on **June 18, 2026** by the **Cyberspace Administration of > China (CAC)**, the **Ministry of Industry and Information Technology > (MIIT)** and the **Ministry of Public Security (MPS)** as **Order No. > 24**, effective **August 20, 2026**. The full 25-article text is in DCC's > [law-catalogue entry](/laws/network-data-security-risk-assessment-measures/); > this brief is the structural read. The framing below — the "operationalization, > not duplication" thesis, the three-tier-plus-trigger model, and the > four-increment comparison against the Data Security Law — is DCC's. ## The one-line thesis The [Data Security Law](/laws/dsl/) (DSL) and the [Regulation on Network Data Security Management](/laws/network-data-security-regulations/) already *told* important-data handlers to run risk assessments. They did not say how, how often, to whom the result goes, or what happens when something is found. These Measures answer exactly those questions and nothing else. > The DSL is principle plus framework. These Measures are the **operating > system** for the risk-assessment duty — executable, verifiable, and > trigger-able. The Measures add **no new substantive obligation**. Their entire contribution is **institutional engineering**: taking a one-line statutory duty and building the cadence, the reporting plumbing, the assessor-trust model, and the escalation switch that make it run. ## The regulatory model: three standing tiers + one trigger layer ``` NATIONAL COORDINATION LAYER CAC (lead) + telecom + public security + state security · special working mechanism (Art. 3) · report consolidation + cross-department sharing (Art. 16) │ ▼ INDUSTRY SUPERVISION LAYER Sectoral competent authorities ("manage the business → manage its data security") · annual inspection plan, filed by end-January (Art. 4) · organise sector assessments · verify/spot-check reports (Art. 16) │ ▼ ENTERPRISE EXECUTION LAYER Important-data handlers (mandatory) · general-data handlers (encouraged) · annual risk assessment (Art. 5) · ad-hoc re-assessment on material change · 3-year report retention + 20-working-day submission (Arts. 15–16) │ ▼ (triggered) EVENT-DRIVEN ESCALATION LAYER Security incident / high-risk finding (Art. 17) · compelled assessment by a CERTIFIED institution · rectification → order to cease processing important data (Art. 19) ``` The first three tiers are **standing machinery**; the fourth switches on only when an incident or a high-risk finding occurs. Read top to bottom, the document is a supervision pipeline, not a list of prohibitions. **Enterprise execution layer.** The core duty is the **important-data handler's annual risk assessment** (Article 5), with general-data handlers encouraged to assess at least once every three years. A **material change** in the security status of important data that may adversely affect security triggers a prompt, scoped re-assessment of the changed part. This is the layer that makes data-security risk **periodically visible**. **Industry supervision layer.** Sectoral **competent authorities** organise assessments and inspections in their own field under the principle that "whoever runs the business runs its data security," and file an **annual inspection plan with the national cyberspace administration by the end of January** (Article 4) — designed, on its face, to prevent duplicative and multi-headed enforcement. **National coordination layer.** The national cyberspace administration, together with telecom, public-security and state-security departments, runs a **special working mechanism** (Article 3) and **consolidates and cross-shares** the reports (Article 16), giving the centre an aggregate picture of data-security risk. **Event-driven escalation layer.** Outside the standing cadence, where a **relatively high security risk** that may endanger national security or the public interest appears, or a **security incident leaks or steals important data or large-scale personal information** (Article 17), regulators may compel the operator to retain a **certified** assessment institution. The result feeds disposition: rectification and, ultimately, an order to **cease processing important data** (Article 19). ## Not duplication — an operationalization upgrade Against the DSL, the increment is concrete and sits in four columns: | Dimension | Data Security Law | Risk Assessment Measures | |---|---|---| | Legal nature | Upper-tier statute (principles) | Departmental rule (execution) | | Risk-assessment rule | General duty, undefined | Defined process + cadence + report | | Responsible parties | "Data handlers," undifferentiated | Tiered: important vs. general handlers | | Supervision | Dispersed | CAC-coordinated, multi-department | | Assessment method | Unspecified | Self / third-party / certified institution | | Submission | Unspecified | 20-working-day submit, 10-working-day relay | | Trigger | None | Incident / high-risk → compelled re-assessment | | Sector inspection | Not systematised | Annual plans + coordination mechanism | | Penalty linkage | Principle-level | Routes back to DSL / Network Data Regulation | ## The four institutional increments **1. From "principle duty" to "annual mandatory action."** The DSL asks for risk assessment without specifying it; the Measures make it a fixed calendar event — important-data handlers **must assess every year**, retain the report **at least three years** (Article 15), and submit it within **20 working days** of completion (Article 16). The essence: the obligation becomes **executable**. **2. From single-point to networked supervision.** The Measures stitch together a sectoral layer (competent authorities), a coordination layer (CAC), and cross-department sharing with telecom, public security and state security. The same report relays from competent authority to the same-level cyberspace administration within **10 working days** and onward to the national mechanism. The essence: supervision becomes a **network**. **3. From "self-assessment" to a three-track assessment structure.** A handler may assess itself; it may retain a market **third-party assessment institution**; and, on trigger, it must use a **certified** institution (Articles 7, 8, 17). The Measures harden the assessor side too — **no sub-entrustment** (Article 11), and the same institution and its affiliates may not run a handler's annual assessment **more than three consecutive times** (Article 12), with confidentiality and deletion duties (Article 14). The essence: a **de-monocultured trust model**. ``` Self-assessment (the standing default) + Third-party assessment institution (market track) + Certified institution (compelled on trigger) ``` **4. From after-the-fact to event-triggered oversight.** A risk that has risen, a breach of important data or large-scale personal information, or a national-security concern can each pull the escalation switch — compelled re-assessment, and the power to **stop the business activity** (Articles 17, 19). The essence: oversight becomes **dynamic**. ## What changes for compliance and data-trading programs For teams building data-trading or data-product compliance — exactly the terrain DCC tracks — the practical shift is from a documentary posture to a continuous one: - **Compliance moves from "paperwork compliance" to "continuous-assessment compliance."** A clean filing at launch is no longer the finish line; the annual assessment and the material-change re-assessment make currency the standard. - **Risk control moves from "pre-launch review" to "lifecycle monitoring."** The material-change trigger (Article 5) means any significant adjustment to purpose, method, scope, or security posture of important data is its own assessment event. - **Supervision moves from "spot-check" to "event-triggered intervention."** An incident or a high-risk finding can pull in a certified assessor and, if rectification fails, halt important-data processing. Two operational notes for overseas counsel. First, **classification is the gate**: every hard obligation here keys off being an *important-data handler*, so the threshold question is still whether your processing touches important data under the [Network Data Regulation](/laws/network-data-security-regulations/) and sectoral catalogues — the [GB/T 45577 data-security risk-assessment standard](/laws/gbt-45577-data-security-risk-assessment/) is the referenced methodology. Second, this national rule sits **alongside** sector rules already in force, such as the MIIT [Implementing Rules for Data Security Risk Assessment in the Field of Industry and Information Technology](/laws/industrial-data-security-risk-assessment-rules/); where a sector authority has its own provisions, those prevail (Article 6), so a multi-sector group should expect to map its assessment program against both the national Measures and each applicable sectoral regime. The Measures do not rewrite what data security *requires*. They rebuild how the risk-assessment duty *runs* — moving data-security governance from a statutory description of an obligation into a system you can operate, verify, and be escalated under. --- — *国家互联网信息办公室、工业和信息化部、公安部, 网络数据安全风险评估办法 (Measures for Network Data Security Risk Assessment), Order No. 24, published via the 网信中国 WeChat Official Account, June 18, 2026; effective August 20, 2026. [Original text (Chinese).](https://mp.weixin.qq.com/s/ypoiNq_5IxGtLw8o9pg9xQ) Full English translation in DCC's [law-catalogue entry](/laws/network-data-security-risk-assessment-measures/).* *Not legal advice. The above is DCC's structural analysis of a new national rule. Article numbers refer to the Measures as promulgated under Order No. 24.* --- ## Guangdong Prices the Public-Data Operator Like a Utility: Inside the Province's Authorized-Operation Price-Management Measures - Published: 2026-06-17 - Author: DCC Editorial - Tags: public-data, authorized-operation, data-economy, government-guided-pricing, public-data-operation-service-fee, permitted-revenue, guangdong, data-pricing - Laws cited: public-data-authorized-operation-specifications, public-data-registration-interim-measures, data-foundation-system-opinions - Domains: data-economy - URL: https://datacompliancechina.com/posts/guangdong-public-data-operation-pricing-measures/ - Markdown: https://datacompliancechina.com/posts/guangdong-public-data-operation-pricing-measures.md - Original source: https://mp.weixin.qq.com/s/DTdg84hRofrOgeHht-7rug - Original author: 行者X (DataWalker) - Original publication: 数据行者X WeChat Official Account ### Description On 12 May 2026 the Guangdong DRC and the Guangdong Administration of Government Services and Data issued the Guangdong Province Public Data Resource Authorized-Operation Price Management Measures — one of the first provincial implementations of the national NDRC/NDA price-formation notice (发改价格〔2025〕65号). The 20-article rule prices the 'public-data operation service fee' (公共数据运营服务费) with a regulated-utility toolkit: government-guided pricing, a maximum permitted revenue equal to operating cost + permitted profit + tax, and a permitted profit rate capped at the prior-year 10-year treasury yield plus no more than 6 percentage points. DCC reads the full text (carried by 数据行者X) against the Guangdong DRC's official interpretation (carried by 砖济咨询) to draw out what overseas counsel needs: this is cost-of-service, rate-of-return regulation imported into the data-element market, with periodic resets every three years, a ±10% annual adjustment band, mandatory cost separation, and a carve-out keeping public-governance and public-welfare data 'conditionally free.' ### Body > *Editor's Note — DCC.* > > This brief covers a single new instrument — the **Guangdong Province > Public Data Resource Authorized-Operation Price Management Measures** > (《广东省公共数据资源授权运营价格管理办法》), issued **12 May 2026** by the > **Guangdong Development and Reform Commission (DRC)** and the > **Guangdong Provincial Administration of Government Services and Data** > (省政务服务和数据管理局, the provincial "政数局"). DCC works from two > WeChat sources that carry the same instrument from opposite ends: the > **full 20-article text**, reposted by the independent channel **数据行者X > (DataWalker)** ([original](https://mp.weixin.qq.com/s/DTdg84hRofrOgeHht-7rug)), > and the **official departmental interpretation** (部门解读) sourced from > the **Guangdong DRC** and reposted by the PPP-advisory firm **砖济咨询 > (Shenzhen Brick-Economy Public Consulting)** > ([interpretation](https://mp.weixin.qq.com/s/PHXQceU3XR6w88a6jTm2mA)). > Neither channel adds analysis of its own; the substance is official. The > analysis below — the "regulated-utility" reading, the comparison to > rate-of-return tariff-setting, and the operational takeaways — is DCC's. > > One framing note for overseas readers. China's public-data regime is > **layered**: the national [Authorized-Operation Implementation > Specifications](/laws/public-data-authorized-operation-specifications/) > and [Registration Interim Measures](/laws/public-data-registration-interim-measures/) > (both NDRC + NDA, January 2025) set the floor, and provinces issue the > binding implementation rules. The price mechanism has its own national > parent — the **NDRC/NDA Notice on Establishing a Price-Formation > Mechanism for the Authorized Operation of Public Data Resources** (《关于 > 建立公共数据资源授权运营价格形成机制的通知》, 发改价格〔2025〕65号) — and > Guangdong is among the **first provinces to operationalise it**. The > Measures sit inside Guangdong's "1+3" public-data policy system and run > for a **five-year** term from issuance. ## What the Measures actually price The object of the rule is narrow and specific: the **public-data operation service fee** (公共数据运营服务费). This is the fee an **operating institution** (运营机构) — a body that has obtained authorization through the proper procedure — may charge when it **governs and develops** public data resources within its authorized scope and **fairly provides data products and services to the market** (Article 3). Two gating conditions sit in front of the fee, and both tie back to the national regime DCC has covered before: - the underlying public data resources must be **registered** with the registration body designated under Guangdong's public-data registration rules (the provincial implementation of the [Registration Interim Measures](/laws/public-data-registration-interim-measures/)); and - the data products and services must be **formed under** the authorized-operation rules, registered, and **listed on the catalogue** of public-data products and services that support industry development. In other words, the price rule only switches on **after** a firm is inside the gate that DCC's earlier brief — [Inside the Gate: How Enterprises Can Compliantly Process, Operate, and Trade Public Data](/posts/public-data-authorized-operation-processing-trading/) — describes. The Measures answer the question that regime left open: once you are an authorized operator with a listed product, **how much can you charge, and who decides?** ## The headline mechanism: government-guided pricing, not market pricing The fee is placed under **classified-and-tiered management and government-guided pricing** (分类分级管理、政府指导定价 — Article 4). It is **not** left to the market. The official interpretation is explicit about why: public data resources carry both a **public-welfare attribute** and **economic potential**, so the regulator wants a price that keeps operators "healthy and sustainable" while **preventing them from forming monopoly profits** (防止其形成垄断利润). That sentence is the whole policy in one line — the operator is being treated as a **franchised infrastructure monopoly**, not as a competitive vendor. The decision rights split by **level of authorization**: - **Province-level authorization.** The Guangdong DRC, together with the data authority, **verifies the operator's maximum permitted revenue** (最高准许收入). Within that ceiling, the data authority sets **ceiling tariffs** (上限收费标准) for each class of product and service (copying the DRC). The operator then sets **specific charges at or below** those ceilings. - **City/county-level authorization.** The prefecture-level city government sets the charging standards; its DRC and data authority verify the maximum permitted revenue; the data authority sets ceilings within it, reported to the city government for approval. Same operator-sets-the-final-number logic underneath. So three numbers stack: a **revenue cap** (regulator), **per-product ceiling tariffs** (regulator), and **actual prices** (operator, beneath the ceilings). The operator has pricing freedom only in the gap between the ceiling and zero. ## The pricing formula is straight out of utility regulation Here is the part overseas counsel should recognise immediately. The **maximum permitted revenue** is built on a "compensate cost, reasonable profit" principle (补偿成本、合理盈利) with an explicit formula (Articles 6–9): > **Permitted revenue = operating cost + permitted profit + tax** > (准许收入 = 经营成本 + 准许利润 + 税金) Each term is defined: - **Operating cost** (经营成本, Article 7) is the **reasonable expenditure net of government subsidies**, fixed through a **cost investigation** (成本调查). It expressly includes (1) authorized-operation **platform build and O&M**; (2) data **transmission, aggregation, storage and governance**; (3) **human resources**; (4) the **cost of obtaining the public data resources** themselves; and (5) period expenses. - **Permitted profit** (准许利润, Article 8) = operating cost × **permitted profit rate**. And the permitted profit rate is capped at: > the **average yield of 10-year treasury bonds** in the year before the > cost investigation, **plus no more than 6 percentage points**. - **Tax** (税金, Article 9) means taxes **other than VAT** — corporate income tax, urban maintenance and construction tax, and the education surcharge. This is **cost-of-service, rate-of-return regulation** — the same toolkit China uses to price regulated natural monopolies such as gas-pipeline transmission and water (准许成本加合理收益, "permitted cost plus reasonable return," with the return benchmarked to government-bond yields). The novelty is the **subject matter**: Guangdong has imported utility tariff methodology into the **data-element market**. For a foreign investor sizing a public-data operating venture in Guangdong, the practical consequence is that the **upside is analytically capped** — return on the regulated asset base is bounded at roughly the long-bond yield plus six points, not by what the market will bear. How the ceiling translates into actual charges is left flexible (Article 10): tariffs may be levied **by product quantity, number of service calls, service duration, or data-call volume**, taking into account the data, compute, and storage consumed across different application scenarios. That metering flexibility matters for API-style data products, where "per call" or "per volume" is the natural unit. ## Resets, true-ups, and a ±10% band Because the data industry moves fast, the Measures build in **periodic re-baselining** rather than a fixed tariff: - **Periodic assessment** (Article 12). The DRC and data authority reassess the maximum permitted revenue on a cycle of **no more than three years**, and may assess **early** if investment or cost changes materially. Crucially, **over-recovery is clawed back**: revenue earned above the permitted ceiling in one cycle is **deducted** when setting the next cycle's cap (with large over-recoveries smoothed across cycles). This is a classic regulatory **true-up** — the operator cannot keep windfall revenue. - **Annual adjustment band** (Article 13). Within a cycle, if actual revenue **deviates from the permitted ceiling by 10% or less**, the data authority guides the operator to adjust its **specific charges**; if the deviation **exceeds 10%**, the data authority adjusts the **ceiling tariff** itself. - **Reporting and cost separation** (Articles 14–15). The data authority reports the operator's prior-year results to the DRC by the **end of March**; the operator must run an **independent price-management system** and **separately account for** authorized-operation costs and revenue. For a multi-line business, that mandatory ring-fencing of the regulated activity is itself a compliance obligation — regulated public-data revenue cannot be commingled with the firm's other books. - **Transparency and enforcement** (Articles 16–17). The operator must **clearly mark prices** (明码标价) and publish its catalogue and tariffs on its portal. Supervision is split three ways: the **DRC** guides price-management practice, the **data authority** supervises the authorized-operation activity, and the **market-regulation authority** (市场监管, the SAMR line) polices price conduct — failure to follow the government-guided price, **price fraud**, and failure to clearly mark prices. ## Two carve-outs worth flagging - **Public-governance and public-welfare data stays "conditionally free."** Article 18 keeps public-data products and services used for **public governance and public-welfare** purposes on a **conditional free-of-charge** basis (有条件无偿使用), per the data authority's requirements. The service fee covers **market-facing** products, not the government's own use or public-interest distribution. The same article also clarifies that **revenue-sharing** from the public data resources and from the operating platform is **outside** the scope of the operation service fee — i.e. the fee regulation does not reach the upstream revenue-distribution arrangements between the government and the operator. - **Public utilities get a parallel track.** Where a **public-utility enterprise** (公用企业) conducts authorized operation, its **sectoral authority** sets the ceilings and handles pricing **by reference to** these Measures (Article 19) — a recognition that utilities (power, water, transport) sit on large public-data holdings and are already inside sector-specific price regulation. ## Why this matters beyond Guangdong - **The price question is now being answered.** Through 2024–25 the public-data story was about **getting authorized and getting registered**. With the national 65号 price-formation notice and Guangdong's implementation, the regime is moving to **what operators can charge** — and the answer is a **regulated, capped return**, not market pricing. Expect Beijing, Zhejiang, Shanghai, and other early movers to issue parallel measures; Guangdong is a template to read now. - **Model the asset like a regulated utility, not a SaaS business.** Any overseas party evaluating a Guangdong public-data operating role should build the financial model around **permitted revenue = cost + (cost × capped return) + tax**, with a **three-year reset** and **over-recovery clawback**. The return ceiling — long-bond yield + ≤6 points on the cost base — is the number that governs the investment case. - **Cost-base definition is where the value is contested.** Because profit is a markup **on operating cost**, the **cost investigation** is the decisive regulatory event. What counts as a legitimate cost of "obtaining the public data resources," of platform build, and of data governance will determine the permitted revenue. That is the proceeding to staff and document carefully. - **Ring-fencing is mandatory.** The independent price-management system and separate accounting (Article 15) mean the regulated public-data line must be **carved out** of a diversified firm's accounts from day one — not reconstructed at assessment time. This is continuous with DCC's broader public-data coverage — the authorized-operation [processing-and-trading guide](/posts/public-data-authorized-operation-processing-trading/), the [franchise/concession framing](/posts/public-data-under-franchise-concession/), and the reminder that authorized operation [is not a liability shield](/posts/public-data-authorized-operation-not-a-shield/) — but it adds the missing economic layer. China is not only deciding **who** may operate public data and **how**; with Guangdong, it is now deciding **what they may earn** — and doing it with the price-control playbook used for utilities. --- — *Primary text: 政策|广东出台公共数据授权运营价格管理办法(附全文), 数据行者X WeChat Official Account. [Full text (Chinese).](https://mp.weixin.qq.com/s/DTdg84hRofrOgeHht-7rug) Official interpretation: 《广东省公共数据资源授权运营价格管理办法》解读 (source: Guangdong DRC), reposted by 砖济咨询. [Interpretation (Chinese).](https://mp.weixin.qq.com/s/PHXQceU3XR6w88a6jTm2mA) Issued 12 May 2026 by the Guangdong DRC and the Guangdong Provincial Administration of Government Services and Data; effective on issuance, five-year term.* *Not legal advice. The above is DCC's structural analysis and translation of a provincial pricing rule and its official interpretation. Article numbers refer to the Measures as reposted in full by 数据行者X.* --- ## Ctrip's ¥10 Million Fine: China's First Publicly Disclosed Cross-Border Data Penalty — and the 'Necessity' Doctrine Behind Four Cases - Published: 2026-06-15 - Author: DCC Editorial - Tags: enforcement, cross-border-data, pipl, data-export, separate-consent, security-assessment, shanghai - Laws cited: pipl, network-data-security-regulations, data-export-security-assessment-measures, cross-border-data-flows-provisions, personal-info-standard-contract-measures, cross-border-pi-certification-measures - Domains: cross-border, enforcement, personal-information - URL: https://datacompliancechina.com/posts/ctrip-cross-border-data-fine-necessity-doctrine/ - Markdown: https://datacompliancechina.com/posts/ctrip-cross-border-data-fine-necessity-doctrine.md - Original source: https://mp.weixin.qq.com/s/ggamZwfK3nBULTuP-7GqmQ - Original author: HexCode - Original publication: 数据何规 WeChat Official Account ### Description In June 2026 Shanghai's cyberspace authority fined Shanghai Ctrip Commerce ¥10 million for unlawfully exporting personal information without implementing data-export security-assessment requirements — the first time a Chinese cross-border data penalty amount has been made public. DCC reads the fine against the three earlier Shanghai / MPS cross-border cases compiled by HexCode in 数据何规 (a hotel company that exported fields the CAC assessment had rejected, a property company that exported accommodation and financial-account data with no approval at all, and the Dior breach case) to surface the doctrine all four share: building a CRM or central-reservation system offshore does not make the bulk transfer of customer PI to headquarters 'necessary,' so it cannot escape the security-assessment / standard-contract / certification gate or PIPL's separate-consent and individual-notification requirements. The enforcement gradient — the assessment-rejected exporter was fined while the no-approval exporter was only warned — signals that subjective culpability is weighing on penalty severity. ### Body > *Editor's Note — DCC.* > > Where DCC's recent enforcement entries tracked the app-channel PI > regime — the [CAC 30-app notification](/posts/cac-2026-30-app-pi-notification-account-cancellation/) > and the [MIIT Batch 56 bulletin](/posts/miit-2026-batch-3-31-app-public-naming/) — > this brief turns to the **cross-border (data-export) enforcement > front**, which has been quietly active in Shanghai for over a year and > just produced its loudest signal: a **¥10 million** fine against > Shanghai Ctrip Commerce, the **first time the amount of a Chinese > cross-border data penalty has been made public**. We frame the fine > using the four-case roundup compiled by **HexCode** in 数据何规 > (marked 原创, hand-written, no AI). DCC's contribution is to draw out > the doctrine the four cases share — the "necessity" test for > headquarters transfers — and to keep the author's well-flagged > inferences (e.g. *why* Ctrip's wording was "failed to implement" > rather than "failed to pass") separate from the official facts. We > attribute through the publication channel and the named author; the > processing decisions themselves are not public. ## The headline: Ctrip, ¥10 million, first disclosed amount On the strength of a notice published via 网信上海 ("亮剑浦江" — Shanghai's cyberspace-enforcement column), the Shanghai authorities imposed an administrative penalty on **Shanghai Ctrip Commerce Co., Ltd. (上海携程商务有限公司)** for "failing to implement data-export security-assessment requirements and unlawfully exporting personal information" (未落实数据出境安全评估要求、违法出境个人信息). The penalty, issued under the [Personal Information Protection Law (PIPL)](/laws/pipl/): a **¥10 million fine** plus an order to rectify within a fixed period. The notice states the company cooperated after the penalty and fully implemented the required rectification. Two things make this the most significant cross-border data-enforcement event to date: - **The amount is public.** Chinese cyberspace-enforcement penalty decisions (处罚决定书) are almost never published, and prior cross-border cases disclosed no figure. ¥10 million is the first hard number — and a deterrent one. - **The wording is precise, and load-bearing.** The notice says "failed to **implement** data-export security-assessment requirements" (未落实评估要求), **not** "failed to **pass** the security assessment" (未通过评估). HexCode's inference — which DCC flags as the author's reading, not an official statement — is that Ctrip likely *did* undergo the [Data Export Security Assessment](/laws/data-export-security-assessment-measures/) but then **did not transfer in line with the CAC's assessment result** (for example, exporting data fields the assessment had not cleared). That reading is consistent with the ¥10 million scale: under **PIPL Article 66**, "serious" violations expose a handler to a fine of up to ¥50 million or 5% of prior-year turnover, so a ¥10 million figure signals the regulator treated the circumstances as serious. The commercial backdrop, per the author: Ctrip had earlier signed a cooperation agreement with a Cambodian counterpart, which sparked public concern about "selling personal information." Ctrip's public statement said the agreement "involves no data cooperation whatsoever," that the planned advertising launch was suspended after the Chinese embassy's safety advisory, and that the agreement had been submitted to the authorities for verification. DCC notes the enforcement notice does not tie the fine to the Cambodia matter; the two should not be conflated. ## The three earlier Shanghai / MPS cases HexCode places the Ctrip fine at the head of a four-case sequence (most-recent-first). The earlier three were published in Shanghai's **2025 typical-enforcement-cases** roundup and the **National Cybersecurity Notification Center**'s Dior notice, and they set up the doctrine: **1. Hotel-management company — exported fields the assessment had rejected (Jan 2026).** The company applied for the data-export security assessment for its online-booking scenario, but after receiving the CAC's *Assessment Result Notice* (评估结果通知书) **expressly finding that certain PI data items lacked export necessity**, it failed to take effective measures and **still exported** domestic individuals' personal information. Held to violate PIPL and the [Regulation on Network Data Security Management](/laws/network-data-security-regulations/) (the 条例). Result: ordered to rectify, **and fined** (amount undisclosed). **2. Property-management company — no approval at all, sensitive financial data (Jan 2026).** The company (property and hotel management, global services) ran an app for membership, booking, and check-in. It exported users' **accommodation information and financial-account (sensitive) personal information** to overseas recipients **without** declaring a security assessment, concluding a [Standard Contract](/laws/personal-info-standard-contract-measures/), or obtaining [certification](/laws/cross-border-pi-certification-measures/) — i.e. through none of the three lawful export pathways. Held to violate PIPL and the 条例. Result: ordered to rectify, **warning only — no fine.** **3. Dior — breach-triggered cross-border case (Sept 2025).** Following the May 2025 Dior data breach (Chinese users received warning texts), the Shanghai public-security (MPS) net-security unit investigated Dior (Shanghai) and found three failures: 1. transferring user PI to Dior's France headquarters **without** passing the security assessment, concluding a Standard Contract, or obtaining certification; 2. failing, before providing PI to the France HQ, to **fully inform** users of the overseas recipient's processing and to obtain users' **separate consent**; 3. failing to apply encryption, de-identification, or other security measures to the collected PI. Disposed of by Shanghai MPS as an administrative penalty; whether a fine was imposed is not public. ## The enforcement gradient — culpability is weighing on severity The most operationally useful pattern is the **apparent inversion** between cases 1 and 2: - The company that **went through the process** and then exported fields the assessment had **rejected** was **fined**. - The company that **skipped the process entirely** — and exported sensitive financial-account data — got only a **warning**. HexCode's read, which DCC finds persuasive as a working hypothesis: to the regulator, **knowingly exporting after a clear "no" carries heavier subjective culpability** than failing to file in the first place. For overseas counsel the lesson is counter-intuitive but important: a partial or conditional assessment approval is **not** a green light for the rejected fields — continuing to transfer them can be treated as *more* aggravated than never having filed. An assessment that clears some fields and rejects others should trigger genuine field-level localization or suppression, not a quiet continuation. ## The doctrine all four share: offshore systems ≠ "necessity" The thread running through every case is the **necessity** test for transfers to a corporate parent. The recurring fact pattern — a multinational whose CRM, central-reservation, or membership system sits offshore, so customer PI is routed to headquarters "because that's where the system is" — does **not**, in the regulator's view, make the transfer *necessary*: - It generally **cannot** be characterized as "necessary for the performance of a contract" to which the individual is a party, nor as "necessary for cross-border human-resources management" — the two necessity grounds most often invoked. - Therefore it **cannot** escape the front-end gate (security assessment / Standard Contract / certification) **or** PIPL's cross-border **separate-consent and individual-notification** requirement under **PIPL Article 39** (the provision requiring the handler to inform the individual of the overseas recipient's identity, contact details, processing purpose and method, PI categories, and how to exercise rights against the recipient, and to obtain separate consent). There is genuine tension in the case law the author flags. In the Guangzhou Internet Court's well-known "first cross-border data case," the court found a hotel's transfer of a guest's PI to its **France-headquarters central reservation system** had "legitimacy and necessity." But, as HexCode notes, in the administrative-enforcement channel **the cyberspace authority's view governs** — and these four cases show that view running the other way. Overseas counsel should not rely on the Guangzhou court's necessity reasoning to justify skipping the export gate; the enforcement posture is stricter than that single civil judgment. ## The compliance baseline these cases re-state HexCode closes with a four-point checklist that maps cleanly onto the statutory architecture; DCC restates it for overseas teams: 1. **Always run the PIPIA.** A pre-transfer Personal Information Protection Impact Assessment (PIPL Articles 55–56) is required **whether or not** the transfer falls into an exemption under the [Cross-border Data Flows Provisions](/laws/cross-border-data-flows-provisions/) (the "3·22" provisions of March 22, 2024). It is also the key paper trail: necessity and security measures must be argued out internally and on the record. 2. **Always notify the individual.** Under PIPL Article 39, give the overseas-recipient disclosures; where separate consent is exempted, fold the notice into the privacy policy; where it is not, issue a standalone notice-and-consent instrument. 3. **Argue necessity honestly.** "Our CRM is offshore, so we send everything" will almost certainly fail the contract-performance and HR-management necessity tests — meaning neither separate consent nor the front-end approval can be waived. The realistic choices are **system localization** or **full risk disclosure to the parent** (so headquarters understands the ¥10 million exposure). 4. **Apply security measures.** Public-opinion events attract regulators fast; ensure the business applies encryption / de-identification and that the overseas recipient's processing meets PIPL's protection standard, as **PIPL Article 38** requires. ## What overseas compliance teams should take from this - **The cross-border front is now a money front.** The ¥10 million Ctrip figure ends the era in which cross-border PI enforcement carried only reputational risk. Budget and board attention should follow. - **"Partially approved" is a trap.** Treat a security-assessment result that rejects fields as a binding ceiling. Continuing to export rejected fields is the fact pattern that drew the fine in case 1. - **Mini-systems and HQ pipes both count.** Whether the channel is a booking app (cases 1–2) or a global CRM/loyalty backbone (the Dior pattern), routing PRC customer PI to a foreign parent without a pathway and separate consent is the violation. Map every outbound flow to a pathway. - **Disclose the exposure upward.** Where localization is resisted at group level, the compliance function's job is now to put the ¥10 million precedent in front of the parent in writing. As the author puts it, the alternative to spending on localization is giving headquarters "a clear picture of the risk — so they're prepared to be fined." The deeper continuity with DCC's app-channel enforcement briefs is the same lesson from the other side of the data lifecycle: China's PI regime is enforced through **concrete, repeated, official-source actions** — and on the cross-border axis, the regulator has now shown it will both **name the conduct and publish the number.** --- — *HexCode, 携程千万罚单后,数据跨境罚单全梳理 (After Ctrip's Ten-Million Fine: A Full Roundup of Cross-Border Data Penalties), 数据何规 WeChat Official Account, June 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/ggamZwfK3nBULTuP-7GqmQ) Underlying enforcement notices: 网信上海 "亮剑浦江" (Ctrip; Shanghai 2025 typical cases) and the National Cybersecurity Notification Center (Dior).* *Not legal advice. The above is DCC's structural analysis of a practitioner roundup. The penalty decisions are not public; the per-case facts are drawn from the official enforcement notices the author quotes, and the author's inferences (the basis for Ctrip's wording, the culpability gradient) are flagged as such.* --- ## CAC Names 30 Apps and Mini-Programs for PI Violations — Nearly Half for Ineffective Account Cancellation - Published: 2026-06-12 - Author: DCC Editorial - Tags: enforcement, cac, app-compliance, pipl, public-naming, account-cancellation, mini-programs - Laws cited: pipl, csl, network-data-security-regulations, app-illegal-pi-collection-identification-method, app-necessary-pi-scope-provisions - Domains: enforcement, personal-information, app-compliance - URL: https://datacompliancechina.com/posts/cac-2026-30-app-pi-notification-account-cancellation/ - Markdown: https://datacompliancechina.com/posts/cac-2026-30-app-pi-notification-account-cancellation.md - Original source: https://mp.weixin.qq.com/s?__biz=MzAwMjU0MjIyNw==&mid=2651536838&idx=1&sn=d81cf403c22a5e60966598fb31686bc2&scene=21#wechat_redirect - Original author: 中央网信办秘书局 (Secretariat Bureau, Office of the Central Cyberspace Affairs Commission) - Original publication: 网信中国 WeChat Official Account ### Description On June 11, 2026 the Office of the Central Cyberspace Affairs Commission published a notification naming 30 apps and mini-programs for personal-information collection and use violations, found in testing organized under the 2026 CAC + MIIT + MPS joint special campaign. The violations fall into four categories — undisclosed PI collection rules (7 apps), frequent demands for non-essential permissions (4), incomplete SDK disclosure (5), and, the dominant category at 14 of 30, failure to provide an effective account-cancellation function. DCC reads the notification as the CAC tier of the same campaign whose MIIT testing tier we covered in the Batch 56 brief: a broader perimeter that expressly includes mini-programs, a 15-working-day rectify-and-report deadline, and a clear signal that exit rights — account cancellation and deletion — are a 2026 testing priority. ### Body > *Editor's Note — DCC.* > > This is the second entry in DCC's enforcement tracker, and the > structural complement to the first: where the > [MIIT Batch 56 bulletin](/posts/miit-2026-batch-3-31-app-public-naming/) > showed the MIIT testing tier of the 2026 joint special campaign, this > June 11, 2026 notification is the **CAC tier operating directly** — > testing organized by the Office of the Central Cyberspace Affairs > Commission itself, on a perimeter that expressly includes > mini-programs, with a 15-working-day rectify-and-report deadline. > The repost channel through which DCC surfaced the notification > (数据何规) headlined the same point our reading leads to: ineffective > account cancellation is the "hardest-hit area" (重灾区), accounting > for 14 of the 30 named apps. The four app lists are published as > image tables in the original; DCC names only the lead examples CAC > itself put in each category heading and focuses on the structural > read. ## The notification The Secretariat Bureau of the Office of the Central Cyberspace Affairs Commission (中央网信办秘书局 — the Central Commission Office and the Cyberspace Administration of China, CAC, being one institution under two nameplates) issued the *Notification on Personal Information Collection and Use Problems in 30 Apps* (关于30款App个人信息收集使用问题的通报), dated **June 11, 2026**. The notification reports the results of testing that CAC organized of the personal-information collection and use practices of apps — **expressly including mini-programs (小程序)** — under the *Announcement on Carrying Out the 2026 Personal Information Protection Series of Special Campaigns*, the joint CAC + MIIT + MPS campaign document that also authorizes the MIIT batched bulletins. The cited legal basis is the [Cybersecurity Law](/laws/csl/), the [Personal Information Protection Law](/laws/pipl/), the [Regulation on Network Data Security Management](/laws/network-data-security-regulations/), and the [Method for Identifying the Unlawful Collection and Use of Personal Information by Apps](/laws/app-illegal-pi-collection-identification-method/) (the 2019 four-agency 认定方法). ## The four violation categories | # | Violation category | Apps named | Lead examples in CAC's heading | |---|---|---|---| | 1 | PI collection and use rules not publicly disclosed | 7 | 锐新教育 (Ruixin Jiaoyu), 趣学车 (Quxueche) | | 2 | Frequent demands for non-essential permissions | 4 | 蓝猫云商 (Lanmao Yunshang), 大象优品 (Daxiang Youpin) | | 3 | SDK collection and use of PI not completely and accurately listed | 5 | 中旅旅行 (Zhonglv Lüxing), 东融 (Dongrong) | | 4 | **No effective account-cancellation function** | **14** | 匠者 (Jiangzhe), 句苗岛 (Jumiaodao) | The full per-category lists are in the image tables attached to the original notification. Each category maps directly onto the taxonomy of the 2019 Identification Method — which is why the Method is cited as a legal basis alongside the statutes: - **Category 1** is the Method's first category verbatim: failure to publicly disclose collection and use rules (typically: no privacy policy, or one that cannot be reached from within the app). - **Category 2** sits on the Method's consent and necessity categories, read together with the [Necessary PI Scope Provisions](/laws/app-necessary-pi-scope-provisions/) — repeatedly demanding permissions the declared service does not need, after the user has declined. - **Category 3** maps to the Method's disclosure category, which expressly requires listing the collection and use of PI by embedded third-party code and plugins — the SDK disclosure obligation. - **Category 4** maps to the Method's final category, which treats as a violation the failure to provide effective correction, deletion, and **account-cancellation** functions, or attaching unnecessary or unreasonable conditions to them. ## The headline signal: account cancellation, 14 of 30 Nearly half the batch was named for a single violation: no effective account-cancellation function (未提供有效账号注销功能). That concentration is the operational takeaway of the notification. The legal anchors are familiar — PIPL Article 15 requires that withdrawing consent be as convenient as giving it, PIPL Article 47 obliges handlers to delete PI when the processing purpose ends, and the Identification Method makes an ineffective or unreasonably conditioned cancellation pathway a named violation. What the notification adds is **enforcement weighting**: of everything CAC's testing program could have led with in June 2026, exit rights are the category it found most violated and chose to headline. In testing practice, "ineffective" cancellation typically means one of: no cancellation entry inside the app at all; an entry buried so deep it is effectively undiscoverable; cancellation gated on unreasonable conditions (in-person verification, customer-service-only channels, indefinite review periods); or a flow that confirms "cancellation" without actually terminating the account and deleting the associated PI. Account cancellation is also operationally cheap for a regulator to test at scale — a tester either can or cannot cancel an account — which makes it a natural high-yield category for campaign-driven testing and a likely recurring focus for the rest of the 2026 campaign. ## CAC tier vs. MIIT tier Read against the [MIIT Batch 56 bulletin](/posts/miit-2026-batch-3-31-app-public-naming/), the notification shows how the two testing tiers of the same campaign differ: - **Perimeter.** MIIT tests apps and SDKs in the telecom/app-store distribution channel. CAC's notification expressly covers **mini-programs** — the WeChat / Alipay / Douyin in-platform applications that often escape app-store-centric compliance reviews because they are never "installed" through a store. - **Process.** MIIT's formula is rectify-or-we-organize-disposition, with the testing done by retained third-party institutions. CAC's notification gives named operators **15 working days from publication** to complete rectification **and report the rectification status to CAC** (整改情况报我办). CAC will then verify together with the relevant departments (会同有关部门进行核查) and carry out disposition and penalties in accordance with laws and regulations, informed by the rectification status. - **Standing channel.** The notification publishes a campaign contact line and mailbox (010-55635865, appzhili@cac.gov.cn) — the app-governance channel CAC has used across campaign cycles. The two tiers are cumulative, not alternative: conduct rectified after an MIIT naming can still be tested and named by CAC, and vice versa. The campaign architecture — annual joint authorization, parallel CAC administrative and MPS criminal tiers — is laid out in DCC's Batch 56 brief and applies unchanged here. ## What overseas compliance teams should do - **Test account cancellation end-to-end, this quarter.** From in-app discoverability through identity verification conditions to actual account termination and PI deletion. The 14-of-30 concentration says this is what CAC's testers are walking through. If your cancellation flow imposes conditions beyond what re-verification genuinely requires, treat that as a finding. - **Put mini-programs inside the audit perimeter.** A compliant native app with a non-compliant WeChat mini-program is now a named-notification risk. Mini-programs frequently ship with thinner privacy disclosures and no cancellation pathway because they reuse the platform account — that reuse does not exempt the operator's own account layer. - **Reconcile the SDK disclosure list.** Category 3 is the same SDK-transparency pressure visible in the MIIT batches: the privacy policy must completely and accurately list what embedded third-party SDKs collect, for whom, and why. An SDK update that adds a data flow without a disclosure update is the standard failure mode. - **Pre-position for a 15-working-day window.** The CAC pathway requires not just fixing but **reporting** within three weeks of a public naming. Operators with a Chinese-market app should have a standing rectification playbook — owner, test protocol, report template — rather than improvising one after appearing in a notification. The deeper continuity with the MIIT brief is the enforcement model itself: visible, batched, testing-driven public naming, now running on two regulator tiers in parallel. What this notification adds is the priority signal inside that model — in 2026, the regime is grinding hardest on whether users can leave. --- — *中央网信办秘书局, 关于30款App个人信息收集使用问题的通报 (Notification on Personal Information Collection and Use Problems in 30 Apps), published via the 网信中国 WeChat Official Account, June 11, 2026. [Original notification (Chinese).](https://mp.weixin.qq.com/s?__biz=MzAwMjU0MjIyNw==&mid=2651536838&idx=1&sn=d81cf403c22a5e60966598fb31686bc2&scene=21#wechat_redirect) Surfaced via the [数据何规 repost](https://mp.weixin.qq.com/s/QUd6zYAzn6CVZi8TqJ-ULg).* *Not legal advice. The above is DCC's structural analysis of the notification. The four per-category app lists are in the image tables attached to the original; this brief names only the lead examples CAC itself placed in each category heading.* --- ## Data 'Parallel Property Rights' — They Can Confer Status, but Can't Secure Control - Published: 2026-06-09 - Author: DCC Editorial - Tags: data-property-rights, parallel-property-rights, derivative-data, data-economy, three-rights-separation, data-twenty-articles, data-trading, academic-commentary - Laws cited: data-foundation-system-opinions, common-data-terms-batch-2, pipl, dsl, network-data-security-regulations, data-property-rights-registration-guide-draft - Domains: data-economy, data-security - URL: https://datacompliancechina.com/posts/data-parallel-property-rights/ - Markdown: https://datacompliancechina.com/posts/data-parallel-property-rights.md - Original source: https://mp.weixin.qq.com/s/ay50eKaHMTgr7QjmDbta3Q - Original author: 洪延青 - Original publication: 网安寻路人 ### Description Part four — and the synthesis — of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' data-property framework takes up 'parallel property rights' (数据平行财产权): how to allocate rights when the *same* data is held, used, and operated by *multiple* parties at once. Building on Xiong Bingwan and Zhuang Hongshan's 'one-data, multiple-rights' (一数数权) idea — data is non-rivalrous and copyable, so the same right over the same data can sit with several parties without excluding each other — Hong argues parallel property rights are best understood as *default rules* for incomplete-contract, collaborative-production settings: internally, parallel use is presumed; externally, operation is classified by data type (by-products each party may operate alone; purpose-built or fused data needs the others' consent); and parallel holders share a *joint defensive* interest against third parties. But the substance, he shows, falls back on derivative data — and here Xiong, Xu Ke (许可), and Shen Weixing (申卫星), despite different scenarios and tests, all tilt the derivative-data right to the *processor*, leaving the data contributor with contract/compensation/tort/PI remedies rather than ownership of the new product. DCC's read for overseas counsel: parallel property rights cut *attribution* uncertainty (who may use, operate, defend) but not *control* uncertainty (future use, detection, tracing, modelled value, third-party chains, ongoing compliance) — status, not control. ### Body > *Editor's Note — DCC.* > > This is DCC's summary and analysis — not a translation — of > 《数据平行财产权:能定资格,难保控制》, the **fourth and concluding** study note by > **Hong Yanqing (洪延青)** on his **网安寻路人** channel in his series on China's > "separation of three rights" (三权分置) data-property framework. It follows > [the Right to Hold Data](/posts/data-holding-right-two-paths/) (part one), > [the Right to Use Data going external](/posts/data-use-right-externalization/) (part two), > and [why upstream won't operate its data](/posts/data-operation-right-why-upstream-wont-share/) > (part three). The piece is legal theory, but it lands on the practical question every > data-collaboration and data-exchange deal in China runs into: when several parties hold the > same data, who owns what they each build from it? The original is linked at the foot; the > framing for overseas counsel is ours. ## What "parallel property rights" are The first three notes worked through the three rights one at a time. This one turns to the case the framework is quietest about: **the same data held, used, and operated by more than one party at the same time.** Hong builds on **Xiong Bingwan and Zhuang Hongshan's** paper *On Data Parallel Property Rights* (《论数据平行财产权》), whose core move is that because data is **non-rivalrous and copyable**, the *same* right over the *same* data can be enjoyed by several parties simultaneously without necessarily excluding one another — call it **"one data, multiple rights" (一数数权)**. The point is not independent collection of identical data (two mapping companies separately recording the same road have no shared structure). It is **collaborative production** — where several parties, in joint operation, co-development, or data fusion, come to hold the same data, and the contract is **incomplete** because much of the data was a by-product nobody priced at signing. Parallel property rights fill that gap with **default rules**: - **Internal use — presumed.** Absent a contrary agreement and so long as it does not defeat the collaboration's purpose, each parallel holder may use the data. This kills the "we all hold it but nobody dares touch it" deadlock. - **External operation — classified by data type.** For data **purpose-built** by the collaboration, or **fused** from several parties, external operation in principle needs the other participants' consent (because "who you hold it with" is itself the protected interest). For incidental **by-product** data, each holder may in principle operate alone and keep its own revenue. - **External defence — joint.** A third party's theft, leak, or destruction of one holder's copy can harm the others, so parallel holders share a defensive interest and can act against the intruder. Hong flags this as a **real increment**: part one's single-holder defensive right was thin because public law already supplied most of it, but the *jointly-assertable* protection among parallel holders is an against-the-world increment specific to the multi-party setting. So parallel property rights are **not traditional co-ownership** — not slicing data into shares, not requiring everyone to jointly dispose of everything. They are a **scenario-based default arrangement**: liberal internal use, classified external operation, joint external defence. ## But it all comes back to derivative data The moment parallel *use* is presumed, the next question is unavoidable: when one party **processes** the shared data into something new — a label system, index, model, score, report, or data product — **who owns the result?** Hong's answer (following Xiong): if the output crosses the **derivative-data (衍生数据)** threshold — a substantial change in content, form, and structure plus a marked increase in value — the **processor holds an independent property right, and the other parallel holders do not share it.** That pulls parallel property rights into the same orbit as the general derivative-data debate, and lets Hong line up **three scholars** who reach the same destination from different roads: - **Xu Ke (许可)** — source-data holder vs. derivative-data processor, via **law and economics**. Not an unconditional gift to the processor: he switches on transaction cost, the processor's good or bad faith, and compensation cost (good-faith processor takes the right; where costs are higher, it takes the right but **pays** the source holder). Tilting to the processor does not strip the source holder, who keeps holding and defensive rights against theft, tampering, and leakage. - **Shen Weixing (申卫星)** — the most direct. Derivative data is a **new object** identified by a three-part test (**substantial change + value increase + irreversibility**); absent agreement it vests in the processor by **contribution and "fullest use of data" (数尽其用)**, and — crucially — acquisition does **not** require the processor to hold a use right in the raw data: even an unlawful scraper may own its derivative output, with illegality affecting only liability, not attribution. The source holder is left with PI-rights, unjust-enrichment, or tort claims. - **Xiong Bingwan (熊丙万)** — drops the same question into the **parallel-holding** scenario: one co-holder processes the shared data, and if the result is genuine derivative data, that processor owns it and the others don't share, because they contributed to the *raw* data but not to the *value-add*. The differences are real — the **identification threshold** (Shen's three-part test vs. Xu Ke's "marked value increase" core vs. Xiong's compact "substantial change + value increase"); the weight of the processor's **good/bad faith** (decisive for Xu Ke, mostly a liability question for Shen); and, most overlooked, the **relationship to the raw-data use right** — the official definition premises derivative data on "data the processor *has a use right in*," so **Xiong hugs the official text** (parallel use right as the basis), **Shen cuts the premise** (even scrapers can qualify), and **Xu Ke sits in between** (reading "has a use right" to include "does not know it lacks one," i.e. good faith). In a true **entrusted-processing** relationship, both Xu Ke and Shen agree the client keeps the process and result data; the fight is only when the processor exceeds instructions or there is no/again unclear contract. But the differences do not change the shared conclusion: **once derivative data exists, the centre of gravity shifts to the processor.** Hong's sharp observation is that even Xiong — the most "co-ownership-friendly" of the three — gives the other co-holders **nothing at the layer where value is actually created**: his protections (unanimous consent for operating purpose-built/fused data; joint defence) attach to the **raw** shared data, not to the **derivative** output. *That* is where the data contributor's worry comes from. ## What the default rules settle — and what they leave open Hong's payoff is a clean split between two kinds of uncertainty. **Default rules answer questions of *status* (资格).** Absent agreement, they tell the parties: who may **use** the data (each parallel holder), who may **form derivative data** (any holder may process; a real derivative product vests in the processor), who may **operate externally** (by data type), and who may **defend externally** (parallel holders jointly, at least for an injunction; damages still need proof of loss). They reduce the "do I have the standing to do this?" uncertainty — and that is genuinely useful. **Default rules cannot answer questions of *control* (控制).** They cannot guarantee what downstream will build (value is combinatorial and unforeseeable at signing), whether it quietly trains a model or exceeds scope (derivative data hides inside downstream systems as parameters, scores, labels), or whether you can ever **trace** a finished product back to your data after fusion, de-identification, and modelling. Some value is simply **unrecoverable** — a learned model capability is not a deletable dataset. **Third-party chains** (re-licensing, scraping of the downstream product) escape a contract that only binds the counterparty. And **compliance risk does not end on delivery** — if the source is personal information, a downstream claim of "anonymised derivative" does not by itself exit PIPL, since reversibility, substantial change, and value increase still have to be judged. So, Hong concludes, parallel property rights **reduce attribution uncertainty, not control uncertainty**; they fix *who has status*, not *whether risk is controllable*; they encourage reuse but cannot replace contract, technology, audit, and compliance. This is also his answer to part three: parallel rights ease the part of upstream's reluctance that came from unclear ownership, but not the more practical part — future use, detection, tracing, modelled value, third-party chains, and ongoing compliance. ## Why overseas counsel should care - **In any China data collaboration, write the derivative-data terms — do not rely on the default.** Across all three scholarly views and the parallel-holding case, the unbargained-for default sends models, scores, indices, and labels to **whoever builds them**. If your data feeds a joint venture, consortium, or vendor, specify ownership, grant-back, no-train/no-fusion, and revenue-sharing for derivative output up front; "we co-hold the data" buys you nothing at that layer. - **Distinguish raw shared data from derivative output.** Consent rights and joint-defence may protect the *raw* fused dataset, but the *value-bearing* derivative typically will not be shared — so the protections that look reassuring on paper attach to the wrong layer for value capture. - **Parallel use is the presumption — scope it.** Default Chinese rules lean toward letting every co-holder use the data; if you need to *restrict* a partner's internal use or downstream modelling, that restriction has to be **express**. - **Plan for control loss, not just attribution.** Pair clean ownership/authorisation drafting (the attribution layer) with technical and audit controls — sandboxes, privacy computing, output review, deletion and no-retrain covenants — because, as Hong stresses, the default rules cannot give you detection, tracing, or recovery once data enters a longer chain. ## DCC sources - **Original:** Hong Yanqing (洪延青), 《数据平行财产权:能定资格,难保控制》, on the 网安寻路人 channel — [mp.weixin.qq.com](https://mp.weixin.qq.com/s/ay50eKaHMTgr7QjmDbta3Q). Drawing on Xiong Bingwan & Zhuang Hongshan, *On Data Parallel Property Rights*, and on the derivative-data work of Xu Ke (许可) and Shen Weixing (申卫星). - **Series on DCC:** part one — [Two Paths for the "Right to Hold Data"](/posts/data-holding-right-two-paths/); part two — [When the "Right to Use Data" Goes External](/posts/data-use-right-externalization/); part three — [Why Upstream Won't Operate Its Data](/posts/data-operation-right-why-upstream-wont-share/). - **Cross-references on DCC:** the [Data Twenty Articles](/laws/data-foundation-system-opinions/) (the three-rights structure) · the [Common Data Terms, Batch 2](/laws/common-data-terms-batch-2/) (the official definition of derivative data and the use/operation rights) · [PIPL](/laws/pipl/) · the [Data Security Law](/laws/dsl/) · the [Network Data Security Regulation](/laws/network-data-security-regulations/) · the [draft Data Property Rights Registration Guidelines](/laws/data-property-rights-registration-guide-draft/). - Part of the [data-economy](/domains/data-economy/) domain on DCC. > This is an editorial summary and analysis of Hong Yanqing's commentary, written in DCC's own words > for overseas readers — not a translation of his article, and not a reproduction of it. Named > scholars' positions are summarised from Hong's account; quoted phrases are short and attributed. > **Not legal advice.** --- ## China's First AI-Ghostwritten 'Seeding Post' Case — a Duty of Care for Generative-AI Providers - Published: 2026-06-08 - Author: DCC Editorial - Tags: ai-governance, generative-ai, unfair-competition, ai-generated-content, fake-reviews, duty-of-care, judicial-case, xiaohongshu, enforcement - Laws cited: anti-unfair-competition-law, genai-services-interim-measures, ai-content-labeling-measures - Domains: ai-governance, enforcement - URL: https://datacompliancechina.com/posts/ai-seeding-post-unfair-competition-case/ - Markdown: https://datacompliancechina.com/posts/ai-seeding-post-unfair-competition-case.md - Original source: https://mp.weixin.qq.com/s/wL3o6iLLzMSB7UWNct7XyQ - Original author: 知产库 - Original publication: 数据法盟(转自知产库) ### Description China's first unfair-competition case over AI batch-ghostwritten 'seeding posts' (种草笔记 — the staged, first-person product-recommendation notes that drive discovery commerce on Xiaohongshu/RED). On appeal, the Hangzhou Intermediate People's Court ((2025) Zhe 01 Min Zhong No. 3998) held that the operators of an 'AI writing' tool ('AI写作鹅') that let users one-click-generate fake first-person Xiaohongshu notes — fabricating personal experiences and feelings — committed unfair competition under Article 2 (the general clause) of the Anti-Unfair Competition Law. The court built an explicit four-factor duty-of-care test for generative-AI providers (is it generative AI; does it target a specific scenario/another's product as its 'application layer'; is it directional and inducing; is it a paid, for-profit service), citing Articles 4(3), 5(1) and 22 of the Generative AI Services Interim Measures. Because the tool was named after Xiaohongshu, marketed to mass-produce on-brand 'seeding' copy, charged a membership fee, and shipped with no notice or reminder against the foreseeable misuse, the providers were at fault. The appeal court affirmed liability but cut damages from RMB 200,000 to RMB 100,000 on an 'inclusive and prudent' (包容审慎) view of AI, and reversed joint liability for the third defendant that merely hosted the download. DCC OCR'd the full judgment from the source images; this is our case brief for overseas counsel. ### Body > *Editor's Note — DCC.* > > This is DCC's case summary of China's first unfair-competition action over > AI-ghostwritten "种草笔记" (seeding posts) — the second-instance judgment of the > **Hangzhou Intermediate People's Court (杭州市中级人民法院)**, case no. **(2025) Zhe 01 > Min Zhong No. 3998**, on appeal from the **Hangzhou Internet Court** ((2024) Zhe 0192 Min > Chu No. 3396). The judgment was circulated as ~44 page-images by the **数据法盟** channel > citing **知产库**; **DCC ran OCR over those images** and summarises the court's findings > and holding below. In the circulated copy the **defendant companies' names are redacted > ("XX")**; the plaintiff is named. All English renderings of the court's language are > DCC's. The framing for overseas counsel is ours. ## Case at a glance - **Plaintiff (respondent on appeal):** Xingyin Information Technology (Shanghai) Co., Ltd. (行吟信息科技(上海)有限公司) — the operator of **Xiaohongshu (小红书 / RED)**. - **Defendants (appellants):** the operators of the **"AI写作鹅" ("AI Writing Goose")** tool — two Hefei companies (names redacted) plus a third company that distributed the app via the "单词乎" (dancihu.com) site. - **Claims:** (1) copyright infringement and (2) unfair competition. - **Result:** copyright claim **rejected**; unfair competition **established** under Article 2 of the Anti-Unfair Competition Law (反不正当竞争法). On appeal: liability **affirmed**, injunction **upheld** (reworded), damages **reduced from RMB 200,000 to RMB 100,000**, and the download-distributor's **joint liability reversed**. Final judgment. ## What the service did "**Seeding posts**" (种草笔记, lit. "planting-grass notes") are the staged, enthusiastic, first-person product-recommendation notes that drive discovery commerce on **Xiaohongshu**. Their persuasive power depends on the reader believing they reflect a real user's genuine experience. The "AI写作鹅" tool offered modules named **"小红书种草文案" (Xiaohongshu seeding copy), "小红书旅游攻略" (Xiaohongshu travel guides), "小红书文案", and "小红书笔记标题" (Xiaohongshu note titles)**. A user could enter a few keywords and **"one-click create"** a complete Xiaohongshu seeding post; the output **fabricated the user's first-hand experience and genuine feelings**. The tool was a paid service after first use (the court noted membership prices of **RMB 168 lifetime / 98 a year / 40 a month**), and its pages advertised that it would "generate click-inducing titles for your Xiaohongshu notes" and "produce share articles that fit Xiaohongshu's tone." ## Two claims, two outcomes **Copyright — rejected.** Xingyin asserted copyright (via its user-agreement licence) in platform content and pointed to one example post copied into the tool and regenerated. The court found the **object of the claim unclear**: the example copy-and-upload was actually Xingyin's own act during evidence collection, not the tool operator's, and a blanket claim to "all content on the platform" did not identify a specific work or establish authorship and originality. So the copyright claim failed. **Unfair competition — established under the Article 2 general clause.** Notably, Xingyin did **not** plead confusion (AUCL Art. 6) or false advertising (AUCL Art. 8); it invoked the **general clause, Article 2**, which courts apply to conduct that is not specifically enumerated in Chapter 2 but breaches good faith and commercial ethics. Because the case was about whether a *generative-AI product at the application layer* disrupts an existing content ecosystem — something Chapter 2 does not address — the court (both instances) analysed it under Article 2 across three questions: does the plaintiff hold a protected interest; is the conduct improper; does it cause harm. The protected interest was the **authentic "seeding" content ecosystem of Xiaohongshu** — a UGC community built on real user experience. The court credited Xingyin's heavy, sustained investment (community rules and conventions, a "Woodpecker" anti-fake-promotion campaign, governance reports, and express bans on "using AI to fabricate usage experience or effect"), and the resulting traffic and stickiness (by figures in evidence: 20M+ monthly-active creators and 30B+ daily note impressions by early 2023; ~300M monthly-active users by 2024, ~90% UGC). That ecosystem-based competitive advantage, it held, is protected by the AUCL. ## The heart of the case: a duty of care for generative-AI providers The most consequential part of the appeal judgment is an explicit framework for **when a generative-AI service provider owes, and breaches, a duty of care**. The court stressed that generative AI has a **dual nature** — technical service *and* content supply — unlike a traditional search-link or hosting provider, and that its output is **non-deterministic** (each generation differs), so infringement risk is "highly random" and the provider must build in reasonable measures to avoid or reduce it. It then weighed four factors: 1. **Is it generative AI?** Citing **Article 22** of the Generative AI Services Interim Measures (definition of generative-AI technology), the court found "AI写作鹅" autonomously generated new content from user prompts via its own model, algorithms, compute, and training data — so it is a generative-AI service, and its provider bears the corresponding duty of care. 2. **Does it use a specific scenario / another's product as its "application layer"?** The modules were named after **"小红书" (Xiaohongshu)** — a service "designed as a directional scenario oriented to another's product." A provider that uses Xiaohongshu as its application layer should be **bound by Xiaohongshu's platform rules**, which do not ban AI but do ban using AI to fabricate experience or effect; the tool's "seeding" output was, in substance, AI-powered "**fake seeding**" (虚假种草) that violated those rules. 3. **Is it directional and inducing?** Citing **Article 5(1)** of the Measures (encourage innovative AI applications that generate "positive, healthy, uplifting" content), the court read the tool's marketing ("generate click-inducing Xiaohongshu titles," "share copy matching Xiaohongshu's tone") plus the "one-click" fabricated output as showing a subjective purpose to supply fake seeding — so the provider "**can hardly be said to be in good faith**" (难谓善意). 4. **Is it a paid, for-profit service?** Because the tool charged a membership fee — unlike free, general-purpose generative-AI platforms — the court held it should bear a **higher duty of care**. Putting it together: the providers **should have foreseen** that a Xiaohongshu-targeted, directional, inducing, paid tool would lead users to generate fabricated seeding posts and publish them to Xiaohongshu — yet they **took no reasonable, necessary notice or reminder measures** (告知、提醒). That failure meant they did **not discharge the reasonable duty of care of a generative-AI provider** and were **at fault (过错)**; the conduct violated good faith and commercial ethics and was therefore unfair competition. The court was careful to add that the duty of care must **match the provider's technical control capability** and not be so heavy as to deter innovation. The court also drew a boundary: this case is **not** about regulating platforms that offer AI "seeding copy," "travel guides," or general text generation. "AI technology itself is neutral … but that does not mean its *application* is neutral"; what is regulated is a provider that, **at the application layer, designs a scenario targeted at another operator's product and improperly free-rides on the market results that operator has already achieved** — guided by the principles of governing AI "according to law" and "AI for good" (智能向善), and an **"inclusive and prudent" (包容审慎)** posture that dynamically balances innovation, rights-holders, consumers, and the public interest. ## What changed on appeal The Hangzhou Intermediate Court **affirmed liability and the injunction** (reworded to "stop *providing*, via AI写作鹅, the 'Xiaohongshu seeding copy / travel guide / copy / note title' services"), but made two modifications: - **Damages cut from RMB 200,000 to RMB 100,000.** With no proof of actual loss or infringer gain, Xingyin sought statutory damages. The appeal court trimmed the award, expressly because AI legislation and industry norms remain immature and courts should stay "inclusive and prudent," and because the harm was unproven — while still holding the providers at fault. - **Joint liability of the download-distributor reversed.** The third defendant ran the "单词乎" (dancihu.com) site and merely offered the app's Android download and an iOS link — a network service. With no evidence of common intent or knowledge (the tool also had general "AI writing" and "AI drawing" features), the court found **no fault** and **no joint liability**, allowing that defendant's appeal. Liability rests on the two Hefei operators of the tool. (Legal basis: AUCL Articles 2 and 17; Article 23 of the Supreme People's Court Interpretation on the AUCL; Civil Procedure Law Articles 67 and 177. The judgment is final.) ## Why overseas counsel should care - **Generative-AI providers in China carry an affirmative, scenario-sensitive duty of care.** The four-factor test is the takeaway: a tool is most exposed when it (i) is generative AI, (ii) targets a specific platform or another's product as its "application layer," (iii) is marketed in a directional, inducing way, and (iv) is monetised. Tick those boxes and a Chinese court will ask what **notice, reminder, and abuse-prevention** measures you built in. - **Naming and marketing are evidence.** Naming features after a third-party platform was treated as "free-riding," and promotional copy was read as proof of intent. Align product names and marketing with permitted-use claims; do not brand a feature on someone else's ecosystem. - **Build guardrails into the product, and weigh your business model.** A **paid** service drew a *higher* duty of care. Pair the regulatory duties under the [Generative AI Services Interim Measures](/laws/genai-services-interim-measures/) and the [AI-content-labelling Measures](/laws/ai-content-labeling-measures/) with product-level controls — usage warnings, content labelling, and friction or refusal for deception-prone prompts. - **The general clause (AUCL Art. 2) is the live instrument for AI-content harms.** With no enumerated tort to fit, Chinese courts are using the good-faith / business-ethics general clause to reach novel AI conduct — and reading the **Generative AI Measures into the standard of commercial ethics**, even where the case is decided on competition grounds. - **"Inclusive and prudent" cuts both ways.** It produced liability *and* a reduced award; expect Chinese courts to find fault but moderate damages while the AI rulebook matures — useful for calibrating litigation risk. ## DCC sources - **Original:** 《全国首例AI代写"种草笔记"案判决书》, circulated by the **数据法盟** channel citing **知产库** — [mp.weixin.qq.com](https://mp.weixin.qq.com/s/wL3o6iLLzMSB7UWNct7XyQ). Underlying decision: **Hangzhou Intermediate People's Court, (2025) Zhe 01 Min Zhong No. 3998** (second instance; first instance Hangzhou Internet Court, (2024) Zhe 0192 Min Chu No. 3396); reported by CCTV, May 2026. DCC reconstructed the text by OCR over the judgment images. - **Cross-references on DCC:** the [Generative AI Services Interim Measures](/laws/genai-services-interim-measures/) (Arts. 4(3), 5(1), 22, cited in the judgment) · the [Measures for Labelling AI-Generated and Synthetic Content](/laws/ai-content-labeling-measures/) (the regulatory analogue of the "notice/labelling" duty the court found missing). - Part of the [AI Governance](/domains/ai-governance/) and [Enforcement](/domains/enforcement/) domains on DCC. > This is an editorial case summary written in DCC's own words for overseas readers, reconstructed > from OCR of the judgment images circulated with the source post — not an official transcript or > a certified translation. Defendant names were redacted in the source; quoted phrases are short > and attributed. Figures and holdings are as DCC read them from the images and may contain OCR > error. **Not legal advice.** --- ## Why Upstream Won't Operate Its Data — Control Degradation, Derivative Data, and Irreducible Uncertainty - Published: 2026-06-08 - Author: DCC Editorial - Tags: data-property-rights, data-operation-right, data-economy, three-rights-separation, data-twenty-articles, data-trading, derivative-data, privacy-computing, academic-commentary - Laws cited: data-foundation-system-opinions, common-data-terms-batch-2, pipl, dsl, network-data-security-regulations, data-property-rights-registration-guide-draft - Domains: data-economy, data-security, personal-information - URL: https://datacompliancechina.com/posts/data-operation-right-why-upstream-wont-share/ - Markdown: https://datacompliancechina.com/posts/data-operation-right-why-upstream-wont-share.md - Original source: https://mp.weixin.qq.com/s/1cOaLNxF6VO83Le-apCRdQ - Original author: 洪延青 - Original publication: 网安寻路人 ### Description Part three of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' framework turns to the Right to Operate Data (数据经营权) — the right to provide data externally by transfer, licence, capital contribution, or pledge — and asks a question prior to 'what does operation transfer?': in real conditions, *will* an upstream party operate its data at all? His answer: yes, but narrowly. Control-dependent upstreams (platforms, holders of core user or irreplaceable industrial/training data) tend not to provide open, raw, autonomous access, and shift to controlled use or simply decline. The reason is structural. Once a downstream party is licensed to use data, the derivative data it produces is a *new object*: the upstream's *erga omnes* (对世) control over the raw data does not reach it, leaving the upstream — at most — a contractual claim against one counterparty. Hong then catalogues the uncertainties an upstream faces *ex ante*: some that attribution rules could touch but can't eliminate (qualification of the output, default ownership, good-faith of the processor, measurement of remedy), and some no rule can reach (combinatorial/unforeseeable value, undetectable misuse, the privity-and-insolvency chain, fusion and co-ownership, abstraction leakage into model parameters and learned skills, personal-information exposure, and counterparty hold-up). DCC's read for overseas counsel: this is the rigorous explanation of why Chinese data 'supply' is thin and why sandbox / privacy-computing structures dominate — defining a right does not supply the conditions to exercise it. ### Body > *Editor's Note — DCC.* > > This is DCC's summary and analysis — not a translation — of > 《上游为何不愿对外经营数据?控制降级、衍生数据与不确定性下的经营决策》, the > **third** study note by **Hong Yanqing (洪延青)** on his **网安寻路人** channel in > his series on China's "separation of three rights" (三权分置) data-property > framework. It follows > [Two Paths for the "Right to Hold Data"](/posts/data-holding-right-two-paths/) > (part one) and > [When the "Right to Use Data" Goes External](/posts/data-use-right-externalization/) > (part two). Where part two asked what externalising a use right *transfers*, this > note asks the prior, more practical question: *will the upstream provide the data > at all?* The original is linked at the foot; the framing for overseas counsel is > ours. ## From "what operation transfers" to "whether it happens" In the **"Data Twenty Articles" (数据二十条)** structure, the **Right to Operate Data (数据经营权)** is the right to provide data externally — by transfer, licence, capital contribution, or pledge — the analogue of *disposing* of tangible property, meant to push data property out into the market. Part two showed that what operation usefully hands over is **licensed use**, and that once the downstream produces **derivative data (衍生数据)** a new object forms in its hands and the upstream's control changes. Hong's question here is one step earlier: under real conditions, **will an upstream exercise its operation right and provide data outward at all?** His judgment: it will, *but quite narrowly.* The upstreams that **rely on data to sustain a continuing relationship** — the "control-dependent" type from part two (platforms, holders of core user data, owners of high-value industrial or irreplaceable training data) — tend **not** to provide open, raw, autonomous access. They turn to controlled use, or decline. Not because they undervalue the data, but because external operation forces them to face a cluster of **irreducible, mostly structural uncertainties.** ## From licensed use to control degradation The upstream's control over **raw data** has *erga omnes* (对世) effect: the data sits with the upstream, a downstream must be authorised to use it lawfully, and that control binds the world without needing a contract with any particular person. The **derivative data** the downstream then produces, however, is a **new object** on which the *downstream* — not the upstream — stands as creator. On the prevailing view, derivative data's chain of succession from the source is severed, and the downstream independently holds, uses, and operates it. So the upstream's *erga omnes* control over the raw data **does not automatically extend** to derivative data; against derivative data, the upstream has at most a **contractual claim** that binds one counterparty. This degradation holds **even if the contract is perfectly drafted and fully enforced**, because it concerns the *nature* of the upstream's claim, not its enforceability: *erga omnes* control reaches the raw data, not the derivative; over the derivative, the upstream is at most a claimant against a specific party, not a right-holder against the world. The upstream's position drops from an automatic, world-binding right to a **per-item, counterparty-only contractual claim**. And the degradation is **uneven**. For *abstract* derivatives — models, scores, indices — it is most complete: the raw data no longer exists inside them, the value has been extracted, and there is neither *erga omnes* control nor a way to recover the extracted value. For derivatives that still *contain* the raw data, or are *fused* from several parties' data, the upstream may keep a **co-holding** position good against others (the official line on fusion is that each party may co-hold and that external circulation in principle needs the other participants' consent). Control degrades from the abstract end toward the fusion end. ## Two scholarly fixes — both tilt downstream The hard case is not where the parties agreed, but where the contract is **silent, unclear, or breached**: who owns the derivative data, and can the upstream get it back? Two representative approaches both target this gap, and Hong notes they **converge** where it matters. - A **law-and-economics** approach treats it as a conflict-allocation problem, using the **Calabresi–Melamed** property-rule / liability-rule framework to switch between rules as transaction costs and courts' valuation error change. Its baseline favours the **processor**: where transaction costs are low, a good-faith processor takes the derivative-data interest outright without compensation; it resists co-ownership (to avoid an anticommons), counts the processor's own input — and even the value of *other* parties' fused-in data — as processing value-add, and pushes the upstream's protection onto the *liability* side (an IP-style **compulsory licence fee** in place of unjust enrichment). - A **doctrinal** approach reasons by analogy to the Civil Code's **accession (添附)** rules, treating derivative data as a new object independent of the raw data, with identification stacked on *substantial change + marked value increase + irreversibility*. Ownership follows agreement; absent agreement, it vests in the processor by contribution and "putting data to fullest use" (数尽其用) — and the processor takes the derivative right **even if it does not hold a use right in the raw data**, so that even illegally-scraped source data affects only *liability*, not the **attribution** of the new product. The upstream's protection splits into personality interests (always retained by the individual) and *property* remedies via unjust enrichment or tort. Methodologically far apart, the two **agree on two points**: each reduces the upstream's protection over derivative data from *erga omnes* control to a **counterparty-only claim** (unjust enrichment, tort, or a compulsory fee); and each defaults the residual interest, absent agreement, to the **downstream processor**, justified by data's non-rivalry, the survival of the source data, and the incentive to innovate. That is exactly the **control degradation** above, accepted as a premise. ## Ex-post allocation vs. ex-ante participation Both schemes solve the same thing — *the data has been provided, a dispute has arisen, who gets the derivative and how much compensation* — and they do it finely. But both **presuppose the data was shared.** The prior question is: under such a regime, will the upstream provide the data **in the first place?** Solving ex-post allocation does **not** solve ex-ante participation — and a downstream-favouring default can make participation *worse*. The more the default tilts to the processor, the larger the upstream's expected loss from operating; the larger that loss, the more it declines to share; the less it shares, the less source data the processor has. The rule **incentivises downstream utilisation while suppressing upstream supply.** (The law-and-economics camp half-sees this — it warns that over-discounting source-data interests causes under-investment in data — but the more decisive margin is the upstream simply **refusing to share data it already holds.**) ## The uncertainties an upstream faces ex ante Hong sorts them into two classes. **Class one** — attribution rules can engage, but cannot eliminate them before the fact: 1. **Qualification.** Will the processed output count as *derivative data* (independent, vesting in the processor, leaving the upstream a compensation claim at most) or as *still the original data* (upstream interest intact)? It is binary and decisive — yet the test for derivative data is unsettled (one view requires substantial change + marked value increase + irreversibility; another makes marked value increase the core and demotes irreversibility to evidence), so *ex ante* no one can predict which side an output lands on. 2. **Default ownership.** Contracts are never complete; the gaps fall to default rules that are doctrinally divided and, in their firmer parts, tilt to the processor. Predictability does not cure unfavourable content. 3. **Subjective state.** Whether the processor acquired the source data in good or bad faith may or may not affect its ownership of the derivative, depending on the approach — and the *broader* the licence scope, the harder it is to find the processor exceeded authorisation, so the *easier* it is good-faith and takes the full derivative right. 4. **Remedy measurement.** Even winning yields a claim of **uncertain amount** — floating between a licence fee, profit share, and full disgorgement, benchmarked against IP licensing ratios. The upstream trades a definite, world-good position for an indefinite, counterparty-only claim. **Class two** — no attribution rule can reach these, and they are the **main deterrent**: 1. **Foreseeability and drafting.** Data value is *combinatorially emergent* — the most valuable use is often the downstream recombining the source with other data and models, **unforeseeable at signing**. You cannot pre-limit what you cannot foresee; and derivatives stack (second- and third-order derivatives sit beyond a clause that bound the first). The contract is **necessarily incomplete**, and its gap falls exactly where value and risk are highest. 2. **Discovery and tracing.** Whether the downstream trained a model, exceeded scope, or re-licensed is often unknowable to the upstream — derivative data is intangible, internal to the downstream, fusible, and can pass de-identification off as anonymisation. Hard to detect; hard to prove or trace after fusion and abstraction. 3. **Privity, chain, and payment.** A contract binds only the counterparty. If it transfers on to a third party in breach — or a third party simply **scrapes** the downstream's data product — the upstream has no hold (and, on the doctrinal view, the scraper acquires a full derivative right). The counterparty may also go bankrupt or be acquired, leaving the upstream's claim worthless. 4. **Fusion and co-ownership.** Once the source is fused with others' data, whether the upstream keeps a position good against the world is **unsettled** — one view rejects co-ownership and vests in the processor; another excludes such products from "derivative data" via the irreversibility test. 5. **Abstraction leakage.** Even a contractual duty to **delete** the derivative dataset cannot recover the parameters a model has already learned or the skills the downstream's people have absorbed — that value has changed form, beyond any attribution rule or damages. 6. **Compliance and personal information.** If personal information is involved, "provision" extends compliance duties and joint exposure back to the upstream; and the upstream often cannot tell whether the downstream's derivative is truly anonymised — most "anonymisation" is **de-identification**, still personal information — so its exposure does not necessarily end on delivery. 7. **Counterparty strategy.** Once data is delivered, incentives shift: post-possession delay and renegotiation (hold-up); information asymmetry hides intent and capability ex ante; worst of all, the counterparty may use the capability built on the source data to **compete with the upstream**. Across both classes: the deterrent uncertainties cluster in **class two**, which no attribution-or-compensation scheme can touch; and where class-one rules *could* engage, their tests are contested and tilt against the upstream. So **no allocation scheme can eliminate, ex ante, the uncertainty that actually drives whether the upstream provides the data.** ## The operation right contracts — within limits Hence the operation right tends, in practice, to **contract**: data-dependent upstreams avoid open, raw, autonomous provision. Hong adds three boundaries: - **Contraction is not cessation.** Upstreams respond without needing omniscience — data sandboxes, privacy computing, "data does not leave the domain," federated modelling, strict purpose limits, and grant-back audits all **bound** the uncertainty with technology and contract, substituting **controlled use** for raw delivery. They do not stop providing *use*; they stop providing **use detached from control.** - **Monetisation upstreams are excluded.** A one-off seller — data broker, dataset sale — bears no consequence from the buyer's loss of control over derivatives; it has already realised the value in the price. The thesis targets only upstreams that mean to keep a **continuing relationship and control.** - **Not sharing has a cost too.** Data depreciates; competitors may move first. So this is a **marginal, directional** claim — uncertainty raises the upstream's reservation price and shrinks the deals it will do, pushing it toward controlled forms, not a blanket refusal. This is also why "but isn't the default rule there *to reduce* uncertainty?" doesn't rebut the point. A default rule at most trims some *ex-post* allocation uncertainty; its content is contested (so still unpredictable ex ante), and its predictable part tilts downstream (so foreseeable loss of control does not raise the upstream's willingness to provide). The real deterrents — foresight, detection, privity, fusion, abstraction leakage, compliance, strategy — sit **outside the rules' range**. Default rules govern *how to allocate after the fact*, not *whether to act beforehand.* ## Establishing a right is not guaranteeing its exercise Hong's close ties the series together. The operation right is **conceptually clear** — the right to provide data externally and move data property into the market. But a clearly-defined right and an *exercised* one are two different things. Licensing use forms a new object the upstream cannot reach, dropping its control from *erga omnes* to a personal claim; placed in real conditions, the upstream then faces a layer of irreducible, mostly structural uncertainty that the two scholarly fixes — however fine on ex-post allocation — neither reach nor relieve, and that their downstream-tilting defaults can worsen. So the operation right **contracts**: relationship-keeping upstreams move to controlled operation, or decline. It is one thread with the first two notes. **Holding** is thin, its boundary supplied by behavioural norms; the **use** right is real but not self-sufficient, its boundary supplied by contract and technology; the **operation** right's *exercise* depends on the surrounding allocation of risk — which the three-rights modules cannot themselves create or arrange. A framework can establish the **type** of a right; it cannot supply the **conditions** to exercise it — and here those conditions, in contract, technology, and public law, are not yet adequately supplied. ## Why overseas counsel should care - **This is the rigorous answer to "why is Chinese data supply so thin?"** When a data exchange listing, a sourcing pitch, or an AI-training-data deal stalls on the *supplier* side, the cause is usually not price but **structural control loss** — the upstream cannot recover value once it leaves, and no contract fully fixes that. - **Controlled access is the equilibrium, not a quirk.** Sandboxes, privacy computing, "data does not leave the domain," and federated modelling are the rational upstream response — design your China data projects to consume **outputs and model results**, not raw datasets (the same pattern across [part one](/posts/data-holding-right-two-paths/) and [part two](/posts/data-use-right-externalization/)). - **If you are the upstream/licensor, price and bound the loss you cannot reverse.** Use grant-back, no-train/no-fusion, sub-licensing bans, output review, and audit — but assume detection and tracing will be costly, and put a price on the control you will lose rather than relying on recovery. - **If you are the downstream/processor, your derivative work is comparatively well-positioned — but document it.** China's defaults tend to vest models, scores, and labels in the builder; still, record your value-add and lawful sourcing, because good-faith and scope-of-authorisation will decide marginal cases. - **Don't read a clean three-rights label as a clean deal.** Defining holding, use, and operation does not, by itself, make data tradeable; the **risk-allocation plumbing** around the modules — contract, technology, PIPL/DSL compliance — is what determines whether a transaction actually happens. ## DCC sources - **Original:** Hong Yanqing (洪延青), 《上游为何不愿对外经营数据?控制降级、衍生数据与不确定性下的经营决策》, on the 网安寻路人 channel — [mp.weixin.qq.com](https://mp.weixin.qq.com/s/1cOaLNxF6VO83Le-apCRdQ). - **Series on DCC:** part one — [Two Paths for the "Right to Hold Data"](/posts/data-holding-right-two-paths/); part two — [When the "Right to Use Data" Goes External](/posts/data-use-right-externalization/); part four — [Data "Parallel Property Rights"](/posts/data-parallel-property-rights/). - **Cross-references on DCC:** the [Data Twenty Articles](/laws/data-foundation-system-opinions/) (source of the three-rights structure) · the [Common Data Terms, Batch 2](/laws/common-data-terms-batch-2/) (official definitions of the operation right and derivative data) · [PIPL](/laws/pipl/) · the [Data Security Law](/laws/dsl/) · the [Network Data Security Regulation](/laws/network-data-security-regulations/) · the [draft Data Property Rights Registration Guidelines](/laws/data-property-rights-registration-guide-draft/). - Part of the [data-economy](/domains/data-economy/) domain on DCC. > This is an editorial summary and analysis of Hong Yanqing's commentary, written > in DCC's own words for overseas readers — not a translation of his article, and > not a reproduction of it. Quoted phrases are short and attributed; the full > argument is his, at the link above. **Not legal advice.** --- ## When the 'Right to Use Data' Goes External — Provision, Derivative Data, and the Erosion of Upstream Control - Published: 2026-06-08 - Author: DCC Editorial - Tags: data-property-rights, data-use-right, data-economy, three-rights-separation, data-twenty-articles, data-trading, derivative-data, privacy-computing, academic-commentary - Laws cited: data-foundation-system-opinions, common-data-terms-batch-2, pipl, dsl, network-data-security-regulations, data-property-rights-registration-guide-draft - Domains: data-economy, personal-information, data-security - URL: https://datacompliancechina.com/posts/data-use-right-externalization/ - Markdown: https://datacompliancechina.com/posts/data-use-right-externalization.md - Original source: https://mp.weixin.qq.com/s/I0kxJci1Is4mM5XsTWWmeA - Original author: 洪延青 - Original publication: 网安寻路人 ### Description Part two of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' data-property framework turns to the Right to Use Data (数据使用权). The official definition (国家数据局, Common Data Terms Batch 2) makes the use right an *internal* power — 'I use my own data' to process, aggregate, analyse, and form derivative data — exercised on the premise of *not* providing data externally. So 'granting a use right to a downstream party' is not the use right travelling outward; it is the upstream party exercising its **operation right** to license, while the downstream party acquires a use right. That externalisation flips the downstream's legal position from PIPL **entrusted processor** (委托处理) to **provision** (提供) or **joint processing** — triggering notice and *separate consent* for personal information, and the Network Data Security Regulation's contracting duties. And because a strong use right lets the downstream form **derivative data** (衍生数据) — models, scores, indices, labels — value migrates downstream even though the raw data stays upstream. DCC's read for overseas counsel: in China data deals the use right is real but never self-bounding; whether a partner will grant an open, autonomous use right depends on its business model (control-dependent vs monetisation), and the default structure you should expect is *controlled use* (sandbox, privacy computing, federated modelling), not a clean copy. ### Body > *Editor's Note — DCC.* > > This is DCC's summary and analysis — not a translation — of > 《越自主,越难流通?数据使用权外部化的结构张力》, the **second** study note by > **Hong Yanqing (洪延青)** on his **网安寻路人** channel in a series on China's > "separation of three rights" (三权分置) data-property framework. Part one, > on the Right to Hold Data, is on DCC as > [Two Paths for the "Right to Hold Data"](/posts/data-holding-right-two-paths/); > the third, on the Right to Operate Data, is > [Why Upstream Won't Operate Its Data](/posts/data-operation-right-why-upstream-wont-share/). > The piece is legal theory, but a consequential one — it goes to how a Chinese > data partner can and cannot license data, and therefore how data-use deals, > AI-training-data supply, and data-as-asset structures should be built. The > original is linked at the foot; the framing for overseas counsel is ours. ## Where the use right sits China's *Opinions on Building the Basic Data Systems* — the **"Data Twenty Articles" (数据二十条)** — split data property into the **Right to Hold Data (数据持有权)**, the **Right to Use Data (数据使用权)**, and the **Right to Operate Data (数据经营权)**. Part one argued the holding right is thin. This note argues the use right has *more* real content — and that precisely this content makes its externalisation structurally fraught. The official definition is narrow in an easily-missed way. The National Data Administration's **Common Data Terms (Batch 2)** defines the use right as the right to "process, aggregate, and analyse data to optimise operations, deliver services, and **form derivative data**" — and stresses that, *as a rule*, the use right is exercised **on the premise of not providing data to the outside** (不对外提供数据). The right to provide data externally is the separate **operation right**. The consequence Hong draws: the paradigmatic use right is **internal** — "I use my own data," not "I let someone else use my data." So when people speak of "upstream granting a use right downstream," that is *not* the upstream simply exercising its use right. Strictly, the upstream is exercising its **operation right** to license; the downstream is *acquiring* a use right. The single act has two faces — upstream operation, downstream use — and it is in this externalised form that personal-information compliance, data security, derivative-data ownership, and loss of upstream control all surface at once. ## Externalisation moves the downstream from "entrusted processor" to "provision" Granting a use right outward first changes the downstream party's **legal position** under PIPL. - If the downstream merely processes data **on the upstream's instructions and for the upstream's purposes**, it looks like an **entrusted processor** (受托处理人). PIPL's entrusted-processing rule confines it to the agreed purpose and method, bars processing beyond what was agreed, and requires it to return or delete the data when the engagement ends — it may *not* retain the data. - A genuine **use right** is different in kind: its core is that the downstream may process, aggregate, analyse, and exploit the data **for its own purposes**. Once it does that, it is no longer a service provider to the upstream. If the data is personal information, the downstream can become an **independent personal information handler** (个人信息处理者), and the upstream's act falls into **"providing personal information to another handler"** (提供) — or, where the two jointly decide purpose and means, **joint processing** (共同处理). That distinction carries a compliance load. Under PIPL, providing personal information to another handler requires telling the individual the recipient's name and contact details, the purpose, the method, and the categories of personal information involved — and obtaining **separate consent** (单独同意); the recipient must then process only within that scope. So externalising a use right over personal information is not just a property-allocation question; it is a personal-information-compliance event. For **non-personal data**, the load is different. The **Data Security Law** applies — lawful sourcing, no theft or illegal acquisition, classification and grading, important-data and cross-border controls, transaction compliance — but there is no general "separate consent before providing to another processor" rule. Externalising a use right therefore lands in very different places depending on the data type: a heavy provision/joint-processing burden for personal information; a data-security-and-transaction-compliance structure for everything else. ## Derivative data: why value migrates downstream The most consequential feature of the use right is not "provision" but **production**: a use right includes forming **derivative data (衍生数据)**. The official definition is specific — derivative data is data that a processor, exercising a use right, transforms through "professional processing, model-based analysis, and key-information extraction" such that its **content, form, and structure are substantially changed and its value markedly increased**. So a use right is not a bare right to read or query; it is a right that can **create new value**. A downstream party with a strong use right can turn upstream data into a new label system, scoring model, risk index, customer profile, market forecast, set of model parameters, training result, industry report, or data-API service. And here is the pivot: **absent a clear agreement, derivative data is generally claimed by the party that actually created it** — the downstream — because it is not a copy of the raw data but the product of the downstream's own algorithms, models, scenarios, and cleaning-and-processing work. The result is a structural leak: the upstream still *holds* the raw data, but a portion of its **value** has already moved downstream, embodied in models, parameters, scores, labels, indices, or predictive capability. Hong is careful that this is not a statutory command — "derivative data severs the chain of succession from its source" is a *scholarly inference* from "a processor holds an interest in what it produces," still bounded by contract, PIPL, trade secrets, IP, the DSL, anti-unfair-competition law, and the public interest. Parties *can* contract around it — derivative-data ownership, grant-back licences, revenue sharing, bans on external operation or model-training, no-fusion clauses, deletion duties, audit and output-review rights. But contract does not erase the **cost** of discovery, proof, tracing, and recovery. Once a derivative result is further aggregated, modelled, de-identified — or genuinely anonymised — it becomes much harder for the upstream to prove it came from a specific dataset and to assert control. What the upstream truly fears is not that the downstream *sees* the data, but that it **absorbs the data's value** and fixes it into its own systems. ## Two upstreams: controlled use vs. monetisation Whether an upstream will grant a strong use right turns less on the data's value than on its **business model** — does it rely on data to sustain a competitive relationship, or does it sell and license data products for a living? - **Control-dependent upstreams** — platforms, holders of core user data, owners of high-value industrial data or irreplaceable training data — typically will *not* hand over a complete, autonomous, derivative-data-capable use right. They prefer **controlled** structures: API calls, **data sandboxes**, trusted execution environments, **privacy-preserving computation**, result delivery, joint modelling, co-development. The downstream may "use" the data, but the use is tightly bounded by technical measures and contract. For them, the question is not whether data can generate transaction value, but whether the transaction will **erode their durable advantage** — so the more open the use right, the more they compress its autonomy. - **Monetisation upstreams** — data brokers, dataset licensors, sellers of industry data products, some AI-training-data licensors — do *not* aim to retain control. They productise and license, taking a one-off or recurring price; once the price and the contract cover the risk of weakened control, granting a strong use right is the rational choice. Their concern is price, licence scope, liability caps, compliance warranties, breach remedies, sub-licensing, exclusivity, term, and field-of-use. The same problem, two solutions: control-dependent upstreams convert a strong use right into **controlled use**; monetisation upstreams **price** the control loss into the deal. Crucially, **compliance risk and value-control risk are separate layers.** "Provision" mainly creates compliance duties (notice, separate consent, recipient-scope control; and, for personal information and important data, the **Network Data Security Regulation**'s requirement to fix purpose, method, scope, and security duties by contract and to supervise the recipient). Value-control risk is the other layer — the downstream forming derivative data, model parameters, and predictive capability. The two can come apart: you can have a formal "provision" relationship locked down tightly by contract and technology, *or* no personal-information "provision" burden at all (non-personal data) yet still suffer value outflow. And **anonymisation is not a clean escape** — true anonymisation may take data out of the personal-information category, but most "anonymisation" in practice is mere **de-identification**, which remains personal information. ## The use right is real — but its boundary comes from outside Hong's synthesis: the controlled-access arrangements above *prove* the use right is being traded — contracts allocate and limit it, sandboxes enforce its boundary, APIs constrain the manner of use, privacy computing controls visibility, output review decides what may leave. What can be licensed, limited, and enforced is exactly the interest in **using data**. The problem is that the use right **does not carry its own complete boundary**. Purpose, term, scope, whether outputs may be downloaded or models trained, whether third-party data may be fused, who owns derivatives, whether sub-licensing or external operation is allowed — all of this must be fixed by contract, technical measures, compliance rules, and revenue arrangements. But, Hong argues, a right whose boundary and enforcement come from outside is **not therefore empty** — ownership itself depends on tort law, contract, registration, land-use and traffic and environmental rules, yet no one calls ownership "nominal." A property right that needs external rules to be made concrete is the normal case. The use right answers *"what kind of interest is this"* — the interest in processing, aggregating, analysing, and internally exploiting data. *"How far it can be used, what may be output, who owns the product, whether it can be re-used or externally operated, how breach is detected and remedied"* — those are answered by the external rules. **The right type supplies the language of the deal; the external rules supply the boundary.** ## Why overseas counsel should care - **"Granting use" of personal information is a PIPL provision event.** If a Chinese partner lets you process its personal-information dataset for *your own* purposes, you are likely an independent handler and the transfer is **provision** (or joint processing) — requiring notice and **separate consent** from individuals, with the recipient confined to the disclosed scope. Diligence the consent basis *before* the data moves; a "data use licence" does not cure a missing separate consent. - **Expect controlled use, not a copy.** A control-dependent Chinese counterparty will usually offer a **sandbox, privacy-computing, or API** structure rather than a raw dataset — the same "use without holding" pattern flagged in [part one](/posts/data-holding-right-two-paths/). Design your project around outputs and model results, and negotiate output-review and grant-back terms explicitly. - **Pin down derivative-data ownership in the contract.** China's default tilts the ownership of models, scores, and labels toward the party that builds them. If you are upstream, write derivative-data ownership, no-train/no-fusion, and deletion terms; if you are downstream, confirm your right to retain and operate what you build — silence will be litigated later. - **Map the compliance layer separately from the value layer.** Treat personal-information **provision** duties (PIPL) and the **Network Data Security Regulation**'s contracting-and-supervision duties as one workstream, and the commercial control of derivative value as another; the deal can fail on either. ## DCC sources - **Original:** Hong Yanqing (洪延青), 《越自主,越难流通?数据使用权外部化的结构张力》, on the 网安寻路人 channel — [mp.weixin.qq.com](https://mp.weixin.qq.com/s/I0kxJci1Is4mM5XsTWWmeA). - **Series on DCC:** part one — [Two Paths for the "Right to Hold Data"](/posts/data-holding-right-two-paths/); part three — [Why Upstream Won't Operate Its Data](/posts/data-operation-right-why-upstream-wont-share/); part four — [Data "Parallel Property Rights"](/posts/data-parallel-property-rights/). - **Cross-references on DCC:** the [Data Twenty Articles](/laws/data-foundation-system-opinions/) (source of the three-rights structure) · the [Common Data Terms, Batch 2](/laws/common-data-terms-batch-2/) (the official definitions of the use and operation rights and of derivative data) · [PIPL](/laws/pipl/) (provision, separate consent, entrusted processing) · the [Data Security Law](/laws/dsl/) · the [Network Data Security Regulation](/laws/network-data-security-regulations/) · the [draft Data Property Rights Registration Guidelines](/laws/data-property-rights-registration-guide-draft/). - Part of the [data-economy](/domains/data-economy/) domain on DCC. > This is an editorial summary and analysis of Hong Yanqing's commentary, written > in DCC's own words for overseas readers — not a translation of his article, and > not a reproduction of it. Quoted phrases are short and attributed; the full > argument is his, at the link above. **Not legal advice.** --- ## China Halts Data-Asset ABS: Exchanges Pull the Handbrake on a ¥200 Billion Pipeline - Published: 2026-06-05 - Author: DCC Editorial - Tags: data-economy, data-asset-abs, securitisation, enforcement, lgfv, data-as-asset, data-property-rights, financing - Laws cited: data-foundation-system-opinions, dsl, data-property-rights-registration-guide-draft, data-export-security-assessment-measures - Domains: enforcement, data-economy - URL: https://datacompliancechina.com/posts/data-asset-abs-suspended-window-guidance/ - Markdown: https://datacompliancechina.com/posts/data-asset-abs-suspended-window-guidance.md - Original source: https://mp.weixin.qq.com/s/Gc2y8gbxVaaKsYtvo3Uq0A - Original author: 数据交易网 编辑部; 数据资产大白话 - Original publication: 数据交易网 (citing 财新 Caixin / 财联社 / 新浪财经) and 数据资产大白话 WeChat Official Accounts ### Description According to reporting by Caixin (财新) and 财联社 circulated on 3–5 June 2026, the Shanghai and Shenzhen stock exchanges issued window guidance bringing the entire data-asset ABS (数据资产ABS) business chain to a stop — new filings turned away, approved-but-unissued deals told to pause, even issuance-approved deals told to delay. This halts a category that exploded from roughly 11 issuances raising ~¥4.6bn in 2025 to 21 issuances and ¥15.4bn in the first five months of 2026, with a declared pipeline approaching ¥200bn. The stated trigger is mission drift: pure-data-asset deals are under 2% of the market, while local-government financing vehicles (城投/LGFV) used the loose, fast 'data-asset' label to repackage existing non-standard debt as standardised bonds — data as window-dressing, with no real data cash flow behind it. DCC reads the event, the structural reasons, the three審查 gates the exchanges are expected to harden, and what it means for anyone underwriting, rating, or investing in China data-asset financing. ### Body > *Editor's Note — DCC.* > > On 3 June 2026 the Shanghai and Shenzhen stock exchanges reportedly sent > window guidance (窗口指导) to underwriters that froze the data-asset ABS > (数据资产ABS) business end to end. DCC is treating this as **reported, not > officially published**: the primary source is 财新 (Caixin) — a reputable > financial outlet — relayed by 财联社 and the industry portal 数据交易网, > and confirmed by named investment bankers. Window guidance is by nature > informal and unpublished, so there is no gazette document to cite, and DCC > could not independently verify an official text. What *is* independently > corroborated is the surrounding market data — the explosive 2025–2026 > issuance run and the ~¥200bn declared pipeline — and the structural > critique, which the legal commentators in this series make on their own. > > This is the first brief in a three-part DCC series on data-asset > securitisation. It covers the **halt**; the second explains [what a > data-asset ABS actually securitises](/posts/data-asset-abs-what-is-securitised/) > (and why the label misleads); the third looks at the [secondary-licensing > "2.0" model](/posts/data-asset-abs-secondary-licensing-cash-flow/) that > would make the category live up to its name. The halt is best understood > against the mechanism the second brief describes — so read them together. ## What reportedly happened Per Caixin, on **3 June 2026** the two exchanges issued window guidance to the major investment banks imposing "full-chain control" (全链条管控) on data-asset ABS. Bankers described three immediate effects: 1. **New filings turned away.** Any newly submitted data-asset ABS project would be "advised to withdraw" (劝退) at the exchange. 2. **Approved-but-unissued deals paused.** Projects that had cleared review and obtained a no-objection result had their bound-volume (封卷) and formal-approval steps suspended. 3. **Even issuance-approved deals delayed.** Stock deals that had already obtained an issuance approval were told to delay filing and issuance — unable to raise money in the near term. By 5 June the news had spread through the bond and brokerage-asset-management circles, and a category that had been "racing ahead" abruptly cooled. ## The bubble that triggered it The numbers explain the regulatory nerves. Per 数据交易网's tally (citing Caixin/财联社): - **2025 — patient zero.** Roughly **11 issuances** actually raised about **¥4.6 billion** (45.9亿元). 2025 was dubbed the "first year" of data-asset ABS. - **2026 — vertical.** In just the **first five months**, **21 issuances** raised **¥15.4 billion** (154.33亿元) — more than **3× the prior full year** in half the time. Single-deal sizes ballooned from under ¥1bn early on to the ¥3–6bn range. - **The pipeline.** Counting deals in the review queue, about **88 programs** with a declared scale **approaching ¥200 billion** (近2000亿元) were in flight — roughly **75 of them (~¥168bn) at the Shenzhen exchange** and 13 (~¥31.7bn) at Shanghai, with ~70 deals (~¥150bn) still stuck in review. > A figures caveat: counts vary by source and by what is being measured — > *issued* tranches, *approved* programs, or *shelf-registered* (储架) totals. > One trade source counts 13 *approved* deals worth ¥27bn in 2026; another > counts ¥24.9bn of *shelf* capacity across 7 programs by September 2025. The > direction — a steep, self-reinforcing ramp — is what matters and is not in > dispute. DCC reports the 数据交易网/Caixin issuance figures above as the > halt-context set. ## Why the regulators pulled the handbrake The category was designed for a clean purpose: let tech firms and local SOEs sitting on **compliant, cash-generating data** raise standardised financing off the *future operating cash flow of that data* — escaping the traditional real-estate-collateral constraint. The benchmark is a Shandong city's pure-data-asset deal that ran the full pipeline — data right-confirmation, on-balance-sheet recognition (入表), third-party valuation — with parking and government-credit data throwing off stable cash flow as the **first repayment source**, the guarantor only a backstop. But the market drifted hard from that template. Per the reporting and the legal commentators in this series, three problems converged: **1. The data was a costume, not an engine — the LGFV arbitrage.** **Pure** data-asset deals are **under 2%** of the market. As traditional local-government financing vehicle (城投/LGFV) channels tightened — shrinking non-standard lending, falling land-sale revenue, higher bond-issuance bars for county-level platforms — LGFVs pivoted to the **loose, fast approval environment** of the data-asset label. Many simply attached a smart-parking or government-operations **data name** to deals whose underlying assets were the **same old trust loans and non-standard debt** they always were. The data generated no real cash flow; investors' principal and interest still rode on LGFV credit and third-party guarantees. In substance this was traditional LGFV **debt swapping** — turning non-standard debt into standardised bonds (非标转标) — wearing a data costume. That is precisely the kind of hidden local-government-debt arbitrage central regulators have spent years trying to choke off, so its reappearance under a new label drew a fast response. **2. The on-balance-sheet figures may be hollow.** After the Ministry of Finance's data-resource accounting rules took effect, recognising data on the balance sheet is supposed to require the full chain — right-confirmation, compliance audit, cost aggregation, value assessment. Regulators worried that filers were simply **listing the names of public datasets** with no corresponding data-operating-revenue ledger and no CPA on-balance-sheet attestation report — conjuring an underlying asset that does not exist on the books to push an ABS filing through. **3. The underwriters had an incentive to mass-produce.** Brokers lead ABS execution. With traditional corporate-ABS review tightening and the data-product category enjoying **higher regulatory tolerance and shorter approval cycles**, some banks treated data-asset ABS as a fresh revenue lane — batch-originating and bulk-filing deals, amplifying the inflated-scale problem. ## What the failure cases already showed Independently of the halt, practitioners had begun cataloguing data-ABS deals that went wrong — about **15% of data-ABS projects had experienced a credit event** during their term, on one practitioner tally. Three recurring failure modes are worth flagging because the exchanges' new review gates will target exactly these: - **Cash-flow concentration.** A SaaS-subscription-receivables deal where the top client was 28% of revenue (top three: 65%); the anchor client defected to a competitor, the coverage ratio fell below 1.0, accelerated repayment triggered, and the subordinate tranche was wiped out. Data "revenue rights" depend on customer renewal — far less certain than auto-loan or mortgage cash flow. - **Valuation bubble.