Data Newsletter | 2026: January 31 Deadline Approaching - Companies Must Complete Compliance Audit Reporting on Minors’ Personal Information Protection

Lusheng Press Editor

22 Jan 2026

————Takeaways————

  • The Cyberspace Administration of China (CAC) has issued the Announcement on Reporting Compliance Audit of Minors' Personal Information Protection, launched an online reporting system and published the filling instructions, with the reporting deadline confirmed as January 31 each year. This marks the official entry of China's compliance audit system for minors' personal information into the phase of regular implementation. Companies that provide products and services for minors and all-age audiences should actively assess their information processing practices and conduct audits as required.
  • The mandatory national standard Data Security Technology - Technical Requirements for Information Sanitization of Electronic Products has been released and will be formally implemented on January 1, 2027. The new standard requires electronic products to provide an irreversible information erasure function, covering user files, account passwords, encryption keys, etc. It also requires second-hand electronic product operators to fulfill the obligations of information erasure and verification. Manufacturers, third-party developers and recycling operators must strictly implement the standard.
  • The Ningbo Intermediate Court in Zhejiang has concluded a case involving the crawling of commodity data from e-commerce platforms, ordering the illegal web crawler service provider to pay substantial compensation of CNY 5 million (about USD 716,640).
  • The EU has, for the first time, imposed a fine under the Digital Services Act (DSA): EUR 120 million on X. Vietnam has adopted the Artificial Intelligence Law to regulate data flows based on risk levels. The Trump administration in the United States has signed an AI executive order, planning to formulate a unified federal regulatory framework with minimal compliance burden.

 

————Regulatory Highlights————

CAC Issues Announcement on Reporting Compliance Audit of Minors' Personal Information Protection

Article 37 of the Regulations on the Protection of Minors in Cyberspace requires personal information processors to conduct compliance audits on minors' personal information either on their own or by entrusting professional institutions each year, with the results submitted to the competent prefectural-level cyberspace authority. On December 29, 2025, CAC issued the Announcement, officially launching an online reporting system and publishing the first version of filling instructions, and clarifying that the annual reporting deadline is January 31. This marks the official entry of China's compliance audit system for minors' personal information into the phase of regular implementation.

According to the original provisions of the Regulations on the Protection of Minors in Cyberspace, an objective standard determines who is obligated to perform compliance audits: the obligation applies as long as a product objectively processes the personal information of minors under the age of 18. Enterprises operating such products, especially products directly targeting minors as their audience, all-age products without age restrictions, and products or services that process massive amounts of user information on a large scale, are recommended to promptly conduct business assessments to determine whether they involve the processing of minors' information. If so, they shall also clarify basic details such as responsible persons, handling personnel, usage scenarios, and processing scale, and then initiate compliance audit procedures and actively rectify risks.

 

CAC Issues the Mandatory National Standard Data Security Technology—Technical Requirements for Information Sanitization of Electronic Products

On December 2, 2025, the mandatory national standard related to information erasure of electronic products was released and will be formally implemented on January 1, 2027. The Technical Requirements stipulate that electronic products shall provide users with either a built-in information erasure function or external erasure tools, covering all user data such as user files, applications, contact lists, account passwords, and encryption keys. The erasure shall be irreversible, rendering user data inaccessible and irrecoverable. The Technical Requirements also specify technical erasure methods for magnetic media and semiconductor media, including data overwriting, block erasure and others. Electronic product manufacturers and third-party erasure function developers shall carry out development in accordance with the Technical Requirements. In addition to the entities mentioned above, the Technical Requirements clarify the personal information protection obligations of electronic product recycling operators, requiring them to perform information erasure on second-hand electronic products and verify the erasure effect before sale.

