China Data Privacy and Cybersecurity: 2025 Year in Review
In 2025, China took several notable steps to strengthen its data privacy and cybersecurity regulatory framework, finalizing compliance audit requirements, operationalizing the cross-border data transfer certification regime, and amending the Cybersecurity Law to increase penalties and expand its extraterritorial reach.
This Advisory highlights the key developments and their practical implications for companies operating in or handling data from China.
Legislative & Regulatory Developments
1. Personal Information Protection Compliance Audit Requirements
On February 12, 2025, the Cyberspace Administration of China (CAC, 国家互联网信息办公室) issued the Measures for the Administration of Compliance Audits on Personal Information Protection (Audit Measures, 个人信息保护合规审计管理办法), which took effect on May 1, 2025. The Audit Measures require data processors (akin to controllers under the General Data Protection Regulation (GDPR)) to assess and quantify the scale of their personal information processing activities. Personal information protection compliance audits are required in the following circumstances:
- Routine audit obligations: If data processors process the personal information of more than 10 million individuals, they must conduct a personal information protection compliance audit at least once every two years. If the volume of personal information processed is below this threshold, data processors may determine a reasonable audit cycle based on their own circumstances. These audits may be conducted internally or by third parties.
- Regulator-initiated audits: If data processors fall within one of the following categories, regulators (including the CAC) may require them to engage third parties to conduct personal information protection compliance audits:
a. The processing activities present material risks to individuals’ rights and interests or demonstrate serious deficiencies in security measures,
b. The processing activities may infringe the rights and interests of a large number of individuals, or
c. A personal information security incident occurs, resulting in the leakage, tampering with, loss, or destruction of personal information involving more than 1 million individuals, or more than 100,000 individuals’ sensitive personal information.
The Audit Measures are accompanied by an annex, the Personal Information Protection Compliance Audit Guidelines (Audit Guidelines, 个人信息保护合规审计指引), which outline the substantive scope of compliance audits across 27 categories of processing activities. Audits are expected to cover, among other things, whether there is a legal basis for processing, whether individuals have been properly informed, and whether adequate technical and organizational safeguards are in place. The Audit Guidelines also provide additional focus areas for audits involving sensitive personal information or cross-border transfers.
Separately, the Audit Measures introduce a filing obligation for data processors that process the personal information of more than one million individuals: these entities must designate a personal information protection officer (PIPO, 个人信息保护负责人) and file the relevant information with the provincial CAC.
2. Personal Information Protection Certification for Cross-border Data Transfer
On October 14, 2025, the CAC and the State Administration for Market Regulation (SAMR, 国家市场监督管理总局) jointly issued the Measures on Certification for Cross-Border Transfer of Personal Information (PIP Certification Measures, 个人信息出境认证办法), which took effect on January 1, 2026. The PIP Certification Measures operationalize the Personal Information Protection Certification (PIP Certification, 个人信息保护认证) regime as one of the three mechanisms for cross-border transfers of personal information under the Personal Information Protection Law (PIPL, 个人信息保护法), along with CAC Security Assessment (Security Assessment, 数据出境安全评估) and filing Standard Contractual Clauses (SCC Filing, 个人信息出境标准合同备案).
In general terms, the Security Assessment is required for higher-risk transfers (including those by Critical Information Infrastructure Operators (CIIOs), and transfers involving the personal information of more than 1 million individuals or the sensitive personal information of more than 10,000 individuals). SCC Filing and PIP Certification are available for lower-risk transfers.
- Scope of application: The PIP Certification Measures clarify that PIP Certification is applicable to non-CIIO data processors whose annual cross-border data transfers involve the personal information of more than 100,000 but fewer than 1 million individuals, or the sensitive personal information of fewer than 10,000 individuals.
- Key procedural requirements: Before using PIP Certification as a cross-border data transfer mechanism, data processors are required to inform the affected individuals and obtain separate consent for the cross-border data transfer, and to conduct a personal information protection impact assessment (PIA) covering:
- The legality and necessity of the transfer,
- The risks to individuals’ rights and interests,
- The obligations and safeguards on protecting personal information undertaken by overseas recipients, and whether they can ensure the security of personal information transferred overseas,
- The impact of foreign laws and policies on personal information security and individuals’ rights.
PIP certification applications are submitted to CAC-approved certification institutions, which assess the applicant’s personal data protection system through technical verification, on-site review, and ongoing supervision.