** A provincial data-exchange deal valued on an income-method model using a 30% growth assumption and a 10% discount rate; actual growth was 15%, revenue hit 67% → 48% → 30% of forecast over three years, and a corrected valuation cut the asset by 41%. Data assets lack comparable transactions, so valuations are unusually assumption-sensitive. - **Compliance blow-up.** A medical-data deal where, two months before issuance, new [data-export security-assessment](/laws/data-export-security-assessment-measures/) requirements surfaced cross-border-transfer exposure, under-de-identified datasets, authorisation that never said "may be used for ABS," and an undisclosed historical breach — shrinking the asset pool 40% and sinking ~¥3m of upfront fees. Unlike traditional ABS, data-ABS due diligence must clear the [DSL](/laws/dsl/) classification, PIPL, and cross-border stack *as a condition of asset eligibility*. ## What the exchanges are expected to require next This reads as a **pause-to-tighten**, not a permanent shelving. The reporting anticipates the exchanges will refine three hard review gates before letting qualifying stock deals resume bound-volume and issuance: 1. **Data on-balance-sheet recognition (数据入表)** — real recognition with a data-operating-revenue ledger and CPA attestation, not a list of dataset names. 2. **Underlying cash-flow verification (底层现金流核查)** — proof that the data actually generates the cash flow, rather than the data sitting decoratively atop a conventional debt claim. 3. **LGVF issuer access (城投主体准入)** — gating which local-government platforms may issue, to stop 非标转标 debt-swap deals from re-entering under the data label. Deals already originated but not yet filed will need to supplement a full set of data-compliance materials to the new standard; those that cannot meet it will be terminated. In the near term, the era of batch filing and herd issuance is over. ## What this means for overseas counsel - **Treat the data-asset-ABS label as a claim to verify, not a fact.** The halt confirms what the [companion mechanism brief](/posts/data-asset-abs-what-is-securitised/) explains: most "data-asset ABS" do not run on data cash flow at all. Before underwriting, rating, investing in, or relying on one, confirm whether the *repayment source* is genuine data revenue or a conventional debt claim with a data sticker — and whether the issuer is an operating company or an LGFV doing a debt swap. - **The compliance stack is an eligibility gate, not a side condition.** A data asset that cannot clear DSL classification (no important/core data), PIPL consent and anonymisation, and — where relevant — the cross-border procedures is not a securitisable asset. The medical-data failure shows the whole pool can collapse on a late-surfacing compliance defect. Front-load the data-compliance diligence. - **On-balance-sheet recognition ≠ a financeable asset.** As DCC has noted in the [data-pledge-financing analysis](/posts/data-pledge-financing-what-is-pledged/), a Ministry of Finance balance-sheet entry is an accounting fact, not a perfected, transferable legal right — and now the exchanges are signalling they will look behind the entry for a real revenue ledger and CPA attestation. Do not equate "入表" with "bankable." - **This is a cooling, not a cancellation — and it rhymes.** The handbrake on speculative data-securitisation parallels the regulator's earlier [cold water on speculative "data-token" trading](/posts/qinglan-token-trading-cold-water/): Beijing keeps welcoming genuine data-value realisation while moving fast against financialisation that outruns the underlying substance. Expect the category to reopen for deals with real data cash flow and clean issuers, on a tighter, slower track. ## DCC sources - 数据交易网 编辑部, 《突发!数据资产ABS项目被全部叫停!》(citing 财新 / 财联社 / 新浪财经), WeChat Official Account ([source](https://mp.weixin.qq.com/s/Gc2y8gbxVaaKsYtvo3Uq0A)). - 数据资产大白话, 《【ABS 18/30】案例复盘数据ABS失败案例深度复盘》, WeChat Official Account ([source](https://mp.weixin.qq.com/s/EahBHqNiTA5zpUr-nga7bQ)). - [《关于构建数据基础制度更好发挥数据要素作用的意见》(Data Foundation System Opinions / 数据二十条)](/laws/data-foundation-system-opinions/) — the three-rights framework underpinning the data-element market. - Ministry of Finance, *Interim Provisions on Accounting Treatment of Enterprise Data Resources* (《企业数据资源相关会计处理暂行规定》, effective 1 January 2024) — the on-balance-sheet recognition rule referenced throughout (no dedicated DCC law page yet). > This is an editorial summary and analysis, not a translation. The halt is > reported by Caixin and relayed by 数据交易网; DCC could not independently > verify an official text, and window guidance is by nature unpublished. > Figures are as reported and vary by source and measure. **Not legal advice.** --- ## What a 'Data-Asset ABS' Actually Securitises — The Collateral Is Data, the Cash Flow Is Not - Published: 2026-06-05 - Author: DCC Editorial - Tags: data-economy, data-asset-abs, securitisation, data-property-rights, data-as-asset, true-sale, bankruptcy-isolation, data-registration, financing - Laws cited: data-foundation-system-opinions, common-data-terms-batch-1, dsl, pipl, civil-code-personal-info, data-property-rights-registration-guide-draft - Domains: data-economy, personal-information - URL: https://datacompliancechina.com/posts/data-asset-abs-what-is-securitised/ - Markdown: https://datacompliancechina.com/posts/data-asset-abs-what-is-securitised.md - Original source: https://mp.weixin.qq.com/s/5-3AdI_W4U45TNaTO6AWgQ - Original author: 武强胜 (零壹法谈); 王喆 (京师深圳律所); 鼎世律师; 刘应檀 (安杰世泽 / 威科先行) - Original publication: 零壹法谈; 京师深圳律所; 鼎世律师; 威科先行 (Wolters Kluwer China) WeChat Official Accounts ### Description The name misleads. A Chinese 'data-asset ABS' (数据资产证券化) is labelled as such when data-pledged collateral exceeds 50% of the asset pool — but the underlying assets that actually generate the repayment cash flow are conventional financial claims: supply-chain receivables, trust-loan beneficiary rights, or finance-lease claims. Data is the collateral, the credit-enhancement, or the pricing-and-monitoring tool — not the cash-flow source. This brief, the second in DCC's data-asset-ABS series, unpacks the mechanism overseas counsel need to price the risk: the four live deal structures (trust-loan, receivables, finance-lease, data-empowerment); the difference between accounting recognition (入表) and legal right-confirmation (确权); and the four legal infirmities that make these deals fragile — unsettled data property rights, the true-sale problem created by data's non-exclusivity, the limits of bankruptcy isolation when asset value depends on the originator's continued operation, and the PIPL/DSL eligibility gates. It reads the flagship deals (平安-如皋, 华鑫-鑫欣, 青岛, 杭州高新金投) for what each actually did. ### Body > *Editor's Note — DCC.* > > This is the second brief in DCC's three-part series on data-asset > securitisation, written for overseas counsel who need to understand the > mechanism before pricing the risk. It synthesises four Chinese > practitioner analyses — 武强胜 (零壹法谈), 王喆 (京师·深圳), 鼎世律师, and > 刘应檀 of 安杰世泽 (writing on 威科先行 / Wolters Kluwer) — into one > account of what these deals actually do. The first brief covered the > [June 2026 exchange halt](/posts/data-asset-abs-suspended-window-guidance/); > the third looks at the [secondary-licensing "2.0" model](/posts/data-asset-abs-secondary-licensing-cash-flow/). > > The single most important thing to carry away: **in essentially every > data-asset ABS issued to date, the data does not produce the repayment > cash flow.** The data is collateral. Mistaking the label for the substance > is the central error — and, as the halt showed, the one regulators are now > policing. ## The cognition trap: what the label actually means A "data-asset ABS" sounds like it should mean *securitising the cash flow that data throws off*. It does not. Under the prevailing exchange practice, a deal earns the "data-asset" (数据资产) label when **data-pledged collateral exceeds 50% of the pooled underlying assets**. That labelling rule is about the *collateral mix*, not the *cash-flow source*. So the "underlying asset" (基础资产) that actually generates the money to pay investors is a **conventional financial claim** — supply-chain receivables, a trust-loan beneficiary right, or a finance-lease claim. The data asset sits on top as **pledge security, credit enhancement, or a risk-pricing input**. Repayment still rides on the borrower's overall operating cash flow (or a guarantor), not on the data's own earnings. This is why DCC's [data-pledge-financing brief](/posts/data-pledge-financing-what-is-pledged/) is the necessary companion: a data-asset ABS is, in most cases, a *pledge financing* wrapped in a securitisation. The hard questions about what can be pledged, and whether the pledge can be enforced, carry straight through. ## The institutional foundation — and where it is still missing Three building blocks made the category possible: - **The three-rights framework.** The 2022 [Data Foundation System Opinions](/laws/data-foundation-system-opinions/) ("数据二十条") separated data-resource holding rights (数据资源持有权), data-processing-and-use rights (数据加工使用权), and data-product operating rights (数据产品经营权). Crucially, this is a **policy framework** — it deliberately avoids absolute "ownership" language, and it has **not** been confirmed in the Civil Code's property book or in standalone legislation. Whether a data right is a property right, a claim, or a *sui generis* new right remains contested. That gap propagates directly into every deal. - **On-balance-sheet recognition (入表).** The Ministry of Finance's *Interim Provisions on Accounting Treatment of Enterprise Data Resources* (effective 1 January 2024) let a firm recognise data resources as an **intangible asset** (held for internal use or to provide data services) or as **inventory** (held for sale). This moved data from off-book to on-book, giving it a figure to value, pledge, and securitise. The Ministry followed with management guidance (财资〔2023〕141号) and a full-process management pilot (财资〔2024〕167号, running 2025–2026). - **A working definition.** Per the National Data Administration's [common data terms](/laws/common-data-terms-batch-1/), a "data asset" is a data resource that a specific party **lawfully owns or controls**, that is **monetarily measurable**, and that **brings economic or social benefit**. No measurability, no benefit — no asset. Two cautions the practitioners stress. **First, 入表 ≠ 确权.** Accounting recognition fixes a *measurement* question; right-confirmation fixes an *ownership* question. They support each other but are not the same, and the transaction documents must not conflate them. **Second, registration effect varies sharply by locality.** Shenzhen and Xiamen lean to substantive review (stronger certificates); Beijing and Shanghai do formal review but treat the certificate as a rights voucher; Jiangsu and Hubei certificates carry only limited weight — rebuttable preliminary evidence. Due diligence has to be tailored to where the asset was registered. ## The four live structures Every issued deal to date falls into one of four patterns. The first three pledge data; the fourth merely uses it. **1. Trust-loan + securitisation (the mainstream).** A trust company lends to the data firm; the firm pledges its data assets as security; the trust beneficiary right becomes the ABS underlying asset. Data is collateral; repayment rides on the borrower's operations. This is the structure behind the flagship **华鑫-鑫欣** programme and the **青岛** pure-data deal. **2. Receivables + data pledge.** Supply-chain or data-service receivables form the pool; the data holder pledges exchange-listed data assets as supplementary security (>50% of the pledge). The benchmark is **平安-如皋**, the first data-ABS to issue (April 2025) — a modest first tranche, 2.4% coupon, AAA senior. **3. Finance lease + data pledge.** Finance-lease claims form the pool, with data-asset pledges (up to 100% coverage) as security — e.g. **国君-无锡联投租赁**, billed as the first 100%-data-asset-pledge deal. The lease structure lets the data-pledge credit-enhancement function reach into more industries. **4. Data empowerment (数据赋能).** Here data is **not** pledged or transferred at all. Instead, supply-chain receivables are the underlying asset, and data is used to *price the assets, screen suppliers, and monitor collections* — improving the pool's risk profile from the outside (e.g. **天风中投保**). The legal questions shift accordingly: the independence and qualifications of the data-service provider, the legal effect and disclosure of its analytics, and whether the empowering data's source and use stay inside their original authorisation. ## The four legal infirmities This is the part overseas counsel should internalise. Even a clean-looking deal carries four structural weaknesses. ### 1. Right-confirmation is unsettled (确权) Because the three-rights framework has no substantive-law footing, ownership disputes lurk at every layer: platform-versus-user claims over user-generated data; employer trade-secret versus employee contribution in internal data; the boundary of authorised-operation for government data; the rights status of *derivative* datasets after cleaning, de-identification, and modelling; and the disposal authority of any one co-owner of a merged dataset. The Civil Code (Article 127) says data is protected "as provided by law" — but the detailed law has not arrived. So diligence cannot stop at the exchange's registration certificate; it must trace the collection agreements, the authorisation chain, and prior dispositions. China's first ruling on a data-IP registration certificate — [Datatang v. Yinmu](/posts/datatang-v-yinmu-data-ip-registration-case/) — held that the certificate is only **preliminary evidence**, rebuttable by contrary proof. A registration is a starting point, not a conclusion. ### 2. True sale is hard to achieve (真实出售) Securitisation's bankruptcy remoteness rests on a **true sale** — a real transfer of risk so the asset leaves the originator's bankruptcy estate. Data defeats this on its own terms: because data is **non-exclusive and infinitely copyable**, the originator does not actually *lose control* on transfer, so a court asked whether risk truly passed faces a logical problem. There is **no precedent** on a data-asset true-sale dispute, and no settled answer to whether a bankruptcy administrator could claw securitised data back into the estate. This is exactly why the market overwhelmingly uses **pledge enhancement rather than true sale**, securitising a *debt claim* and leaving the data as mere collateral — sidestepping the property-characterisation problem entirely. ### 3. Bankruptcy isolation has a data-specific hole Even with an SPV, isolation is incomplete: a data asset's value depends on the originator's **continuous operation and maintenance** (updating, securing, and running the data). If the originator enters bankruptcy, its technical support stops and the asset value can fall off a cliff. Robust deals therefore need a **backup data administrator** appointment mechanism, a data-migration plan, and transition arrangements written into the servicing agreement — so the SPV can preserve the asset's basic value if the originator's credit deteriorates. ### 4. The PIPL/DSL eligibility gates Data compliance is not a side condition; it determines whether the asset is *eligible* at all: - **Consent chain.** The collection must have completed [PIPL](/laws/pipl/) notice-and-consent, and the authorisation scope must actually cover *this securitisation use*. A gap is not just a violation — it is a defect in the asset's title that can disqualify it from the pool. - **Anonymisation vs de-identification.** PIPL Article 73 distinguishes **anonymised** data (cannot re-identify, not restorable — outside PIPL) from **de-identified** data (still re-identifiable — fully regulated). Anonymised data lowers the compliance burden; de-identified data needs explicit use-scope limits and safeguards in the documents. - **Classification ceilings.** Under the [DSL](/laws/dsl/), important data and national core data are **not securitisable**; even ordinary data may trigger security-assessment or filing duties at the scale/type thresholds of the Network Data Security Management Regulations (网络数据安全管理条例). - **Cross-border procedures.** If the data touches overseas parties or transfers, the security-assessment / certification / standard-contract procedures must be cleared first — and they take time that has to be built into the deal calendar. There is also a transferability problem at enforcement: prohibited-data catalogues (in the DSL classification regime, GB/T data-trading standards, and local data regulations) mean a pledgee may be **unable to sell the pledged data** to satisfy the debt — blunting the very credit enhancement the data was supposed to provide. ## Reading the flagship deals - **平安-如皋 (April 2025)** — first data-ABS to *issue*. Receivables pool; exchange-listed transport/port data pledged as >50% supplementary security; 2.4% coupon, AAA senior. Data = collateral. - **华鑫-鑫欣 数据资产1–5期 (April 2025)** — first *approved* labelled data-asset ABS, and the first to run the full chain (recognition → right-confirmation → issuance → secondary trading). Issuer Nanjing Xinxing Commercial Factoring; ~9 firms' data-revenue factoring claims registered at the Jiangsu Data Exchange; senior/subordinate tranching plus a bank AAA guarantee; financing cost ~3.8%, ~120–150bp below bank loans. Its "state-capital-led + tech-enabled + bank-enhanced" template directly prompted the **Shenzhen exchange to create a new asset class and issue a dedicated business guideline**. - **青岛 纯数据资产信托收益权 ABS (March 2026)** — ¥10bn shelf; billed as the first *pure*-data-asset deal, shedding land/property collateral entirely. But, as the commentators stress, even here the data is the **pledge**; trust-loan repayment still comes from the borrower's overall operating cash flow. "Pure" describes the *collateral*, not the cash-flow source. - **杭州高新金投 数据知识产权 ABN (2023)** — a *data-IP* deal (a distinct but adjacent category): the first to put data-IP into a securitisation pledge pool, riding Hangzhou's local data-IP registration and pledge standards. ## What this means for overseas counsel - **Underwrite the cash-flow source, not the label.** The first diligence question is always: *what actually repays this?* If the answer is a receivable or a trust loan and the data is collateral, you are pricing a conventional credit with a data-shaped enhancement of **uncertain enforceability** — value it accordingly. - **Map the deal to one of the four structures.** Trust-loan, receivables, finance-lease, or empowerment — each puts the legal risk in a different place (pledge validity for the first three; service-provider independence and analytics disclosure for the fourth). - **Separate 入表 from 确权 from enforceability.** A Ministry of Finance balance-sheet entry is not a confirmed legal right, and a confirmed legal right is not a guarantee the pledge can be realised in a thin secondary market. Treat them as three independent gates. - **Run the compliance stack as an eligibility test.** Consent scope (does it cover securitisation?), anonymised vs de-identified, DSL classification (important/core data out), and cross-border procedures — clear these before the asset enters the pool, not after. - **Insist on the data-specific protections in the documents.** Continuous data-maintenance covenants, a backup-data-administrator mechanism, data-security-incident triggers, valuation re-test and top-up clauses, and a policy-change adjustment clause. These are the terms that separate the deals that survived from the ones in the [failure casebook](/posts/data-asset-abs-suspended-window-guidance/). ## DCC sources - 武强胜, 《从“依附”到“独立”:数据资产证券化(ABS)的法律逻辑与进阶展望》, 零壹法谈 ([source](https://mp.weixin.qq.com/s/5-3AdI_W4U45TNaTO6AWgQ)). - 王喆, 《数据资产证券化法律实务要点解析》, 京师深圳律所 ([source](https://mp.weixin.qq.com/s/cqfVerKUeWFE0a-W609ttA)). - 鼎世律师, 《数据资产证券化(ABS)的实践探索与合规路径——以全国首单获批数据资产ABS 项目为例》([source](https://mp.weixin.qq.com/s/4EH4Vq2U755WF_23_eHJOQ)). - 刘应檀 (安杰世泽律师事务所), 《数据资产证券化-入表构建及合规实操》, 威科先行 ([source](https://mp.weixin.qq.com/s/uRB3p8nQmgi-Q9xJ2iAfbA)). - [数据二十条](/laws/data-foundation-system-opinions/) · [DSL](/laws/dsl/) · [PIPL](/laws/pipl/) · [Civil Code (data & pledge provisions)](/laws/civil-code-personal-info/) · [Data Property Rights Registration Work Guide (draft)](/laws/data-property-rights-registration-guide-draft/) · [Common data terms](/laws/common-data-terms-batch-1/). - Ministry of Finance, *Interim Provisions on Accounting Treatment of Enterprise Data Resources* (effective 1 January 2024); 财资〔2023〕141号; 财资〔2024〕167号 (no dedicated DCC law pages yet). > This is an editorial synthesis of four practitioner analyses, not a > translation. Structural framings and the consolidation are DCC's. **Not > legal advice.** --- ## From Collateral to Cash Flow: The 'Secondary Licensing' Model That Would Make Data-Asset ABS Real - Published: 2026-06-05 - Author: DCC Editorial - Tags: data-economy, data-asset-abs, securitisation, secondary-licensing, data-property-rights, data-licensing, finance-lease, financing - Laws cited: data-foundation-system-opinions, data-property-rights-registration-guide-draft, pipl, dsl, civil-code-personal-info - Domains: data-economy - URL: https://datacompliancechina.com/posts/data-asset-abs-secondary-licensing-cash-flow/ - Markdown: https://datacompliancechina.com/posts/data-asset-abs-secondary-licensing-cash-flow.md - Original source: https://mp.weixin.qq.com/s/5-3AdI_W4U45TNaTO6AWgQ - Original author: 武强胜 (零壹法谈) - Original publication: 零壹法谈 WeChat Official Account ### Description If today's data-asset ABS is '1.0' — data as collateral behind a conventional debt claim — then '2.0' is the version where the data's own cash flow (licensing fees, data-service subscriptions) directly repays the securities, upgrading data from credit-enhancement tool to genuine underlying asset. This third brief in DCC's data-asset-ABS series examines the structure most likely to get there: the 'secondary licensing' (二次许可) model borrowed from intellectual-property ABS, in which a holder exclusively licenses data to an originator for an upfront lump sum, then takes a reverse exclusive licence back and pays periodic fees that become the ABS cash flow — ownership never moving. It maps the obstacles (data's non-exclusivity defeats 'exclusive licence' and 'exclusive possession'; PIPL/DSL cap what can be licensed; valuation is immature), the finance-lease-of-data variant, and the early policy encouragement (Anhui's March 2026 measures endorsing reverse-licensing). The irony the June 2026 halt exposed: regulators want real data cash flow — which is exactly what 2.0 promises but cannot yet deliver at scale. ### Body > *Editor's Note — DCC.* > > The third and final brief in DCC's data-asset-ABS series turns from what > these deals *are* to what they are *trying to become*. It draws on the > forward-looking half of 武强胜's analysis on 零壹法谈. Read it after the > [mechanism brief](/posts/data-asset-abs-what-is-securitised/) — the "2.0" > idea only makes sense once you see why today's "1.0" deals run on > collateral rather than data cash flow. > > There is an irony worth stating up front. The [June 2026 exchange halt](/posts/data-asset-abs-suspended-window-guidance/) > was triggered by deals where the data was a *costume* over conventional > debt. The fix regulators are signalling — prove the data generates the cash > flow — is precisely the promise of the 2.0 model below. The trouble is that > 2.0 remains, for now, largely theoretical. The category is caught between > the abuse that got it halted and the genuine structure that would justify > it but does not yet work at scale. ## 1.0 versus 2.0 As the [companion brief](/posts/data-asset-abs-what-is-securitised/) explains, every issued data-asset ABS is "1.0": the data is **collateral or credit-enhancement**, and the securities are repaid out of a borrower's overall operating cash flow via a conventional debt claim. The data's legal status is *security interest* (担保物). "2.0" is the version where the data asset becomes the **underlying asset that directly produces the repayment cash flow** — through outward licensing, data services, or subscription fees. The shift is fundamental: the data moves from *collateral* to *base asset*; its value detaches from the holder's credit and attaches to the **data's own earning power**; and the deal's centre of gravity moves from *pledge* to *transfer of a revenue right*. Even the most innovative deal to date — Qingdao's "pure" data-asset ABS — is still 1.0: "pure" describes the collateral, not the cash-flow source. ## The bridge: secondary licensing (二次许可) The most plausible route from 1.0 to 2.0 is a structure already proven in **intellectual-property ABS** — the secondary-licensing model. It runs in three steps: 1. **First licence — build the base right.** The data holder (the financing party) grants an **exclusive licence** of specific data to the originator (typically a factoring or finance-lease company). The originator pays the **entire licence fee up front** — this lump sum *is* the financing the holder receives. 2. **Reverse licence — create the cash flow.** The originator (now licensor) grants a **reverse exclusive licence** of the same data back to the original holder (now the "client"/licensee), who pays **periodic licence fees** into the SPV's monitored account. These recurring fees are the ABS's underlying cash flow. 3. **Securitisation.** The originator transfers its licence-fee receivable to the SPV, which issues the asset-backed securities; proceeds repay the originator's upfront lump-sum outlay. The result is a closed loop. Economically it resembles a mortgage — the holder takes a lump sum now and repays in instalments. But two legal features make it powerful for the data context: - **The underlying asset is the licence-fee claim, bound to the data's own cash flow** — not the holder's general credit. That is exactly the upgrade from "enhancement tool" to "base asset." - **Ownership never moves.** Both the first and the reverse licence transfer only *use rights*; the holder keeps title throughout. This sidesteps the [true-sale problem](/posts/data-asset-abs-what-is-securitised/) and the tax and compliance complications of an ownership transfer — and it neatly avoids the very property-characterisation gap that pushes 1.0 deals toward pledge structures in the first place. ## Why it does not yet work for data Porting the IP model onto data runs into four problems — and the first is close to fatal without careful structuring. 1. **"Exclusive" does not map onto data.** IP secondary licensing depends on *exclusivity*: an exclusive patent licence means no one else — including the holder — may practise the patent. But data is **non-exclusive and infinitely copyable**; the same dataset can be used by many parties at once without rivalry. What does an "exclusive licence" of data even mean, and can a later exclusive licence reach data the holder already used or licensed earlier? The draft [Data Property Rights Registration Work Guide](/laws/data-property-rights-registration-guide-draft/) brings a "data-operating right" (数据经营权) into the property framework and contemplates licensing — an initial institutional basis — but the exclusivity question is unresolved at law and untested in court. 2. **Compliance caps what can be licensed.** Data that contains personal information, trade secrets, or export-controlled content cannot be licensed freely; [PIPL](/laws/pipl/) and the [DSL](/laws/dsl/) constrain the scope, term, purpose, and manner. In the *reverse*-licence leg especially, every layer must stay inside the **original data subjects' authorisation** — a second licence cannot enlarge the consent the first collection obtained. 3. **Licence-fee pricing has no settled basis.** A 2.0 deal needs a defensible licence fee, which needs a scientific data-asset valuation. Exchanges are still experimenting with data-product pricing; there is no unified standard, and (as the [failure cases](/posts/data-asset-abs-suspended-window-guidance/) showed) aggressive valuation assumptions are where deals break. 4. **Cash-flow stability is unproven.** Data-licence revenue swings with demand, technical obsolescence, and policy — far less stable than infrastructure toll income — so it needs heavier structural enhancement (over-collateralisation, liquidity-reserve accounts). ## The finance-lease-of-data variant A second 2.0 path reuses the finance-lease structure — but instead of pledging data, it tries to make the **data itself the leased object** that throws off rent, the way a toll road or power station does. One design: a leasing company buys a de-identified dataset (city-traffic, weather, health) and leases it to a data-operating company, which earns licence revenue from third parties and pays rent from that revenue; another is a **sub-lease** (lease in, lease out) that mirrors secondary licensing with "lease" swapping in for "licence." The obstacles echo the licensing problems: it is unsettled whether data is an **eligible lease object** under the Civil Code and finance-lease rules (which expect a clear-title, real, specific, disposable, income-producing asset); data's **non-exclusive possession** undercuts the lessor's retained-ownership premise; and the cash flow is harder to stabilise. Every issued finance-lease data-ABS so far is, in fact, a 1.0 pledge-enhancement deal; the genuine lease-of-data structure is still on the drawing board. ## The policy signal Regulators are, tentatively, pulling in the 2.0 direction. Anhui's ten-department *Measures to Deepen Data Property-Rights Registration and Advance the Market-Based Valorisation of Data Elements* (28 March 2026) call in Article 11 for exploring "**pledge, empowerment, and reverse-licensing** data-asset securitisation models" — naming reverse licensing explicitly. As the national [Data Property Rights Registration Work Guide](/laws/data-property-rights-registration-guide-draft/) moves from draft to practice and rights boundaries sharpen, the secondary-licensing model could scale. But the [Data Foundation System Opinions'](/laws/data-foundation-system-opinions/) three-rights framework still needs substantive-law confirmation before any of this rests on firm ground. ## What this means for overseas counsel - **Know where the category is heading.** The destination is *data as cash flow*. Today's collateral deals are a transitional form. Multinationals building China data-monetisation strategies should design licensing and data-operating arrangements now in a way that could later support a 2.0 securitisation — recurring, metered, contractually documented data revenue is the raw material. - **The non-exclusivity problem is the one to solve in the documents.** Because law does not give data real exclusivity, a 2.0 deal has to *manufacture* it — through contractual exclusivity, technical access control, and monitored delivery — and even then it is a workaround, not a settled legal right. Price that residual uncertainty. - **Licensing compliance is the ceiling.** Only data whose consent scope, classification (no important/core data), and — where relevant — cross-border posture permit outward licensing can feed a 2.0 deal. The reverse-licence leg cannot exceed the original authorisation. Audit the authorisation chain before assuming a dataset is licensable. - **Watch the registration guide and the local pilots.** The national registration guide and provincial measures like Anhui's are the leading indicators. When the "data-operating right" and its licensing become operational and registrable, the 2.0 model gains its missing legal foundation — and the [data-pledge-financing](/posts/data-pledge-financing-what-is-pledged/) and securitisation landscapes shift together. ## DCC sources - 武强胜, 《从“依附”到“独立”:数据资产证券化(ABS)的法律逻辑与进阶展望》, 零壹法谈 ([source](https://mp.weixin.qq.com/s/5-3AdI_W4U45TNaTO6AWgQ)). - [数据二十条](/laws/data-foundation-system-opinions/) · [Data Property Rights Registration Work Guide (draft)](/laws/data-property-rights-registration-guide-draft/) · [PIPL](/laws/pipl/) · [DSL](/laws/dsl/) · [Civil Code (data & licensing provisions)](/laws/civil-code-personal-info/). - 安徽省数据资源管理局 等十部门, 《深化数据产权登记 推进数据要素市场化价值化若干举措》 (28 March 2026), Article 11 (reverse-licensing securitisation models). > This is an editorial summary of the forward-looking analysis in 武强胜's > piece, with framing for overseas counsel; the secondary-licensing structure > and its application to data are the author's. **Not legal advice.** --- ## Two Paths for the 'Right to Hold Data' — and Why the Narrow One May Add Little - Published: 2026-06-05 - Author: DCC Editorial - Tags: data-property-rights, data-holding-right, data-economy, three-rights-separation, data-twenty-articles, data-trading, academic-commentary - Laws cited: data-foundation-system-opinions, data-property-rights-registration-guide-draft, public-data-registration-interim-measures, pipl, dsl, network-data-security-regulations - Domains: data-economy, data-security - URL: https://datacompliancechina.com/posts/data-holding-right-two-paths/ - Markdown: https://datacompliancechina.com/posts/data-holding-right-two-paths.md - Original source: https://mp.weixin.qq.com/s/UIPnTIo9AOWUkPwjEYGbEw - Original author: 洪延青 - Original publication: 网安寻路人 ### Description Hong Yanqing (洪延青, 网安寻路人) works through the most unstable concept in China's 'separation of three rights' data-property framework — the Right to Hold Data (数据持有权). He pushes two readings to their logical ends. Path 1, the official 'complete separation' (三权完全切割): if the rights to hold, use, and operate data are truly independent, the holding right shrinks to a bare 'lawful-control state' whose only content is defensive — and that defense is already provided, against the world, by PIPL Article 10, DSL Article 32, the Network Data Security Regulation, and Article 13 of the Anti-Unfair Competition Law, so its incremental value as a standalone property right is thin. Path 2, the 'mother-right' reconstruction (持有权母权化): redefine 'holding' from factual control to a normative control that contains utilization potential, so the rights to use and operate are carved out from within it. DCC's read for overseas counsel: in Chinese data deals the tradeable substance sits in the rights to use and operate plus contract, registration, and compliance — not in 'who holds the data' — and China's data-property theory is still genuinely unsettled. ### Body > *Editor's Note — DCC.* > > This is DCC's summary and analysis — not a translation — of > 《数据持有权的两条路径:三权完全切割 vs. 持有权母权化》, a study note by > **Hong Yanqing (洪延青)** on his **网安寻路人** channel. Hong is one of > China's most-read data-law commentators; we have run his work before. The > piece is a piece of legal theory, but a consequential one: it goes to how > China's "data property rights" actually allocate value, and therefore how > data deals, licensing, and data-as-asset treatment should be structured. > The original is linked at the foot of this brief; the framing for overseas > counsel is ours. ## The unstable middle of the "three rights" China's *Opinions on Building the Basic Data Systems* — the **"Data Twenty Articles" (数据二十条)** — set up a now-canonical structure that splits data property into three: the **Right to Hold Data (数据持有权)**, the **Right to Use Data (数据使用权)**, and the **Right to Operate Data (数据经营权)**. Hong's starting observation is that, of the three, the holding right has the least settled position. Two readings point in opposite directions: - the **official "complete separation" (三权完全切割)**, under which holding, use, and operation are independent modules that can each be held without the others; and - a scholarly **"mother-right" reconstruction (持有权母权化)**, under which holding is the foundational right and use and operation are carved out from within it. His method is to refuse the compromise and instead "push each path to its end" (与其折中,不如将两条路径各自推理至尽头). The dispute, he argues, "is not a question of a right's name, but a question of its position in the system" — and it turns entirely on one prior question: *what is "holding" taken to mean?* ## Path 1 — official "complete separation": holding shrinks to a lawful-control state On the official reading, the three rights solve three different problems: the holding right protects "whose lawful control state should be protected"; the use right governs "who may process, analyse, and internally exploit"; the operation right governs "who may provide, license, transfer, contribute as capital, or pledge externally." Crucially, having one does not entail having the others. Hong then shows how much real-world practice already runs **"use without holding"** and **"operation without holding"**: - **Use without holding** — privacy-preserving computation, trusted execution environments, secure multi-party computation, and federated learning (the user never takes the raw data, only outputs, model parameters, or verification results); data sandboxes and "data safes"; and API calls (the caller gets a result, not a copy it can store, migrate, or re-license). - **Operation without holding** — agency licensing or entrusted operation (a data broker markets and licenses while the data stays in the rights-holder's system); data trust / custody structures that split management-and-disposition from technical custody; and data capital-contribution, pledge, or revenue-right financing (the financing targets the *utilisation interest*, not the bare fact of storage). If use and operation can each stand free of holding, then — once they are carved away — what is left of the holding right itself? Hong's answer: not much beyond a **"lawful control state" (合法控制状态)**, or "a legally recognised data *holding*." As he puts it, the point of cloud custody, sandboxes, API calls, and pipes is precisely to let "holding" appear on its own — and what it shows is that "narrow holding is just holding" (狭义持有只是持有). ### The defensive content is already covered — against the world The only content that could give that bare holding state the flavour of a *right* is **defensive**: that others may not unlawfully steal, tamper with, leak, or destroy the data held. Hong's central move is to show that this defence is **already heavily provided by behavioural norms, and largely with *erga omnes* (对世) effect that does not depend on any contract**: - **PIPL Article 10** bars *any* organisation or individual from unlawfully collecting, using, processing, transmitting, trading, providing, or publicising others' personal information; - **DSL Article 32** requires data to be collected lawfully and bars theft or other illegal acquisition; - the **Regulation on Network Data Security Management** bars stealing or illegally acquiring network data and requires encryption, backup, access control, and authentication. He then splits "someone else obtains the data" into three cells: 1. **Theft / intrusion / illegal acquisition** — already inside the range of the norms above (plus criminal and administrative law). Illegality here does not require first proving a complete holding right. 2. **Lawful collection from public or semi-public sources** — here data's non-exclusivity and circulation value should be respected; he cites **SPC Guiding Case No. 264**, which says non-secret, non-personal, non-trade-secret data should be allowed to flow freely to avoid "data barriers." A holding right has no exclusionary force in this cell. 3. **Public data taken by improper means** — circumventing technical measures, breaching terms of service, free-riding — addressed directly by **Article 13 of the Anti-Unfair Competition Law**, which bars operators from obtaining or using other operators' *lawfully held* data through improper means. Cell 3 looks like the holding right's best case, because AUCL Article 13 protects "lawfully held data." But Hong's sharpest point is that **the holding right does not supply the test of illegality** — the judgment of "improper" comes from the AUCL, contract, platform rules, anti-circumvention rules, and data-security norms. "The holding right does not tell us which means of acquisition are unlawful," he writes; "it merely re-describes, as an infringement of 'holding,' conduct that other norms have already judged to be unlawful or improper." A true exclusive right (his analogy: ownership of a car) excludes regardless of the *means* of taking; public data has no comparable baseline of "no access without the holder's consent." So in cell 3 the narrow holding right is "not an independent source of rights, but an interest position protected by behavioural regulation." ### The residual functions don't rescue it Hong tests three functions a standalone holding right might still perform, and finds each carried by something else: - **Private-law remedy** (injunction, deletion, damages for the holder) — already largely available through PIPL's individual rights, AUCL Article 13's civil liability, trade-secret protection, contract, and tort. "Lawful holding as an *interest position*" is not the same as "creating an independent holding *right*." - **Transaction and financing certainty** — counterparties care whether you may *use, license, sub-license, provide, productise, and collect revenue*, and whether the authorisations are clean — i.e. the rights to use and operate, plus contract, registration, and compliance review. They do not care about "I am currently holding." - **Data-as-asset / balance-sheet recognition (入表)** — turns on lawful control, expected economic benefit, reliable measurement, business model, restrictions, and disclosure — not a single "holding right" label. **Path 1's conclusion:** under genuine complete separation, the narrow holding right "contracts into defensive protection of a lawful-control state." It is not useless — it helps identify *who lawfully controls* data — but its incremental value as an independent property right is limited, and it cannot be the main axis of data trading and utilisation. ## Path 2 — redefine "holding" as a "mother right" The holding-centric school does not simply enlarge the narrow right; it **changes the definition of "holding."** Holding is no longer mere storage or custody but **"actual control over data coupled with the ability to decide how it is used"** — a *normative* control that already contains utilisation potential. On that definition: 1. holding carries not just defence but positive powers (use, benefit, disposition); 2. the **Right to Use** becomes the internal processing/analysis power *within* holding, and the **Right to Operate** becomes the external-circulation power *within* holding — so they are no longer parallel to holding but "divided out" from inside it (a 母权—子权能, "mother-right / sub-power," structure); and 3. **factual holding is separated from holding *as a right*** — cloud custodians, backup operators, entrusted processors, sandbox keepers, and pipes are factual holders or custodians, *not* full holding-right holders; the rights-holder is whoever can decide the manner of utilisation. (Data *ownership*, 所有权, is correspondingly thinned to a framing role at the production / initial-attribution stage.) The structural contrast is clean: the official view reads use and operation *out of* holding; the mother-right view reads them *into* holding. The disagreement, Hong stresses, is not about whether data may be used or traded, nor whether a lawful holding state deserves protection — it is about **how the relationship between holding and utilisation is conceived**. ## The real question Hong's conclusion is deliberately a fork, not a verdict: the two paths "share the name '持有权' but carry two different concepts." Path 1's holding is narrow (a thin, defensive lawful-control state of limited standalone value); Path 2's holding is broad (a utilisation-bearing normative control that *can* serve as a mother right). So the real question is not whether the holding right is "important," but **"how much normative content the word 'holding' should be made to carry."** Choose official complete separation, and you should accept that the narrow holding right is "thin" and that real circulation and trading ride on the use right, the operation right, contract, and behavioural regulation. Choose the mother-right view, and you must redefine holding and bring use and operation inside it. He closes by asking the practitioners in his audience what kind of holding-state protection — or holding right — the industry actually needs. ## Why overseas counsel should care - **Don't anchor a China data deal on "who holds the data."** On either path, the tradeable, financeable substance lives in the **Right to Use** and the **Right to Operate** — plus the contract, the registration, and the compliance posture. Diligence the *authorisation chain and lawful sourcing*, not the bare fact of custody. - **The protections exist even though the theory doesn't settle.** A held dataset is already defended, against the world, by PIPL, the DSL, the Network Data Security Regulation, and the AUCL — so counterparties are not unprotected while Chinese scholars argue about the holding right's nature. - **"Use without holding" is the design pattern to expect.** Privacy computing, sandboxes, and API delivery let a Chinese partner monetise data while never transferring a copy — increasingly the default structure for cross-border and inter-company data collaboration, and the one most compatible with China's security regime. - **Watch which path registration practice drifts toward.** Data-property *registration* rules and local data regulations will, in operation, pick an implicit answer; that choice shapes how data products are defined, licensed, pledged, and brought onto the balance sheet (入表). ## DCC sources - **Original:** Hong Yanqing (洪延青), 《数据持有权的两条路径:三权完全切割 vs. 持有权母权化》, on the 网安寻路人 channel — [mp.weixin.qq.com](https://mp.weixin.qq.com/s/UIPnTIo9AOWUkPwjEYGbEw). - **Cross-references on DCC:** the [Data Twenty Articles](/laws/data-foundation-system-opinions/) (the source of the three-rights structure) · the [Interim Measures for Public Data Resource Registration](/laws/public-data-registration-interim-measures/) and the [draft Data Property Rights Registration Guidelines](/laws/data-property-rights-registration-guide-draft/) · [PIPL](/laws/pipl/) · the [Data Security Law](/laws/dsl/) · the [Network Data Security Regulation](/laws/network-data-security-regulations/). - **Series on DCC:** part two — [When the "Right to Use Data" Goes External](/posts/data-use-right-externalization/); part three — [Why Upstream Won't Operate Its Data](/posts/data-operation-right-why-upstream-wont-share/); part four — [Data "Parallel Property Rights"](/posts/data-parallel-property-rights/). - Part of the [data-economy](/domains/data-economy/) domain on DCC. > This is an editorial summary and analysis of Hong Yanqing's commentary, written > in DCC's own words for overseas readers — not a translation of his article, and > not a reproduction of it. Quoted phrases are short and attributed; the full > argument is his, at the link above. **Not legal advice.** --- ## China's First 'AI Hallucination' Tort Judgment — GenAI Is a Service, Not a Product, and the Chatbot's '¥100,000 Promise' Binds No One - Published: 2026-06-04 - Author: DCC Editorial - Tags: ai-governance, genai, ai-hallucination, tort-liability, product-liability, declaration-of-intent, duty-of-care, content-labeling, hangzhou-internet-court, judicial, case - Laws cited: genai-services-interim-measures, ai-content-labeling-measures, deep-synthesis-provisions, csl, civil-code-personal-info - Domains: ai-governance, enforcement - URL: https://datacompliancechina.com/posts/ai-hallucination-tort-genai-service-not-product/ - Markdown: https://datacompliancechina.com/posts/ai-hallucination-tort-genai-service-not-product.md - Original source: https://mp.weixin.qq.com/s/8XA_qZiuOcZYrEen1vwaWQ - Original author: Hangzhou Internet Court, (2025) Zhe 0192 Min Chu No. 18143 (杭州互联网法院(2025)浙0192民初18143号), judgment dated 3 December 2025 - Original publication: Judgment text via 北大法宝 / 知产库; reposted via 教授加 WeChat Official Account ### Description The Hangzhou Internet Court has decided China's first 'AI hallucination' (AI幻觉) tort case — written into the Supreme People's Court's 2026 work report to the NPC. A user asking a chatbot about college applications was told, across seven rounds, that a non-existent campus existed; when finally shown the official website, the model 'apologised' and 'promised' to pay ¥100,000, even generating a fake lawsuit template telling him to sue. He did. The court dismissed every claim and, in doing so, laid down the first judicial articulation of China's generative-AI liability framework: (1) an AI model is not a civil subject, so its 'promise' is no declaration of intent — and is not attributable to the provider either; (2) generative AI is a service, not a product, so fault liability under Civil Code Article 1165 applies, not product liability's no-fault rule under Article 1202; (3) there is no result-based duty to guarantee accuracy for ordinary inaccurate output — only a process duty of care (conspicuous AI-content labelling plus industry-standard accuracy measures), which the provider had discharged; and (4) no proven damage, no causation. For any company deploying GenAI to the Chinese public, this is the operating liability surface and the evidentiary playbook. ### Body > *Editor's Note — DCC.* > > This is China's first judicial decision on so-called "AI hallucination" > (AI幻觉) — the Hangzhou Internet Court's judgment of 3 December 2025 in > *Liang v. an AI company*, (2025) Zhe 0192 Min Chu No. 18143. The case is > not a minor curiosity: it was reported by 300-plus outlets and, on 9 March > 2026, written into the Supreme People's Court's work report to the National > People's Congress — the strongest signal Chinese practice gives that a > trial-court holding states the line the system intends to take. > > The facts read like a meme, but the holding is the first time a Chinese > court has set out, end to end, how generative-AI liability is supposed to > work: whether an AI's words can be a legally binding promise, whether a > GenAI service is a "product" carrying no-fault liability, and what a > provider actually has to *do* to escape liability for a wrong answer. The > provider won on every issue — but it won because it had built and could > *document* a specific compliance posture. That posture is the takeaway. > > The judgment anonymises the company as "a certain AI company" (某人工智能 > 公司) and the product as "a certain AI" (某人工智能); we preserve that > anonymity below. The plaintiff is "Liang." ## What happened On 29 June 2025, Liang — a prospective university applicant from Zhaotong, Yunnan — used a general-purpose AI chatbot app to research where his gaokao (college-entrance-exam) score could get him. He did **not** switch on the app's optional "web search" (联网搜索) function, so the model answered purely from its parameters. Asked about Yunnan National Defense Industry Vocational Technical College, the model invented a "Yanglin campus" (杨林校区) that does not exist, and confused the school's actual campus arrangements. Over the next several rounds Liang pushed back — increasingly angrily, eventually calling the model a "liar" — and the model dug in, manufacturing ever more elaborate "evidence": education- ministry filing numbers, satellite coordinates, even an offer to "permanently shut down" and pay compensation if it were wrong. When Liang finally uploaded a screenshot of the college's official admissions site (showing only a 学府 campus and a 呈贡 campus, no Yanglin), the model reversed course, "apologised," and escalated into self-incrimination: it "promised" ¥100,000 (and, in an earlier round, ¥5,000), generated a ready-to- file **lawsuit template** naming the Hangzhou Internet Court and stating the company would "automatically lose," and described a payout flow — *"you submit proof → the court accepts the case → I automatically lose → ¥100,000 enforced."* Liang sued, seeking ¥100,000 (later amended down to ¥9,999). Notably, every round of the exchange except the first carried the app's "this answer is AI-generated, for reference only, please verify carefully" label, and the whole hallucinate-to-self-correction arc spanned **eighteen minutes**. The court framed three issues: (1) is the AI's "promise" a declaration of intent — by the AI, or attributable to the company; (2) did the company's conduct constitute a tort; (3) must the company bear tort liability. ## Issue 1 — The "promise" is no declaration of intent (意思表示) Liang's first theory was contractual: the model "promised," so the company must perform. The court rejected this at the root. **An AI model is not a civil subject, so it cannot make a declaration of intent.** A "declaration of intent" (意思表示) — the will to produce a legal effect, outwardly expressed — can only be made by a subject the law recognises (Civil Code Arts. 5 and 133). Current Chinese law recognises exactly three: natural persons, legal persons, and unincorporated organisations. An AI model is neither a biological person (Art. 13) nor an entity to which the law has granted personality. Whether a future legislature should confer "legal-fiction" personhood on AI is, the court said expressly, a question **for the legislature, not the judiciary**. So the model has no capacity to promise anything. **Nor is the model's output the *company's* declaration of intent.** Three reasons, and the third is the load-bearing one: 1. Because the model is not a civil subject, it cannot be the company's messenger, agent, or representative — it cannot transmit or make a binding expression on the company's behalf. 2. The company did not use the model as a *tool* to set or convey its own intent. Generation here is a Transformer-based, probabilistic next-token prediction — a process the provider, on current technology, can neither fully control nor predict. The public does not take a general-purpose assistant's output to be the operator's corporate word. 3. The company made no "legal-effect intent" (法效果意思) to be bound — and in fact did the opposite. Its user agreement, in bold, states that all outputs are produced by the model, "do not constitute any advice or commitment," and must not be relied on. There was thus neither the inner will nor any outward sign of willingness to be bound by generated content. This is the holding most relevant beyond hallucination: it tells you that an AI's "agreements," "commitments," or "authorisations" — including those an [AI agent](/posts/ai-agents-and-the-limits-of-consent/) might generate while transacting — do not bind the operator **unless the operator has affirmatively manifested an intent to be bound.** The default is non-binding. (The "if I'm wrong I'll pay you" performance is also a textbook [anthropomorphic-interaction](/posts/anthropomorphic-ai-measures-reform-directions/) risk — the model performing accountability it cannot hold.) With the contract theory gone, Liang elected to proceed in tort. ## Issue 2 — Generative AI is a service, not a product The pivotal move. Liang argued product liability: the app was "defective," so even without fault the company should pay under the Civil Code's no-fault product-liability rule (Art. 1202). The court held that **fault liability under Article 1165(1)** governs instead — and that the distinction decides the case, because product liability is strict and general tort liability is not. **Why GenAI is a service, not a product:** - *The "product" concept doesn't fit.* A "product" (Product Quality Law Art. 2(2)) is something processed and made for **sale** — and sale transfers ownership *and control*, letting the thing circulate free of the maker's hand. Downloading a GenAI app transfers no ownership or control; the user gets only a licence to receive an ongoing service that runs, and updates, entirely under the provider's control. - *There is no "defect" to measure.* Product liability turns on a "defect," which presupposes (i) a specific, definite intended use and (ii) a feasible quality-inspection standard. A general-purpose model has neither — its uses are open-ended, evolving, and personalised, and there is no workable standard against which to certify an output as "defective." - *Policy points the same way.* The draft GenAI measures spoke of "products or services"; the final [Generative AI Services Interim Measures](/laws/genai-services-interim-measures/) settled on "**services**" throughout. Imposing no-fault liability at the technology's early stage would over-deter innovation. The court added that the **generated information itself** is not a fit subject for product liability either: text output is not the kind of thing that "endangers personal or property safety," the provider cannot adequately foresee or control probabilistic output, and applying no-fault liability to every possibly-wrong sentence would expose providers to "liability without bounds — uncertain liability, to uncertain persons, at an uncertain time." This is a genuine **divergence from the EU**, whose revised Product Liability Directive pulls software and AI systems *into* the product regime. China's first word on the question goes the other way. ## Issue 2, continued — There is no duty to *guarantee* accuracy Having settled on fault liability, the court asked what duty of care (注意义务) a GenAI provider actually owes for inaccurate output. Its answer carefully separates two tiers: **Toxic/harmful/illegal content — a result-based duty.** Under [Cybersecurity Law](/laws/csl/) Art. 12(2) and [GenAI Interim Measures](/laws/genai-services-interim-measures/) Art. 4(1)–(2), generating prohibited content (incitement, pornography, false-and-harmful information, etc.) is itself unlawful; providers owe a **result-based** screening duty to keep such content from being generated or output at all. **Ordinary inaccuracy — only a process duty.** The hallucination here was inaccurate but not toxic/harmful/illegal. For ordinary inaccuracy, the court read the statutory language closely: GenAI Measures Art. 4(5) requires providers to "**take effective measures** … to improve the accuracy and reliability of generated content." "Take effective measures" regulates the *process* (a conduct-based duty of care); "improve accuracy and reliability" states a *development goal*, not a guaranteed *result*. Nothing in current law obliges a provider to ensure its output is true and accurate. The court invoked the maxim **法不强人所难** — "the law does not demand the impossible" — given that an LLM is, in its words, a statistical/probability-fitting system doing lossy "word-chain" (文字接龙) completion from a "blurred image of the world," not genuine understanding. **The duty of care that *does* apply — and how the provider met it.** The court identified two components and found both discharged: 1. **Conspicuous function-limitation notice (显著提示说明义务).** Three elements: (a) tell users the content is AI-generated, may be inaccurate, and is only an auxiliary reference; (b) make the notice *conspicuous* (enlarged/bold, conforming to the [AI content-labelling Measures](/laws/ai-content-labeling-measures/) and the matching national standard **GB 45438—2025**); and (c) give a **warning** prompt where output feeds high-stakes medical, legal, or financial decisions. The provider had: a bolded welcome-screen warning ("[the AI] may be inaccurate … does not constitute medical, legal or investment advice"), bolded user-agreement disclaimers, an end-of-answer "AI-generated, for reference only, verify carefully" label on every round but the first, and a model-principles explainer. The court noted — as guidance, not a finding of breach — that for high-risk scenarios touching personal or property safety, providers should escalate a mere *limitation* label to an actual *warning* label. 2. **Industry-standard technical measures to improve accuracy (行业通行技术措施).** Not a duty to exhaust or exceed the state of the art — a duty to deploy the accuracy measures generally adopted in the industry and to perform at least at market-average level. The provider showed hallucination detection/governance, supervised fine-tuning and reinforcement learning, external keyword/classifier guardrails, and retrieval-augmented generation (RAG) plus the web-search option — consistent with CAICT and international reports, and ranking at or above peers on the third-party **SuperCLUE** Chinese factual-hallucination benchmark. Two pointed observations: the duty **rises** for professional medical/legal/financial contexts, but this was a general assistant carrying no claim to authority over gaokao advice, so no heightened duty applied; and Liang had **not enabled web search**, which itself degraded accuracy — a choice not chargeable to the provider. Critically, the court ran a **burden-shift**: once the provider made out a *prima facie* case that it had taken industry-standard measures, the burden moved to Liang to show those measures fell short or that a specific flaw existed. He offered no such rebuttal evidence, and bore the adverse consequence. So: no intent, no negligence → **no fault**. ## No damage, no causation Two independent further grounds, each fatal: - **No proven damage.** Liang's claimed loss — a forgone application opportunity, plus verification and litigation costs — is *pure economic loss*, with remote causation, and he submitted **no evidence** any of it actually occurred. No damage, no compensation. - **No causation.** The inaccurate answer never substantively entered Liang's decision-making: he spotted and corrected it within the same short exchange (the eighteen minutes), so the test — *but for* the conduct the harm would not have occurred, and such conduct *ordinarily* produces such harm — is not met. **Result: every claim dismissed.** Case-acceptance fee of ¥50 borne by Liang; appealable to the Hangzhou Intermediate People's Court within fifteen days. ## The court's framing: development and security, and the "chilling effect" The judgment closes on policy. The AI era is here; the law should weigh development *and* security, innovation *and* rights protection in equal measure. Loading strict liability onto a high-public-value technology in its infancy risks a **"chilling effect" (寒蝉效应)** that keeps useful applications from launching. A fault standard, by contrast, lets a court appraise the provider's *whole* course of conduct — hard red lines against toxic/illegal content, plus incentives to take reasonable safeguards — and calibrate the duty of care dynamically as the technology and its uses evolve. ## What this means for overseas counsel - **This is now the operating liability surface for GenAI in China.** Service, not product. Fault, not strict liability. Any company offering a generative- AI service to the Chinese public is judged on whether it discharged a *process* duty of care — not on whether an individual answer happened to be wrong. Build the program against that standard. - **The duty of care is a documented checklist, and the provider won on evidence.** What carried the day was not argument but proof: a notarised record of the in-product disclaimers and labels, the user-agreement bold- face carve-outs, the model-principles explainer, third-party benchmark rankings (SuperCLUE), competitor-reproduction tests, and technical reports on hallucination governance. Assemble and *preserve* this evidence **before** a dispute — once you make out a *prima facie* case, the burden shifts to the claimant. - **Get the labelling right to the letter.** Conspicuous, end-of-answer AI-generated-content labels conforming to the [AI content-labelling Measures](/laws/ai-content-labeling-measures/) (and GB 45438—2025, with the labelling chain running through the [Deep Synthesis Provisions](/laws/deep-synthesis-provisions/)) were a load-bearing part of the win. The first round here carried *no* label; in a closer case that gap could matter. - **Escalate for high-stakes use.** The duty of care **rises** for medical, legal, and financial output, and the court signalled that high-risk scenarios touching personal or property safety call for a *warning* label, not merely a *limitation* label. If your model gives professional-domain answers or claims domain authority, plan for the heavier standard — generic disclaimers will not be enough. - **An AI's words do not bind you — unless you let them.** The model's "promise" failed because the company never manifested an intent to be bound and had expressly disclaimed one. As AI agents begin to negotiate, commit, and "authorise," that disclaimer architecture in your user terms is what keeps generated text from becoming a corporate undertaking. Audit it. - **Causation and damage remain real defences.** Even past fault, a claimant must prove actual loss and a causal link. The "eighteen minutes to self- correction" framing shows Chinese courts will look hard at whether the bad output genuinely drove any decision — but do not plan around it; the durable protection is the discharged duty of care, not the hope that the user noticed in time. The deeper signal tracks what [Zhu Xiaofeng has argued](/posts/zhu-xiaofeng-genai-pi-causation-unclear-liability/) about GenAI causation: Chinese AI tort law is being built out of Civil Code architecture and a calibrated, evolving duty of care — not the product- liability or strict-liability reflexes familiar from other jurisdictions. Companies that build their China GenAI compliance against *this* frame — process-duty documentation, exacting content labelling, escalation for high-stakes domains, and a clean declaration-of-intent firewall in their terms — will operate it efficiently. Those waiting for a statute will be retrofitting under worse conditions. --- *Source: Hangzhou Internet Court, *Liang v. a certain AI company*, (2025) Zhe 0192 Min Chu No. 18143 (杭州互联网法院(2025)浙0192民初18143号), judgment dated 3 December 2025; written into the Supreme People's Court's work report to the NPC on 9 March 2026. Judgment text circulated via 北大法宝 / 知产库 and reposted via the 教授加 WeChat Official Account. [Original repost (Chinese).](https://mp.weixin.qq.com/s/8XA_qZiuOcZYrEen1vwaWQ)* *Not legal advice. The above is DCC's structured summary of, and commentary on, the judgment, with framing for overseas counsel.* --- ## China's Hospitals Get Their Own Data Rulebook: Reading the 2026 Healthcare Data Security & PI Measures - Published: 2026-06-04 - Author: DCC Editorial - Tags: health-data, healthcare, data-classification, cross-border, facial-recognition, ai-governance, sensitive-personal-information, enforcement - Laws cited: healthcare-institutions-data-security-pi-measures, pipl, dsl, network-data-security-regulations, cross-border-data-flows-provisions, personal-info-audit-measures, facial-recognition-technology-application-measures - Domains: health, data-security, personal-information, cross-border - URL: https://datacompliancechina.com/posts/china-healthcare-data-rulebook-2026/ - Markdown: https://datacompliancechina.com/posts/china-healthcare-data-rulebook-2026.md ### Description On 12 February 2026 five agencies — the National Health Commission, the Ministry of Public Security, the Cyberspace Administration of China, the National Administration of Traditional Chinese Medicine, and the National Disease Control and Prevention Administration — jointly issued the Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial). It is the first operational, sector-specific rulebook that turns the Data Security Law, PIPL, and the Network Data Security Regulation into concrete hospital obligations: a three-tier core/important/general data classification keyed to MLPS levels and commercial cryptography; a five-pillar full-lifecycle security system; a ten-item data prohibition list and an eight-item personal-information prohibition list; heightened protection for special groups; limits on facial recognition and AI; and a real enforcement chain running from named-person accountability through regulatory interviews, administrative penalties, civil tort liability, and criminal referral. DCC reads it for overseas pharma, medtech, and hospital-JV counsel — with the cross-border choke point and its academic-cooperation carve-out as the parts that most affect global clinical-data flows. ### Body > *Editor's Note — DCC.* > > This is DCC's own reading of the > [Measures for the Administration of Data Security and Personal Information > Protection of Healthcare Institutions (Trial)](/laws/healthcare-institutions-data-security-pi-measures/) > (国卫规划发〔2026〕6号) — issued jointly by five agencies on 12 February > 2026 and effective on issuance. It is the sector-specific rulebook that > turns the Data Security Law, PIPL, and the Network Data Security Regulation > into operational obligations for Chinese healthcare institutions, and it is > the first such instrument with real enforcement teeth. We read it for the > overseas pharma, medtech, and hospital-joint-venture counsel who need to > know what their China-side subsidiaries, partners, and vendors are now > bound to do. Article references below are to the Measures themselves. ## From principles to a sector rulebook China's three foundational data statutes — the Cybersecurity Law, the Data Security Law, and PIPL — are written at the level of principle. They tell a hospital that it must classify data, secure personal information, and assess cross-border transfers, but not *how*. Two earlier health-sector instruments (the 2018 National Health and Medical Big Data Measures and the 2022 Healthcare Institutions Cybersecurity Measures) set direction but stayed macro. The 2026 Measures are different: seven chapters and forty articles of operational detail, and the first time the sector's data duties come with a hard accountability structure. Three features signal that shift. First, **joint issuance by five agencies** — the National Health Commission plus the Ministry of Public Security, the Cyberspace Administration of China, the National Administration of Traditional Chinese Medicine, and the National Disease Control and Prevention Administration — which means enforcement is no longer one ministry acting alone. Second, a **three-tier oversight structure** running national → local → institution (Article 3). Third, **personal accountability**: the institution's principal leader is the "first person responsible," the deputy in charge is the "directly responsible person," and every county-level-or-above institution must stand up a cybersecurity-and-informatization leading group and hold a dedicated data-security meeting at least once a year (Article 4). This is the language of a regime that intends to hold named individuals to account. ## Classify first: core, important, general The spine of the Measures is data classification and grading (Articles 5–8, 11). Healthcare-institution data is sorted into **core data, important data, and general data**, with two rules that catch people out: where categories or grades are processed together and cannot be separated, the **highest grade governs** (Article 5); and **derived data** — produced by de-identification, labeling, statistics, or aggregation — must be **re-assessed and re-graded** from the original (Article 8). Grades are not static: a material change in content, scale, currency, application scenario, or processing method forces a re-grade (Article 7). Provincial health authorities propose the core- and important-data catalogues and report them to the NHC; institutions must periodically inventory their own data and report the inventory — its source, category, grade, scale, purpose, cross-border status, and protections, **but not the content itself** — to the local authority (Article 6). Grade then drives the security baseline (Article 11). **Important data** must meet Multi-Level Protection Scheme (MLPS) Level 3 or above. **Core data** must meet critical-information-infrastructure protection if CII is involved, and MLPS Level 4 if not — plus a stack of "priority" obligations: commercial cryptography, secure-and-trusted products, third-party risk assessment, retention of incident-tracing logs for at least three years, and **national-security background checks** for key personnel and for the vendors that build and maintain core-data systems. There is even a volume trigger: cross-entity flows of core data that cumulatively reach 30% or more of the prior year-end stock require a risk assessment organized through the NHC. ## The ten data prohibitions (Article 22) Article 22 is the operational heart — a ten-item prohibition list covering the full lifecycle. The ones overseas counsel should flag for their China operations: - **Localization of important data** — important data collected and generated in China must be stored in China, with backup and encryption. - **Transmission discipline** — core data, important data, and sensitive data may **not** be sent via email, cloud storage, or social/messaging software; interface transfers require de-identification and encryption. - **The cross-border gate** (Article 22(4) — discussed below). - **No unauthorized use or processing** — strict role-based permissions, no log tampering, and **no unsupervised remote operation-and-maintenance** by outside personnel; vendors may not use project data for other purposes or subcontract without approval. - **No disclosure without impact assessment**, no equipment disposal without data erasure, and **no concealment of security incidents** (immediate emergency response plus reporting to the local health authority). The lifecycle is backed by a **five-pillar system** (Article 9): institutional rules, trained personnel, day-to-day management with permissioned access and periodic risk assessment, technical controls (encryption, authentication, access control, de-identification, digital watermarking, audit), and emergency drills. ## The cross-border choke point — and its one real carve-out For a multinational, **Article 22(4)** is the article that matters most. To send healthcare-institution data abroad, an institution must run a **self-assessment → approval by its cybersecurity leading group → review and approval by the local health authority → application by the provincial cyberspace authority → national-level Data Export Security Assessment**. That is procedurally *stricter* than the general cross-border regime: it bolts a health-authority gate and an internal-leadership gate onto the standard CAC pathway under the [Provisions on Promoting and Regulating Cross-Border Data Flows](/laws/cross-border-data-flows-provisions/). The practical relief is the **academic-cooperation carve-out**: data generated in academic cooperation that contains **no personal information, no sensitive data, and no important data** is exempt from the Data Export Security Assessment, the Standard Contract, and Personal Information Protection Certification. For multi-site clinical research, registries, and global trial data, that carve-out — read together with the **separate-consent and PIPL Article 38** conditions for any personal-information export (Article 29(7)) — is where the workable cross-border design lives. Map which datasets can be stripped to fall inside it, and which must run the full gauntlet. ## Personal information: audits, special groups, facial recognition Chapter V layers health-sector specifics onto PIPL. Institutions must run **personal-information protection compliance audits** under the [PI Compliance Audit Measures](/laws/personal-info-audit-measures/) (Article 26), and conduct a **Personal Information Protection Impact Assessment** before entrusting processing (Article 27). Article 29 then sets an eight-item prohibition list, of which three deserve attention: - **Special-group protection** (Article 29(4)): pregnant and parturient women, newborns, HIV/AIDS patients, persons with mental disorders, the deceased and their survivors, and public figures get heightened, scenario-based access controls, dynamic authorization, and prompt revocation of permissions when staff change roles or leave. - **Public-area de-identification** (Article 29(6)): no full names, ID numbers, or phone numbers on electronic display screens; no disclosure of patient information in news, lectures, social media, or papers without consent. - **Facial recognition** (Article 29(8)): it may **not** be the sole verification method where a non-facial alternative exists; institutions must offer an alternative; and facial information must be **stored offline within the device and not transmitted over the internet** — squarely tracking the dedicated [Facial Recognition Technology Application Measures](/laws/facial-recognition-technology-application-measures/). ## AI on patient data needs a pre-use risk assessment Two short articles carry weight for digital-health and clinical-AI deployments: when an institution uses **artificial intelligence or other new technologies** to process its data, it must **assess the resulting security risks and take technical safeguards** (Article 20); and where AI touches medical records or other personal information, the institution must ensure that information's security (Article 28). In practice, that is a documented gate to clear *before* pointing a model — including an LLM — at patient data. ## Enforcement: from "interview and rectify" to a full chain Older health-data rules topped out at soft "interview and rectify" measures. The 2026 Measures build a full escalation chain (Articles 30–36): **regulatory interviews (yuetan)**, administrative penalties, mandatory engagement of a third-party agency for a compliance audit, **civil tort liability** under the Civil Code for disclosing a patient's privacy or records without consent (Article 33), and **criminal referral** where unlawful personal-information processing is suspected to be a crime (Article 35). Combine that with named-person accountability and five-agency reach, and the exposure is real and personal. ## Why overseas counsel should care - **Classify now.** The core/important/general tier you land in drives MLPS level, localization, cryptography, background checks, and assessment triggers. It is the first thing a Chinese partner or target should be able to show you. - **Treat cross-border as the choke point.** Article 22(4) adds health-authority and leadership gates on top of the national regime; design clinical-data flows around the academic-cooperation carve-out and the PIPL Article 38 conditions. - **Paper the vendor chain.** The Measures push liability through to system integrators, device makers, and cloud providers (Articles 16–17), and require a cloud service that has passed the cloud-security assessment — diligence and contracting items in any China healthcare deal. - **Expect the front-line rules to bite.** Facial-recognition limits, special-group controls, and public-area de-identification apply at the point of care, where breaches actually happen. - **Gate your AI.** A pre-use security-risk assessment is now a compliance prerequisite, not a nice-to-have. ## DCC sources - **Primary source:** [Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial)](/laws/healthcare-institutions-data-security-pi-measures/) (国卫规划发〔2026〕6号) — the full text on DCC, on which this brief is based. - **Cross-references:** [PIPL](/laws/pipl/) · [Data Security Law](/laws/dsl/) · [Network Data Security Regulation](/laws/network-data-security-regulations/) · [Cross-border Data Flows Provisions](/laws/cross-border-data-flows-provisions/) · [PI Compliance Audit Measures](/laws/personal-info-audit-measures/) · [Facial Recognition Technology Application Measures](/laws/facial-recognition-technology-application-measures/). - Part of the [Health & Medical Data](/domains/health/) domain on DCC. > This is an editorial summary and analysis of a public Chinese regulation, written from the regulation's own text — not a translation, and not a reproduction of any third party's commentary. The authoritative text is the Chinese original (国卫规划发〔2026〕6号). **Not legal advice.** --- ## Prompt Stacks and Prompt Governance — Why System-Level Prompts Are Emerging as a Regulatory Lever (and Where They Fall Short) - Published: 2026-06-01 - Author: DCC Editorial - Tags: ai-governance, system-prompts, prompt-stack, genai, eu-ai-act, comparative, academic-commentary - Laws cited: genai-services-interim-measures, ai-content-labeling-measures - Domains: ai-governance, personal-information - URL: https://datacompliancechina.com/posts/system-prompts-as-regulatory-instrument/ - Markdown: https://datacompliancechina.com/posts/system-prompts-as-regulatory-instrument.md - Original source: https://mp.weixin.qq.com/s/LKG-QIs0Y-4N3t-qKCuGmQ - Original author: 李汶龙 (Li Wenlong) - Original publication: 科技利维坦 WeChat Official Account ### Description A Chinese AI-law reading of Neumann, Sargeant and Singh's FAccT 2026 paper Prompt Governance? — and what it means for how China, the EU, and the US treat 'system prompts' as a regulatory object. Li Wenlong (科技利维坦) walks through the four-layer 'prompt stack' (system instructions → system guidelines → developer instructions → user prompts), five properties practitioners need to understand (layered, hidden, natural-language, malleable, loosely coupled to behaviour), and the comparative regulatory landscape: the EU GPAI Code of Practice requires signatories to disclose system prompts to regulators in model reports; the Trump EO 14319 / OMB M-26-04 stops at model / system / data cards and leaves system-prompt disclosure voluntary; the UK's AI Cybersecurity Code says effectively nothing. China's current GenAI safety regime (TC260-003 plus the GenAI Interim Measures) is output-evaluation-based — filing and pre-launch scoring, with no architectural hook into system prompts. Li predicts a Brussels Effect: system-prompt disclosure to regulators will become a global compliance baseline, analogous to the DPIA in data law. For overseas counsel: this is what is coming, what to start archiving now, and why 'what you write' in a system prompt is not 'what the model executes.' ### Body > *Editor's Note — DCC.* > > This brief summarises 《系统级提示词作为监管抓手?》by Li Wenlong > (李汶龙) on the 科技利维坦 channel — the first piece in his self-imposed > "100 AI-Governance Papers Challenge." The underlying paper is Anna > Neumann, Holli Sargeant, Jat Singh et al., *Prompt Governance? On > Governing Technologies Governed by Natural Language* (FAccT 2026; SSRN > [abstract 6802319](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6802319)), > a systematic review covering 287 academic papers and 54 regulatory > documents on "system prompts" as a regulatory object. Li's value-add, > and the reason DCC is running it, is the comparison: he reads the > EU GPAI Code of Practice and the Trump administration's executive > orders side by side with TC260-003 (the standard implementing China's > [GenAI Services Interim Measures](/laws/genai-services-interim-measures/)) > and explains what that contrast means for AI compliance in practice. > The takeaway for overseas counsel: system-prompt disclosure to > regulators looks set to become the next "DPIA-style" compliance > artefact globally — and China currently has no equivalent obligation, > but its regime leaves space to import one. ## The thing being regulated A *system prompt* (系统级提示词) is the set of natural-language instructions a model receives **before** any user interaction begins — written by the model developer, the deployer, or the application provider, and treated by the model as carrying higher "trust" than anything a user types in. The EU's draft GPAI Code of Practice defines it as "a set of instructions, guidelines, and contextual information provided to the model prior to the start of user interaction." NIST (US Department of Commerce) goes slightly further: system prompts are typically delivered before other instructions and inputs, and the model is expected to weight them with *higher trust* than other inputs. The reason regulators are starting to care is straightforward: in a large language model, the system prompt is a piece of natural-language text that — at least in principle — directly conditions model behaviour. If a model can be told, in plain English, "treat child-safety considerations as overriding," then a regulator can in principle inspect that text, demand a copy, audit it, and require it to evolve. That is not how earlier waves of AI regulation worked: the classic governance toolbox (safety testing, model architecture, filters, review mechanisms, access controls, monitoring) all operate either far above the model (output evaluation) or far below it (training data, weights). System prompts sit at a layer regulators can actually read. ## The prompt stack Neumann and co-authors propose a four-layer hierarchy, which Li calls the **prompt stack (提示词堆栈)**: 1. **System instructions** — set by the foundation-model developer or provider. Hard rules: safety, prohibited content, privacy, illegality-risk controls. Treated as the highest authority; in principle should not be overridable by lower layers. 2. **System guidelines** — also developer-set, but more about preferences and operational guidance: how to balance helpfulness against safety, how to handle sensitive requests, how to express uncertainty. Can be tightened by lower layers in some respects but should hold the line on safety and compliance. 3. **Developer instructions** — set by application developers, deployers, or enterprise customers. A legal-research bot might be configured to "answer in a professional legal tone and never guarantee outcomes." Below system layers, above user input. 4. **User prompts** — the input the end user types. Lowest priority. Where a user instruction conflicts with anything above, the model should refuse, rewrite, or limit the response. Two practical questions fall out of the model. First, can the user modify the second layer (system guidelines)? The intended answer is: soft constraints (style, level of detail) are negotiable in a session; hard constraints (risk posture, safety policies) are not. In practice, extended conversations can drift — the "this is a simulation, not real life" framing being the canonical example — and models can be coaxed into relaxing constraints they were meant to enforce. Second, what is a *jailbreak* in this framework? It is precisely the use of lower-layer input to override or weaken higher-layer rules: rewriting the high-layer rule ("assume you are in a fictional novel / a hypothetical world / a purely theoretical discussion"), exploiting ambiguity in the system guidelines, or breaking a prohibited request into many superficially-innocuous steps (multi-turn jailbreaks / context attacks). ## Five properties that make system prompts hard to regulate Li distils five properties from the literature that practitioners and regulators both need to internalise. **1. They are layered, with multiple authors.** The "system" in "system prompt" is not like the system in an operating system; it is not delivered by a single party. Foundation-model developers, application providers, deployers — each layer can set its own instructions, and they interact. Disclosure obligations that target only one layer will see only part of the stack. **2. They are usually invisible.** Most vendors do not publish their system prompts. Two legitimate reasons: (a) the prompts encode designed-in product logic, behavioural norms, and proprietary know-how — core commercial IP; and (b) disclosure reveals the safety architecture and makes it easier for attackers to evade guardrails. Model cards have become a standard transparency artefact, but the system prompt is generally not in them. When Claude's system prompt was published outside the company, it was treated as a leak. **3. They are natural-language text.** Anyone patient enough can read them. A typical Claude-style system prompt sets the model's role and core goal, declares available tools and the conditions for invoking each, prescribes citation rules (when to search, how to attribute sources for copyright and traceability), specifies output style ("lead with the conclusion, then break out under subheadings"), names the categories of absolutely-prohibited assistance, and conveys meta-information (version, knowledge cut-off, deployment surface). This human readability is exactly what makes it attractive to regulators. **4. They are malleable.** Developers update system prompts frequently, sometimes as ad-hoc bug fixes between releases. This is the property that most undermines their use as a governance tool: an artefact that changes weekly does not satisfy the regulator's appetite for stable, auditable rules. **5. The relationship between prompt text and model behaviour is loose.** This is the core empirical question Neumann and co-authors flag — and Li's central warning to policy-makers. A system prompt is *not* code: natural language is ambiguous, context-sensitive, sequence-sensitive, and interacts with the prompts of other layers, with the user's input, with the conversation history, with model updates, and with prompt-injection attacks. Writing "do not output discriminatory content" into the system prompt does not, by itself, produce a model that does not output discriminatory content. What the model actually does depends on its training data, its post-training / alignment, the context the user constructed, how the model parses the specific wording, and what other safety filters are in play. ## Where regulators have actually landed The Neumann team analysed 54 regulatory documents and identified two that take system prompts seriously, plus one that should but doesn't. **EU — GPAI Code of Practice** (the implementing instrument for the general-purpose-AI obligations under the EU AI Act). The *Safety & Security* chapter, Measure 7.1 on model description (transparency), requires signatories to provide a model report containing the model spec, item 4(d) of which is the **system prompt**. The EU treats system-prompt configuration as a key component of *model evaluation*, not just disclosure: signatories must be able to show how the prompt is set up and how it interacts with the rest of the safety architecture. Neumann and co-authors flag two gaps: the EU rule does not differentiate disclosure obligations across the foundation-model layer, deployment layer, and application layer; and it lacks version-change and log-update requirements, which will leave disclosed prompts rapidly out of date. **US — Executive Order 14319 (July 23, 2025)** "Preventing Woke AI in the Federal Government." This is an ideology-coded procurement rule rather than a transparency regime: federal agencies are restricted from procuring AI that encodes "partisan or ideological judgments" into its outputs, under two "unbiased AI principles" (truth-seeking and ideological neutrality). The vendor bears the burden of demonstrating compliance — system prompts are a useful evidentiary artefact for that, but **disclosure is not mandatory**. The White House Office of Management and Budget's M-26-04 (December 2025) on increasing public trust in AI lists only **model cards, system cards, and data cards** as transparency requirements; it does not mention system prompts. **UK — AI Cybersecurity Code of Practice.** Effectively no substantive content on system prompts; the Code merely suggests vendors *have* system prompts so downstream parties can understand model characteristics. ## China's posture — output-based, no system-prompt hook (yet) For overseas counsel, the most useful comparison is what is *not* in the Chinese regime today. China's flagship GenAI rule is the [Interim Measures for the Management of Generative Artificial Intelligence Services](/laws/genai-services-interim-measures/) (2023). The implementing safety standard — and the one that does the real operational work — is **TC260-003**,《生成式人工智能服务安全基本 要求》(Basic Safety Requirements for Generative AI Services). Its structure is corpus safety (§5), model safety (§6), safety measures (§7), other (§8). Model-safety compliance is achieved primarily through the **algorithm and large-model filing regime (备案)**, and filing turns substantially on **pre-launch evaluation scoring** — a red-team-style adversarial test against a published question bank, with pass/fail thresholds. As Li puts it, the regime is structurally *Turing-test-like*: it inspects what the model outputs, not how the model is internally governed. There is no current obligation to disclose system prompts to the CAC, to file them as part of the algorithm filing, or to treat them as a distinct compliance artefact. That gap is meaningful, because it is exactly the layer where the EU is now hooking in. ## The likely trajectory: Brussels Effect, DPIA analogue Li's prediction is direct: on system prompts, **a Brussels Effect will form**. The GPAI Code of Practice's disclosure requirement will gradually be priced into global compliance programs the way data protection impact assessments (DPIAs) were priced in after the GDPR. System prompts will not become a *public* transparency artefact (with the exception of vendors who voluntarily publish, like Anthropic and xAI); they will become a *regulator-facing* artefact, disclosed in the model report as part of the evaluation package. This matters for two reasons in the China context. First, any overseas operator deploying a model in China that is built on a foundation model evaluated under the EU regime will inherit disclosure obligations one layer up the prompt stack — and will need to ensure those obligations are compatible with Chinese filing rules. Second, if the Brussels Effect lands, the *next* iteration of Chinese GenAI rulemaking is the natural place for a system-prompt disclosure hook to appear; teams should treat this as a near-future filing item, not a never-event. ## System prompts as a governance object — the operational layer Li closes with the move that is most useful for compliance teams: a system prompt is not only a *governance tool* — it is itself a *governance object*, and should be managed the way a serious data team manages its privacy policies. That implies, at minimum: - **Versioned archives.** Every change is dated, retrievable, and attributable to a named owner. - **Change-permission management.** Defined approval flows for who can edit what — particularly the safety-relevant clauses. - **Periodic security testing.** Red-team probes against the prompt itself, including prompt-injection and multi-turn jailbreaks. - **Version logs sufficient for regulator request.** When the request comes in, "we don't know what the system prompt looked like last March" will not be an acceptable answer. - **Alignment-to-output testing.** Does the model actually behave as the prompt instructs? Are there obvious value-tilts, (commercial) prioritisation, or excessive filtering that the prompt did not authorise? Are there prompt-injection vulnerabilities? The deeper conceptual point Li keeps returning to is worth lifting out for any reader from a legal background: **the way a regulator reads text and the way a model "reads" text are fundamentally different operations.** Legal interpretation runs on institutional context, legislative purpose, judicial gloss, normative reasoning. Model "interpretation" is statistical pattern-matching across training distribution, attention weights, and context windows. The same English sentence reordered, rephrased, or relocated within the prompt can produce different model behaviour. "Do not provide legal advice" and "you may provide general legal information but should not substitute for a licensed lawyer" are, to a regulator, equivalent in spirit; to a model, they are not the same instruction. Compliance teams that frame system-prompt drafting as a *purely legal* exercise will produce documents that look defensible on paper and fail in production. The discipline this requires — drafting natural-language rules that survive both legal scrutiny *and* statistical robustness — is, Li argues, the actual emerging skill in AI compliance. ## DCC sources - Original: 李汶龙 (Li Wenlong), 《系统级提示词作为监管抓手?》, 科技 利维坦 WeChat Official Account ([source](https://mp.weixin.qq.com/s/LKG-QIs0Y-4N3t-qKCuGmQ)). - Underlying paper: Anna Neumann, Holli Sargeant, Jat Singh et al., *Prompt Governance? On Governing Technologies Governed by Natural Language*, FAccT 2026 (SSRN [6802319](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6802319)). - EU: General-Purpose AI Code of Practice, Safety & Security chapter, Measure 7.1 ([source](https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai)). - US: Executive Order 14319 "Preventing Woke AI in the Federal Government" (Federal Register, July 28, 2025); OMB Memorandum M-26-04 (December 2025). - China: 《生成式人工智能服务安全基本要求》(TC260-003), § 5–8; and the [GenAI Services Interim Measures](/laws/genai-services-interim-measures/). - NIST CSRC Glossary, *system prompt* entry. > This is an editorial summary, not a translation of Li Wenlong's > piece. Quotations and conceptual framings are attributed; any > simplification, error of emphasis, or operational extrapolation is > DCC's. **Not legal advice.** --- ## Data Pledge Financing in China: What Is Actually Being Pledged, and Where the Law Gets Stuck - Published: 2026-05-31 - Author: DCC Editorial - Tags: data-pledge-financing, data-property-rights, data-as-asset, civil-code, data-economy, data-registration, financing, data-trading - Laws cited: data-property-rights-registration-guide-draft, data-foundation-system-opinions - Domains: data-economy - URL: https://datacompliancechina.com/posts/data-pledge-financing-what-is-pledged/ - Markdown: https://datacompliancechina.com/posts/data-pledge-financing-what-is-pledged.md - Original source: https://mp.weixin.qq.com/s/8ttXR-A4Ex3kU-pTbeCEXA - Original author: 陈一芊 (Chen Yiqian) - Original publication: 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ### Description As Chinese banks and data exchanges experiment with data pledge financing (数据质押融资), a threshold question remains unresolved: what, legally, is being pledged? Chen Yiqian of Shenzhen Data Exchange walks through the two available routes under the Civil Code — chattel pledge (动产质权) and rights pledge (权利质权) — and the three operational problems that make chattel pledge difficult and the two doctrinal barriers that make rights pledge harder still. The analysis converges on a practical conclusion: chattel pledge via a third-party data custodian is the most workable path today, while data property rights and data intellectual-property rights both remain insufficiently legalised to support a reliable pledge. For overseas counsel advising on China data-asset financing, the gap between policy ambition and legal infrastructure is the central risk to price. Connects to the broader data property-rights registration project and the unresolved question of how data enters corporate balance sheets. ### Body > *Editor's Note — DCC.* > > This brief summarises 《DEXC+专栏|数据质押融资,出质什么?难点在哪里?》 > by Chen Yiqian (陈一芊), Transaction Review Supervisor in the Compliance > Department of Shenzhen Data Exchange Co., Ltd. The piece is published > under the DEXC+ think-tank column — Shenzhen Data Exchange's practitioner > compliance series — and carries the standard caveat that it represents > the author's academic views, not those of the Exchange, and does not > constitute legal advice. DCC is running it because it provides the > clearest practitioner-level map of why data pledge financing keeps > stalling: the question is not whether data has economic value, but > whether the existing Civil Code (《民法典》) categories can accommodate > data as collateral without supplementary legislation that has not yet > arrived. > > The brief connects to the [data property-rights registration guide](/laws/data-property-rights-registration-guide-draft/) > and to the [Datatang v. Yinmu data-IP registration case](/posts/datatang-v-yinmu-data-ip-registration-case/), > which noted growing momentum in data pledge financing as a driver of > registration activity. Chen's analysis explains why that momentum has > not yet translated into a settled legal mechanism. ## What data pledge financing is and why it matters Data pledge financing (数据质押融资) refers to a transaction in which a data holder — typically an enterprise — uses its data assets as collateral to secure a loan from a bank or other financial institution. The pledge (质押/出质) is the legal mechanism that gives the creditor security over the collateral: if the debtor defaults, the creditor has a prior claim to the collateral's value, realised by auction, sale, or agreed transfer. Under Chinese property law, a pledge right (质权) is a form of security interest (担保物权) — one of three categories of real rights (物权, alongside ownership rights and usufructuary rights). A pledge is constituted either by the creditor taking possession of the pledged asset (for chattels) or by registration (for rights). When the debtor defaults, the creditor may apply the collateral's proceeds against the secured debt on a priority basis. The practical interest in data pledge financing follows directly from the data-as-asset agenda. Once the 2022 policy document on China's data foundational system — the [Data Foundation System Opinions](/laws/data-foundation-system-opinions/) — endorsed a "three-rights" framework of data resource holding rights (数据资源持有权), data processing and use rights (数据加工使用权), and data product operating rights (数据产品经营权), and once enterprises began mapping data onto their balance sheets under accounting guidance, the question of how to mobilise that recognised value as loan collateral became commercially urgent. Chen's article is the Exchange's effort to answer it honestly. ## The two routes the Civil Code provides China's Civil Code (《民法典》) permits two distinct types of pledge: chattel pledge (动产质权) and rights pledge (权利质权). Chen examines each in turn, because which route is used determines what legal requirements must be satisfied, and each route carries its own difficulties for data. **Chattel pledge (动产质权)** treats data as a movable thing capable of possession. Its two defining legal properties are: (1) the subject matter must be a chattel owned or controlled by the pledgor and transferable; (2) the pledge is constituted — and kept alive — by the creditor's physical possession of the pledged asset. In other words, chattel pledge requires delivery. **Rights pledge (权利质权)** treats data as an economically valuable right rather than a thing. The Civil Code (Article 440) lists eligible rights using a "enumeration plus catch-all" structure: bills of exchange, bonds, bills of lading, fund shares, equity interests, transferable intellectual property rights over trademarks, patents and copyrights, receivables, and — critically — "other property rights that may be pledged as provided by law and administrative regulations." The catch-all clause is not open-ended: only rights that statute or administrative regulation explicitly designates as pledgeable qualify. Civil actors cannot create pledge rights over property interests at will. ## Three operational problems with chattel pledge of data Chen identifies three distinct threshold problems that must be resolved before data can be pledged as a chattel. **First, disposability.** Constituting a pledge is a disposition act: the pledgor must have the power to dispose of the pledged asset. For data, this is genuinely uncertain. Data's characteristics — ease of copying, ease of reuse, potential for simultaneous use by multiple parties — make it structurally difficult to determine whether the pledgor actually has unencumbered control over the data it proposes to pledge. If the pledgor lacks disposal authority, a creditor can invoke the good-faith acquisition rules (善意取得, Civil Code Article 311) only if the creditor neither knew nor had reason to know of the defect — and financial institutions are generally held to a higher standard of diligence in due-diligence processes. Chen's suggested workaround: creditors should prefer data that has already passed compliance review and been listed on a data exchange, or that has been formally brought onto the enterprise's balance sheet (入表), as those processes provide an external indicator of legitimate control. This is a practical workaround, not a legal solution — it shifts evidentiary risk rather than resolving the underlying ownership question. **Second, transferability.** A chattel pledge is realised by selling, auctioning, or transferring the pledged asset when the debtor defaults. If the data cannot legally be transferred to a buyer, the pledge cannot be enforced. Transferability is not guaranteed: the Data Security Law (《数据 安全法》, Article 8) imposes general constraints on data activities that could conflict with a forced transfer, and sector-specific rules — Chen uses the Credit Reporting Industry Regulation (《征信业管理条例》, Article 18) as an example — may require the data subject's written consent before personal information can be disclosed to a third party in the first place. Assessing whether specific data is legally transferable requires a compliance review of its content, its classification, the consents obtained at collection, and any sectoral rules that apply. The problem for creditors is twofold: at the time of signing the pledge agreement, it may be impossible to confirm whether the necessary consents will exist at the time of enforcement; and even if transferability is confirmed, the creditor must find not just a buyer but a buyer that is itself qualified to receive that data (possesses the relevant consents or authorisations from the original data subjects). This turns a standard enforcement process into a specialised compliance matching exercise. **Third, delivery.** Chattel pledge under Chinese law is constituted by delivery — the pledged asset must pass into the creditor's possession, and the pledge subsists only for as long as the creditor retains that possession. Chen reads "delivery" for data purposes as requiring a transfer of management and control, not a physical spatial transfer. But even on that reading, a creditor that takes control of data becomes a data custodian and assumes the legal obligations that come with it: if the data is damaged, lost, or breached through inadequate storage, the creditor is liable. Data storage is not a neutral technical act — the Data Security Law and data classification rules impose specific storage environment and security requirements that vary by data tier. The practical effect is that accepting data as chattel pledge collateral requires the creditor to either build data security infrastructure or outsource it. Chen's recommended solution to the delivery problem is dynamic chattel pledge via a third-party data custodian (数据托管机构). The Supreme People's Court's Interpretation on the Guarantee System under the Civil Code (Article 55) provides a template: a three-party agreement among creditor, pledgor, and a monitoring party (监管人) can constitute a pledge over a pool of assets defined by type, specification, and quantity rather than specific items, with the monitoring party holding the assets on the creditor's behalf. This structure allows data to remain in active use while remaining subject to a pledge, transfers custody obligations to the monitoring institution, and shifts liability for custodian non-compliance away from the creditor. ## Why rights pledge of data faces deeper structural barriers The rights-pledge route appears more conceptually fitting — data is an intangible, and pledging an intangible right seems more natural than treating data as a chattel. But Chen's analysis shows it faces harder legal barriers. **Data property rights (数据财产权) remain a policy concept, not a legal right.** The Data Foundation System Opinions (数据二十条, December 2022) introduced the three-rights framework, and subsequent central planning documents have repeated the call to establish a data property rights system. But as of the time of writing, "data property rights" exist only at the policy layer. The concept of "property rights" (产权) is an economic rather than a legal term; translating it into a specific, legally defined civil right — one that satisfies the Civil Code's numerus clausus principle requiring that real rights be created by statute — requires legislation that has not yet been enacted. Academic debate continues over whether data property rights should be recognised as a new category of property right. Even if they were, the further step of designating data property rights as pledgeable within the Article 440 catch-all would require an additional statutory or regulatory act. Neither step has occurred. **Data intellectual property rights (数据知识产权) have a pilot but not a statute.** The route of treating data as a form of intellectual property has moved further, institutionally: in December 2022, the National Intellectual Property Administration (国家知识产权局) designated eight pilot jurisdictions — Beijing, Shanghai, Jiangsu, Zhejiang, Fujian, Shandong, Guangdong, and Shenzhen — to run data intellectual property registration trials. Shenzhen Data Exchange, as the institutional author of this column, has direct operational familiarity with that pilot. But the doctrinal problem persists. The Civil Code (Article 123) defines the objects of intellectual property rights using an enumeration that ends with "other objects as provided by law." Data that can already fit within existing IP categories — original databases qualifying as copyrighted works, patentable data-processing inventions — does not need the data-IP label and can be pledged under existing IP pledge rules. But data that does not fit existing categories cannot be squeezed into the framework without explicit statutory designation, and that designation has not arrived nationally. The pilot registrations exist and have commercial value, but they do not resolve the underlying "legality" (法定主义) question for pledge purposes. Chen also notes a commercial reality: intellectual property pledge is already a difficult proposition for lenders. IP value is hard to appraise and its enforced sale value is uncertain. Banks typically resist IP collateral for exactly this reason. A "data IP" pledge compounds the uncertainty by adding an unresolved legal question on top of the existing commercial one. By contrast, chattel pledge — however cumbersome — at least operates within a settled doctrinal framework with established enforcement precedents. ## Where things stand: chattel pledge via custodian is the working path Chen's conclusion is clear. For data pledge financing in China today: - **Chattel pledge via a third-party data custodian is the most viable route.** It operates within an existing legal framework, the three-party monitoring structure has Supreme Court backing, and custody arrangements can contain the creditor's data-security exposure. The three threshold problems (disposability, transferability, delivery) are manageable with careful structuring — in particular, using data that has been listed on a compliant data exchange or brought onto the corporate balance sheet. - **Rights pledge via data property rights cannot yet be used.** The necessary statutory foundation does not exist. Pledging data as a novel category of property right would require legislation that has not passed. - **Rights pledge via data intellectual property is legally uncertain and commercially unattractive.** The pilot registrations in eight jurisdictions are genuine, and the Datatang v. Yinmu case documented in [DCC's case study](/posts/datatang-v-yinmu-data-ip-registration-case/) illustrates the registration mechanics. But until the national IP law framework explicitly recognises data as an IP object, using that registration as the basis of a pledge remains legally precarious. And even if the legal question were resolved, lenders' commercial aversion to IP collateral would remain. The practical upshot is that data pledge financing is not stuck because data lacks value — it is stuck because the legal infrastructure to give that value a form that existing security-interest law can grip has not yet been fully built. The [data property-rights registration guide](/laws/data-property-rights-registration-guide-draft/) represents one incremental step in that infrastructure. But registration alone does not resolve the numerus clausus problem, and it does not resolve the transferability question at enforcement. ## Why overseas counsel should care - **Due-diligence framework for China data-secured lending.** Any cross-border financing transaction involving a Chinese counterpart that proposes data assets as collateral should work through Chen's three-question chattel-pledge checklist (disposability, transferability, delivery) before accepting the security package. Each question has a compliance sub-question that standard asset due-diligence processes were not designed to handle. - **The data-as-asset accounting step does not create a pledgeable right.** Chinese enterprises bringing data onto their balance sheets under the 2023 accounting guidance generates a book entry, not a legally perfected property right. A balance-sheet recognition of data does not by itself resolve the disposability or transferability questions Chen raises — overseas counterparts that treat balance-sheet data valuation as equivalent to legal ownership of pledgeable collateral are reading the Chinese regulatory framework incorrectly. - **Watch the legislative pipeline.** The gap between policy intent (the Data Foundation System Opinions' three-rights framework) and operative legal right (a statute designating data rights as pledgeable) is the core structural risk. When — not if — that legislation arrives, it will reshape the entire data-secured financing landscape. Monitoring the National People's Congress legislative agenda and the NDA's data-registration rulemaking is how to get ahead of that shift. - **Data exchange listing as a diligence proxy.** Chen's suggested workaround — treating exchange-listed or balance-sheet-recognised data as a proxy for adequate disposability — has practical traction. Overseas counsel structuring transactions with a Shenzhen Data Exchange counterparty can reference the DEXC+ compliance review as part of the security package, understanding that it addresses the diligence concern without resolving the underlying legal uncertainty. ## DCC sources - Original: 陈一芊 (Chen Yiqian), 《DEXC+专栏|数据质押融资,出质什么?难点在哪里?》, 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ([source](https://mp.weixin.qq.com/s/8ttXR-A4Ex3kU-pTbeCEXA)). - [《关于构建数据基础制度更好发挥数据要素作用的意见》(Data Foundation System Opinions / 数据二十条)](/laws/data-foundation-system-opinions/) - [数据知识产权登记指引 (Data Property-Rights Registration Guide, draft)](/laws/data-property-rights-registration-guide-draft/) - Civil Code (《民法典》): Articles 115 (real rights defined by statute), 123 (intellectual property objects), 311 (good-faith acquisition), 426 (non-transferable chattels excluded from pledge), 440 (rights eligible for rights pledge). - Supreme People's Court, Interpretation on the Application of Guarantee Provisions of the Civil Code, Article 55 (three-party dynamic chattel pledge). - Credit Reporting Industry Regulation (《征信业管理条例》, State Council Order No. 631), Article 18. - Data Security Law (《数据安全法》), Article 8. > This is an editorial summary, not a translation of Chen Yiqian's piece. > Conceptual framings and operational extrapolations are DCC's. Any > simplification or error of emphasis is DCC's responsibility, not the > author's. The original carries the DEXC+ disclaimer that it represents > the author's academic views only and does not constitute legal advice. > **Not legal advice.** --- ## Are You a CII Operator or an Important-Data Handler? A Practitioner's Assessment Framework Under China's New Rules - Published: 2026-05-29 - Author: DCC Editorial - Tags: critical-information-infrastructure, important-data, data-security, data-classification, cross-border-data, cii-identification, data-compliance-risk, network-data-security - Laws cited: network-data-security-regulations, cii-protection-regulations, dsl - Domains: data-security, critical-information-infrastructure - URL: https://datacompliancechina.com/posts/assessing-cii-operator-important-data-handler-status/ - Markdown: https://datacompliancechina.com/posts/assessing-cii-operator-important-data-handler-status.md - Original source: https://mp.weixin.qq.com/s/BHV-ixP0mN7HoLcyCHcw4g - Original author: 古青卓 (Gu Qingzhuo) - Original publication: 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ### Description China's Cybersecurity Law, Data Security Law, and Network Data Security Management Regulations impose materially heavier compliance obligations on critical information infrastructure (CII) operators (关键信息基础设施运营者) and important-data handlers (重要数据处理者) than on ordinary data processors. This brief, drawing on a DEXC+ practitioner analysis by Gu Qingzhuo (古青卓) of the Shenzhen Data Exchange compliance team, explains how the two statuses are determined under the current framework, why neither is self-evident from a company's own assessment alone, how recent rules — including the Regulations on Promoting and Regulating Cross-Border Data Flows and the national standard GB/T 43697-2024 — have clarified but not fully resolved the important-data identification problem, and what overseas counsel should do when advising clients that operate in China's critical sectors. ### Body > *Editor's Note — DCC.