中国数据保护法律资讯
China Monthly Data Protection Update
2025年10月
October 2025
要点提示 Developments Highlights
我国首项针对个人信息跨境处理活动安全认证的国家标准正式发布:9月29日,国家市场监管总局(国家标准委)正式发布我国首项针对个人信息跨境处理活动安全认证的国家标准——《数据安全技术个人信息跨境处理活动安全认证要求》,将于2026年3月1日起实施。该标准明确了个人信息跨境处理的基本原则、安全要求及权利保障义务,为推动建立统一、权威的认证制度提供技术依据。
China Issues First National Standard for Certification of Cross-Border Personal Information Processing: On September 29, SAMR (the National Standardization Administration) officially issued China’s first national standard for the certification of cross-border personal information processing activities — Information Security Technology - Requirements for Security Certification of Cross-Border Processing of Personal Information. The standard, which will take effect on March 1, 2026, sets out fundamental principles, security requirements, and obligations for safeguarding individuals’ rights in cross-border data processing. It provides the technical foundation for establishing a unified and authoritative certification system in this area.
公安网安部门依法查处迪奥(上海)公司未依法履行个人信息保护义务案:9月9日,公安网安部门通报查处迪奥(上海)公司未依法履行个人信息保护义务一案。经调查,迪奥(上海)存在以下违法行为:一是未经数据出境安全评估、未签订标准合同或通过个人信息保护认证,违规向法国总部传输中国用户个人信息;二是未向用户充分告知数据接收方处理方式,未取得用户“单独同意”;三是未对所收集的个人信息采取加密、去标识化等安全技术措施。公安机关依据《个人信息保护法》对其作出行政处罚。这是我国首起未依法履行数据出境申报义务公开案件。
Dior (Shanghai) Penalized in China’s First Public Case for Failing to Fulfill Personal Information Protection Obligations: On September 9, the MPS Cyber Administration announced an administrative penalty against Dior (Shanghai) Co., Ltd. for violating personal information protection obligations. The investigation found that the company: (1) unlawfully transferred Chinese users’ personal information to its headquarters in France without completing a data export security assessment, signing standard contracts, or obtaining personal information protection certification; (2) failed to fully inform users of how their data would be processed by overseas recipients and did not obtain separate consent; and (3) neglected to implement encryption, de-identification, and other security measures for the collected data. The authority imposed an administrative penalty under the PIPL. This marks China’s first publicly disclosed case for failure to comply with data export filing obligations.
国家网信办发布近期网络安全、数据安全、个人信息保护相关执法典型案例:9月16日,国家网信办发布近期网络安全、数据安全、个人信息保护相关执法典型案例,涉及网页篡改、数据泄露、个人信息超范围收集、违规使用人脸识别技术及深度合成服务未评估上线等多种问题。
CAC Releases Recent Typical Enforcement Cases on Cybersecurity, Data Security, and Personal Information Protection: On September 16, CAC released a series of recent typical enforcement cases concerning cybersecurity, data security, and personal information protection. The cases involved issues such as website tampering, data leakage, excessive collection of personal information, unlawful use of facial recognition technology, and the launch of deep synthesis services without required security assessments.
目录 Contents
立法动态 Legislation
我国首项针对个人信息跨境处理活动安全认证的国家标准正式发布
China Issues First National Standard for Certification of Cross-Border Personal Information Processing
商务部等九部门印发《关于促进服务出口的若干政策措施》,支持跨国公司内部个人信息跨境传输便捷化安排
MOFCOM and Eight Other Departments Issue Policy Measures to Promote Service Exports, Supporting Facilitated Cross-Border Transfers of Personal Information Within Multinational Corporations
全国网安标委印发《数据安全国家标准体系(2025版)》与《个人信息保护国家标准体系(2025版)》
TC260 Secretariat Issues the 2025 Editions of the National Standard Systems for Data Security and Personal Information Protection
国家网信办发布《未成年人用户数量巨大和对未成年人群体具有显著影响的网络平台服务提供者认定办法(征求意见稿)》
CAC Releases Draft Rules on Identifying Platforms with a Large Minor User Base or Significant Impact on Minors
全国网安标委发布《网络安全标准实践指南——互联网平台停服数据处理安全要求》
TC260 Issues Cybersecurity Standards Guidelines on Data Processing During Platform Shutdowns
国家网信办发布《大型网络平台设立个人信息保护监督委员会规定(征求意见稿)》
CAC Releases Draft Provisions on the Establishment of Personal Information Protection Supervisory Committees by Major Online Platforms
CAC Issues Measures for the Administration of Cybersecurity Incident Reporting
NPCSC Reviews Draft Amendment to the Cybersecurity Law
国家网信办等四部门联合发布《人工智能生成合成内容标识办法》自2025年9月1日施行
CAC and Other Departments Jointly Issue the Provisions on the Labeling of Artificial Intelligence-Generated Synthetic Content, Effective September 1, 2025
重庆市网信办发布自贸区数据出境负面清单管理办法和2025版负面清单
Chongqing CAC Releases FTZ Negative List Administrative Measures and 2025 Version of the Cross-Border Data Transfer Negative List
执法机构 Authorities
工信部通报29款APP存在侵害用户个人信息权益行为
MIIT Reports 29 Mobile Apps for Infringing Users’ Personal Information Rights and Interests
Qinghai CAC Handles Case Involving Data Security Risks Caused by OA System Vulnerability
公安机关查处AI模型训练企业未开展敏感个人信息保护评估案
MPS Cyber Administration Handles Case Involving AI Model Training Company’s Failure to Conduct Personal Information Protection Impact Assessment
公安部公布6起不履行网络安全、数据安全、个人信息保护义务的行政执法案例
MPS Releases Six Administrative Enforcement Cases Involving Failures to Fulfill Cybersecurity, Data Security, and Personal Information Protection Obligations
国家网信办发布近期网络安全、数据安全、个人信息保护相关执法典型案例
CAC Releases Recent Typical Enforcement Cases on Cybersecurity, Data Security, and Personal Information Protection
国家网络安全通报中心通报69款违法违规使用个人信息APP
CVERC Reports 69 Apps for Illegal Collection and Use of Personal Information
公安网安部门依法查处迪奥(上海)公司未依法履行个人信息保护义务案
Dior (Shanghai) Penalized in China’s First Public Case for Failing to Fulfill Personal Information Protection Obligations
云岩区互联网信息办公室针对辖区某企业存在数据异常跨境传输问题开展执法约谈
Yunyan District CAC Conducts Administrative Interview over Abnormal Cross-Border Data Transmission
执法案例 Enforcement Cases
行业首例:特斯拉被判向“车顶维权”女车主提供事故前30分钟完整行车数据
Tesla Ordered to Provide 30 Minutes of Pre-Accident Driving Data in Industry’s First Case
Beijing Internet Court Releases Typical Cases Involving Artificial Intelligence Disputes
*自2014年1月开始,大成数据保护团队每月发布中英文双语的中国数据保护月度报告。如需获取全文,请与大成数据保护团队联系。
邓志松 律师
大成北京
专业领域:数据与隐私保护、竞争与反垄断、公司与并购、跨境投资与贸易
电子邮箱:zhisong.deng@dentons.cn
戴健民 律师
大成上海
专业领域:数据与隐私保护、竞争与反垄断、公司与并购、生命科学与医药
电子邮箱:jianmin.dai@dentons.cn