- Validity and supervision: PIP Certifications are generally valid for three years. Certificates must be renewed by filing an application at least six months before expiration, and certification bodies must report issuance, renewal, revocation, and other certification status changes to the National Certification and Accreditation Information Public Service Platform (全国认证认可信息公共服务平台). During the validity period, certified data processors are subject to routine supervision by certification institutions and may also be subject to oversight and spot checks by relevant regulators, such as the CAC and SAMR.
For more details on PIP Certification, please refer to our previous Advisory.
3. Cybersecurity Law Amendments
On October 28, 2025, China passed amendments to the Cybersecurity Law (CSL, 中华人民共和国网络安全法), which took effect on January 1, 2026. The amendments primarily strengthen enforcement by increasing liability and penalties for non-compliance and expanding the law’s extraterritorial reach.
- Increased and newly introduced penalties: The amended CSL significantly strengthens legal liability for violations of cybersecurity obligations. Most notably, maximum fines for general violations increased fivefold, and the newly introduced category of severe violations carries fines of up to RMB 10 million (approximately USD 1.4 million), a significant escalation from the CSL’s previously modest penalty regime.
- Entities: The amended CSL differentiates general violations from severe violations, with stricter penalties for general violations and new penalties for severe violations. For general violations, the maximum fine has been increased from RMB 100,000 (USD 14,000) to RMB 500,000 (USD 70,000). For severe violations, defined as large-scale data breaches, the loss of functionality of critical information infrastructure, and other actions causing significant harm to cybersecurity, the maximum fine can reach RMB 10 million (USD 1.4 million).
Notably, where data processors fail to cease the transmission of information prohibited by laws or administrative regulations, or fail to take remedial measures and report to regulators, and such failures result in serious consequences, they may be ordered to suspend their business operations, shut down the relevant websites or applications, and/or take other measures. In some cases, data processors’ business licenses may be revoked.
- Individuals: The amended CSL broadens individual liability from managerial personnel with direct responsibility to include other directly responsible personnel. Similar to the liability for entities discussed above, the amended CSL raises the penalties for individuals for general violations and introduces penalties for individuals involved in severe violations. For general violations, the maximum fine has been increased from RMB 50,000 (USD 7,000) to RMB 100,000 (USD 14,000). For severe violations, individuals may be fined up to RMB 1 million (USD 140,000).
In addition, individuals who illegally intrude into others’ networks, interfere with the normal functioning of networks, or steal network data, and who are subject to administrative or criminal penalties, may be prohibited from engaging in network security management for five years or permanently barred from taking key network operation roles.
- Expanded extraterritorial application: The amendments broaden the extraterritorial scope of the CSL from overseas activities that harm critical information infrastructure in China to any overseas activities that endanger China’s cybersecurity, thereby expanding potential application of the law to a wider group of entities and activities outside China. For example, overseas SaaS providers, cloud service providers, or data analytics companies that process China-related data outside China, or whose activities are deemed to endanger China’s cybersecurity, may fall within the scope of the amended CSL. In practical terms, companies with no physical presence in China but that provide services to, or process data originating from, Chinese users or customers may need to assess whether their activities could be characterized as endangering China’s cybersecurity under the amended CSL.
New National Standards
1. National Standard GB/T 45574 — 2025 on Sensitive Personal Information
Although recommended national standards (referred to as “GB/T” standards) are officially voluntary, they are widely regarded as reflecting regulatory expectations and are frequently referenced during enforcement and compliance assessments. In practice, companies are well-advised to treat them as the benchmark for compliance.
The new recommended national standard Data Security Technology — Security Requirements for Processing of Sensitive Personal Information (GB/T 45574 — 2025, 数据安全技术 — 敏感个人信息处理安全要求), which took effect on November 1, 2025, further clarifies the scope of sensitive personal information and sets out detailed security and compliance requirements for its processing.
Key requirements under GB/T 45574 — 2025 include:
- Identification of sensitive personal information: GB/T 45574 — 2025 aligns with the framework of the PIPL and, compared with the national standard Information Security Technology — Personal Information Security Specification (GB/T 35273 — 2020, 信息安全技术 — 个人信息安全规范), adopts a more cautious and refined approach to identifying sensitive personal information. In particular, Appendix A specifies the categories of sensitive personal information:
- Compared with GB/T 35273 — 2020, GB/T 45574 — 2025 no longer includes national ID numbers as sensitive personal information under the category of specific identity information. But photographs of the national ID cards are still classified as sensitive personal information.
- The standard also clarifies that basic physical condition information, such as body weight, height, blood type, blood pressure, and vital capacity, does not fall within the category of medical and healthcare sensitive personal information.
- In addition, financial account information is identified as sensitive personal information only where relevant elements are combined, such as account number and password, or account number together with payment or transaction details.