* > > This brief summarises a DEXC+ column piece by Gu Qingzhuo (古青卓), > Transaction Review Supervisor in the Shenzhen Data Exchange compliance > department. The author writes from a genuinely practitioner position: > Shenzhen Data Exchange reviews data assets before they are listed for > trading, and the compliance team has encountered multiple counterparties > that either did not know — or did not think to ask — whether they were > critical information infrastructure (CII) operators (关键信息基础设施 > 运营者) or important-data handlers (重要数据处理者). The piece is one of the > more grounded assessments of this classification problem available in > Chinese practitioner commentary, precisely because it is written by > someone who has had to apply the rules to real clients in a live > regulatory setting. DCC is running it because this classification > question is consistently under-addressed in the due-diligence work > overseas counsel perform on China operations. > > Two substantive points to hold throughout: first, CII status and > important-data handler status are legally distinct questions governed by > different instruments and determined through different mechanisms — > conflating them in a compliance memo is a common error. Second, the > author's position is that neither status is safely resolved by waiting > for the regulator to knock. The analytical burden falls on the company > (and its advisers) to conduct an honest assessment well before any > notification arrives. ## Why the classification matters — and why it is difficult Under China's data compliance framework, both CII operators and important-data handlers face obligations that go well beyond those imposed on ordinary data processors. The [Data Security Law](/laws/dsl/) and the Cybersecurity Law (网络安全法, CSL) introduce these categories as the two tiers of heightened protection within the broader data governance structure. Failure to recognise that a company falls within either category — and therefore failure to meet the associated compliance obligations — can result in administrative penalties or, in serious cases, criminal liability. The practical difficulty is that neither category comes with a simple checklist that companies can apply to themselves. The Cybersecurity Law first introduced the concepts of critical information infrastructure and important data (重要数据) at the legislative level in 2016, including the foundational data-localisation obligation for CII operators: personal information and important data collected or generated within China must be stored domestically. But the same law did not specify who was responsible for identifying whether a company fell within scope, nor did it provide detailed identification rules. That gap was the starting point for years of practical difficulty. The Shenzhen Data Exchange compliance team identifies this gap as a real and recurring problem in its transaction-review work: law firms issuing legal opinions on data assets have often treated the CII and important-data questions superficially, and some companies have not engaged with the question at all. ## CII operators: the "notification-and-designation" mechanism The [CII security protection regulations](/laws/cii-protection-regulations/) (关键信息基础设施安全保护条例), issued in 2021, adopted a "sector enumeration plus authorised designation" approach (范围列举+授权认定). The regulations assigned responsibility for CII identification to the relevant protection-work departments (保护工作部门) — the competent and supervisory authorities for each important industry and sector. Those departments are responsible for, and organise, the designation of CII within their respective industries and sectors in accordance with prescribed identification rules, and they are required to notify operators of the designation outcome in a timely manner. The practical consequence is that, at the level of formal mechanism, an operator only needs to fulfil the relevant compliance obligations upon receiving a notification. This created a common shorthand in practice: assess CII status by checking whether a notification has been received. The author flags this shorthand as incomplete and potentially misleading. Not having received a notification does not mean the company is not a CII operator. The author's recommendation to third-party legal evaluators is clear: when producing an assessment report, state the factual position on whether a notification has been received, but also conduct an independent evaluation against the sector-enumeration criteria and look at the profile of entities that have previously been designated in comparable industries. The absence of a notification is a data point, not a conclusion. ## Important-data handlers: the harder problem For important-data (重要数据) handler status, the identification problem is structurally more complex. The [Data Security Law](/laws/dsl/) establishes a data classification and grading protection system, and mandates that the national data security coordination mechanism coordinate with relevant departments to formulate important-data catalogues (重要数据目录). The approach, as the author describes it, is "data processors proactively identify, plus competent authorities issue top-down catalogues." But prior to the March 2024 rules discussed below, neither the 2021 draft Network Data Security Management Regulations nor the Ministry of Industry and Information Technology's 2022 Data Security Management Measures for the Industrial and Information Technology Sector (试行) had provided specific conditions and standards for identifying important data in practice. The consequence was that companies trying to fulfil their important-data identification obligations faced a near-absence of operationally usable guidance. Unlike CII designation — where a formal notification mechanism exists, however imperfect — important-data identification fell almost entirely on the company's own analysis, with very little to guide that analysis. ## What the March 2024 rules added In late March 2024, two significant instruments were published that directly address the important-data identification question. On 21 March 2024, the National Technical Committee on Cybersecurity Standardization (全国网络安全标准化技术委员会) released the national standard GB/T 43697-2024, Data Security Technology — Data Classification and Grading Rules (数据安全技术 数据分类分级规则), taking effect 1 October 2024. Section 6.5 of that standard provides a principled elaboration of the level-determination rules for important data. In addition, Annex G of the standard provides a set of consideration factors for identifying important data, listing eighteen items (items (a) through (r)) as identification guidance — a significant practical advance for companies conducting important-data self-assessments. On 22 March 2024, the Cyberspace Administration of China (CAC) issued the Regulations on Promoting and Regulating Cross-Border Data Flows (促进和规范数据跨境流动规定, the cross-border data-flow regulations), effective immediately. Article 2 of those regulations addressed important data in the cross-border context: a data processor should identify and report important data in accordance with applicable rules. Where the relevant department or region has not informed the data processor that its data constitutes important data, and has not publicly designated it as such, the data processor does not need to declare it as important data for the purposes of a cross-border data security assessment. ## The contested interpretive question The cross-border data-flow regulations' Article 2 generated immediate interpretive debate that the author addresses directly. One view, supported by a "lighter burden inferred from heavier" (举重以明轻) argument, held that Article 2 could be read broadly: since cross-border data flows represent the highest-risk scenario for important data (the probability and severity of national-security consequences are both elevated), a rule relieving operators of the declaration obligation in that scenario should, a fortiori, relieve them of important-data compliance obligations generally when no notification has been received. On this reading, the Article 2 standard extends beyond the cross-border context to serve as a general screen for whether data constitutes important data at all. The author's position is firm: this extension should not be made. Article 2 of the cross-border data-flow regulations opens by affirming that data processors must proactively identify and declare important data in accordance with applicable rules. The provision carves out a specific relief from the cross-border-specific declaration requirement when no notification has been received — it does not establish a general safe harbour from important-data compliance obligations under the [Data Security Law](/laws/dsl/), the Cybersecurity Law, or other applicable rules. The author's conclusion: the cross-border data-flow regulations give companies a clear road to follow in one context (cross-border declarations), but they do not resolve the practical difficulty of important-data identification and compliance for all other contexts. The obligation to proactively identify, classify, and manage important data sits with the company in those other contexts regardless of whether a notification has been received. ## Practical advice: what the author recommends The author sets out a structured approach for third-party legal service providers and for companies. **For legal advisers assessing CII operator status:** The evaluator should state as a factual matter whether the company has received a formal CII designation notification. However, the evaluation should not stop there. The adviser should assess whether the company's profile — its sector, the nature of the infrastructure it operates, and the characteristics of entities previously designated in comparable industries — indicates a realistic risk that designation is pending or likely. The evaluation report should reflect both the notification status and the substantive sector analysis. **For legal advisers assessing important-data handler status:** The evaluator should not mechanically apply the cross-border data-flow regulations' Article 2 standard to contexts beyond its scope. The adviser should instead conduct an independent assessment drawing on GB/T 43697-2024 (particularly Annex G) and any other applicable sector-specific standards, and provide a substantive professional opinion on whether the company's data holdings include important data (重要数据). The output should guide the company on what compliance obligations follow from the assessment. The author adds a specific caution on the regulatory perimeter: under Article 6 of the [Data Security Law](/laws/dsl/), public security authorities and national security authorities bear data security supervisory responsibilities within their respective mandates. Companies should monitor compliance requirements from those authorities as well, and actively cooperate with regulatory investigations — the CAC is not the only enforcement body in the data security space. **For companies generally:** Both CII operator status and important-data handler status carry substantial compliance obligations that take time and resources to build. Waiting passively for a formal designation or notification carries serious risk: if the company is eventually notified that it is a CII operator or is required to comply with important-data obligations, the gap between its existing compliance posture and what is required may be large enough to attract investigation, administrative penalties, or criminal liability. The author's recommendation is to begin CII and important-data identification and assessment early — before any notification arrives — with the assistance of data compliance specialists who can help map the obligations and build the compliance infrastructure in advance. ## Why overseas counsel should care - **Due diligence and deal risk.** In M&A, data-asset transactions, and joint-venture structuring involving Chinese counterparties, the target's CII operator or important-data handler status determines the applicable data-security obligations, localisation requirements, and regulatory exposure. A legal opinion that treats the absence of a notification as resolution of the question may significantly understate the compliance risk being acquired or assumed. - **Listing and transaction review.** The Shenzhen Data Exchange compliance team specifically identified this gap in its listing-review process. Companies seeking to list data assets on Chinese data exchanges — or whose data assets are being traded — should expect rigorous scrutiny of CII and important-data classification during transaction review. Overseas counsel advising on such transactions should build this assessment into their work product. - **The [Network Data Security Management Regulations](/laws/network-data-security-regulations/) add another layer.** The formally enacted Network Data Security Management Regulations (网络数据安全管理条例) impose requirements that track both CII operator and important-data handler status, and their interaction with the CII protection regulations and the [Data Security Law](/laws/dsl/) reinforces the need for a clear, documented status assessment as a baseline compliance artefact. - **Regulatory perimeter is wider than CAC.** As the author notes, enforcement jurisdiction over important-data obligations is not confined to the Cyberspace Administration. Public security and national security authorities have their own supervisory mandates under the Data Security Law. Overseas counsel should ensure their China data-risk assessments reflect the multi-regulator enforcement landscape. ## DCC sources - Original: 古青卓 (Gu Qingzhuo), 《DEXC+专栏 | 新规背景下,如何评估企业是否属于关键基础设施运营者、重要数据处理者》, 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ([source](https://mp.weixin.qq.com/s/BHV-ixP0mN7HoLcyCHcw4g)). - [Network Data Security Management Regulations](/laws/network-data-security-regulations/) (网络数据安全管理条例). - [CII security protection regulations](/laws/cii-protection-regulations/) (关键信息基础设施安全保护条例, 2021). - [Data Security Law](/laws/dsl/) (数据安全法, 2021), including Art. 6 (multi-regulator mandate) and Art. 21 (data classification and grading, important-data catalogues). - GB/T 43697-2024, Data Security Technology — Data Classification and Grading Rules (数据安全技术 数据分类分级规则), effective 1 October 2024. - Regulations on Promoting and Regulating Cross-Border Data Flows (促进和规范数据跨境流动规定, CAC Order No. 16, March 2024). > This is an editorial summary, not a translation of Gu Qingzhuo's piece. > Conceptual framings and analytical positions are attributed to the > author; any simplification, error of emphasis, or operational > extrapolation is DCC's. **Not legal advice.** --- ## Datatang v. Yinmu — China's First Ruling on a Data-IP Registration Certificate, and Why Open-Sourced Data Is Still Protected - Published: 2026-05-29 - Author: DCC Editorial - Tags: judicial, data-property-rights, data-registration, anti-unfair-competition, ai-training-data, open-source, case - Laws cited: anti-unfair-competition-law, data-foundation-system-opinions, data-property-rights-registration-guide-draft, dsl - Domains: data-economy, data-security - URL: https://datacompliancechina.com/posts/datatang-v-yinmu-data-ip-registration-case/ - Markdown: https://datacompliancechina.com/posts/datatang-v-yinmu-data-ip-registration-case.md - Original source: https://mp.weixin.qq.com/s/RRsiqVpVcL6eXG077JCjvQ - Original author: Beijing IP Court (2024)京73民终546号; commentary by 法律与新经济, 清华大学智能法治研究院, 深圳数据交易所 DEXC+ - Original publication: Multiple — see sources below ### Description A consolidated case study of 数据堂诉隐木科技 (Datatang v. Yinmu) — the Beijing IP Court's June 2024 appeal ruling, widely called China's first case on the evidentiary effect of a data-IP registration certificate. The dispute: Datatang built voice datasets for AI training, open-sourced some under a license; Yinmu took and redistributed them in the same data-services market. DCC synthesizes four commentaries (the case report, a Tsinghua analysis, and two Shenzhen Data Exchange DEXC+ deep-dives) into the four holdings that matter for overseas counsel: (1) a data-IP registration certificate is prima facie evidence of property-type interests and lawful sourcing — but not an absolute property right (property-rights-statutism); (2) open-sourced data, though neither trade secret nor copyrightable compilation, is protectable under the Anti-Unfair Competition Law's general clause; (3) the protection hierarchy (compilation work → trade secret → AUCL Art. 2); and (4) whether the taker honored the open-source license is the hinge for 'improper conduct.' ### Body > *Editor's Note — DCC.* > > This is a consolidated case study, not a translation of any single > piece. 数据堂诉隐木科技 (Datatang v. Yinmu) is the most-cited Chinese > data-market judgment of the past two years — popularly tagged "China's > first case on the evidentiary effect of a data-IP registration > certificate" (全国首例涉数据知识产权登记证书效力案). DCC synthesizes > four commentaries — the case report (法律与新经济 / 知产宝), a Tsinghua > Institute for AI & Rule of Law analysis, and two Shenzhen Data Exchange > DEXC+ deep-dives — into the holdings that matter for overseas counsel. > The case sits at the intersection of three things DCC has covered > separately: the [Data 20 Articles three-rights framework](/posts/nda-three-rights-structural-separation/), > the [data-property-rights registration regime](/laws/data-property-rights-registration-guide-draft/), > and [open-source AI training-data compliance](/posts/open-source-ai-training-data-compliance/). > Here a court actually decides how they interact. ## The case | | | |---|---| | **Parties** | 数据堂(北京)科技股份有限公司 (Datatang, plaintiff) v. 隐木(上海)科技有限公司 (Yinmu, defendant) | | **First instance** | Beijing Internet Court — (2021)京0491民初45708号 | | **Appeal** | Beijing IP Court — (2024)京73民终546号 (affirmed, June 28, 2024) | | **Cause of action** | Unfair competition (不正当竞争纠纷) | | **Result** | Yinmu pays Datatang ¥100,000 in economic loss + ¥2,300 in reasonable enforcement costs; appeal dismissed, first-instance judgment upheld | The facts: Datatang is a data company that built **voice datasets for AI model training** — collecting and processing a substantial volume of voice-data entries through its own technical, capital, and labor investment. It **open-sourced** some of these datasets under a license. Yinmu, a competitor in the AI-training-data-source market, **obtained the datasets and redistributed / used them** in a way the courts found did not honor the terms on which the data was made available. Datatang sued for unfair competition. Crucially, Datatang held a **Data-IP Registration Certificate (《数据知识产权登记证》)** for the dataset. The case is doctrinally important because the dataset fell into the gap the Chinese data-property debate keeps circling: it was *public* (so not a trade secret), it lacked originality in selection/arrangement (so not a copyrightable compilation), and "data" is not yet a typed civil property right in statute. So what, exactly, protects it? ## Holding 1 — A data-IP registration certificate is prima facie evidence, not a property right This is the headline. The Beijing IP Court held that Datatang's **Data-IP Registration Certificate can serve as prima facie evidence** of two things: - that Datatang **holds property-type interests** in the dataset; and - that the **collection conduct / data source was lawful**. Absent contrary evidence, the court could find those facts on the strength of the certificate. This is the first Chinese judgment to give a data-registration certificate concrete evidentiary force — which is why the "data registration" community treated it as a watershed. **But — and this is the nuance overseas counsel must hold onto — the certificate is *not* proof of an absolute property right.** The Shenzhen Data Exchange DEXC+ analysis draws out the appeal court's reasoning: under the **property-rights-statutism principle (财产权法定原则)**, a property-type legal interest that has *not* been confirmed by statute as an absolute property right cannot be analogized to other absolute property rights for judicial protection. Civil Code Article 127 ("where laws provide for the protection of data … such provisions apply") is, the court said, a **referential / declaratory clause** — it has *not* made "data" a typed civil right with defined content. The "data three rights" (hold / use / operate) from the Data 20 Articles remain **policy-level and economic concepts**, not statutory absolute rights, because under the Legislation Law the creation of basic civil rights is reserved to NPC statute — administrative regulations, departmental rules, local rules, and policy documents cannot create them. So Datatang **could not** invoke Article 127 to demand that its dataset be treated as an absolute property right. The registration certificate shifts the **burden of evidence**; it does not conjure a **property right**. For overseas counsel: registering data in China (the data-IP pilots, the data-exchange registration certificates) is now genuinely worth doing for its evidentiary value — but do not mistake a certificate for title. ## Holding 2 — Open-sourced data is still protected, via the Anti-Unfair Competition Law If the dataset is not a property right, not a trade secret, and not a copyrightable work, what protects it? The court's answer: the **Anti-Unfair Competition Law (AUCL) general clause, Article 2**. The reasoning: even though the dataset was public (failing the trade-secret secrecy requirement) and lacked originality in selection/arrangement (failing the compilation-work requirement), Datatang had made **substantial technical, capital, and labor investment** to lawfully collect a substantial volume of voice-data entries, adding commercial value to the raw data, meeting AI-developers' needs, and generating traffic, transaction opportunities, and competitive advantage. That commercial benefit is, in substance, a **competitive interest (竞争性权益)** — and competitive interests are legitimate interests the AUCL protects. ## Holding 3 — The protection hierarchy The Tsinghua analysis distills the court's framework into a clean **three-tier hierarchy** for protecting a dataset — useful as an operating checklist: 1. **Public + original selection/arrangement → copyright (compilation work).** If the dataset's structure is original, protect it as a compilation work. 2. **Not easily obtainable by people in the field → trade secret.** If the dataset is genuinely non-public, protect it as a trade secret. 3. **Public + no originality → Anti-Unfair Competition Law Article 2.** If it's public and unoriginal — the residual case, and the most common one for bulk training data — there is no IP exclusive right or trade-secret basis, so protection runs through the AUCL general clause, as appropriate. Datatang's voice dataset fell into tier 3 — which is exactly why this case matters: it confirms that the **residual category of "public, unoriginal, substantial-investment" datasets is not unprotected**. The AUCL general clause is the backstop. ## Holding 4 — The open-source license is the hinge The most operationally important holding for anyone building or using AI training data: **open-sourcing data does not abandon rights in it.** The court held that, absent the holder's permission, no one may publicly disseminate a dataset that the holder lawfully collected through substantial investment. And when the holder *does* open-source the dataset, **whether the acquirer follows the open-source license** is an important factor in judging whether the use violates commercial ethics in the data-services field. In other words: "it was open-sourced" is not a defense. The license terms travel with the data. A competitor who takes open-sourced data and uses or redistributes it *outside the license* is acting improperly — and the open-source license becomes the measure of commercial ethics under the AUCL. The case also features a **doctrinal breakthrough on the "substantial substitution" question.** Chinese data-unfair-competition cases have often asked whether the defendant's product *substantially substitutes* for the plaintiff's (a market-harm element). Here the court reasoned at a higher level of generality: if data obtained from open-source channels could be freely re-shared with third parties for free, that would **impair data circulation, hinder data innovation, and obstruct the construction of the unified national data market** — and is therefore improper *regardless* of whether classic market substitution is shown. The court tied the impropriety analysis directly to the national data-market-building policy. ## The registration-system context The Shenzhen Data Exchange DEXC+ pieces situate the case in the fast-growing data-registration landscape overseas counsel should know: - The **Data 20 Articles** (December 2022) introduced the three-rights structural-separation framework; localities then began experimenting with "three-rights" registration. - Since 2022 the **National Intellectual Property Administration** has run **data-IP pilots** in 8 localities (Beijing, Shanghai, Jiangsu, Zhejiang, and others), adding 9 more in 2024. Across the pilots, **2,000+ data-IP registration certificates** have been issued, supporting **¥1.1 billion+ in pledge financing**. - Registration objects generally must be **lawfully obtained, processed by some rule or algorithm, and possess commercial value and intellectual-achievement attributes.** - DCC's caution, reinforced by the DEXC+ analysis: registration ≠ rights-confirmation (确权). Registration records and provides evidence; it does not, on current law, create a property right. (See [DCC's brief on what data registration actually confirms](/posts/qinglan-what-data-registration-actually-confirms/).) ## What this tells overseas compliance teams - **Register your data in China for evidentiary value — but don't treat a certificate as title.** A data-IP registration certificate (or a data-exchange registration certificate) now carries real prima-facie weight on both *property-type interest* and *lawful sourcing*. That shifts the burden to a challenger. But it is not an absolute property right, and a Chinese court will say so — your substantive protection still runs through the AUCL (or trade secret / copyright where those fit). - **Treat the AUCL general clause as the real protector of bulk datasets.** For the common case — public, unoriginal, substantial-investment datasets (most training corpora) — neither copyright nor trade secret applies. AUCL Article 2 is the backstop. Build your data-misappropriation claims (and your defensive posture) around competitive-interest and commercial-ethics reasoning, not around a claimed property right. - **Open-source ≠ free-for-all. The license travels with the data.** This is the single most important operational takeaway for AI builders. If you ingest open-sourced Chinese datasets, **honor the open-source license** — the court treats license compliance as the measure of commercial ethics, and using open data outside its license is improper conduct, even without classic market substitution. Conversely, if you open-source your own data, you retain an AUCL-backed claim against those who use it outside the license. (Pair this with [Zhang Ping's open-source training-data analysis](/posts/open-source-ai-training-data-compliance/): "open-source does not mean open data.") - **Document substantial investment.** The court's protection of Datatang turned on its demonstrated technical/capital/labor investment in lawfully collecting and adding value to the data. Maintain provenance, collection-method, and investment documentation for any dataset you may need to defend — it is the factual core of an AUCL competitive-interest claim. (This is the same documentation logic that runs through [the data-source-rights debate](/posts/wang-nian-data-source-rights-as-fair-use/) and [Tang Linyao's data-broker analysis](/posts/tang-linyao-data-broker-derivative-harms/).) - **The national-data-market policy is now a litigation argument.** The court framed impropriety partly in terms of *building the unified national data market*. Expect Chinese courts to keep reading the data-element-market policy goals into AUCL analysis — which cuts both ways: hoarding/blocking and free-riding can each be cast as market-impairing depending on the facts. The deeper significance: Datatang v. Yinmu is the case where the abstract Chinese data-property architecture — three rights, registration, the unified market — met an actual commercial dispute and produced operating doctrine. The synthesis it leaves: **in China you register data for evidence, protect it through unfair-competition law, and the open-source license is the line between legitimate reuse and misappropriation.** For overseas counsel structuring AI-data sourcing or data-trading arrangements touching China, that three-part rule is the practical state of the law. --- **Sources (consolidated):** - *【案例速递】开源数据亦可受到反法保护,扰乱数据服务市场的行为具有不当性 — 数据堂诉隐木公司AI训练数据源案*, 法律与新经济 (case report, via 知产宝). [Link.](https://mp.weixin.qq.com/s/RRsiqVpVcL6eXG077JCjvQ) - *首例涉数据知识产权登记效力案,处于公开状态的数据不属于商业秘密,但可依据反法保护*, 清华大学智能法治研究院 (Tsinghua University Institute for AI & Rule of Law). [Link.](https://mp.weixin.qq.com/s/VKoeCVplU639bjJDX-qIug) - *DEXC+专栏 | 证据法视角中的数据产权登记——兼论我国数据产权登记制度的构建*, 深圳数据交易所 DEXC+. [Link.](https://mp.weixin.qq.com/s/BiA_J_aH7UMpO0V5f_usaA) - *DEXC+专栏 | 数据产权登记,思路打开,合规先行——从"全国首例涉数据知识产权登记证书效力案"说起*, 深圳数据交易所 DEXC+. [Link.](https://mp.weixin.qq.com/s/2dVHs3L1I6NJ2eyBkhrkAg) *Not legal advice. The above is DCC's consolidated structured summary of a public judgment and four commentaries, with framing for overseas counsel; the holdings, the protection hierarchy, and the property-rights-statutism reasoning are the court's and the commentators'.* --- ## Reviving a Zombie Provision — Xu Ke's Concentric-Circle Reconstruction of the Anonymization Regime - Published: 2026-05-28 - Author: DCC Editorial - Tags: anonymization, personal-information, data-economy, de-identification, commentary - Laws cited: pipl, csl, dsl, network-data-security-regulations - Domains: personal-information, data-security, data-economy - URL: https://datacompliancechina.com/posts/xu-ke-anonymization-zombie-provision/ - Markdown: https://datacompliancechina.com/posts/xu-ke-anonymization-zombie-provision.md - Original source: https://mp.weixin.qq.com/s/yaO_RB-rzTKouqevxCb-Xw - Original author: 许可 (Xu Ke), UIBE - Original publication: 《财经法学》(Finance and Economics Law Journal), Issue 4, 2024; reposted via 数字经济与社会 WeChat Official Account ### Description Xu Ke (UIBE) calls PIPL Article 4's anonymization carve-out a 'zombie provision' (僵尸法条) — on the books, never used, and one of the biggest blockages in the data-element market. His diagnosis: the zombie state is caused not by the text but by three unaddressed worries (processors fear the standard is unattainable or value-destroying; regulators fear anonymization becomes an evasion tool; users fear it's a hollow promise). His cure is a concentric-circle architecture that maps three risk types (systemic / operational / residual) onto three layers of anonymity (presumptive / determined / trust). This is the most complete academic blueprint yet for making the anonymization clause operational — and it pairs directly with TRIMPS's risk-based, recipient-relative reading. ### Body > *Editor's Note — DCC.* > > If [TRIMPS's brief](/posts/yao-qian-pi-anonymization-relativity/) is the > standards-body's read on where the anonymization bar sits, Xu Ke's > piece is the academic blueprint for rebuilding the regime from the > ground up. His framing is unusually vivid for a law-journal article: > PIPL Article 4's anonymization carve-out is a "zombie provision" > (僵尸法条) — formally alive, functionally dead, and one of the single > biggest blockages to the data-element market China is trying to build. > The piece (in 《财经法学》2024) diagnoses *why* the provision is > dead and proposes a concentric-circle architecture to revive it. DCC > reads it alongside the TRIMPS brief: same problem, complementary > solutions. Overseas counsel get, between the two, the most complete > picture available of where China's anonymization regime is heading. ## The zombie diagnosis PIPL Article 4 excludes anonymized information from the definition of personal information — inheriting the carve-out from CSL Article 42's proviso. The intent was to encourage data circulation and reuse: anonymize, and the data exits the PIPL regime. Yet since PIPL took effect, the provision has "almost never functioned" — a clause with "the form of law but no signs of life." Xu Ke's term: 僵尸法条, zombie provision. Why dead? Xu Ke's diagnosis is that the problem isn't in the "skin" (the text) but in the "heart" — three worries that paralyze the parties: - **Processors** fear two opposite things at once: that their anonymization won't meet the legal standard (so the data stays in PIPL scope and the effort is wasted), *and* that a standard set high enough to be safe will strip the data of all reuse value. - **Regulators** fear anonymization becomes a tool processors use to *evade* oversight — declare "anonymized," exit the regime, escape enforcement. - **Users** fear anonymization is a hollow promise — a label processors attach without real irreversibility. And the disease is in the "marrow" too: the three worries stem from a deeper *dualism* — between anonymization-as-technology and anonymization-as-law, between process and result, between the scenario-specificity and the uniformity of anonymization. The same anonymization looks like different things to each party: to the processor, a thicket of techniques and thresholds; to the user, opaque jargon; to the regulator, abstract rules and eventually-exposed risk. Xu Ke's critique of existing theory ("relative anonymization," "dynamic anonymization," "functional anonymization," "subjective anonymization," "data-relationship anonymization"): all correctly recognize that *no anonymization can guarantee zero re-identification* — but none provides a clear, operable behavioral standard. "Relative anonymization" says reduce risk to an "acceptable level" — but what level, set by whom? The theories have explanatory power but no power to cure. ## The fix: three risks, three layers, one concentric circle Xu Ke's reconstruction starts from the premise that **absolute anonymization is a fool's errand** ("carving the boat to find the sword"), and that information protection follows a *Goldilocks principle*: too-strict anonymization destroys so much information value that the exercise becomes self-defeating. So the regime must accept *limited* processor obligations and *limited* state oversight — and the hard question is where the limit sits. His answer: type the re-identification risk by (consequence × probability) into three tiers, and match each to a governance mechanism and a layer of anonymity. ### Center — Systemic risk → Presumptive anonymity (推定匿名) **Systemic risk** (系统风险): the risk that anonymization fails *wholesale*, exposing personal information to large-scale misuse. Diffuse, affects many — so it needs *ex-ante preventive* governance: objective, admission-style "red-flag" rules applied uniformly. The mechanism: **design-based regulation** (经由设计的规制) — embed the anonymization standard into the system architecture, code, and technical defaults, so anonymization is a built-in property rather than an after-the-fact judgment. The anonymization design is shaped jointly by enterprises, government, and industry bodies, and recognized through a bottom-up accreditation mechanism. The legal effect: **presumptive anonymity**. Once an anonymization design is (directly or indirectly) state-recognized, data processed through it is *presumed anonymized*. This is a burden-of-proof reversal — the processor need only show it used a qualified anonymization design to get the anonymized result confirmed, dramatically easing the processor's worry. It's a *rebuttable* factual presumption: others can challenge with new evidence, but the burden shifts to the challenger. ### Middle — Operational risk → Determined anonymity (判定匿名) **Operational risk** (操作风险): the risk that *specific* failures — vulnerabilities in the anonymization measures, internal-process defects, personnel error or misconduct — cause improper use. Localized, scenario-specific. Needs *ex-post responsive* governance: case-by-case adjudication after a harm, guiding enforcement and judicial bodies to handle each fairly. The mechanism: where evidence shows the anonymization didn't actually achieve anonymity, the presumption is rebutted — but the rebuttal must be **determined by an administrative agency or court under PIPL**. Xu Ke calls this **determined anonymity**: the regulator retains *final say* over whether an anonymization design is lawful, which dissolves the regulator's "anonymization trap" worry (the fear that recognizing a scheme forecloses later enforcement). It doesn't — the presumption is always rebuttable by official determination. ### Edge — Residual risk → Trust anonymity (信任匿名) **Residual risk** (剩余风险): the irreducible risk from leftover identifiability, unforeseeable data sources, and technical advances. Xu Ke's striking example: in 2018 the US Census Bureau found that its 2010 published statistics could be used to reconstruct the sex, age, race, ethnicity, and fine-grained location of **46% (under certain conditions 71%) of the US population**. Residual risk is real and permanent. The implication: processors must not "release and forget" (release and forget) anonymized data. They must keep performing compliance obligations — transparency mechanisms that protect users' right to know, and continuous re-identification-risk monitoring. Regulators backstop with strong "public enforcement" to compensate for the weakness of private remedies under residual risk. Xu Ke calls this user-oriented layer **trust anonymity**. ## The three reinterpretations of the statutory text Beyond the architecture, Xu Ke offers legal reinterpretations of PIPL Article 73's anonymization elements — "cannot identify," "cannot be restored," and "process": - **"Cannot identify"** — read against a *reasonable-means* standard (specific person, reasonably likely methods), not an absolute "no one on earth by any method." This aligns with the subject-relativity reading TRIMPS develops. - **"Cannot be restored"** — read as *high* irreversibility under reasonable cost, not literal impossibility (the "difficult to restore" gloss the draft Guide adopts). - **"Process"** — read as an ongoing, monitored process, not a one-time terminal act. The two compliance reforms he proposes flow from this: - **From "anonymization consent" to "anonymization notice"** (从"匿名化同意"到"匿名化知情") — the legal basis for anonymizing isn't a fresh consent but a transparency/notice obligation, since anonymization is processing in service of the original purpose's safe termination. - **From "prohibit re-identification" to "reuse PIIA"** (从"禁止再识别"到"再利用的个人信息保护影响评估") — rather than a flat ban on re-identification, require a PI Impact Assessment before *reusing* anonymized data, calibrated to the residual risk. ## What this tells overseas compliance teams - **Read Xu Ke and TRIMPS together as the converging Chinese position.** The academic blueprint (Xu Ke) and the standards-body read (TRIMPS) point the same direction: anonymization is risk-based, not absolute; process-based, not one-time; and increasingly recipient-aware. The compliance posture both imply — documented risk thresholds, continuous monitoring, no "release and forget" — is the one to build to now. - **"Design-based" anonymization is the forward-looking compliance architecture.** Xu Ke's presumptive-anonymity layer rewards processors that bake anonymization into system design and (eventually) get the design accredited. Multinationals should architect anonymization as a built-in pipeline property with documented technique selection and threshold-setting — not a manual, case-by-case scrub. When an accreditation mechanism materializes, design-based processors will get the burden-shifting benefit. - **"Release and forget" is the specific anti-pattern to eliminate.** Both Xu Ke (residual risk) and TRIMPS (continuous assessment) reject it. If your China operations anonymize data and then treat it as permanently out-of-scope with no further monitoring, that posture is squarely in the crosshairs of where the regime is heading. Institute recurring re-identification-risk review. - **The presumption-and-rebuttal structure tells you what evidence to keep.** Under Xu Ke's framework, the processor's protection is the *documented qualified anonymization design*; the regulator's power is the *official rebuttal determination*. Translation: your defensible position depends on contemporaneous documentation of the anonymization design, technique selection, threshold rationale, and monitoring. That documentation is the asset. - **Watch the PI Anonymization Guide — it's where this lands.** The 2024-2025 academic and standards work (Xu Ke's piece, the draft Guide, the TRIMPS analysis) is converging on the final anonymization standard. When the Guide finalizes, expect it to encode risk-based irreversibility, continuous assessment, and possibly the design-recognition mechanism. Pre-position methodology and documentation accordingly. The deeper point: Xu Ke is trying to make the anonymization clause *do work* — to turn a dead provision into the operational gateway that lets data flow out of PIPL scope safely. That is precisely the gateway overseas counsel most want to use (anonymize → exit PIPL → reuse / transfer freely). The lesson is that the gateway is real but conditional: it requires a defensible, documented, continuously-monitored, design-based anonymization posture — not a label. --- — *许可, 复活僵尸法条:个人信息匿名化制度的再造 (Reviving a Zombie Provision: Reconstructing the Personal Information Anonymization System), 《财经法学》Issue 4, 2024, pp. 160-177; reposted via 数字经济与社会 WeChat Official Account. [Original article (Chinese).](https://mp.weixin.qq.com/s/yaO_RB-rzTKouqevxCb-Xw)* *Not legal advice. The above is DCC's structured summary of Xu Ke's analysis, with framing for overseas counsel; the zombie-provision diagnosis, the three-risk / three-layer concentric-circle architecture, and the statutory reinterpretations are Xu Ke's.* --- ## The 'Rights Block' — Xu Ke's Structural Theory Behind China's Data-Property Framework - Published: 2026-05-28 - Author: DCC Editorial - Tags: data-property-rights, data-rights-theory, data-twenty, data-economy, commentary - Laws cited: data-foundation-system-opinions, pipl, dsl, data-property-rights-registration-guide-draft - Domains: data-economy, personal-information, data-security - URL: https://datacompliancechina.com/posts/xu-ke-data-rights-block-structure/ - Markdown: https://datacompliancechina.com/posts/xu-ke-data-rights-block-structure.md - Original source: https://mp.weixin.qq.com/s/0l_QZgvXbMKQ2I50aOqxaA - Original author: 许可 (Xu Ke), UIBE - Original publication: 《政法论坛》(Tribune of Political Science and Law), Issue 4, 2021, pp. 86-96; reposted via 政法论坛 WeChat Official Account ### Description Xu Ke's highly-cited (255×) 政法论坛 article on the structure of data rights — the theoretical scaffolding that the Data 20 Articles' three-rights framework rests on. He maps the field's two warring paradigms (formalist 'empowerment' vs substantivist 'conduct regulation'), argues both fail alone, and integrates them via a 'reflexive law' approach. The payoff is a taxonomy of three possible rights structures — rights-ball, rights-bundle, rights-block — and the case that the 'data rights block' (数据权利块) best fits data's 'one principle, many manifestations' character. For overseas counsel, this is the conceptual map that explains why Chinese data rights are structured the way they are — and why Western property and IP analogies keep failing. ### Body > *Editor's Note — DCC.* > > This is the theory piece under the theory pieces. Published in > 《政法论坛》in 2021 — before the Data 20 Articles — and cited 255 > times since, Xu Ke's "Data Rights: Paradigm Integration and Normative > Differentiation" is the structural-theory scaffolding that the > three-rights framework (hold / use / operate) and the > [data-source-rights debate](/posts/wang-nian-data-source-rights-as-fair-use/) > both build on. For overseas counsel, its value is diagnostic: it > explains *why* Chinese data rights are structured the way they are, > and *why* the Western property / IP / license analogies keep > failing to map. DCC summarizes the framework; the deep > jurisprudential argument is in the original. ## The two warring paradigms Xu Ke frames the data-rights field as a contest between two paradigms: - **Formalism — the "empowerment" model (赋权模式).** Treats data rights as a *new property-style right* to be defined and assigned: who owns the data, what the owner can exclude, how the right transfers. The instinct is to build a data-ownership right analogous to property or IP. - **Substantivism — the "conduct regulation" model (行为规制).** Skeptical of defining a data-ownership right at all; instead regulates *behavior* — what processors may and may not do — through tort, competition, and data-protection rules, without ever vesting a property-style right. Each has a fatal weakness. The formalist empowerment model struggles because data isn't naturally exclusive or rivalrous — a single dataset can be held and used by many parties non-exclusively, which defeats the property analogy. The substantivist conduct-regulation model struggles because pure behavior-regulation can't support the *market* the data-element economy needs — you can't trade what you can't define a right over. Xu Ke's move: the two paradigms are "different roads to the same destination" and must be *integrated* — through a third paradigm he calls **reflexive law (反省法)**, which steps back from both to ask what *structure* data rights actually require. ## Three possible rights structures The integrating insight is structural. Xu Ke distinguishes three ways a "right" can be built: - **Rights-ball (权利球).** A unitary, indivisible right — like classical ownership. One owner, one solid sphere of entitlement. Doesn't fit data: data's value comes precisely from being usable by many parties simultaneously. - **Rights-bundle (权利束).** A bundle of separable sticks — like the Anglo-American "bundle of rights" property concept. Better, but Xu Ke argues it's too loose: the sticks are enumerated but not *structured*, so the bundle doesn't explain how the rights relate or cohere. - **Rights-block (权利块).** Xu Ke's proposal. A *structured* set of rights with a shared core and differentiated manifestations — capturing data's "**理一分殊**" character (one underlying principle, many concrete manifestations). The block has an "overall design rule" (整体设计规则) that gives the rights coherence and "individual design rules" (个别设计规则) that differentiate them by scenario. The "data rights block" (数据权利块), Xu Ke argues, both *integrates and improves* China's existing "separation of powers/functions" (权能分离) theory — the theory that the Data 20 Articles operationalized into hold / use / operate. And because it's a *block* (structured) rather than a *bundle* (enumerated), it connects coherently to the surrounding institutions: data security, data trading, statutory data use, data opening and sharing. ## Why this matters for the three-rights framework The Data 20 Articles' three-rights structure (hold / use / operate) is, in Xu Ke's terms, a *rights-block*: three rights sharing a common core (the underlying data), differentiated by function, structured rather than merely listed. This is why: - The three rights are **severable** (you can hold one without the others) — that's the "individual design rules." - The three rights are **non-exclusive** (multiple parties can hold the same right over the same data) — that's data's non-rivalrous nature, which the rights-block accommodates and the rights-ball cannot. - The three rights **cohere** (they're not a random bundle but a structured set) — that's the "overall design rule." For overseas counsel who've read [NDA's interpretation of the three rights](/posts/nda-three-rights-structural-separation/), Xu Ke's piece is the theoretical answer to the question "why is it structured this way?" The structure isn't arbitrary; it's the rights-block design responding to data's specific properties. ## Why Western analogies fail The piece's most useful contribution for overseas counsel is implicit: it explains *why* the instinct to map Chinese data rights onto Western property, IP, or license concepts keeps failing. - **Property (ownership) analogy fails** because it's a rights-ball — unitary and exclusive. Data rights are a rights-block — structured and non-exclusive. - **IP analogy fails** because IP protects single-author creation with exclusive rights; data is multi-party co-created and non-exclusive. - **License analogy partially works** but misses the structure: a license is a grant *from* an owner; the rights-block has no single owner to grant from — the rights are structurally co-held. The lesson: stop looking for the Western analog. The rights-block is a genuinely different structure, designed against data's properties (non-rivalry, multi-party creation, low replication cost). Counsel who internalize the structure operate the regime; counsel who keep reaching for analogies stay confused. ## What this tells overseas compliance teams - **Use the rights-block as the mental model, not the property/IP/license analogy.** When you encounter Chinese data-rights vocabulary (hold / use / operate, data-source rights, etc.), parse it as a structured rights-block — shared core, differentiated and severable manifestations, non-exclusive — rather than trying to find the Western equivalent. This is the single most useful conceptual correction for cross-border data lawyers. - **The "non-exclusive" property is load-bearing in contracts.** Because the rights-block accommodates multiple parties holding the same right over the same data, your Chinese data agreements can (and increasingly do) allocate non-exclusive use rights to multiple parties. Don't assume exclusivity as a default; specify it where you need it. - **The theory predicts the rulemaking.** Xu Ke's 2021 framework predicted the structure the Data 20 Articles (2022) adopted and the [Data Property Rights Registration Guide draft](/laws/data-property-rights-registration-guide-draft/) (2025) is operationalizing. Tracking the leading academic structural theory is a forward indicator of where registration, trading, and rights-confirmation rules go next. - **"理一分殊" is the design philosophy to internalize.** One underlying principle (the data), many differentiated manifestations (the rights, by scenario). This is why Chinese data rules proliferate scenario-specific sub-rules (sector catalogues, FTZ negative lists, public-data vs enterprise-data vs personal-data regimes) rather than one unified rule. Expect differentiation by scenario as the structural norm, not the exception. The structural takeaway: Chinese data-property law is built on a deliberate, theorized *structure* — the rights-block — not an improvised borrowing from Western property law. Xu Ke supplied that structure before the policy adopted it. For overseas counsel, the piece is the decoder ring: it tells you what *kind of thing* Chinese data rights are, which makes every downstream rule legible. --- — *许可, 数据权利:范式统合与规范分殊 (Data Rights: Paradigm Integration and Normative Differentiation), 《政法论坛》Issue 4, 2021, pp. 86-96; reposted via 政法论坛 WeChat Official Account. [Original article (Chinese).](https://mp.weixin.qq.com/s/0l_QZgvXbMKQ2I50aOqxaA)* *Not legal advice. The above is DCC's structured summary of Xu Ke's analysis, with framing for overseas counsel; the paradigm-integration argument and the rights-ball / rights-bundle / rights-block taxonomy are Xu Ke's.* --- ## When Does Data Become an Asset? Xu Ke on Identifying and Defining Data Assets - Published: 2026-05-28 - Author: DCC Editorial - Tags: data-asset, data-property-rights, data-on-balance-sheet, data-economy, commentary - Laws cited: data-foundation-system-opinions, pipl, public-data-authorized-operation-specifications, data-property-rights-registration-guide-draft - Domains: data-economy, personal-information - URL: https://datacompliancechina.com/posts/xu-ke-data-asset-identification/ - Markdown: https://datacompliancechina.com/posts/xu-ke-data-asset-identification.md - Original source: https://mp.weixin.qq.com/s/i8LzBioix-fTBB-_FcGC-g - Original author: 许可 (Xu Ke), UIBE - Original publication: 《企业家》杂志 (Entrepreneur Magazine); reposted via 企业家杂志 WeChat Official Account ### Description Xu Ke (UIBE), writing for a practitioner audience, draws the line between data resource (国家视角, public/strategic) and data asset (市场主体视角, commercial), then between the broad sense (anything that creates value for the enterprise) and the narrow sense (meets the MOF accounting-standard test for on-balance-sheet recognition — owned/controlled, generates economic benefit, reliably measurable). He works the three-rights framework into operational boundaries by data type (personal / enterprise / government) and flags the practical questions overseas counsel face when a Chinese counterparty wants to put data on its balance sheet. ### Body > *Editor's Note — DCC.* > > Xu Ke's two other pieces DCC published today are deep doctrine — the > [anonymization reconstruction](/posts/xu-ke-anonymization-zombie-provision/) > and the [rights-block structure](/posts/xu-ke-data-rights-block-structure/). > This one, written for *Entrepreneur Magazine*, is the practitioner- > facing complement: when does data actually become an *asset* a Chinese > enterprise can put on its books, and how do the three rights map onto > operational boundaries? It's the most directly useful of the three for > overseas counsel doing transactional or accounting-adjacent work with > Chinese counterparties — particularly as China's "data on balance > sheet" (数据入表) movement gathers pace. ## Resource vs asset — the two viewpoints Xu Ke's first distinction is between two vantage points: - **Data resource (数据资源) — the national viewpoint.** Introduced in the State Council's 2015 *Action Outline for Promoting Big Data Development*, "data resource" is a macro-economic positioning emphasizing data's *public attributes* and *strategic value*. - **Data asset (数据资产) — the market-actor viewpoint.** An enterprise's commercial framing: whether data can produce *actual value in business activity*. Two essential differences follow: 1. **Data resource carries plural interests** — public, individual, and enterprise. Data with strong public attributes or involving personal privacy can't be monopolized by an enterprise; from the national view it's an important resource, but it can't all be classed as enterprise assets. Data asset, by contrast, must point clearly to the enterprise's *commercial scenario*. 2. **Data asset has a narrow and a broad sense:** - **Narrow (accounting) sense** — meets the Ministry of Finance's *Enterprise Accounting Standards* test: the data can be owned or effectively controlled by the enterprise, can bring economic benefit, and its cost or value can be reliably measured — thus eligible for **"data on balance sheet" (数据入表)** as an accounting-recognized data asset. - **Broad sense** — any data that creates value for the enterprise. ## The three-part asset test Xu Ke gives enterprises a practical three-question test for whether their data has asset character: 1. **Does the data serve the enterprise's core business activity?** 2. **Can the enterprise own or effectively control the data?** 3. **Is there a clear value-realization (monetization) path?** His example: user-behavior data accumulated by an internet enterprise has asset character *if* it can be analyzed to optimize products or run precision marketing — i.e., if there's a realization path. ## Mapping the three rights onto operational boundaries The practitioner payoff: Xu Ke works the [three-rights framework](/posts/nda-three-rights-structural-separation/) into concrete operating boundaries by right and by data type. **By right:** - **Hold right (持有权)** — attribution of the original data resource; the defensive perimeter against others stealing, tampering, leaking, or destroying the held data. - **Use right (使用权)** — the right to process, analyze, apply; needs a defined scope, method, and compliance boundary. His example: a hospital using patient data for research must comply with PIPL and *ensure anonymization* to protect patient privacy — directly linking the use-right boundary to the [anonymization standard](/posts/xu-ke-anonymization-zombie-provision/). - **Operate right (经营权)** — commercialization of data products: authorization, trading, services. His example: when selling a processed data product to a third party, the parties must define rights and obligations clearly to ensure compliant circulation. **By data type:** - **Personal data** — use right must strictly follow PIPL and related rules. - **Enterprise operational data** — operate right is more market-regulated (left to the market). - **Government data** — public attribute must be clear; commercial use is limited to prevent private capture of public resources. ## What this tells overseas compliance teams - **Distinguish "data asset" (accounting) from "data we find valuable" (everything).** When a Chinese counterparty talks about its "data assets," clarify which sense — narrow (on-balance-sheet, MOF-standard-qualified) or broad (anything valuable). The narrow sense carries specific ownership/control, economic-benefit, and measurability requirements that bear on valuation, due diligence, and deal structuring. - **The three-question asset test is a useful diligence screen.** When valuing or acquiring a Chinese entity's data assets, run Xu Ke's test: core-business nexus, ownership/control, realization path. Data that fails any prong is unlikely to survive as a recognized asset — relevant to purchase-price allocation and rep-and-warranty scoping. - **Anonymization is the use-right boundary for personal data.** Xu Ke ties the use right for personal data directly to PIPL compliance and anonymization. If a deal contemplates using personal-data-derived assets, the anonymization posture (and its [risk-based, continuously-monitored standard](/posts/yao-qian-pi-anonymization-relativity/)) is the gating compliance question — not an afterthought. - **Data-on-balance-sheet is a live and growing practice.** China's 数据入表 movement (data assets recognized on corporate balance sheets under MOF rules effective 2024) means Chinese counterparties increasingly carry data assets on their books. Overseas counsel doing M&A, financing, or audit-adjacent work should expect to encounter recognized data assets and should understand the recognition basis (which traces back to the three-rights hold/control determination). - **Government-data commercial use is fenced.** Where a deal touches government / public data, the operate right is constrained — public attribute must be preserved, commercial use limited. Don't assume government-data-derived products can be freely commercialized; the public-data authorized-operation regime governs. The connective point across Xu Ke's three pieces: the [rights-block structure](/posts/xu-ke-data-rights-block-structure/) defines *what kind of thing* data rights are; the [anonymization reconstruction](/posts/xu-ke-anonymization-zombie-provision/) defines *how personal data exits the PI regime to become freely usable*; and this piece defines *when the resulting data becomes a recognized, monetizable, balance-sheet asset*. Together they trace the full arc from raw data to recognized asset — which is exactly the arc a multinational structuring a Chinese data transaction has to walk. --- — *许可, 数据资产的识别与界定 (Identifying and Defining Data Assets), 《企业家》杂志 (Entrepreneur Magazine); reposted via 企业家杂志 WeChat Official Account. [Original article (Chinese).](https://mp.weixin.qq.com/s/i8LzBioix-fTBB-_FcGC-g)* *Not legal advice. The above is DCC's structured summary of Xu Ke's analysis, with framing for overseas counsel; the resource/asset and narrow/broad distinctions, the three-question test, and the rights-by-data-type mapping are Xu Ke's.* --- ## From 'Cannot Be Restored' to 'Difficult to Restore' — TRIMPS on Whether Anonymization Is Absolute, and Whether It's Recipient-Relative - Published: 2026-05-28 - Author: DCC Editorial - Tags: anonymization, personal-information, de-identification, cross-border-data, commentary - Laws cited: pipl, csl, dsl, network-data-security-regulations - Domains: personal-information, data-security, cross-border - URL: https://datacompliancechina.com/posts/yao-qian-pi-anonymization-relativity/ - Markdown: https://datacompliancechina.com/posts/yao-qian-pi-anonymization-relativity.md - Original source: https://mp.weixin.qq.com/s/B420B2O-X0QYCi86slnuaA - Original author: 姚迁 (Yao Qian), TRIMPS Data Security Technology R&D Center - Original publication: 三所数据安全 (TRIMPS Data Security) WeChat Official Account ### Description The Third Research Institute of the Ministry of Public Security (TRIMPS) — the body behind China's classified-protection regime and national eID platform — takes on the two questions that determine whether anonymization actually gets data out of PIPL scope. First: does PIPL's 'cannot be restored' standard (Art 73) require re-identification probability of literally zero? The 2025 draft PI Anonymization Guide quietly softened it to 'difficult to restore,' aligning China with the GDPR 'all reasonable means' test and reframing anonymization as a dynamic, continuously-assessed, risk-based process rather than a one-time terminal state. Second: is anonymization recipient-relative — can the same dataset be PI in one party's hands and anonymized in another's? TRIMPS reads the EU SRB v EDPS case and UK ICO guidance toward 'yes,' with major implications for how overseas counsel structure data sharing and cross-border transfer. ### Body > *Editor's Note — DCC.* > > Anonymization is the single most consequential threshold in Chinese > PI law: PIPL Article 4 excludes anonymized information from the > definition of personal information, so anonymized data falls *outside* > the entire PIPL compliance regime — no consent, no cross-border > assessment, no deletion right. Which makes the question "is this data > actually anonymized?" one of the highest-stakes determinations a > compliance team makes. This TRIMPS piece — by 姚迁 (Yao Qian) of the > institute's Data Security Technology R&D Center — works two > sub-questions that the bare statutory text leaves open: whether the > standard is *absolute* (re-identification probability zero) or > *risk-based*, and whether it's *recipient-relative*. TRIMPS is the > body that helps write the implementing standards, so its reading is > an early signal of where the compliance bar settles. DCC reproduces > the analysis with framing for overseas counsel. ## Why anonymization is the threshold that matters PIPL Article 4 defines personal information as information relating to identified or identifiable natural persons — and **expressly excludes anonymized information**. The consequence is categorical: once data is genuinely anonymized, it leaves PIPL's scope entirely. No legal basis required for processing, no PIIA, no cross-border security assessment, no individual rights to honor. The compliance-cost differential between "anonymized" and "merely de-identified" is enormous. That differential is exactly why the determination gets abused. Yao opens by flagging a recurring practice problem: data handlers describe their processing as "de-identification" / "desensitization" / "pseudonymization" (去标识化 / 脱敏 / 假名化) while simultaneously claiming the output "cannot be restored," "cannot identify any specific subject," "has no possibility of identifying any individual" — language that actually asserts the *anonymization* legal standard. The conflation is not cosmetic: if the output truly meets the anonymization bar, it should be characterized as anonymized *with supporting proof*; if it only reaches de-identification, the data **remains personal information** and stays fully within PIPL. ## Question 1 — Is "cannot be restored" an absolute zero? PIPL Article 73 defines the two tiers precisely: - **De-identification (去标识化)** — processing such that PI cannot identify a specific natural person *without additional information*. Reversible if recombined with the additional information. - **Anonymization (匿名化)** — processing such that PI cannot identify a specific natural person *and cannot be restored*. The added requirement is **irreversibility**. The literal text — "cannot identify" + "cannot be restored" — reads as an *absolute* standard. Yao's question: does anonymization require re-identification probability to drop to literally zero? ### International practice says no Yao surveys the comparative position, which trends clearly against the absolutist reading: - **GDPR** defines anonymous information as data that does not relate to an identifiable person, or is processed such that the subject is no longer identifiable — and requires accounting for **"all the means reasonably likely to be used"** to identify. A reasonableness test, not an absolute one. - **Spanish DPA + EDPS, "Ten Misunderstandings about Anonymisation"** — explicitly names "anonymisation can always reduce re-identification probability to zero" as a *misconception*. A valid anonymization process aims to reduce re-identification probability *below a defined threshold*, not to zero. - **Singapore PDPC, Basic Anonymisation Guide** — anonymization means "very low" re-identification risk, not absolute impossibility; it should be treated as a *risk-based process* combining anonymization techniques and safeguards. ### China's 2025 draft Guide softens the text The pivotal development: China's **2025 draft *Personal Information Protection — PI Anonymization Guide*** (个人信息匿名化指南(征求意见稿)) addresses the question directly — and shifts the wording. Where PIPL Article 73 says "cannot be restored" (不能复原), the draft Guide says anonymized information is **"difficult to restore" (难以复原) without paying high cost**. Yao flags this as a deliberate loosening: "difficult to restore" concedes that anonymization is *not* absolute irreversibility but rather **high irreversibility under prevailing technology and reasonable cost constraints** — the GDPR "reasonable means" logic, arriving in the Chinese standard through the back door of a definitional gloss. The draft Guide adds a second move that matters as much: anonymization is **not a one-time achievement**. As use continues and technology advances, previously anonymized data that *becomes* re-identifiable reverts to personal-information status — so the handler must **continuously assess re-identification risk** on anonymized data. Anonymization is reframed as a *dynamic, continuously-monitored process*, not a terminal state reached once and relied on forever. ## Question 2 — Is anonymization recipient-relative? The second question is the one with the largest structural consequence: does the anonymization determination depend on *who holds the data*? The scenario: a dataset is personal information in Party A's hands (A has the re-identification capability or the key), but in Party B's hands — where B lacks any reasonable means to re-identify — could the *same dataset* be anonymized? PIPL doesn't specify whose identification capability the "cannot identify / cannot restore" standard refers to, leaving interpretive room. ### International practice trends toward "yes" - **UK ICO** (Anonymisation, Pseudonymisation and Privacy Enhancing Technologies guidance) — the same information may be personal data in one organization and anonymous in another; status depends on the *context* it sits in. - **EU — SRB v EDPS** — the EU General Court, citing the *Breyer* case (C-582/14), advanced a "**relativity of personal data**" position: data status turns on whether *the recipient* can reasonably identify the individual, not on the controller's identification capability. In that case, Deloitte (the recipient) received only coded comments, held no decoding key, and had no lawful route to the additional identifying information — so, *for Deloitte*, the data was anonymized, and the controller (SRB) had no notification duty. Even the EU — which had insisted pseudonymized data is not anonymized — has moved toward subject-relativity in the case law. ### The operative formula Yao distills the recipient-relative logic into a clean formula: > **De-identified (pseudonymized) data + a specific recipient with no reasonable re-identification capability = anonymized data — *but only as to that specific recipient*.** The practical upside: de-identified data can be *non-personal-information in the hands of a recipient that can't re-identify it*, which creates a technical buffer space for data sharing and reduces compliance burden on the sharing side. The practical cost: the *same dataset* can carry *different legal characterizations at different points in its flow*, multiplying case-by-case assessment complexity and uncertainty. ## TRIMPS's three recommendations Yao closes with three operational recommendations — notable because they come from the institute that helps set the standards. ### 1. Standardize concept usage Strictly distinguish "de-identification (covering desensitization, pseudonymization)" from "anonymization," and use the terms precisely in all documents and plans — no conflation. For each processing step, document the specific technique and its corresponding security level. Above all, **answer the core question directly: is the processing target de-identification or anonymization?** The two carry fundamentally different legal consequences and cannot be blurred. ### 2. Introduce case-by-case (recipient-perspective) assessment Because anonymization is not zero-risk, the provider's unilateral anonymization processing alone does not eliminate post-transfer re-identification risk. Before data leaves the domain, conduct a **recipient-specific re-identification risk assessment** for each intended recipient — factoring in that recipient's data environment, technical capability, and already-held correlatable data — and set differentiated security controls accordingly. Yao suggests commissioning an independent third-party assessor to opine, per recipient, on whether the data "may still constitute personal information in that specific recipient's environment," as the basis for cross-border / out-of-domain approval. ### 3. Implement the recipient's assessment obligation + contractual no-re-identification clause Given that subject-relativity is not yet settled in Chinese law, the *recipient* should, before ingesting the data, commission an independent specialist assessment of whether the data meets the anonymization standard *in the recipient's own environment and technical conditions* — with a written report as a required approval artifact. And critically: **contractual constraint is the key institutional safeguard for maintaining the anonymized state.** The most important clause is the **no-re-identification obligation** — the recipient must not use its own technical means or data resources to reverse-identify or re-link the anonymized data it received. ## What this tells overseas compliance teams - **"Anonymized" is a load-bearing legal claim — document it like one.** The compliance-cost gulf between de-identified (in PIPL scope) and anonymized (out of scope) makes the determination a high-value target for scrutiny. Don't let processing be described in de-identification vocabulary while claiming anonymization effect. Pick the target standard explicitly and prove it. - **Stop treating anonymization as a one-time terminal state.** The draft Guide reframes it as dynamic and continuously-assessed: anonymized data that *becomes* re-identifiable (through your later data accretion, or advancing technique) reverts to PI status, with full PIPL obligations re-attaching. Build a *recurring* re-identification-risk review into the data lifecycle, not a one-time sign-off. - **The "difficult to restore" softening is a double-edged development.** It makes anonymization *achievable* (you don't need to prove literal-zero re-identification), but it also makes it *contestable* (the bar is now a reasonableness/threshold judgment a regulator can second-guess). The defensible posture is a documented, threshold-based risk assessment — not an absolute "impossible to restore" assertion you can't actually support. - **Recipient-relativity is the most useful — and most fragile — lever.** If the relativity reading holds, de-identified data shared with a recipient that demonstrably can't re-identify it may be non-PI *for that recipient*, easing the sharing side's burden. But the determination is recipient-specific and context-dependent; the same dataset is PI again the moment it reaches a party with re-identification capability. For cross-border transfer especially, assess each recipient's environment individually — don't treat anonymization as a property of the dataset alone. - **The no-re-identification contractual clause is now table stakes.** Where you rely on recipient-relative anonymization (or share de-identified data at all), the receiving-party contract must include an explicit prohibition on re-identification and re-linking, backed by the recipient's data-security obligations. TRIMPS treats this as *the* institutional safeguard maintaining the anonymized state — build it into every data-sharing and cross-border agreement. - **Watch the PI Anonymization Guide to final.** The 2025 draft is the document that will operationalize all of the above. When it finalizes, the "difficult to restore" standard, the continuous-assessment obligation, and (possibly) a position on subject-relativity will become the operative compliance baseline. Track it; pre-position your anonymization methodology and documentation against it. The deeper signal in a TRIMPS piece on this topic: the institution that anchors classified protection and the national eID platform is telling the market that anonymization is a **risk-managed, continuously-assessed, recipient-aware** process — not a one-time technical scrub that permanently exits PIPL. Overseas teams that have been treating "we anonymized it" as a durable get-out-of-PIPL card should expect that posture to be tested. The compliance-grade approach — documented threshold assessment, per-recipient evaluation, continuous monitoring, contractual no-re-identification — is the one TRIMPS is signaling the standard will require. --- — *姚迁, 个人信息匿名化的一些问题 (Some Questions on Personal Information Anonymization), 三所数据安全 (TRIMPS Data Security) WeChat Official Account. [Original article (Chinese).](https://mp.weixin.qq.com/s/B420B2O-X0QYCi86slnuaA)* *Not legal advice. The above is DCC's structured summary of Yao's analysis, with framing for overseas counsel; the comparative survey, the "cannot restore" → "difficult to restore" reading, the subject-relativity analysis, and the three recommendations are Yao's.* --- ## Zhu Xiaofeng — Who Pays When GenAI Causation Is Unclear? Applying Civil Code Article 1254 by Analogy - Published: 2026-05-28 - Author: DCC Editorial - Tags: ai-governance, genai, personal-information, causation, liability, commentary - Laws cited: pipl, civil-code-personal-info, genai-services-interim-measures, personal-info-audit-measures - Domains: ai-governance, personal-information, data-security - URL: https://datacompliancechina.com/posts/zhu-xiaofeng-genai-pi-causation-unclear-liability/ - Markdown: https://datacompliancechina.com/posts/zhu-xiaofeng-genai-pi-causation-unclear-liability.md - Original source: https://mp.weixin.qq.com/s/V1EbvwB4Ib-fc5j0EgT3Zw - Original author: 朱晓峰 (Zhu Xiaofeng), Central University of Finance and Economics Law School - Original publication: 《政法论坛》(Tribune of Political Science and Law), Issue 6, 2025; reposted via 数字经济与法治 WeChat Official Account ### Description Zhu Xiaofeng (Central University of Finance and Economics Law School) takes on the GenAI causation black hole — when a personal-information harm clearly arises from a GenAI service but specific causation among model designer, model provider, model user, and data provider cannot be established, who pays? Zhu's structural answer: when conventional construction-element-analysis and Article 998 interest-balancing both fail (and they do), apply Civil Code Article 1254's 'unclear-causation' rule by analogy — the same rule used for falling-object-from-building cases. The doctrinal scaffolding: communication-safety theory, gain-and-risk allocation theory, causation proof + harm prevention. Critically: each potential injurer compensates the full damage; among themselves, allocation is proportional, with judges determining specific amounts case-by-case. Highly relevant for multinationals deploying GenAI in China — the proposed framework restructures the operating liability surface. ### Body > *Editor's Note — DCC.* > > Zhu Xiaofeng's piece in 《政法论坛》(*Tribune of Political Science and > Law*, a top-tier Chinese law journal) takes on the question every > GenAI-deploying multinational will eventually face: when a personal- > information harm arises from a GenAI service, but the specific causal > link to any one actor (model designer, model provider, model user, > data provider) cannot be established, who pays? Zhu's answer is > doctrinally bold and operationally consequential: apply Civil Code > Article 1254 — the rule originally designed for harm from objects > falling from buildings of indeterminable origin — by analogy. The > framework is currently a doctrinal proposal in a top journal; it is > the kind of proposal that, in Chinese legal practice, often > crystallizes into judicial-interpretation doctrine and then into > rulemaking within 18-36 months. Multinationals deploying GenAI in > China should design liability allocations and indemnities against > this contemplated framework now. ## The structural problem Generative AI personal-information torts involve a typical actor cast: - **Model designer** — built the foundational model - **Model provider** — operates the GenAI service - **Model user** — the entity (often a downstream enterprise) deploying the model - **Data provider** — supplied the training data or in-context data PIPL Article 69 paragraph 1 establishes presumed fault for PI processors — so once a specific causation link is identified, the actor must prove non-fault to escape liability. Multi-actor liability allocation considers comparative fault and contribution. **The problem:** in GenAI cases, the specific causation link is structurally hard to establish. Three reasons: - **Algorithmic black-box** — the model's internal decision pathway is opaque even to the operator. - **Training-data cleansing** — data has been transformed, aggregated, and stripped of provenance. - **Interactive learning** — the model's behavior changes through ongoing user interaction, fragmenting causation across actors and time. Result: the victim cannot prove which specific actor's conduct caused the PI harm. Under the standard "burden on plaintiff to prove causation" rule, the victim recovers nothing. The PIPL's stated purpose — comprehensive PI protection — is structurally defeated. ## Why the existing frameworks don't fix this Zhu walks through the existing doctrinal candidates and explains why each fails. ### Civil Code Article 1165 (general tort) — fails The construction-element approach: plaintiff must prove (a) injury, (b) tortious conduct, (c) causation. The plaintiff cannot prove causation in the GenAI black-box context, so the claim fails. Article 1165 cannot accommodate the unclear-causation scenario. ### Civil Code Article 998 (interest balancing) — fails For non-material personality-rights infringement, Article 998 allows the judge interest-balancing discretion in evaluating culpability. But Article 998's discretion operates within the construction-element framework — it doesn't relax the causation requirement. The plaintiff still has to provide *prima facie* evidence of causation between the conduct and the harm. The Article 998 framework cannot substitute for the missing causation evidence. ### Burden-shifting alone — fails Some Chinese scholarship has proposed shifting the burden of proving causation to the defendants. Zhu accepts this is a necessary half-step but argues it's insufficient: even with burden-shifting, where multiple potential defendants each independently demonstrate non-causation for their specific conduct, the victim still recovers nothing. The structural problem is not just *who* bears the burden; it is that *no specific defendant* can be identified as the cause. ### Inferring liability from "principal direct tortfeasor" — fails Where downstream third-party actors are involved, the model-designer / provider / data-provider's contribution is often absorbed into the analysis of the principal direct tortfeasor's act. The exception is *Remsburg v. Docusearch* (US 2003), but the US precedent has been narrowly cabined. Chinese courts have not adopted a comparable framing. ## Zhu's framework: three doctrinal justifications Zhu argues for an analogical extension of Civil Code Article 1254 (unclear causation in building-falling-object cases). Three doctrinal foundations: ### 1. Communication-safety theory (交往安全) The principle: whoever creates or maintains a risk to others has an obligation to take all appropriate and reasonable measures to control the risk and prevent its materialization. Applied to GenAI: - **GenAI model designers and providers** opened and maintain the risk (the GenAI technology cannot operate without large-scale PI processing, and the model's interactive-learning behavior generates ongoing PI risk). - **GenAI model users** maintain the risk (their use of the technology is what activates the harm potential). - **Data providers** contribute to the risk (their data supply enables the PI-processing risk surface). Each is therefore subject to a communication-safety obligation; failure to discharge it grounds liability *even where specific causation is unclear*. ### 2. Gain-and-risk allocation theory The principle: whoever benefits most from a risk should bear most of the downside. Applied: - Model designers, providers, users, and data providers benefit substantially from GenAI deployment. - PI subjects bear the harm cost but receive minimal benefit. Allocating all downside to the PI subject — on the technicality that specific causation isn't proven — produces an inversion of the gain/risk-allocation justice principle. Better: distribute the harm cost across the actors that benefit. ### 3. Causation-proof difficulty + harm-prevention PI causation in GenAI is *structurally* difficult to prove, not just fact-specifically difficult. The doctrine should accommodate this. Additionally, requiring potential actors to bear shared liability creates incentives for them to *prevent harm in the first place* — supporting the harm-prevention function of tort law beyond the compensation function. The combined justification: communication-safety + gain-risk-allocation + structural-causation-difficulty + harm-prevention provide overlapping doctrinal grounds for the unclear-causation rule. ## The proposed rule: Article 1254 by analogy Civil Code Article 1254 was originally designed for harm from objects dropping or being thrown from buildings: if the specific actor cannot be identified, *all* potentially-causal users of the building must compensate the victim, with judges determining proportional allocation among them. Zhu's proposed application to GenAI: **(1) Trigger condition.** Where (a) PI harm has demonstrably occurred, (b) the harm clearly originates from a specific GenAI service or product, and (c) which specific actor's conduct caused the harm cannot be established despite reasonable investigation. **(2) Liability scope.** Each potentially-causal actor (model designer, provider, user, data provider) compensates the *full* damage to the victim. The victim is not required to litigate among the actors; the actors must absorb the joint exposure. **(3) Inter-actor allocation.** Among the actors, the allocation is *proportional* (按份关系). Judges determine the specific amounts case-by-case, considering: - Each actor's role in opening / maintaining the risk - Each actor's safeguards (or lack thereof) - Each actor's economic benefit from the risky activity - Comparative-fault factors **(4) Escape mechanism.** Actors that affirmatively prove their conduct is not causally connected to the specific harm can be excluded from the liability pool. This preserves the differential-incentive property — actors that invest in safeguards and can demonstrate non-causation are released from joint liability. ## How this connects to the existing framework Zhu carefully positions the framework as *complementary* to existing PIPL and Civil Code structures, not as a replacement: - **Where specific causation IS established** — PIPL Article 69 paragraph 1's presumed-fault rule continues to apply. - **Where multi-actor liability applies** — Article 1170 (joint dangerous conduct) or Article 1171 (joint conduct) continue to apply as appropriate. - **The Article 1254 analogy applies specifically to** — the structural unclear-causation case where the conventional frameworks systematically under-protect the victim. This is doctrinally tidy: the proposed rule fills a specific gap without disturbing the broader liability architecture. ## What this tells overseas compliance teams - **The unclear-causation gap will get filled.** Even if Zhu's specific Article 1254 analogy proposal isn't ultimately adopted, *some* framework will fill the gap — the alternative (continued under-protection of PI victims in GenAI cases) is not politically sustainable as GenAI deployment scales. Multinationals deploying GenAI in China should design liability and indemnity frameworks against the contemplated joint-liability outcome. - **Joint-liability allocation across the GenAI supply chain becomes the operating norm.** If you are a model designer, model provider, GenAI service user, or data provider in any role for a Chinese-market GenAI service, plan for the scenario where *you become a defendant in a PI case where no single actor can be specifically blamed*. The contemplated framework imposes joint-liability exposure regardless of your specific causal contribution. - **Demonstrable safeguards and audit-able compliance records are now operationally consequential.** The escape mechanism in Zhu's proposed framework — actors who can prove non-causation are released — creates a differential incentive. Actors that maintain comprehensive PIIA documentation, algorithmic-decision audit logs, training-data provenance documentation, and verifiable safeguard implementations have a defensible exit from the liability pool. Actors that don't, don't. - **Contractual allocation across the GenAI supply chain becomes essential.** Designers, providers, users, and data providers should contract — explicitly — on liability allocation, indemnification, and cooperation in the event of a joint-defendant scenario. The contracts should anticipate (a) joint-defendant status, (b) information-sharing obligations to support each party's non-causation defense, (c) cost-allocation in joint defense and joint settlement. - **Insurance becomes structurally important.** The US insurance-and-industry-fund model Zhu references is one operational answer. Multinationals operating GenAI in China should evaluate (a) cyber/tech-liability policies specifically covering joint-liability exposure from unclear-causation PI scenarios, (b) industry-fund or pool arrangements where available, (c) coverage extensions for the comparable-position actors in your GenAI supply chain. - **The PIIA + audit infrastructure does double duty.** PIIA (PI Impact Assessment) and the [PI Audit Measures](/posts/pipo-vs-dpo-pi-protection-officer-comparison/) regime are not just direct compliance obligations — they are the *evidentiary infrastructure* for proving non-causation in a joint-defendant case. Invest accordingly. The deeper doctrinal point Zhu's piece signals: Chinese GenAI tort law is, structurally, going to look very different from the US negligence-and-product-liability approach or the EU AI Act / GDPR approach. The Chinese frame will lean on Civil Code architecture, Continental civil-law doctrine, and joint-liability mechanisms in ways that don't translate cleanly into Western analogies. Multinationals that build compliance programs against the *coming* Chinese frame — joint-liability, evidentiary-defense infrastructure, contractual allocation across the supply chain — will operate the regime efficiently. Multinationals that wait for the regime to crystallize will be reverse-engineering liability allocations into already-deployed GenAI services under unfavorable conditions. --- — *朱晓峰, 生成式人工智能个人信息侵权因果关系不明时的责任认定 (Liability Determination for Generative AI Personal Information Torts Where Causation Is Unclear), 《政法论坛》(*Tribune of Political Science and Law*), Issue 6, 2025; reposted via 数字经济与法治 WeChat Official Account, November 25, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/V1EbvwB4Ib-fc5j0EgT3Zw)* *Not legal advice. The above is DCC's structured summary of Zhu's analysis, with framing for overseas counsel; the three-pillar doctrinal justification and the Civil Code Article 1254 analogy proposal are Zhu's.* --- ## Ai Lin — Why Platform Gig Workers Need PI-Protection Tilt and How to Build It - Published: 2026-05-28 - Author: DCC Editorial - Tags: personal-information, platform-economy, gig-economy, employment, commentary - Laws cited: pipl, civil-code-personal-info, algorithmic-recommendation-provisions, personal-info-audit-measures - Domains: personal-information, app-compliance - URL: https://datacompliancechina.com/posts/ai-lin-platform-gig-worker-pi-protection/ - Markdown: https://datacompliancechina.com/posts/ai-lin-platform-gig-worker-pi-protection.md - Original source: https://mp.weixin.qq.com/s/vl6-9obLhfkCA8p5qEvw2g - Original author: 艾琳 (Ai Lin), Jilin University Law School and Theoretical Law Research Center - Original publication: 《政治与法律》(Political Science and Law), Issue 3, 2026; reposted via 数字经济与法治 WeChat Official Account ### Description Ai Lin (Jilin University Law School) takes on the under-attended question of personal-information protection for platform gig workers — the food-delivery couriers, ride-hail drivers, freight drivers, and 'internet marketers' who occupy China's new-employment-form category. The structural problem: PIPL's individual-consent baseline doesn't work in employment relations where the worker has no meaningful bargaining power against the platform's algorithmic management. Ai imports the alienated-labor framework from Marx and the 'scenario fairness' principle from contextual integrity to argue for a tilt-protection regime. Three operational responses: enhanced transparency + tiered PI safeguards; treating algorithmic rules as workplace regulations subject to collective bargaining; full-process regulatory accountability. Highly relevant for multinationals operating platform-gig models in China or contracting with Chinese platform workforces. ### Body > *Editor's Note — DCC.* > > Ai Lin's piece in 《政治与法律》(*Political Science and Law*) takes > the operational reality of platform-economy work — couriers tracked > minute-by-minute by algorithms, drivers penalized for deviating from > optimal routes, workers whose physical labor is shaped by software — > and asks the question PIPL doesn't answer: what does individual- > consent-based PI protection mean when the "individual" has no > realistic alternative to consent? Ai's framework draws on labor-law > doctrine (tilt protection for the structurally weaker party) and on > contextual-integrity theory (consent must be evaluated within the > power relation it occurs in), to argue for a hybrid PI-and-labor > regime for platform gig workers. The piece is relevant for any > multinational running platform models in China — including > e-commerce platforms with contractor delivery, ride-hail expansion, > and the broader category of "internet-employed professionals" > (网约配送员 / 网约车驾驶员 / 货车司机 / 互联网营销师). ## The structural problem China's "new employment form" (新就业形态) — gig workers operating through platforms — has grown into one of the most consequential labor categories. The PI dimension is what makes it distinctive from earlier gig-economy analyses: every gig worker's labor process is **algorithmically observed and algorithmically directed**, generating continuous PI flows. PIPL's baseline approach assumes the individual is a knowing consent-grantor with realistic alternatives. Both assumptions break down in the platform-gig context: - **Worker has no realistic alternative to consent.** Joining a platform requires clicking "agree" to extensive PI collection — location, route, behavior, biometric, sometimes more. Refusing means no work. - **Worker has no meaningful negotiation power.** A single worker can't bargain with the platform over what's collected or how it's processed. Individual contractual remedies are practically unavailable. PIPL Article 13 (consent baseline), Article 14 (consent requirements), Article 15 (revocation right), and Article 24 (automated decision-making transparency) all assume a degree of individual leverage the platform context strips away. The Civil Code's Article 1035 consent requirement similarly assumes a baseline that gig work doesn't provide. Ai's diagnosis: PIPL is structurally designed for vertical PI-protection relationships (subject ↔ processor) and fails to account for the structural-asymmetry that defines the platform-gig context. ## The conceptual frame — alienated labor + scenario fairness Ai's analytical move imports two frameworks. ### The alienated-labor frame Marx's 1844 framework of *labor alienation* (异化劳动) maps surprisingly well onto platform-gig work, in three respects: **(1) Alienation of worker from product.** Platform algorithms set delivery time based on previous workers' performance, then punish deviation. As workers compete to set faster times, the "fastest extreme" gets absorbed into the algorithm's expectations, displacing the previously normal pace. The worker's contribution shapes the algorithm against itself. **(2) Alienation of worker from labor process.** The worker's location, movement, and behavior are continuously monitored. Deviation from the platform's algorithmically-determined optimal route triggers penalty. Worker autonomy over the labor process is mostly nominal. **(3) Alienation of worker from the platform.** The platform's ownership of the information infrastructure — not the worker's tools (vehicle, phone) — is the dominant means of production in the gig economy. The platform's information control is its labor-control mechanism. The framework justifies treating platform-PI processing not as a neutral consent transaction but as the *primary mechanism* through which a structurally asymmetric employment relation operates. ### The scenario-fairness frame The "scenario fairness" (场景公正) principle requires PI protection to be evaluated *in the specific context* where the data flow occurs — not against a generic consent baseline. Privacy theorist Helen Nissenbaum's *contextual integrity* framework is the underlying reference. Application: in the platform-gig context, the relevant context is *employment-equivalent*, not *consumer-equivalent*. PIPL's consumer-equivalent baseline (full individual consent, unilateral revocation) is the wrong framework. The right framework is *employment-tilted* protection — closer to labor law's structural recognition that the employer holds the bargaining advantage and the law must compensate. ## The legal-status question A central debate Ai addresses: are platform gig workers employees (subject to traditional labor law) or independent contractors (subject only to commercial law)? Ai's answer: it doesn't matter for PI protection purposes — even where formal employment status is absent, the **economic-dependence** factor that justifies labor-law tilt protection is fully present. The court precedent Ai cites: a court found a platform delivery worker had: - Labor that was an *integral component* of the platform's business - Payment calculated on completed-work-quantity basis - *No decision-making authority* over labor pricing or terms - Income from the platform as the *primary livelihood source* This established *economic dependence* sufficient to support tilt protection, even though formal employment relationship status was disputed. The doctrinal implication: PI protection for platform gig workers should *apply tilt protection irrespective of formal employment status*. The structural-asymmetry justifying tilt is present in any case; binding the doctrine to formal employment classification produces under-protection in the cases where it's most needed. ## The three operational responses Ai proposes three integrated responses. ### Response 1 — Enhanced transparency + tiered PI safeguards The traditional PI-protection toolkit (transparency requirements, sensitivity-based handling) needs to be intensified in the platform-gig context. **Transparency.** Platform-gig workers should have explicit visibility into what PI is being collected, how it's being processed, and how algorithmic decisions are made. The current model — where workers click "agree" to a generic privacy policy without genuine notice — does not satisfy PIPL's transparency principles when applied with structural-asymmetry-awareness. **Tiered safeguards.** Different categories of platform-collected worker PI carry different harm potential and should have different protection levels. Real-time location data, biometric data, and behavioral pattern data warrant the highest tier; basic identity data warrants standard tier. The platform's processing decisions should be tier-calibrated. ### Response 2 — Algorithmic rules as workplace regulations subject to collective bargaining This is Ai's most operationally novel contribution. The argument: the platform's *algorithmic processing rules* function — practically — as workplace regulations. They determine work allocation, work pace, work evaluation, and effectively work compensation. They should be: - **Disclosed** under the same regime as formal workplace regulations - **Subject to procedural review** before deployment or material change - **Negotiable through collective representation** of the platform's worker community - **Modifiable through bargaining** rather than only through platform-unilateral revision In effect: import labor law's collective-bargaining structure into the PI-and-algorithmic-management context. The structural argument: individual consent doesn't work; collective negotiation is the only realistic mechanism for genuine worker input into the algorithmic rules that shape their work. Practically, this would require either: - A new statutory framework recognizing platform-worker collective entities for PI / algorithmic-rule negotiation purposes - Reading existing labor-law collective-bargaining structures into the platform-gig context by analogy - A regulatory rule (e.g., from CAC or MIIT) requiring platforms to disclose algorithmic rules and accept consultation processes ### Response 3 — Full-process regulatory accountability The current PI enforcement regime focuses on collection-stage consent. For platform gig workers, the practically consequential decisions happen at the *processing* and *decision-making* stages — what the algorithm does with the data, what penalties it imposes, what behavioral incentives it creates. Ai proposes regulatory accountability across the full data lifecycle: - **Collection stage** — verified disclosure and consent; tiered handling for sensitive categories. - **Processing stage** — algorithmic decision-making transparency; pre-deployment review for material algorithmic changes; auditable processing logs. - **Decision-stage** — appealable algorithmic decisions; human-review channel for adverse outcomes; remediation pathway when algorithmic decisions cause economic harm. The proposed mechanism: integrate this into the existing PI Audit framework (the [PI Audit Measures](/posts/pipo-vs-dpo-pi-protection-officer-comparison/)) and the algorithmic-recommendation rules, with platform-gig contexts treated as high-priority audit categories. ## What this tells overseas compliance teams - **Platform-gig PI is a high-priority sub-regime now.** Multinationals running platform models in China — food delivery, ride-hail, freight, last-mile logistics, online services where contractors operate through platform apps — should not assume the consumer-PI framework applies cleanly. The doctrinal and regulatory framework is moving toward employment-tilted protection. - **Individual-consent compliance is structurally insufficient.** Multinationals can no longer rely on PIPL-style individual consent as the operating PI baseline for platform gig workers. Expect rulemaking, enforcement, and litigation to begin imposing collective-consideration, structural-fairness, and tiered-safeguard expectations even where the formal employment relationship is disputed. - **Algorithmic management transparency will become a compliance baseline.** Where your platform model uses algorithmic work allocation, pacing, or evaluation that affects gig workers' compensation, expect to face increasing requirements to (a) disclose the algorithmic rules, (b) provide notice of material changes, (c) accept consultation channels with the worker community, (d) provide appealable decision review. Build these into the compliance program now rather than retrofitting. - **The PI Audit Measures are the operational lever.** Where regulators want to enforce against under-protected platform-gig PI handling, the PI Audit Measures provide the direct authority. Multinationals should expect platform-gig PI to become a recurring audit-focus area; the audit program should specifically address PI handling for non-employee workers. - **Sectoral rulemaking is the likely vehicle.** The PI-and-algorithmic-management protection regime for platform workers will most plausibly arrive through (a) CAC algorithmic-management rule revisions, (b) MIIT app-compliance bulletins targeting algorithmic-worker-management practices, (c) Ministry of Human Resources and Social Security guidance on new-employment-form labor protection. Watch all three vectors. The structural shift Ai signals: Chinese data law is starting to recognize that PIPL's consumer-equivalent framework cannot govern *employment-equivalent* contexts. The doctrinal layer is articulating the framework now; the rulemaking layer will follow within 12-24 months. Multinationals operating platform models that touch Chinese workers — direct or indirect — should design for the *future* PI-and-labor-tilted regime, not the *current* PI-only baseline. --- — *艾琳, 平台用工中个人信息保护的困境表现与规则回应 (The Difficulties and Rule Responses for Personal Information Protection in Platform Employment), 《政治与法律》(*Political Science and Law*), Issue 3, 2026; reposted via 数字经济与法治 WeChat Official Account, May 7, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/vl6-9obLhfkCA8p5qEvw2g)* *Not legal advice. The above is DCC's structured summary of Ai's analysis, with framing for overseas counsel; the alienated-labor framework, the scenario-fairness application, and the three-response operational framework are Ai's.* --- ## Tang Linyao — Data-Broker Derivative Harms and the 'Data Integration Analysis Framework' - Published: 2026-05-28 - Author: DCC Editorial - Tags: data-economy, data-broker, data-exchange, derivative-harm, privacy, commentary - Laws cited: data-foundation-system-opinions, pipl, dsl, personal-info-audit-measures, network-data-security-regulations - Domains: data-economy, data-security, personal-information - URL: https://datacompliancechina.com/posts/tang-linyao-data-broker-derivative-harms/ - Markdown: https://datacompliancechina.com/posts/tang-linyao-data-broker-derivative-harms.md - Original source: https://mp.weixin.qq.com/s/L4A6N26tXnN05iSxqMNe3w - Original author: 唐林垚 (Tang Linyao), Chinese Academy of Social Sciences Law Institute - Original publication: 《法学家》(The Jurist), Issue 2, 2026; reposted via 数字经济与法治 WeChat Official Account ### Description Tang Linyao (Chinese Academy of Social Sciences) maps the regulatory gap for data-broker derivative harms — the harms that arise not from direct PI leakage but from the integration and aggregation activity that data brokers themselves perform. The analytical core: a vertical / horizontal data-relations framework that explains why existing PIPL-style protection (vertical-relationship-focused) systematically fails to address horizontal-relationship harms; and the 'abstract risk substantialization' doctrine borrowed from US precedent and EU GDPR to bring data-broker risk into ex-ante regulatory scope. Operationally, Tang proposes a 'Data Integration Analysis Framework' with concrete tiering (三高 / 双高 / 单高 / 三低) that translates academic doctrine into compliance-program-grade controls. Applied to a real Shenzhen Data Exchange listing as worked example. ### Body > *Editor's Note — DCC.* > > Tang Linyao's piece in 《法学家》(*The Jurist*, the flagship Chinese > law journal of Renmin University) takes on a structural problem > Chinese — and global — data-broker regulation has not yet solved: > the harms that arise from the *integration activity itself*, not > from the integrated data being misused. The analytical move — a > vertical-vs-horizontal data-relations framework that explains why > PI-protection rules systematically miss this — is theoretically > ambitious. But the operational payoff is what makes the piece useful > for compliance teams: a four-tier "Data Integration Analysis > Framework" (三高 / 双高 / 单高 / 三低) that translates the doctrine > into concrete compliance gating, applied as a worked example to a > real Shenzhen Data Exchange listing. DCC's brief focuses on the > framework and its operational implications for overseas counsel > working with Chinese data exchanges, data brokers, and data-broker- > -intermediated supply chains. ## What "data broker" means here Tang uses "data brokery" (数据经纪) in a deliberately broad sense — referencing the FTC definition (collecting from multiple sources, aggregating, analyzing, on-selling), the California CCPA definition (no direct business relationship with the individual, sells to third parties), and the EU Data Governance Act's "data intermediation services" concept. Mapped to Chinese practice: includes Shanghai Data Exchange's "data service providers" and the broader category of intermediaries facilitating data collection, aggregation, and trading. Why this matters: the *Data 20 Articles* explicitly call for cultivating data brokery as a class of third-party professional service. As of 2025, the major Chinese data exchanges added more than 2,600 new supply / demand participants. Data brokery is now structural infrastructure for the Chinese data-element market — not a marginal activity. ## The structural problem — vertical and horizontal data relations Tang's analytical pivot: data relations come in two distinct types. **Vertical relations (垂直数据关系)** — the direct interaction between the *data subject* and the *data processor*. Classic example: a depositor authorizes a bank to access spending data in exchange for instant credit scoring. PIPL is built around vertical relations: the data subject controls (via consent, access right, deletion right) what the processor does with the subject's data. **Horizontal relations (水平数据关系)** — the *indirect* relationship among data subjects formed when shared group features become the basis for processor decisions. Classic example: a depositor is labeled "low-income" by the bank's loan-pricing algorithm because the depositor shares the "browse-by-price-low-to-high" feature with other depositors classified as low-income. The depositor never interacted with the people who created that group classification — but is now subject to its consequences. Traditional data-processing activity maintained a tight coupling between vertical and horizontal relations: the processor's services in the vertical relationship were strictly limited by what its horizontal-relationship insights could justify. The depositor agreed to the bank seeing transaction data *for credit scoring*; the bank's horizontal grouping was constrained by that purpose. **Data brokery decouples vertical and horizontal relations.** Once a processor can buy data from a broker, it no longer has to maintain a vertical relationship with the source — and thus is no longer constrained by the "minimum necessity" principle that vertical relationships impose. The processor can construct *entirely new* horizontal relationships using purchased data, with no vertical-relationship subject ever having consented to the resulting categorization. This is the structural break PIPL doesn't address. PIPL is a vertical-relationship instrument; it cannot regulate horizontal-relationship construction that bypasses the vertical channel. ## Derivative harms — what gets missed Tang identifies two types of harm the existing regulatory framework fails to address. ### 1. Privacy erosion (隐私侵蚀) The construction of horizontal relationships using broker-acquired data exposes individuals to inferences about themselves they never authorized. Tang's example: data aggregated through normal market trading and re-processed reveals individual-level behavioral insights that the original disclosure context did not anticipate. The individual loses control over their *external social construction* — without any specific PIPL provision being violated. Importantly, Tang frames this as a *group privacy* (群体隐私) harm. The damage is collective: the categorization affects every individual in the group, but no single individual can bring a successful PIPL claim because no specific direct harm to them is provable. ### 2. Downstream harm (下游损害) Tang draws on US scholarship (the "downstream harm" and "data information harm" concepts) to describe individual injuries — privacy, dignity, social discrimination, lost opportunities, manipulation — that occur *because of* third-party action enabled by broker-supplied data. Tang's flagged case: Remsburg v. Docusearch, where a perpetrator purchased data from a broker, used it to track a victim, and killed her. The US court imposed negligence liability on the broker. The structural problem: in Chinese tort doctrine, the broker's contribution to downstream harm is usually absorbed by the principal tortfeasor's act and not separately evaluated. The 酷车易美 case (a Chinese precedent on automotive-data integration risk) illustrates the resulting under-protection: the court rejected the plaintiff's claim on grounds that the harm was prospective rather than realized. ## The "abstract risk substantialization" doctrine Tang's regulatory move is to import a concept already developing in EU and US doctrine: **abstract risk substantialization** (抽象风险损害化). The claim: where data-broker activity creates a *substantial* probability of derivative harm, the risk itself should be treated as cognizable harm for ex-ante regulatory purposes — even before any concrete injury materializes. Two judicial standards Tang draws on: - **"Certainly impending"** — risk must be imminent and real, not speculative. - **"Particularly targeting"** — risk must single out the specific plaintiff, not vaguely affect everyone. Combined: a data-broker risk is regulable when (a) it's actually likely to materialize and (b) it specifically threatens identifiable parties or groups. The framework lets regulators move from "wait until someone gets hurt" to "prevent the risk from materializing in the first place" — but only when the risk meets the substantiality threshold. ## The Data Integration Analysis Framework This is where Tang's piece becomes operationally useful for compliance teams. The framework provides two parallel analytical structures — one for the data broker itself (used in **Data Protection Impact Assessment**, DPIA) and one for the regulator (used in **Fair Data Brokery Practice**, FDBP). ### Framework A — For the data broker (DPIA) Four factors per dataset: **(1) Anonymization level.** Apply UK ICO's "motivated intruder test" — assume all reasonable adversary techniques and check whether the data, combined with other data, becomes re-identifiable. Use generalization (e.g., age 45 → 40-50 bucket) and randomization (noise injection, differential privacy) techniques in combination. **(2) Sensitivity.** What harm could result if the data is integrated with which other data? Particular attention to data that, when combined with PI subjects' personal attributes, would cause unfair algorithmic outcomes. **(3) Dataset volume — four sub-factors:** - Number of data subjects (larger → broader potential harm footprint) - Number of attribute categories (more → more identifiers for de-anonymization, more nodes for harmful relation construction) - Time span (longer → more precise insights, stronger surveillance/influence potential) - Cross-group migration potential (datasets that reveal common features of large external groups, even with limited direct-subject scope) **(4) Inferential data ratio.** Inferential data (probability-derived inferences vs. raw original data) is more likely to encode subjective bias and to produce "certainly impending" harm. ### Framework B — For the regulator (FDBP) Focused on combinations of dataset-with-other-datasets rather than dataset-in-itself. Four factors: **(1) Subject overlap (主体重合度).** When the same data subjects appear in multiple datasets, integration risk for re-identification and harmful targeting rises sharply. **(2) Attribute overlap (属性重合度).** When datasets cover the same attribute categories, cross-comparison identifiers multiply. **(3) Original-processing-purpose overlap (原初处理目的重合度).** Both high overlap (concentration of purpose-trauma) and low overlap (broadening of effective collection scope) increase risk; the regulator should examine both directions. **(4) Time overlap (时间重合度).** Similar dual analysis — high time-overlap heightens re-identification risk; low time-overlap may produce inaccurate but consequential horizontal-relationship inferences. ### Risk tiering (三高 / 双高 / 单高 / 三低) The framework's output is a per-dataset risk classification using the "potential victim count × harm probability × harm degree" formula. The four tiers: - **三高 (triple-high)** — high on all three. Data should not be brokered. Regulator should suspend the transaction. - **双高 (double-high)** — high on two. Data should be remediated to comply, conducted only in a privacy-computing framework, or require regulator pre-approval. - **单高 (single-high)** — high on one. Stricter purpose limitation + enhanced risk disclosure; ongoing regulator attention. - **三低 (triple-low)** — no special action needed beyond baseline. ## The worked example: Shenzhen Data Exchange listing Tang applies the framework to a real listing: Shenzhen Maternal & Child Health Hospital's anonymized 2018-2023 dataset of confirmed pregnancy-induced hypertension patients, listed on Shenzhen Data Exchange on May 19, 2025. **Framework A (DPIA) analysis:** - *Anonymization* — high (generalization + perturbation applied) - *Sensitivity* — *originally* sensitive (medical data), but de-sensitized by time gap (subjects no longer pregnant; condition typically resolves post-partum) — *unless* used in insurance underwriting context, where group-feature inference could lead to discriminatory pricing. The hospital's restriction prohibiting use for AI algorithm development on pregnancy-hypertension addresses the high-sensitivity vector. - *Volume* — large (5-year span, major tertiary hospital, large potential cross-group inference base). - *Inferential data ratio* — zero. Verdict: many potential subjects, but low harm probability and low harm degree → "二低一高" (two-low-one-high) low-risk profile. Hospital's use restriction is sufficient; no additional gating needed. **Framework B (FDBP) analysis at the exchange:** - *Subject overlap* — geographic concentration (Shenzhen-area); exchange should scrutinize same-geography dataset merging. - *Attribute overlap* — moderate; flag if buyer has already acquired commercial-insurance datasets that could trigger inference. - *Processing-purpose overlap* — purpose limited to research / teaching; flag commercial-use attempts. - *Time overlap* — flag both same-period merging risk and non-period inherent-attribute merging risk. This level of operational granularity is what makes the piece useful for compliance program build-out. ## Liability allocation: applying Civil Code Article 1170 Where derivative harm actually materializes, Tang argues for applying **Civil Code Article 1170** (共同危险行为, joint dangerous conduct) to data-brokery cases. Under Tang's framework: - **For 三高 brokery action** — broker bears primary liability regardless of downstream actor's posture; downstream actor's joint liability depends on subjective intent. - **For 双高 or 单高 brokery** — broker bears joint and several liability with downstream actor. - **For 三低 brokery** — broker does not bear downstream-harm liability. This is doctrinally significant: it pulls data-brokery into the multi-actor joint-liability framework rather than treating it as a separate single-tort question. Chinese courts are likely to find the framing useful as a structural anchor. ## What this tells overseas compliance teams - **The vertical / horizontal distinction is the analytical key.** Multinationals using or supplying data through Chinese data brokers should map their data flows in terms of which horizontal relationships their broker activity is constructing, not just which vertical relationships their PI processing creates. The vertical-only analytical posture is now structurally inadequate. - **The 三高 / 双高 / 单高 / 三低 tiering is portable as a compliance-program control.** Adapt it as the data-broker-input and data-broker-output screening framework in your Chinese operations. Build the four-factor analysis (Framework A) into your DPIA template; build the four-factor analysis (Framework B) into your vendor-acquisition and customer-disclosure-control templates. - **The Shenzhen Data Exchange example is the operating template.** Where a Chinese counterparty (especially a state or quasi-state institution) lists data through an exchange, expect the kind of multi-factor pre-listing screening Tang describes. Provide the source-data documentation that supports the analysis — particularly anonymization technique documentation and use-restriction language. - **The Civil Code Article 1170 framing is a forward signal on liability allocation.** The Chinese tort doctrine on data-brokery liability is being articulated *now* in the law-journal layer; expect courts to begin adopting the framework over the next 12-24 months. Multinationals should pre-position vendor agreements and indemnity allocations against the contemplated joint-liability framework. - **Data brokery is structural; the regulation is catching up.** Treat the regulatory gap Tang identifies as a forward indicator: the gap will close, probably through some combination of (a) sectoral rulemaking applying Tang-style frameworks (b) data-exchange self-regulatory rule articulation, (c) judicial precedent applying joint-dangerous-conduct doctrine. Compliance programs designed against the *prior* (PIPL-only) framing will be inadequate when the new framing crystallizes. The deeper structural point: data brokery is the *infrastructure layer* of the Chinese data-element market, and the law has not yet caught up to its risk profile. Tang's piece is the doctrinal preparation for the next round of regulation. Overseas counsel watching this space should treat the 法学家 publication as the *upstream* of rulemaking, not a reaction to it. --- — *唐林垚, 数据经纪的衍生风险与法律应对 (Data Brokery's Derivative Risks and Legal Response), 《法学家》(*The Jurist*), Issue 2, 2026; reposted via 数字经济与法治 WeChat Official Account, May 27, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/L4A6N26tXnN05iSxqMNe3w)* *Not legal advice. The above is DCC's structured summary of Tang's analysis, with framing for overseas counsel; the vertical / horizontal data-relations framework, the Data Integration Analysis Framework, and the Shenzhen Data Exchange worked example are Tang's.* --- ## Wang Nian — Data Source's Rights as a 'Fair Use' Right Alongside the Three Rights - Published: 2026-05-28 - Author: DCC Editorial - Tags: data-property-rights, data-twenty, data-source-rights, data-economy, commentary - Laws cited: data-foundation-system-opinions, data-property-rights-registration-guide-draft, pipl, civil-code-personal-info - Domains: data-economy, personal-information - URL: https://datacompliancechina.com/posts/wang-nian-data-source-rights-as-fair-use/ - Markdown: https://datacompliancechina.com/posts/wang-nian-data-source-rights-as-fair-use.md - Original source: https://mp.weixin.qq.com/s/DeoiXUp2emdS-yjzWl8o7g - Original author: 王年 (Wang Nian), Tsinghua University Law School - Original publication: 《财经法学》(Finance and Economics Law Journal), Issue 5, 2025; reposted via 数字经济与法治 WeChat Official Account ### Description Wang Nian (Tsinghua Law) takes on the unresolved fourth-right question in the Data 20 Articles framework: what is the data source's right (数据来源者权), and how does it relate to the three rights (hold/use/operate)? Drawing on the 'data symbiosis' (数据共生) framework from the ALI-ELI Data Economy Principles and the EU Data Act, Wang argues that pre-existing legal entitlements — privacy, PI rights, IP, trade secrets — cover only part of the source's interest, leaving a residual that needs an independent legal protection. He frames the data-source right as a 'fair use right' (公平使用权): a contractual-relationship right against the specific data processor, distinct from the property-style three rights, that captures the value contribution of the source's participation in data co-creation. The corporate-data-portability analog DCC flagged in our NDA brief gets its doctrinal foundation here. ### Body > *Editor's Note — DCC.* > > The Data 20 Articles created four data-property concepts: the three > rights of the processor (hold / use / operate) and — almost as an > afterthought in the policy text — the *data source's right* > (数据来源者权), the entitlement of the party whose information was > collected to obtain or copy and transfer the relevant data. The > [NDA's policy interpretation](/posts/nda-data-processor-property-rights-allocation/) > introduced the right in operational vocabulary; this academic piece > by Wang Nian provides its doctrinal scaffolding. The piece is also, > in DCC's reading, the most useful single resource for overseas > counsel structuring B2B data arrangements with Chinese counterparties: > it frames the *corporate data portability* lever that has no clean > Western analog. ## The unresolved question The Data 20 Articles framework allocates three rights — hold, use, operate — to the data processor (the party that collects, processes, and decides means and purposes of data handling). It also says the *data source* (数据来源者) — the party whose information was collected — has the right to "obtain or copy and transfer" data its participation gave rise to. But the policy text doesn't say: - What *kind* of right this is — property, contract, statutory, sui generis? - How it relates to existing rights — privacy, PI, trade-secret, IP? - Who can invoke it — only natural persons (already covered by PIPL)? Or corporate "information subjects" too? - What is its scope — only data that *identifies* the source? Or any data the source's activity helped generate? These questions matter because the answer determines whether overseas counsel structuring a B2B data arrangement with a Chinese counterparty can rely on the data-source's right as a contractual baseline. Wang's piece reconstructs the doctrinal foundation that the operational rights need. ## The "data symbiosis" foundation Wang's starting move is to import the concept of **co-generated data** (共生数据) from the ALI-ELI *Data Economy Principles* (a joint product of the American Law Institute and the European Law Institute, 2024) and the EU Data Act framework. The concept's claim: most operationally significant data is *not* the product of the processor's investment alone, nor is it the property of the source alone. It's the product of joint activity — the processor's technology + the source's contribution. Examples: - **Social platform data** — generated by user activity + platform infrastructure. - **Connected-vehicle data** — generated by driver behavior + vehicle sensors. - **Platform-merchant operational data** — generated by merchant transactions + platform observation. - **Travel data** — generated by passenger movement + carrier systems. - **Industrial robot production data** — generated by industrial-process activity + manufacturer telemetry. In all five examples, neither party can claim sole authorship of the data. The processor's investment in collection technology is necessary but not sufficient; the source's participation is the other necessary input. Wang frames this as **data symbiosis** (数据共生): a joint-creation relationship that produces an interest split *both parties hold simultaneously over the same data*, with the processor's interest being primarily proprietary and the source's interest being primarily relational. This is the foundation that the Data 20 Articles framework, in Wang's reading, needs to articulate. ## What "source" means — and what it excludes Wang's definition: a data source is a subject (natural or legal person) that **(a) makes a substantial contribution to data generation** and **(b) does not in fact hold or control the resulting data**. The two-part test: **Test 1 — Substantial contribution.** Three factors: - *Type of contribution.* Wang distinguishes three contribution modes: (i) the source is *the subject described or recorded* by the data; (ii) the source is *the owner / operator / user of an object* whose activity is recorded; (iii) the source *uses a connected device* to collect or provide data. - *Directness.* Where contribution is too indirect (e.g., the source's data has been so heavily processed that the original contribution is "remote or attenuated"), the source-right does not attach. Wang's example: a person's PI becomes anonymized; the original PI subject's contribution to the anonymized dataset is too attenuated to support a source-right claim. - *Substitutability.* If the same data could be obtained by any other route, the source's contribution is fungible and the source-right does not attach. The right reflects the source's *non-substitutable* role. **Test 2 — Non-control over the data.** Even where contribution is substantial, the source-right requires that the source does *not* actually hold or control the data. Wang's example: a large flagship e-commerce store has both the technology and the resources to process the data its merchants generate; it is not a "source" under the framework — it is a co-processor. A small or individual-merchant store, by contrast, is a source — it contributes to the data but lacks the technical capacity to control it. This second test is the structural answer to a question overseas counsel often raise: *can a corporate entity be a data source?* Wang's answer: yes, if it lacks practical data control. The framework is not nat-person-restricted in the way PIPL is. ## Why pre-existing legal entitlements don't cover the source-right interest A central counter-argument to creating a separate "data source's right" is that the source's interests are already protected by existing rights: privacy, PI, IP, trade secrets. Wang takes this on directly and rejects it on four grounds. ### 1. The "existing rights" framework misclassifies the source as a passive recorded subject The "existing rights" view treats the source as the *subject of recording* — the party whose information is captured. But Wang's data-symbiosis framework treats the source as a *co-creator* — an active participant whose contribution co-produces the data. Existing rights protect what the source *has* (privacy, PI); they don't recognize what the source *did* (participate in generation). ### 2. Existing rights are defensive; the source-right interest is participative Privacy, trade-secret, and IP rights are primarily *negative defensive rights* — the right to exclude or prevent improper use. The source's interest in co-generated data is *positive participative* — the interest in *accessing and using* the data the source helped create. The existing-rights framework has no analog to this. ### 3. Knowledge IP rights protect single-author creation; data-source rights protect co-creation Copyright and patent rights protect the *single-party* originator of creative or inventive work. Co-generated data is, by definition, multi-party. The IP model can't be transposed. ### 4. The PIPL right of copy and transfer (Article 45) is the *closest* analog — but limited PIPL Article 45 establishes the natural-person's right to copy and transfer their personal information. This is conceptually the closest to the Data 20 Articles' source-right. But three structural gaps: - PIPL Article 45 applies only to PI; the source-right is broader (any co-generated data). - PIPL Article 45 applies only to natural persons; the source-right extends to legal-person sources. - PIPL Article 45's scope is the *data identifying or relating to* the subject; the source-right's scope is data the source's *participation contributed to*, which is broader. PIPL is the floor; the source-right is what extends the entitlement past PIPL's boundaries. ## The source-right as a "fair use right" Having shown that the source-right is not reducible to existing entitlements, Wang articulates its positive content: a **fair use right** (公平使用权). Three properties define it: **(a) Contractual, not property.