 

————Cross-Border Data Transfer————

On December 30, 2025, CAC released a list of three professional institutions that have completed the filing for personal information outbound transfer certification. They are: the China Cybersecurity Review, Certification and Market Regulation Big Data Center, the Data and Technology Support Center of CAC, and CESI Certification Co., Ltd. Personal information processors intending to provide personal information overseas via the certification mechanism may apply for personal information outbound transfer certification from the above-mentioned institutions.

On December 22, 2025, the National Technical Committee 260 on Cybersecurity of Standardization Administration of China (TC260) solicited public comments on the Cybersecurity Standards Practice Guide – Requirements for Cross-border Personal Information Processing and Protection in the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Macao) (Exposure Draft). The document clarifies the fundamental principles and specific requirements for the mutual recognition mechanism for cross-border personal information transfer between the Mainland and Macao within the Greater Bay Area, which was established under the cooperation memorandum confirmed by both sides in September 2024.

On December 12, 2025, the State Administration for Market Regulation (SAMR) and CAC officially announced the new standard basis for the certification of personal information transfer. It specifies that the standards for certifying the protection of personal information in cross-border processing activities are now GB/T 35273 Information Security Technology – Personal Information Security Specification and the new recommended national standard GB/T 46068 Data Security Technology – Security Certification Requirements for Cross-border Processing Activities of Personal Information, which was released on August 29 of last year.

Fujian Province issued the Measures for the Management of the Data Outbound Negative List in the China (Fujian) Pilot Free Trade Zone (for Trial Implementation) and the China (Fujian) Pilot Free Trade Zone Data Outbound Management List (Negative List) (2025 Edition), covering four major industries: pharmaceuticals, internet of vehicles, retail, and aviation maintenance. It is worth noting that after companies in relevant fields submit filing materials such as their data outbound business scenarios and data outbound catalogues, each pilot free trade zone area will first review and provide feedback on whether the data falls within the negative list. Companies can then proceed with subsequent compliance work based on the feedback.

 

————Data Enforcement————

On December 8, 2025, the Guangzhou Intermediate People's Court in Guangdong Province concluded the first case involving the illegal trading of citizens' personal information for profit by using IMEI codes to match personal data. Company A and five defendants, without user authorization, illegally obtained encrypted IMEI codes labeled with specific internet preferences from telecommunications Company B. Through technical matching, these codes were decrypted into plaintext mobile phone numbers and sold to downstream companies, resulting in illicit profits exceeding CNY 680,000 (about USD 97,700). The acts constituted the crime of infringing on citizens' personal information. The illegal gains were confiscated, and the defendants were sentenced to fixed-term imprisonment and fined according to law. Notably, Company A had originally engaged in DMP big data business with telecommunications Company B under an agreement that Company A would provide encrypted IMEI codes with users' authorization, and Company B would match user internet preference labels from its database before returning the desensitized data to Company A. However, the transaction was ultimately not executed as agreed. In its public judgment summary, the Guangzhou Intermediate People's Court did not rule that the original data cooperation contract was illegal.

The Ningbo Intermediate People's Court in Zhejiang Province announced a first-instance judgment in an unfair competition dispute filed by Taobao and Tmall against eight defendants (five companies and three individuals). The eight defendants, without permission, used methods such as web crawling or interception of user cookies to capture product data from the two platforms and provide paid services, which constituted joint infringement and unfair competition. The court ordered them to immediately cease the infringement, jointly pay compensation of CNY 5 million (about USD 717,500), and publish a statement to eliminate the negative impact.

On December 1, the Cyberspace Administration and Market Supervision Department of Shanghai jointly released five typical cases of failing to fulfill personal information protection obligations. These included instances where companies' inadequate security measures (such as unencrypted storage, failure to conduct cybersecurity level protection assessments, and insufficient log retention) led to data breaches. The cases also covered practices such as compulsorily collecting personal information in disguised forms and illegally using consumer personal information for drug sales.