Article 4.1 of GB/T 45574 — 2025 further provides that, when assessing whether the data constitutes sensitive personal information, the data processors should assess not only individual types of data, but also the sensitivity of the combined datasets. Where the combination of multiple types of data, if leaked or misused, has a significant impact on individuals’ rights and interests, the combined dataset should be identified and protected as sensitive personal information.
- Legality of personal information collection: Collection of sensitive personal information must be conducted legally. For example, data processors should not collect sensitive personal information for any illegal use, or collect it through illegal methods such as deception or coercion. In addition, data processors should not automatically collect sensitive personal information from websites or mobile applications through technical means without obtaining separate consent (e.g., through cookies, tracking technologies, web scraping tools).
- Notice and consent: Processing of sensitive personal information requires separate consent, and consent mechanisms should avoid non-transparent collection, bundled or blanket authorizations (i.e., one “bulk” consent for multiple processing activities), and coercive practices. Where the processing of publicly disclosed sensitive personal information may have a material impact on individuals’ rights and interests, separate consent should be obtained.
- Security measures: Data processors should adopt appropriate technical and organizational measures to safeguard the sensitive personal information they collect and process. Required practices include setting up procedures to identify and classify sensitive personal information, adopting specialized security measures for sensitive personal information (such as encryption, access control, and/or de-identification), and establishing approval processes for important processing activities involving sensitive personal information.
- Other specific processing requirements: GB/T 45574 — 2025 also provides more detailed requirements for the processing of each category of sensitive personal information. Examples include:
- Biometric information: Processors are encouraged to retain only characteristic or summary data and delete original images or videos where feasible, in order to reduce sensitivity and potential harm in the event of a data breach.
- Sector-specific sensitive personal information: For sensitive personal information in specific sectors (e.g., medical and healthcare information or financial account information), data processors should comply with applicable sector-specific requirements and implement enhanced, classified protection measures. Such information should, by default, be displayed in a de-identified form within products and internal systems, with full display permitted only where necessary and subject to appropriate access controls and identity verification.
2. National Standard GB/T 46068 — 2025 on Cross-Border Processing of Personal Information
The recommended national standard Data Security Technology — Security Certification Requirements for Cross-Border Processing Activity of Personal Information (GB/T 46068 — 2025, 数据安全技术 — 个人信息跨境处理活动安全认证要求) will take effect on March 1, 2026. Like GB/T 45574 — 2025, this standard is not legally binding, but it provides a useful reference for security matters relating to cross-border data transfer and is applicable to data processors, overseas recipients, certification institutions, and regulators.
Key requirements under GB/T 46068 — 2025 include:
- Legally binding documentation: Cross-border data transfer activities should be supported by legally binding documents, which should, at a minimum, address the allocation of responsibilities and obligations, overseas storage arrangements, security protection measures, protection of individuals’ rights, commitments by overseas data recipients, and available remedies.
- Organizational management: Data processors and overseas recipients should establish appropriate organizational structures and designate responsible personnel for cross-border data transfer:
- Personal information protection organizations: Dedicated functions or organizations shall be established for personal information protection, including the prevention of unauthorized access and the mitigation of risks of data leakage, tampering, or loss.
- Personal information protection officers (PIPO): Officers should have appropriate professional knowledge and relevant experience in personal information protection.
- Protection of personal information rights: GB/T 46068 — 2025 also sets out specific requirements for data processors and overseas recipients to protect individuals’ personal information rights. For example, data processors and overseas recipients should accept requests to exercise personal information rights. They should also comply with obligations relating to notice and consent, provide mechanisms for individuals to exercise their rights (e.g., access), process personal information in accordance with the agreed purposes and methods, refrain from unauthorized onward transfers, retain records of cross-border processing activities as required, and implement appropriate technical and organizational security measures.
Looking Ahead
Several of the developments discussed above will continue to take shape in 2026. The PIP Certification Measures and the amended Cybersecurity Law both took effect on January 1, 2026, and the cross-border processing national standard (GB/T 46068 — 2025) follows on March 1, 2026. Companies should use this period to assess their current compliance posture against these new requirements, particularly with respect to audit planning, cross-border transfer mechanisms, and PIPO designation, and to monitor for further implementing guidance from the CAC and other regulators. We will continue to track these developments and provide updates as they arise.
For questions on this or any other subject, please reach out to the authors or any of their colleagues in Arnold & Porter’s Privacy, Cybersecurity & Data Strategy practice group.
© Arnold & Porter Kaye Scholer LLP 2026 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.