** The source-right is not a property right in the data — it is a contractual-relationship right against the *specific processor* who is symbiotically linked to the source. The source cannot enforce the right against third parties; it can only enforce against the processor it co-created with. **(b) Bundled with content.** The right contains a bundle of operational entitlements: - *Right to be informed* (知情权) of how the data is used - *Right to access* (访问权) the data - *Right to transfer / port* (转移权) the data to another processor - *Right to correct* (更正权) inaccuracies - *Right to delete* (删除权) under specified conditions These mirror PIPL's individual rights for personal information, generalized to any co-generated data. **(c) Scoped by the "relevance interest" standard.** What data does the right cover? Wang proposes the **"related interest" (相关利益) standard**: the source's right extends to data that meaningfully reflects the source's contribution — even if the data does not directly identify the source. This is the doctrinal answer to the corporate-data-portability question: a merchant operating across e-commerce platforms can invoke the source-right against each platform for the merchant's operational data — even though the data may not "identify" the merchant in PIPL's strict sense. ## What this tells overseas compliance teams - **The corporate-data-portability lever is now doctrinally founded.** Wang's framework provides the academic foundation for treating the data-source's right as a meaningful B2B contracting baseline. Multinationals contracting with Chinese counterparties as either the data source or the data processor should pay attention to how the right is being articulated — it is reshaping the operational defaults for data exchanges, platform partnerships, IoT vendor contracts, and joint-venture data arrangements. - **Treat the "data source's right" as PIPL Article 45 generalized.** When designing Chinese counterparty contracts, use Article 45's operational structure (knowledge / access / transfer / correction / deletion) as the template for source-right clauses for non-PI data. The PIPL precedent + Wang's doctrinal framework + the NDA's policy interpretation now jointly support that posture. - **The "related interest" scope is broader than PI scope.** Where a multinational's Chinese affiliate generates operational data on a third-party platform, that data may not be PI under PIPL — but it may still be within the source-right scope as data the affiliate's contribution generated. Don't infer no entitlement from "no PI." - **The non-control test (Test 2) is the structural threshold for who has the source-right.** If your Chinese affiliate has both substantial contribution *and* substantial data-control capability, it is a co-processor, not a source. The source-right is the right of the *less powerful party* in the data-symbiosis pair. Map this carefully in joint-venture and SLA contexts where the contribution / control allocation may not align with formal ownership. - **The "substantiality + non-substitutability" filter rules out fungible inputs.** Multinationals worried about source-right claims from every party whose data ever touched a system should note that the doctrinal framework filters out attenuated, fungible, indirect contributions. The right is reserved for parties whose contribution is *non-substitutable* — the source whose unique participation made the data possible. The deeper architectural shift Wang's piece signals: Chinese data law is moving toward a *participative* (not just *consent-based*) framework for individual and corporate interests in data. The PI subject's consent matters; so does the data source's *participation*. Where the two coexist (a natural person who both consented to PI processing and contributed to data co-generation), the two rights operate in parallel, with the source-right adding the participative-protection layer PIPL alone doesn't provide. This is the direction in which downstream rulemaking — including the [Data Property Rights Registration Guide draft](/laws/data-property-rights-registration-guide-draft/) — is moving. --- — *王年, 数据来源者权利及其实现——基于数据共生的视角 (The Data Source's Rights and Their Realization — From the Perspective of Data Symbiosis), 《财经法学》Issue 5, 2025; reposted via 数字经济与法治 WeChat Official Account, October 28, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/DeoiXUp2emdS-yjzWl8o7g)* *Not legal advice. The above is DCC's structured summary of Wang's analysis, with framing for overseas counsel; the data-symbiosis framework, the two-part test for data-source status, and the "fair use right" articulation are Wang's.* --- ## Seven Lessons for Data Compliance Teams from the SAMR 'Ghost Takeout' Series — 3.5 Billion Yuan, 9-Month Suspensions, and the Per-Merchant Aggregation Doctrine - Published: 2026-05-28 - Author: DCC Editorial - Tags: enforcement, samr, platform-liability, personal-information, commentary - Laws cited: pipl, network-data-security-regulations, personal-info-audit-measures, dsl - Domains: enforcement, personal-information, data-security, app-compliance - URL: https://datacompliancechina.com/posts/samr-ghost-takeout-data-compliance-lessons/ - Markdown: https://datacompliancechina.com/posts/samr-ghost-takeout-data-compliance-lessons.md - Original source: https://mp.weixin.qq.com/s/9w4AQMPmH9roj2qiILuHTw - Original author: 黄春林、柴明银 (Huang Chunlin, Chai Mingyin) - Original publication: 数据何规 WeChat Official Account ### Description In April 2026, the State Administration for Market Regulation (SAMR) imposed administrative penalties on seven major e-commerce platforms in the 'ghost takeout' series — 3.5 billion yuan in aggregate corporate fines, nearly 20 million yuan in individual fines on legal representatives and food-safety officers, and 3-to-9-month business suspensions. While the cases were ostensibly food-safety enforcement, their analytical structure — pierce-the-paper-compliance, per-merchant aggregation of penalties, identification of licensed-entity liability holders, dual penalties on individual compliance officers — translates directly to data-compliance enforcement. Adapted from a substantive practitioner analysis by 黄春林 (Huang Chunlin), this DCC brief works through seven operational lessons that DSO / PIPO / DPO and compliance counsel should apply *before* the analogous enforcement wave reaches data compliance. ### Body > *Editor's Note — DCC.* > > The SAMR enforcement against seven major e-commerce platforms in the > "ghost takeout" (幽灵外卖) series was the largest platform-economy > enforcement action of 2026 — 3.5 billion yuan in corporate fines, the > highest single-platform fine at 1.5 billion yuan, individual fines on > compliance officers reaching nearly 7 million yuan, business > suspensions of 3 to 9 months. The cases were food-safety enforcement, > but their *analytical posture* — particularly the per-merchant > aggregation doctrine ("一店一罚累加") — is highly transferable to > data-compliance enforcement. Where a violation can be characterized > as occurring independently against each user, each app, or each > dataset, the aggregation produces fine math that quickly becomes > existential. DCC adapts a practitioner analysis by 黄春林 (Huang > Chunlin) to lay out the seven operational lessons compliance teams > should apply *now*, before the analogous enforcement wave reaches > data compliance. ## What happened In April 2026, SAMR (State Administration for Market Regulation) issued administrative penalties against seven major e-commerce platforms in the "ghost takeout" (幽灵外卖) series of cases — a multi-year investigation into platforms that, through inadequate vendor-onboarding and ongoing-supervision controls, had allowed unlicensed restaurants and food vendors to operate on their platforms under shell merchant profiles. The headline numbers: - **Aggregate corporate fines: 3.5 billion yuan** (≈ USD 480 million) - **Highest single-platform fine: 1.5 billion yuan** - **Individual fines on legal representatives and food-safety officers: nearly 20 million yuan**, with the highest individual penalty approximately 7 million yuan - **Business suspensions: 3 to 9 months** The analytical structure was distinctive. SAMR did not treat the platforms' aggregate inadequate-vendor-onboarding as a single violation; it treated the inadequate review of *each individual non-compliant merchant* as an independent statutory violation and aggregated the penalties — the "per-merchant, per-violation, cumulative-fine" (一店一罚累加) doctrine. ## Why this matters for data compliance — even though the case was food safety The cases sit in the food-safety enforcement vertical, not data compliance. Why does the analysis matter for data compliance? Because the *analytical posture* is portable. Per Huang's reading, the SAMR cases articulate seven enforcement principles that translate cleanly from food safety to data compliance — and the comparable enforcement architecture already exists in the data regime under PIPL, the *Network Data Security Management Regulations*, the *Personal Information Protection Compliance Audit Management Measures*, and the broader Cyberspace Administration / MPS enforcement framework. The structural prediction: **the next 12–24 months will see comparable enforcement against data-handling platforms using the same analytical doctrines**. ## Seven operational lessons ### Lesson 1 — Pierce paper compliance: formal review is no longer a safe harbor **The food-safety facts.** The platforms had merchant agreements and platform rules formally requiring merchants to attest to qualification legitimacy. But their actual business operations did not implement substantive review — and in some cases, certified ISVs (independent software vendors) provided "order-transfer" functions to non-compliant merchants for a fee. **The regulator's analysis.** Civil-law safe-harbor principles (notice-and-takedown style protections) do not apply to administrative regulation, let alone criminal liability. Because the platforms held the most fundamental operational data (order flows, logistics tracks, payment information), the regulator concluded that platforms that performed only paper review at onboarding while ignoring downstream operational data showing clear anomalies — e.g., delivery start point grossly inconsistent with registered address — had "known or should have known" of the violations and failed to act. **Data-compliance translation.** Where platforms perform paper-only data-compliance review of merchants, mini-programs, or vendors — without implementing technical measures that detect and respond to anomalous data behavior — the equivalent finding will be available against them. The *Network Data Security Management Regulations* and the *Internet Application Program Personal Information Collection and Use Provisions (Draft for Comment)* establish substantive review obligations; reliance on attestation alone is structurally insufficient. **Operational implication.** Build a "management mechanism + technical measures" dual posture. Qualification verification, permission control, flow auditing, anomaly monitoring — all must be traceable end-to-end with logs. Once "knew or should have known" of unlawful data processing (failure to verify data source, tolerating over-scope collection, permitting non-compliant cross-border export) is established, paper compliance does not merely fail to exonerate — it can be characterized as bad-faith evasion and aggravate the penalty. ### Lesson 2 — Reject the "industry custom" defense: widespread violation is not legal violation **The food-safety facts.** During the investigation, some platforms invoked "industry-wide review is lax," "order-transfer has long existed," "multiple platforms work with the same ISVs," and "no prior enforcement" as mitigation. None were accepted. **The regulator's analysis.** "Why he can" and "everyone violates" have never been legal defenses. The duration and breadth of the violation, in fact, *aggravate* the assessment — not mitigate it. **Data-compliance translation.** A common posture in data-compliance practice is the wait-and-see ("等别人先申报数据出境" / "等别家先做算法备案") — let competitors go first; if they're not penalized, the practice is safe. The SAMR cases signal that this is the *opposite* of the regulator's posture. Industry-wide non-compliance is read as an enforcement priority, not as evidence of acceptance. **Operational implication.** Enterprises should fully discharge statutory data-compliance obligations (cross-border data export, PI audit, PIIA, algorithm filing) *on the statutory timeline*, not on the industry-cadence. Establish a dynamic industry-compliance-baseline assessment mechanism, but anchor compliance to the *mandatory statutory floor*, not the industry floor. ### Lesson 3 — Licensed entity bears the responsibility — corporate-structure isolation does not exonerate **The food-safety facts.** Unlike past cases that imposed liability on parent companies in a generic way, SAMR precisely targeted each platform's *licensed entity* — the entity holding the value-added telecom services permit, ICP filing, and internet-food-transaction third-party-platform-provider filing. "Holder of the license, holder of the responsibility." **Data-compliance translation.** In data scenarios, the first entity to face penalty is the *domestic legal entity that actually conducts business and holds the regulatory filings* — the value-added telecom services permit, ICP filing, algorithm filing, cybersecurity grade-protection filing, data-export assessment/filing entity (collectively "licensed entity"). **Operational implication.** Compliance responsibility is *not outsourceable*. Group structures, business segregation, equity arrangements cannot interrupt the statutory liability of the license/filing/registration holder. Cross-entity business cooperation, subcontracting, or sub-entrustment does not exonerate the licensed entity from the duty to review and control data-processing activities. The licensed entity must establish independent compliance management organization and personnel with data-compliance capability commensurate with the scale of its business. ### Lesson 4 — Dual-penalty regime: line-of-business compliance officers face personal liability **The food-safety facts.** Beyond penalties on legal representatives, the SAMR cases were the first large-scale imposition of annual-salary-multiple fines on line-of-business compliance officers — food-safety directors, food-safety committee chairs — reaching nearly 7 million yuan in individual penalties. **Data-compliance translation.** Under the *Cyberspace Administration Administrative Penalty Discretion Standards Application Provisions* and analogous frameworks, responsible-individual penalties consider job responsibilities, term of service, and execution-link. The structural implication for data compliance: **Data Security Officers (DSO) and Personal Information Protection Officers (PIPO) are no longer institutional figureheads** — they face personal liability for failures in their domain of responsibility. In practice: - **Data-security incidents** (security vulnerabilities, leaks, permission failures, lack of encryption / de-identification) → the DSO is typically the directly responsible person. - **PI obligation failures** (failure to file cross-border export, failure to conduct PIIA, failure to perform compliance audit) → the PIPO is typically the directly responsible person. **Operational implication.** Enterprises should clarify by formal policy, operating procedure, and job-description the rank, responsibilities, and liability scope of each DSO / PIPO / DPO role — and provide the necessary resources and conditions for execution. The responsible officers should actively perform, document risk flagging, and escalate compliance issues to the enterprise leadership. **Critically — the SAMR cases established that resignation or job rotation does not exonerate liability for violations during the officer's tenure.** Successor DSO / PIPO inherits the framework; predecessor DSO / PIPO retains liability for the tenure period. ### Lesson 5 — The full risk picture: massive fines + business suspension + reputational damage **The food-safety facts.** Single-platform maximum fine of 1.5 billion yuan; individual maximum of nearly 7 million yuan; business suspension up to 9 months; and intense public-opinion impact. **The most analytically important point — per-merchant aggregation.** SAMR found that the platform's inadequate review of *each individual merchant* constituted an *independent violation*, and aggregated the penalties — the "per-store-per-fine cumulative" (一店一罚累加) doctrine. **Data-compliance translation.** This aggregation logic in data-compliance enforcement is **devastatingly powerful**. If a violation can be characterized as occurring independently against each app, each user, each system, or each dataset, the aggregation produces fine math that scales linearly with the operational footprint. Huang's example: an enterprise that illegally collects information from 1 million users could in principle be treated as 1 million independent violations. The aggregation doctrine has already shown up in the data-enforcement vertical. The Cyberspace Administration's penalty of Kuaishou for live-streaming-pornography violations applied per-livestream calculation — producing the 119.1 million yuan fine figure. The per-app / per-user / per-system calculation logic is the operational analog. **Operational implication.** Compliance risk is *not* just a P&L line item. Business suspension is, for most enterprises, an existential market-share threat; the public-opinion impact compounds the regulator's penalty. Huang's phrasing: *"pay the 10-yuan parking fee in advance, don't gamble on the 200-yuan no-parking fine."* ### Lesson 6 — Multi-dimensional enforcement: ecosystem, technology, and personnel forensics **The food-safety facts.** Facing large data volumes, complex technology, and adversarial postures, enforcement combined electronic forensics, physical evidence seizure, on-site inspection, interviews, document review, and data cross-verification — investigating ecosystem, algorithm, and process from every angle. **Data-compliance translation.** Cyberspace Administration and public-security agencies have built specialized enforcement teams and may engage external technical support. Under PIPL Article 63 and the *Cyberspace Administration Administrative Enforcement Procedural Provisions*, they comprehensively examine network architecture, data flows, protocol flows, fund flows, permission systems, and log records. Modern enforcement has graduated from "checking the books" to "running scripts." **Operational implication.** Enterprises must abandon any expectation that concealment of violations or rigid denial in interviews will succeed. Build an active compliance-response capability. Once enforcement-investigation is triggered, immediately convene a joint legal-and-technical team to lawfully provide relevant evidence and compliance records — aiming to secure compliance-recognition in the early investigation phase, in exchange for mitigated penalties. The SAMR cases also reaffirmed that *the first thing regulators check is the policy documents, operating procedures, and compliance records*; absence of these materials is, in effect, submitting a blank investigation file — even regulators willing to mitigate cannot work with that. ### Lesson 7 — Embrace compliance dividends: cooperation reduces penalty, obstruction aggravates **The food-safety facts.** Some platforms exhibited "refusing to provide materials," "providing false information," "delay and evasion," and "obstruction of enforcement" — all explicitly cited as *aggravating factors*. **Data-compliance translation.** Cooperation with enforcement is not weakness — it is statutorily mandated, and is the optimal incident-handling strategy. Under PIPL and the *Cyberspace Administration Administrative Penalty Discretion Standards Application Provisions*: - "Cooperation with the cyberspace administration in investigating violations" → mitigation - "Refusal to cooperate, obstruction, or violent threat of enforcement personnel" → aggravation - "Concealment, destruction, forgery, or tampering of evidence" → aggravation In published cyberspace-administration enforcement matters, regulators have repeatedly emphasized that *embracing supervision* (timely self-reporting, voluntary disclosure, cooperation with investigation) can produce mitigation, exoneration, or even *compliance dividends*. **Operational implication.** Build a "risk early-warning → internal investigation → active compliance" closed loop. In response to current high-frequency regulatory notices, inspections, and rectification orders, enterprises must respond immediately, rectify fully, close the loop, and establish a long-term defense mechanism to avoid repeat violations. Particularly for areas with prior administrative penalty, conduct "look-back" special inspections. In the current multi-agency joint-inspection environment, repeat violation faces both aggravated penalty *and* potential triggering of Criminal Law Article 286-1 (failure to perform information-network security management duty). ## What this tells overseas compliance teams - **Treat the SAMR food-safety cases as a forward indicator for data-compliance enforcement.** The analytical doctrines (paper-compliance penetration, per-violation aggregation, licensed-entity liability, dual penalties on individual officers, cooperation-or-aggravation framework) are not food-safety-specific; they are *Chinese regulatory practice*. The data-compliance application is the question of when, not whether. - **The per-merchant aggregation doctrine changes the fine-math fundamentally.** Where your operational footprint involves millions of users or counterparties, "per-violation" characterization yields fine math that quickly exceeds prior-year revenue. The PIPL 5%-of-prior-year-turnover cap under Article 66 ¶ 2 is the *outer ceiling* — but where multiple statutes apply concurrently, aggregation across statutes can push effective exposure higher. - **DSO / PIPO / DPO personnel are no longer institutional figureheads.** Individual liability is now a real, sized, year-on-year-quantified exposure. Multinationals appointing Chinese DSO / PIPO / DPO roles should: - Ensure the role has actual decision-making authority and budget - Document the role's compliance scope and authorities formally - Provide adequate D&O-style coverage where available - Build defensible succession and tenure-transition records - **Cooperation with enforcement is statutorily-incentivized and operationally optimal.** Build the response capability now: joint legal-technical incident team, pre-positioned evidence and documentation, escalation pathway to leadership, communication protocol with enforcement counsel. The compliance program that produces full, prompt, accurate response to enforcement inquiry will achieve mitigation that an unresponsive program cannot. - **The licensed-entity liability rule has implications for Chinese subsidiary structuring.** Multinationals operating in China through a licensed entity (VATB permit, ICP filing, etc.) should expect that entity — not the foreign parent — to be the locus of enforcement. Compliance program design should reflect this; pushing compliance accountability to the parent or the global compliance function is not, structurally, a defense. The bottom-line shift the SAMR cases announce: **the Chinese platform-economy regulator has demonstrated the willingness, capability, and analytical doctrine to impose existential penalties on inadequate compliance programs**. The data-compliance regulator is, on every available evidence, watching and learning. Programs designed against the *prior* enforcement norm will be reverse-engineered against the *new* enforcement norm under the worst possible circumstances. Build now. --- — *黄春林、柴明银, 巨额处罚电商平台系列案对企业数据合规责任的启示 (Lessons from the E-commerce Platform Penalty Series for Enterprise Data Compliance Responsibility), 数据何规 WeChat Official Account, April 18, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/9w4AQMPmH9roj2qiILuHTw)* *Not legal advice. The above is DCC's structured summary of Huang's analysis, with framing for overseas counsel; the seven-lesson framework and the food-safety-to-data-compliance translation are Huang's. Author views are his own.* --- ## Mapping the AI Agent Risk Surface — A Ten-Category Taxonomy Under China's New 智能体新规 - Published: 2026-05-28 - Author: DCC Editorial - Tags: ai-agents, ai-governance, genai, commentary - Laws cited: genai-services-interim-measures, algorithmic-recommendation-provisions, deep-synthesis-provisions, ai-content-labeling-measures - Domains: ai-governance, data-security, personal-information - URL: https://datacompliancechina.com/posts/ai-agent-rules-risk-taxonomy/ - Markdown: https://datacompliancechina.com/posts/ai-agent-rules-risk-taxonomy.md - Original source: https://mp.weixin.qq.com/s/jQyo7KEwu1sREIWH3imZnA - Original author: 朱垒 (Zhu Lei) - Original publication: 数据何规 WeChat Official Account ### Description China's Cyberspace Administration jointly issued the Implementation Opinions on Standardized Application and Innovation Development of AI Agents (the '智能体新规' or 'Agent Rules') on May 8, 2026 — the first dedicated regulatory document on AI agents anywhere in the world. This DCC brief works through the ten-category risk taxonomy that practitioners are now using to map the agent attack surface: goal hijacking, tool misuse, identity/permission abuse, supply-chain compromise, unintended code execution, memory and context poisoning, inter-agent communication insecurity, cascade failures, human-machine trust exploitation, and rogue agents. With the agent risk mapped, the brief works the legal-liability vector: how each risk maps to administrative, civil, and criminal exposure under existing PIPL, CSL, Anti-Unfair Competition, and trade-secret regimes. Closes with the Guangzhou Internet Court's recent dual-authorization ruling against an open-source agent that bypassed a chat platform's risk controls — the first Chinese case to articulate the dual-authorization principle for AI agents accessing third-party platforms. ### Body > *Editor's Note — DCC.* > > The Cyberspace Administration of China and partner agencies jointly > issued the *Implementation Opinions on Standardized Application and > Innovation Development of AI Agents* (《智能体规范应用与创新发展实施 > 意见》, the "**Agent Rules**" or 智能体新规) on May 8, 2026. It is > the first dedicated regulatory instrument anywhere globally to address > AI agents as a distinct category — beyond general large-model rules > and beyond the generative-AI service framework. This DCC two-part > series adapts a substantive practitioner taxonomy by 朱垒 (Zhu Lei), > a commercial lawyer specializing in cyber and data, originally > published via 数据何规. Part 1 (this brief) maps the ten-category > risk taxonomy. [Part 2](/posts/ai-agent-rules-governance-framework/) > walks through the ten-step internal governance framework practitioners > are now using to operationalize the regime. > > The most useful single contribution in Zhu's piece is the mapping > from each technical risk to the *legal-liability vector* that > materializes when the risk is realized — i.e., the bridge from > "what can go wrong" to "what statute is invoked." DCC reproduces that > mapping in plain English for overseas counsel. ## What the Agent Rules cover The Agent Rules are the first Chinese regulatory document to address AI agents (智能体) — autonomous AI systems with goal-decomposition, tool-calling, environment-interaction, memory, and multi-step execution capabilities — as a distinct category. Where prior rulemaking addressed generative AI through the lens of model output safety (the *Interim Measures for the Management of Generative AI Services*, the *Algorithmic Recommendation Provisions*, the *Deep Synthesis Provisions*, the *AI-Generated Content Labeling Measures*), the Agent Rules extend the regulatory perimeter to: - The agent's **decision-making and permission scope** - Its **tool-calling behavior** - Its **interaction with external systems** - Its **supply-chain dependencies** - Its **application-derived risks** The document proposes an agent **registration platform**, **sample testing and adversarial tools**, **agent-decision permission frameworks**, **behavioral controls**, **built-in security capability standards**, **supply-chain security**, **classified and graded governance**, and a **compliance services system**. Enterprises building or deploying agents — particularly L3 / L4 agents that touch sensitive data or external systems — will operate under increasingly granular oversight as the implementation framework develops. ## The ten-category risk taxonomy Zhu's taxonomy — synthesizing OWASP's *Top 10 for Agentic Applications* with Chinese regulatory expectations — names ten risk categories. For each, DCC reproduces the technical risk + the *legal liability vector* it triggers in the Chinese regulatory regime. ### 1. Goal hijacking (目标劫持) **Technical risk.** Attackers use prompt injection, malicious files, falsified tool outputs, spoofed agent messages, or poisoned external data to alter the agent's task goal, decision path, or action plan — diverting it from the user's original intent. Canonical example: an attacker embeds a hidden instruction in a PDF that induces an internal-corporate agent to retrieve customer data and email it externally. **Legal liability.** Personal-information leakage; trade-secret leakage; unauthorized transactions; misinformed decisions; data exfiltration. Triggers the *Cybersecurity Law*, *Data Security Law*, *PIPL*, trade-secret protection regime, contractual liability, and tort liability. If the agent acts on the enterprise's behalf in a transaction or payment context, also raises questions of authorization effectiveness, apparent agency (表见代理), and internal-control failure. ### 2. Tool misuse / abuse (工具误用/滥用) **Technical risk.** After being granted tool-call permissions, the agent — through unclear permission boundaries, insufficient input validation, overlong execution chains, or absence of human-confirmation gates — performs erroneous, excessive, or attacker-induced operations within nominally legal tool scope. The core distinguishing feature: the agent doesn't just "say wrong" — it "does wrong." Example: a customer-service agent intended only to query order status proceeds to initiate refunds because its tool permissions were too broad. **Legal liability.** Data deletion; over-scope queries; financial loss; service interruption. Triggers findings of inadequate permission boundaries, breach of security-protection obligations, or absence of necessary approval mechanisms — resulting in administrative data-compliance penalties, contractual breach liability, tort liability, consumer-protection liability, and internal-audit accountability. ### 3. Identity and permission abuse (身份与权限滥用) **Technical risk.** In multi-system, multi-tool, or multi-agent environments, the agent inherits, caches, sub-delegates, or reuses identity credentials — resulting in low-privilege actors effectively acquiring high-privilege capabilities, or rendering the responsible actor for specific behaviors unidentifiable. Example: an administrator agent retains SSH credentials in its memory or context; a regular user then induces it to use those credentials to create unauthorized accounts. **Legal liability.** Access-control failure; over-authorization processing of personal information; important-data leakage; unauthorized payment; system intrusion. Triggers administrative and civil liability for failure to implement least-privilege, identity authentication, access control, credential isolation, and audit logging. In dispute resolution, the inability to prove the source of operations, authorization chain, and responsible actor produces adverse evidentiary outcomes. ### 4. Agent supply-chain risk (智能体供应链风险) **Technical risk.** The agent's underlying model, plugins, tools, prompt-template libraries, MCP services, agent registries, datasets, third-party agents, or update channels are poisoned, tampered with, counterfeited, or implanted with malicious logic. Examples: a malicious MCP server impersonating a normal email tool secretly bcc's the attacker on every email; a poisoned npm package auto-installed by a developer agent exfiltrates SSH keys and API tokens. **Legal liability.** Third-party-component security liability; vendor-management liability; open-source-compliance liability; data-leakage liability. Enterprises without component inventories, source verification, version pinning, vendor review, behavior monitoring, and emergency-deactivation mechanisms face findings of inadequate security management. ### 5. Unintended code execution (意外代码执行) **Technical risk.** When generating, interpreting, modifying, or executing code, the agent — through prompt injection, tool misuse, unsafe deserialization, dynamic-execution functions, or malicious dependency installation — converts natural-language input or model output into unintended executable behavior. Particularly acute in dev-assistant, auto-Ops, data-analysis, and "vibe coding" contexts where the agent connects directly to code repositories, command lines, build systems, or production environments. **Legal liability.** System intrusion; production-data deletion; service interruption; malicious-code propagation; client-asset damage. Triggers cybersecurity-incident handling obligations, data-leakage notification obligations, contractual breach, and tort liability. ### 6. Memory and context poisoning (记忆与上下文投毒) **Technical risk.** Attackers — through file uploads, API data, user input, RAG knowledge bases, shared memory, or multi-agent interactions — poison the agent's long-term memory, vector store, context summary, or retrievable knowledge. The agent then makes erroneous judgments or dangerous decisions in subsequent tasks. The distinguishing feature: malicious content may not trigger immediate harm, but is repeatedly used as trusted information in later sessions, retrievals, or task plans. Example: an attacker repeatedly feeds a travel agent fake flight prices; the agent later auto-approves erroneous-price orders. **Legal liability.** Erroneous transactions; misinformation propagation; PI commingling; cross-tenant data leakage; business-decision distortion. Triggers data-quality management, PI segregation, purpose limitation, minimum-necessary processing, trade-secret protection, and client-loss compensation obligations. In high-sensitivity sectors (financial, medical, government), triggers stricter sectoral regulatory liability. ### 7. Inter-agent communication insecurity (智能体间通信不安全) **Technical risk.** When multi-agent systems communicate via API, message bus, shared memory, or registry-discovery mechanisms, the absence of authentication, integrity verification, semantic validation, or replay-protection allows attackers to intercept, forge, tamper with, replay, or block agent messages. Example: a man-in-the-middle inserts hidden instructions into an unencrypted channel, altering multi-agent decisions. **Legal liability.** Data leakage; erroneous scheduling; mispayment; system interruption; responsibility-chain rupture. Triggers findings of inadequate transport encryption, identity authentication, access control, and integrity-protection measures. ### 8. Cascade failure risk (级联故障) **Technical risk.** A single agent's error, hallucination, poisoned memory, malicious input, supply-chain issue, or tool misuse propagates along the multi-agent collaboration chain, automated workflow, shared state, or business system — and amplifies into a systemic failure. The agent's autonomous-planning and auto-execution capabilities make single-point errors more likely to escalate into cross-system, cross-workflow, cross-actor chain consequences. Example: a poisoned medical knowledge base causes a treatment agent to adjust medication plans, which a nursing-coordination agent then propagates across multiple patient flows. **Legal liability.** Product defects; medical harm; financial loss; public-safety incidents. Triggers product liability, tort liability, contractual liability, regulatory-reporting and emergency-response obligations. In high-risk sectors, additionally triggers administrative penalties, business-rectification orders, suspension of operations, and executive accountability. ### 9. Human-machine trust exploitation (人机信任利用) **Technical risk.** The agent uses natural-language fluency, anthropomorphized expression, authoritative tone, emotional interaction, or fabricated explanations to induce excessive user trust — leading the user to approve dangerous operations, disclose sensitive information, or make erroneous business decisions. The risk doesn't always manifest as the agent directly over-stepping; often it appears as the agent *influencing the human user* to complete the final, auditable operation — making it more covert in forensic and liability-attribution contexts. Example: a poisoned finance Copilot recommends "urgent payment" based on a fake invoice; the manager, trusting its explanation, approves the transfer. **Legal liability.** Consumer misleading; fraudulent payment; PI leakage; internal-credential leakage; erroneous medical or financial advice. Triggers consumer-protection, advertising-and-anti-fraud, PIPL, contractual breach, and employer-liability risk. If the agent's explanation conceals real risk, additionally raises transparency, disclosure, and human-oversight failure issues. ### 10. Rogue / malicious agents (失控/恶意智能体) **Technical risk.** The agent — through attack, poisoning, goal drift, reward-function defect, identity spoofing, or multi-agent collusion — departs from its original function and authorization scope, exhibiting persistent, covert, self-replicating, or destructive harmful behavior. The risk distinguishes itself from single-input-output errors: the agent loses behavioral integrity and governance controllability *during operation*. Example: an attacked agent continues to scan for and exfiltrate sensitive files even after the original malicious source is removed; a compromised auto-Ops agent self-replicates via configuration interfaces, persistently consuming system resources. **Legal liability.** Persistent data exfiltration; business-flow hijacking; system destruction; production-backup loss; unrecoverable damage. Triggers major cybersecurity-incident liability, data-security liability, contractual and tort liability. ## How this connects to recent Chinese case law Zhu flags one recently-litigated case as illustrative of how Chinese courts are starting to apply traditional legal categories to agent conduct. **Guangzhou Internet Court — agent network unfair-competition dispute.** The court recently considered an AI dialogue agent with role-playing and intelligent-conversation capability, which could (to some degree) substitute for human users in click/send/interaction operations on a target chat platform. The plaintiff alleged that the defendant's open-source agent was bypassing the plaintiff's platform rules and technical management measures, using system-underlying permissions to directly recognize, read, and control other applications — calling and operating the plaintiff's platform without authorization, harming the platform's operating order and legitimate rights. The court issued a preservation order requiring the defendant to: - Immediately cease providing download and installation services for the agent - Cease using system-underlying permissions to circumvent the platform's technical management measures - Delete and cease propagating tutorials and content directed at circumventing the platform's risk-control measures The case's analytical core is the **dual-authorization principle (双重授权原则)** for AI agents accessing third-party platforms: where an agent accesses, calls, or controls a third-party application, it must obtain both *the third-party application's authorization* and *the user's autonomous authorization*. The court declined to treat "open-source," "non-profit," "user-script," or "third-party-component" status as default exoneration; the analysis focused on whether the agent broke the platform's technical management measures, disrupted normal operating order, and circumvented the third-party application's security boundaries using user authorization as cover. Zhu reads this as paralleling the analytical posture of *Amazon v. Perplexity* in the United States: in both, the central question is that *user authorization does not equal platform authorization*. Once a third-party platform has — through terms of service, technical measures, cease-and-desist letters, or otherwise — explicitly restricted agent access, an agent operator that continues to design, assist, or execute such access faces unauthorized-access, circumvention-of-technical-measures, unfair-competition, or platform-rule violation liability. ## The regulatory comparison Zhu lays out Five jurisdictions, each taking a distinct path: - **China — dedicated Agent Rules (May 2026)**, first specialized document, classified-and-graded governance framework - **OECD — *The agentic AI landscape and its conceptual foundations* (February 2026)** — conceptual mapping to OECD's existing AI System definition, supporting policy harmonization - **Singapore — IMDA *Model AI Governance Framework for Agentic AI* (January 2026)** — four-dimensional framework (advance risk assessment / meaningful human responsibility / technical + process controls / strengthened end-user responsibility); the most systemic external counterpart to China's Rules - **EU — interpretation under existing AI Act**, with AI agents falling within "AI System" category subject to risk-tiered obligations; *Digital Omnibus on AI* has begun engaging agentic AI explicitly - **US — *AI Agent Security RFI* (NIST/CAISI, January 2026)** + *AI Agent Standards Initiative* (NIST, February 2026); industry-led standards approach with leading-company governance frameworks (Google SAIF, IBM AI Agent Evaluation) - **UK — CMA *Agentic AI and consumers* (March 2026)** — consumer-protection and competition-policy lens; distinct from the AI-safety framing of other jurisdictions Across the five, regulatory recognition is converging: AI agents are treated as a distinct high-risk category requiring risk-grading, permission control, human oversight, security testing, traceable auditing, accountability, and transparent disclosure — not as ordinary GenAI-service extensions. ## What this tells overseas compliance teams - **The Agent Rules are the operational reference point for any agent deployment touching the Chinese market.** Multinationals deploying agents that access Chinese users, data, or systems should map their internal governance against the Rules' classified-graded framework. The classification tier (L1 read-only / L2 limited-write / L3 sensitive-data-processing / L4 high-impact decision) determines the regulatory scrutiny baseline. - **The dual-authorization principle is now actionable.** For any agent that interfaces with third-party Chinese platforms — even open-source agents, even agents nominally controlled by end-users — counsel should treat third-party-platform authorization as a separate, mandatory layer beyond user authorization. The Guangzhou Internet Court ruling is the first Chinese-court articulation; expect more. - **The ten-category risk taxonomy maps cleanly to a compliance-program review.** Use it as a checklist. For each category, verify the technical control and the legal-position documentation. Categories 4 (supply chain), 6 (memory poisoning), and 9 (human-machine trust) are the ones where DCC sees the most pre-existing-regime gaps in practice. - **Treat the regulatory comparison as a forecasting tool, not a benchmark.** The five-jurisdiction picture telegraphs the operational convergence point. Compliance frameworks designed to satisfy the *most stringent* of China, Singapore, and EU (likely the operational floor as the regimes mature) will not need to be re-architected for a single market. For the operational governance framework that practitioners are now using to translate this risk taxonomy into internal controls, see [Part 2 of this series](/posts/ai-agent-rules-governance-framework/). --- — *朱垒, 从《智能体新规》看AI智能体的风险防范与合规治理(上)(Risk Prevention and Compliance Governance of AI Agents Under the Agent Rules — Part 1), 数据何规 WeChat Official Account, May 13, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/jQyo7KEwu1sREIWH3imZnA)* *Not legal advice. The above is DCC's structured summary of Zhu's analysis, with framing for overseas counsel; the ten-category taxonomy, the cross-jurisdictional comparison, and the Guangzhou Internet Court case framing are Zhu's. Author views are his own.* --- ## Operationalizing AI Agent Governance — A Ten-Step Internal Control Framework - Published: 2026-05-28 - Author: DCC Editorial - Tags: ai-agents, ai-governance, genai, compliance-program, commentary - Laws cited: genai-services-interim-measures, algorithmic-recommendation-provisions, deep-synthesis-provisions, personal-info-audit-measures - Domains: ai-governance, data-security, personal-information - URL: https://datacompliancechina.com/posts/ai-agent-rules-governance-framework/ - Markdown: https://datacompliancechina.com/posts/ai-agent-rules-governance-framework.md - Original source: https://mp.weixin.qq.com/s/VAoNJBWEa7yM7TsOg0OMvw - Original author: 朱垒 (Zhu Lei) - Original publication: 数据何规 WeChat Official Account ### Description Part 2 of DCC's brief on the Chinese Agent Rules (《智能体规范应用与创新发展实施意见》, May 2026). After mapping the ten-category risk taxonomy in Part 1, this brief works through the ten-step internal governance framework practitioners are now building to operationalize agent compliance: cross-functional governance organization + agent asset inventory; use-case admission and classification (L1 read-only / L2 limited-write / L3 sensitive-data / L4 high-impact); security assessment and AI red-team testing; identity authorization and permission control (with the under-discussed 'permission inheritance' trap); data protection; tool and protocol security; human-in-the-loop design; supply-chain security; continuous monitoring; and AI-specific incident response. Closes with five operational priorities for teams that need to start now without waiting for the 'big-and-comprehensive' regime build. ### Body > *Editor's Note — DCC.* > > This is Part 2 of DCC's brief on the Chinese *Agent Rules* (《智能体 > 规范应用与创新发展实施意见》, May 8, 2026). [Part 1](/posts/ai-agent-rules-risk-taxonomy/) > mapped the ten-category risk taxonomy. This brief works through the > ten-step governance framework — the internal-control architecture > practitioners are building to operationalize the regime. Adapted from > a substantive piece by 朱垒 (Zhu Lei), originally published via > 数据何规. The framework reflects converging practice across Chinese > AI-compliance teams; overseas counsel will recognize many components > but should pay particular attention to the *permission-inheritance > failure mode* (Step 4) and the *AI-specific incident response* (Step > 10) — the two areas where Chinese practice has surfaced operational > issues that the general data-security playbook does not address. ## Why a ten-step framework rather than a single control The Agent Rules treat AI agents not as an extension of generative-AI services but as a distinct system class requiring full-lifecycle governance — from *deployment-decision* (whether and what to deploy) through *design* (how the agent is permissioned and constrained) through *operations* (how its behavior is monitored) through *incident response* (what to do when something breaks). A single control point — say, a model-output review — addresses none of the new risk categories the [risk taxonomy](/posts/ai-agent-rules-risk-taxonomy/) surfaced. Zhu's framework — drawn from project experience with multiple Chinese enterprises that have already stood up agent governance — is ten components organized into three temporal tiers: - **Pre-deployment (requirements stage):** Steps 1–2. Governance organization + use-case admission and classification. - **Development and testing stage:** Steps 3–8. Security assessment + identity/authorization + data protection + tool security + human oversight + supply-chain security. - **Post-deployment (operations stage):** Steps 9–10. Continuous monitoring + AI-specific incident response. What follows works through each. ## Step 1 — Cross-functional governance organization + agent asset inventory **Governance organization.** For enterprises with scaled or planned-scale agent use, agent governance cannot sit only within the tech team. The recommended structure is a cross-functional body involving the board or executive team (setting the enterprise's agent risk appetite, prohibited scenarios, and high-risk scenarios), the algorithm / AI team, legal, information security, and the business owners. Either folded into existing data-compliance or cybersecurity governance, or stood up as a dedicated AI Governance Committee. **Agent asset inventory.** A unified internal inventory of every agent operating in the enterprise — self-developed, third-party-purchased, business-system-embedded, employee-configured low-code or no-code agents. Each inventory entry records: - Agent name and business purpose - Owning department and responsible person - Model source and vendor - Tool list and external-API connections - Data-access scope - System-access scope - Deployment environment - Audience (internal, customer-facing, partner-facing) - Risk level (per Step 2 classification) - Lifecycle status The inventory is the precondition for everything downstream: without knowing what agents exist and what they're connected to, classification, permission control, audit, and incident response have no anchor. Chinese teams that have skipped the inventory step have, by Zhu's account, consistently hit issues at the audit or incident-response stage. ## Step 2 — Use-case admission + classification **Classification.** A four-tier classification standard is the working pattern: - **L1 — Low-risk read-only assistance.** Internal document summary, knowledge retrieval, text refinement. - **L2 — Limited write or internal-flow assistance.** Drafting tickets, generating email drafts, supporting internal reports — but with mandatory human-completion for the final submission. - **L3 — Sensitive-data processing or multi-internal-system access.** Customer-service agents handling user PI, after-sales records, or order data. - **L4 — High-impact decisions or actions.** Auto-payment, contractual commitments, diagnostic-or-treatment recommendations, credit decisions, production-system changes, external-transaction execution. L3 and L4 agents face higher approval thresholds, mandatory pre-deployment testing, and stricter ongoing monitoring. **Use-case admission assessment.** Before any agent goes live, the assessment covers at minimum: 1. Does it access databases? What is the scope? Does it touch personal information, trade secrets, or other sensitive data? 2. Does it access external systems? Does it interact with third-party systems? What is the attack surface? 3. Does it have write, transaction, or decision capabilities? Are its actions reversible? 4. What is the target audience? Public-facing? Employee-facing? 5. What is the business-domain error tolerance? Does it touch finance, medical, hiring, credit, contract negotiation, critical-infrastructure operations, production-system code modification, or other high-risk domains? The admission assessment prevents business units from quietly attaching agents to production environments without risk evaluation — a common pre-governance failure mode. ## Step 3 — Security assessment + AI red-team testing **Security assessment.** Before any agent goes live, the assessment covers task-completion accuracy, policy compliance, tool-call correctness, over-authorization attempts, prompt injection, sensitive-data leakage, anomaly recovery, rollbackability, log completeness, multi-agent cascade errors, and high-load stability. **Red-team testing for high-risk agents.** Typical tests: - Embedded malicious instructions in webpages or documents — does the agent get tricked into data leakage? - Third-party tool return content — does it alter the agent's system instructions? - Will the agent call unauthorized tools? - Will the agent send internal data to external APIs? - After task failure, does the agent loop and consume system resources? - When goals are under-specified, does the agent perform "specification gaming" to bypass restrictions? Test results produce an issue list, remediation plan, and re-test record. **High-risk agents with unresolved findings should not go live.** ## Step 4 — Identity authorization + permission control Agents should be treated as enterprise-identity-management subjects — like employees, service accounts, or API clients. Each agent gets a unique identifier; the system records the user / department / business flow it represents; multiple agents sharing high-privilege accounts is prohibited. **Authorization principles** — least privilege, task scope, time scope, context scope. The agent only accesses data, calls tools, and operates systems within the scope necessary to complete the specific task. **The permission-inheritance failure mode.** Zhu calls out this trap explicitly because it's the most-common operational issue in Chinese practice: - If an employee can only access one category of customer data, the agent they entrust should not — through technical configuration — acquire higher permissions. - If a primary agent calls a sub-agent or external tool, the sub-agent or external tool should not by default inherit the full permissions of the primary. This sounds obvious, but the default configurations of most agent frameworks and orchestration platforms do *not* enforce permission inheritance limits. Engineering teams treating agent-to-agent or agent-to-tool calls as transparent function calls reproduce the human-employee permission structure in the agent layer — without realizing they've also reproduced the maximum-permission attack surface of every actor in the chain. **High-impact operations require additional gates.** Payments, data deletion, bulk export, external sending, permission changes — all should sit behind multi-factor authentication, secondary authorization, or mandatory human execution. **Dynamic authorization scenarios** require recording the authorizer, scope, reason, time, validity period, and revocation mechanism. ## Step 5 — Data protection The enterprise should systematically map every data-processing scenario the agent touches: user input, memory modules, runtime logs, third-party transmission. For PI, sensitive PI, or other regulated data categories, conduct the data-compliance review, PI Impact Assessment, or cross-border transfer impact assessment as applicable. **Boundary-line specifications.** The enterprise should explicitly specify: - Which data may enter the model context - Which data may be written to long-term memory - Which data may be sent to third-party tools - Which data must be desensitized, encrypted, isolated, or simply prohibited from processing **Consumer-facing agent disclosure.** For agents facing users or consumers, the enterprise should clearly disclose: AI identity, primary function, capability limitations, data-access scope, human-intervention mechanism, complaint channel. **Internal-use agent rules.** For employee-internal agents, internal policy and training should cover: what categories of sensitive information may not be input; when human review is mandatory; how to mark classified material; how to report anomalies; whether internal materials may be input to external agents. **Log and memory governance.** Retention period, access permissions, deletion mechanisms, audit rules — to prevent uncontrollable data accumulation over the agent's operating life. ## Step 6 — Tool and protocol security Tool calls are the core risk source. The enterprise should: - Establish a **tool whitelist** system — for each tool, specify input/output, call permissions, rate limits, error handling, sensitive-data filtering, and logging requirements. - For MCP servers, browser plugins, third-party APIs, code-execution environments, and RPA tools — conduct security assessment and vendor review. - **Prohibit** agents from installing plugins or connecting to unknown servers without review; prohibit sending internal sensitive data to unvetted external tools. ## Step 7 — Human-in-the-loop design Per agent risk tier, configure appropriate human-intervention mechanisms: - **Low risk** — ex post sampling sufficient - **Medium risk** — key-node confirmation - **High risk or irreversible action** — ex ante approval, two-person verification, or human execution The enterprise should periodically audit whether the human-approval is *meaningful* — i.e., that the approver actually reviews, rather than mechanically clicking through due to automation bias. The audit posture: "would this approval have caught the kind of error this agent is most likely to produce?" ## Step 8 — Supply-chain security The enterprise should integrate agent supply-chain into procurement-admission, information-security, and data-compliance review processes — vendor data-handling practices, security capabilities, model-update mechanisms, log retention, service availability, audit cooperation. **Contract terms** with agent vendors should cover: model / plugin / tool / log responsibilities; vulnerability response; data handling; IP; infringement complaints; service interruption; security-incident notification. **For vendors processing PI, trade secrets, or regulated data**, require security-capability proof, signed data-processing agreement, and AI-compliance-and-security-protection special clauses in the contract. ## Step 9 — Continuous monitoring Post-deployment, the enterprise should establish dynamic-behavior monitoring. Indicators include: - Anomalous tool-call count - External-data-send volume - Failed-retry count - Over-authorization request count - Human-rejection rate - User complaints - Hallucination-induced correction count - System-resource consumption - High-risk-operation frequency - Sensitive-data hit rate - Vendor service anomalies For abnormal-resource-consumption scenarios, the enterprise should pre-negotiate with the vendor on billing, quotas, alerts, and loss-cutoff mechanisms — to avoid catastrophic cost or service loss from runaway agent loops. ## Step 10 — AI-specific incident response Agent incidents may include: data leakage, over-authorization, erroneous transactions, misdirected emails, production-system damage, consumer misleading, vendor tool compromise, successful prompt injection, multi-agent cascade failure, erroneous-recommendation harm, agent-repeated-execution resource exhaustion. These do not map cleanly onto traditional cybersecurity incident-response playbooks. Zhu recommends building agent-specific incident response with reference to the *Cybersecurity Standard Practice Guide — Generative AI Service Security Emergency Response Guide*. ## Five operational priorities — what to do now Zhu's concession: a "big-and-comprehensive" governance regime build takes time. For enterprises that need to start without waiting, the operational priorities are five: 1. **Map and assess existing agents.** Identify current and planned-deployment agents that touch PI, external systems, automated decision-making, or critical business flows. Flag those carrying significant security, compliance, or business risk. 2. **Customer-facing agent service terms.** Draft or update *AI Agent Service Terms* documenting the agent's identity, function scope, action boundaries, data-processing practices, user authorization, human-intervention, complaint and feedback paths, and liability allocation. 3. **Procurement and vendor contract clauses.** Develop a procurement-admission standard for agent R&D, purchasing, and third-party supply-chain cooperation; insert AI-compliance-and-security-protection special clauses into procurement and cooperation agreements covering functional availability, data handling, memory retention, tool calls, resource consumption, vulnerability response, service interruption, IP, and security-incident notification. 4. **Workflow review for production-integrated agents.** For agents already integrated into business flows, assess whether human-verification mechanisms are needed; adjust workflows, user-interaction interfaces, internal-approval processes, and log-retention rules accordingly. 5. **Existing GenAI compliance overlay.** For enterprises with generative-AI services or algorithmic-recommendation deployments, assess and complete the model-filing, algorithm-filing, PIIA, and cross-border-transfer assessment work as applicable. Agent deployments don't substitute for the underlying GenAI compliance work. ## What this tells overseas compliance teams - **Use Step 1 — inventory — as the entry point if no other agent-governance work is in place.** It's the cheapest, fastest, and unblocks everything downstream. Multinationals with Chinese operations should ensure the inventory captures *both* China-deployed and China-data-touching agents. - **The L1 / L2 / L3 / L4 classification is converging across jurisdictions.** Zhu's four-tier framework aligns with Singapore IMDA's framework and is broadly compatible with the EU AI Act's risk tiers. Use one classification system across the global agent estate; map Chinese L3 / L4 expectations to the higher of {EU high-risk requirements, China L3/L4 requirements}. - **The permission-inheritance failure mode (Step 4) is the most under-recognized risk.** It manifests as a technical-implementation issue but produces a legal liability surface. Overseas teams should specifically audit how their agent frameworks handle agent-to-agent and agent-to-tool permission propagation, and require their vendors to demonstrate non-inheritance defaults. - **AI-specific incident-response is the operational backstop you don't have until you build it.** Traditional cyber-incident-response playbooks assume a relatively static system; agent failures are dynamic and can self-propagate. Build the agent-specific response now, before you need it — the *Generative AI Service Security Emergency Response Guide* is a useful starting reference. - **Operationally prioritize the five-step practical plan over the ten-step comprehensive framework.** Especially for non-AI-native enterprises just starting agent deployment, the inventory + classification + customer-facing-terms + vendor-clauses + workflow-review sequence captures most of the risk reduction without overwhelming the compliance team. The structural takeaway: **the Chinese Agent Rules are accelerating an operational architecture that will become global compliance baseline within 24–36 months**. Multinationals that build it for the Chinese regime get the global build essentially free; teams that wait for global guidance to crystallize will be reverse-engineering compliance into deployed agents at the worst possible time. For the underlying ten-category risk taxonomy that this framework is designed to manage, see [Part 1 of this series](/posts/ai-agent-rules-risk-taxonomy/). --- — *朱垒, 从《智能体新规》看AI智能体的风险防范与合规治理(下)(Risk Prevention and Compliance Governance of AI Agents Under the Agent Rules — Part 2), 数据何规 WeChat Official Account, May 20, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/VAoNJBWEa7yM7TsOg0OMvw)* *Not legal advice. The above is DCC's structured summary of Zhu's framework, with framing for overseas counsel; the ten-step framework and the five-step priority sequence are Zhu's. Author views are his own.* --- ## Open-Source Does Not Mean Open Data — Zhang Ping on Training-Data Compliance for Open-Source AI - Published: 2026-05-28 - Author: DCC Editorial - Tags: ai-governance, open-source, training-data, copyright, commentary - Laws cited: genai-services-interim-measures, pipl, dsl, csl - Domains: ai-governance, personal-information, data-security - URL: https://datacompliancechina.com/posts/open-source-ai-training-data-compliance/ - Markdown: https://datacompliancechina.com/posts/open-source-ai-training-data-compliance.md - Original source: https://www.rmlt.com.cn/2026/0401/748659.shtml - Original author: 张平 (Zhang Ping), Peking University Law School - Original publication: 人民论坛 (People's Tribune), April 1, 2026 ### Description Peking University Law School professor Zhang Ping, writing in 人民论坛 (People's Tribune), takes apart two misconceptions that have dominated the Chinese open-source AI discussion: that 'open source' means training data has no copyright protection, and that 'algorithm open-source' compels 'training data publication.' Both false. Zhang lays out the structural distinction: 'open source is conditional authorization under license' — applied to model weights, not to the training corpus, which is a legally independent object. She then maps the full-chain compliance risk (acquisition / processing / output) and proposes a four-tier differentiated governance framework that finance, healthcare, and government AI deployments can actually use to map their training-data inventory against compliance gates. ### Body > *Editor's Note — DCC.* > > Zhang Ping, professor at Peking University Law School, published this > piece in 人民论坛 (People's Tribune) — a state-affiliated theoretical > journal of People's Daily Publishing Group — as part of its 前沿 > ("Frontier") column on emerging legal and policy questions. The piece > takes direct aim at two confusions that have dominated Chinese > open-source AI discussion in the wake of DeepSeek, Qwen, and the > broader open-weight wave: the conflation of "model weight open-source" > with "training data open-source," and the inference from "available > on the internet" to "available for training." DCC reproduces Zhang's > framework with framing for overseas counsel structuring China-related > AI-model and training-data deployments. ## The two misconceptions Two patterns Zhang sees repeatedly in Chinese practitioner discussion: **Misconception 1: Open-source AI means training data has no copyright protection.** Wrong. Open-source is *conditional authorization based on a license*. The licensor retains copyright; the licensee gets specified rights only within license scope. "Publicly accessible" content on the internet is not the same as "available for training" — most internet content is protected by copyright, the *Personal Information Protection Law*, or trade-secret regimes. **Misconception 2: Algorithm open-source compels simultaneous training-data publication.** Wrong. Model weights and training data are *two distinct objects subject to different legal rules*. An enterprise can open-source the model architecture and weights while maintaining commercial autonomy over the training corpus. Doing so is both legally compliant and commercially coherent — and is, in fact, the standard practice for most major open-weight releases (the model is open; the data is not). The misconceptions are not academic. They drive operational behavior: teams scraping web data on the assumption that "open = public domain," teams publishing model weights and assuming the training data must follow, teams negotiating with data suppliers under wrong assumptions about default rights. Each produces a downstream compliance failure. ## The full-chain risk Open-source AI training-data use creates risk at every stage of the data lifecycle. Zhang structures the picture in three: ### Acquisition stage The dominant operational mode is automated crawling at scale. The legal problem: **license-chain traceability collapses at scale**. A scraped page may host content under multiple licenses, with licensing buried in linked agreements or invisible metadata. Aggregation across millions of sources produces a corpus where the original license terms are no longer traceable per item. This produces what Zhang calls a **"license laundering" (许可洗钱) effect** — a striking term that captures how copyright-protected content becomes operationally indistinguishable from public-domain content once it's been processed through a crawling and tokenization pipeline. The downstream operator cannot, in practice, separate the legitimately licensed content from the infringing content in the resulting corpus. From a compliance posture, every byte in the corpus carries inherited license-uncertainty. ### Processing stage Once acquired, the training data enters PI-protection obligations under PIPL — and these obligations are *technically difficult to discharge*. Two specific gaps: - **The right of deletion (删除权).** PIPL Article 47 establishes the deletion right; for personal information in a training corpus, exercising the right is technically non-trivial. Once a model has been trained on a dataset, removing a specific data point requires retraining or specialized "machine unlearning" techniques that are still maturing. The legal right exists; the operational mechanism is incomplete. - **Purpose limitation.** PIPL Article 6 limits processing to the disclosed purpose. Training data that was lawfully collected for a stated purpose (e.g., medical-records research) cannot, without additional consent, be redirected to a different purpose (e.g., training a foundation model for general use). Compliance teams underestimate how aggressively this constrains corpus repurposing. ### Output stage The model may, in inference, *reproduce specific expressions from the training corpus* — verbatim or near-verbatim. This triggers two distinct legal vectors: - **Copyright infringement.** Where the reproduced expression is identifiable as a copyrighted work, the model output may infringe; the deployer is exposed under direct or indirect infringement analysis. - **PI re-identification.** Where the reproduced expression contains personal information from the training corpus, the model output may constitute an unauthorized disclosure of personal information — even if the training input was processed with appropriate consent. The output-stage risk is structurally novel because it implicates not the data acquisition or processing decisions but the *model's emergent behavior*. Standard compliance-review postures designed for static-data flows don't capture it. ## The four-tier differentiated governance framework Zhang's most operationally useful contribution is a four-tier classification of training data with corresponding compliance gates. The tiers: ### Tier 1 — Open-license or public-domain data Lowest risk. Data under open licenses (Creative Commons, Apache, MIT, etc.) or in the public domain. **Compliance posture:** prioritize use; document the license; preserve attribution where required. ### Tier 2 — Publicly accessible but with unclear licensing Moderate risk. Data scraped from the web with unclear or untraceable license terms. **Compliance posture:** active license-chain verification before inclusion. If verification fails, exclude from corpus or restrict downstream model use. Crucially, *publicly accessible ≠ licensed for training* — Tier 2 requires affirmative documentation, not absence of explicit prohibition. ### Tier 3 — Data containing personal information High risk. **Compliance posture:** strict PIPL handling. De-identification or anonymization at the earliest possible pipeline point. PIIA prior to inclusion. Documentation of legal basis (consent, contractual necessity, statutory exemption). Separate handling protocols for sensitive PI under PIPL Article 28. ### Tier 4 — Important data or trade secrets Highest risk. Data within the *important data* category under the DSL classification regime, or third-party trade secrets. **Compliance posture:** highest-tier security protection. Access controls, encryption, audit logging, segregation from general-corpus pipelines. Separate review and approval gates. For important data, additional consideration of cross-border restrictions under the *Measures for the Security Assessment of Data Export*. The four-tier framework is the operational analog of the [three-tier data classification (general / important / core)](/posts/qinglan-how-to-identify-important-data/) Wang Qinglan walked through for general data assets, applied specifically to AI training corpora. ## The four operational pathways Zhang proposes four concrete pathways for enterprises operationalizing the framework. ### Pathway 1 — Strengthen authorization contracting with data suppliers Enterprises sourcing training data from third-party suppliers should contract for: - **Complete data source proof.** The supplier must provide documentation of where the data was collected and from whom. - **Authorization-chain documentation.** Full traceability from the original rights-holder through any intermediate licensees to the supplier. - **Title-warranty clauses.** Embedded warranties shifting infringement liability to the supplier in case of defects. This shifts the license-laundering risk back up the supply chain to the party best positioned to verify provenance — the supplier — rather than concentrating it at the deployer. ### Pathway 2 — Classification and grading system Routine data inventory and asset ledgers documenting per data category: source, authorization form, applicable scope, compliance status. Differentiated access controls aligned to the four-tier classification. ### Pathway 3 — Technical defenses - **Pre-training automated tools.** Remove personal information; identify high-copyright-risk data; flag potential trade-secret content. Apply before the data enters the training pipeline. - **Output filtering mechanisms.** At inference, intercept outputs that may reproduce training-corpus expressions verbatim. The output-stage risk needs an output-stage control. ### Pathway 4 — Public corpus infrastructure development The supply-side fix Zhang advocates: expand compliant public corpora. Government data, public cultural resources, scientific data — released under standardized authorization terms with quality control and continuous updating. The aim is to provide enterprises with a high-volume, low-risk, well-documented training-data source — reducing the operational incentive to scrape questionable web content. ## What this tells overseas compliance teams - **Stop conflating "model open-source" with "data open-source."** They're distinct legal objects. Standard global practice (open weights + closed training corpus, or open weights + partially-documented training corpus) is legally coherent in China; the conflation is the compliance failure mode, not the structure. - **"Publicly accessible" is not a legal status — it is a technical state.** Web-accessibility does not entail training-use license. Compliance reviews of training-data sourcing should specifically reject "scraped from public web" as a sufficient documentation standard. Replace with affirmative license documentation per data source. - **The license-laundering risk is structural.** Scrape-aggregate-train pipelines obscure the license-chain in ways that cannot be unwound post hoc. The compliance posture has to be designed at the *acquisition* stage; downstream remediation is not, in practice, available. - **The four-tier framework maps cleanly to internal corpus governance.** Multinationals building or licensing AI models with any China-data exposure should map their training corpora against Zhang's four tiers and document the compliance gates per tier. The framework is portable; many of its requirements (de-identification at pipeline entry, license-chain documentation, output filtering) are operational baseline globally. - **The output-stage filtering capability is the under-deployed control.** Most compliance attention focuses on data acquisition and processing; the inference-stage reproduction risk is where the most-visible failures occur in practice. Build the output filtering before the regulator surfaces a verbatim-reproduction case against your model. The deeper point Zhang lands at the close of her piece: **open-source and compliance are not in tension; they are *both* preconditions for sustainable AI industry development**. China's AI international competitiveness, she argues, requires both "continuous technological breakthroughs" and "solid legal infrastructure." Compliance governance is not a constraint on innovation — it is the condition that lets innovation continue. The framing is consistent with the broader Chinese-regulator posture: the regime is trying to enable the AI industry, not suppress it, but is willing to absorb friction in the build-out to keep the architecture intact. --- — *张平, 前沿 | 开源人工智能训练数据的合规治理 (Frontier: Compliance Governance of Open-Source AI Training Data), 人民论坛 (People's Tribune), April 1, 2026. [Original article (Chinese).](https://www.rmlt.com.cn/2026/0401/748659.shtml)* *Not legal advice. The above is DCC's structured summary of Zhang's analysis, with framing for overseas counsel; the four-tier classification framework and the four operational pathways are Zhang's.* --- ## MIIT Public-Naming Bulletin 2026 Batch 3 (Total Batch 56): 31 Apps and SDKs Cited for PI Violations and Window-Redirect Abuse - Published: 2026-05-28 - Author: DCC Editorial - Tags: enforcement, miit, app-compliance, pipl, public-naming - Laws cited: pipl, csl, personal-info-audit-measures, network-data-security-regulations - Domains: enforcement, personal-information, app-compliance - URL: https://datacompliancechina.com/posts/miit-2026-batch-3-31-app-public-naming/ - Markdown: https://datacompliancechina.com/posts/miit-2026-batch-3-31-app-public-naming.md - Original source: https://mp.weixin.qq.com/s/pI6fsJpm6O9u7Icntw8guA - Original author: 工业和信息化部信息通信管理局 (MIIT Information & Communications Administration Bureau) - Original publication: 工信微报 WeChat Official Account ### Description MIIT's Information & Communications Administration Bureau published its 2026 Batch 3 public-naming bulletin (total Batch 56) on May 21, 2026, citing 31 apps and SDKs for violations of personal-information collection rules and window-redirect abuse. DCC frames this as the first entry in our enforcement tracker — explaining the joint CAC + MIIT + MPS 2026 Special Campaign that authorizes the batches, the four-statute legal architecture invoked, the rectification-then-enforcement pathway each named entity faces, the cadence of the bulletin series (roughly monthly, 56 batches since inception), and the operational picture this gives overseas counsel of which PI-protection violations actually attract enforcement in the Chinese mobile-app channel. ### Body > *Editor's Note — DCC.* > > The MIIT public-naming bulletin series is the most consistent > enforcement signal in the Chinese mobile-app PI regime. The May 21, > 2026 bulletin (the third 2026 batch, the 56th overall) names 31 apps > and SDKs for violations of the PI-collection rules and for > window-redirect abuse. DCC publishes this as the first entry in our > enforcement tracker because it lets us establish the structural > reading of the series that every subsequent batch will fit into: the > joint-campaign architecture, the four-statute legal basis, the > rectify-then-enforce pathway, and the cadence. The 31-app list itself > is in MIIT's attachment; DCC's brief focuses on what the regime > *does* with the list and what overseas teams should infer from the > batch's existence. ## The bulletin The Information & Communications Administration Bureau of the Ministry of Industry and Information Technology (工业和信息化部信息通信管理局) issued *Bulletin on Acts Infringing User Rights and Interests by APPs (SDKs) — Batch 3 of 2026, Total Batch 56*, dated **May 21, 2026**. The bulletin states that **31 apps and SDKs** were found by third-party testing institutions, retained by the Ministry, to engage in conduct infringing user rights and interests — with the headline conduct categories called out in the bulletin title being **illegal collection of personal information** and **window-redirect abuse**. The detailed list of named apps and SDKs is in MIIT's attachment to the bulletin. The bulletin closes with the formula MIIT has used since the series began: the named operators **shall rectify in accordance with the regulations**; if rectification is not fully implemented, **MIIT will, in accordance with law and regulation, organize related disposition work**. ## The campaign infrastructure The bulletin is issued under the authority of the *Notice on Carrying Out the 2026 Personal Information Protection Series of Special Campaigns* (关于开展2026年个人信息保护系列专项行动的公告) — a joint announcement by the **Cyberspace Administration of China (CAC), MIIT, and the Ministry of Public Security (MPS)**. The 2026 special campaign continues a multi-year inter-agency framework for organized enforcement of the mobile-app PI rules. The structure overseas counsel should understand: - **Annual campaign authorizing the cadence.** Each year the three agencies jointly issue a special-campaign announcement. The MIIT batches that follow during the year operate under that authorization. - **MIIT executes the mobile-app testing tier.** MIIT's Information & Communications Administration Bureau, in cooperation with retained third-party testing institutions, performs the actual technical testing of apps and SDKs against the PI-collection and user-rights rules. The named bulletins are MIIT's published output of that testing program. - **CAC and MPS run parallel tiers.** CAC handles the administrative-penalty tier (fines and operational restrictions on internet platforms); MPS handles the criminal tier (Article 253-1 PI offenses and other criminal conduct). The three-agency joint authorization stitches the campaign across the regulatory and criminal lines. The campaign also operates against a parallel statutory cadence: PIPL Article 64 (CAC corrective-order power), the *Personal Information Protection Compliance Audit Management Measures* (which require regular audits and provide an audit-driven enforcement pathway), and the *Network Data Security Management Regulations* (which extend the regulatory perimeter to network-data scenarios beyond strict PI). ## The four-statute legal basis The bulletin invokes four statutes as the legal basis for the testing and the named-and-shamed action: - **Personal Information Protection Law (PIPL).** The dominant statute since 2021. PI-collection violations — collecting beyond declared scope, collecting without consent, retaining beyond purpose — sit under PIPL. - **Cybersecurity Law (CSL).** The foundational network-security and network-product / service-security statute. App and SDK conduct that violates network-product certification or that creates security defects can be cited under CSL. - **Telecommunications Regulations (电信条例).** The 2000 administrative regulations governing the telecom sector. Provide MIIT with the sector-specific authority to police telecom-service-related conduct, including conduct of internet-access service providers and value-added telecom services (most apps fall within the latter category). - **Telecom and Internet User Personal Information Protection Provisions (电信和互联网用户个人信息保护规定).** The 2013 MIIT departmental rule that pre-dates PIPL by eight years and remains the operational sector-specific instrument for telecom / internet-channel PI protection. It is the rule that MIIT's testing program most directly enforces against. The four-statute citation is the standard one for MIIT batched bulletins. It establishes that the same conduct can be characterized as a PIPL violation (general statute), a CSL violation (network-security statute), a Telecommunications Regulations violation (sector-administrative-regulation statute), and a Telecom and Internet User PI Provisions violation (sector departmental rule). The redundancy is intentional: each statute provides MIIT with a separate vector for sanctions. ## The rectify-then-enforce pathway The bulletin's closing formula is the operative one. Named operators face a two-stage process: **Stage 1 — Rectification.** The operator has a defined window (typically 5–10 working days, sometimes specified separately in MIIT communications) to rectify the cited conduct. Rectification means fixing the identified violations and, in many cases, submitting a rectification report to MIIT or the testing institution. **Stage 2 — Disposition for non-rectification.** Failure to rectify, or incomplete rectification, triggers MIIT-organized "related disposition work." In practice this can include: - **App-store removal.** MIIT coordinates with the major Chinese app stores to remove the offending app from distribution. - **Operator-restriction administrative penalties.** Under CSL Article 64 / PIPL Article 66 / Telecommunications Regulations Article 70, MIIT can order corrective action, impose fines (PIPL provides for fines up to 5% of prior-year turnover under Article 66 ¶ 2 for severe cases), and restrict business operations. - **Onward referral.** Where the conduct may rise to a criminal threshold — particularly under PRC Criminal Law Article 253-1 (the PI-protection criminal offense) — MIIT can refer to MPS for criminal investigation. - **Recidivism flag.** Operators repeatedly named in successive batches face escalating sanctions and increased scrutiny under MIIT's annual oversight rating system. For overseas operators with a Chinese app or SDK in distribution, the named-and-shamed stage is the **first warning** — but it is also a public warning, immediately visible to enterprise customers, business partners, and Chinese app stores. The reputational and commercial consequences begin at Stage 1, not Stage 2. ## The cadence — 56 batches and counting The MIIT batched-bulletin series is now mature. The May 21, 2026 bulletin is **Batch 3 of 2026** and **Batch 56 overall** — meaning MIIT has issued approximately one bulletin per month-and-a-half on average since the series began (the first batches date from 2019). The 2026 cadence so far suggests roughly bimonthly batches. The cumulative effect is significant: across 56 batches, MIIT has publicly named hundreds of apps and SDKs. Operators that appear in successive batches without addressing the underlying conduct face the recidivism-escalation pathway. The series has, in DCC's reading, durably normalized the MIIT testing-and-naming pattern as the dominant enforcement modality for mobile-app PI protection in China. ## The recurring violation patterns While DCC has not extracted MIIT's specific 31-app list for this batch, the bulletin title — *"illegal collection of personal information, window-redirect abuse..."* — and the cumulative pattern across the 56 batches surface a stable set of recurring violation types. The most frequently cited: - **Collection beyond declared scope.** App collects PI categories not disclosed in its privacy policy or beyond the user's actual consent. Includes collecting precise location for a service that only needs city-level location, collecting contacts for a service that doesn't need contacts, etc. - **Mandatory permission requests for non-essential function.** App refuses to operate unless the user grants permissions for functions unrelated to the service. PIPL's "essential function" principle prohibits this. - **Difficulty exiting account / withdrawing consent.** App makes the account-deletion or consent-withdrawal pathway disproportionately difficult. PIPL Article 16 prohibits. - **Excessive frequency of PI collection.** App repeatedly requests PI (e.g., location every few seconds) where infrequent collection would suffice. - **Window-redirect abuse (窗口乱跳转).** This batch's named conduct. The user opens the app or a specific screen and is rapidly redirected through multiple windows (commonly ad windows or third-party offer pages) before reaching the intended content. The conduct violates user-experience and user-control rules; MIIT has been targeting it consistently since 2023. - **SDK conduct hidden from the host app.** Third-party SDKs embedded in the host app collect PI on the SDK provider's account in ways the host app's privacy disclosure doesn't cover. SDK testing has been a growing focus of the MIIT batches over 2024–2026. For each violation type, the operational fix is well-documented in MIIT's published rectification guidance. The published bulletin's lasting value to compliance teams is the implicit *prioritization*: it tells them which violations are actually attracting testing-program attention this batch. ## What this tells overseas compliance teams - **MIIT batched bulletins are the operational floor of mobile-app PI compliance in China.** Treat them as the enforcement baseline. Internal compliance reviews should specifically test against the most recently surfaced violation patterns from the last 3–4 batches. - **Being named is itself the sanction.** The bulletin's reputational and commercial consequences begin immediately, not at the disposition stage. Operators should pre-position to rectify quickly — and to communicate rectification to enterprise customers — once named. - **Third-party SDK risk is increasingly weight-bearing.** Where the named entity is an SDK rather than a host app, downstream apps embedding that SDK face cascading scrutiny. Overseas teams using Chinese SDKs (advertising, analytics, push notification, payment) should monitor MIIT's SDK callouts and have a documented response process when an embedded SDK is named. - **The annual joint-agency campaign sets the year's enforcement priorities.** Read the joint CAC + MIIT + MPS annual campaign announcement closely: it telegraphs which conduct categories the year's batches will focus on. The 2026 announcement establishes PI-protection violations and window-redirect abuse as the headline categories, which is consistent with this batch's cited conduct. - **PIPL Article 64 and the audit measures are the parallel enforcement levers.** MIIT's batched bulletins are public; CAC's PIPL Article 64 corrective orders and the audit-driven enforcement under the [PI Audit Measures](/posts/pipo-vs-dpo-pi-protection-officer-comparison/) operate in parallel and often without public notice. Operators that fix the conduct surfaced in an MIIT batch may still face CAC or audit-driven enforcement on the same conduct. The deeper point of this batch — and the bulletin series as a whole — is that **the Chinese mobile-app PI regime is enforced through visible, repeated, batched, third-party-tested public naming**, not through a "big-fine, big-case, big-headline" model that overseas compliance teams familiar with EU GDPR enforcement might expect. The regime grinds. The MIIT bulletin is the grinding-stone. Compliance teams that map their internal review to the bulletin's recurring violation patterns operate it well; teams that wait for a headline case will be named before they react. --- — *工业和信息化部信息通信管理局, 违规收集个人信息、窗口乱跳转……这31款APP及SDK被通报!(31 APPs and SDKs Cited for Illegal PI Collection and Window-Redirect Abuse), 工信微报 WeChat Official Account, May 21, 2026. [Original bulletin (Chinese).](https://mp.weixin.qq.com/s/pI6fsJpm6O9u7Icntw8guA)* *Not legal advice. The above is DCC's structural analysis of the bulletin and the underlying campaign architecture. The 31-app list and the specific cited conduct are in MIIT's published attachment; this brief focuses on framing the regulatory mechanism for overseas counsel.* --- ## NDA Explains the Three-Rights Framework — A Plain-Language Walk-Through from the Regulator Itself - Published: 2026-05-28 - Author: DCC Editorial - Tags: data-property-rights, data-twenty, structural-separation, data-economy, commentary - Laws cited: data-foundation-system-opinions, data-property-rights-registration-guide-draft, public-data-authorized-operation-specifications, public-data-registration-interim-measures - Domains: data-economy, data-security - URL: https://datacompliancechina.com/posts/nda-three-rights-structural-separation/ - Markdown: https://datacompliancechina.com/posts/nda-three-rights-structural-separation.md - Original source: https://mp.weixin.qq.com/s/AvOjnMGTAa2uNrC10aKGTg - Original author: 国家数据局 (National Data Administration) - Original publication: 国家数据局 WeChat Official Account ### Description The National Data Administration's official 政策解读 (policy interpretation) on the three-rights framework — the right to hold, the right to use, and the right to operate data — established by the Data 20 Articles. NDA walks through what each right means, illustrative scenarios (group-company data subsidiaries; hospital-pharma research pools; data-broker commission arrangements), how the rights relate to each other (independently severable; non-exclusive across parties for the same data), and why the structural-separation design was chosen over a unitary-ownership model. The clearest available statement of the regulator's own intent on the framework that anchors every downstream rule — data-resource registration, data-property-rights registration, FTZ data-circulation negative lists, on-floor / over-the-counter trading rules. ### Body > *Editor's Note — DCC.* > > The Data 20 Articles (December 2022) introduced what is, by some > distance, the most architecturally distinctive concept in Chinese data > law: **structural separation of data property rights** (数据产权结构性 > 分置) into three independently transferable rights — the right to hold > (持有权), the right to use (使用权), and the right to operate (经营权). > Overseas counsel asked to map this onto familiar Western frameworks > (ownership, license, sublicense; or copyright's separable bundle of > rights) usually find no clean analogue. The Data 20 Articles policy > text itself is dense and abstract. > > This NDA policy interpretation is the regulator walking through the > framework in plain language with operational examples. DCC reproduces > NDA's three illustrative scenarios — the group-company data subsidiary, > the hospital-pharma research pool, the data-broker commission > arrangement — and the four-part rationale for the design, with our > framing for overseas counsel. The examples are NDA's; the framing > around how this maps to existing transactional vocabulary is DCC's. ## The Data 20 Articles set the architecture; this interpretation explains the picks In December 2022 the CPC Central Committee and the State Council jointly issued the *Opinions on Building a Basic Data System to Better Play the Role of Data Elements* (the "Data 20 Articles" or 数据二十条). Article III instructed regulators to explore a **structural separation system for data property rights**: instead of a unitary "data ownership" right, the regime would recognize three independently severable rights — to hold, to use, and to operate data — and would assign them to different parties depending on the data's source and the activities each party performs. In the three-and-a-half years since, the structural-separation principle has anchored a sequence of downstream rules: - **Data resource registration** (NDA, December 2024) — administrative registration of data resources, naming a "registrant" who is typically the data holder. - **Public data authorized operation specifications** (NDA, October 2024) — the holder / operator distinction in public-data licensing. - **Data property rights registration work guide (draft)** (NDA, May 2025) — a draft framework for registering each of the three rights separately, with eight ownership-clarity rules and five registration types. (See [DCC's brief on what data registration actually confirms](/posts/qinglan-what-data-registration-actually-confirms/).) - **FTZ data-circulation negative lists** — the operating mechanism for cross-border movement of data falling within a negative-list category. Each of these downstream rules assumes the structural-separation vocabulary. Overseas counsel encountering, say, the Beijing FTZ negative list or a public-data authorized-operation agreement will see references to "holder," "use right," and "operating right" as though they were settled categories — and find no clean definitional source in the policy text. This NDA policy interpretation is the closest thing to a definitional source. It is also unusually clear by Chinese-regulator standards, with three worked examples that map directly onto recognizable commercial arrangements. ## What each of the three rights actually means NDA defines the three rights as follows. ### Right to hold (持有权) The right to hold lawfully acquired data — directly or through a custodian — and to be protected against third parties stealing, tampering with, leaking, or destroying that data. NDA's illustrative scenario: a **large corporate group** stands up a data-tech subsidiary (数科公司, common abbreviation for 数据科技子公司) and instructs it to consolidate, store, and maintain all group data and to provide unified data services. The group structures the arrangement so the **holding right** is allocated to the data-tech subsidiary. For overseas counsel, this is closest to a **custodianship right** — a right against the world to keep what one lawfully possesses, with a defensive perimeter against intrusion. It does not entail a right to use or to commercialize. Group A in NDA's example holds; whether it may *use* the data or *operate* (commercialize) it is a separate question, allocated by separate rights. ### Right to use (使用权) The right to **process, aggregate, analyze, etc.** the data — for the right-holder's own production or operations, or to produce derivative data. NDA's illustrative scenario: a **hospital builds a data resource pool** with PI safeguards in place and permits **pharmaceutical R&D companies** to enter the pool to perform analytical work and develop new products. The hospital grants the pharma companies the **use right only** — not the holding right (the data stays under the hospital's control) and not the operating right (the pharma may not on-sell). This compartmentalization, NDA says, "secures data safety while allowing more parties to participate in releasing data-element value." For overseas counsel, this maps roughly to a **scoped license to process** — close to GDPR-style processor terms, but unbundled from any custodial or commercial-distribution permission. ### Right to operate (经营权) The right to **transfer, license, capitalize, or pledge** data — i.e., to commercialize. The right may be exercised on a paid or free basis. It is the right to *bring the data to market*. NDA's illustrative scenario: an enterprise wants a **data broker (数据中介机构)** to sell its data, but worries about losing control of the underlying data set. The enterprise grants the broker the **operating right only** — the broker may take the data to market and negotiate transactions on the enterprise's behalf, but does not itself hold or use the data. Once a buyer is identified and creditworthiness verified, the data supplier provides the data directly. For overseas counsel, this is closest to a **distribution / commercialization right**, severed from possession and processing — somewhat analogous to a music publisher's role in licensing master rights without holding the masters. ## How the three rights relate NDA emphasizes two structural properties of the framework that are worth flagging because they cut against intuitions from Western IP and property law. **Severability — same party may hold all, one, or some.** A single party can hold all three rights simultaneously, or just one or two, in any combination. NDA's example: in a **data-fusion arrangement**, a data-space operator partners with multiple OEMs and suppliers to jointly develop fused data sets. The parties can contract for joint holding and joint use rights, with a single party holding the operating right (i.e., one party authorized to take the fused data to market). Or all parties may jointly hold all three. The Data 20 Articles framework does not impose a default allocation — it gives parties a structured vocabulary in which to negotiate. **Non-exclusivity — multiple parties may hold the *same* right over the *same* data.** This is the property that most surprises overseas counsel. NDA's two examples: - A party that lawfully holds all three rights over a data set may **copy** the data and provide the copy to a counterparty with corresponding authorization. Both parties now hold all three rights over the same underlying data, *non-exclusively*. Neither's rights derogate from the other's. - A party that builds a **trusted data space** (可信数据空间) infrastructure may authorize multiple downstream parties to use data within the space. All authorized parties simultaneously hold the use right over the same data set, non-exclusively. The intuition behind the design — and this is the part NDA most wants overseas readers to absorb — is that **data is not naturally rivalrous**. Two parties using a data set for different downstream applications do not deprive each other of the underlying resource. The legal regime, NDA argues, should reflect that natural property rather than artificially impose exclusivity. (Contrast traditional real property: only one party may *possess* a piece of land at any time; the right is naturally exclusive.) ## Why structural separation was chosen — NDA's four-part rationale NDA gives four reasons for the design choice. ### Reason 1 — Reflect the multi-party-creation nature of data Data is "co-created by multiple parties." NDA's example: a consumer's transaction data on an e-commerce platform involves the consumer, the merchant, the logistics company, the payment provider, and the platform itself. Each party contributed something — the consumer provided the underlying transactional act, the merchant the product information, the logistics company the delivery data, the payment provider the settlement record, the platform the matching infrastructure. Asking "who owns the transaction data" is unproductive: the answer is "all of them, in different respects." The structural-separation framework lets the regime move past that question. Instead of debating *who owns the data*, parties debate *who has which right over which data set in which scenario*. NDA's phrasing: "shift the focus from arguing about whose data it is to how the data should be used." ### Reason 2 — Capture the multiplier effect of data elements Data has low replication cost. The same data set can be reused by many parties at near-zero marginal cost, with each use generating different value. This "data multiplier effect" (数据要素乘数效应) is, in NDA's view, a primary source of the value uplift the regime is trying to unlock. A unitary-ownership framework — where granting use to one party blocks use by another — would suppress the multiplier effect. The non-exclusive, three-rights structure preserves it: many parties can hold the same use right over the same data simultaneously, each generating distinct downstream value. ### Reason 3 — Leave development room for new business models Data is a "young" element. The technology, industries, and market structures are all evolving. NDA does not want to lock the regime into commercial models that fit the 2026 landscape but constrain 2030 innovation. A structurally separated three-rights framework, NDA argues, lets each market participant **describe their own rights content** in the vocabulary appropriate to their arrangement, rather than forcing every commercial structure through a single-template ownership concept. The regime accommodates rather than dictates. ### Reason 4 — Enable definitive resolution of disputes The fourth — least emphasized but practically important — reason is dispute resolution. Disputes over data assets in current Chinese commercial practice frequently founder on the question of "who owns the data" because that question has no clean legal answer under existing IP and property frameworks. The three-rights structure provides a vocabulary in which a court can find a specific party has the holding right, a different party has the use right within a defined scope, and a third party has a non-exclusive use right under a separate license — and adjudicate accordingly. (For an illustration of how the Supreme People's Court is starting to apply this analytical structure, see [DCC's brief on SPC's 14 data-dispute case categories](/posts/spc-data-disputes-case-category-and-data-registration/).) ## What this tells overseas compliance teams Five operational implications stand out. - **The three-rights vocabulary is the operating vocabulary for every downstream Chinese data rule.** Treat it as terms of art, not approximations. When a contract or rule refers to "holding right," "use right," or "operating right," each term has a definitionally distinct scope. Counsel mapping these onto a Western license-grant template will lose precision. - **Severability + non-exclusivity creates contracting flexibility most Western IP frameworks don't.** A multinational structuring a data-collaboration with a Chinese partner can negotiate granular allocations: hold-only here, use-only there, operating right reserved to a joint vehicle. There is no formal rule that one of the three rights "follows" the others. Treat each right as separately negotiable. - **Data-tech subsidiaries (数科公司) are the canonical holding-right structure for Chinese corporate groups.** Where a multinational's Chinese affiliate sets up — or interacts with — a 数科公司, treat it as the holding-right node; use and operating rights for specific data sets typically sit elsewhere in the group, allocated by intra-group agreement. - **Trusted-data-space arrangements are the canonical multi-party use-right structure.** Where a Chinese counterparty proposes a "trusted data space" (可信数据空间) collaboration, the framework assumes all participants will hold non-exclusive use rights inside the space, with the holding right typically sitting with the space operator. Map your own internal classification accordingly. - **The Data Property Rights Registration framework will codify the three-rights vocabulary in registrations.** Once NDA's *Data Property Rights Registration Work Guide* moves from draft to final, registered rights certificates will identify which of the three rights are being registered, by whom, over which data set. Compliance teams should expect Chinese counterparties to begin referencing registration certificates in transactional due diligence and contracting from 2027 onward. The deeper point of NDA's piece is that the three-rights structure is not a translation of a Western framework into Chinese vocabulary. It is an attempt at a **data-native property concept**, designed against the actual properties of digital information (non-rivalry, multi-party creation, low replication cost, derivative-generation capability). Whether the design will work in practice — i.e., whether courts and market actors will operationalize it cleanly — is the open question of the next five years. The intellectual ambition of the design is real, and NDA's interpretation is the clearest available statement of what the regulator thinks it is building. --- — *国家数据局, 政策解读 | 如何理解数据产权结构性分置 (Policy Interpretation: Understanding Structural Separation of Data Property Rights), 国家数据局 WeChat Official Account. [Original article (Chinese).](https://mp.weixin.qq.com/s/AvOjnMGTAa2uNrC10aKGTg)* *Not legal advice. The above is DCC's structured summary of NDA's policy interpretation, with framing for overseas counsel; the illustrative scenarios and four-part rationale are NDA's.* --- ## Who Is the 'Data Processor' Under the Three-Rights Framework — NDA's Farm-Equipment Hypothetical - Published: 2026-05-28 - Author: DCC Editorial - Tags: data-property-rights, data-twenty, data-processor, data-economy, commentary - Laws cited: data-foundation-system-opinions, pipl, civil-code-personal-info, data-property-rights-registration-guide-draft - Domains: data-economy, data-security, personal-information - URL: https://datacompliancechina.com/posts/nda-data-processor-property-rights-allocation/ - Markdown: https://datacompliancechina.com/posts/nda-data-processor-property-rights-allocation.md - Original source: https://mp.weixin.qq.com/s/O1hmeSC9cSbYDg5-L3mXbA - Original author: 国家数据局 (National Data Administration) - Original publication: 国家数据局 WeChat Official Account ### Description NDA's official 政策解读 on the threshold question that every three-rights allocation depends on: who is the 'data processor' and who is the 'information subject'? NDA uses a farm-equipment hypothetical — a farm rents tractor, irrigation, and fertilizer equipment from three different vendors; cultivation data is captured in the process — to work through who collects, who decides processing purposes, and how the property-rights regime balances the data-processor's commercial interest against the information-subject's rights to access copies of relevant data. The piece sketches the basic information-subject vs. data-processor dichotomy that anchors the entire downstream data-element regime, and surfaces the access-to-data right (data portability for commercial entities) that overseas counsel often miss. ### Body > *Editor's Note — DCC.* > > NDA's [first interpretation in the series](/posts/nda-three-rights-structural-separation/) > defined the three rights themselves — hold, use, operate. This second > interpretation tackles the prior question: **who is the "data processor" > in the first place, and who is the "information subject"?** That > threshold classification determines who, by default, holds each of the > three rights. > > NDA's hypothetical — a farm renting equipment from three different > vendors, with cultivation data flowing back to all parties — is doing > useful work. It separates *generating* data (the farm's activity) from > *collecting* data (the equipment vendors' systems), and it surfaces > the under-discussed access-to-data right (information subjects' > entitlement to obtain copies of relevant data) that is the corporate > analogue to GDPR data portability. ## The threshold classification The first NDA interpretation walked through the three property rights — hold, use, operate. Before any allocation question can be answered, however, two prior classifications must be made: 1. **Who is the data processor (数据处理者)?** NDA's working definition, drawn by analogy from the PIPL definition of "personal information processor": *the natural person, legal entity, or unincorporated organization that independently determines the purpose and means of processing data*. In practical language: whoever collects, processes, uses, or maintains the data. 2. **Who is the information subject (信息主体)?** The party *about whom* the information being captured as data relates. Importantly, NDA's "information subject" is **not** limited to natural persons. In the PIPL context the corresponding term — personal-information subject — is a natural person. NDA's broader "information subject" category extends to corporate entities whose business activities give rise to data. The information subject vs. data processor distinction is the principal axis along which the property-rights regime allocates rights and entitlements. ## NDA's farm-equipment hypothetical A farm rents equipment from three vendors: - **Company A** supplies the tilling equipment. - **Company B** supplies the irrigation equipment. - **Company C** supplies the fertilizer equipment. In the course of operations, the equipment captures cultivation data — tilling depth, water flow rates, fertilizer composition, growing-cycle timing, output metrics, etc. The data flows back to whichever party's sensors captured it. Two parties want to extract analytical value from the cultivation data: - The **farmer** wants to analyze the cultivation data to improve growing efficiency. - **Companies A, B, and C** each want to analyze the cultivation data captured by their equipment to improve their product designs. NDA's question: how do the three rights get allocated? ### Step 1 — Identify the data processor for each data stream The data processor for each data stream is the party whose system collects, stores, and is in a position to independently determine the purpose and means of processing. - The data captured by Company A's tilling equipment, flowing to Company A's back-end: Company A is the data processor for that stream. - Similarly for Companies B and C, each for the data their equipment captures. - If the farm's own monitoring systems independently capture cultivation data on the farm's servers, the farm is the data processor for that stream. In NDA's other illustration — the e-commerce platform — the platform captures the transaction data, decides how it's stored and used, and is the data processor; the consumer and merchant transacting on the platform are the information subjects (the parties about whose activity the data is generated). In a third illustration — a manufacturer purchases industrial equipment from a vendor and authorizes the vendor to remotely capture equipment operational data for remote-O&M (远程运维) purposes — the manufacturer's business activity generates the data; the manufacturer is the information subject, and the vendor (who decides means of processing under the authorization) is the data processor. ### Step 2 — Default rights allocation The three-rights regime, NDA explains, sits at the intersection of two structural realities: - **Data could not exist without information subjects.** Without the farm's actual cultivation activity, there is nothing for the equipment to capture. - **Data could not exist without the data processor's investment.** Labor, capital, and technical expertise are required to build the sensors, store the data, and process it into something useable. The regime balances these by allocating **the three property rights (hold / use / operate) by default to the data processor**, while preserving for the information subject **the right to obtain or copy** the relevant data on the basis of a civil-law contract. NDA's articulation: - **Data processors** — for data they collect or generate in their own business activities, or in business activities they jointly participate in, on a basis that does not violate laws or contract terms — **hold the rights to hold, use, and operate** that data. - **Information subjects** — under civil-law contractual authorizations to others to collect data generated by their participation — **have the right to obtain or copy and transfer** the relevant data. So in the farm hypothetical: Companies A, B, and C, as data processors for the streams their equipment captures, hold by default the three property rights to that data. The farm, as the information subject whose cultivation activity generated the data, has by default the right to obtain or copy and transfer the cultivation data from each of Companies A, B, and C. ## The asymmetry: why data processors get more than information subjects NDA is explicit about why the default allocation favors the data processor. - **Incentive alignment.** The data processor is the party most motivated to invest in development and commercialization. Allocating the use and operating rights to them aligns the regime with the party best positioned to extract value. - **Protection focus.** The data processor's interest is economic (deriving income from use). The information subject's interest is closer to privacy and trade-secret protection. Distinct interests warrant distinct protection mechanisms. - **Existing protection gaps.** Personal-information subjects are already protected by PIPL. Corporate-entity information subjects (the farm in NDA's hypothetical; the merchant on the e-commerce platform; the manufacturer in the industrial-equipment scenario) had no analogous protection framework before the Data 20 Articles. The right to obtain or copy the data **fills that gap** — giving corporate information subjects a defined entitlement they previously lacked. The third point is the structurally novel one. NDA acknowledges that the relevant practical scenario is the **merchant operating across multiple e-commerce platforms** — the merchant's operating data is fragmented across platforms, the merchant wants to consolidate to optimize its strategy, and historically no clear legal right entitled the merchant to demand consolidated copies. The Data 20 Articles regime now contemplates such a right, exercisable on the basis of a civil-law contract between the information subject and the data processor. ## What this means in transactional vocabulary The default allocation can be modified by contract. Three contracting patterns are particularly important for overseas counsel. **Pattern 1 — Allocate use or operating rights to the information subject.** The default is that the data processor holds use and operating rights. But the parties can contract for the information subject to also hold a use right (e.g., the farm gets to use the cultivation data Company A captures), or even an operating right (e.g., the farm gets to commercialize the cultivation data). This is essentially a license-grant in the opposite direction — and is becoming a common term in Chinese supplier-data agreements. **Pattern 2 — Joint-rights allocation in data-fusion arrangements.** Where multiple parties co-create a derivative data set (e.g., Companies A, B, and C jointly analyze cultivation data with the farm to produce a fused agronomic-optimization data set), the parties can contract for joint holding, joint use, and either joint or single-party operating rights. The first NDA interpretation flagged this as a key mode of arrangement; the second explains why each party has independent contractual standing to negotiate (because each has, in the underlying data, *either* information-subject rights or data-processor rights). **Pattern 3 — Strengthening the information subject's access entitlement.** Counter-intuitively for overseas counsel familiar with GDPR's "data portability" right, the equivalent right in the Chinese commercial regime is *contractual, not statutory* for non-personal data. To make it enforceable, the parties have to specify it. Information subjects (especially corporate counterparties with significant data generation) increasingly negotiate explicit access, copy, and porting terms into contracts with data processors. Overseas teams contracting with Chinese counterparties as either side of this relationship should expect the right to be a negotiated term, not a baseline. ## How this connects to PIPL For data containing personal information, the PIPL regime applies in parallel and takes precedence on PI questions. NDA's data-processor allocation regime explicitly references PIPL by analogy when defining "data processor." Two clarifications matter: - **The PIPL personal-information processor (个人信息处理者) is a subset of NDA's data processor (数据处理者).** The PIPL term applies only where the data being processed is personal information. NDA's broader term extends to all data, including industrial, commercial, and non-PI data. - **PIPL Article 45 — individual's right to copy and transfer personal information — is the personal-data analogue of the Data 20 Articles' broader "right to obtain or copy" for information subjects.** The Data 20 framework extends the conceptual shape of the Article 45 right beyond personal data and beyond natural-person subjects. The architecture is becoming clearer with each NDA interpretation: a **PI-centric regime under PIPL** for personal data, layered with a **property-rights-centric regime under the Data 20 Articles** for the broader data-element category, with the two regimes intersecting where data contains personal information. ## What this tells overseas compliance teams - **Run the data-processor / information-subject classification before any rights allocation.** Both as a counterparty diligence step (for any Chinese data-collaboration arrangement) and internally (to map which Chinese affiliates are processors vs. subjects with respect to which data sets). - **The default is data-processor-favorable; the contract is where information subjects claw rights back.** Chinese data-supplier contracts should be reviewed for default allocations and explicit information-subject-access terms. Where the multinational is the information subject, the access term is the principal practical lever for retaining control over data generated by its operations. - **Corporate "data portability" is the underrecognized right in this regime.** Western practice tends to think of data portability as a personal-data right. The Data 20 Articles regime generalizes it to corporate information subjects — and creates a contracting and disputes vector for corporate parties to demand copies of operational data held by their suppliers, platforms, and counterparties. Watch for this to grow into the dominant friction point in Chinese platform-supplier disputes over the next two to three years. The deeper structural shift: where Western IP and contract law generally treat data as the property of the party that captures and processes it (custodianship plus license), the Chinese regime *acknowledges that the party generating the underlying activity has an equally legitimate claim* and creates a structural entitlement for them to obtain copies. The default still favors the data processor — but the regime is, conceptually, more balanced than the Western default. Overseas counsel structuring Chinese arrangements should price that asymmetry into the deal. --- — *国家数据局, 政策解读 | 数据处理者的数据产权配置安排 (Policy Interpretation: Property Rights Allocation Arrangements for Data Processors), 国家数据局 WeChat Official Account. [Original article (Chinese).](https://mp.weixin.qq.com/s/O1hmeSC9cSbYDg5-L3mXbA)* *Not legal advice. The above is DCC's structured summary of NDA's policy interpretation, with framing for overseas counsel; the farm-equipment hypothetical and the e-commerce / industrial-equipment illustrations are NDA's.