Several legislative updates were recorded in China in the last couple of months. They concern a number of topics related to data protection and data security: the definition of sensitive personal information, the obligation to appoint and register a Data Protection Officer (DPO), reporting measures for data security incidents in the financial services sector, and the global AI action plan. In this article we illustrate these updates with attention to the compliance requirements they create for companies.

Definition and Processing of Sensitive Personal Information

In November 2025 a national standard – GB/T 45574-2025 (“Information Security Technology – Security Requirements for Processing of Sensitive Personal Information”) – will come into force. The standard provides helpful guidance for identifying sensitive personal information more precisely (for example by excluding some categories of information from the definition) and reinforces the need for a “risk harm test” to identify such data. With regard to the processing of sensitive personal information, the standard gives guidance on compliant use of the data so as to minimise risks. Sensitive personal information includes any data that, if disclosed, may create a risk for the individuals concerned, such as biometric data, religious beliefs and medical health information, but also financial data (accounts) and geolocation information. Data of minors under 14 years of age is also considered sensitive. Examples of risk-minimisation practices include avoiding automatic tools that collect personal data, restricting access to authorised personnel, and minimising data collection where the use of such data is not necessary. An appropriate information notice is also advised, and separate declarations of consent should be requested if multiple types of data are collected. As to the security measures to be applied, the standard requires that specific and strong measures are in place across the complete processing operation. Those measures may include controls on access by personnel, encryption, the definition of internal policies, and the use of monitoring systems that label sensitive personal information and prevent unauthorised disclosure.

Appointment of a DPO

According to Art. 52 of the Personal Information Protection Law of the People’s Republic of China (PIPL), the appointment of a DPO is mandatory for organisations processing the personal information of over one million individuals, as instructed by the Cyberspace Administration of China (CAC). Furthermore, controllers handling the sensitive personal information of over 100,000 individuals have the obligation to appoint a DPO and should set up a specific internal body whose function is to oversee the processing operations and the security measures applied. Besides the appointment requirements for the DPO, it was not clear until recently whether the DPO should be registered with the relevant authorities; however, on 18 July 2025 the CAC officially opened an online portal through which companies register their DPOs. It is important to keep in mind that the deadline to register a DPO for data controllers who meet the one-million-individual threshold is 29 August 2025. The appointment and registration of a DPO is also required of foreign organisations headquartered outside China that process the personal data of Chinese affiliates, and of foreign companies without affiliates in China that nonetheless process the personal data of Chinese residents. The online registration form requires organisations to provide – besides the DPO’s details – further information on the company’s data processing, in particular the scope of the personal information processed.

Data Security Incident for Financial Services

At the beginning of August this year, the Measures for the Administration of Cybersecurity Incident Reporting in the Business Field of the People’s Bank of China (PBC) entered into force. According to the measures, a cybersecurity incident must be reported to the authority following precise instructions. The PBC defines four levels of incident – extremely serious, serious, relatively serious, and general – based on their impact on operations, users, and data. Financial institutions must report to the authorities depending on the type of incident, and provide updates on the status of the incident together with action plans to minimise the risks. Where personal data is involved, controllers must also involve the relevant authorities and, when reporting to the PBC, include any information on the measures taken to address the personal data breach. Penalties for non-compliance with the reporting obligations are foreseen by the cybersecurity legislation, and organisations and individuals are granted the right to flag failures to meet the reporting obligations to the PBC.

AI Action Plan

On 26 July 2025, the National People’s Congress of the People’s Republic of China (NPC) announced the release of the action plan for Global Governance of Artificial Intelligence (the AI Action Plan) during the 2025 World Artificial Intelligence Conference. In addition to promoting and fostering the high-level development of AI technologies across different industry fields, the AI Action Plan promotes international cross-border collaboration, for example by encouraging dialogue among national standards bodies, leveraging international standards-setting organisations, and promoting the improvement of digital infrastructure in developing countries. Notably, alongside the AI Action Plan, the Chinese government proposed the establishment of a global AI cooperation organisation that would promote and support international collaboration on AI development and regulation, complementing the UN efforts on the same matter. Another example of international collaboration was the second meeting of the China-EU cross-border data flow exchange mechanism, held in Brussels on 17 July 2025. The meeting reviewed the positive progress made since the first meeting in August 2024 and encouraged the establishment of a working group to collaborate on cross-border data flows in the automotive sector.

Conclusions

From the latest updates it emerges that the Chinese authorities are giving more importance to data protection (not only of personal data) by providing companies with instruments to better understand the national compliance requirements and with tools that can support their practical implementation. In addition to reinforcing the compliance framework (also for foreign entities), the authorities are looking to foster global collaboration on the future development of AI technologies involving data and international data flows.