 

————Mobile Application Regulation————

On December 4, 2025, the National Computer Virus Emergency Response Center detected 69 mobile apps that illegally collected and used personal information. The three most common violations included incomplete fulfillment of notification obligations, failure to provide convenient methods for withdrawing consent, and lack of security measures such as encryption and de-identification.

On December 9, the Ministry of Industry and Information Technology (MIIT) reported 24 apps and SDKs that infringed upon user rights and interests. These were found in frequently used sectors such as education and learning, health management, social entertainment, logistics and freight, and advertising tools.

On December 29, the Public Security Ministry's Quality Supervision and Inspection Center for Computer Information System Security Product detected 54 mobile apps that illegally collected and used personal information. Among these, 29 apps failed to disclose their rules for collecting and using personal information.

On December 17, the Shanghai Communications Administration announced the removal of 38 apps (SDKs) that infringed upon user rights and interests. These 38 apps had been publicly identified as non-compliant in November 2025 but failed to meet rectification requirements within the given timeframe, leading to their removal by the Shanghai Communications Administration.

On December 23, the Cyber Security Association of China issued the Announcement on Releasing the List of Apps That Have Completed Optimization and Improvements in Personal Information Collection and Use (Sixth Batch of 2025). Six apps, including Huazhu Club, Zhihu, and Tencent Meeting, have completed optimizations and improvements in accordance with the Cybersecurity Law, the Personal Information Protection Law and other laws and regulations. These improvements specifically addressed issues related to excessive collection of personal information, overuse of sensitive permissions, inconvenient permission settings, and difficulties in account cancellation.

 

————Industrial Support————

On December 8, 2025, the National Energy Administration issued the Measures for the Security Management of Data in the Energy Sector (Trial), which will come into effect on July 1, 2026. These measures classify energy sector data into three levels: general, important, and core, for management purposes.

On December 29, MIIT, along with three other departments, jointly issued the Implementation Plan for Digital Transformation in the Automotive Industry. The plan prioritizes intelligent manufacturing as the main direction and sets two-phase goals: By 2027, digital and intelligent technologies are expected to be deeply integrated into enterprises' R&D, production, supply, sales, and service processes, driving significant improvements in enterprise intelligent manufacturing maturity and production efficiency, while gradually establishing a robust industry supply and public service system. By 2030, the overall digital and intelligent development of the industry is expected to reach a high level.

 

————Worldwide News————

On December 2, 2025, the Court of Justice of the European Union clarified that advertising platforms are considered data controllers for personal information contained in user-uploaded advertisements, such as the name, photo, and contact details of individuals referenced. In accordance with the relevant obligations under the General Data Protection Regulation (GDPR), these platforms must verify before publishing advertisements that any included personal information either originates from the advertiser themselves or has been provided with the consent of the data subject. Additionally, they are required to implement appropriate technical measures to prevent those advertisements from being copied and unlawfully published on other platforms.

On December 5, the European Union imposed a EUR 120 million fine on X under the Digital Services Act (DSA), marking the first non-compliance decision under the DSA. The penalty was issued for three violations of transparency obligations by X: first, its paid verification system grants account authentication badges without real identity verification, constituting deceptive design; second, its advertising database lacks transparency; and third, it fails to provide researchers access to public data. Additionally, the EU's investigation into X's alleged dissemination of illegal content is still ongoing.

On December 10, Vietnam officially passed the Artificial Intelligence Law, which explicitly requires the regulation of data flows based on AI risk levels. High-risk systems must retain operational data logs. The law will officially take effect on March 1, 2026.

On December 11, the Trump administration signed a new executive order on artificial intelligence, explicitly stating that a unified AI policy framework with minimal compliance burdens will be established at the federal level. This aims to prevent varying regulatory systems across states and excessive compliance burdens on enterprises, thereby avoiding the suppression of technological innovation. Additionally, the Trump administration will establish a new artificial intelligence litigation task force to challenge certain overly stringent state-level legislation and curtail the regulatory authority of individual states over technology.