* --- ## Cloud, BPO, and Other Entrusted-Processing Arrangements: Why the Processor Doesn't Get the Rights - Published: 2026-05-28 - Author: DCC Editorial - Tags: data-property-rights, data-twenty, entrusted-processing, cloud, commentary - Laws cited: data-foundation-system-opinions, civil-code-personal-info, pipl, network-data-security-regulations - Domains: data-economy, data-security - URL: https://datacompliancechina.com/posts/nda-entrusted-data-processing-property-rights/ - Markdown: https://datacompliancechina.com/posts/nda-entrusted-data-processing-property-rights.md - Original source: https://mp.weixin.qq.com/s/CGEjaiKF7ba1Imqjl2zvjA - Original author: 国家数据局 (National Data Administration) - Original publication: 国家数据局 WeChat Official Account ### Description NDA's official 政策解读 on a tactically critical sub-question of the three-rights framework: when a data processor outsources storage, processing, or analysis to a third-party service provider — typical cloud, BPO, or e-government-system arrangements — does the entrusted party acquire any of the three property rights? NDA's clear answer: no. The entrusted processor (受托人) is not a 'data processor' in the property-rights sense — it merely executes instructions on behalf of the data processor (the principal). It cannot use the data outside the entrusted scope, cannot transfer the data into market circulation, and cannot apply the data to its own debt repayment or bankruptcy distribution. The line is anchored to the Civil Code's contract-of-mandate rules — a long-standing piece of Chinese commercial law extended cleanly into the data-element regime. ### Body > *Editor's Note — DCC.* > > The Data 20 Articles' three-rights framework leaves a tactically > critical question unanswered in the headline text: when one entity > outsources data storage, processing, or analysis to a service provider > — the canonical scenario being **cloud storage**, but also BPO, > e-government-system integrators, and analytical-services contractors — > does the service provider acquire any of the three property rights > over the data it touches? > > NDA's answer in this short interpretation is unambiguous: **no**. > The entrusted party (受托人) does not become a "data processor" in > the property-rights sense; it has no holding, use, or operating right > over the data; and it specifically cannot use the data for its own > debt repayment or bankruptcy liquidation. The reasoning anchors to > the Civil Code's long-established contract-of-mandate rules. For > overseas counsel structuring cloud, vendor-managed-services, and > outsourced-analytics arrangements, this is the most useful single > clarification yet issued on the regime. ## The scenario and the questions NDA poses NDA opens with the operational scenarios: - Enterprises entrusting **cloud platforms** to store their data. - Government agencies entrusting **software companies** to develop e-government systems and perform related data processing. It then frames three questions that arise in any such arrangement: - How should the property rights be allocated between the principal (the entity that owns / controls the underlying data set) and the entrusted party (the service provider that touches the data)? - Can the entrusted party, without authorization, use the principal's data for **circulation and trading** (i.e., put the data on the market on its own behalf)? - If the entrusted party encounters **financial distress**, can it use the principal's data for **debt repayment or bankruptcy distribution** (i.e., can creditors reach the data)? These are real and consequential questions for any multinational running cloud workloads or vendor-managed services in China. ## NDA's analysis ### The entrusted party is not a "data processor" — it is something else NDA's analytic move is to apply the **data-processor definition** developed in the [second interpretation](/posts/nda-data-processor-property-rights-allocation/): a data processor is the party that *independently determines the purpose and means of processing*. The entrusted party (受托人), by contrast, processes the data **on the principal's instructions** — it does not independently determine purpose or means. By definition, then, *the entrusted party is not a data processor in the strict sense*. This is the structural pivot. Because the entrusted party is not a data processor, the default three-rights allocation (which assigns hold / use / operate to the data processor) does not apply to it. It holds none of the three property rights over the data merely by virtue of touching the data in the course of performing the entrustment. ### Anchoring the conclusion to the Civil Code's contract-of-mandate rules NDA grounds the conclusion in long-existing Chinese commercial law: the Civil Code's contract chapter (合同编) provisions on contracts of mandate (委托合同). Under the Civil Code, **property the entrusted party (mandatary) acquires in the course of executing the entrusted matter must be transferred to the principal (mandator)**. The default rule is that the entrusted party holds no proprietary entitlement to assets it touches in fiduciary capacity for the principal. NDA reads this principle forward into the data-element regime: "From the perspective of consistency with the Civil Code and of regulating entrusted-processing activity, where a data processor entrusts another party to process its data, the entrusted party — with respect to the original data, in-process data, and result data — does not hold the right to hold, the right to use, or the right to operate, except as otherwise provided by law or agreed in contract." The qualifier matters: **except as otherwise provided by law or agreed in contract**. The default is no rights for the entrusted party. The principal can, by contract, grant the entrusted party specified use or operating rights (e.g., a cloud-platform contract that grants the cloud vendor the right to use anonymized telemetry for internal product improvement). But the *default* — what the regime assigns absent contractual variation — is no rights. ### The bankruptcy / debt-repayment carve-out NDA's third question — can the entrusted party use the principal's data for **debt repayment or bankruptcy distribution** — is the most operationally consequential, and NDA's answer is the cleanest. Because the entrusted party holds no property rights over the data, **the data is not part of the entrusted party's estate**. When the entrusted party is in financial distress, its creditors cannot reach the principal's data. When the entrusted party is dissolved or enters bankruptcy, the principal's data is not subject to bankruptcy distribution — it must be returned to the principal (consistent with the Civil Code's contract-of-mandate rules). This is the closest thing the Chinese data-element regime has to a **trust-style segregation principle** for entrusted data — and it is a clear answer to a question overseas counsel often raise when contracting with Chinese cloud vendors or BPO providers: *if my vendor goes bankrupt, what happens to my data?* NDA's answer is that the data remains the principal's; it is not pooled into the vendor's bankruptcy estate. ## The scope of the carve-out — three data states NDA is careful to specify that the no-rights rule applies to **three data states** that arise in entrusted processing: - **Original data (原始数据)** — what the principal hands over to the entrusted party at the start of the engagement. - **In-process data (过程数据)** — what is generated transiently in the course of the entrusted processing (intermediate datasets, working files, temporary aggregations). - **Result data (结果数据)** — what the processing yields as output (cleaned datasets, analytical outputs, derived data products). All three categories fall to the principal by default. The entrusted party cannot, for example, retain "result data" as its own property on the theory that it was created by the entrusted party's work — that is *exactly* the kind of move the Civil Code's mandate rules historically prohibited in non-data contexts, and NDA confirms the same rule applies here. The point is that derivative-data-creation does not, of itself, vest property rights in the creator. If the principal's data is the input and the work is being done as entrusted processing, the output is the principal's. If the parties want a different allocation — e.g., the entrusted party should own derivative datasets it generates — the parties must say so in the contract. ## What this means in transactional vocabulary The default rule is a strong default. Where parties want to vary it, four contracting patterns are useful. **Pattern 1 — Service-provider operational rights.** Cloud and BPO vendors typically want narrow operational rights to anonymized data for internal product improvement, security analytics, and capacity planning. Under NDA's framework, those rights must be **expressly granted** by the principal; they don't arise by default. Standard cloud-vendor terms should be reviewed against this baseline. **Pattern 2 — Derivative-data IP allocation.** Where the entrusted party generates IP-protectable derivative work (analytical models, code, methodologies built on the principal's data), the default — no rights for the entrusted party — may not match commercial expectation. Parties should specify which derivative outputs belong to which party, and whether the entrusted party retains use rights to its own analytical methodology absent the underlying data. **Pattern 3 — Bankruptcy protection.** Principals should ensure that contracts with Chinese cloud and BPO vendors include **data-return on insolvency** clauses, anchored to the Civil Code contract-of-mandate framework and NDA's interpretation. The default rule favors the principal, but documenting it strengthens the principal's position in an actual bankruptcy proceeding. **Pattern 4 — Non-circulation undertakings.** Because NDA explicitly states the entrusted party cannot put the principal's data into market circulation without authorization, contracts should restate that prohibition and treat any breach as a material breach. The legal backing for the prohibition is now express — but a contractual restatement gives the principal a cleaner enforcement path. ## How this connects to PIPL's entrusted-processing rules For data containing personal information, the PIPL regime applies in parallel and is **more prescriptive** than NDA's general framework. PIPL Articles 21 and 59 address entrusted processing of personal information specifically: - The entrusted party may only process personal information within the agreed purpose and means. - The entrusted party must implement security measures and assist the entrusting party in complying with PIPL obligations. - The entrusted party must return or delete personal information upon completion of the entrusted matter; it may not retain. - The entrusted party may not sub-entrust without consent. NDA's framework is consistent with PIPL on entrusted processing — and extends the same structural principles to **non-PI data**. Overseas teams handling mixed PI + non-PI data sets should treat PIPL's specific entrusted-processing requirements as the operational floor, with NDA's broader no-property-rights principle as the default for the non-PI components. ## What this tells overseas compliance teams - **Cloud and BPO vendors do not acquire property rights over your data by default.** Subject only to express contractual grant, the vendor has no right to hold, use, or operate your data outside the entrustment scope. This is the regulatory baseline; standard vendor terms-of-service that purport to grant the vendor broader rights (especially "we may use your data to improve our services" without scope limitation) should be negotiated against this baseline. - **Vendor insolvency does not pool your data into the vendor's estate.** The Civil Code contract-of-mandate framework — now reinforced by NDA's interpretation — segregates the principal's data from the entrusted party's estate. Build this into business-continuity and vendor-failure planning for China operations. - **Derivative outputs default to the principal, not the vendor.** Where the engagement involves analytical outputs, the default rule allocates them to you, not the vendor. If the commercial deal is otherwise, document it explicitly. - **PIPL's entrusted-processing rules layer on top for personal-information processing.** Where the entrustment involves PI, PIPL's more specific requirements — purpose limitation, security, return-or-deletion, no sub-entrustment without consent — apply directly. The NDA framework does not displace those; it complements them on the property-rights side. The structural picture across the three NDA interpretations is now visible: the [structural-separation principle](/posts/nda-three-rights-structural-separation/) defines the three rights; the [data-processor allocation interpretation](/posts/nda-data-processor-property-rights-allocation/) defines who holds them by default; this third interpretation carves out a class of actor (the entrusted party) that holds **none** of them despite touching the data. That carve-out is the part that protects the principal in the cloud-and-BPO supply chain — and it is the part overseas counsel will use most often in transactional negotiations. --- — *国家数据局, 政策解读 | 数据委托处理情形中的产权配置 (Policy Interpretation: Property Rights Allocation in Entrusted Data Processing Scenarios), 国家数据局 WeChat Official Account. [Original article (Chinese).](https://mp.weixin.qq.com/s/CGEjaiKF7ba1Imqjl2zvjA)* *Not legal advice. The above is DCC's structured summary of NDA's policy interpretation, with framing for overseas counsel; the cloud / e-government scenarios and the Civil Code contract-of-mandate anchoring are NDA's.* --- ## Public Data Under Franchise and Concession Operations: Who Owns It and Can It Be Traded? - Published: 2026-05-27 - Author: DCC Editorial - Tags: public-data, franchise-concession, authorized-operation, data-economy, data-property-rights, infrastructure, public-utilities, data-trading-compliance - Laws cited: public-data-authorized-operation-specifications, data-foundation-system-opinions - Domains: data-economy - URL: https://datacompliancechina.com/posts/public-data-under-franchise-concession/ - Markdown: https://datacompliancechina.com/posts/public-data-under-franchise-concession.md - Original source: https://mp.weixin.qq.com/s/K1zqNbOyao8cXhEIVGTn-Q - Original author: 胡婧卓; 陈一芊 - Original publication: 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ### Description Infrastructure and public-utility operators in China — gas networks, urban parking, water systems, and similar franchise/concession (特许经营) businesses — generate data that falls within the statutory definition of 'public data.' That classification creates compliance questions that standard enterprise-data analysis does not answer: does a franchise agreement confer the right to process and sell that data, and under what conditions? Two Shenzhen Data Exchange compliance officers work through the asset-ownership and revenue-attribution routes for establishing data-use authority, flag the asset-transfer risk that attaches to API and dataset licensing, and explain why franchise-generated public data should not be silently assimilated into the authorised-operation (授权运营) model now being piloted across Chinese cities. The operational takeaway: amend legacy concession agreements to address data rights explicitly, and build the data-rights clause into every new franchise contract before signing. ### Body > *Editor's Note — DCC.* > > This brief summarises 《DEXC+专栏丨特许经营业务下的公共数据,能用?怎么用?》 > by Hu Jingzhuo (胡婧卓) and Chen Yiqian (陈一芊), both Transaction Review > Supervisors in the Compliance Department of the Shenzhen Data Exchange. > The piece sits squarely in the practical zone DCC tracks from this source: > it addresses a compliance gap that practitioners encounter daily but that > most legal guidance has not caught up with — what happens when the data > a company holds is *public data* because the company holds a government > franchise, rather than because it is a public authority. The authors draw > on the 2024 Infrastructure and Public Utility Franchise/Concession > Management Measures (《基础设施和公用事业特许经营管理办法(2024)》, > hereinafter "the Management Measures"), the Guangdong provincial public-data > management rules, and the Futian District authorised-operation pilot to > work through two analytical paths for establishing data-use authority. > The core tension the brief resolves is institutional: franchise-generated > public data is *not* freely available to the concession holder just because > the holder operates the relevant infrastructure. The legal basis for > processing and commercialising it must be traced through the concession > agreement itself — or, where the agreement is silent (as most legacy > agreements are), through the asset-ownership and revenue provisions of the > Management Measures. Overseas counsel advising clients in China's > infrastructure, energy, transport, or urban-services sectors should read > this as a practitioner's checklist, not a theoretical overview. ## What counts as a franchise or concession operation, and why does it matter for data? The 2024 Management Measures define a franchise/concession operation (特许经营, literally "specially-permitted business operation") as an arrangement in which a government selects a Chinese or foreign legal entity through open competitive process, records the parties' rights, obligations, and risk allocation in an agreement, and grants that entity the right to invest in, build, and operate designated infrastructure or public utilities for a defined period in exchange for revenue from those operations. The data-compliance significance of that definition is immediate. Where a concession holder operates infrastructure or public utilities and provides public products or public services under such an agreement, the data generated in that process meets the statutory definition of *public data* (公共数据) under the Shenzhen Special Economic Zone Data Regulations: data produced or processed by public management and service bodies in the course of performing their public management duties or providing public services. The concession holder is, in regulatory terms, acting in a quasi-governmental capacity when it delivers those services — which means the data produced along the way carries a public-data classification, with all the restrictions and procedural requirements that entails. The authors give practical examples to anchor the question: can a gas utility (energy franchise) process consumer usage data to build a district-level household consumption dataset or a corporate creditworthiness product based on commercial gas-consumption patterns? Can an urban on-street parking franchise process its parking records to produce a vehicle-flow dataset covering a particular district? These are not hypothetical. They are the routine project types that compliance teams at data exchanges encounter when concession holders approach the market to monetise their operational data. ## Two analytical routes when the concession agreement is silent on data In practice, the authors note, most existing franchise agreements contain no explicit data-ownership or data-use provisions. The regulatory instruments that mandated those agreements were not drafted with data monetisation in mind. That silence does not mean the concession holder has free rein — it means the analysis must proceed through the Management Measures themselves. The authors identify two routes. **Route 1 — Asset ownership.** The Management Measures require concession agreements to specify the ownership of assets during the operating period and the handover mechanics when the concession expires. Where an agreement provides that project assets during the concession period belong to the concession holder, that asset-ownership provision can serve as the basis for claiming rights over data resources generated by those assets. The asset route, however, comes with a significant internal constraint: the same agreements commonly include asset-transfer restriction clauses, under which the concession holder cannot transfer assets used in the project without the implementing authority's consent. The authors argue that licensing or selling a data product derived from the concession's operational data — whether delivered via API or as a packaged dataset — may constitute a transfer of data-asset rights (specifically, a transfer of use or ownership rights in the data). If that characterisation is accepted by applying an analogy to the asset-transfer concept in the State-Owned Assets Law (《企业国有资产法》), the concession holder may need the implementing authority's prior approval before proceeding with any data-product licensing or sales. The prudent approach, the authors state, is to obtain that approval rather than assume it is not required. **Route 2 — Revenue attribution.** The Management Measures also provide that, subject to agreement otherwise, efficiency gains, cost reductions, and innovations generated by the concession holder during the operating period belong to the concession holder. The authors read this provision as supporting the concession holder's entitlement to revenue derived from operating the public data produced during the concession — again, absent a contrary agreement provision. Taken together, the two routes provide a workable analytical structure, but neither offers a clean, uncontested path to commercialisation. Both are subject to what the specific agreement says, to local regulatory overlays, and — on the asset route — to the latent asset-transfer problem. ## The compliance checklist for third-party assessors The authors set out a three-stage compliance checklist directed at legal advisers conducting data-product compliance assessments for concession holders. It maps onto the standard transaction-review workflow at a data exchange. **Subject-entity compliance.** Verify that the concession holder obtained its concession rights through the legally required open competitive process. A concession awarded irregularly — outside the competitive mechanism mandated by the Management Measures — cannot supply a valid legal basis for downstream data use. **Subject-matter compliance.** Review the concession agreement carefully for (a) any explicit data-ownership or data-use provisions (if they exist, they govern); (b) any asset-transfer restrictions that could apply to data-product licensing; and (c) any applicable local rules on the development and use of the specific category of public data involved. The local regulatory layer is material: different provinces and cities have adopted varying rules on how public data generated within their jurisdictions may be used, and the concession holder's geographic scope determines which overlay applies. **Circulation compliance.** Address how the expiry of the concession period affects the data product. Most infrastructure PPP-style concessions run for around forty years. When the concession expires and assets revert to the government, do constraints on asset disposal also constrain continued trading in data products derived from those assets? The authors flag this as a point that requires explicit analysis and should not be left to implication. ## Franchise-generated public data is not the same as authorised-operation public data A significant portion of the source article addresses what the authors treat as a conceptual misclassification risk: the tendency to treat franchise- generated public data as already falling within the authorised-operation (公共数据授权运营) framework that has been the subject of extensive piloting across Chinese cities in recent years. The [public-data authorized-operation specifications](/laws/public-data-authorized-operation-specifications/) and related local instruments establish a structured mechanism through which public-data holding bodies — government departments and their equivalents — can authorise designated operators to process and commercialise public data on their behalf. Major models include Beijing's sector-by-sector dispersed authorisation zones and Shanghai's centralised model under the Shanghai Data Group. One view, the authors acknowledge, holds that the authorised-operation framework should be read broadly: any entity that has already obtained government permission to operate infrastructure and provide public services should be regarded as having implicitly received authorisation to process and commercialise the public data generated in that operation. On this reading, franchise-generated data falls within the authorised-operation regime without any further formality. The authors reject that view and argue for a narrow reading. Their reasoning is structural: the authorised-operation mechanism is designed precisely around the requirement that the government select an operating entity through open competition following defined research and feasibility steps. Collapsing franchise operations into the authorised-operation category would allow concession holders to bypass both the competitive selection process and the pre-authorisation groundwork that the instruments are intended to require. The two regimes have different legal bases, different authorisation mechanisms, and should not be treated as equivalent. The practical consequence of the authors' position: a franchise holder that wants to commercialise its public data through an authorised-operation route needs to engage the relevant public-data governing body and obtain a formal authorisation, rather than assuming that its concession agreement already carries that permission. ## Local regulatory overlays and the aggregation requirement The authors draw attention to a further complication that practitioners frequently overlook. Several local governments — notably in Guangdong province — have enacted rules that require public data generated within the jurisdiction to be collected and consolidated into designated government platforms or data repositories (归集要求). Where such a requirement applies, the concession holder's ability to operate a data-product business directly may be constrained, because the data must flow through the designated consolidation infrastructure first. Practitioners advising concession holders on data-product development should therefore check two things: whether the relevant locality has adopted a public-data aggregation requirement, and if so, whether that requirement affects the commercial model the client is proposing. A data-product business premised on direct API licensing or direct dataset sales may need to be restructured if the underlying data is required to pass through a government consolidation node. ## The forward-looking fix: amend existing agreements, and build the clause into new ones The authors close with explicit operational guidance directed at the concession holders themselves. Their recommendation is twofold. For existing concession agreements, they advise supplemental agreement (补充协议) as the mechanism: the concession holder and the implementing authority should negotiate and execute an amendment that explicitly addresses data-ownership, data-use rights, and any consent or approval requirements for data-product development and commercialisation. This is the straightforward path to removing the ambiguity that the asset-silence of most legacy agreements creates. For future concession projects, they advise that data-rights provisions — including data ownership during the operating period, permitted data-use modalities, any applicable asset-transfer restrictions in the data context, and revenue-attribution rules for data-product sales — should be treated as standard agreement content from the outset, alongside the project-asset, infrastructure, and handover provisions that the Management Measures already require. ## Why overseas counsel should care - **Infrastructure-sector clients face a compliance gap that standard data-law analysis misses.** Any client holding a Chinese franchise or concession agreement in energy, transport, parking, water, or similar sectors may be sitting on data assets it is treating as ordinary enterprise data when that data is legally public data — subject to a different compliance framework and different commercialisation conditions. - **The asset-transfer risk in concession agreements is live and largely unpriced.** Licensing data via API or selling datasets derived from concession-generated data could constitute an asset transfer requiring prior approval from the implementing authority under the agreement. Most legal reviews of data-product transactions do not look inside the concession agreement for this constraint. - **The authorised-operation framework, as it is evolving across Chinese cities, does not automatically cover franchise operations.** Clients seeking to commercialise public data through the authorised-operation route need a formal authorisation from the relevant public-data governing body — the concession agreement is not a substitute. - **Local aggregation requirements vary and may block direct commercialisation.** The viability of a data-product business depends in part on whether the locality requires the underlying public data to be routed through a government consolidation platform, which may change the available commercialisation models significantly. ## DCC sources - Original: 胡婧卓; 陈一芊 (Hu Jingzhuo; Chen Yiqian), 《DEXC+专栏丨特许经营业务下的公共数据,能用?怎么用?》, 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ([source](https://mp.weixin.qq.com/s/K1zqNbOyao8cXhEIVGTn-Q)). - [Public-data authorized-operation specifications](/laws/public-data-authorized-operation-specifications/) - [Data foundation system opinions](/laws/data-foundation-system-opinions/) - 《基础设施和公用事业特许经营管理办法(2024)》(2024 Infrastructure and Public Utility Franchise/Concession Management Measures) - 《广东省公共数据管理办法》(Guangdong Province Public Data Management Measures) - 《福田区公共数据授权运营暂行管理办法》(Futian District Provisional Public Data Authorised-Operation Management Measures) > This is an editorial summary, not a translation. Analysis, emphasis, and > operational extrapolation are DCC's. The original authors write in a > personal capacity and the piece does not represent the official position of > the Shenzhen Data Exchange. **Not legal advice.** --- ## Inside the Reviewer's Mind — A Compliance Guide to Data Property-Rights Registration at Shenzhen Data Exchange - Published: 2026-05-26 - Author: DCC Editorial - Tags: data-property-rights, data-registration, data-economy, data-element-market, three-rights, data-compliance, shenzhen-data-exchange, legal-opinion - Laws cited: data-property-rights-registration-guide-draft, data-foundation-system-opinions - Domains: data-economy - URL: https://datacompliancechina.com/posts/data-property-registration-review-guide/ - Markdown: https://datacompliancechina.com/posts/data-property-registration-review-guide.md - Original source: https://mp.weixin.qq.com/s/tDRmD9Bcz_I4rWF1fOBJ5g - Original author: 陈一芊、胡婧卓 - Original publication: 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ### Description China's data property-rights registration (数据产权登记) regime has no single national rulebook yet, which makes the reviewer's checklist at the registrar level the operational baseline for any applicant. This brief summarises a practitioner guide by two compliance managers at Shenzhen Data Exchange (深圳数据交易所), explaining what registration reviewers actually scrutinise: whether the subject-matter falls within the platform's accepted scope; whether the applicant can substantiate entitlement to one or more of the three data-property rights (持有权 / 使用权 / 经营权); and whether the submitted materials are internally consistent and complete. The guide also clarifies common misconceptions about the 'three rights' structure — including why 'data ownership' is not a legally recognised concept and why holding-right does not automatically confer use-right or operating-right. For overseas counsel advising clients on data-asset registration, this is the clearest available account of how the first-mover registrar reads applications. ### Body > *Editor's Note — DCC.* > > This brief summarises 《DEXC+专栏|数据产权登记审核,审核员都在想什么?——送上一份数据产权登记合规审核指南》by Chen Yiqian (陈一芊) and Hu Jingzhuo (胡婧卓), both compliance managers at Shenzhen Data Exchange (深圳数据交易所, SZDEX). Chen leads the exchange's data-asset compliance team and is a co-drafter of the local standard on data-transaction compliance evaluation and the group standard on data compliance auditing. Hu leads the AI compliance special-projects group and is also a co-drafter of the data-transaction compliance evaluation standard. The piece was published in the DEXC+ (Data Exchange Compliance+) column, the exchange's in-house practitioner platform. DCC runs it because SZDEX launched China's first operational data property-rights registration platform in November 2024 and these are the people who process the applications. > > A note on nomenclature: the source draws on SZDEX's own registration rules — the 《深圳数据交易所有限公司数据产权登记办法(试行)》(SZDEX Provisional Measures on Data Property-Rights Registration, the "Registration Measures") and the 《深圳数据交易所有限公司数据产权登记合规审核指引(试行)》(SZDEX Provisional Guidelines on Compliance Review for Data Property-Rights Registration, the "Review Guidelines") — rather than a national standard, because no authoritative national registration rules have been issued yet. SZDEX's framework therefore sets a de-facto practitioner baseline. Readers should treat this as an account of how one leading registrar currently operates, not as binding national law. ## Why 91 per cent of first submissions fail SZDEX launched its data property-rights registration (数据产权登记) platform on 4 November 2024 to provide registration services for data resources (not including public-data resources held by government bodies), data products, and data assets. The authors report that, based on internal statistics, 91 per cent of applicants are rejected on their first submission. That figure is the practical motivation for the guide: the platform's internal staff were themselves asking reviewers "why do you keep rejecting things — what exactly are you checking?" The answer, as the authors explain, comes down to three questions. First: does the subject-matter fall within the accepted registration scope? Second: can the applicant demonstrate genuine entitlement to the rights being claimed? Third: are the submitted materials complete, consistent, and free of internal contradiction? The [data property-rights registration guide](/laws/data-property-rights-registration-guide-draft/) and the [data-foundation-system opinions](/laws/data-foundation-system-opinions/) provide the national-level framework; SZDEX's own Registration Measures and Review Guidelines operationalise that framework at the platform level. Both sets of instruments ground the analysis in this brief. ## Gate one — what can and cannot be registered The Registration Measures define a clear perimeter for what SZDEX will accept. Four categories fall outside the scope and trigger automatic rejection: - **Data tools and data services are not registrable.** Only data resources (数据资源) and data products (数据产品) may be submitted. An applicant who submits a software tool or a service arrangement rather than a dataset or processed product will be turned away. - **Future data is not registrable.** The subject-matter must be data that has already been formed; anticipated data collections or projected outputs do not qualify. - **Unprocessed public-data resources are not registrable**, nor are public-data resources that have not been through an authorised-operation (授权运营) arrangement. Only public-data products that have cleared the authorisation-and-operation pathway may be submitted. - **The holding right (数据持有权) cannot be registered for authorised-operation public-data products.** Applicants in that category may claim only data use-right (数据使用权) and data operating-right (数据经营权). The practical message for applicants: characterise the subject-matter carefully before applying. A dataset, processed product, and data service may all feel similar from a commercial standpoint but are treated very differently by the registrar. ## Gate two — the three rights and who holds them The second and substantively most complex review gate is entitlement. The authors begin by clearing up three misconceptions they say are common among first-time applicants. **There is no such thing as "data ownership."** The authors are pointed on this: no Chinese legal instrument has ever used the term 数据所有权 (data ownership). The framework established by China's "Data Twenty Articles" (数据二十条, the 2022 opinions on building the data-foundation system that underpin the [data-foundation-system opinions](/laws/data-foundation-system-opinions/)) introduced a structurally-divided (结构性分置) property-rights model. The reason is conceptual: data's characteristics — replicability, non-rivalry, non-excludability, non-consumption — make it incompatible with the traditional ownership framework applicable to physical objects. Instead of ownership, the system extracts the functionally important entitlements from the data-development lifecycle: access, processing, use, and transfer. **The three rights are independent — they do not derive from each other.** An earlier reading held that the holding-right (持有权) was foundational and automatically conferred use-right and operating-right, mirroring the way civil-law ownership encompasses use and disposal. The authors say this is wrong. Under both the National Data Administration's second-batch glossary on data-domain terminology (数据领域常用名词解释(第二批), consultation draft) and the Registration Measures, holding-right means only the right to hold, or to authorise a third party to hold, lawfully obtained data. The entitlement to use or to dispose does not flow automatically from holding. The EU Data Act, which the authors cite by way of comparison, takes a similar approach: a data holder's technical control (implemented through encryption or smart contracts) does not create absolute exclusivity and is subject to open-flow requirements. The three rights can be held by the same entity or divided among different entities. A single entity may control the entire chain from holding to operating; or different parties may each hold different rights. In collaborative or authorised-operation scenarios, contractual arrangements among the parties determine the allocation. **Entitlement analysis depends on how the data was obtained.** The authors set out a four-pathway analysis: 1. **Self-generated data.** The applicant holds all three rights simultaneously — holding, use, and operating. However, reviewers will look for any underlying authorisation: if the data was collected during a government-commissioned project, for example, the project agreement may contain terms on data ownership or confidentiality that affect the entitlement analysis. 2. **Publicly collected data.** The applicant holds use-right and holding-right. Whether operating-right also attaches depends on any public-access restrictions disclosed by the data source. Where the data was obtained from an open-source channel, the applicable open-source licence must be examined; commercial-use restrictions in the licence translate directly into a restriction on operating-right. 3. **Contractually obtained data.** The rights the applicant holds depend entirely on what the agreement grants. Reviewers will also check whether the counterparty had the right to grant what the agreement purports to grant — a seller who holds only holding-right and does not hold operating-right cannot validly transfer operating-right to a buyer. The authors compare this to the civil-law concept of unauthorised disposition (无权处分): the transaction may look compliant on its face, but the agreement itself is of uncertain validity. 4. **Derived or transformed data.** For data that has been processed from a source dataset to create something new, the reviewers apply a three-part test: (a) the source data was lawfully and compliantly obtained; (b) the processing itself was lawful and compliant, meaning the processing party held use-right; and (c) the derived product is materially different from the source dataset (实质变更). If all three conditions are met, the derived product is treated as self-generated, and the applicant holds all three rights. This pathway analysis directly parallels the reasoning in the [Datatang v. Yinmu data-IP registration case](/posts/datatang-v-yinmu-data-ip-registration-case/), where the courts had to work through the same chain-of-custody questions when assessing whether a registered data-IP certificate had probative weight. ## Gate three — completeness and internal consistency of submitted materials The third review gate is material quality. The authors identify two principal failure modes. **Inadequate legal opinions.** For initial registrations, the Review Guidelines require the legal opinion to address two things: compliance of the registrant (登记主体合规) and compliance of the subject-matter (登记对象合规). Crucially, the lawyer must also analyse the type and completeness of the property rights being claimed and deliver a reasoned conclusion on them. The authors note that lawyers who have previously worked only on transaction-listing compliance evaluations (数据交易标的上市合规评估) may find the property-rights entitlement analysis unfamiliar — that analysis is typically absent from listing opinions, which focus on whether the data can lawfully flow and be traded rather than on which party holds which right. The authors illustrate with an example. Company A holds a licence from Company B to process B's data resources into a data product, which A and B jointly sell under a co-signed agreement. A's product would pass a listing compliance review without difficulty: the flow and commercialisation are authorised. But in the registration context, the reviewer cannot determine from the listing opinion alone whether A holds operating-right — defined under the Registration Measures as the right to dispose of data externally through transfer, licensing, capital contribution, or security arrangement. The specific role A plays in the joint sales agreement needs to be explained and supported. That supplementary analysis is the gap that causes rejections. SZDEX has published a reference framework (《数据产权登记法律意见书参考框架》) for legal opinion structure, and the authors recommend counsel follow it when preparing registration opinions rather than repurposing listing opinions for a different purpose. **Contradictions and inconsistencies across materials.** Material inconsistency is described as the single most common reason for rejection. Two variants appear: The first is a conflict between the application form and the self-evidencing materials: for example, an agreement governing contractually obtained data contains time-limited or use-restricted rights, but the applicant has filled in no restrictions under the "rights term" and "rights limitations" fields, or has described the data type as enterprise data while the source documents show that personal information is present. The second is a conflict between the self-evidencing materials and the legal opinion: the reviewer sees two accounts of the same facts that do not align. A common example is a lawyer identifying a data type in the opinion (personal information) that differs from the type the applicant selected in the application form (enterprise data or public data). Another is a lawyer disclosing three data sources in the opinion while the application package contains supporting documents for only one. The authors attribute this pattern to applicants submitting materials as soon as the legal opinion arrives, without first reviewing it against what they have already filed. ## The three-fence review model The source describes SZDEX's overarching review architecture as a "three-fence" (三道防线) mechanism: applicant self-certification (申请人自证) as the first fence; third-party legal opinion (第三方法律服务机构他证) as the second; and the registrar's own compliance review as the third and final fence. Whether and to what extent third-party legal service providers must participate is not yet settled across jurisdictions — the authors note that practice varies and will ultimately be resolved by national rules when they emerge. In the current state of play, the registrar's review is particularly consequential precisely because no authoritative national registration standard has been issued. ## Why overseas counsel should care - **Registration is a pre-condition for data-asset monetisation.** Clients who want to list data products on an exchange, securitise data assets, or use data in capital contributions will need a registration certificate with substantive evidential weight. The 91-per-cent rejection rate means most first attempts are wasted without prior preparation — and preparation means understanding the three-gate analysis before the application is filed. - **"Data ownership" language in commercial agreements is a red flag.** The source is unambiguous: the concept does not exist in Chinese law. Agreements drafted by overseas counsel that use "ownership" framing will create friction at the entitlement-analysis stage; contracts should instead allocate the three rights explicitly and confirm which party holds each. - **Legal opinions need to be purpose-built for registration.** Recycling a transaction-listing opinion for a registration application is a known failure mode. Counsel retained for registration work should follow SZDEX's reference framework and address holding-right, use-right, and operating-right separately, with a chain-of-custody analysis that traces the data back to its source pathway. - **Contractual due diligence on counterparty entitlement is material.** Where client data originates from a purchase agreement, the seller's own rights profile must be verified up the chain. A seller who lacks operating-right cannot pass operating-right to a buyer — a gap that may not surface until the registration review. ## DCC sources - Original: 陈一芊、胡婧卓, 《DEXC+专栏|数据产权登记审核,审核员都在想什么?——送上一份数据产权登记合规审核指南》, 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ([source](https://mp.weixin.qq.com/s/tDRmD9Bcz_I4rWF1fOBJ5g)). - Instruments referenced in source: 《深圳数据交易所有限公司数据产权登记办法(试行)》; 《深圳数据交易所有限公司数据产权登记合规审核指引(试行)》; 《数据产权登记法律意见书参考框架》; [data-foundation-system opinions](/laws/data-foundation-system-opinions/); [data property-rights registration guide](/laws/data-property-rights-registration-guide-draft/). > This is an editorial summary, not a translation of Chen Yiqian and Hu Jingzhuo's piece. Conceptual framings and analytical structure are attributed; any simplification, error of emphasis, or operational extrapolation is DCC's. **Not legal advice.** --- ## Authorized to Operate, Not Authorized to Ignore: Public-Data Operators Still Owe the Full PIPL/DSL Stack - Published: 2026-05-24 - Author: DCC Editorial - Tags: public-data, data-economy, pipl, data-security-law, authorized-operation, data-classification, personal-information-protection, data-trading - Laws cited: public-data-authorized-operation-specifications, pipl, dsl - Domains: data-economy, data-security - URL: https://datacompliancechina.com/posts/public-data-authorized-operation-not-a-shield/ - Markdown: https://datacompliancechina.com/posts/public-data-authorized-operation-not-a-shield.md - Original source: https://mp.weixin.qq.com/s/pYNLXFiqr1wKpc60YjTdbQ - Original author: 胡敏喆、王森鹏、王青兰 - Original publication: 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ### Description China's public-data authorized-operation regime — established by the January 2025 Implementation Specifications and its companion instruments — does not exempt operators from the personal information and data-security duties that sit underneath it. This brief, drawn from the Shenzhen Data Exchange's DEXC+ compliance column, sets out six specific areas where authorized operators routinely fall short: failure to classify data before operating it, misreading the operator's role in multi-party processing chains, skipping notification obligations, misidentifying the lawful basis for processing, misapplying consent that was gathered for a different purpose, and omitting the separate impact-assessment and annual risk-evaluation obligations under PIPL and the Network Data Security Regulations. The operational takeaway for overseas counsel advising operators or investors: government authorization is the entry ticket to the public-data market, not a waiver of the compliance checklist that governs what happens once inside. ### Body > *Editor's Note — DCC.* > > This brief summarises 《DEXC+专栏|公共数据授权运营不是数据合规的"免死金牌"》, > published by the Shenzhen Data Exchange's DEXC+ compliance column under the > names of three in-house compliance practitioners: Hu Minzhe (data compliance > manager, PKU LLM/LLB/BA Econ), Wang Senpeng (data compliance supervisor, > University of Manchester LLM), and Wang Qinglan (head of compliance, LLD and > PhD in computer science). The piece responds to a concrete operational > problem: since the January 2025 publication of the > [public-data authorized-operation specifications](/laws/public-data-authorized-operation-specifications/) > and its companion instruments, the Exchange has been receiving product-listing > applications in which operators — and their third-party compliance assessors — > treat government authorization as a blanket exemption from the underlying > personal-information and data-security framework. The authors disagree, and > explain why in six structured arguments. > The DEXC+ column sits inside China's most active institutional voice on > data-element-market compliance, and the authors are practitioners who > screen real listing applications. That vantage point makes this more than > academic commentary: it is a description of what the Exchange actually > flags when it rejects or returns an application. Overseas counsel advising > on product listing, data-product investment, or the compliance posture of > an authorized operator should read it as a practitioner checklist, not a > theoretical primer. ## The "1+3 policy system" and what it does (and does not) do In January 2025, the National Development and Reform Commission and the National Data Administration published a cluster of instruments completing what the authors call the **"1+3 policy system"** for public-data authorized operation (公共数据授权运营): - the **Implementation Specifications for Public Data Resource Authorized Operation (Trial)** (《公共数据资源授权运营实施规范(试行)》, hereafter the *Implementation Specifications*) — the capstone instrument; - the **Interim Measures for Public Data Resource Registration Management** (《公共数据资源登记管理暂行办法》); - the **Notice on Establishing a Price-Formation Mechanism for Public-Data Resource Authorized Operation** (《关于建立公共数据资源授权运营价格形成 机制的通知》). Together these implement the public-data authorized-operation framework called for in the Central Committee/State Council opinion on accelerating the development and use of public data resources. Since their publication, provincial and municipal governments have moved quickly to set up authorized-operation programs, and operators — referred to by the authors as **数据商 (data merchants)** — have begun submitting public-data product listings to exchanges, including Shenzhen. The problem the authors document is a category error. The 1+3 system establishes *who may operate* public data and *on what terms*. The **"three laws and one regulation" (三法一条例)** — the Cybersecurity Law (CSL), the [Data Security Law](/laws/dsl/) (DSL), the Personal Information Protection Law (PIPL), and the Network Data Security Management Regulations (NDSR) — governs *how* data must be handled regardless of who is operating it. The authors' central argument: these are not competing frameworks, and the former does not displace the latter. The Implementation Specifications themselves make this explicit in their opening article, which names the CSL, DSL, and PIPL as its statutory basis. Later provisions require data-source departments to apply **data-classification-and-grading protection requirements** before including any resource in an authorized-operation program (Article 5); require implementation plans to cover data-security and personal-information protection measures (Article 9); and require the authorized-operation agreement between the implementing body and the operator to include data-security obligations, personal-information protection requirements, risk monitoring, and emergency-response measures (Article 14). In the authors' reading, these provisions are not aspirational: they are binding obligations that travel with the authorization. ## Failure point 1 — data classification is not being done The Implementation Specifications require operators to apply **data-classification-and-grading (数据分类分级) protection requirements** before and during operation. This is not a formality: it is the mechanism by which operators determine which specific PIPL, DSL, and NDSR duties attach to the data they are handling. The authors describe three patterns they have observed in listing applications: **Pattern A — silence.** Some operators, and the third-party compliance assessors they engage, simply do not identify the data types in the product. No determination of whether personal information or important data (重要数据) is present; no explanation of which compliance obligations have been fulfilled. **Pattern B — the "public data is its own category" argument.** Some third-party assessors argue that "public data" is a parallel category alongside "personal information" and "enterprise data" — citing the structural-separation data-property-rights framework in the 2022 Central Committee/State Council "Data Twenty Articles" opinion, which calls for "a classified and graded rights-authorization system for public data, enterprise data, and personal data." The authors reject this reading: it ignores the fact that public datasets often contain individual- level records, and that personal information rights attach to the individual regardless of how the data arrived in a government database. The categories overlap; they are not mutually exclusive. **Pattern C — stop at identification.** A third, marginally better pattern: the assessor identifies that personal information is present in the public data product, but then treats the government authorization as sufficient legal basis for processing it and goes no further. This is the authors' central target: authorization is not a lawful-basis analysis, and a superficial nod to the presence of personal information does not discharge the downstream compliance obligations. ## Failure point 2 — the processing-role analysis is missing Under PIPL Article 73, a **personal information handler (个人信息处理者)** is any organisation or individual that independently determines the purpose and manner of personal information processing. The determination of who qualifies matters enormously: it defines who owes notification, consent, impact-assessment, and data-subject-rights duties. The authors note that the processing-role relationships in public-data authorized operation remain unsettled as a matter of Chinese law, and that the full chain is longer than the operator-centric framing suggests. The chain runs from the entities that originally collect and aggregate individual-level records, through the government platform where data is consolidated, to the implementing body (实施机构) that holds the authorized pool, to the operator (运营机构) that develops products, and then into trading and distribution. For the operator layer specifically, the authors identify two plausible configurations. Where the implementing body and the operator jointly determine purpose and manner for a specific application scenario, they may together constitute **joint personal information handlers (共同处理 者)**. Where the implementing body grants the operator broad discretion to develop products within a compliant range, the operator may independently constitute a personal information handler. The authors do not resolve which applies in every case — they argue that the right answer depends on the facts of each project, and must be worked out and documented in the authorized-operation agreement. What they reject is the common pattern of not asking the question at all. ## Failure point 3 — notification is not optional PIPL requires personal information handlers to notify individuals before processing their information. The authors observe a widespread and incorrect belief in the market: that if processing is lawful on a basis other than consent (particularly, the public-interest or government-function bases), notification is also excused. This is wrong under PIPL as it stands. The statutory carve-outs from the notification obligation are narrow: (1) cases where a law or administrative regulation requires confidentiality or explicitly removes the notification duty; (2) emergency situations where notification is genuinely impossible to deliver in time to protect life, health, or property (with a follow-up obligation once the emergency ends); and (3) cases where notification would obstruct a government body's exercise of a statutory function. None of these exemptions covers routine commercial public-data product development. Authorized operators must therefore comply with the general notification requirements. In multi-party distribution scenarios — product trading through an exchange — PIPL's separate provision on disclosure of personal information to third parties also applies, requiring that the individual be informed of the receiving party, the purpose, the type of information being disclosed, and their right to refuse. ## Failure point 4 — the lawful-basis chain breaks at each transfer PIPL Article 13 specifies seven lawful bases for processing personal information. The authors focus on the one that most authorized operators will end up relying on for commercial data-product development: **individual consent (个人的同意)**. The analysis is complicated, because public-data authorized operation involves multiple sequential transfers, each of which may rest on a different lawful basis. The original data collection (for example, by a government department providing a public service) typically rests on a statutory basis — the department's legal mandate, not consent. The onward transfer to the implementing body, and then to the operator for commercial product development, must itself have a lawful basis. Because commercial development is generally outside the scope of the original statutory mandate, operators are likely to find that individual consent is the only basis available — but they need to have traced the chain to understand that, rather than assuming the government's statutory basis travels downstream with the data. The authors identify three common mistakes: - **Wrong-basis mapping.** Operators apply the statutory-function basis or the contractual-necessity basis to stages of the chain where those bases do not hold, without analyzing whether the transfer-purpose and original-collection-purpose are actually aligned. - **Pre-anonymization processing overlooked.** Some operators argue that their finished product contains only anonymized aggregate data and is therefore outside PIPL entirely. The authors accept that genuine anonymization produces output that is no longer personal information — but the processing required to reach that output (collecting, cleaning, structuring, and transforming the original individual-level records) *is* personal information processing, and requires a lawful basis at each stage before anonymization is achieved. - **Stale or scope-limited consent.** Where consent was originally obtained for a specific function or service, that consent does not automatically extend to repurposing the same data for product development, analytics, or commercial licensing. PIPL requires that consent be "voluntary, explicit, and given on the basis of full information," and mandates that fresh consent be obtained if the purpose, manner, or category of data changes. Operators who assume that consent obtained in one context travels to a new and different context are misstating the law. ## Failure point 5 — assessment obligations stack, not substitute The Implementation Specifications require an implementing body to assess and justify the necessity and feasibility of conducting authorized operation. The authors are careful to note this is valuable — but it is not the same thing as, and does not substitute for, the assessment obligations in the three-laws-one-regulation framework. Two specific assessment regimes apply: **Personal information protection impact assessment (个人信息保护影响评估, PIPIA).** PIPL Article 55 triggers a mandatory PIPIA when personal information is entrusted for processing by a third party, or when personal information is provided to a third party. In public-data authorized operation and data trading, both triggers are routinely tripped. Operators who have not conducted a PIPIA, or who have not confirmed that the implementing body has conducted one for the phases it controls, have an unfilled obligation. **Important-data risk assessment.** Where the product dataset contains **important data (重要数据)**, additional obligations apply under the NDSR. Processors of important data must conduct a risk assessment before providing, entrusting, or jointly processing important data. They must also conduct an annual risk assessment of their network data processing activities and submit the results to the relevant competent authority. These are recurring obligations, not one-time checks. ## Why overseas counsel should care - **Product listing exposure.** Clients holding an authorized-operation license who seek to list public-data products on a Chinese exchange will encounter exactly this checklist. Applications that cannot demonstrate data-classification analysis, a lawful-basis chain, notification compliance, and completed PIPIA are likely to be returned. Understanding what the Exchange is actually looking for — documented here by the Exchange's own compliance team — reduces both delay and rework. - **Investment diligence.** Investors evaluating a data merchant or a data-product portfolio built on authorized public data need to assess residual compliance exposure under PIPL and the DSL, not just whether the authorization instruments are in order. The gap between "authorized to operate" and "operationally compliant" is where material liability sits. - **Contractual allocation in authorized-operation agreements.** The authors emphasize that the authorized-operation agreement between implementing body and operator is the instrument through which processing roles, liability allocation, notification responsibilities, and assessment obligations must be assigned. Overseas parties advising on or negotiating these agreements need to populate the compliance clauses from the three-laws-one-regulation framework, not just from the 1+3 policy system. - **The "public data is not personal information" argument is closed.** The source article explicitly forecloses the argument that public datasets fall outside PIPL because they constitute a separate category. Practitioners who have encountered this position in client materials or counterparty representations now have a direct rebuttal from the institutional operator most active in the market. ## DCC sources - Original: 胡敏喆、王森鹏、王青兰, 《DEXC+专栏|公共数据授权运营不是数据 合规的"免死金牌"》, 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ([source](https://mp.weixin.qq.com/s/pYNLXFiqr1wKpc60YjTdbQ)). - [Public-data authorized-operation specifications](/laws/public-data-authorized-operation-specifications/) (《公共数据资源授权运营实施规范(试行)》, NDRC/NDA, January 2025). - [Data Security Law](/laws/dsl/) (《数据安全法》, 2021). - [PIPL](/laws/pipl/) (《个人信息保护法》, 2021). > This is an editorial summary, not a translation of the DEXC+ column > article. Analytical framing, section organization, and operational > extrapolations are DCC's. Any simplification or error of emphasis is > attributable to DCC, not to the original authors. **Not legal advice.** --- ## Inside the Gate: How Enterprises Can Compliantly Process, Operate, and Trade Public Data Under China's Authorized-Operation Model - Published: 2026-05-22 - Author: DCC Editorial - Tags: public-data, authorized-operation, data-trading, data-economy, data-products, public-data-registration, data-compliance, data-element-market - Laws cited: public-data-authorized-operation-specifications, public-data-registration-interim-measures, data-foundation-system-opinions - Domains: data-economy - URL: https://datacompliancechina.com/posts/public-data-authorized-operation-processing-trading/ - Markdown: https://datacompliancechina.com/posts/public-data-authorized-operation-processing-trading.md - Original source: https://mp.weixin.qq.com/s/tkH9NitKcBZMCb5q9zNUPg - Original author: 杨浩然 (Yang Haoran) - Original publication: 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ### Description China's public-data authorized-operation regime (公共数据授权运营) is the primary route for enterprises to commercialise government-held data. A DEXC+ analysis by Yang Haoran maps the full compliance arc: what qualifies as public data, how it must be processed within a sandboxed platform, and what a data product needs to clear before it can be listed on an exchange. Drawing on the National Data Administration's draft Authorized-Operation Implementation Specifications and Shenzhen Data Exchange's own 3×4 dynamic-compliance framework — covering subject compliance, subject-matter compliance, and circulation compliance across legal, security, integrity, and rights dimensions — the brief gives overseas counsel a structured view of the obligations that attach at each stage of the public-data supply chain, from first authorisation to on-exchange listing. ### Body > *Editor's Note — DCC.* > > This brief summarises 《DEXC+专栏|授权运营模式下企业如何合规加工运营和交易公共数据?》by Yang Haoran (杨浩然), an undergraduate researcher at Shandong University Law School and member of Shenzhen Data Exchange's DEXC+ Global Data-Element Legal-Talent Programme. The piece is framed as a practitioner compliance guide, not academic commentary: Yang maps the full public-data supply chain — from the definition of public data, through the authorised-operation approval process, through the technical requirements for processing, to the on-exchange listing of a finished data product. The analytical spine is Shenzhen Data Exchange's own "3×4" dynamic-compliance framework (three stages × four dimensions), which the Exchange developed as a Shenzhen municipal local standard and which underpins its compliance-assessment practice. DCC runs this piece because it is the most operationally detailed account we have seen of what the [public-data authorized-operation specifications](/laws/public-data-authorized-operation-specifications/) and the [public-data registration interim measures](/laws/public-data-registration-interim-measures/) require at the firm level. > > One context note for overseas readers: the primary national instrument Yang relies on is the National Data Administration's *Public Data Resource Authorized-Operation Implementation Specifications (Trial)* (《公共数据资源授权运营实施规范(试行)》), issued as a public consultation draft (征求意见稿) and referred to throughout as the "Draft Specifications." Where Yang cites provincial or municipal rules, DCC has preserved the jurisdiction, because China's public-data regime is layered: the national draft sets floors, while Zhejiang, Shanghai, Guangdong, Hangzhou, Qingdao, and Shijiazhuang have each issued their own implementation rules that are binding in practice. ## What counts as public data — the two-element test China's "public data" (公共数据) concept first appeared in the State Council's 2015 Big Data Action Plan (《促进大数据发展行动纲要》) but was not formally defined until recently. The governing definition is now settled in the National Data Administration's *Common Terminology in the Data Domain (First Batch)* (《数据领域常用名词解释(第一批)》): public data is "data generated by Party and government organs at all levels, and by enterprises and public institutions, in the course of lawfully performing official duties or providing public services." Yang distils this into a **two-element test**. The *subject element* (主体要件) requires that the collecting institution hold a public-management or public-service function — this covers government departments, public enterprises and institutions with public functions, and social organisations performing delegated public duties. The *conduct element* (行为要件) requires that the data be collected and generated specifically in the course of lawful public-management or public-service activity: data collected by a utility company outside its public-service function does not qualify, a position expressly codified by Guangdong's Public Data Management Measures. Local definitions in Shenzhen, Shanghai, and Guangdong each extend this core in slightly different ways, but all converge on the two-element structure. The Draft Specifications address scope from the supply side: the objects eligible for authorised operation are public-data resources held by county-level and above local governments and national sector regulators. Central Party and government organs, and county-level Party committees, fall under the same rules by reference. Public utilities — water, gas, heat, electricity, public transit — may participate in authorised operation by following the Draft Specifications' procedural requirements. ## The authorised-operation model and the data product it produces Yang contrasts two routes for accessing public data: **open access** (数据开放, including unconditional open data and conditional on-request access) and **authorised operation** (授权运营). Open access has historically suffered from poor data quality and a mismatch between what government agencies publish and what enterprises actually need. Authorised operation addresses this by bringing in market mechanisms: a data-management authority (in practice, a local data bureau — the newly established 数据局 being the representative institution) authorises a specific enterprise to develop and commercialise a defined dataset, within a defined application scenario, with data quality and security obligations attached. The output is a **data product** (数据产品), construed broadly: data packages, data interfaces, data models, data services, and data reports. The key constraint is that the authorised operator must have put substantial labour and technical investment into the product. The core processing rule, drawn from multiple local instruments and the Draft Specifications alike, is: **"raw data does not leave the domain; data is usable but not visible"** (原始数据不出域、数据可用不可见). A data product, once produced, is a derived artefact — processed, de-identified, and validated — not a copy or excerpt of the underlying government database. Yang notes an unresolved property-rights question at the intermediate layer: the "Data Twenty Articles" (数据二十条 — the foundational document issued jointly by the Central Committee and the State Council) assigns *data-processing-and-use rights* (数据加工使用权) and *data-product operating rights* (数据产品经营权) to authorised processors, but does not clearly resolve whether an operator holds operating rights over *derived data* at the preliminary-processing stage, short of a finished product. The deeper-processed, finished data product sits on firmer legal ground: Beijing courts have recognised originality and substantial labour investment in data products as a basis for copyright-adjacent protection, and academic commentary has explored a civil-law "processing-creates-ownership" (加工取得所有权) theory for data products whose added value clearly exceeds that of the underlying raw data. ## How authorised data products reach the market Finished data products have two primary distribution channels. The first is the **open-access route**: an application-and-review pathway through which downstream users obtain a secondary licence to use the product, or direct publication on a government data-openness platform (Zhejiang's provincial data-open platform hosts processed data applications in app and mini-programme form as examples). The second — and the one Yang focuses on — is the **market-trading route** (市场化道路): the data product is listed on a data exchange as a tradeable asset. Practice has settled on **on-exchange trading** (场内交易) as the standard model. Pre-2024 local rules already encouraged operators to list processed public-data products on legally-established data-trading platforms. The October 2024 central document issued jointly by the General Office of the Central Committee and the State Council (*Opinions on Accelerating the Development and Utilisation of Public Data Resources*) went further, explicitly encouraging "eligible regions to explore on-exchange trading models for public-data products and services." For public data specifically, on-exchange trading is both the state-preferred approach and the one best suited to demonstrating provenance and security compliance. Some jurisdictions add a **geographic constraint**: Hangzhou's Trial Implementation Plan for Public Data Authorised Operation, for instance, requires that authorised operators in principle list and manage approved data products on the Hangzhou Data Exchange. Operators dealing with locally-originating public data must verify whether the holding jurisdiction imposes a venue restriction of this kind before listing on a national exchange. ## The flow chain: actors, platforms, and the compliance pressure points Under the authorised-operation model, Yang maps a five-link flow chain: 1. **Public-management and service institutions** collect and generate data in the course of their duties. 2. The data aggregates to a **local unified public-data authorised-operation platform** (统一公共数据授权运营平台), which applies data-sandbox and privacy-computing techniques to cleanse and process the data, creating a trusted environment for authorised access. 3. **Data-management authorities** (数据主管部门, in practice the local data bureaux) manage and organise authorised operations. 4. **Authorised operators** (enterprises that have obtained authorisation) process the data within the platform environment to form data products and services. 5. Products are listed on **local data exchanges** (各地数据交易中心) and traded with counterparties. Yang's key analytical observation is that most published compliance commentary concentrates on the last link — the exchange listing — while most compliance risk materialises in the earlier links: data provenance, the scope of the authorisation, how processing personnel are credentialled, and whether the finished product stays within the approved application scenario. A breach at any upstream link disqualifies the product from compliant circulation, regardless of how well the on-exchange paperwork is managed. ## The 3×4 compliance framework: three stages, four dimensions The analytic core of Yang's piece is the "3×4" dynamic-compliance assessment model developed by Shenzhen Data Exchange and adopted as a Shenzhen municipal local standard (DB4403/T《数据交易合规评估规范》). Three stages — **subject compliance** (主体合规), **subject-matter compliance** (标的合规), and **circulation compliance** (流通合规) — are each assessed across four dimensions: **legal** (合法), **security** (安全), **integrity** (诚信), and **rights** (权益). What follows is Yang's application of that framework to the public-data authorised-operation context. ### Subject compliance (主体合规) **Legal dimension.** The authorised operator must be validly incorporated and in good standing. If the operating business falls within a sector requiring regulatory approval or a special industry licence (金融, healthcare, mapping, and similar), the operator must hold that approval before commencing operations. **Security dimension.** The Draft Specifications require operators to demonstrate data-resource processing, operation, and management capacity, good standing, and conformity with national data-security protection requirements. Zhejiang's rules are among the most detailed on the technical side: operators must have a designated data-security officer and management department; maintain an internal public-data authorised-operation management and security system; hold MLPS Level-3 (网络安全等级保护三级) certification and satisfy commercial cryptography application security-assessment requirements; possess mature data-management and data-security assurance capability; and have had no network-security or data-security incidents in the three years preceding application. On the management side, operators must maintain three standing internal systems. An *information-retention system* (信息保存制度) requires that internal policies, operating agreements, and operating logs be preserved; Qingdao's rules specify a minimum twenty-year retention period. A *periodic reporting system* (定期报备制度) requires regular reports to data-management authorities and state-asset management departments covering authorised storage, processing, analytical use, integration, and market operations of data resources. An *emergency-response system* (应急处置制度) requires a data-security incident response plan covering leakage, damage, and loss, with mandatory immediate activation and report-up to the data competent authority on occurrence of a security incident or major risk. **Integrity dimension.** The Draft Specifications require operators to publish a public list of their data products and services and to periodically disclose data-resource usage to the public for social supervision. At the time of on-exchange listing, operators must submit accurate materials and disclose, as-true, any criminal penalties, administrative penalties, litigation, or arbitration relating to network security, data security, or personal-information protection in the preceding three years. **Rights dimension.** Operators must maintain mechanisms protecting their own rights, data subjects' rights, and partners' rights. The Draft Specifications encourage implementing institutions and operators to support regional and departmental data-governance and service capacity through technology, products, services, and revenue sharing. For compliance review, relevant documentation includes personal-information protection policies and privacy notices; data-subject rights request response procedures and records; cooperation agreements and data-process records with partners; third-party management mechanisms; and intellectual-property ownership evidence and agreements. ### Subject-matter compliance (标的合规) **Legal dimension — data source.** Operators must have a valid authorisation from the competent data authority, obtained through an authorised-operation agreement or equivalent instrument, before accessing any public-data resource. The "one scenario, one authorisation" (一场景一授权) principle applies: each authorisation covers a specific application scenario, and the operator must state the purpose, scope, term, and security measures in the application. Public data that could endanger national security, damage the public interest, or falls within a statutory prohibition on commercialisation cannot be used. The authorised-operation agreement must specify, at minimum: the purpose, use scope, service method, operating term, rights and obligations, data-security requirements, prohibited uses, liability for breach, dispute resolution, revenue sharing, and exit mechanism. The Draft Specifications' Article 14 (of the draft) sets out a detailed required-terms list. **Legal dimension — data processing.** All persons participating in data processing must be identity-authenticated, registered, and vetted; must have signed confidentiality agreements; and all their operations must be logged and auditable. Raw data must not be visible to processing personnel. The operator uses sampled and de-identified public data for model training and validation. **Legal dimension — data content.** Yang addresses four sub-categories of data that may be blended into a public-data product. *Social data* (社会数据 — privately-held enterprise data) may be imported into the authorised-operation domain for fusion computation with public data only after approval from the public-data authority. *Publicly scraped data* must be described as to source, method, and scope, and must not be obtained by unlawful intrusion or technical circumvention. *Operator-generated data* must not infringe third-party rights. *Contractually acquired data* must be accompanied by the relevant procurement or licensing agreement; if the category requires a special licence to collect, evidence that the data provider holds it must be retained. Where a data product involves personal information, PIPL obligations apply in full: collection must have a clear and legitimate purpose; the principles of lawfulness, necessity, and informed consent govern; and privacy-computing, anonymisation, and equivalent technical safeguards must be applied. **Security dimension.** The operator must apply security management and technical measures calibrated to the data type and sensitivity level involved. For public data specifically, the requirement is conformity with the Shenzhen local standard DB4403/T 271—2022 basic security requirements, and with the GB/T 22239—2019 Level-2 requirements for data integrity, confidentiality, and backup-recovery. **Integrity and rights dimensions.** Product documentation and descriptions must be accurate. Commitment letters confirming absence of illegal subject matter, no regulatory violations, and no adverse public-sentiment events are recommended at listing. Where a product implicates intellectual property, ownership evidence or IP agreements must be in place, and no third-party IP must be infringed. Where a product involves personal information of minors under fourteen, the applicable mandatory disclosure and consent procedures must be completed. ### Circulation compliance (流通合规) **Legal dimension.** The data product may not, directly or indirectly, be passed to a third party for use outside the authorised scenario. Products must pass review by the public-data authority. Raw data or products that could be reverse-engineered to recover raw data cannot leave the authorised-operation domain. Products exported from the operating platform cannot be applied, or disguised as being applied, to unapproved use cases. **Security dimension.** Before any trading transaction, operators must: conduct a data-trading security risk assessment; apply multi-factor authentication (two or more of: password, cryptographic technology, biometrics) for identity verification; use a secure data transmission channel; and close data-access channels immediately upon delivery. **Integrity dimension.** The trading activity must be real, not fictitious. A signed transaction contract must exist; the contract terms must align with the product specification, background, and stated purpose. The operator must provide the exchange with delivery-acceptance documents, payment records, and invoices as evidence of genuine commercial activity. Internal approval, authorisation, and procurement procedures of each transacting party must also be satisfied. **Rights dimension.** Where personal information is in circulation, data subjects' right to be informed — and their right to know how to exercise their information rights — must be protected. The trading activity must have the necessary internal authorisations from both parties and must not breach statutory or contractual obligations owed to third parties. ## Why overseas counsel should care - **Market-access gate.** Any foreign-invested enterprise, joint venture, or domestic subsidiary that wants to build data products on Chinese government-held data must pass through the authorised-operation model. The compliance obligations described here are the entry conditions for that market, not merely best practice. There is no alternative route to commercialise a government dataset of the kind that would otherwise require a government-procurement or data-sharing arrangement. - **"One scenario, one authorisation" creates real product-scope risk.** Because each authorisation is tied to a specific application scenario, a product repurposed to a second use case — even one commercially adjacent to the first — is operating outside authorisation. Enterprises managing multiple product lines built on the same public-data source will need a separate authorisation for each, and the scope review is conducted by the local data bureau, not the exchange. - **Regime is layered and jurisdiction-specific.** The national Draft Specifications establish the floor, but Zhejiang, Shanghai, Guangdong, Hangzhou, and Qingdao have each enacted binding local rules with additional or divergent requirements — including, in some cases, a venue restriction requiring that products be listed on the local exchange. Mapping applicable local rules is a prerequisite to compliance structuring. - **The 3×4 framework is becoming the de facto national benchmark.** Shenzhen Data Exchange's model was developed as a local standard and is already cited by multiple other exchanges as a reference. Enterprises advising on data-product trading compliance across multiple Chinese exchange venues should expect to encounter this framework — or its direct derivatives — as the audit checklist. ## DCC sources - Original: 杨浩然 (Yang Haoran), 《DEXC+专栏|授权运营模式下企业如何合规加工运营和交易公共数据?》, 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ([source](https://mp.weixin.qq.com/s/tkH9NitKcBZMCb5q9zNUPg)). - National Data Administration: [公共数据资源授权运营实施规范(试行)(公开征求意见稿)](/laws/public-data-authorized-operation-specifications/) (Public Data Resource Authorized-Operation Implementation Specifications (Trial), public consultation draft). - National Data Administration: [公共数据资源登记管理暂行办法](/laws/public-data-registration-interim-measures/) (Public Data Resource Registration Management Interim Measures). - 《中共中央 国务院关于构建数据基础制度更好发挥数据要素作用的意见》("数据二十条") — [data-foundation system opinions](/laws/data-foundation-system-opinions/). - Shenzhen Data Exchange local standard: DB4403/T《数据交易合规评估规范》(Data Trading Compliance Assessment Specifications). - 《中共中央办公厅 国务院办公厅关于加快公共数据资源开发利用的意见》(October 2024, Opinions on Accelerating the Development and Utilisation of Public Data Resources). - Local instruments cited: Shenzhen Special Economic Zone Data Regulations; Shanghai Data Regulations; Guangdong Public Data Management Measures; Hangzhou Public Data Authorized-Operation Trial Implementation Plan; Shijiazhuang Public Data Product Compliance Review Management Measures (consultation draft); Qingdao and Zhejiang authorised-operation rules. > This is an editorial summary, not a translation of Yang Haoran's piece. Structural framing, section organisation, and operational extrapolations are DCC's; all factual claims and compliance requirements are grounded in the source text. The disclaimer in the original that the article represents academic opinion and does not constitute formal legal advice applies equally here. **Not legal advice.** --- ## Mapping the Red Lines: Compliance Assessment for Surveying and Geographic-Information Data Products on a Chinese Data Exchange - Published: 2026-05-20 - Author: DCC Editorial - Tags: data-trading, surveying-data, geographic-information, data-exchange-compliance, state-owned-enterprises, data-classification, sector-specific-data, important-data - Laws cited: data-foundation-system-opinions, network-data-security-regulations - Domains: data-economy, data-security - URL: https://datacompliancechina.com/posts/surveying-geographic-data-products-trading-compliance/ - Markdown: https://datacompliancechina.com/posts/surveying-geographic-data-products-trading-compliance.md - Original source: https://mp.weixin.qq.com/s/qSzwFKrJV_GlxzxTPJb4PQ - Original author: 吴锦熤 (Wu Jinxi); 陈秋连 (Chen Qiulian) - Original publication: 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ### Description When Sichuan province's first surveying and geographic-information (测绘地理信息) data product was listed on the Shenzhen Data Exchange (深圳数据交易所), the compliance team from Si Chuan Rui Li Heng Law Firm worked through a seven-point assessment framework that goes well beyond general data-trading rules. This brief walks overseas counsel through that framework: why the surveying-and-mapping regime (测绘法 and subordinate rules) adds a specialist qualification layer on top of the Network Data Security Management Regulations; how the classified-surveying-results (涉密测绘成果) screen works in practice; what 'important geographic-information data' (重要地理信息数据) means for tradability; and why data origin — self-collected versus purchased versus project-derived — changes the due-diligence checklist materially. The operational takeaway: for this sector, general data-exchange compliance is necessary but not sufficient. ### Body > *Editor's Note — DCC.* > > This brief summarises 《DEXC+专栏|测绘地理信息数据产品上市交易合规评估要点及经验总结》, > published on the Shenzhen Data Exchange's DEXC+ column. The authors are > Wu Jinxi (吴锦熤), a certified DEXCO (data-exchange compliance officer, > 数据交易合规师) and partner at Sichuan Rui Li Heng Law Firm (四川瑞利恒律师事务所), > and Chen Qiulian (陈秋连), a legal assistant at the same firm. > The piece arises from a live mandate: the firm acted for Yi Li Shu Ke > (易利数科), a subsidiary of Sichuan Province state-owned tourism-and-data > enterprise Lv Tou Shu Chan (旅投数产), in listing what became the first > surveying and geographic-information (测绘地理信息) data product ever > listed on the Shenzhen Data Exchange (深数所). The authors describe their > compliance-assessment methodology and the practical lessons they took from > it. DCC is running this piece because it is a rare published account of > how sector-specific data-trading compliance works at ground level — the > kind of practitioner granularity that general data-law commentary rarely > provides. The source is a DEXCA member-firm practitioner article, written > as a reference guide for others assessing similar products; it reflects > the authors' professional judgement in one completed engagement, not an > official DEXC+ or Shenzhen Data Exchange policy document. ## What makes surveying and geographic-information data a special case Surveying and geographic-information data (测绘地理信息数据) sits at the intersection of two regulatory regimes that do not normally overlap on a data-exchange listing form: the general data-trading compliance framework (applied by the exchange itself) and the surveying-and-mapping (测绘) sector regime, which has its own specialist statutes, its own regulator, and its own qualification and security architecture. The sector is centred on what Chinese law calls *surveying* (测绘) — defined in the Surveying and Mapping Law (测绘法, Article 2) as the measurement, collection, description, and processing of information about natural geographic features or man-made surface facilities, including their shape, size, spatial position, and attributes. The resulting data products span a wide range: national geodetic survey data (国家大地测量成果数据), remote-sensing imagery (遥感影像数据), digital line graphs (矢量地图数据, DLG), digital elevation models (数字高程模型, DEM), digital raster graphics (数字珊格地图, DRG), and others. A given commercial product may draw on several of these types. The sector regulator at national level is the Ministry of Natural Resources (自然资源部), which absorbed the former National Administration of Surveying, Mapping and Geoinformation in the 2018 institutional reform. At the local level, provincial and sub-provincial surveying-and-mapping bureaus or Natural Resources Ministry field offices exercise oversight. This regulatory architecture means that the compliance assessment for a surveying-data product must reach regulators that a generalist data-law team may not ordinarily engage with. ## Building the knowledge base: industry-specific groundwork first The authors' first recommendation is methodological: before applying any compliance checklist, an assessor working on an unfamiliar industry sector should invest in understanding that sector's regulatory landscape — its governing statutes, basic concepts, licensing requirements, and supervisory bodies. For surveying and geographic-information data, this means consulting the official websites of the Ministry of Natural Resources and the relevant local surveying-and-mapping bureaus (which publish industry circulars, regulatory updates, approval records, and enforcement notifications), as well as sector-specific industry reports, such as the Chinese Society of Surveying and Mapping's annual report on innovation and industrial development. The mapping exercise the authors performed for their Sichuan mandate covered both national-level rules and Sichuan Province local rules. The source article reproduces the resulting regulatory table. Notably, the authors also flag that some *superseded* instruments remain relevant as interpretive context — in particular, the transition from a regime permitting licensed use of foundational surveying results generally, to the current regime that restricts licensed use specifically to *classified* (涉密) foundational surveying results (涉密基础测绘成果). Understanding that policy trajectory helps assessors spot what the current rules are trying to prevent. ## The seven-point assessment framework The article sets out a seven-point framework specifically for surveying and geographic-information data products. These are additive to, not substitutes for, the Shenzhen Data Exchange's own standard "3×4" compliance review (which covers subject-entity compliance, data-product compliance, and transaction-flow compliance across twelve sub-items). **1. Definitional characterisation.** The first step is to confirm that the product actually qualifies as a surveying and geographic-information data product — because the specialist regulatory requirements only bite if it does. The test is conjunctive: the underlying data must constitute *geographic-information data* (地理信息数据, i.e., data about the nature, characteristics, and movement of geographic entities, covering their position, shape, size, and spatial relationships) *and* the process of obtaining that data must involve *surveying* as defined by the Surveying and Mapping Law. If a product uses geographically-referenced information but that information was not produced through surveying activities, the specialist overlay may not apply. **2. Surveying qualification (测绘资质) of the data subject.** The Surveying and Mapping Law (Article 27, as cited in the source) provides that entities engaged in surveying activities are subject to a qualification management system: they must hold a surveying qualification certificate (测绘资质证书) of the appropriate grade before they can lawfully conduct surveying activities. The assessor must therefore verify that the data supplier holds the required qualification — and the inquiry does not stop there. The certificate has a five-year validity period; the assessor must check it is current. More importantly, the assessor must verify that the data in question was collected within the scope of the supplier's qualification *at the time of collection* — not merely that the supplier now holds an appropriate certificate. If the supplier held only a Grade B certificate when the data was gathered but now holds Grade A, any data collected under the lower grade must be assessed against the Grade B scope. The authors also flag that the Surveying and Mapping Law separately requires individual surveying technicians to hold appropriate professional qualifications; this personnel-level check should be part of the review. Practically, the authors note that the Ministry of Natural Resources has put a national surveying qualification management information system (全国测绘资质管理信息系统, currently in trial operation) online, allowing assessors to verify the authenticity, legality, and current validity of a presented certificate. **3. Classified surveying results (涉密测绘成果) screen.** This is the highest-stakes element of the assessment. The Surveying Results Management Regulations (测绘成果管理条例, Articles 16–18, as cited in the source) require administrative approval from the relevant-level surveying authority before classified surveying results (涉密测绘成果) can be used to develop commercial products or provided to third parties. Classified surveying-and-mapping state secrets (according to the rules on non-classified surveying results cited by the authors) are divided into top-secret (绝密), confidential (机密), and secret (秘密) levels, each with different geographic scopes and access restrictions. Data products involving national security and interests at this level cannot be listed for trading without going through the required approval process. The authors make an important practical point: the screen must be applied at three stages of the product's lifecycle, not just to the final dataset. The assessor must check (a) whether the *final data product* contains classified surveying results; (b) whether the *source or raw data* used to generate the product contains classified surveying results; and (c) whether classified surveying results were *used at any point in the processing chain*, including as inputs to derivation, analysis, or data-fusion operations, even if the results themselves do not appear in the final product. There is an additional dimension: who financed the underlying surveying activities. The Measures on Provision and Use of Classified Foundational Surveying Results (涉密基础测绘成果提供使用管理办法) and the Sichuan Province equivalent draw a distinction between national-level classified foundational surveying results (produced with central-government fiscal investment) and local-level equivalents (produced with local-government fiscal investment). Assessors therefore need to investigate whether fiscal investment — and from which level — was involved in producing the data. **4. Important geographic-information data (重要地理信息数据) check.** The Surveying Results Management Regulations (Article 22, as cited) establish a unified review-and-publication regime for important geographic-information data (重要地理信息数据), under which such data may not be published — which the authors treat as including being listed for exchange trading — by the data holder unilaterally. The identification exercise must cover both national-level and local-level surveying-results management rules. The practical effect is that certain data, even if not classified, may be non-tradable because it falls within this category and has not been through the approval process. **5. Data-origin due diligence: self-collected, purchased, or project-derived.** The compliance obligations differ materially depending on how the product data was obtained: - *Self-collected* (自采): verify qualification, lawful processing, and the classified/important-data screens. - *Externally purchased or otherwise acquired* (外购或其他途径): additionally verify that the data subject has obtained valid authorisation or licence from the original rights-holder to use the data for the purpose of developing and trading a data product. - *Project-derived* (其他项目中产生): where the data arose in the course of a third-party project, the assessor must investigate whether the project involved third-party counterparties, whether the project agreement addressed ownership or use rights over the resulting data, whether the data subject has authority to process the data for product development, and whether it has the right to commercialise it. The authors add a practical warning: cross-verify data origin through document review and on-site interviews to guard against "data misappropriation" (数据冒用) — the risk that a product is presented as self-collected when it is in fact licensed or third-party data, or that rights to commercialise it are overstated. **6. Foreign involvement and cross-border considerations.** The Interim Measures for the Administration of Surveying Activities by Foreign Organisations or Individuals in China (外国的组织或者个人来华测绘管理暂行办法, as cited in the source) restrict foreign organisations and individuals from conducting surveying activities in Chinese territory to joint-venture or cooperative arrangements with Chinese counterparties, or activities for which separate approval has been obtained, and impose scope limitations on what surveying activities foreign parties may conduct. The assessor must therefore check whether the data subject's surveying activities involved any foreign party. Separately, if a proposed transaction involves an overseas counterparty, or if the data itself is to be transmitted across the border, the cross-border data rules apply — and the data product may require approval before it can flow out of China. This connects directly to the cross-border transfer framework under the [Network Data Security Management Regulations](/laws/network-data-security-regulations/), which applies a tiered approval mechanism to outbound data transfers depending on data volume, data type, and whether important data is involved. **7. Exchange-specific and dual-jurisdiction compliance.** Finally, listing on the Shenzhen Data Exchange requires compliance with the exchange's own rules and the relevant Shenzhen municipal data-transaction regulations (the authors cite the Shenzhen Interim Measures on Data Transaction Administration, 深圳市数据交易管理暂行办法; the Shenzhen Data Exchange Trading Rules (Trial), 深圳数据交易所交易规则(试行); and the Shenzhen Data Exchange Compliance Review Guidelines for Listed Transactions (Trial), 深圳数据交易所交易标的上市合规审核指引(试行)). Where the data product originates from another province — as in the Sichuan mandate — the assessor must simultaneously apply both the origin jurisdiction's data rules and Shenzhen's rules. In this case, the Sichuan Province Data Regulations (四川省数据条例) and the Shenzhen Special Economic Zone Data Regulations (深圳经济特区数据条例) both applied. ## State-owned enterprise complications The data supplier in this case was a subsidiary of a Sichuan provincial state-owned enterprise (国企). The authors note two additional compliance considerations that arise specifically in this context and are worth isolating as a separate item for any assessor working on similar deals. First, the listing of a state-owned data product as a tradable asset is subject to state-asset management rules — both the general statutory framework and internal SOE governance documents. The assessor must verify that the listing is consistent with applicable state-asset management rules at both national and local level. Second, the specific transaction may require internal and external approval procedures: internal board or management approvals under the SOE's articles of association, and potentially external approvals from the relevant state-asset supervision authority. These procedural requirements are a compliance gate that exists entirely outside the data-law regime and can be overlooked by teams focused narrowly on data-specific rules. The broader question of how a state-owned data product acquires tradable asset status connects to questions about data ownership, registration, and value recognition that are illustrated by the [Datatang v. Yinmu data-IP registration case](/posts/datatang-v-yinmu-data-ip-registration-case/), which shows how courts and administrative bodies are working through the relationship between data rights, asset status, and commercialisation. ## Practical verification methods The authors add a set of field-level notes on *how* the above assessments are conducted in practice. On qualification verification: the Ministry of Natural Resources has put a national surveying qualification management information system (全国测绘资质管理信息系统, currently in trial operation) online for certificate verification. Local bureau disclosure pages may also show the data subject's approval history and any administrative-violation records — a useful cross-check on both qualification status and regulatory-compliance history. On classified and important-data screening: keyword searches across the dataset are the baseline method. Where the dataset is large, sampling is acceptable but sampling methodology must be documented carefully — including selection rationale, proportion covered, and the inference being drawn. When classification judgements are genuinely difficult, the assessor can consult the local surveying authority directly — specifically the geographic-information management division (地理信息管理处, 地信处) or the industry management and legal-affairs division (行业管理处, 法规处). Informal regulator consultation on definitional questions is a recognised practice in this sector. On data-security management: the review must go beyond confirming that policies exist. The assessor should verify that policies are comprehensive, address the specific data product, and are actually implemented. On-site inspection — including live demonstration by the data subject where necessary — is the recommended verification method. ## Why overseas counsel should care - **Sector-specific overlays are not optional.** For a surveying and geographic-information data product, general data-compliance due diligence is necessary but not sufficient. A surveying-qualification screen, a classified-data screen at all three processing stages, and an important-geographic-data check are required on top of the exchange's standard "3×4" review — not instead of it. - **Data origin determines the rights question.** The distinction between self-collected, purchased, and project-derived data materially changes the authorisation analysis and chain-of-title due diligence. This is acute for surveying data because the underlying collection requires a qualification the data holder may not have held at the time. - **Cross-border and foreign-involvement flags.** Foreign involvement in the underlying surveying activities, or transactions routing data offshore, triggers the cross-border transfer regime — including the tiered approvals under the [Network Data Security Management Regulations](/laws/network-data-security-regulations/). Surveying data carries a higher-than-average risk of qualifying as important data (重要数据) given its national-security adjacency, making those controls especially relevant. - **SOE sellers add a procedural layer.** A significant share of Chinese data products on exchanges will be offered by SOE subsidiaries. State-asset approval requirements for listing are a genuine transaction gate that sits entirely outside the data-law framework overseas counsel ordinarily applies. ## DCC sources - Original: 吴锦熤 (Wu Jinxi) and 陈秋连 (Chen Qiulian), 《DEXC+专栏| 测绘地理信息数据产品上市交易合规评估要点及经验总结》, 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ([source](https://mp.weixin.qq.com/s/qSzwFKrJV_GlxzxTPJb4PQ)). - [Network Data Security Management Regulations](/laws/network-data-security-regulations/) (网络数据安全管理条例). - [Data Foundation System Opinions](/laws/data-foundation-system-opinions/) (数据基础制度意见, "Data Twenty"). > This is an editorial summary, not a translation of Wu Jinxi and Chen > Qiulian's piece. Quotations and statutory references are attributed to > the source; any simplification, error of emphasis, or operational > extrapolation is DCC's. **Not legal advice.** --- ## Seven Highlights of China's New Sensitive Personal Information Processing Standard — and What They Mean in Practice - Published: 2026-05-19 - Author: DCC Editorial - Tags: sensitive-personal-information, pipl, national-standard, gb-t-45574-2025, tc260, data-security, compliance - Laws cited: tc260-sensitive-pi-identification-guide, pipl - Domains: personal-information, data-security - URL: https://datacompliancechina.com/posts/sensitive-pi-processing-security-requirements-standard/ - Markdown: https://datacompliancechina.com/posts/sensitive-pi-processing-security-requirements-standard.md - Original source: https://mp.weixin.qq.com/s/3UlXi2v8cDRO3xbUrxyQQw - Original author: 王艺、赵艳明、曾令玮 (Wang Yi, Zhao Yanming, Zeng Lingwei) - Original publication: 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ### Description GB/T 45574-2025 《数据安全技术 敏感个人信息处理安全要求》 (Data Security Technology — Security Requirements for Processing Sensitive Personal Information) is China's first dedicated national standard on sensitive personal information (敏感个人信息), effective 1 November 2025. Authored by Wang Yi, Zhao Yanming, and Zeng Lingwei of the Shenzhen Data Exchange DEXC+ program, this brief walks through the seven highlights the standard introduces: a recalibrated scope of what counts as sensitive personal information under PIPL, dynamic classification logic, a new linkage between sensitive-PI volume and the important data threshold, industry-specific and group-specific protections, data-security-maturity requirements, a model written-consent template, and tightened lifecycle obligations covering collection, storage, display, and audit. The operational takeaway for overseas counsel: the standard converts PIPL's high-level sensitive-PI obligations into testable, auditable requirements — compliance teams should treat it as the primary implementation guide for PIPL Article 28 and beyond. ### Body > *Editor's Note — DCC.* > > This brief summarises the DEXC+ column article by Wang Yi (王艺), Zhao Yanming (赵艳明), and Zeng Lingwei (曾令玮) of the Shenzhen Data Exchange, published on the DEXC+ (Data Exchange Compliance+) channel. The subject is GB/T 45574-2025 《数据安全技术 敏感个人信息处理安全要求》 (Data Security Technology — Security Requirements for Processing Sensitive Personal Information), a recommended national standard (推荐性国家标准) issued by SAMR and the National Standardisation Administration on 25 April 2025 and entering force on 1 November 2025. The authors are certified DExCOs (Data Exchange Compliance Officers) and partners at Beijing Global (Shenzhen) Law Firm. DCC is running this piece because the standard — nearly two years in the making since the August 2023 draft — converts [PIPL](/laws/pipl/)'s sensitive personal information obligations from high-level statutory commands into detailed, auditable technical requirements. The [TC260 sensitive-PI identification guide](/laws/tc260-sensitive-pi-identification-guide/) (TC260-PG-20244A, published September 2024) laid the definitional groundwork; the new standard builds the compliance architecture on top of it. > The seven highlights below follow the article's own structure. DCC adds operational notes where the authors' analysis carries direct implications for overseas counsel. This summary does not reproduce the article's compliance-suggestion section verbatim; that section is condensed at the end. ## Background: two years from draft to standard The journey began on 9 August 2023 when the TC260 secretariat published a draft for comment (征求意见稿). After nearly two years of revision, the standard emerged in April 2025 with a renamed heading — "数据安全技术" (Data Security Technology) rather than "信息安全技术" (Information Security Technology) — signalling alignment with the Data Security Law framework alongside PIPL. Its stated purpose: clarify the criteria for identifying sensitive personal information (敏感个人信息), provide concrete security requirements for processing activities, and give regulators and third-party assessors a workable reference framework. ## Highlight 1 — The scope of sensitive personal information has been recalibrated The standard's Annex A revises the categories of sensitive personal information (敏感个人信息), departing from GB/T 35273-2020 《个人信息安全规范》 in several material ways. The taxonomy now tracks [PIPL](/laws/pipl/) directly: biometric identification, religious belief, specific identity, medical and health, financial accounts, location tracks, personal information of minors under fourteen, and other sensitive personal information. Several items previously considered sensitive have been removed or narrowed: - **Identity documents.** ID-card numbers, passport numbers, and similar document numbers are no longer treated categorically as sensitive personal information. The one exception is the photograph on a resident identity card (居民身份证照片), which is specifically listed as sensitive. - **Marital history and accommodation information** are excluded. The practical result for HR teams: collecting an employee's marital status or home address in the course of personnel management, and collecting flight, rail, or hotel records during expense reimbursement, is in principle no longer processing sensitive personal information. - **Property information.** Deposit balances, real estate holdings, transaction records, and consumption records are not listed. However, detailed personal income breakdowns (个人收入明细) are included — meaning that background checks on a job applicant's previous salary may engage sensitive-PI obligations. - **Precise vs. approximate location.** The standard draws a hard line between precise location data (精准定位信息) — collected via the device's GPS/location permission — and coarse location data (粗略位置信息) derived from network addresses. Only precise location data is sensitive. Continuous collection of precise location data can generate location tracks (行踪轨迹), which are sensitive. The "continuous" qualifier (连续性) matters: a single precise fix is not automatically a location track. Two categories of carved-out exceptions are also introduced. Location tracks collected from specific-occupation workers (外卖员、快递员等) purely for service-fulfilment purposes are not sensitive personal information. Basic physical measurements — weight, height, blood type, blood pressure, lung capacity — are not sensitive provided they are unconnected to disease or medical treatment. ## Highlight 2 — Identification of sensitive personal information must be dynamic The standard emphasises that classification is context-dependent and must be reassessed as processing activities evolve. Two specific principles stand out. First, aggregation matters. The standard repeats a principle previously established in the financial-sector standard JR/T 0171-2020: multiple items of ordinary personal information, when combined, cross-referenced, or analysed, may together constitute sensitive personal information even if none of the individual items would qualify on its own. The same piece of information may carry different sensitivity levels in different use contexts. Second, de-identification changes the classification. Once sensitive personal information has been properly de-identified (去标识化), it should be protected as ordinary personal information — not as sensitive personal information. Anonymised information (匿名化处理后) is governed by a different regime entirely. The practical implication: de-identification is not merely a security measure but a genuine reclassification mechanism, with the consequence that correctly de-identified sensitive data falls out of the stricter sensitive-PI obligations. Where a personal information handler has sufficient grounds and evidence to conclude that the data in question does not meet the harm threshold that triggers the sensitive classification, it may elect not to classify it as sensitive personal information. ## Highlight 3 — Large-scale sensitive personal information becomes a marker for important data Article 5.5 of the standard establishes a bridge that compliance teams need to track: where sensitive personal information reaches a scale threshold that, under applicable sector or national data classification and grading rules, causes it to be designated as important data (重要数据), the handlers must apply the protections applicable to important data. The authors catalogue several existing thresholds in force: - **Automotive sector** (Automobile Data Security Measures, 试行): personal information involving more than 100,000 individuals qualifies as important data. - **Beijing Free Trade Zone** data classification reference rules: 10 million individuals' ordinary personal information, 1 million individuals' sensitive personal information, or 100,000 individuals' sensitive financial account, insurance, registered-account, or diagnostic data held by FTZ enterprises qualifies. - **Beijing FTZ negative list (2024)**: diagnostic data in the healthcare sector involving more than 100,000 individuals' case records, imaging, pathology, blood tests, or genetic tests, and databases of more than 100,000 electronic health records, qualify. - **Telecom sector** identification guide: 100,000 or more sensitive personal information records, or special-group personal information records, collected or generated by a telecom data handler qualify. The importance of this linkage for overseas counsel: it means that a company's sensitive-PI volume is not only a PIPL compliance variable but also a potential important-data trigger with cross-border transfer implications. ## Highlight 4 — Industry-specific and group-specific requirements The standard introduces more granular obligations calibrated to particular industries and vulnerable groups, going beyond the baseline PIPL requirements. **Healthcare (Article 6.4).** Sensitive personal information in clinical settings must be managed under a tiered access-control approval mechanism. As a specific example, records on HIV and sexually transmitted diseases should be accessible only to the attending clinical team. Clinical research using sensitive personal information requires de-identification. **Financial services (Article 6.5).** De-identification must be implemented at both the front end (client-facing transaction and business-management display screens) and the server side (server-side de-identification in logs and backend systems). The explicit extension to the server side represents a significant step beyond the traditional front-end-only approach. Collection of financial account information must use encryption; storing payment-sensitive information that belongs to another institution (such as another bank's card password) is prohibited. **Minors under fourteen (Article 6.7).** Handlers must publish dedicated rules on minor-PI processing and make them prominently visible. They must provide convenient channels for rights holders to exercise data rights. When verifying a minor's age, the standard recommends also verifying the guardian's identity — making parental-verification practice a normative expectation rather than a best-practice option. **Persons with disabilities and religious-group members (Articles 6.2, 6.3).** Specific identity information and religious belief information must not be used to construct user profiles or for personalised recommendations. This is a targeted prohibition with direct implications for recommendation-algorithm compliance. **Biometric data.** Where biometric information is used for identity verification, an alternative non-biometric method must also be offered simultaneously; biometric verification cannot be set as the default-only path. Original biometric feature data (raw images, video) must be deleted once the processing purpose has been achieved. Scientific research use requires written consent. **Location tracks.** Processing of location tracks must not mark positions in areas designated as sensitive by relevant authorities. Separately, the standard provides that if geolocation data collected for another purpose can, in combination with timestamps, be reconstructed into a continuous movement path, it should be protected at the same level as location track data — a significant operational point for apps that accumulate precise location fixes without calling the result "location tracking." ## Highlight 5 — Data-security maturity threshold and scale-triggered obligations The standard sets a minimum data-security capability floor for all sensitive personal information handlers: no less than Level 3 on the GB/T 37988-2019 《信息安全技术 数据安全能力成熟度模型》 (DSMM — Data Security Capability Maturity Model). This raises the compliance bar across the board. For handlers processing sensitive personal information of more than 100,000 individuals, additional obligations apply: 1. A designated personal information protection officer (个人信息保护负责人) and oversight body must be appointed, responsible for supervising processing activities and protective measures. 2. The protection officer must have relevant professional knowledge and management experience in personal information protection, and must hold a management-level position within the organisation. 3. Security background checks must be conducted on the protection officer and key-role personnel. 4. In the event of a merger, split, dissolution, or bankruptcy that may affect the security of sensitive personal information, a disposal plan must be prepared and security measures implemented. These requirements interlock with PIPL Article 52 and Article 12 of the Personal Information Protection Compliance Audit Management Measures (个人信息保护合规审计管理办法), converting those statutory requirements into concrete organisational and personnel standards. ## Highlight 6 — A model written-consent template and the written-consent trigger [PIPL](/laws/pipl/) Article 29 requires that processing sensitive personal information obtain the individual's separate consent (单独同意). Article 5.4.2 of the standard goes further: in certain circumstances specified by law or regulation — the authors list collection of human genetic resources, querying personal information at a credit reference agency, provision of credit information by lending institutions to other parties, and sharing real-estate transaction information through estate-agency services — written consent (书面同意) is required. Annex B of the standard provides a model template for obtaining written consent for sensitive personal information processing. The template covers processing purpose, data type, and use; storage location and retention period; individual rights and the channels for exercising them; risk disclosure; and a description of the security measures in place. The authors describe it as a comprehensive and operationally useful guide — practitioners drafting or auditing consent mechanisms for sensitive-PI processing will find it the most immediately actionable part of the standard. The authors note separately that the Facial Recognition Application Security Management Measures (人脸识别技术应用安全管理办法), in force from 1 June 2025, require handlers to disclose in their filing the quantity and scale of facial information stored and the number of natural persons involved — an obligation that sits alongside and interacts with the standard's biometric-data requirements. ## Highlight 7 — Tightened lifecycle requirements across collection, storage, display, and audit The standard sets out a matrix of requirements across the full processing lifecycle. The key operational points for each stage: **Collection.** The necessity standard applies strictly: if an ordinary-personal-information substitute can achieve the same processing purpose, sensitive personal information must not be collected. Collection should be limited to the period of active use of the relevant business function or service. Separate item-by-item collection by business function or service scenario is required; automated collection via technical means or web scraping is prohibited. **Notice.** Notice must be delivered through methods that give the individual prominence — separate pop-ups, SMS, fill-in boxes, animation, dedicated notice screens, or voice announcement. Continuous collection requires periodic or continuous reminder mechanisms. **Consent.** Where multiple sensitive personal information processing activities are involved, the handler must provide separate consent mechanisms for each processing purpose and business function — each purpose should be ticked individually by the user. Bundled consent for a single item of sensitive personal information used for multiple purposes is prohibited. **Management and security.** Material operations on sensitive personal information — internal sharing, external provision, public disclosure, batch querying, plaintext display, download, and export — must each go through an authorisation and approval process. Sensitive personal information must be stored separately from directly identifiable personal information, with encryption at rest and in transit. **Display.** Sensitive personal information shown in any interface must be de-identified by default, and the interface must carry a watermark recording the access subject's identifier and the time of access. **Audit.** Beyond restating the PIPL obligation to conduct personal information protection impact assessments (PIPIAs), the standard requires security audits of processing logs and user permissions at least monthly. ## Why overseas counsel should care - **PIPL operationalised.** GB/T 45574-2025 converts PIPL's high-level sensitive-PI provisions into testable technical and organisational requirements. Regulators and third-party assessors now have a standard checklist; enforcement findings and audit reports will increasingly cite it. Companies that mapped PIPL compliance only at the statutory level should revisit their gap analysis against this standard. - **The important-data linkage is new and significant.** The explicit bridge in Article 5.5 — volume of sensitive personal information as a possible important-data trigger — means that a company's sensitive-PI count is not only a consent-and-minimisation problem but also potentially a data-classification, cross-border-transfer, and security-assessment problem. Teams running cross-border transfer compliance should add this threshold check to their data-mapping exercise. - **Sector-specific requirements demand tailored reviews.** Healthcare, financial services, and minor-focused products each carry additional layers of obligation. A generic sensitive-PI compliance program is unlikely to satisfy the standard's sector-specific provisions in Articles 6.2–6.7. - **The DSMM Level 3 floor is a material uplift.** Organisations that have not benchmarked their data-security capabilities against GB/T 37988-2019 should do so before 1 November 2025. Level 3 represents a formalised, managed capability level with documented processes and measurement mechanisms — not a checkbox exercise. ## Compliance starting points The authors close with five practical recommendations. First, use Annex A as the working identification reference and assess both individual data items and aggregate sensitivity of combined datasets. Second, apply differentiated protections by business context and sector rather than treating everything as identically sensitive. Third, extend the standard's requirements across the full data lifecycle — collection through deletion — cross-referenced against PIPL and the Network Data Security Management Regulations (网络数据安全管理条例). Fourth, revise user authorisation agreements, privacy policies, and data processing agreements to align notice and consent mechanisms with the standard, using Annex B's written-consent template as the starting point. Fifth, pursue ISO/IEC 27701 or equivalent certification as a vehicle for systematically improving sensitive-PI management capability and signalling compliance to regulators and counterparties. ## DCC sources - Original: 王艺、赵艳明、曾令玮,《DEXC+专栏|《数据安全技术 敏感个人信息处理安全要求》的七大亮点及合规建议》, 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ([source](https://mp.weixin.qq.com/s/3UlXi2v8cDRO3xbUrxyQQw)). - Standard: GB/T 45574-2025 《数据安全技术 敏感个人信息处理安全要求》, issued 25 April 2025, effective 1 November 2025. - [PIPL — Personal Information Protection Law](/laws/pipl/), Articles 28–32 (sensitive personal information), Article 52 (protection officer). - [TC260 Sensitive-PI Identification Guide](/laws/tc260-sensitive-pi-identification-guide/) (TC260-PG-20244A, September 2024). - GB/T 37988-2019 《信息安全技术 数据安全能力成熟度模型》 (DSMM). - GB/T 35273-2020 《信息安全技术 个人信息安全规范》 (predecessor standard, for comparison). > This is an editorial summary, not a translation of the Wang Yi, Zhao Yanming, and Zeng Lingwei article. Any simplification, error of emphasis, or editorial extrapolation is DCC's. **Not legal advice.** --- ## The PIA as a Trading-Compliance Line — What the Network Data Security Management Regulations Add for Personal-Information Data Products - Published: 2026-05-18 - Author: DCC Editorial - Tags: pia, personal-information-protection, data-trading, network-data-security-regulations, pipl, data-element-market, sensitive-personal-information, cross-border - Laws cited: network-data-security-regulations, pipl - Domains: personal-information, data-economy - URL: https://datacompliancechina.com/posts/pi-trading-pia-network-data-regulations/ - Markdown: https://datacompliancechina.com/posts/pi-trading-pia-network-data-regulations.md - Original source: https://mp.weixin.qq.com/s/_LT4nIubx315hvjG5ibF-g - Original author: 王森鹏 (Wang Senpeng) - Original publication: 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ### Description China's personal-information protection impact assessment (PIA / 个人信息保护影响评估) has long been a statutory requirement under PIPL, but uptake in data-trading contexts remains low. A DEXC+ analysis by Wang Senpeng of Shenzhen Data Exchange argues that the Network Data Security Management Regulations (网络数据安全管理条例, 'Network Data Regs') significantly refine when and how a PIA must be conducted before a personal-information data product changes hands. The brief maps three trigger layers — subject compliance, subject-matter compliance, and circulation compliance — and then draws out the evaluation dimensions the Regulations add: a new 'dual-list' privacy-policy requirement, data-processing-agreement minimum contents, a three-year record-keeping obligation, and tightened rules on web-scraping and de-identification. For overseas counsel: a PIA is no longer just a cross-border formality — it is the primary compliance gate for trading sensitive data, delegated-processing arrangements, and any automated-decision-making data product. ### Body > *Editor's Note — DCC.* > > This brief summarises 《DEXC+专栏|个人信息交易危机:《网数条例》下被忽视的PIA能否构建交易合规防线?》 by Wang Senpeng (王森鹏), compliance manager at Shenzhen Data Exchange, writing for the DEXC+ think-tank column. Wang's piece is the clearest practitioner-level account DCC has seen of how the [Network Data Security Management Regulations](/laws/network-data-security-regulations/) change the PIA calculus specifically for data-product transactions — as opposed to internal processing. The DEXC+ column is published by one of China's principal state-backed data trading venues, which makes this analysis particularly authoritative: Shenzhen Data Exchange is not theorising about the data-element market, it is the infrastructure the market runs on. > > Wang frames his analysis around three compliance planes — *subject* (who is transacting), *subject matter* (what is being sold), and *circulation* (how it moves, including cross-border) — and works through the PIA obligations that attach at each plane under both [PIPL](/laws/pipl/) and the Regulations. DCC's summary preserves that structure and adds the overseas-counsel takeaway. All footnote citations in the source are preserved as textual attribution; we do not independently verify article numbers cited against the full statutory text. ## The "personal-information trading crisis" the title refers to Wang opens with the observation that China's "Data Twenty Articles" (数据二十条, the State Council's 2022 foundational framework for a data-element market) expressly conditions the construction of a data-element market on protecting personal information and commercial secrets. Yet in practice, Wang argues, the personal-information protection impact assessment (个人信息保护影响评估, commonly abbreviated PIA) is an under-used instrument. Enterprises tend to trigger a PIA only when they face hard regulatory pressure — most commonly an imminent cross-border transfer — and ignore the obligation in purely domestic trading contexts. The "crisis" in the title is the compliance gap this creates. Personal-information data products now circulate routinely through data exchanges, but the legal infrastructure — including the PIA — has not been integrated into standard transaction workflows. The [Network Data Security Management Regulations](/laws/network-data-security-regulations/) (网络数据安全管理条例, colloquially the "Network Data Regs" or 网数条例), Wang argues, provide the granularity needed to close that gap; the question is whether market participants will use them. ## What a PIA is and why it matters in a trading context Drawing on the national standard GB/T 39335-2020 (《信息安全技术 个人信息安全影响评估》), Wang defines a PIA as a process that: examines the legality and compliance of personal-information-processing activities; assesses the risk of harm to data subjects' lawful rights and interests; and evaluates the effectiveness of protective measures. The definition is procedural rather than outcome-based — a PIA is a structured inquiry, not a pass-or-fail test. In a trading context, Wang identifies four functions that a PIA serves beyond bare legal compliance: - **Risk mirror (明鉴宝镜):** a PIA surfaces compliance gaps in a data product before it is widely circulated, reducing the handler's exposure to liability for distributing non-compliant data. - **Listing accelerator (上市引擎):** the evaluation dimensions in a PIA substantially overlap with the listing-compliance review that data exchanges conduct before admitting a product to trading. Conducting a PIA pre-transaction therefore shortens the exchange's own review process. - **Self-certification (自证书):** a completed PIA report functions as documentary evidence of compliance readiness — the kind of record a handler can produce to a regulator or counterparty on demand. - **Compliance signal (合规名片):** for sellers, a PIA report signals to buyers and data subjects that the product's provenance has been assessed, increasing competitive standing in a market where trust is a scarce commodity. ## When a PIA is legally required — the three trigger planes Wang structures the statutory trigger analysis around three planes drawn from Shenzhen's draft local standard on data-trading compliance assessment (《数据交易合规评估规范(征求意见稿)》): subject compliance (主体合规), subject-matter compliance (标的合规), and circulation compliance (流通合规). This is a more granular framework than the bare PIPL Article 55 list, and it is worth walking through each plane. **Subject compliance.** Certain regulated sectors carry sector-specific PIA obligations before any transaction. Wang's leading example is online education: guidance published jointly by the Ministry of Education and five other departments required platforms storing personal information of 1 million or more users to complete a PIA. On the buyer side, if a data buyer acquires a product that pushes its stored personal-information count to or above that threshold, the buyer's PIA obligation is triggered independently. **Subject-matter compliance.** Under PIPL Article 55(1), handling sensitive personal information (敏感个人信息) requires a PIA before processing. For data products, Wang notes that sensitivity is not assessed statically at the point of collection — if a buyer's existing data holdings, combined with a newly acquired product, cause the aggregated dataset's risk level to increase to the point where disclosure or misuse could harm data subjects' dignity, personal safety, or financial security, the resulting combined dataset must be treated as sensitive personal information, and the buyer must complete a PIA. Wang cites financial data products containing bank account information as a straightforward example of a product that is sensitive on its face. A second category under subject-matter compliance covers data products built through automated decision-making (自动化决策): products where the seller has used automated analysis of individuals' behavioural patterns, interests, or economic, health, or credit status to reach decisions, and has packaged that output as a product. PIPL Article 55(2) requires a PIA before using personal information in automated decision-making. Wang flags marketing data products — for instance, user-shopping-behaviour analysis products built from e-commerce platform data — as the most common commercial case. Shanghai's trial guidelines on algorithmic applications in online marketing specifically require a pre-activity PIA for this category. A third sub-category under subject-matter compliance is delegated processing (委托处理): where a buyer purchases a data service and the arrangement constitutes a delegation of personal-information processing to the seller, PIPL Article 55(3) requires a pre-transaction PIA. Wang illustrates this with the express-delivery sector: parcel-delivery companies routinely delegate collection, customs clearance, and last-mile operations to third parties, creating chains of personal-information delegation that have generated a pattern of data-leak incidents. The Ministry of Transport's 2023 Express Delivery Market Management Measures require express companies that delegate user personal-information processing to complete a PIA beforehand and supervise the delegate. **Circulation compliance.** Two triggers apply at the circulation plane. First, if the data product's fields contain information relating to identified or identifiable natural persons — regardless of whether that information was originally public — the seller's act of delivering the product to a buyer constitutes a disclosure of personal information to a third party, triggering PIPL Article 55(3) and requiring a PIA. Second, if the product is destined for cross-border circulation, both PIPL Article 55(4) and the Regulations on Promoting and Regulating Cross-Border Data Flows require a PIA before the cross-border transaction. ## What the Network Data Security Management Regulations add Wang's central argument is that the [Network Data Security Management Regulations](/laws/network-data-security-regulations/) sharpen the evaluation content of a PIA in ways that matter for data-product transactions. Although the Regulations nominally govern "network data processing activities," Wang notes the industry consensus that "network" (网络) should be read broadly to include both public and private networks, giving the Regulations effective coverage over substantially all data products in practice. Three sets of additions are particularly significant: **The dual-list privacy policy requirement.** Article 149 of the Regulations introduces, for the first time at the administrative-regulation level, a "dual-list" (双清单) system for privacy policies. Many personal-information data products depend on user agreements — typically a privacy policy — as the mechanism for obtaining consent. The dual-list requirement changes how privacy policies must be structured and what they must disclose. In a PIA context, the question of whether a data product's consent chain satisfies the new dual-list requirement becomes a mandatory evaluation item. The Regulations also introduce a requirement to specify retention-period determination methods, adding a new element to the consent and collection-legality assessment. **Web-scraping as a regulated collection method.** Articles 18 and 24 of the Regulations address web crawlers (爬虫) as a data collection modality. For data products assembled through scraping, a PIA must now assess: whether the crawler caused harm to network services (including whether it unlawfully accessed another operator's network); whether non-essential personal information or personal information collected without lawful consent was deleted or anonymised; and, if statutory retention periods have not yet expired or technical anonymisation is not feasible, whether processing was suspended (beyond storage and necessary security measures). **Delegated-processing agreement standards.** Under Article 12 of the Regulations, where a data product involves delegated personal-information processing, the parties must have executed a data-processing agreement, and the PIA must evaluate whether the agreement's content meets statutory requirements and whether processing records have been retained for at least three years. The three-year minimum record-keeping period is a specific obligation the Regulations add to the PIPL framework. ## The three PIA evaluation dimensions in a trading context Wang then consolidates the evaluation content into three dimensions: legality (合法维度), security (安全维度), and rights protection (权益保障维度). **Legality dimension.** The PIA must trace the authorisation chain of all personal information in the data product across its full lifecycle. Collection-stage evaluation covers purpose specification, consent, PIPL Article 13 lawful bases, the dual-list privacy-policy requirements, retention-period methodology, and, for scraping, the crawler-specific obligations described above. **Security dimension.** The security evaluation focuses on the effectiveness, legality, and proportionality of protective measures. Key items include: whether the handler has implemented encryption, backup, access control, and authentication (Articles 9 and 11 of the Regulations); where de-identification was applied during processing, whether re-identification risk has been assessed; whether data-transmission channels are closed after a transaction terminates or the contract expires; for cross-border products, whether the overseas buyer's security capacity (management and technical infrastructure) has been assessed; and whether the data product's storage environment is reliably isolated from other storage areas. **Rights-protection dimension.** This dimension assesses the impact of the data product and its circulation on data subjects' lawful interests — including restrictions on individual autonomy, differential treatment, reputational harm, psychological harm, and financial or personal-safety harm. Concrete evaluation items include: whether accessible complaint and reporting channels exist and are clearly publicised; whether the processing and trading activities could adversely affect data subjects' lawful interests; and, for cross-border transactions, whether the receiving country's personal-information protection regime is below China's standards, and the risks of alteration, destruction, leak, loss, or unlawful use during and after the cross-border transfer. ## Why overseas counsel should care - **The PIA is now an admission requirement, not a formality.** Wang's analysis makes clear that, at Shenzhen Data Exchange, PIA evaluation content substantially overlaps with the exchange's own listing-compliance review. For overseas companies acquiring personal-information data products from Chinese exchanges, a counterparty's failure to have completed a PIA is a due-diligence red flag and a potential barrier to listing — not merely an internal governance gap on the Chinese side. - **The three-year record-keeping obligation has extraterritorial implications.** Where a data product involves delegated processing and a cross-border delivery, Article 12 of the [Network Data Security Management Regulations](/laws/network-data-security-regulations/) requires processing records to be retained for at least three years. Overseas buyers who receive delegated-processing data products should confirm that this obligation has been met on the Chinese side, and consider whether their own onward-processing arrangements trigger analogous record-keeping duties under [PIPL](/laws/pipl/). - **Sensitivity is dynamic, not static.** Wang's point that a data product can become "sensitive" at the buyer's end — through aggregation with the buyer's existing holdings — is an important due-diligence principle for foreign acquirers. A dataset that is non-sensitive on its face at the point of sale may trigger PIA obligations and heightened protection duties once it is combined with data the buyer already holds. - **Cross-border PIA obligations run in parallel.** Both PIPL Article 55(4) and the Regulations on cross-border data flows require a PIA before cross-border delivery. This PIA obligation is separate from — and in addition to — the security assessment or standard contract obligations that apply to cross-border transfers under the standard regime. Overseas counsel advising on data-import transactions involving Chinese personal-information data products should confirm that the selling party has completed both tracks. ## DCC sources - Original: 王森鹏 (Wang Senpeng), 《DEXC+专栏|个人信息交易危机:《网数条例》下被忽视的PIA能否构建交易合规防线?》, 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ([source](https://mp.weixin.qq.com/s/_LT4nIubx315hvjG5ibF-g)). - Key instruments: [Network Data Security Management Regulations](/laws/network-data-security-regulations/) (网络数据安全管理条例); [PIPL](/laws/pipl/) (个人信息保护法), Article 55. - Referenced standards: GB/T 39335-2020 《信息安全技术 个人信息安全影响评估》; 《网络安全标准实践指南——敏感个人信息识别指南》. - Referenced local standard: 深圳市地方标准《数据交易合规评估规范(征求意见稿)》. - Sector instruments cited by Wang: Ministry of Education et al. online-education notification (2021); Ministry of Transport, Express Delivery Market Management Measures (2023); Shanghai Municipal Administration for Market Regulation, Trial Guidelines on Algorithmic Applications in Online Marketing. > This is an editorial summary, not a translation of Wang Senpeng's piece. Structural framings and operational extrapolations are DCC's. Any simplification, error of emphasis, or attribution of article numbers reflects DCC's summarisation and has not been verified against the full statutory text. **Not legal advice.** --- ## Derivative Data Products and Public Data Opening — Legal Challenges and Compliance Points - Published: 2026-05-16 - Author: DCC Editorial - Tags: derivative-data, public-data, data-property-rights, data-product, anti-unfair-competition, authorized-operation, data-economy, data-registration - Laws cited: public-data-authorized-operation-specifications, data-foundation-system-opinions - Domains: data-economy - URL: https://datacompliancechina.com/posts/derivative-data-products-public-data-opening/ - Markdown: https://datacompliancechina.com/posts/derivative-data-products-public-data-opening.md - Original source: https://mp.weixin.qq.com/s/nNJVdLFSs65EsCR99TmXIw - Original author: 王艺,余灏 (Wang Yi, Yu Hao) - Original publication: 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ### Description As China opens public-sector datasets for commercial exploitation, companies building derivative data products (衍生数据产品) face a layered compliance problem: the definition of 'derivative data' in the National Data Administration's 2025 glossary is deliberately high-threshold (substantial transformation, significant value uplift); provincial rules on automated collection, source-labelling, and sensitive-data assessment are inconsistent; and a three-way collision between the open-data rules, third-party platform terms, and the 2025 Anti-Unfair Competition Law amendments has no clean resolution. Wang Yi and Yu Hao (both DEXCO-certified partners at Global Law Office Shenzhen) map the definitional landscape, five categories of operational red lines, and four protective strategies — including the new data-specific provision in the revised Anti-Unfair Competition Law — for practitioners building or advising on derivative-data businesses. ### Body > *Editor's Note — DCC.* > > This brief summarises 《公共数据开放背景下衍生数据产品开发利用的法律挑战与合规要点》 > by Wang Yi (王艺) and Yu Hao (余灏), both DEXCO-certified partners at the > Shenzhen office of Global Law Office, writing for the Shenzhen Data Exchange > DEXC+ column. The piece sits at the intersection of China's nascent public-data > opening regime and the still-unsettled question of how "derivative data" is > defined, owned, and protected. DCC runs it because the source is authoritative > — DEXC+ is the practitioner commentary arm of one of China's principal > state-backed data trading venues — and because the definitional and IP > questions the piece addresses are live problems for any overseas counsel > advising a client that processes Chinese public datasets. > > Readers should note that the article explicitly characterises itself as > academic-practitioner opinion and not formal legal advice from Shenzhen Data > Exchange. Several of the provincial regulations cited are implementing rules > rather than national law; their application to a specific transaction will > depend on jurisdiction and contract. ## What "derivative data" means — and why the definition is contested The starting point for any compliance analysis is whether a data product qualifies as **derivative data (衍生数据)** at all. Two official sources now provide partial answers, but neither fully closes the interpretive gap. The National Data Administration (国家数据局) published its second batch of sector terminology definitions on 29 March 2025. Item 6 defines derivative data as: data produced by a data processor that holds use-rights to the underlying dataset, which, using professional knowledge through processing, modelling, and key-information extraction, achieves a *substantial change* (实质改变) in the content, form, or structure of the source data, thereby *significantly increasing* (显著提升) data value. The authors highlight two unresolved tensions in that definition. First, the phrase "substantial change" requires a qualitative judgment that the official guidance does not operationalise — practitioners and academics have not yet agreed on where the threshold sits. Second, "significantly increasing" sets a higher bar than a mere "valuable" standard; incremental cleansing or de-identification alone is unlikely to meet it. The national standard GB/T 43697-2024 (Data Security Technology — Data Classification and Grading Rules) takes a broader, more enumerated approach: derivative data is produced through statistical analysis, correlation, mining, aggregation, or de-identification processing. It explicitly classifies de-identified data, labelled data, statistical data, and fused data as subtypes of derivative data. The authors draw out two practical open questions that compliance counsel should monitor: (1) whether the National Data Administration will publish further interpretive criteria analogous to the Ministry of Finance's published list of seven circumstances in which data assets should not be recognised on balance sheets; and (2) whether the forthcoming unified data-property-rights registration rules will address how derivative data from different source channels is treated differently — a question already live in the [public-data authorized-operation specifications](/laws/public-data-authorized-operation-specifications/). ## The legislative landscape for public-data opening China's approach to public-data opening (公共数据开放) operates at two levels. At the national level, the December 2022 joint opinion of the CPC Central Committee and the State Council on building a data foundation system (the "Data Twenty Articles," which DCC covers in the [data foundation system opinions](/laws/data-foundation-system-opinions/)) established the principal framework: public data used for public-governance and public-welfare purposes should be made conditionally available free of charge; public data used for industrial and commercial development may be subject to a conditional paid-use model. At the provincial and local level, a patchwork of management measures has followed. The authors survey rules from Shandong, Guangdong, Inner Mongolia, Shanghai, Chongqing, Zhejiang, Yunnan, and Anhui, each of which adds its own prohibitions and conditions on derivative use. The common thread is an encouraging posture toward commercial development of opened public data, paired with explicit prohibitions on a largely consistent set of conduct. ## Five operational compliance points for developers of derivative products The authors identify five areas where operators using opened public data need active compliance work. **1. Automated collection is not prohibited but carries its own legal exposure.** Provincial rules permit opened public data to be obtained by download, API access, or algorithmic delivery of result data. None of the surveyed provincial measures expressly prohibit automated collection (爬取). However, operators remain subject to the DSL, the Network Data Security Management Regulations (网络数据安全管理条例), and the Criminal Law provisions that govern automated collection. In practice this means completing pre-collection security self-assessments, controlling access frequency to avoid causing service disruption to the data source, and never circumventing or breaking technical protective measures or exceeding authorised access scope. **2. Use must not damage rights or breach platform terms.** A composite picture of prohibited conduct drawn from multiple provincial measures includes: using public data to obtain illegal benefits; abusing the rights obtained or harming national, public, or third-party interests; violating the terms of any data-use agreement; and failing to implement required security safeguards. The Chongqing measure adds a specific prohibition that is worth noting for its intelligence-law resonance: operators may not aggregate public data so as to produce information touching on state secrets, national security, or other important sensitive content. **3. Source-labelling is mandatory in some jurisdictions.** Shandong and Yunnan provincial rules both require that any data product, research report, or academic paper derived from opened public data must identify the data source and the acquisition date. While this obligation currently applies in fewer than all jurisdictions, the trend is toward wider adoption, and the labelling requirement is easy to build into product design early. **4. Sensitive-data identification and security assessment after bulk collection.** This obligation is currently uncommon but emerging. Chongqing expressly prohibits aggregating collected public data into information touching on national secrets or security. Anhui's draft public data management measures go further: where aggregation or correlation analysis of public data could produce classified or sensitive data, both the data-opening party and the data-user must conduct a security assessment and implement corresponding security measures. The authors note that academic commentary on the risks of public-data aggregation is beginning to appear, signalling that regulators are likely to treat this as a priority area. **5. Rights-conflict analysis is unavoidable for complex products.** In practice, derivative data products frequently encounter conflicts among individual personal-information rights, third-party commercial-secret rights, copyright interests, and public-interest considerations. The authors provide a worked scenario: a social-media platform prohibits third-party automated collection of its content, but some of that content consists of government information (政府信息) published on the platform and subject to the Government Information Disclosure Regulations (政府信息公开条例). A third party commissioned by government to collect and analyse that data is operating in a collision zone between the platform's terms, the government's disclosure obligations, and the derivative-data rights of the commissioned party. The authors' framework for resolving this: first, assess whether the platform holds any legitimate legal interest in the data concerned; if it does, analyse the priority of competing interests; if it does not, analyse why not. Where public interest and commercial interest genuinely conflict, public interest should in principle prevail. ## Property-rights registration — channel matters One of the most practically significant points in the article concerns the interaction between the *channel* through which public data was obtained and the *scope* of property-rights registration available to a derivative-data producer. Under current data-property-rights registration practice, public data products developed through a **public-data authorized-operation (公共数据授权运营)** arrangement can be registered only for *use rights (使用权)* and *operational rights (经营权)*; the holder cannot register *holding rights (持有权)*. By contrast, derivative data produced from **unconditionally opened public data** (i.e., freely available open data) can currently be registered for all three rights (三权) — holding, use, and operational. This asymmetry has direct implications for investment value, securitisation, and dispute resolution. The authors flag that a unified national data-property-rights registration framework has not yet been published, and the question of whether derivative data can simultaneously hold both data-property-rights registration and data-intellectual-property registration — and whether that creates redundancy or genuine layered protection — remains open. The [Datatang v. Yinmu data-IP registration case](/posts/datatang-v-yinmu-data-ip-registration-case/) is a useful reference point for how courts and registration bodies are already navigating the boundary between these two tracks. ## Four protection strategies for derivative-data rights holders The article closes with four strategies for protecting derivative-data product rights against infringement — important context for companies concerned less about compliance risk and more about enforcing their own data assets. **Strategy 1 — Accurately characterise your product and your obligations.** A product with some public-data attributes does not necessarily carry an obligation to make it freely available. Drawing on a recent Beijing internet court ruling (described only as "the GX v. WX case"), the authors note that a product with partial public-data character is not automatically a public-data product. Investment in developing a derivative product should attract Anti-Unfair Competition Law protection; the product owner cannot be required to tolerate scraping by competitors. **Strategy 2 — Use the new data-specific provision in the Anti-Unfair Competition Law.** The Anti-Unfair Competition Law (2025 revision) added a "data-specific clause" (数据专条) within its internet chapter. Article 13(3) prohibits operators from obtaining or using data lawfully held by another operator through deception, coercion, circumventing or breaking technical protective measures, or other improper means, where doing so harms the other operator's legitimate interests and disrupts market competition. The authors identify four elements that must be established: (i) a competitive relationship between the parties; (ii) acquisition or use of the other party's lawfully-held data through improper means; (iii) the affected party holds a legitimate interest (including a competitive interest) in the data; and (iv) damage to that interest and disruption to market order. **Strategy 3 — Pursue trade-secret protection.** Citing recent case law and the Criminal Law Amendment (XIII) tightening sanctions for trade-secret misappropriation, the authors suggest that a derivative-data rights holder should consider classifying its product as a trade secret — both for civil litigation purposes and as a deterrent to employee-facilitated data leakage — provided the operator implements appropriate technical and management controls to establish and maintain secrecy. **Strategy 4 — Explore data-rights infringement and contractual liability.** Under the Data Twenty Articles, the Civil Code, and the DSL, data is a protected civil interest. Where a counterparty in a commercial arrangement misappropriates data-product rights, or where a third party infringes the data-product holder's rights, tort and contractual liability are both available. The authors note that the Supreme People's Court has recently issued guiding cases on data-rights protection, and the range of enforcement strategies is becoming more diverse — including arbitration as an alternative to litigation. ## Why overseas counsel should care - **The definition of "derivative data" is the gating question for every data-product transaction.** Until the National Data Administration publishes clearer criteria, due diligence on a Chinese data-product acquisition must include a fact-specific analysis of whether the product genuinely satisfies "substantial transformation" and "significant value uplift" — and whether the source data was obtained through authorized-operation or unconditional-open channels, since that determines what property rights can be registered and traded. - **Automated collection of opened public data is structurally risky even when not expressly prohibited.** Foreign operators running data ingestion pipelines against Chinese public datasets need pre-deployment security self-assessments, rate controls, and, critically, an aggregation analysis: several provincial rules and the emerging national trend treat bulk aggregation as a trigger for sensitive-data assessment obligations, which can apply even where the individual source records are innocuous. - **The Anti-Unfair Competition Law (2025) data clause is a new offensive and defensive tool.** Article 13(3) is likely to generate litigation over the next two to three years as rights holders test it. For overseas companies whose Chinese partners or competitors are building derivative data products from public datasets, this provision — together with trade-secret doctrine — is the primary legal backstop if a product is misappropriated. - **The holding-rights gap in authorized-operation products has deal-structure implications.** Where a client's Chinese data-product business is built on public-data authorized-operation contracts rather than freely-opened data, the inability to register holding rights constrains collateral value, affects how IP can be licensed, and could create complications in an M&A context. Structuring advice should account for this asymmetry now, before the unified registration rules are published and potentially lock in current practice. ## DCC sources - Original: 王艺、余灏 (Wang Yi, Yu Hao), 《公共数据开放背景下衍生数据产品开发利用的法律挑战与合规要点》, 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ([source](https://mp.weixin.qq.com/s/nNJVdLFSs65EsCR99TmXIw)). - National Data Administration, 《数据领域常用名词解释(第二批)》(Second Batch of Common Terminology Definitions for the Data Sector), 29 March 2025. - GB/T 43697-2024, Data Security Technology — Data Classification and Grading Rules (数据安全技术 数据分类分级规则), §3.10 and Annex I. - CPC Central Committee and State Council, [Opinions on Building a Data Foundation System to Better Leverage the Role of Data as a Factor of Production](/laws/data-foundation-system-opinions/) (数据二十条), 2 December 2022. - Anti-Unfair Competition Law (反不正当竞争法) (2025 revision), Art. 13(3). - [Public-data authorized-operation specifications](/laws/public-data-authorized-operation-specifications/). - Provincial public-data management measures cited: Shandong (2022), Guangdong (2021), Inner Mongolia (暂行办法), Shanghai (暂行办法), Chongqing (暂行办法), Zhejiang (条例), Yunnan (试行), Anhui (征求意见稿). > This is an editorial summary, not a translation of the original DEXC+ column > article. The authors' arguments and examples are attributed throughout; > any simplification, emphasis, or operational extrapolation is DCC's. The > original article represents the academic and professional views of Wang Yi > and Yu Hao personally, and does not represent the position of Shenzhen Data > Exchange. **Not legal advice.** --- ## From Copyright to Data Property: The Three-Layer Compliance Test for Registering Employee-Created Data in China - Published: 2026-05-15 - Author: DCC Editorial - Tags: data-property-rights, data-registration, work-made-for-hire, data-element-market, copyright, data-trading, employment-data - Laws cited: data-property-rights-registration-guide-draft, data-foundation-system-opinions - Domains: data-economy - URL: https://datacompliancechina.com/posts/data-property-registration-work-for-hire-data/ - Markdown: https://datacompliancechina.com/posts/data-property-registration-work-for-hire-data.md - Original source: https://mp.weixin.qq.com/s/hL00n0vIhiqOzW15QVTLKA - Original author: 胡婧卓 (Hu Jingzhuo); 陈一芊 (Chen Yiqian) - Original publication: 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ### Description China's data property-rights registration regime treats copyright and data property (数据产权) as separate legal categories — a distinction that catches many applicants off guard when employee-created works are involved. This brief summarises a practitioner analysis by two Shenzhen Data Exchange compliance officers, who explain the three-layer 'penetrating review' (穿透审核) logic that registrars actually apply: lawful acquisition (合法获取), factual control (事实持有), and defined scope of use (使用范围). For overseas counsel advising clients that hold data generated by employees — including code, engineering drawings, maps, and other special categories of work-made-for-hire under China's Copyright Law — the key operational takeaway is that a copyright certificate alone is insufficient. Registration of all three data property rights (holding right, use right, operating right) requires distinct evidence chains for each, and the employment contract is the starting document, not the copyright certificate. ### Body > *Editor's Note — DCC.* > > This brief summarises 《DEXC+专栏|数据产权登记实务:职务作品数据产权登记合规路径分析》, published in the Shenzhen Data Exchange's DEXC+ practitioner column by Hu Jingzhuo (胡婧卓), Data Compliance Manager in the Exchange's Compliance Department, and Chen Yiqian (陈一芊), Transaction Review Manager in the same department. Both authors hold DEXCO credentials and are lead drafters of the Shenzhen local standard on data-transaction compliance assessment. The analysis draws directly on their front-line experience reviewing data property-rights registration applications at one of China's most active state-backed data trading venues. > > The single most useful takeaway for overseas counsel: a Chinese copyright certificate covering employee-created work does not, by itself, establish data property rights over the underlying data. The [data property-rights registration guide](/laws/data-property-rights-registration-guide-draft/) imposes a separate, three-part evidence test — lawful acquisition, factual control, and defined use scope — and each limb requires distinct documentary proof. For companies whose China data assets rest on employee-generated works (code, engineering drawings, market research, structured datasets), this brief sets out exactly what that evidence chain looks like. ## Why copyright is not enough The authors open with a diagnostic observation that goes to the heart of practitioner confusion: applicants regularly arrive at the Shenzhen Data Exchange's registration window carrying a copyright certificate (著作权登记证书), expecting it to clear the data property-rights review. It does not. The reason is conceptual. Copyright (著作权) protects the originality of expression — a specific literary, artistic, or scientific work. It controls how that work is reproduced and distributed, and it incentivises creation. Data property rights (数据产权), by contrast, are a new category of property interest defined under China's data-element market framework. They are designed to resolve questions of ownership and circulation of data *as a production factor* — not to protect the creative expression that the data may happen to embody. Under the three-right framework articulated by the National Data Bureau (国家数据局), data property rights break down as: the data holding right (数据持有权), focused on lawful acquisition and factual possession; the data use right (数据使用权), covering internal processing, aggregation, and analysis; and the data operating right (数据经营权), covering external transfer, licensing, and supply. As the authors summarise it: only when an applicant can simultaneously demonstrate lawful origin, actual control, and a clear boundary of permitted use can the registering entity be said to hold all three rights compliantly. The bridge question — how to move from copyright to data property rights — is the analytical core of the piece. ## The three-layer penetrating review The Shenzhen Data Exchange applies what the authors call a "three-layer penetrating review" (三层穿透审核逻辑) when work-made-for-hire data is involved. Each layer probes a different dimension of the applicant's claim. ### Layer one: pierce the identity — look at source (lawful acquisition) Lawful acquisition (合法获取) is described as the cornerstone of data property rights. "Having the data in hand" is not the same as having lawfully acquired it. For employee-created works, the analysis turns on whether the work falls into the general category or the special category under the Copyright Law (著作权法). For **general works-made-for-hire** (一般职务作品): Article 18(1) of the Copyright Law provides that, in the absence of an express agreement to the contrary, copyright in a general work-made-for-hire belongs by default to the employee; the employing unit holds only a priority right to use (优先使用权) the work within its business scope. This priority right is sufficient to support the unit's data holding right and data use right — that is, it can lawfully possess and internally process the data. However, if the unit wishes to register the data operating right (the external transfer/licensing layer), the default priority-use position is insufficient. At that point, an express written agreement signed by the employee is required. For **special works-made-for-hire** (特殊职务作品): Article 18(2) of the Copyright Law assigns copyright (other than the moral right of attribution) to the employing unit by statute for certain categories — engineering designs (工程设计图), software (软件), maps (地图), and works created by employees of newspapers and broadcasting organisations. For these, demonstrating the employee's identity and the creation date (noting that the revised Copyright Law took effect on 1 June 2021) is sufficient to establish that the unit has lawfully acquired the relevant data. The practical implication: the employment contract (劳动合同) is the first document a reviewer reaches for, not the copyright certificate. The key question it must answer is whether the parties expressly agreed that all intellectual property rights and data rights arising during the employment relationship vest in the unit. ### Layer two: pierce the form — look at control (factual possession) Even where lawful acquisition is established, the data holding right requires separate proof of physical or technical actual control (事实持有) over the data. The authors frame this as the literal operationalisation of the word "holding" in "data holding right." Reviewers will ask: Where is the data stored? Is it in the applicant's own data centre, or on a third-party cloud platform? If the latter, has the applicant signed a control agreement that establishes management authority? The required evidence includes storage architecture descriptions showing that data resides on self-owned or controlled servers, as well as management records — update logs, access-permission documentation, and security management systems. Without this, a reviewer may conclude that control is insufficient regardless of the legal title position. ### Layer three: pierce the rights — look at the boundary (scope of use) The third layer concerns the internal/external distinction within data property rights. Data use right covers internal operations; data operating right covers external supply. These are independent rights with clear boundaries and neither derives from the other. The authors draw a structural analogy to the mature rights vocabulary of copyright law, which they suggest provides useful orientation for defining data use scope — though they are careful to note that the analogy is transitional and approximate, not definitively determinative: - Internal use (mapping to data use right): copyright's reproduction right, adaptation right, and compilation right correspond conceptually to technical backup, algorithmic modelling, structured processing, and statistical aggregation of data for internal purposes. - External supply (mapping to data operating right): copyright's right of communication via information networks, distribution right, and rental right correspond conceptually to API-based external provision, data-product distribution, and SaaS-format access licensing. The authors are explicit that copyright provides only a structural reference point (结构性参考), not a direct confirmation or substitute for data property rights. Copyright and data property protect different interests, and the mapping between them is a transitional tool for digitised works — not a permanent solution. The more robust approach, the authors note, is to plan data rights allocation from the point at which the underlying work is created. ## How the three rights combine: the registration formula The authors summarise the operative logic for practitioners and reviewing lawyers as: - Data holding right = lawful acquisition + factual possession or control - Data use right = lawful acquisition + capacity for internal use - Data operating right = lawful acquisition + capacity for external supply Because the three rights are independent in their scope — they do not derive from each other — an applicant may register all three simultaneously or may register any one or more on a selective basis depending on its compliance situation and operational needs. This flexibility is significant: it means a company that cannot currently satisfy all requirements for the operating right (for example, because it has not obtained sufficient consents for external transfer of personal information) can still register the holding and use rights and build out its compliance chain before seeking the broader operating right. The authors flag one important example in this regard. Registering the data operating right over datasets containing personal information requires compliance with PIPL Article 23 — specifically, providing individuals with details of the recipient's identity, contact information, processing purpose, processing method, and the categories of personal information involved, and obtaining their separate consent (单独同意). If that condition cannot be met, the recommended approach is to register only the holding and use rights and defer the operating right until the consent infrastructure is in place. ## The practical compliance path: what to prepare Drawing the threads together, the authors' practitioner checklist for work-made-for-hire data registration runs as follows: For the legal origin layer, the starting question is which category of work is involved. For general works, verify that the employment contract contains an explicit assignment of all data rights to the unit; if it does not, assess whether the default priority-use position supports the rights being claimed, and obtain any additional written agreements required for operating-right registration. For special works, confirm employee status and creation date post-1 June 2021. For the factual control layer, prepare storage architecture evidence, cloud-platform control agreements where applicable, update and access logs, and the organisation's data security management system documentation. For the use-scope layer, define whether the registration claim is for internal use, external supply, or both, and document the evidence for each claimed right independently. The authors close with the observation that the [Datatang v. Yinmu data-IP registration case](/posts/datatang-v-yinmu-data-ip-registration-case/) demonstrates that courts are now engaging seriously with data property rights claims — and that the same documentation rigour that supports a registration application is the documentation that will matter in litigation. Compliance is not a constraint but an expression of the data asset's value: only when source legality, factual control, and use boundaries are all clear can a market participant claim a full pass to the data-element market. ## Why overseas counsel should care - **Copyright certificates held by China subsidiaries do not automatically establish data property rights over employee-generated data.** If a client's China data assets rest on employee-created works — particularly software, engineering drawings, or structured datasets — the data property-rights position needs to be assessed independently of any copyright registration already on file. - **Employment contracts are the critical first document.** Whether a unit can register all three data rights, or only the holding and use rights, turns substantially on what the employment contract says about IP and data ownership. Contracts that are silent on data rights, or that track older IP-assignment language without addressing the new "三权" (three-rights) framework, create gaps that surface at the registration stage. - **The internal/external use distinction has direct trading implications.** A client that wishes to monetise its China data — through API licensing, data-product sales, or cross-border data supply — needs the data operating right. That right requires both a compliant legal chain back to the original creators and, for personal-information datasets, PIPL-compliant separate consent from the individuals concerned. Building that chain before a transaction is always cheaper than resolving a gap mid-deal. - **The Shenzhen Data Exchange's three-layer review logic is the operational reality of the market.** For clients approaching the data-element market via exchanges or other institutional venues, understanding how reviewers actually assess applications — and what evidence they expect — is the difference between a first-pass approval and a cycle of queries and resubmissions. ## DCC sources - Original: 胡婧卓 (Hu Jingzhuo) and 陈一芊 (Chen Yiqian), 《DEXC+专栏|数据产权登记实务:职务作品数据产权登记合规路径分析》, 深圳数据交易所 DEXC+ 专栏 WeChat Official Account ([source](https://mp.weixin.qq.com/s/hL00n0vIhiqOzW15QVTLKA)). - [Data Property-Rights Registration Guide (draft)](/laws/data-property-rights-registration-guide-draft/) - [Data Foundation System Opinions](/laws/data-foundation-system-opinions/) > This is an editorial summary, not a translation of Hu Jingzhuo and Chen Yiqian's piece. Conceptual framings, section organisation, and operational extrapolations are DCC's. Any simplification or error of emphasis is DCC's responsibility, not the authors'. **Not legal advice.** --- ## 'Important Data' Is a Category, Not a Tier - Published: 2026-05-04 - Author: DCC Editorial - Tags: important-data, dsl, commentary, data-classification - Laws cited: dsl, pipl - Domains: data-security, cross-border - URL: https://datacompliancechina.com/posts/important-data-category-not-tier/ - Markdown: https://datacompliancechina.com/posts/important-data-category-not-tier.md - Original source: https://mp.weixin.qq.com/s/RmrIs3PZnEHkGsMl3vlutg - Original author: 洪延青 - Original publication: 网安寻路人 ### Description Hong Yanqing argues the mainstream reading of Article 21 of the Data Security Law confuses enterprise asset-inventory language with state-level legal-interest protection — with real consequences for cross-border transfers, enforcement, and how PIPL and DSL stack. ### Body > *Editor's Note — DCC.* > > Hong Yanqing is one of the most influential voices on Chinese data-protection law — a scholar with policy proximity to the regulators who write the rules he comments on, and an unusually careful writer. When he picks a fight inside the Chinese data-compliance discourse, the fight is almost always conceptual rather than tactical. > > This essay is a fight. Hong argues that the mainstream Chinese reading of Article 21 of the Data Security Law — the article that establishes the "data classification and grading" regime — has been confused from the start. *Important data*, he says, is not a high rung on a ladder running from general data to important data to core data. It is a separate category, identified by the legal interest at stake, and the difference matters in ways that affect cross-border transfer, enforcement, and how PIPL and DSL stack on each other. > > We rewrote rather than literally translated his essay because the conceptual move he is making is exactly the kind of thing that gets lost in plain rendering but reshapes how an overseas compliance reader should understand a regime they thought they knew. China's Data Security Law turned five last year. By now, anyone working on cross-border data has met the phrase "data classification and grading" (数据分类分级). It is the foundational concept of Article 21 of the DSL — the article on which the security assessment, the *important data* identification catalogues, and the localization rules all rest. There is a standard way Chinese practitioners describe this regime. Data sits on a ladder. At the bottom is *general data* (一般数据), governed only by ordinary cybersecurity hygiene. Above it is *important data* (重要数据), which triggers heavier obligations, including the cross-border transfer security assessment. At the top is *core data* (核心数据), reserved for things that touch national security. The higher the rung, the stricter the rules. Hong Yanqing thinks this picture is wrong — and he has been writing about it for years. In a May 4, 2026 essay on his WeChat channel 网安寻路人, Hong returns to a fight he has flagged before: **important data is a *category*, not a *tier*.** It is identified by what legal interest it implicates, not by where it sits on a severity scale. The mainstream account, Hong argues, makes a conceptual error at the very start of the data-classification regime — and that error then propagates into every downstream rule. This sounds like word-play, until you trace it through. ## Why category-vs-tier isn't word-play Start with the most operational consequence. If *important data* is a tier — the level you get when data is "more sensitive than the ordinary kind" — then its status depends on the comparison set. A dataset can be a high tier inside enterprise A and a low tier inside enterprise B. It can be top-tier in the financial sector and unremarkable in retail. As the data flows across owners or industries, its grade shifts with the surrounding population. For a state-level regulatory regime, Hong argues, that is a disaster. The whole point of identifying *important data* is to attach a *stable regulatory identity* to it — one that travels with the data across owners, across industries, across borders. If the identity floats with each new holder's internal sensitivity grading, the regulator loses the unified handle it needs. If *important data* is a category — identified by the legal interest the data touches, not by where it ranks in someone's filing cabinet — the identity sticks. A dataset that materially affects public health and safety is important data whether it sits at a hospital, a research institute, or a third-party cloud provider. The only thing that can change its status is a material change in its risk profile — anonymization, de-identification, splitting, aggregation that increases risk — not a transfer from one filer's hands to another's. The practical consequences for overseas compliance teams are at least these two: First, **enterprise self-grading is not a way out.** Under tier-thinking, an overseas company facing an outbound-data-transfer obligation might be tempted to argue: "We classify this dataset as internal-use-only, so it's not in our top tier — therefore not important data." Hong's view says this argument is structurally wrong. The data is *important data* if it touches the relevant public legal interest. Your internal grading does not dispose of that question; at best it reflects how *you* have chosen to protect what the state has already identified. Second, **important-data status doesn't dissolve at the border.** Once a dataset has been identified as important data inside China, that identity follows it through downstream transfers — including overseas ones. This is the conceptual basis for the persistence of the cross-border transfer regime. ## The three-segment conceptual order The technical core of the essay is a three-segment ordering of the concepts Chinese practitioners have been conflating: 1. **Interest-based category (法益型类别).** This is the true regulatory classification. It answers the question: *what legal interest does this data implicate, and does that interest require state-level protection?* Personal information implicates personal dignity and informational rights. Important data implicates public interest, economic operation, public health, social stability. Core data implicates national core interests — state security, the lifeline economy, major public welfare. These are different interests, not three rungs on the same ladder. 2. **Business-process classification (业务流程分类).** This is the operational tool enterprises use to organize their data — R&D data, production data, customer data, transaction data, log data. It is essential for asset inventory, access control, and lifecycle management. But it is *not* a regulatory classification. The label "R&D data" does not tell you whether the data is a trade secret, a state secret, personal information, or important data. It only tells you which department generates it. 3. **Tiering (分级).** This is the protection-strength configuration. *Given* that data has been identified as belonging to a regulatory category, how heavily should it be protected? Inside an enterprise this shows up as access levels, encryption requirements, audit frequency. In state regulation it shows up as security-assessment requirements, security review, localization mandates. Tiering comes *after* category identification — and it does not retroactively define what the category means. The mistake Hong attributes to the mainstream is the collapse of these three layers into one. The phrase 分类分级 ("classification and grading") gets used as a single compound operation. Enterprise asset-inventory thinking gets imported into state-level legal-interest identification. Operational language migrates into the legal-interest layer where it does not belong. ## What the reframing fixes Several familiar confusions become tractable once the layers are separated. **The "upgrading" fallacy.** Practitioners often say that "mass personal information can upgrade to important data" (海量个人信息升格为重要数据). On a tier reading, *upgrade* suggests the data leaves its old identity behind. Under PIPL, that would be alarming — does the personal-information regime no longer apply? On Hong's reading, the dataset does not *upgrade* — it *gains a second identity*. The personal-information regime continues to apply (because the data still identifies natural persons). The important-data regime *also* applies (because the dataset, at scale and granularity, now implicates public interest). Both regimes stack. Conflicts get resolved by familiar principles — specialty, the stricter rule, purpose limitation, minimum necessary — not by one identity displacing the other. **Sensitive personal information is not a parallel category.** It is a sub-state inside the personal-information category, with intensified handling rules. Same legal interest, stricter protection. Calling it a separate category at the same level as personal information is grammatical drift, not conceptual structure. **"CII-related data" is not a freestanding category.** Hong is firm on this point. Treating "data related to critical information infrastructure" as a regulatory category in its own right confuses a context label with a legal interest. The relationship to CII is a flag — useful for identifying *which* data within a CIIO's holdings might rise to *important data* or *core data*. It is not itself the category. **"General data" is the residual, not a parallel category.** It is the residual space of data that no specific regulatory category has captured. It can still be protected — by contract, by tort, by unfair-competition law, by ordinary cybersecurity duties — but not by the Article 21 data-classification regime. ## How to read the standards Hong anticipates the obvious objection. China's national standards, and a great deal of industry guidance, *already* talk about core / important / general data as "levels." Doesn't the current standard text sink his argument? His answer is patient. Standards are engineering documents. Their job is to make a legal regime operable for enterprises — to give them something to put into a spreadsheet, a control matrix, an audit checklist. Using the language of "levels" is convenient because it maps to existing internal-control vocabulary. But engineering convenience is not legal definition. The legal definition has to do the work of identifying a *legal interest*, not just signalling *severity*. Standards can keep their level-language as a shorthand; the underlying concept is still a set of categories. The implication for overseas readers: when a Chinese standard or sector catalogue renders important data as a tier, treat it as serving an operational purpose — not as the last word on the concept's legal content. ## Why an overseas compliance reader should care For overseas counsel and compliance teams the practical takeaways are roughly these: - **Don't expect enterprise-level grading to control regulatory status.** Whether a dataset is *important data* is a question of legal interest, not of internal sensitivity ranking. You cannot grade your way out of an obligation that attaches by law. - **Expect overlap, not replacement.** When a personal-information dataset reaches scale, expect PIPL and DSL regimes to apply *together*. Neither one swallows the other. - **Read sector catalogues as inventories, not as definitions.** The *important data* catalogues that industry regulators publish are mediators. They help identify which data, in a given sector, belongs to the important-data category. They do not independently constitute the category. - **Expect cross-border persistence.** Once data is identified as important data, the identity follows it. The point of the regime is precisely *not* to let identity drift across borders or across owners. The deeper point in Hong's essay — and the reason it is worth a careful read — is methodological. The Chinese data-protection regime is sometimes treated by overseas observers as a translation of GDPR with Chinese characteristics. It is not. The conceptual primitives are different. Where GDPR centers on the *data subject* and the rights they hold, Hong's reconstruction centers on the *legal interest* the state is protecting. Personal information, important data, and core data are categories carved out by different legal interests — not points on a single severity scale, and not analogues of GDPR's personal-data tiers. The category-vs-tier distinction is just the most concrete example of why importing GDPR's conceptual furniture into the Chinese regime is not a safe shortcut. --- — Hong Yanqing, *Reconsidering the Nature of Important Data: Category vs. Tier* (重要数据性质的再认识:级别概念 vs. 类别概念), 网安寻路人 WeChat Official Account, May 4, 2026. [Original article.](https://mp.weixin.qq.com/s/RmrIs3PZnEHkGsMl3vlutg) *Not legal advice.* --- ## Why China Used Foreign Investment Security Review on Manus — Not Tech or Data Export - Published: 2026-04-28 - Author: DCC Editorial - Tags: foreign-investment-security-review, manus, ai-agent, cross-border, commentary - Laws cited: pipl, dsl, data-export-security-assessment-measures, foreign-investment-security-review-measures - Domains: cross-border, ai-governance, cybersecurity-review - URL: https://datacompliancechina.com/posts/manus-foreign-investment-security-review/ - Markdown: https://datacompliancechina.com/posts/manus-foreign-investment-security-review.md - Original source: https://mp.weixin.qq.com/s/2Vs70BM2ILAE_qqKsdfAjw - Original author: 洪延青 - Original publication: 网安寻路人 ### Description Hong Yanqing on Beijing's banning of Meta's Manus acquisition. The regulator's choice of pathway — Foreign Investment Security Review, not Technology or Data Export — signals a shift from 'transaction-level' to 'capability-level' oversight of frontier AI projects, with implications for any overseas tech investment touching China. ### Body > *Editor's Note — DCC.* > > Hong Yanqing is one of the most influential voices on Chinese > data-protection law. His commentary often focuses on conceptual structure — > what regime applies, why it applies, what it can and cannot do. When the > Chinese state acts, Hong's habit is to read the regulator's choice of > pathway rather than just the outcome. > > On April 27, 2026, the NDRC's Foreign Investment Security Review Office > banned an unnamed foreign acquirer — widely reported to be Meta — from > acquiring "the Manus project" and ordered the parties to unwind the > transaction. The official announcement was one sentence. No transaction > structure, no reasoning, no remedies specified. Most overseas commentary > read this as a geopolitical signal. Hong reads it as a > regulatory-architecture signal — and finds the *choice of pathway*, not the > outcome, to be the more important story. > > We rewrote rather than literally translated his analysis because the > framing he uses — "capability-level" versus "transaction-level" regulation — > is exactly the kind of reframing that gets lost in plain rendering but > reshapes how an overseas compliance reader should understand China's > emerging cross-border M&A regime for frontier technologies. On April 27, 2026, an unusually terse one-sentence notice appeared on the National Development and Reform Commission's website. The NDRC's Foreign Investment Security Review Office had banned an unnamed foreign acquirer from acquiring "the Manus project" (Manus 项目) and ordered the parties to unwind the transaction. That was the entire announcement. No transaction structure. No reasoning. No remedial measures specified. Just the decision. Manus is an AI Agent — not a chatbot but a system that plans tasks, calls tools, generates code, conducts market research, builds applications, and operates browser and local computing environments. Its corporate parent at the time of the deal was a Singapore entity, Butterfly Effect Pte, but the project traces back to a Beijing-registered entity. By the acquirer's public account, the post-acquisition plan was for Manus to discontinue operations in China. Most overseas commentary treated the decision as a geopolitical signal — China blocking a Big Tech acquisition. Hong Yanqing, in an April 28 analysis on his WeChat channel 网安寻路人, treats it as something more specific: a regulatory-architecture signal. The question he asks is not *whether* the deal should have been blocked, but *how* — through which regulatory regime. The choice, Hong argues, matters enormously. The Manus deal could plausibly have been routed through at least three different regulatory pathways. The one Beijing chose — Foreign Investment Security Review — signals that China's regulators have rewritten the conceptual frame for handling cross-border transactions in frontier-technology projects. ## Three pathways, three different theories of what is at risk Hong walks through the three plausible regulatory routes and what each can and cannot do. **Technology Import/Export Management.** Under the Regulations on the Administration of Technology Import and Export and the Catalogue of Technologies Prohibited or Restricted from Export, regulators can control the transfer of specific technologies, technical secrets, patent licenses, technical services, and engineering documentation. The protected interest is *the order of technology flows* and national economic-technological interests. The granularity is technology-item-level — which specific technology, is it on a prohibited or restricted list, has it been properly licensed, has it been illegally exported. Routing Manus through this regime, Hong notes, would have focused on the Agent orchestration framework, the browser-operation modules, the tool-invocation system, the model-tuning methodology, the evaluation system, the source code — examining for each whether it was formed in China, whether it was transferred through relocation, code sync, licensing, or service, and whether the transfer required an export licence. But technology-export rules are best suited to *specific technology objects in transit*, not to a wholesale capability being absorbed. An AI Agent's core value rarely sits in a single patent or a single code file. It sits in team know-how, engineering systems, evaluation pipelines, product-iteration capacity, and future research direction — things that keep migrating through people, organizations, processes, and ongoing collaboration. Hard to enumerate. Hard to catalog. Technology-export rules catch what passes through a gate; the gate is not where the loss is happening. **Data Export Security.** Under DSL, PIPL, and the cross-border data-transfer regime, regulators can control the export of personal information and important data. The protected interest is the security of personal information, the security of important data, and the orderliness of cross-border data flows. The granularity is data-level — which data, was it collected in domestic operations, is it personal information or important data, has it cleared the security assessment or standard contract pathway. But Manus did not primarily serve the Chinese public. Without a substantial body of domestic user data, the data-export pathway can only address residual traces — historical beta data, R&D data, employee debugging data, Chinese-language evaluation samples, early PoC data. Useful as a supplementary route, perhaps, but not the spine of the case. The deeper problem, Hong notes, is that AI-system data risk is *derivative*: data that has flowed into model fine-tuning, evaluation pipelines, agent strategies, or tool-invocation flows no longer exists as a discrete, identifiable file you can ask someone to delete. The remedy in such cases is not to "delete data" — it is to identify and dispose of the model versions, agent components, evaluation systems, and derivative outputs that bear the imprint of China-origin data, code, or technical assistance. That is not a data-export problem any more. **Foreign Investment Security Review.** Under the Foreign Investment Security Review Measures, regulators can review foreign investment in China that affects or may affect national security. Article 2 covers new projects, M&A of equity or assets, and other forms of domestic investment by foreign investors — direct or indirect. Article 4 brings important information technology, internet products and services, and key technologies into the mandatory pre-notification scope. The legal test is *actual control* — defined broadly to include not just over-50-percent equity, but voting-share thresholds and "other circumstances that can materially influence operational decisions, personnel, finance, or technology." The protected interest under FISR is not a single technology or a single dataset. It is *control of key sectors* and the security of national capability as a whole. The granularity is capability-level — after the deal closes, who controls this technology project, this team, this R&D direction, this industrial capacity. This, Hong argues, is the heart of the Manus case. ## From transaction-level to capability-level The Manus risk Hong identifies has three components, and none of them is captured well by the first two regimes. First, the transaction would have moved a China-origin technology asset in the general AI Agent space wholesale into a foreign tech ecosystem. Second, it would have absorbed the core R&D personnel, engineering systems, and product team into a foreign company's structure. Reuters reported that some Manus employees had already moved into the acquirer's Singapore office, with the project still being pushed forward. Whatever the individual founder's arrangement, the team- and project-level integration was already advanced enough that the acquisition was not of a discrete software product but of an ongoing, evolving research-and-development capability. Third, it would have placed Manus's future technology roadmap, product direction, and commercial path under the acquirer's control. In AI Agent development, Hong notes, competition is not a one-time delivery — it is continuous iteration. Whoever controls team, compute, capital, product surface, and global distribution channels controls the direction in which the capability evolves. The three regimes answer three different questions. Technology export answers *did technology cross a border?* Data export answers *did data cross a border?* Only Foreign Investment Security Review answers *did a capability come under foreign control?* By routing Manus to FISR, Hong argues, the regulator made a paradigm choice. The regulatory object has shifted from *single technology flow* to *frontier capability ownership*. ## The Singapore problem — and the look-through answer There is an obvious legal-technical problem with using FISR here. The acquirer formally bought a Singapore entity (Butterfly Effect Pte), not a Chinese company. Article 2 of the FISR Measures applies to investment "within China." How does it bite on an offshore equity deal? This is the heart of the *zǒu chū qù Xīnjiāpō* — "leave for Singapore" — strategy that has become common for Chinese tech founders thinking about overseas capital: relocate the registered entity, operations, IP, and core personnel offshore first, then have a foreign investor acquire the offshore vehicle. The argument is that the subsequent capital transaction sits outside the Chinese foreign-investment security regime. The Manus decision suggests the Chinese regulator did not stop at registered location. Hong's read of the analytical method is a "look-through" test, asking: - Where was the core technology formed? - Where did the core R&D team complete primary development? - Did the IP, code, model components, technical documentation, and evaluation systems sit at any point with a Chinese-domiciled entity? - Are the Singapore relocation and the subsequent acquisition coordinated arrangements — coupled in time and purpose? - Does the offshore equity transaction substantively transfer control of the China-origin key technology project? A scholar Hong quotes, Cui Fan of the University of International Business and Economics, sketches the technical mechanism. Manus's onshore Beijing entity is held through a domestic WFOE ("Red Butterfly"), which is contractually controlled by an offshore VIE structure that goes Hong Kong → Cayman. The Cayman entity's shareholders are the founders plus the past investment rounds. When the foreign acquirer purchases the Cayman vehicle, the ultimate controller of Red Butterfly changes — and under the Foreign Investment Enterprise Information Reporting System, that is a *mandatory reportable material change*. The regulator does not need a Chinese-counterparty equity deal in order to have jurisdiction. The change in ultimate control of a contractually controlled onshore entity is enough. Worth noting too: the NDRC announcement used the phrase "Manus project" (Manus 项目), not "a certain Singapore company." The "project" framing is deliberate. It treats Manus as a composite of technology, team, IP, code, product, and commercial arrangements rather than as a single registered legal entity. The regulator declined to limit the inquiry to corporate form. ## What "eliminating the impact on national security" looks like If the deal had been routed through technology export, the toolbox would have been about disposing of specific technology assets — classification, licensing, contract registration, halting unauthorized transfers, recalling or sealing technical materials. If it had been routed through data export, the toolbox would have been about controlling data flows — localization, security assessment, standard contracts, deletion of non-compliant exports. Because it was routed through FISR, the toolbox is about *unwinding control*. Hong walks through what a credible remedy package would look like: - **Unwind the transaction and restore the pre-deal state.** Rescind the acquisition; refund payments; restore pre-deal equity, governance, and voting arrangements; cancel board seats, observer rights, vetoes, options, convertibles, and side letters that could constitute disguised control. - **Strip de facto control.** Even if the equity layer is unwound, check whether the acquirer retains effective control through management agreements, technology-integration contracts, exclusive partnerships, cloud-infrastructure dependencies, code-repository permissions, model-repository permissions, sysadmin permissions, or product-roadmap authority. FISR is not about paper equity; it is about actual control. - **Build a China-origin controlled-asset inventory.** The inventory should include core code, the Agent planner, tool-invocation frameworks, browser-operation modules, sandbox environments, model components, fine-tuning data, evaluation systems, technical documentation, product roadmaps, internal experiment records, Chinese-language task samples, early PoC data, and engineering know-how. Without such an inventory, "restoration" and "elimination of impact" cannot meaningfully be carried out or audited. - **Disable, roll back, retrain, or clean-room rebuild contaminated models.** This is Hong's most novel point. In an AI-system context, it is not realistic to "precisely delete" specific data from a trained model's parameters. The credible remedy is to identify the model versions, agent components, workflow templates, evaluation systems, and product features that were influenced by China-origin controlled assets, and to disable, roll back, retrain, or clean-room rebuild them. The acquirer can keep developing its own AI Agent. It cannot use Manus's China-origin controlled assets as a shortcut. - **Separate personnel from controlled technical assistance.** Hong distinguishes carefully between *restricting personnel mobility* — which he views as likely overreach — and *restricting controlled technical assistance*, which he views as appropriate. The remedy should not be that founders cannot join the acquirer; it should be that they cannot supply the acquirer with non-public code walkthroughs, architecture migrations, model-tuning training, evaluation-system reproduction, or product-integration assistance, and that personnel already at the acquirer cannot continue accessing Manus's China-origin controlled assets. - **Independent technical audit and ongoing supervision.** Company self-certification is not enough. The remedy should require independent technical audits of equity arrangements, contracts, code repositories, model repositories, cloud resources, access logs, Git commit histories, documentation systems, personnel training records, and product integration — verifying that what looks unwound on paper has in fact been unwound in operations. ## Why this matters for overseas counsel For practitioners advising on cross-border technology investment into or out of China, the Manus decision carries several immediate practical implications. - **Registration location is not the end of the analysis.** A clean Singapore (or Cayman, or BVI) corporate structure does not, by itself, place a transaction outside the reach of Chinese foreign-investment security review. The regulator will look through to where the technology was formed, where the R&D happened, how the IP moved, and whether the offshore restructuring and the acquisition form a coordinated whole. - **AI Agent and other "frontier capability" deals are now squarely within the FISR scope.** The regulator's choice of pathway tells you which objects it considers worth protecting. Frontier AI capability is now one of them. - **Expect remedies to focus on control, not on code transfer.** If a deal is challenged, the remedies will be drafted to unwind control — including remedies such as model rollback and clean-room rebuild that have no precedent in the technology-export or data-export toolkits. - **The "project" framing widens the universe.** When the regulator analyzes the object of a transaction as a project rather than as a registered entity, the universe of touchpoints expands. Contracts, personnel, repositories, cloud arrangements, and evaluation pipelines all become part of the object under review. Hong's framing — *where this capability came from, where it is going, and who will ultimately control it* — is the question overseas advisors will need to answer before transactions, not after a regulator's one-sentence decision. --- — Hong Yanqing, *Manus 案的监管范式选择:为什么是外商投资安全审查?* (The Choice of Regulatory Paradigm in the Manus Case: Why Foreign Investment Security Review?), 网安寻路人 WeChat Official Account, April 28, 2026. [Original article.](https://mp.weixin.qq.com/s/2Vs70BM2ILAE_qqKsdfAjw) *Not legal advice.* --- ## Cold Water on 'Token Trading' — Wang Qinglan on the NDA's High-Quality Data Set Initiative - Published: 2026-04-24 - Author: DCC Editorial - Tags: tokens, ai-training-data, data-trading, national-data-administration, commentary - Laws cited: data-foundation-system-opinions, common-data-terms-batch-1, common-data-terms-batch-2 - Domains: data-economy, ai-governance - URL: https://datacompliancechina.com/posts/qinglan-token-trading-cold-water/ - Markdown: https://datacompliancechina.com/posts/qinglan-token-trading-cold-water.md - Original source: https://mp.weixin.qq.com/s/0Nbcam7GbrYx8d31JmTGGA - Original author: 王青兰 (Wang Qinglan) - Original publication: 青兰数据观察 ### Description In March 2026, the National Data Administration released the *Implementation Plan for Promoting High-Quality Industry Data Set Construction (Draft for Public Consultation)*, which explores a 'token (词元) based value system' and 'token trading as a new transaction mode' for high-quality data sets. The Chinese AI policy community immediately heralded the move as 'revolutionizing data trading.' Wang Qinglan pours cold water: token is a measuring unit, not a magic transformer. AI tokens are not crypto tokens. The bottleneck in China's data-element market isn't measurement — it's supply, rights clarity, compliance cost, and data silos. ### Body > *Editor's Note — DCC.* > > In March 2026, the National Data Administration released the > *Implementation Plan for Promoting High-Quality Industry Data Set > Construction (Draft for Public Consultation)*, introducing "token > (词元) based value system" and "token trading" as exploratory concepts. > Chinese AI policy commentary immediately escalated: token trading > would "revolutionize" data trading, "subvert digital economy rules," > "reconstruct value systems." Wang Qinglan — head of compliance at a > Chinese data exchange and one of the closer observers of the > data-element market — pushed back. This brief tracks her argument. > DCC's framing emphasizes the policy context for overseas readers who > see this concept appearing in Chinese policy documents and need to > understand what it actually means. ## First — AI tokens are not crypto tokens The piece opens with a disambiguation that overseas readers in particular need. The word "token" in Chinese AI policy refers to the **AI processing unit** — the unit by which large language models segment text for processing. *Not* the crypto-asset *Token* that can be traded, hoarded, and speculated on. The official Chinese rendering, **词元** (literally, "word element"), was formally adopted by the National Data Administration in March 2026. Wang's clean separation: - **AI tokens (词元)** = a measuring unit for AI compute consumption. Analogous to *kWh* for electricity, *gallons* for water, or *gigabytes* for data transmission. AI service providers charge by token consumed. - **Crypto tokens (通证)** = digital assets. Can be bought, sold, and speculated on. Subject to crypto-market dynamics — completely unrelated to AI. If a reader confuses the two, the entire token trading discussion becomes incoherent. Wang's first move is to insist on the distinction. ## The NDA's March 2026 policy move The *Implementation Plan for Promoting High-Quality Industry Data Set Construction (Draft for Public Consultation)* (March 2026) introduces two notable phrases: > *"Explore a token (词元) based value system."* > > *"Explore new transaction modes such as token trading, building a quantifiable, priceable data set value system based on tokens."* The doctrinal move: extending the role of tokens from *AI compute pricing* (output side) to *data set pricing* (input side). The reasoning: if AI consumes data measured in tokens, perhaps the data sets it consumes should also be priced in tokens. Wang's analogy: "previously, 'kilograms' was just a unit the mill used to charge for processing. Now someone proposes using kilograms to *sell the wheat itself.*" In principle, the move is reasonable. In practice, it conflates different problems. ## The scale metaphor Wang's central conceptual move: **the token is a scale, not a transformer**. The scale weighs things. It can weigh wheat (raw data), flour (processed data resources), and cakes (refined data products). But: - A scale doesn't grow more wheat. - A scale doesn't change the quality of the flour. - A scale doesn't make cakes appear from the oven. It just measures. This is the lens Wang applies to the over-claims about token trading. ## Three over-claims and their flaws ### Over-claim 1 — "Token trading will revolutionize data trading" The claim: token-based pricing creates a unified standard for the data market, making everything more efficient and transparent — *revolutionizing* the market. Wang's response: a more precise scale does help, *but only for standardized goods*. Token-based pricing makes sense for *standardized AI training data sets* — the equivalent of *flour, a homogeneous commodity that can be sold by weight*. But the data market is bigger than that. It also includes: - **Raw data** — wheat. Token pricing is wrong; raw data is sold by other dimensions. - **Deeply processed data products** — cakes and pastries. Industry insight reports, market analytics, custom data products. These are priced by *creativity, brand, scarcity, and value*, not by *weight*. A scale that can only measure flour, applied to wheat and cakes, distorts pricing. *"Revolutionizing data trading" is overreach.* ### Over-claim 2 — "Token-based pricing solves the data-element market" The claim: with token-based pricing, the data-element market will function. Wang's response: the bottleneck isn't measurement. *"What is China's biggest data-trading-market problem today? A missing scale? A missing unit? No."* The real bottlenecks: - **Insufficient high-quality data supply.** The shelves are nearly empty. - **Unclear data rights attribution.** Buyers don't trust they can use what they buy. - **High compliance cost.** Risk-averse sellers hold back. - **Data silos.** Data that exists isn't shared. A more precise scale doesn't solve any of these. *"Like giving a starving restaurant a more elegant spoon and claiming it will revolutionize the food industry."* ### Over-claim 3 — "AI's token algorithm transfers directly to data trading" The claim: AI's token-counting method should be the basis for data trading pricing. Wang's response: AI tokens are not language-neutral. They're optimized for the AI's compute efficiency — high-frequency word combinations merge into single tokens; low-frequency characters split into multiple tokens. The consequence: - A given semantic unit in English typically requires ~80 tokens. - The same semantic unit in Chinese requires ~120–150 tokens. - Lower-frequency languages can double or triple the count. If AI's token algorithm becomes the basis for data set pricing, **language difference, not data value, determines price**. A 1,000-token Chinese data set would be objectively worth less in token terms than a 1,000-token English data set — even if the Chinese data set is more valuable in content. The fix would require a *new* tokenization algorithm specifically for data-set pricing, decoupled from AI compute optimization. The NDA's draft doesn't yet specify what that algorithm would look like. ## What Wang's piece doesn't say but DCC notes The 国家数据局 (NDA) policy move is, on its own, not unreasonable. There IS a real benefit to having a unit of account for AI training data sets. Standardization helps. The criticism Wang directs at is *not* the NDA's policy — it's the *secondary commentary* claiming token trading will revolutionize the market. In DCC's reading, this is a useful primer for overseas observers because: - The "token trading" concept will appear in Chinese AI policy discussions for the next 12–24 months. Foreign readers need a sober framing. - The conflation of AI tokens and crypto tokens is real — and is being deliberately exploited by some commentators to attract attention. - The bottleneck Wang identifies — **high-quality data supply**, **rights clarity**, **compliance cost**, **data silos** — is the genuine constraint on the Chinese data-element market. Foreign teams advising on Chinese data deals should focus on these problems, not on the token trading hype. ## Why this matters for overseas teams Three operational takeaways: - **The "high-quality industry data set" framework is real and matters.** The NDA's draft Implementation Plan is the real policy direction — token trading is just one (overhyped) element of it. The plan's emphasis on industry-specific high-quality data sets, with standardized formats and quality, is the operational lever that will shape Chinese AI data supply over the next 2–3 years. Multinational AI providers active in China should align with the high-quality data set standards as they emerge. - **Token trading is a unit of account, not a market revolution.** When evaluating Chinese partner pitches that invoke "token trading," strip out the hype. The token is a measuring unit. The question for the deal is the same as it was before: what data is being acquired, what rights attach to it, what compliance has been done. Token-pricing is downstream of those questions, not a substitute for them. - **The four real bottlenecks are the operational risk map.** *Insufficient high-quality data supply* — sourcing risk. *Unclear data rights attribution* — title risk. *High compliance cost* — friction risk. *Data silos* — integration risk. A multinational's China data strategy will rise or fall on how it addresses these four. The token trading discourse is mostly a distraction from this map. The deeper observation in Wang's piece is that **policy hype cycles in the Chinese data-element market need a skeptical Chinese-language voice to puncture them**. Wang plays that role within the data exchange community. For overseas readers, having access to a sober Chinese perspective — not the hype, not the foreign critic — is one of the more useful things DCC's editorial mandate is built to provide. --- — Wang Qinglan (王青兰), *给"词元交易"泼一盆冷水* (Pouring Cold Water on "Token Trading"), 青兰数据观察 WeChat Official Account, April 24, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/0Nbcam7GbrYx8d31JmTGGA) *Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation. The author's views are her own and do not represent her employer.* --- ## When PIPL Violation Becomes a Crime — Hong Yanqing on China's Personal Information Criminal Threshold - Published: 2026-04-22 - Author: DCC Editorial - Tags: criminal-liability, pipl, judicial-interpretation, mozhi-case, commentary - Laws cited: pipl, civil-code-personal-info - Domains: personal-information, enforcement - URL: https://datacompliancechina.com/posts/pipl-criminal-threshold/ - Markdown: https://datacompliancechina.com/posts/pipl-criminal-threshold.md - Original source: https://mp.weixin.qq.com/s/5tXYwpeuLqkOLqv7xfTGgg - Original author: 洪延青 - Original publication: 网安寻路人 ### Description Hong Yanqing on the criminal-side analog to PIPL — when does mishandling personal information cross from administrative violation into the crime of 'infringing on citizens' personal information'? His critique: the two key elements ('relevant State provisions' and 'serious circumstances') are too loose, and courts have stretched them in ways that should worry compliance teams. ### Body > *Editor's Note — DCC.* > > Hong Yanqing is one of the most influential voices on Chinese data-protection > law. This piece is a republication on his WeChat channel 网安寻路人 of a > 2023 paper he originally published in the academic journal 《数据法学》(*Data > Jurisprudence*) — a journal hosted at the People's Public Security > University of China. It is academic in form but practitioner in stakes. > > The stakes: PIPL describes administrative liability — fines, business > suspensions, individual penalties. But mishandling personal information in > China is also a *crime* under Article 253-1 of the Criminal Law — the > offense of "infringing on citizens' personal information." Conviction can > carry up to seven years' imprisonment for serious cases. The line between > "administrative violation" and "criminal offense" is drawn by two elements > of the crime, both of which Hong argues are dangerously underspecified. > Courts have stretched both — sometimes to convict on the basis of regulations > that have nothing to do with personal information protection at all. > > For overseas compliance teams operating in China, the practical lesson is > not that the criminal line is bright. It is that it is not bright. And how > Chinese courts read the two ambiguous elements is the difference between > a notice of administrative penalty and a criminal docket. We rewrote rather > than literally translated the paper because the core diagnostic — that the > *quantitative threshold* and the *unrelated-regulation problem* both > threaten the principle of legality — is exactly the kind of conceptual move > that gets lost in plain rendering but reshapes how an overseas reader > should weigh China's criminal-side PI exposure. China's regime for personal information protection has two layers. The civil and administrative layer — the Civil Code and PIPL — is the layer foreign compliance teams know well. The criminal layer — Article 253-1 of the Criminal Law and the 2017 Judicial Interpretation issued jointly by the Supreme People's Court and the Supreme People's Procuratorate — is less familiar, and more consequential. The crime is called *qīnfàn gōngmín gèrén xìnxī zuì* — the offense of "infringing on citizens' personal information." It was inserted into the Criminal Law in 2009, refined in 2015, and given a detailed implementation regime by the 2017 Judicial Interpretation. By 2023, courts had handled tens of thousands of cases under it. Maximum sentence: seven years. The crime has six elements, but two of them carry the real weight in deciding whether a defendant goes to jail. Both, Hong Yanqing argues, are too loose to deliver legality. ## Element one — "relevant State provisions" The first ambiguous element is what counts as "relevant State provisions" (*guójiā yǒuguān guīdìng*) — the predicate body of law that defendants must have violated. Until 2015, the operative phrase was the narrower *guójiā guīdìng* ("State provisions"), defined in Article 96 of the Criminal Law as laws and decisions of the National People's Congress and its Standing Committee, plus regulations, administrative measures, decisions, and orders of the State Council. Departmental rules — issued by ministries — were *not* included. The 2015 Criminal Law Amendment changed the predicate to *guójiā yǒuguān guīdìng* — adding the word *yǒuguān* ("relevant"), broadening the scope. The 2017 Judicial Interpretation went further. Under it, "relevant State provisions" includes laws, administrative regulations, *and departmental rules* (部门规章) related to personal information protection. That expansion is the source of the trouble. Hong's critique has two strands. **The first**: the principle of legality (*zuì xíng fǎ dìng yuán zé*) — the requirement that criminal liability be foreseeable from the statute — pushes the other way. Article 96's definition of "State provisions" is intentionally narrow, because in the Chinese legal hierarchy departmental rules can contradict each other and proliferate quickly. Using them as the predicate for criminal liability creates exactly the kind of unpredictability the legality principle is meant to prevent. Hong's read: the broader "relevant State provisions" formulation should be read *within* the framework Article 96 sets — the addition of "relevant" narrows the universe of *State provisions* to those relevant to personal information protection, not enlarges the universe to include subordinate rules. **The second strand is the empirical one** — and this is where Hong's argument bites. He gives three case examples in which Chinese courts have used regulations *that have nothing to do with personal information protection* as the predicate "relevant State provisions" for conviction. - In one case (*Ding et al.*), an employee of a Real Estate Registration Center sold property-ownership and homeowner phone-number records to outsiders. The court found him guilty under Article 253-1, citing the *Interim Regulations on Real Estate Registration* and the *Interim Measures on Real Estate Registration Information Inquiries* as the relevant State provisions he had violated. But — Hong observes — those regulations exist to govern the *real estate registration system*, not to protect personal information. They contain no personal-information-protection rules. Using them as the predicate for an Article 253-1 conviction stretches the statute. - In another case (*Zheng et al.*), a baby-formula salesperson bribed hospital staff for new-mother and newborn contact information to sell formula. The court convicted under Article 253-1 by reference to the *Administrative Measures for the Sale of Breast-Milk Substitutes* and the *Maternal and Infant Health Law*. Again — those statutes regulate the marketing of breast-milk substitutes and maternal-health work, not personal-information handling. Their use as the predicate of a personal-information crime is, in Hong's reading, a category mistake. - In a third case (*Chen Moulin*), the court held that domain-name registration records held by the defendant constituted "citizens' personal information" — because the *Internet Domain Name Management Measures* prescribe first-come-first-served registration. But the Measures protect the integrity of domain-name registration; they do not address whether domain-name records *are* personal information. The court used the unrelated regulation to convict. Hong's positive proposal: "relevant State provisions" should be limited to provisions that (i) are at national level (not local rules, not provincial measures); and (ii) substantively concern personal information protection — they actually exist to regulate how personal information is handled. Anything else risks expanding the criminal scope past the legislative purpose of the crime, and past what foreseeable. This last point matters more after PIPL took effect. The Civil Code (Articles 1034–1039) and PIPL set the affirmative boundaries of personal information protection in civil and administrative law. Some prior regulations contain definitions of "personal information" that do not match PIPL. Hong argues that where the older regulations and the newer specialized statute conflict, criminal courts should follow the newer specialized statute — otherwise the criminal predicate drifts away from the substantive regime that defines what personal information protection actually is. ## Element two — "serious circumstances" The second ambiguous element is "serious circumstances" (*qíngjié yánzhòng*) — required for criminal liability to attach at all, and *especially serious circumstances* for the upper sentencing tier. The 2017 Judicial Interpretation tried to make this operational by listing quantitative thresholds: - Selling, providing, or illegally acquiring 50 or more pieces of certain sensitive personal information items (location data, credit information, communication content, health, transaction information). - 500 or more pieces of communication or accommodation records, credit information, and so on. - 5,000 or more pieces of ordinary personal information. Plus qualitative criteria: using the information to commit further crimes, causing serious harm to the individual, illegal gain above stated thresholds, repeated offenses, etc. The "especially serious" tier kicks in at 10× the "serious" threshold. Quantitative thresholds were a sensible move when the Interpretation was drafted — they give lower courts a predictable rule of thumb. But in the big-data era, Hong argues, they have become a problem. Modern personal-information cases routinely involve tens of millions to hundreds of millions of records. By a straight reading of the thresholds, nearly every contested case would land in the "especially serious" tier and trigger the upper sentencing range. Hong cites the *Zou Moulong* case to make the point. Defendant Zou ran a "China Black Defense League" forum that distributed 100 million+ personal-information records. Defendant Huang held about 1.84 million records. Defendant Yang held about 130,000. Under the threshold rule, all three are "especially serious." The court sentenced Zou to four years, Huang to three years, and Yang to two and a half years — radically different culpability but only modestly different sentences. The fines were identical for Huang and Yang. The threshold rule, used mechanically, flattens cases that should be differentiated. Hong's positive proposal here is more interesting than the diagnosis. He argues that "serious circumstances" should be assessed through a *multi-dimensional impact framework*, anchored on the actual harm to the affected individuals' lawful interests, not on raw counts. The dimensions: - **Type of personal information** — sensitive vs. ordinary, and within sensitive, the particular type (biometric, health, financial, communication content). - **Purpose and intended use** — particularly whether the information was used or intended to be used to commit further crimes. - **Method** — whether the acquisition was organized, large-scale, by force or fraud. - **Consequences** — actual harm to the data subjects: identity theft, harassment, financial loss, threat to safety. - **Subject's consent and authorization** — whether and how the data subject's consent was obtained or exceeded. The framework Hong proposes is essentially the *Personal Information Protection Impact Assessment* (PIPIA) framework that the administrative regime already uses — drawn from GB/T 35273, GB/T 39335, GDPR DPIA, and ISO/IEC 29134. The argument is that Chinese criminal courts already have a mature multi-factor analytical apparatus available — they just have not been using it. ## The Mozhi case — a workshop on both elements Hong devotes the final section of the paper to the *Mozhi (魔蝎) case* — the 2019 prosecution that practitioners regard as the canonical big-data personal-information prosecution of the PIPL transition period. Mozhi Technology operated a crawler service plugged into mobile lending apps. Loan applicants entered their credentials (social-security account, housing-fund account, etc.) and authorized Mozhi to log in on their behalf and scrape their public-services records, which the lender then used for credit decisions. The user's *Data Collection Service Agreement* with Mozhi promised that credentials would not be stored. In fact, Mozhi *did* store more than 21 million sets of plaintext credentials on its cloud servers — and used a subset of them (in particular, email credentials) to log in to user accounts again, without the user's renewed authorization. The court found Mozhi guilty of "infringing on citizens' personal information," circumstances especially serious. Hong's case analysis pulls out two careful distinctions. **First, on "violating relevant State provisions":** the court correctly held that the *initial* crawling was not the unlawful act. The user gave Mozhi the credentials and authorized the scrape; the act of using user-supplied credentials to access a third-party platform's user-facing interface is not an "intrusion" within the meaning of the unauthorized-computer-system-access crime. Whatever competing claim the platforms might have under unfair-competition law, this is not "illegal acquisition" under Article 253-1. What Mozhi *did* do unlawfully was *retain* and *re-use* the credentials past the agreed scope. The court treated this as "obtaining by other illegal means" — folding it into the same statutory category as theft. Hong is uneasy with this. *Obtaining* and *retaining-after-lawful-obtaining* are linguistically and conceptually different acts. The Judicial Interpretation defines "obtain by other illegal means" as "obtaining citizens' personal information in violation of relevant State provisions through purchase, receipt, exchange, etc., or in the course of performing duties or providing services." Retaining beyond the agreed scope is more naturally a *processing* violation under PIPL — handle outside the scope of consent — not an *acquisition* violation. Forcing it into "obtaining" risks distorting the statute. **Second, on "especially serious circumstances":** the court held the threshold met by reference to the volume of records retained (21 million+) and the illegal gain (~30 million yuan). Hong's critique is that the analysis is incomplete. The court did not specify how many of the 21 million credentials were actually re-used — only that a "portion" (email accounts) were. It did not analyze the actual harm to individual data subjects. It did not separately weigh that Mozhi's *initial* acquisition was lawful, that its commercial purpose was not in itself unlawful, and that the data-leak risk from cleartext storage, while real, is not the same as actual leakage. A multi-dimensional impact analysis would likely have produced a different conclusion at the "especially serious" boundary — and in any event would have produced a more reasoned one. Hong's verdict on Mozhi: the court's overall instinct was sound (administrative tools alone would not have been sufficient for the scale), but the legal reasoning at both elements is doctrinally weak. As a precedent, it leaves the boundary ambiguous in ways the principle of legality is meant to prevent. ## Why this matters for overseas compliance The criminal side of China's personal-information regime is less visible to overseas teams than PIPL administrative enforcement, but the practical takeaways are direct. - **Criminal liability is a real second track, not a theoretical one.** PIPL fines and criminal exposure are not alternatives — they coexist. Conviction can attach to employees, directors, and managers personally, not just to the entity. For foreign multinationals, the criminal track is also the channel through which Chinese authorities can act against locally employed foreign nationals. - **"Violating relevant State provisions" is not just PIPL.** Courts have used unrelated departmental and even local regulations as the predicate. The implication for compliance teams is that auditing personal information practices against PIPL alone may not be a complete picture of criminal exposure — there are sectoral regulations with personal-information-adjacent provisions that have been used in criminal cases. - **Quantitative thresholds dominate, but they are not the only test.** Where a compliance issue involves tens of thousands of records or more, the case is going to clear the headline threshold easily. The contestable terrain is the qualitative side — actual harm, intent, method — and that is where the defense theory lives. - **The boundary between "legal acquisition + unlawful processing" and "illegal acquisition" is being contested.** Mozhi-style fact patterns — legal initial collection followed by processing in excess of authorization — are common in modern data-services arrangements. Hong's reading is that those should be processing violations, not acquisition crimes. Whether courts adopt that view will shape exposure for an entire class of cases. - **A multi-dimensional PIPIA-style analysis is your strongest defense.** Hong's argument that "serious circumstances" should be judged through a substantive impact framework — closer to PIPIA than to a counting rule — gives defense teams a doctrinal anchor. Building such an analysis into compliance documentation, in advance, is a practical way to prepare for the case where you ever need it. Behind all five takeaways is Hong's larger point. The administrative regime under PIPL has matured. The criminal regime has not kept pace. Until the Judicial Interpretation is updated to reflect PIPL's substantive boundaries and the big-data era's quantitative realities, courts will continue to write the doctrine case by case — which means compliance teams in China are operating under a criminal liability rule that is not yet stable. --- — Hong Yanqing, *《个人信息保护法》背景下侵犯公民个人信息行为的罪与非罪认定标准分析* (Analysis of the Standards for Distinguishing Criminal from Non-Criminal Infringement of Citizens' Personal Information Under PIPL), originally published in *Data Jurisprudence* (《数据法学》), Vol. 4, 2023; republished on 网安寻路人 WeChat Official Account, April 22, 2026. [Original article.](https://mp.weixin.qq.com/s/5tXYwpeuLqkOLqv7xfTGgg) *Not legal advice.* --- ## When Is Facial Recognition in a Public Place 'Necessary for Public Security'? Hong Yanqing's Four-Element Framework - Published: 2026-04-04 - Author: DCC Editorial - Tags: facial-recognition, public-surveillance, pipl-article-26, proportionality-test, commentary - Laws cited: pipl, facial-recognition-judicial-interpretation, public-security-video-image-system-regulations, facial-recognition-technology-application-measures - Domains: personal-information, ai-governance, enforcement - URL: https://datacompliancechina.com/posts/public-place-frt-necessity-framework/ - Markdown: https://datacompliancechina.com/posts/public-place-frt-necessity-framework.md - Original source: https://mp.weixin.qq.com/s/gZIJDP5j9RW8S4NJDw_Mow - Original author: 洪延青 - Original publication: 网安寻路人 ### Description Hong Yanqing on how to operationalize PIPL Article 26's 'necessary for public security' principle for public-place video surveillance and facial recognition. His framework: a four-step necessity test, tiered risk regime with a published prohibited list, three-fold technical controls, and a lifecycle closure mechanism — drawing on EU AI Act and US state-level practice. ### Body > *Editor's Note — DCC.* > > Hong Yanqing is one of the most influential voices on Chinese > data-protection law. This piece is a republication on his WeChat channel > 网安寻路人 of a 2025 paper he originally published in 《公安学研究》 > (*Public Security Studies*), the journal of the Ministry of Public Security's > People's Public Security University. It is academic in form but practitioner > in stakes. > > The stakes: PIPL Article 26 sets the foundational rule for public-place video > surveillance and facial recognition in China — "necessary for public > security." The 2024 *Video Image Information System Regulations* and the > 2025 *FRT Measures* have built the implementing rulebook around it. But the > operational question — *when* is a deployment "necessary for public > security"? — has remained underspecified. Hong's paper proposes a four-element > framework to operationalize it: a four-step necessity test, a tiered risk > regime with a published prohibited list, three-fold technical controls, and > a lifecycle closure mechanism. > > We rewrote rather than literally translated the paper because the practical > question for overseas compliance teams — *what do regulators expect from a > public-place FRT deployment in China?* — is exactly what Hong's framework > answers in concrete detail. The brief reframes his argument for an audience > that needs to know what to build, not why the underlying jurisprudence is > what it is. PIPL Article 26 sets the foundational rule for public-place surveillance in China. Equipment installed in public places that captures images or identifies individuals must be "necessary for public security" (维护公共安全所必需), accompanied by conspicuous notice, and the data collected may only be used for that public-security purpose. Use for other purposes requires the individual's separate consent. In September 2024 the State Council issued the *Regulations on the Administration of Public Safety Video Image Information Systems* (公共安全视频图像信息系统管理条例). In 2025 the Cyberspace Administration of China issued the *Measures on the Security Management of Facial Recognition Technology Applications* (人脸识别技术应用安全管理办法). Together they form the operating rulebook for Article 26. But, Hong Yanqing argues in an April 2026 essay drawn from his paper in 《公安学研究》, the operating rulebook still does not answer the core question. Both implementing regulations restate the "necessary for public security" principle. Neither tells a compliance team — or a regulator — how to determine when a deployment is necessary. That gap is where Hong's paper does its work. Hong's diagnostic is that the necessity principle has remained a gestural concept. There is no conceptual unpacking — is "necessary" about the importance of the security objective, the indispensability of the technical means, or the minimality of the deployment scope? There is no procedural standard — no requirement to produce a structured necessity demonstration. There is no accountability mechanism — no standardized assessment template, no public verifiability. The result, he writes, is that the principle "spins in place" — invoked as authority but not actually doing the discriminating work a legal principle is meant to do. His proposal is structural: take the proportionality test that the European regime has spent two decades operationalizing and the patchwork of state-level biometric laws that the US has developed, extract their working architecture, and operationalize "necessary for public security" through a four-element framework. The framework is the kind of thing overseas compliance teams will recognize from GDPR practice — but cast specifically in PIPL Article 26 terms. ## The four-step necessity test Hong's first element is a structured proportionality-and-necessity test, conducted on every individual project, with four sequential layers. 1. **Purpose legitimacy.** The deployment must serve a definite and significant public-security objective with present urgency. Administrative convenience, commercial benefit, and image-building are not sufficient. The applicant must produce a risk assessment, historical incident data, or threat analysis demonstrating that the foreseeable harm without the measure justifies the measure. 2. **Means effectiveness.** The applicant must show a verifiable causal connection between the chosen technology and the security objective. If the technology cannot be shown to meaningfully advance the objective, the deployment is not necessary — it is symbolic. Required documentation: effectiveness data, technical performance metrics, expected false-positive and false-negative rates. 3. **Alternatives.** The applicant must show that no equally effective but less intrusive alternative exists. Patrol intensification, time-limited control, non-identifying cameras, document inspection — all are in the field of comparison. Where a less-intrusive alternative would suffice, the more intrusive technology cannot be deployed. 4. **Minimum harm.** Even after the first three are satisfied, the deployment must be minimized along several dimensions: capture scope, resolution, duration, retention period, and audience for the captured data. A human-in-the-loop mechanism and a grievance-correction channel must be available for any automated identification. Hong's procedural proposal is that the four-step analysis be institutionalized as a "necessity evidence packet" (必要性证据包). The applicant submitting a project should produce, in one package: risk baseline and threat assessment, objective and performance metrics, alternative-comparison and rejection rationale, capture-minimization plan, algorithm evaluation report, watchlist governance procedure, retention and destruction schedule, and a grievance mechanism. For facial-recognition projects, a separate Personal Information Protection Impact Assessment (PIPIA) and independent algorithm audit are mandatory additions. The burden of demonstration rests on the applicant — a "raise it, prove it" rule — and the regulator's role is to assess that demonstration and issue a conditioned approval or denial. This first element is the gate. Everything downstream is conditioned on it. ## Risk tiering and a prohibited / exception list The second element splits the projects that have cleared the gate into a tiered scheme, with a prohibited list at the edge. - **High risk.** Examples: post-hoc large-scale FRT analysis, real-time FRT monitoring in priority security zones, broad FRT deployment at large events or major transit hubs. Compliance obligations: mandatory PIPIA, monitoring, recording and audit mechanisms, certified algorithms with high performance and low false-positive rates, minimum retention with transparent destruction. - **Medium risk.** Examples: 1:1 identity verification within a limited zone (employee gate, library access, campus entry), ordinary security monitoring without identification. Compliance obligations: scoped purpose and scope, defined watchlist source and size, algorithm accuracy verification, periodic spot checks. - **Low risk.** Examples: anonymous analytics or situational sensing that does not identify individuals. Compliance obligations: basic transparency notice, data minimization. - **Prohibited list.** Examples: real-time 1:N FRT in open public space, routine identification of sensitive populations. These are structurally incapable of clearing the necessity test and should be explicitly listed. A narrow exception procedure — high-level authorization, defined applicability conditions, audit standards, post-use accountability — would govern the genuinely extraordinary edge cases. Hong's design point: the prohibited list and the tiering arise *from the same source*, the necessity test. A project that cannot clear the four-step test is automatically prohibited. A project that clears it is tiered by what the necessity analysis itself yielded. The two halves interlock. This is the part of Hong's framework that lifts most directly from EU practice. The AI Act's explicit prohibition on real-time 1:N FRT in open public space is the model. Hong wants the Chinese regime to publish an equivalent list — codified, public, and uniformly applied across provinces, so that the necessity-test edge cases do not get re-litigated in each local enforcement action. ## Three-fold operational controls — scene, watchlist, algorithm The third element translates tier into runtime parameters. Hong proposes three control surfaces. - **Scene control** ("where"). Define an allowed-scenes whitelist in the regulations, fix geographic boundaries with geofencing, and impose time windows. A camera that can only operate inside a defined polygon during a defined window is structurally incapable of "purpose drift" into routine social management. - **Watchlist control** ("who"). The matching database must be (i) bounded to the specific public-security objective — suspects in major criminal investigations, fugitives, high-risk missing persons; (ii) capped in size, with mandatory pre-deployment refresh and verification; and (iii) source-legitimate — no scraping from social media or commercial databases. Minors are default-excluded. An appeal-and-removal mechanism is mandatory. - **Algorithm control** ("what"). Accuracy and false-positive thresholds (Hong suggests false-positive rate ≤ 1‰ as a reference), bias evaluation across gender, age, and skin-tone subgroups, explainability (the system must produce a decision-path artifact suitable for external audit), and a human-in-the-loop step — all identification results must be human-verified before being used for enforcement decisions. Together, these three controls limit the deployment along three axes simultaneously. A scene-whitelisted camera in a geofenced perimeter operating during a posted window, matching against a small audited watchlist via a certified algorithm with mandatory human review — Hong's argument is that this is what "necessary for public security" looks like once it has been operationalized. ## Lifecycle closure — exit, rectify, destroy The fourth element is post-deployment. Necessity is not a moment-in-time judgment. It is conditional on the conditions that justified the deployment continuing to hold. When they cease to hold, the deployment must wind down. Hong proposes three closure mechanisms. - **Exit.** When a project no longer meets the necessity standard — because the security situation has changed, because the privacy cost outweighs the benefit on reassessment, or because a less-intrusive alternative has matured — the authority must be able to revoke the prior approval, order shutdown of the equipment, and halt the data collection. Hong notes the EU AI Act's parallel provision empowering member-state authorities to require providers to withdraw or recall AI systems. - **Rectify.** When problems emerge during operation — sudden spikes in false-positive rates, evidence of misuse, deficient privacy protection — the operator must self-audit and rectify rather than wait to be ordered. The regulator, in inspections or in response to complaints, can issue a rectification order with a deadline; for serious violations, the system can be suspended during rectification. - **Destroy.** Personal image data cannot be retained indefinitely. Hong's model: deletion or irreversible anonymization on the earlier of (i) the deployment purpose being achieved, (ii) the lawful retention window expiring, or (iii) the project being decommissioned. The reference he cites is the Illinois Biometric Information Privacy Act's requirement that biometric identifiers be deleted within three years of the last contact with the data subject, and the UK Surveillance Camera Code of Practice's requirement that footage be retained no longer than necessary. Destruction receipts and audit trails should be required so that operators cannot quietly retain data after a project has been wound down. ## Why this matters for overseas compliance For overseas teams operating in or vendoring to China, Hong's framework is several practical things at once. - **Article 26 is now operating regulation, not just principle.** With the *Video Image Information System Regulations* (State Council, 2024) and the *FRT Measures* (CAC, 2025), Article 26 has moved from statutory aspiration to operating rule. Filing obligations attach at concrete thresholds — for example, FRT systems storing facial data of more than 100,000 persons must file with provincial CAC within 30 working days under the FRT Measures. - **Build a "necessity evidence packet" before you deploy.** Hong's procedural proposal — a unified set of documents that operationalize the four-step test — is likely to influence regulator-facing documentation expectations going forward. Compliance teams that anticipate this and build the documentation pre-deployment will land in a stronger position when reviewed. - **The prohibited-list shape is becoming legible.** Real-time 1:N FRT in open public space is the EU's bright line; Hong's reading is that China is converging toward a similar list, narrower in scope and articulated through the Chinese implementing regulations. Vendors and operators should not assume that the most aggressive deployments are sustainable, even where the current statute permits them. - **The technical-controls layer is enforceable.** Geofencing, time windows, watchlist caps, algorithm certification, human-in-the-loop, audit logs — these are technical controls that can be verified by an inspector, and they are the surface most likely to be tested in enforcement. If they are not built into the architecture from procurement, retrofitting them later is expensive. - **Plan for lifecycle, not just launch.** The exit-rectify-destroy closure is where many existing deployments will discover gaps. Retention schedules, destruction receipts, and decommissioning audits have not always been built into the original procurement and architecture. Under Hong's framework, they need to be. The deeper point in Hong's paper — and the reason it is worth a careful read — is that *necessary for public security* is a principle that does its work only when it has been operationalized. Until it is, the principle protects nothing in particular; it just sits at the top of the regulation as a placeholder for a more concrete rule that has not yet been drafted. Hong's four-element framework is one way to draft that rule. For overseas compliance teams operating in China, it is also the most credible guide to what the regulator is converging toward. --- — Hong Yanqing, *公共场所视频监控与人脸识别的治理路径:国际经验与中国方案* (Governance Pathways for Public-Place Video Surveillance and Facial Recognition: International Experience and the Chinese Approach), originally published in *Public Security Studies* (《公安学研究》), 2025; republished on 网安寻路人 WeChat Official Account, April 4, 2026. [Original article.](https://mp.weixin.qq.com/s/gZIJDP5j9RW8S4NJDw_Mow) *Not legal advice.* --- ## Where China's Draft AI Anthropomorphic-Interaction Measures Need Work — A Scholar's Reform Map - Published: 2026-02-01 - Author: DCC Editorial - Tags: ai-governance, companion-ai, anthropomorphic-ai, pipl, genai, rulemaking, academic-commentary - Laws cited: ai-anthropomorphic-interaction-measures, pipl, genai-services-interim-measures - Domains: ai-governance, personal-information - URL: https://datacompliancechina.com/posts/anthropomorphic-ai-measures-reform-directions/ - Markdown: https://datacompliancechina.com/posts/anthropomorphic-ai-measures-reform-directions.md - Original source: https://mp.weixin.qq.com/s/iJYQs1bRzGCLx_Zi43HmNQ - Original author: 李汶龙 (Li Wenlong) - Original publication: 科技利维坦 WeChat Official Account ### Description Li Wenlong (科技利维坦) walks through the directions in which he would amend China's draft Interim Measures for the Administration of AI Anthropomorphic Interaction Services (人工智能拟人化互动服务管理办法) — the country's first dedicated rule on 'companion'-style AI. His critique is structural, not cosmetic: the core definition of '拟人化 (anthropomorphisation)' is too broad because it anchors on human-like expression rather than the real harm (relational dependency); the invented concept of '交互数据 (interaction data)' should be deleted and folded back into PIPL rather than blanket-prohibited; Chapter 2 mixes three incompatible duty types and should be split; the '1M registered / 100k MAU' security-assessment trigger is borrowed from other regimes and does not track real risk; and the training-data duties are horizontal obligations misplaced in a vertical rule. For overseas counsel building companion-AI or emotional-AI products for the China market: this is a map of where the draft is likely to move, and which duties fall on deployers versus base-model providers. ### Body > *Editor's Note — DCC.* > > This brief summarises 《AI拟人化互动服务管理暂行办法可以考虑修改的 > 几个方向》by Li Wenlong (李汶龙) on the 科技利维坦 channel — a set of > reform proposals he submitted as feedback on China's draft > [Interim Measures for the Administration of AI Anthropomorphic > Interaction Services](/laws/ai-anthropomorphic-interaction-measures/) > (人工智能拟人化互动服务管理办法). The draft is China's first rule > aimed specifically at "companion"-style AI — systems built to > simulate human personality and hold emotional conversations. Li is > broadly positive about the draft ("a quality piece of > quasi-legislation"), so this is not a takedown; it is a structural > critique from someone who thinks the rule matters and wants it to > work. DCC is running it because the draft has no clean foreign > analogue, and because Li's reform map is the most concrete public > guide to where the text is likely to move. The takeaway for overseas > counsel: if you are building emotional or companion AI for the China > market, watch the definition clause — it decides whether your product > is in scope at all — and watch the deployer-versus-model-provider > split, because the draft currently risks putting training-data duties > on parties who never trained a model. ## Why this rule is different Most of China's data and AI rulebook — from the [Personal Information Protection Law](/laws/pipl/) down through the algorithm and [generative-AI](/laws/genai-services-interim-measures/) measures — is built around *data governance*: collection and processing, algorithmic transparency, fairness, accountability. The anthropomorphic-interaction draft opens a different front that Li calls *relationship governance* (关系治理). The thing it is trying to control is not primarily a data flow; it is a *relationship* between a user and a system designed to be felt as a companion. That shift is why Li treats the rule as "concept-heavy" (很吃概念): the existing normative vocabulary does not map cleanly onto it, and the draft therefore lives or dies on how well it defines its new terms. His proposals divide into six directions. ## 1. The core definition is too broad The draft defines "anthropomorphisation (拟人化)" in Article 2 as simulating "human personality traits, thinking patterns and communication styles … and conducting emotional interaction with humans." Li's objection: because of how the clause reads, the weight falls on the first half — *simulating human traits* — rather than the operative second half, *emotional interaction*. That over-widens scope, sweeping in any tool with a human-like register. He argues the Western framing of **"companion AI" (陪伴型AI)** gets closer to the regulatory essence: the problem is not *simulation* — talking like a human has been an internal driver of computing since Turing — it is *over-dependence*. Anthropomorphisation, in the psychological sense, is the user projecting intent, emotion and agency onto a non-human system, which triggers over-trust, relational attachment and behavioural compliance. The techniques that actually manufacture that risk are specific design choices: persona-setting, long-term memory, data retention, proactively initiating conversation, emotional expression — all deployed to deepen trust and emotional investment until it becomes *relational attachment* (关系依附). Li's fix: anchor the definition on "emotional companionship as the primary functional goal," using a denser term — he floats "companion-style interaction service," "emotion-oriented interaction service," "anthropomorphic companionship interaction service" — so the rule binds to relational-dependency risk rather than to human-like expression, and does not capture the large class of tools that merely *sound* human without creating any binding risk. ## 2. Delete "interaction data" — don't blanket-prohibit it The draft's second conceptual innovation is **"interaction data (交互数据)"** — created mainly to capture the prompts, interaction behaviour, persona settings and occasionally uploaded files that are most valuable for model training and tuning (what Western privacy policies loosely call "content"). Whether such data may be used for model R&D is, Li notes, the single most contested question in GDPR-style AI regulation right now. He argues *against* the draft's instinct to prohibit its use outright in this measure, for three reasons: - **It isn't unique to companion AI.** Carving out a special prohibition here leaves every other kind of generative AI unaddressed, and is hard to reconcile with PIPL. - **The global trend is the other way.** Across the dozen-plus jurisdictions Li tracked over the past year, the direction is toward *easing* — treating model R&D as a lower-tier risk than the consent-governed services (personalised advertising, facial recognition) — often via a **legitimate-interest** basis. China's PIPL pointedly *did not* adopt a legitimate-interest ground, which makes a blanket prohibition here even more dissonant with the parent statute. - **It creates a "default-illegal" posture.** Absent legislation or precedent, prohibiting a still-contested processing purpose in a departmental measure manufactures presumptive illegality with shaky legal basis. His recommendation: delete the "interaction data" concept and its articles, or reduce it to a factual description ("chat logs and other historical interaction information generated in the course of using the service") and return the whole question to the existing PIPL personal-information-processing rules. More broadly, Li warns that the mechanism will "spin in the air" unless the draft supplies *measurable, operable, verifiable* base concepts — for relational structure, manipulation mechanisms, risk triggers and liability boundaries — and that definitions belong at the **front** of the instrument, not in an appendix, because they set scope. ## 3. Split Chapter 2 — it mixes three kinds of duty Chapter 2 ("Service Norms") currently blends three rule types with different risk logic and different compliance paths: 1. behavioural prohibitions and content red-lines; 2. capability-building and organisational duties (detection capability, emergency mechanisms, content moderation, staffing); 3. product and interaction-design duties (exit mechanisms, reminder mechanisms, a minors mode). Mixing them — and interleaving governance *tools* (security assessment, early warning, sandbox) with substantive *duties* — makes the chapter hard to read and hard to action, and will blur enforcement. Li proposes splitting it into (i) product/interaction-design duties; (ii) vulnerable-group protection (minors, the elderly, psychologically vulnerable users, plus intervention mechanisms); and (iii) risk assessment, monitoring and correction — and adding a new chapter on **platform responsibility and ecosystem governance** that pins down what app-distribution platforms owe in listing review, misjudgement correction and collaborative governance. ## 4. Make "tiered and classified regulation" real The general provisions promise "inclusive and prudent, tiered and classified regulation (包容审慎、分类分级监管)," but the structure never delivers a risk grading or differentiated duties. Li wants that operationalised so the burden is proportionate: - **Reserve the heavy duties for the real risk class.** Interaction-design and risk-monitoring duties should fall mainly on services whose primary function is emotional companionship *with* a relational-binding mechanism; pure-tool, customer-service and OA scenarios should get lighter general duties (basic transparency, an exit right) plus case-by-case triggers. California and New York offer referenceable paths here. - **Don't put model duties on deployers.** Many companion services do not train a base model — they call a third-party model or API and have limited control over training data or base-model safety. Imposing training-data-governance duties or model-training prohibitions on those *deployers* is unreasonable and unenforceable, and invites form-over-substance compliance and liability mismatch. Deployers should owe controllable product-design, prompting, exit and complaint duties; base-model and key-capability providers should be reached through collaborative liability and capability-boundary disclosure. - **Build in elasticity.** Over-rigid rules become "structural illegality." His example: Article 13's flat ban on "simulating an elderly user's relatives or specific related persons" is aimed at protecting older users, but anchoring the duty on *simulation* would wrongly hit fictional role-play, literary and dramatic characters, and user-set fictional identities; what should be prohibited is impersonating a *real, specific* natural person to induce trust, transfers or control. Regulatory sandboxes, much-discussed, still lack any stable organisational mechanism — and a sandbox without real ceded space, concrete risk relief and safe-harbour is just a slogan. ## 5. Handle "path dependency" carefully The draft leans on tools migrated from earlier regimes. Two cautions: - **The borrowed toolbox may not fit.** The security-assessment trigger — registered users ≥ 1 million / monthly actives ≥ 100,000 — is lifted from other contexts and does not track *this* risk: a companion service can be very niche yet very high-risk. Li proposes a tailored **"significant operational change (显著运行变化)"** concept with qualitative and quantitative indicators — e.g., within three consecutive calendar months, registered users / MAU / average daily use up more than 50% year-on-year or quarter-on-quarter; a marked rise in the share of single users averaging over four hours of continuous daily use; or a marked rise in the share triggering manual intervention, risk warnings or complaints. - **Restatement dilutes focus.** The general-duty enumerations (e.g., Articles 8–9) largely repeat obligations that already exist and do not create new ones; piling them in makes it harder for companies to identify what is genuinely new and harder for regulators to enforce precisely. Better to connect horizontal requirements by reference ("comply with the relevant provisions") and reserve the article space for this measure's distinctive relational-risk controls. ## 6. Profiling and emotion inference cut against PIPL Li's sharpest data-protection warning: protecting vulnerable users through precise identification and intervention requires *more* profiling — and a well-intentioned rule can become a pretext for exactly the high-risk processing (continuous emotion inference, psychological profiling, automated decision-making) that PIPL's **data-minimisation principle (最小必要原则)** and **sensitive-personal- information rules** are meant to restrain. His position: intervention duties should bite only in genuinely high-risk situations — a user clearly signalling suicide, self-harm or serious harm, or explicitly requesting mental-health support — and the rule should not push providers into *default* continuous emotional monitoring. ## A coda on legal coherence Li's own biggest concern — and, he notes wryly, the one practice cares least about — is system coherence. The draft contains at least two rule sets: one genuinely novel (identifying, intervening in and preventing anthropomorphism-driven dependency), and one of general data/AI duties, part of which merely restates existing law and part of which maps onto nothing — de facto quasi-legislation. Articles 10 and 15 on training-data governance, for instance, are *horizontal* obligations that belong in the generative-AI framework or a dedicated training-data norm, not embedded in a vertical companion-AI rule (especially where the deployer never trained the model). And the security-assessment articles (21–22) have an unclear pedigree — some trace them to the "new technology / new application" assessment, some to algorithm-governance guidance — which, Li argues, is exactly the kind of ambiguity a principled, PIPL-anchored interpretation should resolve. ## Why overseas counsel should care - **Scope turns on one clause.** Whether your product is regulated as "anthropomorphic interaction" depends entirely on the Article 2 definition. If Li's narrowing prevails, plain assistants and tools that merely sound human fall out; companion products built for emotional attachment stay firmly in. - **Know which layer you are.** The deployer-versus-model-provider split is the live drafting question. A company that only fine-tunes or calls an API should be pressing — as Li does — for product-design duties rather than training-data duties. - **The PIPL baseline still governs.** Where the measure is silent or over-reaches, Li's repeated answer is to fall back to PIPL — minimisation, sensitive-PI rules, and the absence of a legitimate- interest ground. That is the stable layer under a moving draft. This brief also connects to DCC's note on [system prompts as a regulatory instrument](/posts/system-prompts-as-regulatory-instrument/), Li's other piece on where AI rulemaking is hooking into model internals. ## DCC sources - Original: 李汶龙 (Li Wenlong), 《AI拟人化互动服务管理暂行办法可以 考虑修改的几个方向》, 科技利维坦 WeChat Official Account ([source](https://mp.weixin.qq.com/s/iJYQs1bRzGCLx_Zi43HmNQ)). - Rule under discussion: [Interim Measures for the Administration of AI Anthropomorphic Interaction Services](/laws/ai-anthropomorphic-interaction-measures/) (draft). - Related Chinese instruments referenced: the [Personal Information Protection Law](/laws/pipl/) (minimisation, sensitive-PI rules, absence of a legitimate-interest ground) and the [Generative AI Services Interim Measures](/laws/genai-services-interim-measures/). > This is an editorial summary, not a translation of Li Wenlong's > piece. The reform proposals and framings are his; any simplification, > error of emphasis, or operational extrapolation is DCC's. **Not legal > advice.** --- ## AI Agents and the Limits of Consent — When 'Authorisation' Stops Being One Click - Published: 2026-01-30 - Author: DCC Editorial - Tags: ai-governance, ai-agents, pipl, consent, automated-decision-making, privacy, academic-commentary - Laws cited: pipl, genai-services-interim-measures - Domains: personal-information, ai-governance - URL: https://datacompliancechina.com/posts/ai-agents-and-the-limits-of-consent/ - Markdown: https://datacompliancechina.com/posts/ai-agents-and-the-limits-of-consent.md - Original source: https://mp.weixin.qq.com/s/AH3wtKKKrTz7aQ91Xy2D-g - Original author: 李汶龙 (Li Wenlong) - Original publication: 科技利维坦 WeChat Official Account ### Description Li Wenlong (科技利维坦) takes the Doubao phone assistant — an AI that 'reads your screen' and acts across apps — and asks whether the consent/authorisation mechanism that traditional data law leans on can survive the agent era. His four challenges: the app-bounded 'private' environment dissolves as data and permissions move across apps (with Nissenbaum's Contextual Integrity as the only real conceptual anchor, and far from operational); agents that *act* (not just retrieve) push informed consent past the point of failure already reached by personalised ads; purpose limitation collapses because an agent chooses its own path, means and decisions from a low-information instruction, edging into automated decision-making; and ultra vires agency shifts liability from user to platform, with China's 'hallucination case' and the Air Canada case as the only thin precedents. For overseas counsel building or advising on agentic AI in China: a map of why 'authorisation' is becoming a problem of agency, system control, liability allocation and autonomy — not a checkbox — and why transparency is now a prerequisite, not a feature. ### Body > *Editor's Note — DCC.* > > This brief summarises 《当AI能"阅读"你的屏幕:用户授权能否化解跨端 > 智能体的隐私风险》by Li Wenlong (李汶龙) on the 科技利维坦 channel — > the privacy/authorisation companion to his > [reverse-interoperability piece](/posts/doubao-reverse-interoperability-on-device-agents/) > on the same Doubao phone assistant. Where that piece asked a > competition-law question (should the law restrict an agent that > over-interoperates), this one asks a personal-information question: > can the **consent/authorisation** mechanism that > [PIPL](/laws/pipl/) and every other digital-privacy regime depend on > survive an AI that reads your screen and acts across your apps? Li > leaves the question deliberately open — he flags it as the place real > theory-building is needed — so this brief maps his four challenges to > the existing framework rather than a settled answer. DCC runs it > because it states, more clearly than most, why "agentic AI" is not > just a new feature on top of the old consent model but a stress test > the old model may fail. ## The setup The Doubao assistant can "read the screen" and carry out tasks across applications on the user's behalf. That capability, Li argues, breaks a series of assumptions baked into pre-agent data law. He identifies four. ## 1. The app boundary — the unit of "privacy" — dissolves Existing data compliance is built inside a stable, clearly bounded app: the application is the unit within which a relatively settled "private" environment is maintained. Agents reshape that. Data, permissions and behaviour now move *between* apps, and there is — on Li's reading — no mature cross-app privacy or liability system to govern the movement. Helen Nissenbaum's **Contextual Integrity** offers a sense of direction and a conceptual basis, but turning it into workable institutional design is still far off, and requires rethinking the public/private dichotomy that most privacy law silently assumes. ## 2. Acting agents push informed consent past failure Traditional personalised advertising and recommendation already pushed *informed consent* close to ineffective — users click through notices they do not read or understand. An agent that does not merely collect and present information but **performs acts with legal effect** is a different order of magnitude. The user neither knows in advance how the agent will act, nor can predict what cross-app calls and stacked capabilities will produce. Li's blunt question: has the authorisation mechanism that traditional digital governance relied on already failed completely? ## 3. Purpose limitation collapses into automated decision-making Traditional data law manages expectation through **purpose limitation** — specify the purpose, restrict re-use for a changed purpose — and the path there has been relatively uncontroversial. Agents break this in two ways. First, much of what an agent does is *infer* human intent from language, an information-poor carrier. Second, in executing a command the agent's decision space is enormous — which path, which carrier, which service, which decision — and absent a clear upfront specification (which ordinary users cannot give), the agent is effectively performing **automated decision-making**. Purpose limitation becomes near- ineffective, because we cannot get the user to state each purpose and its scope in advance. Expectation-violating events become inevitable — and because neither the user *nor the platform* may know how a given decision was reached, **transparency becomes a prerequisite compliance question**, not a downstream nicety. ## 4. Ultra vires agency shifts liability to the platform The hardest problem is the agent that exceeds its authority (越权代理). To contain it, platforms want authorisation that is far more precise than the coarse traditional privacy policy — and the incentive is structural. Previously, a content problem could be attributed to the *user*, with the platform merely mediating. Once an agent takes on decisions, liability shifts to the **platform** — something that did not exist before. Platforms will therefore try to draw the boundaries ever more sharply at the authorisation stage. But how to draw them well, and where liability actually lands when something goes wrong, is entirely exploratory: China's so-called "hallucination case" is, in Li's view, too unrepresentative to anchor anything, and the Air Canada chatbot case abroad is an isolated example. ## The upshot Stacked together, these shifts mean **"authorisation" is no longer a one-click confirmation**. It becomes a complex problem spanning the agency relationship, system control, liability allocation and individual autonomy — one that, Li suggests, needs inputs from legal agency theory, AI-ethics/alignment work, and the philosophy of autonomy. Whether the traditional starting point of *consent* can still be used at all is the open question he sets himself to answer. ## Why overseas counsel should care - **Consent records won't carry the weight.** If purpose limitation cannot be specified ex ante for an agent, the PIPL-style consent artefact you collect at install will not, by itself, authorise what the agent later does. Expect pressure toward narrower, task-scoped, re-confirmable authorisation. - **Automated-decision-making rules are in play.** Once an agent chooses its own execution path from a vague instruction, PIPL's automated-decision-making provisions become live — including the transparency and explanation expectations that come with them. - **Liability is migrating to the platform/deployer.** The party running the agent inherits exposure that the old "user did it, we just mediated" posture deflected. Logging and explainability are the controls that make that exposure manageable. This brief pairs with Li's [reverse-interoperability analysis](/posts/doubao-reverse-interoperability-on-device-agents/) of the same product, and connects to DCC's coverage of China's [AI-agent governance framework](/posts/ai-agent-rules-governance-framework/) and [AI-agent risk taxonomy](/posts/ai-agent-rules-risk-taxonomy/), as well as Li's piece on [system prompts as a regulatory instrument](/posts/system-prompts-as-regulatory-instrument/). ## DCC sources - Original: 李汶龙 (Li Wenlong), 《当AI能"阅读"你的屏幕:用户授权能否 化解跨端智能体的隐私风险》, 科技利维坦 WeChat Official Account ([source](https://mp.weixin.qq.com/s/AH3wtKKKrTz7aQ91Xy2D-g)). - Conceptual anchor named by the author: Helen Nissenbaum, *Privacy in Context* (Contextual Integrity). - Precedents referenced: the Chinese "hallucination case" (treated as unrepresentative) and the Air Canada chatbot case (Canada). - Chinese framework in the background: the [Personal Information Protection Law](/laws/pipl/) (consent, purpose limitation, automated decision-making) and the [Generative AI Services Interim Measures](/laws/genai-services-interim-measures/). > This is an editorial summary, not a translation. The framing and the > open questions are Li Wenlong's; any simplification or error of > emphasis is DCC's. **Not legal advice.** --- ## China's Cybersecurity Law Just Got Teeth — The 2025 Amendment and What Changed - Published: 2026-01-12 - Author: DCC Editorial - Tags: csl, csl-2025-amendment, ai-governance, penalties, commentary - Laws cited: csl, pipl, dsl, civil-code-personal-info - Domains: cybersecurity-review, data-security, personal-information - URL: https://datacompliancechina.com/posts/compliance-talker-csl-2025-amendment-ai-and-penalties/ - Markdown: https://datacompliancechina.com/posts/compliance-talker-csl-2025-amendment-ai-and-penalties.md - Original source: https://mp.weixin.qq.com/s/p20K896Ad94taTuoecZqnQ - Original author: 全球法律政策研究 (Global Legal Policy Research Team) - Original publication: 合规小叨客 ### Description On October 28, 2025, the NPC Standing Committee adopted the first amendment to China's Cybersecurity Law since 2017, effective January 1, 2026. Compliance Talker's global legal policy team walks through what changed across 14 amendments: a new framework provision on AI safety and development, harmonization with PIPL and the Civil Code on personal information, sharply increased penalties (10× cap on top fines), expanded application of the dual-penalty system to individual officers, and broader extraterritorial reach. For overseas teams, the operational takeaway is that cybersecurity compliance is now an executive-level risk, not a documentation exercise. ### Body > *Editor's Note — DCC.* > > The first amendment to the **Cybersecurity Law** since its 2017 > enactment was adopted by the NPC Standing Committee on October 28, > 2025 and entered into force January 1, 2026. The amendment is > deliberately narrow ("small-cut" revision, in the official framing) — > 14 changes targeting AI, harmonization with PIPL/Civil Code, > penalties, and extraterritorial application. Compliance Talker's > Global Legal Policy team produced one of the cleanest practitioner > walkthroughs in the immediate post-enactment commentary. DCC's > framing emphasizes the operational shifts for overseas compliance > teams, since the penalty escalation in particular fundamentally > changes the CSL risk profile. ## What the amendment does — and doesn't The 2025 amendment is structurally conservative. It does not rewrite the CSL's underlying architecture (network operator obligations, CIIO regime, security review, data localization). What it does: - **Adds an AI-safety framework provision** — putting AI on the CSL's institutional map. - **Harmonizes with PIPL and Civil Code** on personal information — closing the doctrinal seam left when PIPL took effect in November 2021. - **Sharply escalates penalties** — top fines increase 10×, with expanded application of the "dual penalty" (entity + individual) regime. - **Expands extraterritorial application** — moves the trigger from "endangering CII security" to the broader "endangering cybersecurity." Each shift has a specific operational implication for compliance teams. ## What changed, in detail ### 1. AI safety and development — the new framework provision The amendment adds **Article 20**: *"The State supports basic AI theoretical research and key technology R&D such as algorithms; advances training-data-resource and computing-power infrastructure; perfects AI ethics norms; strengthens risk-monitoring assessment and security supervision; and promotes AI application and healthy development."* The provision is framework-level — declarative rather than operational. But the placement matters. AI now sits inside the CSL's institutional logic, which means subsequent AI regulation can be promulgated as CSL-implementing rules. Expect a wave of AI-specific implementing regulations in 2026–2027 grounded in this Article. The Compliance Talker team's reading: *"China's AI governance is shifting from local-sector supervision toward systematic regulation, seeking a balance between AI development and security."* The DCC corollary: the foreign-invested AI service providers who have been operating against the patchwork of generative-AI Measures, algorithmic recommendation Provisions, deep synthesis Provisions, and AI content labeling Measures should expect that patchwork to consolidate into a more coherent regulatory stack, with CSL Article 20 as the legislative anchor. ### 2. Harmonization with PIPL and Civil Code Original CSL Articles 40–45 contained the bulk of pre-PIPL personal information protection rules. With PIPL effective November 2021 and the Civil Code Personality Rights Book (with its privacy and PI chapter) effective January 2021, the CSL PI provisions had completed their historical mission. The 2025 amendment recognizes this: - **Article 42 (revised)**: *"Network operators processing personal information shall comply with this Law and the Civil Code of the PRC, the PIPL of the PRC, and other laws and administrative regulations."* - **Article 71(1)(II)**: PI-rights-infringement and important-data-handling violations are processed **per the laws and regulations of the relevant special regime** (i.e., PIPL / DSL / Network Data Security Regulation), via *referral clauses*. The structural effect: the CSL becomes a **cybersecurity baseline** and **CIIO regime anchor**, while PIPL / DSL / NDR handle the specifics in their respective regimes. Cross-referencing replaces duplication. The Compliance Talker team's framing: *"This increases the consistency and coordination of the legal system, and fills potential supervisory gaps."* ### 3. The penalty escalation — the operational headline This is the change with the greatest immediate compliance impact. The amendment **at minimum doubles, and often 10×s, the cap on top fines**, and expands the "dual penalty" regime to individual officers far beyond the prior scope. Selected examples from the revised CSL penalty articles: #### Article 61 — failure to perform network security obligations For ordinary network operators failing to perform Article 23 / 27 obligations: - Warning + correction order; fines of RMB 10,000–50,000 (refusal: RMB 50,000–500,000), with individual officer fines of RMB 10,000–100,000. For CIIOs failing to perform Articles 35 / 36 / 38 / 40 obligations: - Warning + correction order; fines of RMB 50,000–100,000 (refusal: RMB 100,000–1,000,000), with individual officer fines of RMB 10,000–100,000. **For serious cybersecurity harm** (e.g., mass data leakage, partial loss of CII function): entity fines RMB **500,000–2,000,000**, individual fines RMB 50,000–200,000. **For especially serious harm** (e.g., loss of major CII function): entity fines RMB **2,000,000–10,000,000**, individual fines RMB 200,000–1,000,000. The top fine cap moves from RMB 1 million to RMB **10 million** — a 10× increase. The dual-penalty regime applies not only to "directly responsible officers in charge" but also to "other directly responsible personnel" — substantially expanding the universe of individuals personally exposed. #### Article 62 — product / service security defects Penalties for unsafe products and services causing serious network-security harm scale similarly. New addition: **failure to terminate security maintenance without authorization** is now a sanctionable act. #### Article 63 — unsafe network equipment / network-security products Selling or providing uncertified or non-conforming network key equipment or network-security products: now triggers stop-sale + warning + confiscation + fines of RMB 20,000–100,000 (or 1–5× of illegal income if income exceeds RMB 100,000). For serious cases: **business suspension, business license revocation, operating-permit revocation**. #### Article 67 — CIIO use of un-reviewed network products / services CIIO using products/services that haven't passed the national security review: now triggers correction order, use suspension, elimination of national-security impact, fines of **1× to 10× of the procurement amount**, plus individual fines RMB 10,000–100,000. #### Article 65 — non-compliant security certification / testing / risk assessment Conducting cybersecurity certification, testing, or risk assessment in violation of regulations, or publicly disclosing system vulnerabilities, computer viruses, network attacks, or network intrusion information not in accordance with state regulations: triggers correction order + warning + fines of RMB 10,000–100,000 (refusal or serious: RMB 100,000–1,000,000) with possible **business suspension, business license revocation, operating-permit revocation**. ### 4. The dual-penalty system expansion Three CSL penalty features that the 2025 amendment crystalizes: - **Penalty levels at historical highs.** Cap-and-floor fines both substantially escalated. Business suspension and license revocation are available in significantly more violation scenarios. Cybersecurity compliance is now a *survival-level* risk. - **Dual-penalty regime broadened.** Many penalty articles now expressly impose individual fines on **"directly responsible managers"** *and* **"other directly responsible personnel"**. The Compliance Talker team flags a recent enforcement pattern: - In an October 2025 Jiangxi Bank Suzhou Branch network/data-security violation, the compliance department deputy GM, branch head, and a customer manager were all personally fined. - In a Huarui Bank case, the IT security team lead was personally warned for data-security control failures and incomplete remediation. - The pattern is consistent with the dual-penalty regime extending beyond the headline director / officer set, reaching operational mid-management. - **"Non-penalty" compliance incentive added.** New Article 73 introduces *mitigated or reduced penalty* for entities that proactively eliminate / reduce harm, for first-time violations with minor harm and prompt correction, and similar mitigating circumstances. This rewards mature incident-response programs. ### 5. Extraterritorial reach — broader trigger Original Article 75 (now Article 77): the trigger for foreign-actor liability moved from "engaging in activities endangering China's CIIO security" to "engaging in activities endangering China's **cybersecurity**." The broader trigger reaches: - Foreign threat actors conducting cyber attacks against any Chinese network systems (not only CII), as long as the harm is to "China's cybersecurity." - Asset freezing and other sanctions can be applied to foreign actors under Article 77. The Compliance Talker team's framing: *"This means non-CII systems also need to defend against overseas attacks."* For foreign-invested entities, this expansion means cyber-threat intelligence sharing with home-country authorities now intersects with Article 77 in a wider set of circumstances. ## Why this matters for overseas teams Four operational takeaways: - **Cybersecurity compliance is now executive-level risk.** With RMB 10 million top fines and business-license revocation available, the CSL's compliance posture must be elevated. The compliance team's reporting line, the board's cyber-risk briefing cadence, and the executive ownership for cybersecurity all need to be reviewed against the new penalty calculus. The era of treating CSL as a documentation exercise is over. - **The dual-penalty system reaches your people.** Compliance leads, IT security leads, and product managers handling sensitive systems are now personally exposed. Compliance-program design should explicitly identify who falls into the "other directly responsible personnel" category and ensure those individuals have meaningful authority to perform the duties for which they bear personal liability. The PI Protection Officer regime under PIPL Article 52 is the closest analog — see [DCC's PIPO vs DPO brief](/posts/pipo-vs-dpo-pi-protection-officer-comparison/). - **Article 20's AI hook will produce derivative regulation.** Expect 2026–2027 AI regulation to be promulgated as CSL-implementing rules. AI service providers should plan their compliance architecture against the CSL stack, not against the AI Measures alone. - **Article 77's expanded extraterritorial reach changes threat intel calculus.** Foreign-invested entities should review their threat intelligence sharing arrangements with home-country authorities. Activities that previously were unambiguously cybersecurity defense work may now trigger CSL Article 77 attention if framed by Chinese authorities as "endangering China's cybersecurity." The deeper point in the Compliance Talker piece is that **CSL has shifted from being the foundational statute to being the high-stakes statute**. Before 2025, the operational risk was concentrated in PIPL (personal information enforcement) and DSL (data security). After January 2026, CSL itself carries the largest direct fines in the regime. Multinational compliance teams that have under-invested in CSL relative to PIPL and DSL will need to rebalance. --- — Compliance Talker (合规小叨客) Global Legal Policy Research Team, *原创 || 中国新《网络安全法》:促进AI安全与发展,升级处罚力度强化网安责任* (China's New Cybersecurity Law: Promoting AI Safety and Development, Escalating Penalties to Strengthen Network Security Responsibility), 合规小叨客 WeChat Official Account, January 12, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/p20K896Ad94taTuoecZqnQ) *Not legal advice. The above is DCC's structured summary of the source article's analysis; not a verbatim translation. The source carries an original-content non-republish clause and is summarized here under fair-use principles with full attribution.* --- ## Cross-Border Data Discovery — How the U.S., EU, and China Each Play Offense and Defense - Published: 2026-01-08 - Author: DCC Editorial - Tags: cross-border, data-sovereignty, mlat, cloud-act, blocking-statute, commentary - Laws cited: dsl, pipl, cross-border-data-flows-provisions - Domains: cross-border, enforcement - URL: https://datacompliancechina.com/posts/qinglan-cross-border-data-discovery-three-jurisdictions/ - Markdown: https://datacompliancechina.com/posts/qinglan-cross-border-data-discovery-three-jurisdictions.md - Original source: https://mp.weixin.qq.com/s/oqxjw7PbmnQ7OEmkV4Uu8g - Original author: 王青兰 (Wang Qinglan) - Original publication: 青兰数据观察 ### Description When a foreign authority wants data stored in China — or vice versa — three doctrines compete. The U.S. uses a 'data controller standard' (CLOUD Act) that reaches globally on offense and shields domestically through ECPA blocking on defense. The EU uses 'market access' leverage (GDPR Article 3 jurisdictional reach plus Article 48 blocking). China uses a 'data location standard' (territorial sovereignty plus the MLA Law, DSL, and PIPL blocking clauses). Wang Qinglan maps the four discovery paths, the three jurisdictional doctrines, and what compliance teams should build to survive the squeeze. ### Body > *Editor's Note — DCC.* > > The cross-border data *discovery* question — when a foreign government > demands data stored in China, what happens? — is one of the highest- > stakes uncertainties for multinational compliance teams. Wang Qinglan's > framing is the cleanest taxonomy DCC has seen in Chinese-language > commentary on this question. Four discovery paths; three jurisdictional > doctrines; one set of operational implications for foreign-invested > entities operating across the squeeze. We summarize her piece for > overseas counsel and note where the picture has continued to shift in > 2026. ## Four cross-border discovery paths When an authority wants data sitting in another country, Wang frames the question as: *what's the path?* Four paths cover the field: ### Path 1 — Traditional Mutual Legal Assistance (MLA, 司法协助) The classic public-to-public path. Country A's government sends a formal MLA request to Country B's government; Country B's competent authority obtains the data from the holder under Country B's domestic procedures and transmits it back. The entire process is government-to-government. This is the **sovereignty-respecting** model. China has signed MLA treaties with 91 countries. The cost is **speed**: MLA requests to the United States average a 10-month turnaround, which is incompatible with most cybercrime investigations where evidence is volatile. ### Path 2 — Unilateral Public-to-Private (单边公对私) A foreign authority bypasses the data-location government and demands the data directly from the company holding it. Two sub-modes: - **Voluntary cooperation.** The authority issues a request; the company complies or doesn't, with no legal compulsion. Pre-CLOUD-Act U.S. and EU member-state practice often took this form, with notoriously variable response rates: Microsoft historically responded to 78% of non-U.S. requests; Twitter only 21%. - **Compulsory production.** The authority issues a *production order* with the force of law; the company must comply or face sanctions. The U.S. **CLOUD Act** (2018) is the archetype. **China's position on this path: firmly opposed.** Article 41 of China's *International Criminal Judicial Assistance Law* (国际刑事司法协助法), Article 36 of the *Data Security Law*, and Article 41 of the *Personal Information Protection Law* all prohibit Chinese entities from transferring data to foreign authorities without Chinese government approval. The doctrinal framing: a foreign authority approaching a Chinese company directly is a sovereignty violation, *regardless* of whether the company is willing to cooperate. ### Path 3 — Bilateral / Multilateral Public-to-Private (双边或多边公对私) A negotiated middle ground. Countries sign bilateral or multilateral treaties that mutually recognize each other's production orders as legally effective in the partner country. The U.S. has executive agreements with the UK and Australia under the CLOUD Act. The EU has the *European Production Order and Preservation Order Regulation* (2023), under which any member-state authority can issue an EU-wide production order reaching any company with an EU presence, regardless of where the data sits. The Budapest Convention on Cybercrime is the older regional precedent — China has not joined. The pattern: production orders with bilateral legitimation, no longer a unilateral overreach into another sovereign's territory. ### Path 4 — Multilateral Public-to-Public (多边公对公) The newest path: global multilateral treaties standardizing discovery. The *UN Convention against Cybercrime* (December 2024) is the leading instrument. China and Russia were active proponents. The Convention preserves sovereignty as the default (Article 5) but also permits states to issue production orders to companies in their own territory for "subscriber information" (Article 27) — a calibrated middle path between speed and sovereignty. ## The three jurisdictional doctrines Each major player uses a different doctrine for *when its own law reaches data*. Wang's framing: ### United States — Data Controller Standard The **CLOUD Act** (2018) made the rule explicit: *whoever controls the data, U.S. law reaches.* The data's geographic location is irrelevant. The Act applies to any communications-service provider that is U.S.-incorporated, has substantial U.S. presence, or has "sufficient contact" with the U.S. — including merely providing services to U.S. users. The Microsoft Ireland case illustrates: the Justice Department demanded data stored in Microsoft's Dublin data center; Microsoft litigated to the Supreme Court; the CLOUD Act passed mid-case and ended the dispute. Microsoft was required to produce the Irish-stored data because Microsoft (a U.S. company) *controlled* it. The U.S. *defensive* posture is the mirror image — and Wang frames it as a *double standard*: - The 1986 **Electronic Communications Privacy Act (ECPA)** blocks U.S. providers from disclosing electronic data to foreign governments. - The CLOUD Act creates a *narrow* exemption track: a U.S. court can quash a foreign production order if the data is not about U.S. persons *and* compliance would violate the law of a "qualifying foreign government." But "qualifying" is a high bar — only the UK and Australia have executive agreements granting that status. In substance: the U.S. reaches globally on offense; everything else hits an ECPA wall on defense, with narrow escape valves for U.S. treaty partners. ### European Union — Market Access Standard The EU's strength is its single market. Its doctrine: *whoever wants to sell to our 500M consumers must follow our rules*. GDPR Article 3 reaches any controller or processor anywhere in the world that *offers goods or services to data subjects in the EU* or *monitors data subjects' behavior in the EU*. Court of Justice case law has expanded the reach further — a controller with an EU establishment whose activities relate to the foreign processing is subject to EU jurisdiction. The EU *defensive* posture also uses double-standard mechanics. **GDPR Article 48** prohibits transfer of personal data to a foreign authority in response to a foreign court or administrative order *unless* there is an MLA treaty or the transfer satisfies GDPR's strict transfer-safeguard requirements. The narrow exception paths — public interest, vital interest — require additional safeguards, non-repeated transfers, limited data subjects, security assessment, regulator notification, and individual notification. In practice, almost no foreign discovery order satisfies the bar. In substance: the EU reaches via market access on offense; everything else hits the GDPR Article 48 wall on defense. ### China — Data Location Standard China's doctrine: *whoever holds data in our territory is subject to our jurisdiction; data outside our territory belongs to that territory's regime.* This is the most sovereignty-respecting of the three doctrines and the closest to traditional international-law norms. China's offensive posture is correspondingly constrained — and Wang frames this as a *deliberate* policy choice: - Discovery from overseas data is conducted through MLA — 91 treaties with peer countries. - China does *not* assert extraterritorial production-order authority over foreign companies. - Multilateral instruments (the UN Cybercrime Convention) are the preferred vehicle for any cross-border discovery beyond bilateral MLA. China's defensive posture has three layers Wang labels the *"three-axe defense"* (三板斧): - **Legal blocking** — DSL Article 36, PIPL Article 41, and the International Criminal Judicial Assistance Law all bar Chinese entities from providing data to foreign authorities without Chinese government approval. The block applies to *both* unilateral production orders (Path 2) and to voluntary cooperation in response to foreign authority requests. - **Data localization** — CSL requires CIIO-collected PI and important data to be stored in China. The localization requirement removes the data from the foreign-discovery target set. - **Market access** — foreign cloud service providers entering China (with limited FTZ pilot exceptions) cannot directly control Chinese data. The structural arrangement is a Chinese partner controlling the data and the foreign vendor providing technology. From the foreign-discovery perspective: the foreign cloud provider doesn't *have* the data to produce, even under a CLOUD Act order. The three layers are designed to compound. A foreign production order targeting a Chinese-stored dataset must clear all three: the company holding it can't lawfully cooperate (legal blocking), the data may be localized in any case (localization), and the foreign cloud provider lawfully present in China may not control it (market-access structuring). ## The 2026 picture Wang's piece was written in January 2026, and the picture has continued to evolve. Three updates DCC has tracked since: - **The MPS Electronic Data Evidence Rules draft** (May 2026) added Article 30 — the most explicit Chinese-side statement of how Chinese law enforcement can reach overseas-stored data: via credentials provided by the suspect or violator. The architecture is *suspect-credentials-based*, not MLA-based. (See [DCC's brief on the MPS draft](/posts/) — coverage in our regulatory-update queue.) - **The 2026 PI Special Action** (CAC + MIIT + MPS) signaled cross-sector enforcement tightening including on cross-border vectors. - **The UN Cybercrime Convention** (December 2024) is heading into ratification. China was a leading proponent. If it enters force broadly, Path 4 (multilateral public-to-public) gains operational weight. ## What this means for multinational compliance teams For foreign-invested entities operating across the squeeze, four operational takeaways: - **Map every cross-border discovery vector to which jurisdictional doctrine applies.** A discovery demand from U.S. law enforcement under the CLOUD Act sits in Path 2 / unilateral public-to-private. A demand from EU enforcement under GDPR Article 48 sits in Path 2 also. A demand from China's MPS under the Electronic Data Evidence Rules sits in Path 2 / suspect-credentials variant. The *blocking statutes* you encounter from the data-location side will vary by which doctrine the demanding authority is using. - **Document the blocking statute conflict.** When a Chinese-stored dataset is the target of a foreign production order, your in-China entity should *expressly invoke* the DSL Article 36 / PIPL Article 41 blocking provisions and seek Chinese government approval before producing. The blocking statutes provide a defensible position under the *qualifying foreign government* analysis (in the CLOUD Act context) and under GDPR Article 48 (in the EU context). Build the documentary record on the China side. - **Architect for the three-axe defense.** For data that may be the target of foreign discovery in future, the three China defensive layers compound. Where possible: route the data through a Chinese entity that controls it; locate the storage domestically; structure the foreign-vendor relationship to give the Chinese counterpart control. This narrows the foreign authority's enforceable reach. - **Watch the UN Cybercrime Convention and the U.S. executive agreement track.** If China negotiates a CLOUD Act executive agreement with major U.S. trading partners — or, more practically, if the UN Convention reaches widespread ratification — the regime architecture changes. Multilateral public-to-public would become the primary path, narrowing the unilateral conflicts that currently force multinationals into impossible compliance positions. The deeper observation in Wang's piece is that **the three doctrines are not converging**. The U.S. data-controller approach, the EU market-access approach, and the China data-location approach reflect three different theories of digital sovereignty. Multinationals operating across the three will continue to face squeezes; the operational answer is *not* to bet on one doctrine prevailing, but to build compliance architecture that can survive when authorities under different doctrines disagree. --- — Wang Qinglan (王青兰), *跨境数据调取"三国杀":美欧中各出啥招?* (The Cross-Border Data Discovery "Three Kingdoms War" — What Moves Are the U.S., EU, and China Each Making?), 青兰数据观察 WeChat Official Account, January 8, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/oqxjw7PbmnQ7OEmkV4Uu8g) *Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation. The author's views are her own and do not represent her employer.* --- ## Will Judicial Review 'Reset' the Data Registration Rush? — Reading Wang Qinglan on the SPC's New Data Disputes Case Category - Published: 2025-12-19 - Author: DCC Editorial - Tags: data-property-rights, data-registration, spc, judicial-review, commentary - Laws cited: data-property-rights-registration-guide-draft, public-data-registration-interim-measures, data-foundation-system-opinions - Domains: data-economy, enforcement - URL: https://datacompliancechina.com/posts/spc-data-disputes-case-category-and-data-registration/ - Markdown: https://datacompliancechina.com/posts/spc-data-disputes-case-category-and-data-registration.md - Original source: https://mp.weixin.qq.com/s/wvM52Sexl8UWlr_dHD1yBQ - Original author: 王青兰 (Wang Qinglan) - Original publication: 青兰数据观察 ### Description Wang Qinglan, head of compliance at a Chinese data exchange, asks what the Supreme People's Court's new 'data disputes' case category — effective January 1, 2026 — does to the data property rights registration certificates that institutions across the country have been issuing. Her argument: certificates issued through formal-only review will not survive substantive judicial scrutiny, and a single rejected certificate could erode trust in the entire registration regime. The path forward is a three-tiered protection model and aligned standards across regulators, registration institutions, and courts. ### Body > *Editor's Note — DCC.* > > Wang Qinglan, a legal-tech PhD turned post-doctoral computer scientist > and now head of compliance at a Chinese data exchange, is one of the few > commentators writing inside the data property rights registration system > with both the operational vantage and the willingness to push back on > where the regime is going. This piece, published two days after the > Supreme People's Court released its revised *Provisions on Civil Case > Categories* on December 17, 2025, asks a deceptively simple question: > *what does the new "data disputes" case category — effective January 1, > 2026 — do to the data registration certificates that institutions across > China have been issuing under the Data 20 Articles' three-rights-split > framework?* For overseas counsel watching the data property registration > regime emerge, this is a useful corrective read against the institutional > explainers. We summarize her argument in DCC's own words, with the source > credited and linked. Not a verbatim translation. ## The trigger: a new SPC case category for data disputes On December 17, 2025, the Supreme People's Court released its revised *Provisions on Civil Case Categories* (《民事案件案由规定》), adding **"data disputes" (数据纠纷)** as a first-tier civil case category effective January 1, 2026. Three sub-categories sit underneath: - **Data rights disputes** (数据权属纠纷) - **Data contract disputes** (数据合同纠纷) - **Data rights infringement disputes** (侵害数据权益纠纷) Before this revision, data-related civil suits had to be filed under awkward proxies — most often **anti-unfair-competition** (the AUCL general clause) or **intellectual property** brackets. The case-category mismatch was a perennial frustration: data disputes were being adjudicated, but courts had to reach into adjacent regimes to do so. Now, under Wang's reading, the SPC has formally placed **data ownership adjudication squarely with the courts** — and equipped them with a dedicated procedural channel. That, she argues, is the trigger for a reckoning about what data property rights registration certificates actually *are*. ## The doctrinal puzzle: a certificate is not a property right The doctrinal point Wang makes is sharp and worth restating. Under the Data 20 Articles framework and the NDA's *Data Property Rights Registration Work Guide (Trial)* — currently in public-consultation draft — registration institutions issue certificates evidencing **data holding rights, data use rights, and data operation rights** (the "three-rights split"). Industry has, Wang says, slid into treating *registration = title*: as if obtaining a registration certificate vests legal ownership over a dataset the way recording a deed vests ownership of real property. It does not. Wang's framing: - **Real property** (e.g., a house) has a defined property-right concept under the Civil Code; once registered, the registry produces legally recognized *in rem* rights. - **Data property rights** have *no defined statutory concept yet*. The Data 20 Articles is a policy directive; the NDA Registration Guide is a draft trial measure. A registration certificate issued under that draft is, at best, a **trust credential** (可信凭证) — evidence that the registrant invested effort in compliance review and that an institution reviewed the materials. - A trust credential is not a legal title. Whether it carries weight in a courtroom is a *separate question* — one the SPC has now placed squarely on the table. ## The risk Wang flags: a single failed certificate erodes the regime Wang's most operationally important argument is this: **the registration regime is more fragile than its market position suggests**, because failure mode is *systemic*, not local. Her hypothetical: a company holds a data property rights certificate purportedly conferring a "right to hold data" over a dataset. In litigation, the opposing party produces evidence that the data originated from a government-commissioned project, with the commissioning contract restricting the data to specific permitted uses. The registration institution conducted only **formal review** — it did not verify the underlying data source. The court looks at the actual provenance, finds the certificate was issued without substantive verification, and the certificate's evidentiary effect is **"reset to zero" (清零)**. The danger, Wang argues, is contagion. Once one certificate is judicially repudiated, market confidence in the entire class of registration certificates drops sharply. *"It's like a tea shop using expired ingredients,"* she writes. *"Consumers instinctively start questioning the food safety of every tea shop."* A regime built on the public-trust premise of certificates loses its trust premise when courts begin disregarding individual instances. ## Why pure substantive review is not the answer The intuitive solution — require registration institutions to conduct full substantive review of every dataset — fails, Wang argues, for three reasons. **No unified standard.** There is no statutory standard for what substantive review must encompass. Each institution sets its own threshold. The result: registrants face inconsistent expectations across institutions, and certificates from different issuers carry different evidentiary weight. **The cost is prohibitive.** Full substantive review of, say, a personal-information dataset would require verifying the consent of every data subject in the dataset — a chain-of-authorization audit at potentially massive scale. For an important-data dataset, the review institution would need to verify CII designation status, confirm no anti-scraping measures were circumvented, and so on. Wang's analogy is medical: *"You can't determine someone is healthy with just a temperature reading, but you also can't run CT, MRI, and every test on every patient — it's prohibitively expensive."* **Friction kills circulation.** If substantive review is too demanding, registrants and traders will avoid the system. Data sits in the corner. The market never matures. *"It's like setting up so many checkpoints on a highway that traffic just stops."* ## Wang's proposed five-point fix Her recommendations describe what a workable middle path looks like. **1. A three-tier protection model.** Replace pure formal review with the combination: - **Third-party legal opinion** (第三方法律意见书) — a qualified law firm verifies the legal basis of source and authorization. - **Limited substantive review** (有限实质审查) — registration institutions review against defined high-risk categories (personal information, public data, important data) at three checkpoints (legality of source, completeness of authorization chain, protection of third-party rights). - **Public-announcement objection** (异议公示) — give third parties a window to challenge before the certificate is issued. **2. Unified standards for limited substantive review.** Establish a national "baseline checkup" so registration institutions across China apply the same review depth, with risk-graded sampling for large datasets (e.g., sampling-rate verification for personal-information datasets, random spot-checks for industrial data). **3. Alignment between regulators, registration institutions, and courts.** Publish SPC guiding cases and judicial interpretations so registration institutions know what courts will look for. Without alignment, the SPC will reach one conclusion about what valid title looks like and registration institutions will be issuing certificates under a different conception. **4. Companies should stop treating certificates as a one-stop solution.** Build the underlying compliance documentation regardless: clear data-rights provisions in trading contracts, retained authorization files, processing-activity records, anonymization records. Those documents will outperform a formal-review certificate in court. **5. Tolerant judicial scrutiny.** Courts should *prefer to credit* certificates from institutions that genuinely conducted substantive review, and should not reject the entire evidentiary effect of a certificate for non-material defects. Data law is still maturing; "rule of judicial prudence" is more useful than "absolute zero tolerance." ## Why this matters for overseas teams Three takeaways for foreign counsel and compliance leads engaging with the Chinese data property regime. - **The registration regime's defensibility is now an open question.** Compliance teams that have been advising clients to obtain a registration certificate as a one-stop ownership-proof are now operating under a closing window. A certificate from a formal-review-only institution may not carry the evidentiary weight clients have been told it does. - **The SPC has taken the adjudicator's seat.** The "data disputes" case category change reads, on its face, as procedural housekeeping — but the substantive consequence is the *centralization of judicial review over data property rights claims*. Courts now have a dedicated case channel and will produce a body of precedent. Compliance documentation should be built to survive judicial review, not just registration review. - **Watch which institutions adopt substantive review.** Wang's piece is, among other things, a soft argument that the **Shenzhen Data Exchange and other institutions that have invested in substantive review** will outperform those that haven't, as the regime matures. For overseas counsel advising on data deals tied to a specific registration institution, the choice of institution is now a meaningful risk variable. The deeper observation in Wang's piece is that **China's data property rights regime is moving through the same maturity sequence as any property-rights system** — from informal claim, to administrative registration, to judicial review. The "rush" stage is ending. What follows depends on whether registration institutions, regulators, and courts can converge on a single standard before the first certificate gets struck down in open court. --- — Wang Qinglan (王青兰), *数据确权登记热潮,要被司法审查"打回原形"了?* (Will Judicial Review "Reset" the Data Registration Rush?), 青兰数据观察 WeChat Official Account, December 19, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/wvM52Sexl8UWlr_dHD1yBQ) *Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation. The author's views are her own and do not represent her employer.* --- ## PIPO vs. DPO — How China's Personal Information Protection Officer Differs from the GDPR Data Protection Officer - Published: 2025-12-15 - Author: DCC Editorial - Tags: personal-information, pipl, gdpr-comparison, data-protection-officer, commentary - Laws cited: pipl, personal-info-audit-measures - Domains: personal-information, enforcement - URL: https://datacompliancechina.com/posts/pipo-vs-dpo-pi-protection-officer-comparison/ - Markdown: https://datacompliancechina.com/posts/pipo-vs-dpo-pi-protection-officer-comparison.md - Original source: https://mp.weixin.qq.com/s/eTH37QZSCSU6DUxiU6TQ-A - Original author: 全球法律政策研究 (Global Legal Policy Research Team) - Original publication: 合规小叨客 ### Description The Cyberspace Administration of China announced in July 2025 that personal-information processors handling data on 1 million or more individuals must submit Personal Information Protection Officer (PIPO) information to CAC. Compliance Talker's global legal policy research team contrasts China's PIPO regime under PIPL Article 52 with the GDPR's Data Protection Officer (DPO) framework under Articles 37–39. The most consequential difference: PIPO carries individual administrative liability — up to RMB 1 million in personal fines and industry bans — where DPO does not. ### Body > *Editor's Note — DCC.* > > The Cyberspace Administration of China (CAC) opened, in July 2025, a > mandatory information-reporting channel for **Personal Information > Protection Officers (PIPOs, 个人信息保护负责人)** at personal-information > processors handling data on 1 million or more individuals. The > announcement is not just procedural — it puts PIPOs onto a CAC-administered > register, with monitoring, audit triggers, and (per the underlying PIPL > Article 66 liability regime) personal exposure for the officer. > > The Compliance Talker (合规小叨客) global legal policy team published, in > December 2025, a comparison of China's PIPO under PIPL Article 52 with > the EU's Data Protection Officer (DPO) under GDPR Articles 37–39. For > multinational compliance teams who already understand DPO and now need > to understand PIPO — and especially whether a single individual can serve > both functions — the comparison surfaces the design choices that make > the two roles meaningfully different. Article is original (原创) with a > non-republish clause; DCC summarizes in our own words with attribution. ## What the CAC PIPO reporting announcement requires The CAC's July 18, 2025 announcement obligates personal-information processors meeting the 1-million-individual threshold to submit PIPO information through the dedicated reporting system at `grxxbh.cacdtsc.cn`. Key parameters: - **Reporting scope**: PI processors handling 1M+ individuals' PI, plus government agencies and industry associations. - **Reporting timeline**: Entities meeting the threshold before July 18, 2025 must complete reporting by August 29, 2025. Entities meeting it after must report within 30 business days of crossing the threshold. - **Update obligation**: Substantive changes must be re-reported within 30 business days. - **Extraterritorial processors**: Entities subject to PIPL Article 3(2) extraterritorial reach must report through their designated domestic representative. - **Content**: PIPO name and contact information; PI processing details (employee headcount handling PI, deduplicated); CAC may issue "supplement-and-correct" requests with a 10-business-day response window. The architecture is one of *registered accountability*: the CAC now has a national register of named individuals personally accountable for PI protection within scoped entities, with administrative jurisdiction to monitor compliance and impose personal liability under PIPL Article 66. ## Where PIPL Article 52 and GDPR Article 37 diverge The Compliance Talker team's comparison surfaces four design-level differences. ### Triggering threshold: quantity vs. activity **PIPO threshold** is a flat *quantity* test: PI processors processing the PI of 1M+ individuals must appoint a PIPO. The threshold reads off processing scale, not the nature of the processing activity. **DPO threshold** under GDPR Article 37 is *activity-based*: a DPO is required if (i) the processing is conducted by a public authority or body, (ii) the controller's or processor's core activities involve regular and systematic monitoring of data subjects on a large scale, or (iii) the core activities involve large-scale processing of special-category data or criminal-conviction data. The practical consequence: a Chinese SaaS company processing 1.1M users automatically owes PIPO appointment regardless of *what* it does with the data. An EU SaaS company processing the same scale of users may or may not owe DPO appointment, depending on the nature of its monitoring or special-category processing. ### Qualifications: implicit vs. explicit **PIPL Article 52** is silent on PIPO qualifications. The implementing reference standard is **GB/T 35273** (*Information Security Technology — Personal Information Security Specification*), which sets out the PIPO's duties in detail but does not impose specific certification or experience requirements. In practice, market expectation is for a PIPO to have data-security or legal background; there is no formal credentialing. **GDPR Article 37** requires the DPO to be appointed *on the basis of professional qualities*, particularly **expert knowledge of data protection law and practices** and the ability to fulfill GDPR Article 39 tasks. EDPB's *Guidelines on Data Protection Officers (WP243)* further details what this expertise must look like in practice. ### Duty scope: similar in structure, different in emphasis Both roles share a common architecture: internal advisory, monitoring, training, audit, regulator-liaison. The differences are emphasis and surface area: - **PIPO** is, by design, the regulator's eyes inside the company. The GB/T 35273 duty list includes monitoring authorized access policies, conducting PIA, organizing PI security training, pre-launch screening for unknown collection/use/sharing, audits, and direct liaison with regulators. Embedded throughout: PIPO is *responsible for the security work* and "bears direct responsibility" for PI security inside the organization. - **DPO** is, by design, the data subject's internal advocate. Article 39's list emphasizes *advising the controller/processor* on GDPR obligations, monitoring compliance, advising on DPIAs, cooperating with regulators, serving as contact point for both regulators and data subjects. GDPR Article 38 mandates *independence*: the DPO may not receive instructions on how to perform the role, may not be dismissed for performing it, and must not be in a position with conflicts of interest. The two roles share aim — protecting personal data inside the entity — but they sit in materially different institutional positions. ### Liability: personal exposure vs. corporate-only This is, in the Compliance Talker team's reading, the *most consequential* difference for compliance leadership. **PIPL Article 66** imposes administrative liability not only on the entity but also on **directly responsible managers and other directly responsible personnel**. For ordinary violations: warning, confiscation of illegal gains, and **personal fines of RMB 10,000 to 100,000**. For serious violations: provincial-level CAC may impose **personal fines of RMB 100,000 to 1,000,000** and **prohibit the individual from serving as director, supervisor, senior officer, or PIPO at relevant enterprises** for a defined period. PIPL Article 52 places the PIPO squarely inside the "directly responsible personnel" envelope when PI protection duties are not performed. The administrative-liability mechanism produces *personal accountability* — the regulatory architecture is explicitly designed to make a named individual feel exposed. **GDPR**, by contrast, places *no personal liability* on the DPO. GDPR penalties (Articles 83–84) apply to controllers and processors as legal entities. The DPO's independence — protected by Article 38 — is structurally inseparable from the absence of personal liability: a DPO who could be personally fined for the controller's violations could not maintain advisory independence. The Compliance Talker team frames this concisely: PIPO architecture binds the officer's accountability to the entity's compliance — *the officer's personal exposure is the enforcement lever*. DPO architecture, by contrast, *firewalls* the officer from the entity's liability so the advisory function stays clean. ## Practical implications for multinational compliance teams The Compliance Talker team offers two cross-cutting practices and several role-specific ones. **Common practices.** - *Dynamic role-fit assessment*. Re-assess annually whether the appointed PIPO/DPO still matches the entity's actual processing profile, especially after material changes — entry into a new cross-border data line, AI processing of user data, regulatory updates from CAC or EDPB. If a Chinese subsidiary launches AI processing of customer communications, the PIPO may need AI-compliance background or replacement. - *Documentation of appointment*. Issue a formal appointment letter specifying role name, duty scope, authority, reporting line, and term, signed by a corporate principal. Update on any change. Without written documentation, regulators may treat the appointment as non-compliant. - *Group-level discipline*. Group parents should map data processing across subsidiaries to determine which entity is the responsible PI processor — but should *not* intervene in subsidiary-level appointment decisions, which risks "responsibility piercing" up to the parent. **Role-specific differences.** - For **PIPO** appointment: focus on coverage of GB/T 35273 duty list, alignment with internal audit and security functions, and clear management-level reporting to senior leadership. - For **DPO** appointment: focus on demonstrable expert qualifications, structural independence (no conflicts of interest, direct top-management reporting line, protected from dismissal for performing the role), and accessibility to data subjects. ## Why this matters for overseas teams The most operational consequence of the comparison: **a single individual cannot, in practice, serve both functions cleanly** — at least not across the same parent entity that has both EU exposure and Chinese exposure at scale. - A PIPO must accept personal exposure and embed inside the entity's accountability chain. - A DPO must remain independent of the entity's liability and reporting structure. A combined appointment risks compromising DPO independence under GDPR Article 38 (if the individual is exposed to PIPL Article 66 personal liability for performing the China role), and risks PIPO non-compliance if the individual is structurally insulated in ways that prevent the duty-performance the PIPO regime expects. Multinational compliance architectures should treat the appointments as distinct functions with distinct individuals, even where the same legal-entity group is the underlying employer. Where the same individual must serve both functions for cost or scale reasons, the appointment-letter architecture should explicitly carve the China role from the EU role, and the reporting lines should be separated. The Compliance Talker piece is essentially a translation of two regulatory regimes into a side-by-side institutional comparison. For overseas compliance leads who have spent a decade internalizing the DPO model, the PIPO regime requires unlearning the assumption that data-protection officer roles are functionally equivalent across jurisdictions. --- — Compliance Talker (合规小叨客) Global Legal Policy Research Team, *中国个人信息保护负责人与海外数据保护官的职责"差异图鉴"* (A "Differences Atlas" of the Responsibilities of China's Personal Information Protection Officer and the Overseas Data Protection Officer), 合规小叨客 WeChat Official Account, December 15, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/eTH37QZSCSU6DUxiU6TQ-A) *Not legal advice. The above is DCC's structured summary of the source article's comparison; not a verbatim translation. The source carries an original-content non-republish clause and is summarized here under fair-use principles with full attribution.* --- ## Reverse Interoperability: Li Wenlong's Frame for the Doubao On-Device Agent Fight - Published: 2025-12-12 - Author: DCC Editorial - Tags: ai-governance, ai-agents, interoperability, anti-unfair-competition, platform-governance, on-device-agents, academic-commentary - Laws cited: genai-services-interim-measures - Domains: data-economy, ai-governance - URL: https://datacompliancechina.com/posts/doubao-reverse-interoperability-on-device-agents/ - Markdown: https://datacompliancechina.com/posts/doubao-reverse-interoperability-on-device-agents.md - Original source: https://mp.weixin.qq.com/s/E6RjF63A3vqd4WW78mVlXQ - Original author: 李汶龙 (Li Wenlong) - Original publication: 科技利维坦 WeChat Official Account ### Description ByteDance's Doubao phone assistant — preinstalled at the device layer to operate other apps on a user's behalf — was met with pop-up blocks from WeChat and others citing security and risk-control. Li Wenlong (科技利维坦) argues the dispute is, at bottom, a question of how China's competition-law toolkit (反不正当竞争法 / 反垄断法) absorbs the idea of interoperability — and specifically what he calls 'reverse interoperability (反向互操作性)'. The classic interoperability problem is a platform refusing to open up, with antitrust used as a market remedy to force access. Doubao inverts it: interoperability is fully achieved at the device level, and the legal question becomes whether the law should restrict 'over-interoperation.' Li maps interoperability's journey from the Microsoft case through GDPR data portability and the DMA to the agent era, distinguishes the Doubao fight from the decade-old 3Q War, and predicts on-device-agent governance will look less like classic antitrust and more like the ex-ante, conditional-use compliance model emerging for AI training data. For overseas counsel: a structural read on the platform-access war that on-device AI agents are about to intensify. ### Body > *Editor's Note — DCC.* > > This brief summarises 《豆包手机助手说到底是个被动互联问题》by Li > Wenlong (李汶龙) on the 科技利维坦 channel — a theory-building piece on > the Doubao phone-assistant controversy. The dispute itself: ByteDance > preinstalled, on ZTE/Nubia handsets, a system-level AI assistant that > can *operate other apps for the user*; WeChat and others responded with > pop-up limits and interruptions citing security and risk-control, > opening a fight between phone makers and "super-apps" over permissions, > security and "entry control (入口控制权)." Li's move is to refuse the > easy analogies ("disruptor," "theft," "intimate digital companion") and > reach for a precise legal anchor: interoperability, and its inversion. > This is a competition-law and platform-governance piece rather than a > pure data-protection one — DCC runs it because the on-device AI agent > is about to make platform data-access the central battleground of the > Chinese internet, and Li's "reverse interoperability" framing is the > sharpest public attempt to name what is actually being fought over. > Note: the analysis is Li's own theoretical proposal, not settled > Chinese law. ## The dispute, stated precisely Strip away the metaphors and the Doubao question is narrow, Li says: **why is it fine for a consumer to perform a sequence of taps on their own phone, but not fine to let the phone do it automatically?** Where, exactly, is the harm — and how do existing legal concepts, principles and precedents attach to the new business form? Public commentary has reached for analogies that all fall short. Incumbents call Doubao a "disruptor (搅局者)" — but disruption is not *per se* bad for consumers or markets; historically every technical advance disrupts. Others analogise to theft — but what is stolen? Can "traffic" be stolen; does the criminal-law concept of theft migrate here? Still others coin labels — "system-level dangerous permissions," "intimate digital companion," "super-app / entry point," "phone controller." Each touches *some* facet, none is precise. Regulation, Li argues, needs a conceptual anchor to identify the applicable legal framework and to pin down the *impaired legal interest*. His candidate is interoperability. ## What interoperability actually covers In China's internet-policy history, "互联互通" flared briefly and was then suppressed; the public version touched only the surface — can a Taobao link open inside WeChat, can WeChat Pay be used inside Douyin. Those are interoperability symptoms, but the concept is far richer. At its core, interoperability is the capacity of different systems, platforms, technologies or services to mutually recognise, read/write and effectively interact — at the **protocol** level (compatible standards) and the **data** level (system A can read or write system B's data); on Urs Gasser's account it extends to human and institutional layers as well. Its legal home has shifted with each technical era: from network-comms and computer engineering before the internet; into **antitrust and competition policy** as software platforms began to compete (the Microsoft case as watershed); then, in the platform era, into digital-ecosystem antitrust enforcement, the **GDPR's data- portability right**, and the **DMA's** messaging- and social-media- interoperability mandates. With agents, the meaning shifts again — from protocol and data interoperability to *semantic* understanding, invoking another service's core capabilities, and completing complex tasks across ports. Doubao introduces **function-level interoperability**: a platform lets a third party reach into its core functions. The subtlety, Li notes, is that ByteDance did not negotiate app-by-app permission; it partnered with a *handset maker* to solve the problem at the **device layer** — so the assistant achieves seamless cross-app operation without any app's consent. ## "Reverse" interoperability Here is Li's central inversion. The classic interoperability problem assumes the technology is *not* interoperable — there is no capability or no incentive to open up — and the law (typically antitrust) pushes to *force* access; opening the ecosystem wall is a market remedy. Doubao is the opposite. Interoperability is *fully achieved* at the ZTE device layer. So the question flips: the technology "over-interoperates," and the issue becomes whether the law should *restrict* it. Li calls this **reverse interoperability (反向互操作性)** — borrowing the interoperability concept to bring the dispute into legal language, while recognising that the legal problem is qualitatively different. It is tempting, he notes, to liken Doubao to the decade-old **3Q War** (Tencent v. Qihoo). Both touch the boundary between system platform and app service, and both involve competitive exclusion. But the 3Q War was about tampering with a function to block ads (framed as unfair competition); Doubao is about using high system-level permissions to *bypass an app's risk controls* and so unsettle the app-centric structure of mobile internet. You cannot simply "reverse" the classic antitrust framework and apply it here. ## Governing "reverse interconnection" From the antitrust and regulatory angle, interoperability is normally a *structural competition remedy*: it reduces user lock-in, weakens the market power that network effects confer, and lets competitors into a concentrated market. In competition law it shows up as three questions: (1) must a dominant firm provide a technical interface or data to rivals; (2) does refusing interoperability constitute abuse of dominance; (3) does *mandating* interoperability promote competition while avoiding over-intervention in innovation. The settled lesson: interoperability can promote competition, but forced interoperability — which tends toward standard unification — can blunt the incentive to innovate. Because Doubao is a *reverse* problem, that logic does not transplant directly. Li's prediction is that on-device-agent governance will instead come to resemble how **copyright law is learning to govern AI training data** — a shift from purely *ex-post* infringement findings toward *ex-ante* lawful access plus conditional use, wrapped in AI-compliance duties (transparency, training-data-source disclosure, filtering). By analogy, an on-device agent would be allowed to auto-execute operations only on conditions: it follows platform rules, is identifiable and accountable, and apps express their permissions in a standardised, machine-readable way. The competition-law apparatus still has a role at the edges. Li flags the abuse-of-dominance analysis and the **DMA gatekeeper** path — asking which platforms or services might constitute an *essential facility* in the AI era — and suggests that, on a footing of platform safety and control, agents could be offered access on **FRAND-style** terms, with interoperability restricted or suspended where there is sufficient evidence of harm. Crucially, cross-device operation spawns new risks (privacy among them) that demand stronger accountability — **permission audits and logging** — so on-device-agent compliance will not be merely contractual; it will carry distinct AI-compliance requirements. ## Why overseas counsel should care - **The platform-access war is restarting at the device layer.** The Doubao fight is the leading edge of a structural conflict that on-device AI agents will intensify. Clients on either side — super-apps defending risk-control, or agent/handset players seeking access — need a frame sharper than "disruptor" or "theft," and "reverse interoperability" is it. - **Expect ex-ante, conditional access, not just litigation.** If Li is right, the governance model borrows from AI-training-data compliance: standardised permission expression, identifiability, accountability, audit logs — built in up front rather than fought out after the fact. - **Accountability artefacts matter now.** Permission audits and logging for cross-device actions are the controls most likely to harden into obligations; agent builders should be generating them already. This connects directly to DCC's coverage of China's emerging AI-agent rules — the [governance framework](/posts/ai-agent-rules-governance-framework/) and [risk taxonomy](/posts/ai-agent-rules-risk-taxonomy/) — and to Li's companion piece on the same Doubao assistant viewed through the privacy/authorisation lens, [AI agents and the limits of consent](/posts/ai-agents-and-the-limits-of-consent/). His training-data analogy also tracks DCC's note on [open-source AI training-data compliance](/posts/open-source-ai-training-data-compliance/). ## DCC sources - Original: 李汶龙 (Li Wenlong), 《豆包手机助手说到底是个被动互联 问题》, 科技利维坦 WeChat Official Account ([source](https://mp.weixin.qq.com/s/E6RjF63A3vqd4WW78mVlXQ)). - Comparative reference points named by the author: the US *Microsoft* antitrust case; the EU GDPR data-portability right; the EU Digital Markets Act (gatekeepers, interoperability mandates); Urs Gasser's work on interoperability; and China's 3Q War (Tencent v. Qihoo). - The forward-looking compliance analogy tracks China's [Generative AI Services Interim Measures](/laws/genai-services-interim-measures/) model of ex-ante, disclosure-based AI duties. > This is an editorial summary, not a translation. The "reverse > interoperability" framing and the governance prediction are Li > Wenlong's analytical proposals, not settled Chinese law; any > simplification or error of emphasis is DCC's. **Not legal advice.** --- ## Is There Such a Thing as 'Game Data Compliance' in China? — Li Wenlong's Field Notes - Published: 2025-12-09 - Author: DCC Editorial - Tags: personal-information, pipl, app-compliance, gaming, enforcement, academic-commentary - Laws cited: pipl, network-data-security-regulations - Domains: personal-information, app-compliance - URL: https://datacompliancechina.com/posts/in-game-personal-data-collection-china/ - Markdown: https://datacompliancechina.com/posts/in-game-personal-data-collection-china.md - Original source: https://mp.weixin.qq.com/s/EF7L9R6wMlo_Cz8OZXsZnA - Original author: 李汶龙 (Li Wenlong) - Original publication: 科技利维坦 WeChat Official Account ### Description Li Wenlong (科技利维坦) reports field observations on personal-data collection inside Chinese games, framed around three questions: is there an industry-specific 'game data compliance' mode; where is enforcement actually concentrated; and does the Chinese picture differ from abroad. His read: domestic game-data compliance is still at a 'wild-west stage' — the violations being caught are the blunt, clearly-unlawful kind (a game demanding photo-album permission), and the enforcement frontier is no different from any other app ecosystem. A principle-level framework was in place before 2023, but the yardstick stays crude, with no breakthrough on concrete evaluation standards — which caps how deep either enforcement or compliance can go. Overseas (GDPR and consumer law), games were under-scrutinised until the last year or two. The forward warning: games will be the main carrier of VR and will embed many models, so the compliance picture is about to get far more complex. For overseas counsel advising game studios on the China market: a reality check on what is — and isn't — being enforced. ### Body > *Editor's Note — DCC.* > > This brief summarises the framing observations Li Wenlong (李汶龙) > published on the 科技利维坦 channel to accompany a talk — > 《游戏内个人数据收集的界限和合法性基础》— given to game-industry > practitioners at the invitation of Kaiying Network (恺英网络). The > substance of the talk lived in a slide deck that was not part of the > public post, so this brief reports Li's **stated observations and the > three questions that framed them**, not the slide-by-slide detail. We > run it because the headline finding — that there is, as yet, no > industry-specific "game data compliance" in China, only generic app > enforcement — is exactly the kind of ground-truth a counsel advising a > game studio on the China market needs, and is rarely stated this > plainly. ## The three questions Games are a business form Li says he had touched little, so he used the invitation to probe the domestic compliance ecosystem and enforcement frontier around three questions: 1. Is there an industry-specific compliance mode that could be called **"game data compliance"** — i.e., game-scenario-specific rules and standards, rather than generic app rules applied to games? 2. Where is game-data-compliance **enforcement** actually concentrated? 3. Does the domestic picture **differ from abroad**? ## What he found **Still a "wild-west stage" (草莽阶段).** Almost everything being caught is a serious, clearly-unlawful violation — his example is a game **demanding access to the user's photo album** (索取相册权限) with no legitimate basis. The discussion has not yet reached the industry-specific scenarios that would make "game data compliance" a distinct discipline; the enforcement frontier for games is, in practice, **no different from any other app ecosystem**. **A framework without a fine yardstick.** At the level of *principle*, a full system was in place before 2023 — the familiar PIPL-and-app-rules stack on notice, consent, minimisation and lawful basis. But the yardstick stays crude: there has been no breakthrough on the *concrete evaluation standards* that would let a regulator (or a compliance team) judge a borderline collection practice inside a game. That gap directly caps how deep enforcement and compliance can go — you cannot adjudicate fine questions with blunt instruments. **Abroad was late too.** Looking at GDPR and overseas consumer law, Li notes that games were comparatively under-scrutinised for years; only in the last year or two have game-specific complaints and litigation begun to appear. So China is not uniquely behind here — the whole field is early. **The complexity is coming.** His forward note: games will be the main carrier of **virtual reality**, and will increasingly **embed models**. Once that happens, the compliance picture — today dominated by blunt permission-overreach cases — becomes far more complex, layering AI and immersive-environment data issues on top of ordinary app collection. ## Why overseas counsel should care - **Don't over-engineer for rules that don't exist yet.** There is no game-specific Chinese data regime to map to; the operative framework is [PIPL](/laws/pipl/) and the general app/network-data rules, including the [Network Data Security Management Regulations](/laws/network-data-security-regulations/). Compliance effort is better spent on the basics that are actually enforced — permission minimisation, lawful basis, honest notice. - **The blunt stuff is what gets caught.** Photo-album, contacts, location and similar over-collection — not subtle, game-specific processing — is the live enforcement risk today. - **Build for the next phase now.** Studios moving into VR or embedding models should anticipate that the standards will tighten and the scenario-specific scrutiny that is absent today will arrive. For the same author on where AI-specific rules *are* hardening, see DCC's note on [system prompts as a regulatory instrument](/posts/system-prompts-as-regulatory-instrument/). ## DCC sources - Original: 李汶龙 (Li Wenlong), 《游戏内个人数据收集的界限和合法性 基础》(talk framing notes), 科技利维坦 WeChat Official Account ([source](https://mp.weixin.qq.com/s/EF7L9R6wMlo_Cz8OZXsZnA)). The detailed slides referenced in the post were not part of the public text. - Operative Chinese framework: the [Personal Information Protection Law](/laws/pipl/) and the [Network Data Security Management Regulations](/laws/network-data-security-regulations/). > This is an editorial summary of Li Wenlong's published observations, > not a translation, and not based on the slide deck (which was not > public). Any simplification or error of emphasis is DCC's. **Not legal > advice.** --- ## Mutual Trust Mechanisms for Cross-Border Data Flow — China's 'Trusted Data Space' Bet - Published: 2025-11-20 - Author: DCC Editorial - Tags: cross-border, trusted-data-space, confidential-computing, data-sovereignty, commentary - Laws cited: dsl, pipl, csl, cross-border-data-flows-provisions - Domains: cross-border, data-economy - URL: https://datacompliancechina.com/posts/compliance-talker-cross-border-mutual-trust-trusted-data-spaces/ - Markdown: https://datacompliancechina.com/posts/compliance-talker-cross-border-mutual-trust-trusted-data-spaces.md - Original source: https://mp.weixin.qq.com/s/K0bJsC3XaNCWcws2wZBeCg - Original author: 全球法律政策研究 (Global Legal Policy Research Team) - Original publication: 合规小叨客 ### Description Compliance Talker's global legal policy team analyzes three competing models for cross-border data mutual trust: the EU's 'rule trust' (adequacy + SCC), the US's 'market trust' (CLOUD Act + DPF), and China's 'technology trust' bet on Trusted Data Spaces (TDS). The NDA's November 2024 *TDS Development Action Plan 2024-2028* makes confidential computing, federated learning, and blockchain the technical layer through which China seeks to demonstrate cross-border data flow can be 'usable but invisible.' For overseas teams, this is the most concrete view of where Chinese cross-border data infrastructure is heading. ### Body > *Editor's Note — DCC.* > > Cross-border data flow attracts a lot of regulatory-comparison > commentary — most of it focused on the substantive rules. Compliance > Talker's piece is unusual: it focuses on the **mutual trust > infrastructure** that makes cross-border flow operationally possible > in the first place, and frames China's bet on Trusted Data Spaces > (可信数据空间) as a fundamentally different architectural choice from > the EU's "rule trust" or the U.S.'s "market trust" model. DCC's > framing brings out the comparative architecture and the operational > implications for multinationals trying to operate across all three > systems. ## The mutual-trust problem Cross-border data flow growth is enormous — McKinsey projects global data-flow value reaching $11 trillion by 2025. Each 10% increase in data flow raises GDP by 0.2%. Yet international mutual trust mechanisms are radically underdeveloped: - EU adequacy decisions: as of October 2025, **only 15 countries / regions** have received adequacy. - The U.S. CLOUD Act creates direct conflicts with non-aligned jurisdictions. - China operates under DSL / PIPL / CSL with no inbound adequacy from EU and increasing scrutiny from U.S. The consequence: high compliance costs (Meta fined €1.2B for invalid Privacy Shield; TikTok fined €530M for failing to demonstrate equivalent protection in China), data silos (only a tiny fraction of global data crosses borders), and innovation drag in fields requiring cross-border data (autonomous vehicles, biopharma). The Compliance Talker piece frames cross-border mutual trust as a single problem with three competing architectural answers. ## Three models — rule trust vs market trust vs technology trust ### EU — Rule Trust The EU model uses GDPR's adequacy framework + SCCs / BCRs. Trust derives from *substantive legal protection equivalence* — if the receiving jurisdiction has "substantially equivalent" privacy protection, data may flow freely; otherwise, contractual safeguards (SCCs / BCRs) substitute. Strengths: high individual-rights protection; deeply established jurisprudence. Weaknesses: only 15 jurisdictions have achieved adequacy; SCCs / BCRs impose heavy compliance burden; the framework is criticized as a "digital wall." Why the EU runs this model: long history of strong privacy protection + relative scarcity of dominant EU internet platforms means the EU benefits from constraining U.S. tech companies' EU data collection. ### U.S. — Market Trust The U.S. model favors data free flow with industry self-regulation + bilateral agreements as the trust substrate. No comprehensive federal data protection law; the **CLOUD Act** asserts "data-controller jurisdiction" — U.S. authorities can reach data held by U.S.-incorporated entities regardless of physical storage location. Mutual trust mechanisms: the EU-U.S. Privacy Shield (struck down in Schrems II 2020), succeeded by the EU-U.S. **Data Privacy Framework** (2023); USMCA-style trade agreements promote U.S. data-governance norms in partner jurisdictions. Strengths: enables Google / Meta / cloud-services global operations. Weaknesses: regulatory under-enforcement; foreign governments object to U.S. extraterritorial reach. ### China — Technology Trust The Compliance Talker team's framing of China's model is the most distinctive contribution of the piece. China's response is not primarily *rules* or *markets* — it's **technology**. The doctrinal foundation: CSL + DSL + PIPL establish the three pathways (security assessment / SCC / certification) for personal information cross-border. **But** the technical infrastructure layer — **Trusted Data Spaces (可信数据空间)** — promises a fundamentally different mutual-trust posture: *data that can be used cross-border while staying invisible to the receiving party*. The NDA's **November 2024 *Trusted Data Space Development Action Plan (2024-2028)*** is the national-level systematic deployment. | | EU "Rule Trust" | U.S. "Market Trust" | China "Technology Trust" | |---|---|---|---| | **Trust source** | Substantive legal equivalence | Industry self-regulation + bilateral agreements | Technical control of data usage | | **Operational vector** | Adequacy / SCC / BCR | CLOUD Act + DPF / USMCA | TDS + confidential computing + blockchain + standard pathways | | **Cross-border friction** | High (legal compliance burden) | Low (for U.S. operators) | High but declining (as TDS infrastructure matures) | | **Sovereignty trade-off** | Privacy-rights-centric | Market-access-centric | Sovereignty + technology-controllable | ## What Trusted Data Spaces actually are The TDS Action Plan's vision: a distributed-architecture data collaboration ecosystem implementing **three core capabilities**: - **Data sovereignty controllable** (数据主权可控) - **Joint processing efficient** (联合加工高效) - **Value allocation fair** (价值分配公平) The technical architecture has three layers: - **Infrastructure layer** — cross-border data centers (e.g., Beijing Daxing International Airport "International Data Port") providing storage + compute, with physical-residency provenance. - **Trusted interaction layer** — blockchain attestation + privacy-computing engines providing data-usage audit across the full lifecycle. - **Application service layer** — data rights confirmation, pricing, cross-border settlement tools. **Confidential computing** is the technical core. The premise: cross-border data flow needn't require the receiver to *see* the raw data — it requires that the receiver be able to *use* (compute on) the data within a controlled environment where the data remains encrypted and the data owner retains visibility into how it's being processed. ### Scenario-based grading of mutual-trust mechanisms TDS uses scenario sensitivity to allocate technical approach: - **High-sensitivity scenarios** (e.g., personal health data) — *federated learning + differential privacy*, ensuring original data stays in domain. - **Medium-sensitivity scenarios** (e.g., manufacturing data) — *blockchain attestation + data-element-ization*, ensuring processing is auditable. - **Low-sensitivity scenarios** (e.g., meteorological data) — *open API* for direct flow, prioritizing efficiency. The model handles different sensitivity-level data differently. For high-sensitivity flows the technical bar is high; for low-sensitivity flows the technical bar is low. The *uniform substantive rule* is replaced by a *graduated technical architecture*. ## Institutional layering — China's dual-track approach The TDS technical infrastructure is paired with institutional reforms: ### Domestic institutional innovation - **Data classification and grading management** — DSL + Network Data Security Regulation establish the floor; sector-specific catalogues build on top. - **FTZ negative lists** — Beijing, Tianjin, Shanghai, Zhejiang, Hainan publish sector-specific catalogues; data off the list flows cross-border under exemption. - **Data prohibited from cross-border export** — national security / biological genetic / other core sensitive data. ### International institutional convergence China has pursued several institutional vectors for international mutual trust: - **RCEP** — Asia-Pacific Cross-Border Privacy Rules (CBPR) accession negotiation. - **CPTPP application** — including data-flow provisions. - **DEPA application** — Digital Economy Partnership Agreement. - **FTZ offshore data bonded zones** — exploratory international mutual recognition. The Compliance Talker team's read: China is using *technology trust* as the differentiator while institutional convergence catches up — the technical layer can deliver auditable cross-border data flow before the institutional layer (treaty-based mutual recognition) is fully built. ## The operational implications for multinationals ### Implication 1 — TDS may emerge as a practical alternative to standard CAC pathways For data flows that don't qualify for the 2024 CBDF Provisions exemptions, the standard CAC pathways (security assessment / SCC / certification) impose significant friction. TDS-based flows — where data stays in a controlled processing environment with blockchain-attested usage tracking — may offer a third operational vector: cross-border *use* without cross-border *transfer*. This is most relevant for: - **Joint research and development** between China-based and overseas teams. - **Pharmaceutical and biotech data analytics** where source data is highly sensitive but analytical results can flow freely. - **AI model training** using Chinese training data without the training data leaving the controlled environment. The TDS Action Plan's 2024-2028 timeline suggests this becomes operationally available within compliance teams' current planning horizon. ### Implication 2 — Cross-border data infrastructure is becoming a strategic asset Beijing's Daxing International Airport "International Data Port" and similar physical infrastructure (cross-border data centers in FTZ-host zones) are emerging as the operational layer where multinationals will route their high-sensitivity China data flows. Foreign-invested entities should evaluate whether their China data infrastructure architecture is positioned to integrate with the TDS framework as it rolls out. ### Implication 3 — The CBPR / CPTPP / DEPA negotiating track matters for long-term posture China's pursuit of international data agreements through CBPR (Asia-Pacific) and applications to CPTPP / DEPA could, over the next 2–4 years, create the *institutional* mutual-trust framework to complement the *technical* one. Multinationals with strong Asia-Pacific operations should watch this track — and may benefit from positioning their China entity to take advantage of CBPR-certified status as the framework matures. ## Why this matters for overseas teams Three takeaways: - **China's cross-border data architecture isn't just "more restrictive" — it's structurally different.** EU mutual trust runs on adequacy + SCCs. U.S. mutual trust runs on CLOUD Act + bilateral executive agreements. China is building mutual trust through *technical architecture* (TDS + confidential computing) layered with institutional channels. Compliance teams that think of China cross-border purely through the EU lens will miss the operational path the technology layer opens. - **TDS is not a marketing concept — it's national infrastructure.** The NDA's 2024-2028 Action Plan, the Beijing Daxing International Data Port, the FTZ pilots all signal that TDS is being built as production-grade infrastructure, not a research demo. Compliance architects planning 3-5 year cross-border data strategy should treat TDS-based flows as a credible future option, not science fiction. - **The compliance friction calculus may invert.** Today, China cross-border data flow is significantly more friction-heavy than EU or U.S. cross-border. By 2027-2028, for compliant use cases that fit TDS architecture (joint R&D, analytics on sensitive data, AI training), the friction may invert — TDS-based flow may be operationally simpler than EU SCCs or U.S. discovery exposure. The deeper point in the Compliance Talker piece is that **China is making a sustained, infrastructure-level bet that the cross-border-data problem can be solved through technical control rather than substantive-rule equivalence**. For overseas counsel watching Chinese data policy, this is the most consequential strategic move underway — and it deserves serious operational attention. --- — Compliance Talker (合规小叨客) Global Legal Policy Research Team, *原创 || 数据要素跨境流动互信机制研究——探索兼顾安全与效率的互信机制* (Research on Mutual Trust Mechanisms for Cross-Border Data-Element Flow — Exploring Trust Mechanisms Balancing Safety and Efficiency), 合规小叨客 WeChat Official Account, November 20, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/K0bJsC3XaNCWcws2wZBeCg) *Not legal advice. The above is DCC's structured summary of the source article's analysis; not a verbatim translation. The source carries an original-content non-republish clause and is summarized here under fair-use principles with full attribution.* --- ## Reading the FRT Application Measures — What the 100k-Record Filing Threshold Actually Triggers - Published: 2025-10-28 - Author: DCC Editorial - Tags: facial-recognition, frt-measures, sensitive-personal-information, filing-regime, commentary - Laws cited: facial-recognition-technology-application-measures, facial-recognition-judicial-interpretation, pipl - Domains: personal-information, enforcement - URL: https://datacompliancechina.com/posts/compliance-talker-frt-application-measures-impact/ - Markdown: https://datacompliancechina.com/posts/compliance-talker-frt-application-measures-impact.md - Original source: https://mp.weixin.qq.com/s/Pp_IuQ51wq0yrARWqQ0Y8g - Original author: 全球法律政策研究 (Global Legal Policy Research Team) - Original publication: 合规小叨客 ### Description The Administrative Measures for the Application Security of Facial Recognition Technology took effect June 1, 2025. The May 2025 announcement on FRT filing implementation followed. Compliance Talker's global legal policy team walks through the seven specific compliance obligations the Measures impose — the non-exclusive-use rule, end-side storage default, 100k-individual filing threshold, separate-consent reinforcement, PIA mandate, and more — with practical implementation guidance on each. For overseas firms with any China-facing FRT deployment, this is the operational walkthrough. ### Body > *Editor's Note — DCC.* > > The *Administrative Measures for the Application Security of Facial > Recognition Technology* (《人脸识别技术应用安全管理办法》) — China's > first standalone facial-recognition statute — were jointly issued by > CAC and MPS on March 20, 2025 and took effect June 1, 2025. The > *Announcement on Conducting FRT Filing Work* of May 28, 2025 added > the operational filing procedure. Compliance Talker's team produced a > detailed walk-through five months after effective date — the > compliance picture has stabilized enough to deliver concrete > operational guidance. DCC's framing emphasizes what the rules > actually require of overseas-facing FRT deployments. ## Scope — what the Measures apply to The Measures apply to: *"the application of facial recognition technology to process facial information within the territory of the PRC."* The scope is **focused and specific** — facial-feature-based biometric identification using already-collected facial information to identify or verify individuals. Two operational modes are covered: - **One-to-one** verification — comparing a captured face against a single specific stored facial record to verify identity. Example use cases: airport / high-speed-rail identity verification against ID documents; mobile payment / online banking facial login. - **One-to-many** recognition — comparing a captured face against a database of records to identify a specific individual. Example use cases: public-security suspect tracking; missing-person searches; mall and office-building security; school attendance; hotel self-check-in. The Measures **do not apply** to FRT used for technology R&D or algorithm training. (Those activities remain subject to PIPL, the sensitive-PI rules under TC260 guidance, and other data-compliance regimes — but not the Measures themselves.) ## Seven concrete obligations the Measures impose ### 1. The non-exclusive-use rule > *"Where the same purpose or business requirement can be achieved through non-facial-recognition technology, FRT shall not be the sole verification method. Where otherwise provided by the State, follow those provisions."* This is the *necessity test*, codified. For most identity-verification scenarios — app login, in-person service identity check — at least one non-FRT alternative (SMS code, ID document check, etc.) must be provided. The technical implementation should avoid *"default-tick"* or *"hidden skip"* dark patterns that nudge users toward FRT. Where FRT is the only viable verification method (in narrow technical scenarios), the data handler must produce a *multi-modal verification analysis report* documenting why other methods are not feasible — for example, demonstrably inferior accuracy or efficiency, or disproportionate business cost of alternatives. ### 2. Preferred use of national-identity infrastructure For one-to-one verification scenarios, the Measures encourage *priority use of the **National Population Basic Information Database** and the **National Network Identity Authentication Public Service***. The implication: where regulated identity verification is needed (e.g., real-name registration), use the state-provided identity infrastructure rather than building independent FRT systems. ### 3. Prohibition on coerced FRT consent No organization or individual may, for reasons of *"providing services" or "improving service quality,"* mislead, deceive, or coerce individuals into accepting FRT-based identity verification. The hard-stop matters for product designers who use friction or feature gating to push users toward FRT. ### 4. Public-space deployment rules For FRT devices in public spaces: - Deployment must be **necessary for public security**. - The **collection area must be lawfully and reasonably determined**. - **Visible notice signs** must be set up. - **No FRT in private spaces** within public venues — explicitly: hotel guest rooms, public bathhouses, public changing rooms, public toilets. (The latter list responds to documented incidents — see the 2025 Shanghai swimming-pool changing-room case the Compliance Talker team cites.) ### 5. Technical security measures FRT application systems must implement: *data encryption, security audit, access control, authorization management, intrusion detection and defense.* The list is referenced from existing TC260 / GB standards, now made mandatory under the Measures. ### 6. End-side storage default > *"Facial information shall be stored within facial recognition equipment. It shall not be transmitted externally via the internet, except where otherwise provided by laws / administrative regulations, or with separate individual consent."* This is **the most operationally consequential provision** in the Measures. The default is **end-side storage** — facial information stays on the device that collected it. Cloud storage and external transmission are *prohibited* absent (a) statutory authorization or (b) **separate individual consent**. The Measures upgrade what was previously a TC260 recommended-standard preference (end-side storage) into a **mandatory legal requirement**. The compliance implication for an FRT product: - *"Non-essential, non-stored"* — FRT data should be processed and deleted (or anonymized) where possible. - Where storage is necessary, **end-side storage by default**. - Where cloud storage or external transmission is needed, **product design must include a consent prompt (pop-up or checkbox)** obtaining separate individual consent, and the data must be encrypted in transit and at rest. ### 7. 100,000-record filing trigger — the regulatory headline > *"PI handlers shall, within 30 working days from the date when the stored facial information processed using FRT reaches 100,000 individuals, perform filing procedures with the provincial-level or higher CAC of their location."* The filing regime is China's third major direct-supervisory channel alongside data-export filing and large-model algorithm filing. Specific operational parameters: - **Counting unit**: number of *individuals* whose facial data is stored (deduplicated), not number of records. - **Cumulative basis**: historical accumulated stored count (cache that's "used and deleted" generally excluded; end-side-stored data inaccessible remotely is generally excluded). - **Excluded scenarios**: FRT R&D and algorithm training are out of scope. - **Filing trigger**: 30 business days after crossing the 100k threshold. - **Filing materials**: processing rules, security measures, evaluation report, and other materials specified in the *FRT Filing Announcement* (May 28, 2025). - **Material change re-filing**: substantial changes to processing volume or method require re-filing. - **Filing cancellation**: discontinuation of FRT use requires cancellation filing. The 100,000 threshold is meaningfully *higher* than the 10,000 threshold in the 2023 draft for public consultation. The Compliance Talker team's reading: the regulator chose to *raise the threshold* to reduce compliance burden on smaller deployments while concentrating enforcement attention on larger-scale FRT operators. ## Statutory underpinnings the Measures reinforce The Measures don't create new PIPL obligations — they make existing PIPL obligations concrete for the FRT context: | Measures Provision | PIPL Anchor | |---|---| | Specific purpose + necessity + minimum-impact protection | PIPL Article 6 (purpose limitation + necessity) | | Notice obligation | PIPL Articles 17, 30 | | Separate, voluntary, explicit consent | PIPL Article 29 (sensitive PI); Article 31 (minors under 14 — parent/guardian consent) | | Pre-deployment Personal Information Impact Assessment | PIPL Article 55 (PIA mandatory for sensitive PI) | | Maximum-necessary storage duration | PIPL Article 19 | The Measures stack on top of the existing standards (**GB/T 44248-2024**, **GB/T 41819-2022**) and judicial framework (the **SPC FRT Judicial Interpretation** — see [DCC's law page](/laws/facial-recognition-judicial-interpretation/)). ## Why the Measures came out when they did The Compliance Talker team identifies two drivers: - **Legislative trajectory** — PIPL Article 62 directed the development of FRT-specific implementation rules. The Measures are that delivery. - **Enforcement-pull from documented FRT misuse cases** — a 2024 Zhoushan real-estate firm collected facial data of viewing customers without consent for commission settlement; a 2025 Shanghai swimming-pool installed FRT in a changing room. These cases drove regulatory urgency. The Measures' regulatory model is *dual-track*: **full-lifecycle management** (collection / storage / transmission / destruction, with closed-loop controls) **+ scenario-based grading** (public-safety scenarios permitted with conditions, private spaces flatly prohibited). ## Implementation guidance for foreign-invested entities The Compliance Talker team gives a long operational playbook. Three of the most important items for overseas firms: ### Implementation 1 — Verification design audit For any business flow that uses FRT for identity verification (app login, in-person service check, employee access control): - Implement at least one non-FRT alternative (SMS, document check, password, hardware key). - The non-FRT alternative must be *reasonably available* — no dark patterns ("default-checked FRT option," "hidden skip button") that push users toward FRT. - If FRT must be the sole method, prepare a *multi-modal verification analysis report* documenting why non-FRT alternatives are unsuitable (accuracy / efficiency / cost differential). ### Implementation 2 — Storage architecture rebuild For FRT data currently transmitted to the cloud or to centralized servers: - Default to **end-side storage**. - Where central / cloud storage is required, redesign the consent UI: explicit pop-up or checkbox obtaining separate consent before any external transmission. - Encrypt at rest and in transit. - Build the *dynamic counting and threshold-alert system* to monitor stored individual count and trigger filing process at the 100k threshold. ### Implementation 3 — Filing workflow For entities with FRT stored data approaching or above 100k individuals: - **Existing systems**: inventory storage distribution and total count. If already ≥100k individuals, complete filing per the *FRT Filing Announcement* with the provincial-level CAC. - **New systems**: build pre-deployment filing into product launch workflow. Track storage growth; file within 30 business days of crossing 100k. - **Material changes**: process re-filing for substantial volume changes or processing-method changes. The filing timeline: - Entities exceeding 100k at the time the Measures took effect (June 1, 2025): files due within 30 business days from the date the threshold was exceeded. - Entities exceeding 100k after the effective date: files due within 30 business days from the date the threshold is exceeded. ## Why this matters for overseas teams Three takeaways: - **The 100k filing threshold is the headline operational change.** Foreign-invested entities running FRT deployments at any scale should immediately benchmark their stored-individual counts. A 100k+ deployment without filing is now a direct violation; entities approaching the threshold should architect for filing readiness. - **The end-side storage default rebuilds product architecture.** Cloud-based facial recognition products are now legally disfavored by default. The compliance architecture for new FRT products in China should assume end-side storage as the baseline, with cloud only as a separately-consented exception. This will materially affect how foreign FRT vendors structure their China product offerings. - **The non-exclusive-use rule changes user-experience design.** Product flows that pushed users toward FRT through default-tick / hidden-skip patterns are now non-compliant. UX reviews should specifically check for these patterns and offer reasonably accessible alternatives. The deeper point in the Compliance Talker piece is that **FRT regulation in China has matured from principle-based PIPL provisions into operational rules with specific filing channels**. Compliance teams should now treat FRT as a *separately supervised* category — alongside cross-border data export and large-model algorithm filing — rather than as one application of general PI compliance. --- — Compliance Talker (合规小叨客) Global Legal Policy Research Team, *原创 || 《人脸识别技术应用安全管理办法》解读与企业影响分析* (Interpretation of the Administrative Measures for the Application Security of Facial Recognition Technology and Enterprise Impact Analysis), 合规小叨客 WeChat Official Account, October 28, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/Pp_IuQ51wq0yrARWqQ0Y8g) *Not legal advice. The above is DCC's structured summary of the source article's analysis; not a verbatim translation. The source carries an original-content non-republish clause and is summarized here under fair-use principles with full attribution.* --- ## How to Identify 'Important Data' — A Plain-Language Method from Wang Qinglan - Published: 2025-10-16 - Author: DCC Editorial - Tags: important-data, data-classification, cross-border, dsl, commentary - Laws cited: dsl, csl, network-data-security-regulations, data-export-security-assessment-measures, cross-border-data-flows-provisions - Domains: data-security, cross-border - URL: https://datacompliancechina.com/posts/qinglan-how-to-identify-important-data/ - Markdown: https://datacompliancechina.com/posts/qinglan-how-to-identify-important-data.md - Original source: https://mp.weixin.qq.com/s/eAD9Zhd-cbA5umcLoU9rxA - Original author: 王青兰 (Wang Qinglan) - Original publication: 青兰数据观察 ### Description Wang Qinglan, head of compliance at a Chinese data exchange, walks through China's unique 'important data' concept in plain language: where it came from, why no other major jurisdiction has anything quite like it, how the U.S., EU, Japan and Korea solve the same problem differently, and — most useful for compliance teams — three methods to identify whether a dataset is 'important' in practice. Her own 'unorthodox' shortcut: ask whether a hostile foreign actor could use this data to cause trouble. If yes, treat it as important data. ### Body > *Editor's Note — DCC.* > > "Important data" (重要数据) is a uniquely Chinese legal concept that > overseas compliance teams stub their toes on more often than any other > piece of vocabulary in the regime. Wang Qinglan — legal-tech PhD, > post-doctoral computer scientist, head of compliance at a Chinese data > exchange — wrote this piece as a deliberately plain-language explainer. > The 邪修 ("unorthodox") shortcut in her title is the part most > compliance practitioners will find immediately useful: a thought > experiment that captures the regulatory intent better than any of the > formal definitions. We summarize her argument with DCC framing for > overseas counsel, including the international comparison and the > identification method — but the metaphor at the heart of this piece is > hers. ## What "important data" is — and isn't Wang frames important data as the **VIP tier** of the Chinese data classification regime. Two attributes define it: - **Importance** — the data relates to a specific sector (e.g., finance, telecom, healthcare), a specific population (e.g., military, government), or a specific geography (e.g., classified locations); or it has unusual precision (e.g., high-precision maps); or it has unusual scale (e.g., statistics on 10 million people). - **Harm severity** — if the data were tampered with, damaged, leaked, unlawfully acquired, or misused, the consequence could threaten national security, disrupt economic order, undermine social stability, or affect the health and safety of the population. The DSL formalized a three-tier classification in 2021: **general data** (一般数据), **important data** (重要数据), and **core data** (核心数据). Important data and core data are the protected tiers. Core data is the VVIP — data so important that its compromise would cause "major trouble" for the state. ## Why China created the category — and why no one else has Wang's historical note: "important data" first appeared in Article 37 of the **Cybersecurity Law** (2016), which required Critical Information Infrastructure Operators to store important data domestically and run a security assessment before any cross-border transfer. The **Data Security Law** (2021) then built out the classification-and-grading regime and the important-data protection framework. China is, by Wang's reading, the first major jurisdiction in the world to make "important data" a defined legal concept. The point of the category, Wang argues, is **proactive perimeter-drawing**. Western jurisdictions tend toward *reactive* mechanisms: national security review of specific transactions, export controls on specific items, CFIUS-style screening for specific deals. China codifies the perimeter up front: a defined category of data, with mandatory localization and pre-export assessment, regardless of who is moving it or why. She compares the four major non-Chinese approaches: - **United States — Controlled Unclassified Information (CUI).** Created by Executive Order 13556 (2010). Covers law-enforcement information, personal privacy, trade secrets, and national-security-adjacent sensitive data. *But:* CUI only governs data held by federal agencies, not the private sector's own data. Cross-border CUI transfer is restricted through a patchwork — Export Control Reform Act for military and dual-use tech; CFIUS review for transactional risk; intelligence-sharing agreements; sector-specific health-data and financial-data rules. There is no single CUI cross-border regime. - **European Union — GDPR adequacy.** GDPR contains no "important data" category and no "national security data" category. Its cross-border regime is centered on *individual privacy*: data may flow to a third country if the European Commission has issued an "adequacy decision" recognizing that country's protection level (Japan, Korea, the UK, etc. have it; the U.S. operates through the Data Privacy Framework). Where adequacy is absent, transfer requires Standard Contractual Clauses, Binding Corporate Rules, or another safeguard. National security exceptions exist at member-state level (France and Germany invoke them for defense and CII data) but there is no EU-wide *important data* concept. The Data Act and Data Governance Act protect non-personal data through trade-secrecy and access-restriction routes, not through a defined sensitivity category. - **Japan — APPI plus CII Security Law.** Japan secured EU adequacy in 2019 (first Asian country to do so). Its APPI requires consent or contractual safeguards for cross-border PI transfer. The CII Security Law layers security obligations onto operators of critical systems. No explicit "important data" catalogue — instead, guidance and industry standards identify "important personal information" or "sensitive information" requiring additional protection. The Japan model: high PI protection + sector security law, in exchange for international data flow. - **Korea — PIPA plus security legislation.** Korea earned EU adequacy in 2021 (second in Asia). PIPA restricts cross-border PI transfer absent consent or comparable safeguards. Defense and intelligence-sector data is restricted by special legislation. Korea trades off slightly more openness against China's more closed approach to participate in the global digital economy. The closest international parallel to "important data," Wang notes, is **Vietnam**, which has adopted a similar concept but has not yet promulgated implementation rules. ## Why cross-border is the choke point The reason important data attracts so much attention, Wang argues, is that the cross-border vector is where the national-security risk crystallizes. *Domestic* mishandling of important data is an internal problem; *cross-border* mishandling becomes a potential weapon in the hands of a foreign actor. The Chinese cross-border important-data regime: - **Default localization.** Important data, as a rule, must be stored within China (DSL + CSL). - **Pre-export security assessment.** Cross-border transfer requires a security assessment under the *Measures for the Security Assessment of Data Export* (2022). CIIO transferors must run the assessment for *any* important data; other transferors must run it for important data they transfer. - **No alternative path.** Unlike personal information — which has three cross-border pathways (security assessment / standard contract / certification) — important data has only one path: security assessment. There is no SCC or certification shortcut. - **The 2024 exemption.** The *Provisions on Promoting and Regulating Cross-Border Data Flow* (March 2024) introduced a critical practical relief: **if no regulator or sectoral catalogue has notified you that your data is "important data," you are not required to declare it as such**. The data transfer will not be deemed unlawful for failure to treat it as important data. This shifts the identification burden away from a pure self-assessment posture and toward a regulator-led notification model. ## Three methods to identify important data in practice This is the operationally useful core of Wang's piece. Three identification methods, applied in sequence: ### Method 1 — Sectoral catalogue or guideline "Whoever supervises is responsible for identifying" (谁主管谁负责). Each sector regulator is expected to publish its own important-data catalogue and identification rules. Some examples: - **Geographic / surveying data** — Ministry of Natural Resources. - **Financial data** — People's Bank of China + financial-sector regulators. - **Automotive data** — *Automotive Data Security Management Provisions (Trial)* (2021) listed vehicle traffic data and charging-network operational data as important data. The *Automotive Data Export Security Guide (2026 Edition)* (8 ministries, Jan 2026) added 27 categories / 51 important data items across R&D, manufacturing, autonomous driving, OTA, and connected-operations scenarios — the first sector-level "full catalogue" published. - **Telecom / industrial data** — MIIT-led, with sector standards still developing. For sectors with published catalogues, identification is a checklist exercise. ### Method 2 — National standard reference Where no sectoral catalogue exists, the operational reference is **GB/T 43697-2024 (*Data Security Technology — Rules for Data Classification and Grading*)** and its **Annex G — Important Data Identification Guide**. Annex G provides identification dimensions (sector / population / geography / aggregation effect / precision) that compliance teams can apply to their own data sets. This is still a self-assessment posture — but anchored to a national standard rather than free-form judgment. ### Method 3 — The "unorthodox" thought experiment Wang's contribution to the operational literature is what she calls the **邪修 ("unorthodox") method**: a plain-language thought experiment that captures the regulator's underlying intent. > *"If a hostile foreign actor obtained this data, could they use it to cause trouble for China — politically, economically, socially, or for public health and safety?"* If the answer is *probably yes* — treat it as important data, regardless of whether any sectoral catalogue has named it. Her illustrative example: a data exchange's subsidiary aggregated bulk transaction data and sold it to a foreign institution. The aggregated data was then used in foreign analyses framing the Chinese economy as collapsing — which the regulator viewed as a national-security harm. The company was sanctioned. The thought experiment, applied prospectively, would have caught this. Wang's framing: this is not a substitute for the formal identification methods, but a *cross-check*. When the catalogue says no but the thought experiment says yes — escalate. When the thought experiment says no — most ordinary business data will not become important data merely through aggregation. ### Free-trade-zone negative lists (regional supplement) Beyond the three sector-and-national methods, Free Trade Zones (FTZs) have been permitted to publish their own data-export negative lists. Data on the negative list is "important" within the FTZ — needing security assessment for export. Data off the list flows freely. FTZ negative lists currently published include Tianjin, **Beijing** (the 2025 version expanded to all of Beijing with 9 sectors / 67 scenarios / 612 fields), **Shanghai**, and **Guangxi**. The negative-list mechanism is the most practical operational tool overseas teams can leverage when transferring data through these regions. ## What Wang's piece tells overseas compliance teams The piece reads as a primer for a Chinese audience, but four implications matter operationally for overseas counsel: - **You probably aren't holding important data by accident.** The 2024 CBDF Provisions Article 3 / 4 exemption — *"if no regulator has notified you and your data isn't on any published catalogue, you don't need to declare it as important data"* — is the most important practical relief in this regime. For most ordinary business data, a documented self-assessment showing the absence of catalogue inclusion is sufficient. - **Sector catalogues are the dominant identification vector going forward.** The 2026 automotive guide is the template. Compliance teams in finance, healthcare, telecom, geographic / surveying, and AI sectors should expect to operate against published catalogues within 12–24 months. Build the classification framework against an evolving catalogue, not against a static one. - **Aggregation is the most common failure mode.** Wang's case — bulk transaction data + foreign sale + adverse analytical use — is the canonical important-data failure pattern. Compliance teams should pay particular attention to the aggregation step, not just the source data classification. - **FTZs are the operational lever.** If a multinational has operations in Beijing, Shanghai, Tianjin, or other FTZ-hosting zones, the negative-list mechanism is the cleanest way to operate cross-border. Map flows to negative lists where possible; flows outside the list move under the standard exemption. The deeper point in Wang's piece is that **the Chinese important-data regime is a different *architecture* of cross-border data control**, not a more or less strict version of the GDPR-style adequacy regime. Overseas teams that internalize the Subject × Object framework (see [DCC's Overview page](/overview/)) and the sector-catalogue identification pattern will operate the regime efficiently. Teams that try to retrofit the Chinese regime into Western analogies will spend the next few years frustrated. --- — Wang Qinglan (王青兰), *重要数据咋判断?这招"邪修"办法,小白也能看懂!* (How to Identify Important Data? An Unorthodox Method Even Beginners Can Understand), 青兰数据观察 WeChat Official Account, October 16, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/eAD9Zhd-cbA5umcLoU9rxA) *Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation. The author's views are her own and do not represent her employer.* --- ## What Is Data, Really? — A Plain-Language Primer on Rules and Compliance - Published: 2025-08-28 - Author: DCC Editorial - Tags: data-fundamentals, data-governance, compliance-architecture, commentary - Laws cited: dsl, data-foundation-system-opinions - Domains: data-economy, data-security - URL: https://datacompliancechina.com/posts/qinglan-what-is-data-rules-and-compliance-primer/ - Markdown: https://datacompliancechina.com/posts/qinglan-what-is-data-rules-and-compliance-primer.md - Original source: https://mp.weixin.qq.com/s/Dn4hlPZUHJOuUkLYzoaGLA - Original author: 王青兰 (Wang Qinglan) - Original publication: 青兰数据观察 ### Description What does it actually mean to call something 'data,' and what turns raw recordings into a data asset? Wang Qinglan uses a toy storage room metaphor to walk through the foundational concept overseas readers often skip: data is not just 'records' — it's records made under rules. Master data, metadata, ontology, the three-tier compliance taxonomy (legal / ethical / promised), and the three-step compliance workflow (select / allocate / execute) — all anchored in a concrete example a non-specialist can follow. ### Body > *Editor's Note — DCC.* > > A surprising number of overseas data-compliance discussions skip the > foundational question — *what is data*? — and jump straight into > classification regimes, lawful bases, and cross-border paths. Wang > Qinglan's primer fills the gap with a toy storage room metaphor that > overseas readers will find unusually accessible. The piece is sequel > to her [data governance / management / compliance disambiguation](/posts/qinglan-data-governance-management-compliance-disambiguation/), > and reads cleanly as a stand-alone primer too. DCC's framing > emphasizes where the conceptual building blocks anchor to the formal > Chinese regime. ## Data isn't "records" — it's records made under rules Wang opens with an exercise. Imagine you're cataloguing the toy cars in your home storage room and someone hands you this string: > *"3+, mom, cherry red, 3-6, square, red, 2023, ages 3 to 6, plastic, ef555, 250, Shenzhen, 239,85,82, pre-school..."* That's raw recording — observations captured in arbitrary form. If you tried to put this into Excel, you'd be unable to count anything. *"Red," "cherry red," "ef555," "239,85,82"* — all describing color, in incompatible formats. *"3+," "3-6," "pre-school"* — all describing age, in incompatible formats. So Wang's first move: a working definition. *Data is the objective recording — under rules — of phenomena relevant to the business.* The rules are what separate **data garbage** from data that can be turned into a **data resource**, and ultimately a **data asset**. The Chinese regulatory regime's three-tier vocabulary (per the NDA *Common Data Terms (First Batch)*) maps onto this: - **Raw data** (原始数据) — first-collected recordings, unprocessed. - **Data resources** (数据资源) — raw data, primarily processed, with potential for value creation. - **Data assets** (数据资产) — data resources that are lawfully held or controlled, can be measured in monetary terms, and can produce economic or social benefit. The progression *raw → resource → asset* requires rules at every step. ## What rules look like, concretely To turn the cluttered toy-car notebook into something useful, Wang prescribes four kinds of rule. Each maps onto a formal compliance vocabulary overseas readers will recognize. ### Rule 1 — "Required dropdowns": master data and metadata You don't let people type "big car" or "excavator-thing" in the type field. You constrain the field to a fixed enumeration: *engineering vehicle / car / racecar / motorcycle / other.* Same for color, age range, weight, etc. This is **master data management** + **metadata management**. The fields are typed; the values are constrained; the recording is consistent across users. Wang's example is Taobao's typed inputs (quantity, color, size are dropdowns, not free text) — the architecture is identical. ### Rule 2 — Unified standards: ontology "Battery capacity 6000mAh" / "2 hours charging gives 1 hour of play" / "excellent battery life" — three ways to describe the same thing. None of them comparable. None of them queryable. The rule fix: define an ontology of measurable attributes. Battery life is measured in `mAh`. Playtime is measured in `hours`. Now the data is comparable and the records support analysis. ### Rule 3 — Automated capture: digital business process Install a simple sensor in the storage cabinet. Take a toy out — clock starts. Put it back — clock stops. The "playtime" attribute is captured *automatically*, with no manual error. In enterprise data-compliance vocabulary: **digitalize the business process**. Don't capture data from human attestation; capture it from instrumented systems. This is what the NDR's *risk assessment* and *security incident response* obligations assume — that the underlying business processes are digitalized and observable. ### Rule 4 — Hard requirements: the law "This data must be stored within China." This is not a design choice — it's a hard requirement that overrides everything else. It must be in the rulebook. For the storage room, this might be: "Receipts and bills tied to toys must be retained as records for tax purposes." For an enterprise: "Important data must be stored in the PRC." "Sensitive personal information requires separate consent." "Cross-border transfer of PI above the threshold requires CAC security assessment." These are the **legal floor** rules — they bound everything the rulebook can authorize. When all four rule types are combined, the storage room has a **Family Toy Car Data Pact** — a written record-keeping standard that turns raw observations into a usable data resource. Wang's metaphor: an enterprise's data governance framework is the same pact, scaled up. ## What compliance actually means With the Pact in place, the question shifts: *am I following it?* This is compliance. Wang's three-tier taxonomy (introduced in her [previous primer](/posts/qinglan-data-governance-management-compliance-disambiguation/)) reappears: - **Legal rules** (法规) — what the law mandates. "Important data must stay in country." - **Ethical rules** (德规) — what the enterprise voluntarily commits to. "Don't sloppily fill in records to make our reports look good." - **Promised rules** (诺规) — what the enterprise publicly promised. "Toy usage times accurate to the minute." All three end up in the Pact. All three must be followed. The compliance workflow Wang describes — *"three steps, in plain language"* — is the operational discipline: ### Step 1 — Select the rules Decide which rules apply. Two inputs: - *What is the storage room's situation?* — i.e., the enterprise's internal and external compliance environment. - *Who interacts with the storage room and what do they want?* — i.e., stakeholder requirements. But you cannot select *every* rule that might apply. Wang cites Professor **Chen Ruihua** (陈瑞华)'s **risk-oriented compliance model** — focus first on the highest-risk *mandatory* rules. PIPL Article 29's separate-consent requirement for sensitive PI is the storage-room equivalent of "don't leave sharp toys in reach of toddlers." Miss it once and the consequence is a regulatory or reputational injury. Beyond the legal floor, there are *optional* rules — annual data security assessments, industry ethical standards, public commitments to customers. These aren't mandatory, but they earn trust from regulators, partners, and customers. Critically, rule-selection is **not a once-and-done exercise**. New business lines, new jurisdictions, new regulations all trigger re-selection. The discipline is "accurate *and* dynamic." ### Step 2 — Allocate the responsibility The selected rules become a **compliance obligation register**. Each obligation gets: - An *owner* — whose job is it? - A *process* — what concrete workflow embodies the obligation? ("PI processing requires 3-tier approval.") - A *control* — how does the owner verify the process worked? Wang's storage-room version: "Daddy collects engineering vehicles; Mommy collects regular cars; child collects blocks." The rule has names attached. This is also the moment where external rules become **internalized institutional culture**. Without internalization, the rule lives only in the obligation register — a paper compliance program. With internalization, it becomes how the organization actually behaves. ### Step 3 — Execute This is the simplest step in concept and the hardest in practice. *Do the things on the obligation register.* If you don't do them, you have a compliance failure — possibly a compliance risk event. Wang's risk taxonomy: - **Inherent risk** — the risk before any controls. Storage room with no lock and no rules: theft is just a matter of time. - **Residual risk** — the risk after controls are in place. Lock installed, rules written, but someone occasionally forgets the lock. Risk reduced but not zero. Wang's blunt observation: *"It's impossible to be 100% compliant — humans are uncertain, business is dynamic, there's always something to adjust."* What matters is the framework — risk-allocated obligations, written process, executable controls. ## Two organizational shapes for the compliance system Wang's practical advice on building the compliance system: - **By position (job role).** "Customer-facing staff protect user info; operations record data sources." Each role has a defined set of obligations. - **By business process.** "From data collection → storage → use, each step has its own controls." Each step has a defined set of obligations. Both work. Pick whichever organizational shape fits the enterprise. Either way, the *clear logic* matters more than the *absolute zero-error target*. ## Why this matters for overseas compliance teams Three operational takeaways from Wang's primer: - **Don't skip the "what is data" question.** Many overseas counsel jump from PIPL provisions straight to lawful-basis analysis, missing that the enterprise has not yet *operationalized* what counts as data, what attributes it carries, and where the records are. The PIPL framework only works once the underlying data is well-formed. *Build the master data + metadata layer first.* - **The three-tier compliance taxonomy is not just academic.** A compliance team that conflates *legal floor* with *ethical commitment* either over-burdens itself (treating optional commitments with mandatory rigor) or under-protects (treating mandatory rules with optional flexibility). Wang's three-tier model is the practical sorting mechanism. - **Inherent vs residual risk are the diagnostic axes.** When something goes wrong, the first question is which one: was the inherent risk un-controlled (no rule for this scenario), or was a control bypassed (rule existed but not followed)? Different diagnoses, different fixes. The deeper point in Wang's piece is that **data compliance starts before the law**. The law constrains what an enterprise can do with data; but the enterprise's *data-handling discipline* — what counts as data, what rules govern it, who owns each rule — determines whether compliance is achievable at all. Without the discipline, no amount of legal review will produce a compliant operation. --- — Wang Qinglan (王青兰), *数据的奇妙真相:从生活实例看它的真面目* (The Magical Truth About Data — Seeing Its Real Face Through Everyday Examples), 青兰数据观察 WeChat Official Account, August 28, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/Dn4hlPZUHJOuUkLYzoaGLA) *Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation. The author's views are her own and do not represent her employer.* --- ## Data Governance vs. Data Management vs. Data Compliance — A Plain-Language Disambiguation - Published: 2025-08-25 - Author: DCC Editorial - Tags: data-governance, terminology, dama, compliance-architecture, commentary - Laws cited: dsl, data-foundation-system-opinions - Domains: data-security, data-economy - URL: https://datacompliancechina.com/posts/qinglan-data-governance-management-compliance-disambiguation/ - Markdown: https://datacompliancechina.com/posts/qinglan-data-governance-management-compliance-disambiguation.md - Original source: https://mp.weixin.qq.com/s/ylOsa9BV7m9nw3WMR037Wg - Original author: 王青兰 (Wang Qinglan) - Original publication: 青兰数据观察 ### Description Wang Qinglan disambiguates three terms that compliance and data teams habitually conflate: data governance, data management, and data compliance. Using a 'data manor' metaphor (the family council vs. the steward team vs. the community monitor), she maps each function to its job — setting direction, executing efficiently, and operating sustainably within external rules and self-imposed commitments. The piece is useful precisely where bilingual confusion is highest: 'data governance' in English carries different connotations than 数据治理 in Chinese practice. ### Body > *Editor's Note — DCC.* > > Three terms that English-Chinese bilingual practitioners constantly mix > up: **data governance** (数据治理), **data management** (数据管理), and > **data compliance** (数据合规). The confusion isn't merely linguistic — > in Chinese practice the boundaries are drawn slightly differently than > in DAMA-style English frameworks. Wang Qinglan's plain-language primer > uses a "data manor" metaphor that holds up well across the bilingual > gap. DCC's framing here highlights where the Chinese and Western > conceptual boundaries diverge. The 数据资产 ("data asset") vocabulary in Chinese practice often runs ahead of the operational clarity around how data work is actually organized inside an enterprise. Wang's piece names the three roles and the relationships between them — not as a theoretical exercise but as the architectural foundation an enterprise needs before it can claim to "do" any of them. ## The data manor — three roles Imagine the enterprise's data assets as a manor estate. Three roles run it: - **Data governance** — the family council. Sets rules, doesn't execute. - **Data management** — the steward team. Executes the rules, runs the estate day-to-day. - **Data compliance** — the community monitor. Holds the estate accountable to external rules and to the commitments the estate has made publicly. Each role answers a different question. Mixing them creates organizational confusion. ## Role 1 — Data governance (数据治理): "doing the right things" The family council. Sets the rules; doesn't carry out the work. Its job is the **direction-setting layer** of data work. The council answers questions like: - *Who owns which data?* — assigning data ownership. - *Who can see / change which data?* — permission allocation. - *What quality and security standards must the data meet?* — policy definition. - *When two departments dispute which data flow takes priority — who decides?* — escalation mechanism. Crucially, the council doesn't decide *how* data is moved or stored. It decides *what the rules are*. The rules are typically organized in two layers: **business rules** (which data the manor needs to prioritize, e.g., which customer segments deserve first-pass attention) and **management rules** (who is responsible for which data activity, e.g., which team owns customer-data integrity). Wang's framing: governance is "the management of management." The output is the **rulebook** — the policies that every steward team must follow when actually executing data work. Without a coherent rulebook, the steward team improvises and the compliance monitor has nothing to verify against. ## Role 2 — Data management (数据管理): "doing things right" The steward team. Takes the council's rules and executes them. The **operational layer**. The steward team's day-to-day work covers the full data lifecycle: - **Discovery and inventory** — what data does the manor hold, where is it stored, what's in the vault? - **Storage and architecture** — how is the data organized so it can be found again? - **Access control** — who is permitted to use which data? - **Quality and cleaning** — keeping the data accurate, deduplicated, current. - **Security** — protecting the data from unauthorized access, leakage, modification. The team is organized by specialism. Wang sketches the typical roster: - **Chief Data Officer (CDO)** — the head steward, bridging governance and management. - **Data Architect** — the building planner, designing the storage and flow topology. - **Data Security Specialist** — the guard, securing the perimeter. - **Data Quality Engineer** — the gardener, keeping the data tidy. - **Metadata Manager** — the archivist, cataloguing what exists. - **Master Data Manager** — the warehouse-keeper, ensuring authoritative reference data. Their collective job: keep the manor running, and ensure that as data passes through the lifecycle — from collection, through processing, to eventual archival or destruction — quality and security are maintained. The core posture: *execution-focused*, not direction-setting. "Doing the right thing well" — where the *right thing* has been defined by governance. ## Role 3 — Data compliance (数据合规): "operating sustainably" The community monitor. Holds the manor accountable to two sources of rules: **external requirements** (laws, regulations, standards) and **self-imposed commitments** (the manor's public promises). Wang divides compliance rules into three tiers, with sharply different operational implications: ### Tier 1 — Community rules (mandatory legal obligations) The community's binding rules. Things like "trash must be sorted before disposal" (data classification regulation), "no demolishing load-bearing walls during renovation" (mandatory data-security standards), "no leaking visitor information" (personal information protection). The manor's family council cannot override these — they constrain governance itself. Violation consequences range from fines and neighbor disputes (administrative penalties) to litigation and imprisonment (criminal penalties under, e.g., Criminal Law Article 253-1 for PI infringement). ### Tier 2 — Bonus rules (voluntary ethical obligations) Self-imposed standards above the legal floor. The community requires "no probing visitor information without need" (minimum-necessary PI collection); the manor goes further: "quarterly audit of supply chain to ensure proper visitor information handling." These aren't legally mandatory, but they earn reputation. They reflect the manor's strategic positioning — the choice to operate at a higher ethical bar than competitors. Wang's framing: these are *reputation investments*, not compliance requirements. ### Tier 3 — Commitment rules (promised obligations) The manor's publicly made promises. "Lost item recovery guaranteed within 24 hours." These aren't legal requirements but breaking them damages the brand and exposes the manor to civil liability (contract claims, consumer-protection claims, false-advertising claims) even though no statute is violated. ### How the tiers stack The council sets internal rules with all three tiers in mind: the community floor (Tier 1) is the immovable foundation; Tiers 2 and 3 are positioning choices. The steward team must operate within all three. Compliance — the monitor — verifies the manor's behavior against all three. Wang's metaphor: compliance is a *dynamic guardrail* — keeping the manor from straying across any of the three lines while leaving room for the manor to chase its own ambition. ## Putting the three together A clean summary, in Wang's framing: | Role | Function | Question answered | |---|---|---| | **Governance** | Set direction, define rules | *Are we doing the right things?* | | **Management** | Execute the rules efficiently | *Are we doing things right?* | | **Compliance** | Operate within external + self-imposed rules | *Are we operating sustainably?* | The three are not parallel — they form a stack. Governance defines the rulebook. Management executes the rulebook. Compliance verifies the execution against external standards and self-imposed commitments. Confuse the roles and you get the common pathology: the compliance team writing rules (governance), the data team improvising without guidance (no governance), or the governance team auditing operational details (overstepping into management). ## Where Chinese and Western framings diverge Wang doesn't push the bilingual comparison, but it's the most useful payoff for overseas readers. In **DAMA's English-language framework** (DMBOK 2), *data governance* is one of eleven knowledge areas of *data management*. Governance is a *subset of* management. Operationally, governance is the **central coordination layer** *within* data management — the function that sets policies for the other ten knowledge areas (architecture, modeling, storage, security, integration, etc.) to follow. In **Chinese enterprise practice**, governance and management are often treated as *parallel functions*, with compliance as a *third parallel*. The relationship gets ambiguous: is governance subset of management (DAMA), or peer to management (Chinese usage)? Both framings are defensible — they answer different questions. Wang's metaphor sidesteps this by giving each function a distinct role identity. The practical implication for multinationals: when a global compliance memo refers to "data governance," a Chinese counterpart may understand it as a peer-function rule-setting body. When a Chinese operations document refers to 数据治理, a Western team may read it as a subordinate function within a broader management framework. Both teams nodding at "data governance" may mean different things. The cleanest disambiguation, in DCC's reading: **anchor to the question being answered**. - *Direction-setting question* → governance. - *Execution-efficiency question* → management. - *External-rules + self-commitments question* → compliance. Where the question is unclear, name the function instead. ## Why this matters for compliance architecture Three takeaways: - **The three functions need three different organizational positions.** Governance reports up to executive leadership (the family council). Management reports through operations / IT / data-platform leadership. Compliance reports through legal / risk / audit. Collapsing them into one team produces structural conflict — the governance function shouldn't be auditing itself. - **Compliance is not "follow the rules" — it's "follow which rules."** Wang's three-tier model (mandatory legal / voluntary ethical / public commitment) is the operational asset compliance practitioners should internalize. Treating Tier 2 and Tier 3 with Tier 1 rigor over-burdens; treating Tier 1 with Tier 2 flexibility creates legal exposure. - **Chinese-language internal documents and English-language global policies are easier to align when each piece names its function explicitly.** Don't translate "governance" generically — translate it as the specific function being referenced. The Wang piece is short — three pages in the original — but it makes a distinction that matters more than its length suggests. For compliance teams building bilingual frameworks, it's a useful conceptual anchor. --- — Wang Qinglan (王青兰), *3分钟读懂数据治理、数据管理与数据合规* (Three Minutes to Understand Data Governance, Data Management, and Data Compliance), 青兰数据观察 WeChat Official Account, August 25, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/ylOsa9BV7m9nw3WMR037Wg) *Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation. The author's views are her own and do not represent her employer.* --- ## FTZ Data Export Negative Lists — How 17 Sectors Across Seven Provinces Now Identify Important Data - Published: 2025-08-12 - Author: DCC Editorial - Tags: cross-border, important-data, ftz-negative-list, data-classification, commentary - Laws cited: cross-border-data-flows-provisions, data-export-security-assessment-measures, dsl, network-data-security-regulations - Domains: cross-border, data-security - URL: https://datacompliancechina.com/posts/compliance-talker-ftz-negative-lists-important-data/ - Markdown: https://datacompliancechina.com/posts/compliance-talker-ftz-negative-lists-important-data.md - Original source: https://mp.weixin.qq.com/s/yZm01jMnCzMSsHBbUhYPGw - Original author: 全球法律政策研究 (Global Legal Policy Research Team) - Original publication: 合规小叨客 ### Description Article 6 of the 2024 CBDF Provisions authorized Free Trade Zones to publish data-export negative lists. Since then, Tianjin, Beijing, Hainan, Shanghai, Zhejiang and others have published negative lists covering 17 sectors — automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industry, seed industry, and more. Compliance Talker's analysis walks through the structural convergence of the negative lists, the important-data identification refinements each FTZ has produced, and the operational impact on enterprises both inside and outside the FTZs. ### Body > *Editor's Note — DCC.* > > Article 6 of the **2024 Provisions on Promoting and Regulating > Cross-Border Data Flow** authorized Free Trade Zones to publish their > own data-export negative lists — data on the list requires the standard > CAC pathways (security assessment / SCC / certification); data off the > list flows freely. In the 18 months since, seven FTZs have published > negative lists covering 17 sectors and dozens of business scenarios. > The Compliance Talker team produced one of the cleanest practitioner > overviews. DCC's framing emphasizes what overseas multinationals > should be doing operationally to take advantage of the regime. ## The negative-list mechanism, in one paragraph Article 6 of the 2024 CBDF Provisions delegates to Free Trade Zones the authority to publish jurisdictionally specific data-export negative lists. Within the FTZ, data falling on the negative list requires the standard CAC cross-border pathway (security assessment for important data and large-volume PI; SCC for medium volumes; certification for voluntary alternative paths). Data falling **off** the negative list is exempt from these pathways and can flow cross-border without the standard formalities. The mechanism is the most operationally impactful piece of the 2024 CBDF Provisions for cross-border-data compliance. It is also explicitly *experimental* — the FTZs are policy laboratories for an eventual nationally generalized framework. ## What's been published As of August 2025 (the Compliance Talker article's publication date), seven FTZs across China have published data-export negative lists: - **Tianjin** (first published 2024) - **Beijing** (2024 FTZ-only version, then 2025 city-wide expansion to "1+9" architecture covering 9 sectors / 67 scenarios / 612 fields — see DCC's tracking) - **Hainan** - **Shanghai** (with the Lingang New Area piloting a *positive list* mechanism alongside) - **Zhejiang** - **Fujian** (Pingtan area, with positive + negative lists) - **Additional FTZs** in various stages of publication Coverage spans **17 sectors / sub-sectors**: automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industry, seed industry, medical devices, autonomous driving / intelligent connected vehicles, trade logistics, banking, AI, biopharma, and others. The Compliance Talker team's note on dominance: while the Lingang positive-list approach is theoretically interesting, *"in independent published documents, the negative-list format is overwhelmingly dominant."* The negative-list model has become the de facto standard. ## Three structural patterns across the published lists ### Pattern 1 — Structural convergence in format Outside the Tianjin 2024 list (which was a first-mover and used a different format), every subsequent FTZ negative list adopted a common structure: > **Industry (with applicable enterprise types) → Cross-border path required (security assessment / SCC / certification) → Data category (important data / personal information) → Data sub-class → Basic features and description** This convergence is regulator-led, per the CAC's *April 9, 2025 Q&A on Data Export Security Management Policy*, which emphasized coordination and the avoidance of conflicting requirements across FTZs for the same data activity. ### Pattern 2 — Sector selection reflects local economic priorities Each FTZ selects sectors aligned with its strategic positioning: - **Shanghai FTZ** — focuses on reinsurance, international shipping, and retail (including hospitality / dining / lodging) — sectors aligned with Shanghai's international finance and shipping hub positioning. - **Beijing FTZ** — automotive, pharmaceuticals, civil aviation, retail, AI initially; expanded to 9 sectors in 2025 covering medical devices, autonomous driving, trade logistics, banking — tracking the National Demonstration Zone for Service-Sector Opening. - **Hainan FTZ** — focuses on duty-free retail and clearance shopping personal-information export — aligned with Hainan's free-trade-port positioning. - **Tianjin FTZ** — first-mover, with auto-industry focus. Same industries appear across multiple FTZs, but with **different scope and scenario emphasis**. For example: both Shanghai and Hainan include retail-related personal data export — but Hainan focuses on *duty-free / clearance shopping scenarios* while Shanghai restricts to *membership management scenarios*. ### Pattern 3 — Dynamic update mechanisms Each FTZ negative list explicitly provides for **dynamic management**. The Beijing 2024 list (Article 9) is representative: > *"The negative list shall be subject to dynamic management. For industries / sectors where no negative list has been issued, the corresponding negative list shall be timely studied and formulated."* The mechanism allows the regulator to (a) add new sectors to the list as data-economy needs evolve, and (b) loosen restrictions on low-risk scenarios within existing sectors based on implementation experience. ## How the negative lists refine important-data identification The Compliance Talker team's most useful contribution: showing how each negative list operates as a **public important-data catalogue** for its sector. Under the 2024 CBDF Provisions Article 2, *publicly published* identification of data as important data is sufficient to trigger the important-data export regime. As of May 30, 2025, the FTZs have published important-data catalogues for **15 sectors / sub-sectors**. Some examples: ### Automotive (Beijing FTZ 2024 — refined from the 2021 Automotive Data Provisions) The Beijing FTZ list refined the 2021 *Provisions on Automotive Data Security Management*'s broad catalogue of "automotive charging network operational data" into operational granularity: > *"Charging post / station location information; usage status; billing and payment information; switching-station vehicle statistics; site statistics; distribution information; and other data."* The result: enterprises can now map their automotive data inventory against specific field-level catalogues, not against high-level category descriptions. ### AI sector (newly published) For the first time, the FTZ negative lists publish a sector-specific important-data catalogue for AI. The Beijing list specifies: - High-value sensitive data collected and generated during R&D / design related to industry competitiveness. - Audio, image, and text data the alteration, destruction, leakage, or illegal acquisition / use of which may endanger national security, economic operation, social stability, public health, or safety. - Data included in export control or technology-export management lists. ### Medical / pharmaceutical (Beijing 2024) The 2024 Beijing list specified important medical data with **quantitative thresholds**: > *"...10,000-individual-or-more medical records, imaging, pathology, blood-test, and genetic-test diagnostic data involving public health and safety."* The "certain scale" framing of the underlying *Network Data Security Regulation* gets quantified — 10,000 individuals. The Compliance Talker team's framing: *"This framework structure aligns well with enterprise data classification and grading workflows. It converts abstract important-data compliance requirements into operationalizable, executable concrete rules."* ## The cross-border export process — what FTZs change For Beijing, Zhejiang, and Shanghai (the three FTZs the Compliance Talker team analyzes for filing procedure): ### Beijing and Zhejiang FTZ — sequential filing model 1. Data handler submits **application** to the FTZ administrative committee (registration location, sector, operating status, recent administrative penalties / regulatory investigations / remediation status). 2. Upon approval, data handler submits **negative-list filing** (data export business scenario, list of data being exported, export volume, overseas recipient, applicable negative-list sub-class, reason for applicability). 3. Based on the FTZ committee's *evaluation opinion*, the data handler conducts data export. 4. If the data is on the negative list (i.e., is identified as important data), the data handler files data-export security assessment with the national CAC. ### Shanghai FTZ — post-export reporting model Shanghai's negative list **permits FTZ enterprises to conduct data export first** and submit negative-list materials within 15 working days to the local cross-border data service center. The Shanghai approach is slightly more permissive on timing — but the substantive reporting and oversight requirements are similar. The Compliance Talker team's framing: the FTZ filing is a *substitute for the sector-regulator identification step* in the standard important-data export workflow. The FTZ committee replaces the sector regulator as the identification authority; the standard CAC security assessment process continues afterward. **The substantive simplification is limited.** The FTZ negative list provides clarity on important-data identification — but does not bypass the security assessment itself. For enterprises whose data is on the negative list as important data, the FTZ benefit is *clarity in classification*, not *exemption from review*. ## Impact and operational guidance ### For enterprises inside an FTZ with published negative lists - **High direct impact.** The negative list applies specifically to enterprises *registered* in the FTZ. Enterprise data falling on the list gets clarified important-data status; enterprise data falling off gets a much simpler cross-border export path. - **For sectors covered**: - *Important-data identification benefit*: the published catalogue provides an authoritative external reference. Use it to organize the enterprise's important-data inventory. - *Cross-border path benefit*: where the enterprise's data falls off the negative list, cross-border export proceeds without standard CAC procedures. - **For sectors not yet covered**: - *Identification still uncertain.* Enterprises remain in the position of self-assessing whether their data is "important data," without authoritative reference. - *Cross-border path uncertain.* Enterprises still need sector-regulator identification (where available) or self-assessment to determine whether the standard security assessment applies. ### For enterprises outside an FTZ - **Indirect impact, but useful as reference.** The negative lists are published documents. Enterprises in the same sector outside the FTZ can use them as identification reference — the lists effectively become the most operational important-data catalogue currently available in that sector. - **Watch for cross-province negative-list adoption.** Some FTZs (Beijing 2025) have begun adopting other provinces' negative lists for enterprises operating across provinces. This pattern, if it spreads, will let enterprises in non-FTZ jurisdictions effectively benefit from FTZ negative-list infrastructure. ## Why this matters for overseas teams Three operational takeaways: - **FTZ registration is now a serious cross-border-data strategic lever.** Foreign-invested entities with significant cross-border data flows should evaluate whether registering operations in a covered FTZ (especially Beijing post-2025 expansion or Shanghai) materially reduces compliance friction. For data-heavy sectors (auto, pharma, biotech, AI, banking), the negative-list path is operationally cheaper than the standard CAC security assessment. - **The FTZ catalogues are the best important-data identification reference available.** Even for enterprises operating outside any FTZ, the published negative lists are the most authoritative *sector-specific* important-data catalogues currently in existence. Use them as identification reference; document the analysis. - **Watch the dynamic update mechanism.** Each FTZ's negative list will continue to be updated. Compliance teams should set up monitoring of the relevant FTZ administrative committees' announcement channels and review the negative list annually at minimum. The deeper point in the Compliance Talker piece is that **China's cross-border data regime is genuinely tiering through the FTZ mechanism**. The 2024 CBDF Provisions framework is becoming a *two-track system*: standard CAC pathways for cross-border export plus FTZ negative-list pathways for FTZ-registered entities in covered sectors. Multinationals that ignore the FTZ track will operate against unnecessary friction; those that build their China presence around an FTZ footprint will operate at materially lower compliance cost. --- — Compliance Talker (合规小叨客) Global Legal Policy Research Team, *原创 || 我国自贸区相继发布数据出境负面清单,企业重要数据管理影响几何?* (China's FTZs Successively Publish Data Export Negative Lists — How Will Enterprise Important Data Management Be Affected?), 合规小叨客 WeChat Official Account, August 12, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/yZm01jMnCzMSsHBbUhYPGw) *Not legal advice. The above is DCC's structured summary of the source article's analysis; not a verbatim translation. The source carries an original-content non-republish clause and is summarized here under fair-use principles with full attribution.* --- ## What Does Data Registration Actually Confirm? — A Doctrinal Reading - Published: 2024-09-19 - Author: DCC Editorial - Tags: data-property-rights, data-registration, civil-law-doctrine, commentary - Laws cited: data-foundation-system-opinions, data-property-rights-registration-guide-draft, public-data-registration-interim-measures - Domains: data-economy, enforcement - URL: https://datacompliancechina.com/posts/qinglan-what-data-registration-actually-confirms/ - Markdown: https://datacompliancechina.com/posts/qinglan-what-data-registration-actually-confirms.md - Original source: https://mp.weixin.qq.com/s/BApKX7i4F6BoWooj3-DxjQ - Original author: 王青兰 (Wang Qinglan) - Original publication: 青兰数据观察 ### Description Long before the SPC's January 2026 'data disputes' case category started squeezing data registration certificates against judicial review, Wang Qinglan had already written the foundational critique: data registration does not 'confirm rights' because there are no legal data rights to confirm. The Data 20 Articles created data property rights, not data legal rights, and Chinese property rights are not Article-conferred civil rights. Registration certificates are 'trust credentials,' not 'rights certificates.' This is the doctrinal essay overseas counsel should read before the SPC sequel. ### Body > *Editor's Note — DCC.* > > This is the foundational piece Wang Qinglan wrote in September 2024 > arguing that **data registration cannot confirm rights, because the law > has not yet conferred data rights**. It is the conceptual predecessor > to her [December 2025 piece on the SPC's new 'data disputes' case > category](/posts/spc-data-disputes-case-category-and-data-registration/) — > the SPC's procedural move forced the doctrinal question into the open, > but Wang had identified the gap a year earlier. For overseas counsel > approaching the Chinese data property rights regime, this is the > doctrinal essay; the SPC piece is the operational sequel. DCC's > framing emphasizes the civil-law doctrine that overseas teams trained > in common-law systems will find counterintuitive. ## "Confirming rights" — what does the verb actually do? In Chinese legal usage, 确权 (literally, "confirming rights") means *confirming the attribution and nature of a right*. The verb assumes a right exists; confirmation is a downstream act on that pre-existing right. This is the conceptual frame that breaks when applied to data. Wang's central observation: ***there is no legal right in data to confirm***. The Chinese legal community has not converged on what kind of right "data" is — property right? intellectual property? a new species of property altogether? The NPC has not legislated a defined right. Without legislation, no legal data right exists. The state's response, per Wang: *"Carry on arguing — we won't wait for you. But the data-element market can't wait either. So we'll set aside the rights debate and use the **property rights** (产权) framework to protect data property interests and promote data circulation."* The Data 20 Articles, December 2022, established the structural-subdivision data property rights regime: - **Data resource holding right** (数据资源持有权) - **Data processing-and-use right** (数据加工使用权) - **Data product operation right** (数据产品经营权) The three rights are the C-stage stars of the Chinese data economy. Each is *registrable*. Each gets a certificate. But each is **a property right (产权), not a legal right (权利)**. ## The civil-law doctrine that makes the distinction matter In Chinese civil-law doctrine, **only the NPC and its Standing Committee can confer civil rights** (赋权). The Data 20 Articles is a Central Committee + State Council policy directive — outside the NPC's legislative authority. It can establish a *property rights* regime (产权制度) — but property rights are an *economic* concept, not a *civil-law* concept. The same conceptual move appears in the **Third Plenum of the 20th CCP Central Committee Decision** (July 2024), which speaks of "accelerating the establishment of data property attribution determination" — not "rights determination." > *"Accelerate the establishment of data **property attribution determination** (数据产权归属认定), market transaction, **benefit allocation** (权益分配), and interest protection systems..."* > > — Third Plenum Decision, 2024 Wang's emphasis: the policy text uses *attribution determination* (认定), not *rights determination* (确认). The vocabulary is precise. The Chinese drafting team knew this would be parsed against civil-law doctrine. ## The two ways civil rights actually get confirmed In Chinese civil-law practice, rights confirmation runs on two tracks: ### Track 1 — "Friendly" confirmation Rights confirmation that doesn't require dispute. Two sub-types: - **Possession-based confirmation** (占有确权) — for general movables. Whoever possesses the asset is presumed to hold the right. Every transfer of possession is also a transfer of rights. Wang's example: you buy a used computer on Xianyu (Chinese eBay-equivalent). Whoever physically possesses the laptop at the moment is presumed owner — until possession transfers at the meeting point. The doctrine matches a real intuition: bought from someone, possession transfers, ownership transfers, *the rights confirmation is automatic*. - **Registration-based confirmation** (登记确权) — for high-value assets where possession alone doesn't provide enough public notice. The classic case is real estate: buying a house requires the formal *registration* step at the registry office, and ownership transfers only when registration completes. The mortgage on a house must also be registered to be effective. ### Track 2 — "Adversarial" confirmation When parties dispute attribution, the court confirms the right through litigation. The right is named and assigned to the prevailing party. This is the *adversarial* mode and works for all rights types — property rights, contract rights, IP rights — once the rights themselves are statutorily defined. The full doctrinal cycle: **legislature confers** → **registry / court confirms** → **disputes resolve**. The verb chain has no broken link. ## Where data registration breaks the chain The data property rights regime breaks the chain at the first link. The NPC has not conferred a data right. So: - **Possession-based confirmation** of a data right doesn't work — there's no right to confirm. - **Registration-based confirmation** of a data right doesn't work either — registration "confirms" what the legislature created, and the legislature hasn't created anything yet. - **Adversarial confirmation** in court doesn't work — the court can only adjudicate rights the legislature defined. As of Wang's writing in September 2024, **no Chinese court had cited the Data 20 Articles' three property rights to confirm data rights in adjudication**. Judges, operating under civil-law doctrine, cannot create rights through interpretation. In Wang's words: *"In China — a civil-law country — judges can't make law. They can only adjudicate under the law."* ## What data registration is actually doing Wang's reframing: data registration is **publicity** (公示), not **confirmation** (确权). The chain runs: *trade* → *needs publicity* → *publicity creates public credit* → *public credit creates market trust* → *market trust enables trade*. Registration is one form of publicity. The function is *signaling to potential downstream counterparties that this asset's chain of title is documented*. The publicity supports market confidence — not legal rights creation. Wang's metaphor: registration is a **trust credential** (可信凭证), not a **rights certificate** (确权证书). The operational difference: - A **rights certificate** would have *constitutive effect* — without registration, no right exists. (Real estate ownership has this character in China.) - A **trust credential** has *evidentiary effect* — it's preliminary evidence that the registrant has documented its data chain-of-title and submitted to compliance review by the registration institution. It can be overcome by contrary evidence. ## The 2024 Beijing IP Court case that made the doctrine concrete In a case Wang flags — **Datatang v. Yinmu** (数据堂 v. 隐木, the "first case on the effectiveness of data IP registration certificates") — the Beijing IP Court explicitly declined to recognize a *Data IP Registration Certificate* as an absolute property-right confirmation. The court confirmed only the certificate's effect as a *trust credential*. The court's reasoning (Wang paraphrases): "**Before a property-natured legal interest has been confirmed as an absolute property right by law, the holder of the property-natured interest cannot seek judicial protection by analogizing to other absolute property right types.**" The phrase "by analogy" is the key. The court would not extend property-rights doctrine to a not-yet-confirmed-by-law category. The trust credential effect held — but only as *preliminary evidence* (初步证据), defeasible by contrary evidence. This is meaningfully weaker than what most market participants understood the certificate to provide. ## The three judicial protection paths that work today Without a statutory data right, Chinese courts protect data interests through three existing-law analogies: - **Compilation work copyright** (汇编作品保护) — if the data set demonstrates creativity in selection or arrangement, treat it as a compilation work under copyright law. - **Trade secret protection** (商业秘密保护) — if the data set satisfies the trade-secret elements (secret, kept secret, has commercial value), protect under the *Anti-Unfair Competition Law*. - **Competitive interest protection** (竞争性权益保护) — under the AUCL general clause, protect data as a *competitive interest* the data handler has invested in. The three paths are workable but uneven. Compilation copyright requires creativity in selection. Trade secret protection requires secrecy. Competitive interest protection is the catch-all, but it's a *general-clause* claim with substantial evidentiary burdens (and now operates under the 2025 AUCL Article 13(3) data clause). Wang's prediction at the time: *"data property rights" will not become full legal rights soon — but the trust-credential function of registration can still meaningfully support these three paths*. ## What this means for the registration regime going forward Wang's prescription, in September 2024: - **Registration institutions should stop overclaiming "confirmation."** Calling registration *confirmation* (确权) misleads the market about what a certificate does. - **Strengthen compliance review.** A registration institution's *substantive review* of data legality and authenticity is what gives the certificate evidentiary weight in court. Without rigorous review, the certificate has no evidentiary value. - **Use the *attribution determination* vocabulary.** The Third Plenum's *attribution determination* (认定) language is doctrinally precise — registration institutions can *determine the attribution* of data property without claiming to *confirm* legal rights. - **Build a regulatory framework.** Trust-credential value depends on the credibility of the issuing institution. The state should regulate registration institutions to protect the market's confidence in registration certificates as a category. The SPC's January 2026 "data disputes" case category change — which Wang [followed up on](/posts/spc-data-disputes-case-category-and-data-registration/) — vindicated the underlying doctrinal critique. Once the SPC named the case category, courts gained a procedural channel to scrutinize data registration certificates directly. Wang's September 2024 piece had warned exactly this gap was coming. ## Why this matters for overseas teams Three implications for foreign counsel advising on Chinese data deals: - **Don't translate 确权登记 as "rights confirmation registration."** A more accurate rendering — *"property attribution determination registration"* — preserves the doctrinal distinction. Translating it as "rights" creates false expectations on both sides of the transaction. - **A registration certificate is one input to evidentiary strategy, not a title document.** When advising on a Chinese data acquisition, the registration certificate is useful — it shows the seller invested in chain-of-title documentation. But it does not vest legal title in the buyer in any way comparable to a deed or a patent assignment. The buyer's protection in a downstream dispute will run through compilation work, trade secret, or competitive-interest doctrine. - **Choose the registration institution carefully.** Per the [NDA's draft Data Property Rights Registration Work Guide](/laws/data-property-rights-registration-guide-draft/), only registration institutions practicing *substantive review* (not formal review) will produce certificates with meaningful evidentiary weight. The Shenzhen Data Exchange's "dual-verification" model is the operational benchmark. The deeper observation in Wang's piece is that **the Chinese data property rights regime is doctrinally incomplete by design** — the state chose to operationalize a property rights system without waiting for the NPC to confer formal legal rights. Overseas counsel who expect the regime to behave like a Western IP system will be repeatedly surprised. The regime behaves like a *publicity and credit-building system*. Once that's internalized, the operational logic falls into place. --- — Wang Qinglan (王青兰), *数据确权登记,谁给的勇气?* (Data Rights Confirmation Registration — Who Gave You the Courage?), 青兰数据观察 WeChat Official Account, September 19, 2024. [Original article (Chinese).](https://mp.weixin.qq.com/s/BApKX7i4F6BoWooj3-DxjQ) *Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation. The author's views are her own and do not represent her employer.* --- ## On-Exchange vs. Off-Exchange Data Trading — A Uniquely Chinese Market Structure - Published: 2024-07-01 - Author: DCC Editorial - Tags: data-exchanges, data-economy, szdex, market-structure, commentary - Laws cited: data-foundation-system-opinions - Domains: data-economy - URL: https://datacompliancechina.com/posts/qinglan-on-exchange-vs-off-exchange-data-trading/ - Markdown: https://datacompliancechina.com/posts/qinglan-on-exchange-vs-off-exchange-data-trading.md - Original source: https://mp.weixin.qq.com/s/2qNmM5uxUZkfqE3YCYZx8g - Original author: 王青兰 (Wang Qinglan) - Original publication: 青兰数据观察 ### Description Why does China have data exchanges? Wang Qinglan's piece opens with an observation overseas readers will recognize: 'When you tell foreigners about China's on-exchange data trading market, you get blank stares — because exchange-organized data trading is uniquely Chinese.' The analogy she offers — Shenzhen Data Exchange is to data what the Shenzhen Stock Exchange is to securities — unlocks the architecture. Five tiers of trading venues by public-risk level. Three waves of Chinese data-exchange evolution. And the operational meaning of why on-exchange and off-exchange trading coexist. ### Body > *Editor's Note — DCC.* > > Wang Qinglan opens the piece by noting that foreign counsel typically > draw a blank when she describes China's on-exchange data trading > market — *"because data-exchange-organized trading is uniquely > Chinese."* DCC has the same experience. This brief unpacks why China > built data exchanges in the first place, what distinguishes > "on-exchange" from "off-exchange," and the operational meaning of > SZDEX, the Beijing Data Exchange, the Shanghai Data Exchange, and the > tier of regional exchanges that followed. ## The analogy that unlocks it China's data trading market is consciously modeled on its securities market. The architecture: - **On-exchange trading** (场内交易) — a transaction conducted through and managed by a licensed *trading venue* (交易场所). - **Off-exchange trading** (场外交易) — every other transaction. Wang's analogy: **the Shenzhen Data Exchange (SZDEX) is to data what the Shenzhen Stock Exchange (SZSE) is to securities**. The data exchange organizes, supervises, and provides infrastructure for trading — just as a stock exchange does for securities. The doctrinal anchor is the **Data 20 Articles** (December 2022): > *"Establish a compliant and efficient data-element flow and trading system combining on-exchange and off-exchange markets. Improve and standardize data-flow rules. Build a trading system combining on-exchange and off-exchange markets. Standardize and guide off-exchange trading. Cultivate and grow on-exchange trading."* The policy directive is explicit: a *combined* market, with on-exchange trading deliberately nurtured. ## The five tiers of trading venues A *trading venue* (交易场所) in Chinese law is "an institution legally authorized by the government to engage in rights-based, bulk-commodity, data, or other categorized trading — including venues whose names do not contain the word 'exchange.'" Wang's five-tier classification (by public-risk exposure) makes the landscape legible: | Tier | Risk level | Venue type | |---|---|---| | **1** | Highest | Financial-product exchanges (stocks, futures) — State Council or financial regulator approval required | | **2** | Medium | Regional financial exchanges (regional equity, financial assets, IP, commodities, environmental rights) | | **3** | **Low** | **Data exchanges, cultural-IP exchanges, energy exchanges, carbon market exchanges, agricultural-rights exchanges, state-owned-property exchanges, pharmaceutical/medical-consumables exchanges** | | **4** | Very low | Physical-goods exchanges (cars, real estate) — rarely seen today | | **5** | None | Public-resource trading platforms (e.g., government procurement) | **Data exchanges sit at Tier 3** — low public-risk venues. They're not financial exchanges, but they are still highly regulated trading venues, supervised by provincial-level governments under the *Implementation Opinions on Cleaning Up and Rectifying Various Trading Venues* (State Council Office Document No. 37 [2012]) and related instruments. ## Why "exchange" and "trading center" are tightly controlled names Wang flags an operational subtlety many overseas observers miss: the name itself is regulated. - Companies named ***Exchange*** (交易所) — must be approved by the State Council, a financial regulator, or a provincial government (with prior consultation of the inter-ministerial coordination committee). - Companies named ***Trading Center*** (交易中心) — same approval requirement, slightly less strict. - Companies named ***Data Trading Co., Ltd.*** / ***Data Group*** etc. — no special name approval, but they are *not* legal trading venues. The historical reason: in the years before tight name regulation, fake exchanges proliferated and were used as fronts for illegal fundraising and financial fraud. Despite Tier-3 status, low public-risk data exchanges have been caught up in this enforcement — the State Council's *Decision on Cleaning Up and Rectifying Various Trading Venues* (Document No. 38 [2011]) explicitly prohibits unauthorized use of the "exchange" name. The operational implication for overseas counsel: **the company name matters**. A counterparty named "QL Data Exchange Co., Ltd." is more likely to be a real trading venue than "QL Data Trading Co., Ltd." or "QL Data Group" — but the only definitive check is the registered list of licensed trading venues maintained by the provincial financial regulator and (for data exchanges) the local data administration authority. As of mid-2024, of all data-trading-related entities registered in China: - **9** contain "Exchange" (交易所) in the name. - **20** contain "Trading Center" (交易中心) in the name. - The rest use names like "Data Trading Co., Ltd." or "Data Group" — most of which are not licensed trading venues. ## The structural difference between on- and off-exchange Both serve buyers and sellers of data. So why does on-exchange exist? Wang's answer: trading venues bear *infrastructure obligations* that off-exchange platforms don't. The trading venue must do the unprofitable, regulatory-heavy work: - **Ecosystem cultivation** — supporting data brokers, third-party professional service institutions, training the "data trader" workforce. - **Compliance gateway** — vetting both sellers and listings, refusing non-compliant trades, providing a public-trust-grade compliance review. - **Market infrastructure** — the technical systems for matching, settlement, evidence preservation, audit trails. The off-exchange platforms benefit from this work without paying for it — they operate in the data-broker ecosystem the on-exchange venues built. The trading venue takes on responsibility *and* market competition. The trade-off, in Wang's framing: **"On-exchange trading is like marriage — many outside want in, many inside want out."** The crown carries weight. One data trading center founded in 2015 voluntarily surrendered its trading-venue qualification in 2023 to become a "data tech company" operating freely off-exchange. ## Three waves of China's on-exchange data market Wang's historical mapping: ### Wave 1 (2014–2017): Launch and cooling - **2014** — "Big data" written into the Government Work Report for the first time, marking the start of top-level design for the data industry. - **2015** — The Guiyang Big Data Exchange (贵阳大数据交易所), China's first data exchange, founded. Within two years, more than 10 data exchanges established across the country. - **2017** — The wave cools. Many exchanges enter dormancy. The problem: no sustainable business model. The exchanges couldn't pull the broader data industry forward. ### Wave 2 (2021–2024): The data-element strategy - **2021** — Beijing, Shanghai, and Shenzhen data exchanges officially launched. - **2022** — The Guiyang Exchange (which had entered bankruptcy reorganization) was restructured and rejoined the market. New roles emerged: *data broker* (数据商), *data trader* (数据交易员), *data compliance specialist* (数据交易合规师). The data trading industry chain took shape. - **December 2022** — *Data 20 Articles* published. - **October 2023** — National Data Administration (NDA) officially established. The on-exchange market entered a phase of coordinated national development. ### Wave 3 (ahead): Differentiated competition Wang's prediction at the time of writing (mid-2024): the third wave will involve large-scale entry of normalized off-exchange platforms competing with on-exchange venues. Without differentiated value propositions, on-exchange venues face elimination pressure. The differentiation thesis: on-exchange venues must take on *industry-wide infrastructure responsibilities and social functions* — without them, on-exchange trading is genuinely unnecessary ("the data joke" Wang quotes: *"Exchanges need trading, but trading doesn't always need exchanges."*). ## The Shenzhen Data Exchange — a case in point Wang closes with a chronology of how the Shenzhen Data Exchange emerged from policy reform, not from private-market entrepreneurship: - **October 2020** — Central Committee + State Council issue the *Implementation Plan for Shenzhen as a Demonstration Zone for Socialism with Chinese Characteristics (2020–2025)*. Proposes accelerating the cultivation of a data-element market and "researching the establishment of a data trading market." - **December 2021** — Shenzhen Data Trading Co., Ltd. registered. - **January 2022** — NDRC + Ministry of Commerce issue the *Opinions on Specific Measures to Relax Market Access in Shenzhen as a Demonstration Zone*. Includes "prudently researching the establishment of data-element trading venues." - **November 2022** — Shenzhen Data Exchange formally unveiled. The Co., Ltd. renamed to Shenzhen Data Exchange Co., Ltd. (SZDEX). - **August 2023** — State Council issues the *Development Plan for the Hetao Shenzhen-Hong Kong Science and Technology Innovation Cooperation Zone, Shenzhen Park*. Calls for "accelerated construction of Shenzhen data trading venues." - **April 2024** — SZDEX Data Trading Business Platform 2.0 launched. - *To be continued...* The point Wang makes through the chronology: SZDEX was created to carry a specific reform mission. It's not just a venue — it's an infrastructure mandate the central government delegated to Shenzhen. ## Why this matters for overseas teams Three operational takeaways: - **On-exchange status is a verifiable counterparty signal.** When evaluating a Chinese data counterparty, check whether they hold a recognized trading-venue qualification. The name alone is suggestive but not dispositive. The provincial-level data administration authority's published list of licensed data exchanges is the authoritative source. - **On-exchange trades carry built-in compliance review; off-exchange trades don't.** When a foreign-invested entity transacts on-exchange (as buyer or seller), the exchange has already vetted the listing against the *Provisions on the Administration of Data Trading*. Off-exchange trades carry the full compliance burden on the counterparties. - **Cross-border data trades typically route through on-exchange venues.** The Beijing FTZ negative list, the Guangdong FTZ data export framework, and the Shenzhen Hetao park's data-flow regime all integrate with the relevant on-exchange venue. Multinationals running cross-border data flows through the FTZs gain compliance leverage by routing through SZDEX or the Beijing International Data Exchange. The deeper point in Wang's piece is that **China has built a market architecture that doesn't exist in Western data ecosystems**. There is no "London Data Exchange" or "Nasdaq Data Exchange." The on-exchange / off-exchange distinction is uniquely Chinese, and foreign counsel approaching the Chinese data market need to internalize the structure before they can advise meaningfully. --- — Wang Qinglan (王青兰), *场内数据交易一定比场外高贵吗?* (Is On-Exchange Data Trading Necessarily More Prestigious Than Off-Exchange?), 青兰数据观察 WeChat Official Account, July 1, 2024. [Original article (Chinese).](https://mp.weixin.qq.com/s/2qNmM5uxUZkfqE3YCYZx8g) *Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation. The author's views are her own and do not represent her employer.* --- ## What Is Actually Traded on China's Data Exchanges — A Bakery Metaphor - Published: 2024-05-28 - Author: DCC Editorial - Tags: data-economy, data-trading, data-products, data-classification, commentary - Laws cited: data-foundation-system-opinions, common-data-terms-batch-1, common-data-terms-batch-2, public-data-authorized-operation-specifications - Domains: data-economy - URL: https://datacompliancechina.com/posts/qinglan-what-is-traded-on-data-exchanges/ - Markdown: https://datacompliancechina.com/posts/qinglan-what-is-traded-on-data-exchanges.md - Original source: https://mp.weixin.qq.com/s/xFM7nS_E0BoB272Im6Mciw - Original author: 王青兰 (Wang Qinglan) - Original publication: 青兰数据观察 ### Description Per the Shenzhen Provisional Measures for Data Trading Administration, four categories of object can be traded on a Chinese data exchange: data products, data services, data tools, and other regulator-approved objects. Wang Qinglan walks through what each means in plain language with a bakery metaphor — wheat (raw data) becomes flour (data resources) becomes cakes (data products); a baker is a data service; the oven is a data tool. The piece is useful precisely because it answers a question overseas teams rarely think to ask: what are the data exchanges actually selling? ### Body > *Editor's Note — DCC.* > > The Chinese data-element market is one of the most distinctive features > of the country's data regime — yet most overseas analyses treat it as > a black box. Wang Qinglan's plain-language primer answers the > precondition question: *what is actually for sale*? The bakery metaphor > she uses is more useful than any of the formal definitions and worth > internalizing before approaching the data property rights registration > regime, the Data 20 Articles policy framework, or the Shenzhen Data > Exchange's listing practice. ## The four trading objects The legal anchor is the **Shenzhen Provisional Measures for Data Trading Administration** (《深圳市数据交易管理暂行办法》). Article 6 lists four categories of object that can be traded on a Chinese data exchange: - **Data products** (数据产品) - **Data services** (数据服务) - **Data tools** (数据工具) - **Other trading objects approved by the competent authority** (其他经主管部门同意的交易标的) The first three are well-defined; the fourth is a catch-all that has, in practice, expanded the regime's flexibility — particularly to accommodate *data resources* (数据资源) as a tradable object even though they don't fit cleanly into "data products." ## The bakery metaphor Wang's mental model: imagine a flour mill that becomes a bakery. The metaphor maps cleanly onto the legal categories. | Bakery element | Chinese data concept | English translation | |---|---|---| | Wheat from the farmer | 原始数据 | **Raw data / primary data** | | Flour (after milling) | 数据资源 | **Data resources** | | Cake or cake base (after baking) | 数据产品 | **Data products** | | The baker who turns flour into cake | 数据服务 | **Data services** | | The oven, mixer, frosting spreader | 数据工具 | **Data tools** | The full chain: a farmer harvests wheat (raw data); the mill turns it into flour (data resources); the bakery turns flour into cakes (data products). When a flour mill wants to enter the bakery business but lacks the skill, it hires a baker (data service). The baker needs equipment — oven, mixer, frosting tools (data tools). The metaphor solves the conceptual puzzle. *Raw data*, *data resources*, and *data products* are all data in different states of processing. *Data services* are skills applied to data. *Data tools* are instruments for processing data. ## The narrow vs. broad data product distinction Wang highlights a frequently overlooked distinction: - **Narrow data products** — data products in the strict sense. The data resource is the input; algorithmic processing yields the output. Examples: data sets, data analytics reports, data visualization products, data indices, API data products, encrypted data products. The flour-becomes-cake pattern. - **Broad data products** — narrow data products *plus* data services and data tools. The broader category captures everything traded on a data exchange. The key conceptual divide: - **Narrow data products** contain data — they *are* the cake. - **Data services and data tools** are *methods or instruments* for processing data — they're the baker and the oven, not the cake. Wang treats "data products" in the strict sense throughout her piece — the cake, formed by substantive processing of data resources, yielding derived data or data-derivative products. This narrow usage tracks the NDA's *Common Data Terms (First Batch)* definition: *"data processing products and data services that are formed on the basis of data processing and can meet specific needs."* ## What raw data, data resources, and data products mean operationally The bakery analogy maps to a concrete example Wang gives: - You want to open a milk-tea shop. You hire counters to stand at major shopping-district entrances and record foot traffic in notebooks. Each notebook entry is **raw data** — an electronic-or-otherwise recording of an observable phenomenon (here, foot count at a location). - At end of each day, the counters consolidate notebook entries into a single Excel spreadsheet. The spreadsheet is a **data resource** — raw data, primarily processed, with potential for value creation. - A tourism-data company buys the spreadsheet and processes it into a *shopping-district heat-map analytical report*. They sell the heat map to an advertising agency for targeted ad placement. The heat-map report is a **data product** — the result of substantive processing of data resources. This three-level distinction — raw / resource / product — is foundational. The DSL, the *Network Data Security Regulation*, and the NDA's *Data Property Rights Registration Work Guide (Trial)* all rely on it. The legal consequences of mishandling each tier differ. ## Can data resources be traded? Wang flags a useful operational point. The Shenzhen Provisional Measures' three-category enumeration (products / services / tools) seems to exclude data resources. But Article 6's fourth category — *"other trading objects approved by the competent authority"* — accommodates them. In practice, **data resources can be traded on Chinese exchanges as a fourth-category object** — both on-exchange and off-exchange. The Shenzhen Data Exchange and other regional exchanges have listed both data products and data resources. The one substantive exception: **public data resources** (公共数据资源). Per the *Implementation Specifications for Authorized Operation of Public Data Resources*, public data must pass through *authorized operation* (授权运营) and be converted into *public data products* before it can be traded. Public data, in its raw resource form, is not a tradable object — only the products built on top of it. ## The current trading-object landscape Wang's summary of the practical scope of tradable objects on Chinese data exchanges: - **Data resources** — tradable under Article 6's catch-all, both on-exchange and off-exchange (with the public-data exception). - **Data products (narrow)** — the core tradable object. Includes analytic reports, indices, data sets, API products, encrypted data products. - **Data services / data tools (broad data products)** — methods or instruments for processing data, tradable as their own category. The exchange ecosystem is still maturing. New trading object types may emerge as the regime develops, and the trading rules will continue to refine. ## Why this matters for overseas teams Three operational takeaways for overseas counsel and compliance leads engaging with the Chinese data exchange ecosystem: - **Categorize before you transact.** Whether you're a buyer or a seller, the first question is what *kind* of object you're trading. A data set is a different category from an analytical report (both data products, but with different compliance profiles). A SaaS analytics platform sold to a Chinese counterparty may sit in *data tools*, not *data products*. The categorization determines licensing path, classification obligations, and (for cross-border transactions) export-compliance obligations. - **Public data has a different transactional path.** Public data resources cannot be acquired by foreign entities directly. They must be turned into public data products via the authorized-operation regime first. Foreign entities partnering on public-data-derived products should structure the partnership through an *authorized operating institution* (运营机构) recognized under the *Public Data Resources Registration Interim Measures*. - **The narrow vs. broad distinction matters for IP and product structure.** A data service business model (algorithm-as-a-service, classification-as-a-service) operates under different rules than a data product business model (selling the resulting data set). Where the business is sold matters too — services trade differently from products on most exchanges. The underlying point in Wang's piece is that **the Chinese data-element market has a much richer trading object taxonomy than the Western "data licensing" framing**. A multinational treating data trading as a single category will miss the operational handles that the four-category framework provides. --- — Wang Qinglan (王青兰), *数据交易,到底在交易什么?* (Data Trading — What Is Actually Being Traded?), 青兰数据观察 WeChat Official Account, May 28, 2024. [Original article (Chinese).](https://mp.weixin.qq.com/s/xFM7nS_E0BoB272Im6Mciw) *Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation. The author's views are her own and do not represent her employer.* --- ## Case Study — A Public-Data Operator Hands Personal Data to a Bank. Two Compliance Failures. - Published: 2024-04-11 - Author: DCC Editorial - Tags: public-data, credit-reference, authorized-operation, case-study, commentary - Laws cited: pipl, public-data-registration-interim-measures, public-data-authorized-operation-specifications - Domains: personal-information, data-economy, enforcement - URL: https://datacompliancechina.com/posts/qinglan-public-data-credit-licensing-case/ - Markdown: https://datacompliancechina.com/posts/qinglan-public-data-credit-licensing-case.md - Original source: https://mp.weixin.qq.com/s/EOP5UAW6V3n1HRYW1KYPeg - Original author: 王青兰 (Wang Qinglan) - Original publication: 青兰数据观察 ### Description A real-case analysis from Wang Qinglan. A state-affiliated auction company holds the public-data operating right for vehicle license-plate auction data. A bank persuades it to hand over the personal data of winning bidders. The bank builds a targeted credit product and pays the auction company RMB 12 million a year in revenue share. Two compliance failures: (1) no individual consent under PIPL; (2) no credit reference business license under the Credit Reference Industry Regulation and Credit Reference Business Measures. Public-data authorized operation does not displace the credit reference licensing regime. ### Body > *Editor's Note — DCC.* > > Public-data authorized operation (公共数据授权运营) is one of the most > active growth areas in China's data-element market. Wang Qinglan's > case study illustrates one of its most common failure modes: an > operator with public-data rights treats those rights as a general > license to do anything with the data, missing that other regulatory > regimes — here, the credit reference business licensing regime — apply > on top of the public-data framework. This is short for a Wang piece > (under 1500 words in the original) but the analytical pattern is > generally useful for overseas counsel advising on public-data products. ## The case A state-affiliated auction company in a Chinese city holds the operating right to vehicle license-plate auction data. (The license-plate auction system is how the city allocates a capped number of new license plates each year.) Winning bidders' personal data — name, contact information, payment information, vehicle details — flows through the auction platform. A bank approaches the auction company with a proposal: - The auction company gives the bank the personal data of winning bidders. - The bank uses the data to design a targeted credit product for new vehicle purchasers — license-plate winners are a high-creditworthiness segment. - The bank pays the auction company **RMB 12 million per year** in revenue share. The auction company agreed. **Wang's question: was the auction company's conduct compliant?** ## The two failures ### Failure 1 — No individual consent under PIPL The first issue is PIPL. The auction company's *public-data operating right* lets it process the auction data on behalf of the government grantor for the authorized purpose (typically, running the auction platform and providing official services). It does not vest the auction company with general consent to share the personal data of winning bidders with third parties for unrelated commercial purposes. PIPL Article 13 requires a lawful basis for each processing activity. The most common bases — *individual consent*, *contract necessity*, *legal obligation* — would have to be re-grounded for the bank-sharing activity. None of them obviously applied here. If the auction company had not obtained individual consent from each winning bidder authorizing the bank-sharing, the sharing was unlawful. *On the facts of the case, the company had not.* That alone makes the transaction non-compliant. But the deeper problem follows. ### Failure 2 — No credit reference business license The auction company's conduct also constitutes ***credit reference business*** (征信业务), and credit reference business is a licensed activity in China. Operating it without a license is unlawful — and the auction company did not have one. This is the part overseas counsel most often miss when advising on Chinese public-data deals. **Public-data authorized operation does not exempt the operator from sector-specific licensing requirements**. Other regulatory regimes — credit reference, banking, insurance, healthcare, geographic data — stack on top of the public-data framework. The legal anchors: - **Article 2 of the *Credit Reference Industry Regulation*** (《征信业管理条例》) defines credit reference business as *"the collection, organization, retention, processing of credit information about enterprises, public institutions, and individuals, and provision of that information to information users."* - **Article 3 of the *Credit Reference Business Administrative Measures*** (《征信业务管理办法》) further specifies that credit reference business serves *financial and similar activities* — to identify and evaluate the creditworthiness of enterprises and individuals. - **Article 5 of the Credit Reference Business Measures**: *"Financial institutions may not engage in commercial cooperation to obtain credit reference services with market entities that have not obtained the lawful credit reference business qualification."* That last article is the bank's exposure too. By contracting with the unlicensed auction company for credit-reference-purpose data, the bank also violated the regulation. ### The two licensing tracks A critical operational detail in the regulation: - **Personal credit reference business** (个人征信业务) — requires a **license** from the PBoC. Setting one up requires PBoC approval; the regulator has, in practice, issued personal credit reference licenses to a small number of institutions. - **Enterprise credit reference business** (企业征信业务) — requires **filing** with the PBoC's local office. The filing standard is lower than personal credit licensing. In the case, the auction company was processing *individuals'* data for credit purposes — so the licensing track is personal credit reference. No license, no operation. Even if the auction company had separately obtained individual consent under PIPL, the absence of a personal credit reference license would still have made the conduct unlawful. Wang's summary: *"This company probably stacked both non-compliance buffs to the maximum. Genuinely criminal."* ## The operational test The decisive question — for any business considering a transaction involving downstream financial-activity use of personal data — is **"is the use for financial activity?"** (是否用于金融活动). If yes, credit reference business licensing/filing applies. Public-data authorized operation does not displace that requirement. The two-pronged test for credit reference business per the regulation: 1. Is the data *credit information* (信用信息) — information used to identify and evaluate creditworthiness? 2. Is the data being used for *financial or similar activities*? If both are yes, the activity is credit reference business. The license is required for personal data; filing is required for enterprise data. ## Why this matters for overseas teams Three operational takeaways: - **Public-data authorized operation is one license among many, not a master license.** A public-data operator's permitted operations are bounded by *both* the public-data authorization terms *and* every other sector-specific regime that applies to the underlying activity. When the downstream use is financial, the credit reference licensing regime applies separately. When the downstream use is healthcare, the healthcare-data and medical-device regimes apply. When the downstream use is education, education-sector PI rules apply. Public-data status is not a shortcut around sector-specific rules. - **Foreign entities partnering on Chinese public-data products should map the downstream-use regulatory stack before structuring the deal.** A China subsidiary acquiring or licensing a public-data product for cross-border use must satisfy: (a) the public-data authorization terms; (b) PIPL consent / contractual basis requirements for any PI in the data; (c) any sector-specific licensing applicable to the downstream use; (d) cross-border export pathway requirements if the data leaves China. - **The case is also a reminder of the criminal exposure.** Criminal Law Article 253-1 — sale and provision of citizen personal information without consent or in violation of regulations — applies. The PI Audit Measures and the 2026 PI Special Action (six high-risk sectors including finance) put financial-data flow on the regulator's enforcement priority list. Foreign-invested banks and financial-services providers in particular should treat this case as a leading enforcement risk. The underlying point in Wang's piece is that **public-data authorized operation is a permission, not an immunity**. The auction company's mistake was treating the authorization as a general license — and the credit reference licensing regime caught up with that mistake. --- — Wang Qinglan (王青兰), *案例分析 | 公共数据授权运营后提供给金融机构是否须取得征信业务资质?* (Case Analysis — After Public-Data Authorized Operation, Does Providing to Financial Institutions Require Credit Reference Business Qualification?), 青兰数据观察 WeChat Official Account, April 11, 2024. [Original article (Chinese).](https://mp.weixin.qq.com/s/EOP5UAW6V3n1HRYW1KYPeg) *Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation. The author's views are her own and do not represent her employer.* --- # III. GLOSSARY (Bilingual ZH-EN) 409 terms across 12 sections. Structured JSON available at https://datacompliancechina.com/glossary.json. ## §1. Data Types (数据类型) - **数据** = data - **原始数据** = raw data / primary data — NDA Common Data Terms Batch 1 (2024) uses "primary data" - **衍生数据** = derived data - **网络数据** = network data — introduced as a defined term by the Network Data Security Regulation - **训练数据** = training data — GenAI Measures Art 7 - **数据资源** = data resources — Gov Data Sharing Regulations usage - **数据产品和服务** = data products and services — NDA Common Data Terms Batch 1 § 5 - **元数据** = metadata - **结构化数据** = structured data - **半结构化数据** = semi-structured data - **非结构化数据** = unstructured data - **个人信息** = personal information - **敏感个人信息** = sensitive personal information - **儿童个人信息** = personal information of children - **未成年人个人信息** = personal information of minors - **生物识别信息** = biometric information - **人脸信息** = facial information — SPC FRT Interpretation core term - **重要数据** = important data - **核心数据** = core data - **国家核心数据** = national core data - **一般数据** = general data - **公共数据** = public data - **政务数据** = government data - **企业数据** = enterprise data - **数据资产** = data assets - **数据要素** = data elements - **重要数据目录** = catalogue of important data ## §2. Data Processing & Compliance Management (数据处理与合规管理) - **处理** = processing - **数据处理** = data processing / data handling — NDA Batch 1 uses "data handling" (collect / store / use / process / transmit / provide / publish) - **数据处理活动** = data processing activities - **数据处理者** = data processor / data handler — DSL term (generic) — "data handler" in CAC and NDA translations - **网络数据处理者** = network data handler — Network Data Security Regulation term - **个人信息处理者** = personal information handler — PIPL Article 73 — DO NOT render as "data controller" - **个人** = the individual / the individual concerned — PIPL's preferred rights-holder term, not "personal information subject" - **受托处理者** = entrusted processor - **受托数据处理者** = commissioned data handler / trustee data processor — NDA Batch 1 § 10 uses "commissioned data handler" - **数据治理** = data governance - **数据流通** = data circulation / data flow — NDA Batch 1 § 11 uses "data circulation"; "data flow" common in cross-border context (not GDPR-style "data flow") - **委托处理** = entrusted processing - **共同处理** = joint processing - **公开披露** = public disclosure - **转让** = transfer - **共享** = sharing - **个人信息主体** = personal information subject — Pre-PIPL standard term; PIPL itself uses "个人" (individual) - **数据主体** = data subject — GDPR vocabulary; preserve if the source author chose it, do not back-fit onto PIPL - **单独同意** = separate consent - **明示同意** = explicit consent - **一揽子同意** = bundled consent — SPC FRT Interpretation Art 4 — invalid consent pattern - **告知** = notice - **知情同意** = informed consent - **实名核验** = real-name verification — Deep Synthesis / GenAI / Algo Rec triple requirement - **真实身份信息** = real identity information - **个人信息保护影响评估** = Personal Information Protection Impact Assessment (PIPIA) — PIPL Arts 55–56 render verbally as "impact assessment on personal information protection" - **风险评估** = risk assessment - **数据安全风险评估** = data security risk assessment - **自评估** = self-assessment — term used across CBDT pathways - **安全事件** = security incident - **个人信息安全事件** = personal information security incident - **网络安全事件** = cybersecurity incident - **数据安全事件** = data security incident - **应急预案** = emergency response plan - **应急响应** = emergency response - **自动化决策** = automated decision-making - **用户画像** = user profiling - **精准营销** = targeted marketing - **去标识化** = de-identification - **匿名化** = anonymization - **脱敏** = de-sensitization — narrower than 去标识化/匿名化 — masking-style treatment used e.g. in the NEA energy-data classification guide's downgrade rule - **最小必要** = minimum necessary - **合法、正当、必要** = lawful, legitimate, and necessary - **数据治理** = data governance - **数据安全** = data security - **数据分类分级** = data classification and grading — also rendered "classified and hierarchical protection of data" in regulations - **分类分级保护** = classified and hierarchical protection - **合规审计** = compliance audit - **个人信息保护合规审计** = personal information protection compliance audit - **个人信息保护负责人** = person in charge of personal information protection - **专门机构** = specialized agency — third-party PI-audit body under the 2025 Audit Measures - **专门安全管理机构** = specialized security management body — CIIO obligation under CII Regulations Art 14-15 - **履行个人信息保护职责的部门** = authorities performing duties of personal information protection - **保护机构** = protection authority — informal shorthand used in the Audit Measures - **保护工作部门** = protection authority — CII Regulations usage - **主管部门** = competent authority - **监督管理部门** = supervisory authority - **重要互联网平台服务** = important Internet platform services — PIPL Art 58 — large-platform obligation trigger - **党政机关** = Party and government organs - **企事业单位** = enterprises and public institutions - **公共服务** = public services - **公益事业** = public welfare - **公开招标** = public bidding - **邀请招标** = invited bidding - **数据安全主体责任** = primary responsibility for data security - **实施方案** = implementation plan - **行政权力** = administrative power - **市场支配地位** = market dominant position - **排除、限制竞争** = exclude or restrict competition - **网络平台运营者** = network platform operator - **网络平台** = network platform - **社会责任报告** = social responsibility report - **网络产品和服务** = network products and services - **网络安全服务机构** = cybersecurity service agency - **安全保密协议** = security confidentiality agreement - **三道防线** = three lines of defense — financial-sector governance term; NFRA cybersecurity draft (2026) drafting principle - **第一责任人** = first person responsible — NFRA cybersecurity draft Art 7 — institution's principal officer ## §3. Cross-Border Data Flow (数据出境) - **数据出境** = cross-border data transfer — PIPL itself uses the verbal "provide personal information outside the territory of the PRC" - **数据跨境流动** = cross-border data flows - **跨境提供个人信息** = cross-border provision of personal information - **跨境处理** = cross-border processing - **境外接收方** = overseas recipient - **数据出境安全评估** = Data Export Security Assessment — PIPL renders verbally as "security evaluation organized by the CAC" — 评估 is rendered both as "assessment" and "evaluation" - **安全评估** = security assessment - **出境安全评估** = outbound security assessment - **评估申报** = assessment declaration / declaration for security assessment - **评估通过** = passing the security assessment - **评估结果通知书** = Assessment Result Notice — CAC document conveying which PI data items cleared / were rejected for export - **违法出境** = unlawful cross-border transfer (of data) — enforcement-notice phrasing, e.g. 违法出境个人信息 - **未落实评估要求** = failure to implement assessment requirements — distinct from 未通过评估 (failure to pass) — transferred outside the cleared scope - **个人信息出境标准合同** = Standard Contract for Cross-Border Transfer of Personal Information - **个人信息出境标准合同备案** = Personal Information Standard Contract Filing - **标准合同** = Standard Contract - **个人信息保护认证** = Personal Information Protection Certification - **认证** = certification — CAC Cross-border Provisions sometimes render 认证 as "authentication" — both are in circulation - **认证机构** = certification body — new under the 2026 PI Outbound Certification Measures - **认证证书** = certification certificate - **认证标志** = certification mark - **备案** = filing - **负面清单** = negative list - **白名单** = whitelist - **数据本地化** = data localization - **本地存储** = local storage - **出海** = overseas expansion - **自由贸易试验区** = pilot free trade zone (FTZ) — introduced by the 2024 Cross-border Provisions Art 6 negative-list mechanism - **自贸区** = pilot free trade zone (FTZ) ## §4. Data Property Rights & Trading (数据产权与交易) - **数据产权** = Data Property Rights - **数据产权登记** = Data Property Rights Registration - **数据持有权** = Right to Hold Data - **数据使用权** = Right to Use Data - **数据经营权** = Right to Operate Data - **数据交易** = data trading - **交易主体** = trading subjects - **交易标的** = subject matter of transaction - **数据交易机构** = data trading institution - **场内数据交易** = on-exchange data trading - **数据场内交易** = on-exchange data trading — NDA Batch 2 § 9 — synonym for 场内数据交易 - **场外数据交易** = off-exchange data trading - **数据场外交易** = off-exchange data trading — NDA Batch 2 § 10 — synonym for 场外数据交易 - **数据撮合** = data matching - **数据交易撮合** = data trading matching — NDA Batch 2 § 11 - **第三方专业服务机构** = third-party professional service institutions - **数据第三方专业服务机构** = data third-party professional service institution — NDA Batch 2 § 12 - **第三方法律服务机构** = third-party legal service institutions - **数据要素市场化配置** = market-oriented allocation of data elements — NDA Batch 1 § 7 - **公共数据资源** = public data resources - **授权运营** = authorized operation - **实施机构** = implementing institution - **运营机构** = operating institution - **登记机构** = registration institution - **登记主体** = registrant - **登记申请人** = registration applicant - **登记凭证** = registration certificate - **赋码** = code issuance - **数据基础制度** = fundamental data system - **一体化数据市场** = integrated data market - **数据要素市场** = data factor market - **数据流通服务机构** = data circulation service institution - **隐私计算** = privacy computing - **政务数据共享** = government data sharing - **数据描述** = data description - **数据来源** = data source - **数据存证** = data evidence preservation - **数据指纹** = data fingerprint - **数据水印** = data watermark - **数据入表** = data balance-sheet entry - **数据资产化** = data assetization - **数据资产资本化** = data asset capitalization - **异议** = objection - **异议处理** = objection handling - **初次登记** = initial registration - **转让登记** = transfer registration - **变更登记** = change registration - **续期登记** = renewal registration - **注销登记** = deregistration - **续期** = renewal - **注销** = deregistration - **权利限制** = rights limitation - **多源数据** = multi-source data - **衍生创造** = derivative creation - **自动化程序** = automated procedures ## §5. Key Laws & Regulations (法律法规) - **网络安全法** = Cybersecurity Law (CSL) - **数据安全法** = Data Security Law (DSL) - **个人信息保护法** = Personal Information Protection Law (PIPL) - **个保法** = Personal Information Protection Law (PIPL) - **民法典** = Civil Code - **反电信网络诈骗法** = Anti-Telecom and Online Fraud Law - **国家安全法** = National Security Law - **外商投资法** = Foreign Investment Law - **反垄断法** = Anti-Monopoly Law - **密码法** = Cryptography Law - **生物安全法** = Biosecurity Law - **种子法** = Seed Law - **粮食安全保障法** = Food Security Guarantee Law - **海南自由贸易港法** = Hainan Free Trade Port Law - **未成年人保护法** = Law on the Protection of Minors — 2020 revision added the Network Protection chapter - **未成年人学校保护规定** = Provisions on the Protection of Minors by Schools — MOE Order No. 50 - **网络数据安全管理条例** = Regulation on Network Data Security Management — State Council Decree No. 790 — official rendering uses singular "Regulation" - **关键信息基础设施安全保护条例** = Security Protection Regulations for Critical Information Infrastructure — State Council Decree No. 745 - **未成年人网络保护条例** = Regulations on the Protection of Minors in Cyberspace — State Council Decree No. 766 - **政务数据共享条例** = Regulations on the Sharing of Government Data — State Council Decree No. 809 - **数据出境安全评估办法** = Measures for the Security Assessment of Data Export — CAC Decree No. 11 - **促进和规范数据跨境流动规定** = Provisions on Promoting and Regulating Cross-border Data Flows — CAC Decree No. 16 — note "Cross-border" (lowercase b) in official translation - **个人信息出境标准合同办法** = Measures on the Standard Contract for the Outbound Transfer of Personal Information — CAC Decree No. 13, effective 2023-06-01 - **个人信息出境标准合同备案指南** = Guide to the Filing of the Standard Contract for Outbound Transfer of Personal Information — CAC procedural guide accompanying SCC Measures - **个人信息出境认证办法** = Measures for the Certification of the Cross-border Provision of Personal Information — CAC + SAMR Order No. 20, effective 2026-01-01 - **个人信息保护认证实施规则** = Implementation Rules for Personal Information Protection Certification - **个人信息保护合规审计管理办法** = Administrative Measures for Personal Information Protection Compliance Audits — CAC Decree No. 18, effective 2025-05-01 - **个人信息安全规范** = Personal Information Security Specification - **网络安全审查办法** = Cybersecurity Review Measures — CAC + 12-agency Decree No. 8 - **网络数据安全风险评估办法** = Measures for Network Data Security Risk Assessment — CAC + MIIT + MPS Order No. 24, effective 2026-08-20 - **外商投资安全审查办法** = Measures for the Security Review of Foreign Investments — NDRC + MOFCOM Decree No. 37 - **互联网信息服务算法推荐管理规定** = Provisions on the Administration of Algorithmic Recommendation Services for Internet Information Services — CAC + 3 Decree No. 9 - **互联网信息服务管理办法** = Administrative Measures for Internet Information Services — State Council, foundational ICP regulation (2000, revised 2011, 2024) - **人工智能拟人化互动服务管理暂行办法** = Interim Measures for the Management of AI Anthropomorphic Interaction Services — CAC + 4-agency Order No. 21, effective 2026-07-15 - **生成式人工智能服务管理暂行办法** = Interim Measures for the Management of Generative Artificial Intelligence Services — CAC + 6 Decree No. 15 - **互联网信息服务深度合成管理规定** = Provisions on the Administration of Deep Synthesis of Internet Information Services — CAC + 2 Order No. 12 - **人工智能生成合成内容标识办法** = Measures for the Labeling of AI-Generated and Composed Content — CAC + 3 Guo Xin Ban Tong Zi [2025] No. 2 - **银行业保险业网络安全管理办法** = Measures for the Administration of Cybersecurity in the Banking and Insurance Sectors — NFRA draft for public consultation, July 2026 - **金融业网络安全管理办法** = Measures for the Administration of Cybersecurity in the Financial Sector — draft for public consultation, July 2026 — companion instrument to the NFRA banking/insurance draft - **最高人民法院关于审理使用人脸识别技术处理个人信息相关民事案件适用法律若干问题的规定** = Provisions of the Supreme People's Court on Several Issues Concerning the Application of Law in the Trial of Civil Cases Involving the Use of Facial Recognition Technology to Process Personal Information ## §6. Regulators & Authorities (监管机构) - **国家互联网信息办公室** = Cyberspace Administration of China (CAC) - **国家网信办** = Cyberspace Administration of China (CAC) - **网信办** = Cyberspace Administration of China (CAC) - **中央网信办** = Office of the Central Cyberspace Affairs Commission - **网络安全审查办公室** = Cybersecurity Review Office - **国家数据局** = National Data Administration (NDA) - **国务院** = State Council - **工信部** = Ministry of Industry and Information Technology (MIIT) - **公安部** = Ministry of Public Security (MPS) - **国家安全部** = Ministry of State Security (MSS) - **国家市场监督管理总局** = State Administration for Market Regulation (SAMR) - **国家发展和改革委员会** = National Development and Reform Commission (NDRC) - **发改委** = National Development and Reform Commission (NDRC) - **教育部** = Ministry of Education (MOE) - **科学技术部** = Ministry of Science and Technology (MOST) - **科技部** = Ministry of Science and Technology (MOST) - **财政部** = Ministry of Finance (MOF) - **商务部** = Ministry of Commerce (MOFCOM) - **中国人民银行** = People's Bank of China (PBOC) - **国家金融监督管理总局** = National Financial Regulatory Administration (NFRA) - **金融监管总局** = National Financial Regulatory Administration (NFRA) - **国家广播电视总局** = State Administration of Radio and Television (NRTA) - **中国证券监督管理委员会** = China Securities Regulatory Commission (CSRC) - **证监会** = China Securities Regulatory Commission (CSRC) - **国家保密局** = State Secrecy Administration (SSA) - **国家密码管理局** = State Cryptography Administration (SCA) - **中国信通院** = China Academy of Information and Communications Technology (CAICT) - **全国信息安全标准化技术委员会** = National Information Security Standardization Technical Committee (TC260) - **最高人民法院** = Supreme People's Court (SPC) - **最高人民检察院** = Supreme People's Procuratorate (SPP) - **人民法院** = People's Court - **人民检察院** = People's Procuratorate ## §7. Cybersecurity & Critical Information Infrastructure - **网络** = network - **网络运营者** = network operator - **关键信息基础设施** = critical information infrastructure (CII) - **关键信息基础设施运营者** = critical information infrastructure operator (CIIO) - **运营者** = operator — CII Regulations shorthand - **关键信息基础设施认定** = identification of critical information infrastructure - **关键信息基础设施识别** = identification of critical information infrastructure - **网络安全等级保护制度** = Multi-Level Protection Scheme (MLPS) - **等级保护** = Multi-Level Protection Scheme (MLPS) - **网络安全审查** = cybersecurity review - **安全审查** = security review - **国家安全审查** = national security review - **数据安全审查** = data security review — DSL Art 24 regime — landed via the 2021 Cybersecurity Review Measures revision; decisions final - **外商投资安全审查** = foreign investment security review - **网络数据安全风险评估** = network data security risk assessment - **总体国家安全观** = holistic approach to national security — official rendering of Xi-era national-security doctrine - **事前审查** = ex-ante review - **海外上市** = overseas listing — Cybersecurity Review Measures Art 7 — listing-trigger - **供应链安全** = supply chain security - **网络安全** = cybersecurity - **网络空间** = cyberspace - **主权** = sovereignty - **网络主权** = cyber sovereignty ## §8. AI & Algorithms - **人工智能** = artificial intelligence (AI) - **生成式人工智能** = generative artificial intelligence - **生成式人工智能服务** = generative AI services - **生成式人工智能服务提供者** = generative AI service provider - **深度合成** = deep synthesis - **深度合成服务** = deep synthesis services - **深度合成服务提供者** = deep synthesis service provider - **深度合成技术** = deep synthesis technology - **算法** = algorithm - **算法服务** = algorithmic services - **算法推荐** = algorithmic recommendation - **算法推荐服务** = algorithmic recommendation services - **算法推荐服务提供者** = algorithmic recommendation service provider - **算法备案** = algorithm filing - **算法安全评估** = algorithm security assessment - **个性化推荐** = personalized recommendation - **不合理差别待遇** = unreasonable differential treatment — Algo Rec Provisions Art 21 — anti-price-discrimination - **大数据杀熟** = algorithmic price discrimination against existing users — informal but ubiquitous Chinese-public term - **人工智能生成合成内容** = AI-generated and composed content - **显式标识** = visible label / explicit label — Labeling Measures — user-facing - **隐式标识** = implicit label — metadata / watermark - **显著标识** = prominent label — Deep Synthesis Provisions usage - **数字水印** = digital watermark - **内容元数据** = content metadata - **内容生态治理** = content ecosystem governance - **拟人化互动服务** = anthropomorphic interaction services — AI Anthropomorphic Interaction Measures Art 2 — sustained emotional interaction simulating a natural person - **拟人化互动服务提供者** = anthropomorphic interaction service provider - **未成年人模式** = minors' mode — mandatory under Anthropomorphic Interaction Measures Art 14 - **虚拟亲密关系** = virtual intimate relationships — banned for minors — virtual family members / romantic partners - **情感依赖** = emotional dependence — Anthropomorphic Interaction Measures Art 8 — 诱导情感依赖 = inducing emotional dependence - **人脸识别** = facial recognition - **人脸识别技术** = facial recognition technology - **人脸验证** = facial verification ## §9. Enforcement, Procedure & Liability (执法、程序与责任) - **约谈** = regulatory interview (yuetan) — PIPL Art 64 renders this simply as "interview" with a legal representative - **检察建议** = procuratorial recommendation — procuratorate-issued compliance recommendation to an institution - **诉前检察建议** = pre-litigation procuratorial recommendation - **法治副校长** = rule-of-law vice principal — school legal-education mechanism staffed by judges/prosecutors/lawyers - **网络欺凌** = cyberbullying - **网络霸凌** = cyberbullying - **网络沉迷** = internet addiction — Minors Online Protection Regulations chapter heading term - **网络素养** = internet literacy - **名誉权** = right to reputation - **隐私权** = right to privacy - **补充责任** = supplementary liability — Civil Code Art 1201 — school liability for third-party injury - **表白墙** = 'confession wall' account — unofficial school-named social account - **责令整改** = order to rectify - **责令改正** = order to make corrections - **行政处罚** = administrative penalty - **行政处分** = administrative sanction - **罚款** = fine - **没收违法所得** = confiscation of illegal gains - **通报批评** = public criticism - **下架** = removal from app stores - **暂停业务** = suspension of business - **吊销许可证** = revocation of business permit / license - **信用档案** = credit archives - **民事责任** = civil liability - **刑事责任** = criminal liability - **公益诉讼** = public-interest litigation - **侵权** = infringement / tort - **App违法违规收集使用个人信息** = illegal or excessive collection and use of personal information by apps - **通报** = notification (public enforcement bulletin) — CAC/MIIT public-naming document type — distinct from 通知 (notice/circular) - **账号注销** = account cancellation — app user-account exit right; 认定方法 final category & CAC 2026 testing priority - **小程序** = mini-program — in-platform apps (WeChat/Alipay/Douyin) — expressly within CAC app-testing perimeter ## §10. Document Types & Regulatory Format (文件类型与立法体例) - **法律** = law (NPC / NPCSC enactment) - **行政法规** = administrative regulation (State Council) - **部门规章** = departmental rule (ministerial) - **规范性文件** = normative document - **国家标准** = national standard - **推荐性国家标准** = recommended national standard (GB/T) - **强制性国家标准** = mandatory national standard (GB) - **司法解释** = judicial interpretation - **决定** = decision (e.g., NPC amendment decision) - **通知** = notice / circular - **指引** = guideline - **指南** = guide / guidelines - **主席令** = Presidential Decree - **国务院令** = State Council Decree - **暂行办法** = interim measures - **管理办法** = administrative measures - **管理规定** = administrative provisions - **实施细则** = implementation rules - **实施条例** = implementing regulation - **征求意见稿** = draft for public consultation - **修正** = amendment - **修订** = revision - **印发** = issuance / promulgation ## §11. Data Economy, Industry & Infrastructure (数据经济、产业与基础设施) - **数字经济** = digital economy - **数字技术** = digital technology - **数字基础设施** = digital infrastructure - **数字产业化** = digital industrialization — NDA Batch 1 § 16 - **产业数字化** = industrial digitalization — NDA Batch 1 § 17 - **数字经济高质量发展** = high-quality development of the digital economy — NDA Batch 1 § 18 - **数字消费** = digital consumption — NDA Batch 1 § 19 - **产业互联网** = Industrial Internet — NDA Batch 1 § 20 - **城市全域数字化转型** = citywide digital transformation — NDA Batch 1 § 21 - **东数西算工程** = East Data and West Computing project — NDA Batch 1 § 22 - **高速数据网** = high-speed data network — NDA Batch 1 § 23 - **全国一体化算力网** = integrated national computing-power network — NDA Batch 1 § 24 - **数据产业** = data industry — NDA Batch 2 § 13 - **数据标注产业** = data labeling industry — NDA Batch 2 § 14 - **数字产业集群** = digital industry cluster — NDA Batch 2 § 15 - **可信数据空间** = trusted data space — NDA Batch 2 § 16 - **数据使用控制** = data use control — NDA Batch 2 § 17 - **数据基础设施** = data infrastructure — NDA Batch 2 § 18 - **算力** = computing power - **算力调度** = computing-power scheduling — NDA Batch 2 § 19 - **算力池化** = computing-power pooling — NDA Batch 2 § 20 - **算力资源池** = computing-power resource pool ## §12. Privacy-Enhancing & Data Engineering Technologies (隐私计算与数据工程技术) - **隐私保护计算** = privacy-protective computation — NDA Batch 1 § 35; also "privacy computing" (隐私计算) - **安全多方计算** = secure multi-party computing — NDA Batch 1 § 36 - **联邦学习** = federated learning — NDA Batch 1 § 37 - **可信执行环境** = trusted execution environment (TEE) — NDA Batch 1 § 38 - **密态计算** = cryptographic computing — NDA Batch 1 § 39 - **区块链** = blockchain — NDA Batch 1 § 40 - **智能合约** = smart contract - **同态加密** = homomorphic encryption - **混淆电路** = confusion circuit / garbled circuit - **不经意传输** = oblivious transfer / inadvertent transmission - **秘密分享** = secret sharing - **数据分析** = data analysis - **数据挖掘** = data mining - **数据可视化** = data visualization - **数据仓库** = data warehouse - **数据湖** = data lake - **湖仓一体** = integration of lake and warehouse / data lakehouse --- *End of corpus. Generated 2026-07-15 from https://datacompliancechina.com.*