February 3, 2026

Chinese Regulators Publish New Model Cases on Network Data Security Protection

Advisory

On January 16, 2026, the Shanghai office of the Cyberspace Administration of China (Shanghai CAC) published eight model cases relating to network data security protection. These cases highlighted regulators’ continued focus on data privacy and cybersecurity, and provided practical guidance on regulators’ interpretation of key laws and regulations, including the Cybersecurity Law (CSL, 网络安全法), the Personal Information Protection Law (PIPL, 个人信息保护法), the Data Security Law (DSL, 数据安全法), and the Regulation on Network Data Security Management (Regulation, 网络数据安全管理条例).

This Advisory summarizes the eight cases, which span three main enforcement areas: (1) network data security; (2) cross-border transfers; and (3) personal information protection. It concludes with questions for companies to consider when assessing their compliance posture.

Network Data Security Obligations

Under the CSL, DSL, the Regulation, and other relevant rules, data processors (akin to “controllers” under the European Union’s General Data Protection Regulation (EU GDPR)) must implement network data security measures, including:

1. Compliance with the requirements under China’s cybersecurity Multi-Level Protection Scheme (MLPS, 网络安全等级保护制度) [1]

2. Establishing network data security management systems

3. Technical measures such as encryption, backup, access control, and security authentication to protect network data from being tampered with, damaged, leaked, or illegally accessed or used

A summary of the model cases relating to the failure to implement data security protection measures is below.

Case 1
  • A company providing IT services for the logistics industry exposed the interface of its Elasticsearch database directly to the public internet while transmitting large volumes of internal business data. This exposed the data, including sensitive personal information, to illegal access and potential leakage.
  • Regulators found that the company failed to (1) conduct an assessment of its cybersecurity level; and (2) take technical protective measures for the relevant data in the affected systems, such as encryption, access controls, port security policies, or other measures.
  Penalty [2]: The company was ordered to remediate within a specified time period and was given a warning and fined.

Case 2
  • A company providing Internet of Things technology services stored system logs containing sensitive personal information on servers that were improperly exposed to the public internet, leading to a data leak.
  • Regulators found that the company failed to (1) effectively fulfill its network data security protection obligations; (2) establish a network data security management system; and (3) take appropriate technical measures to ensure data security, resulting in the data leak.
  Penalty: The company was ordered to remediate the issue within a specified time period and was given a warning.

Case 3
  • A file management center’s systems had a security flaw that allowed anyone to look up archive information by entering an ID number, putting personal information at risk.
  • Regulators found that the center (1) failed to effectively fulfill its primary responsibilities and obligations to implement network data security and personal information protection; (2) had an ineffective security management system; and (3) had failed to implement technical measures.
  Penalty: The center was ordered to remediate the issue within a specified time period and was given a warning.

Cross-Border Transfers of Personal Information

Cross-border transfers of personal information continue to be a key enforcement area for Chinese regulators in recent years. Enforcement has focused on:

1. Whether the data processor undertook one of the three mechanisms promulgated by the PIPL for the cross-border transfer of personal information, namely the Personal Information Protection Certification issued by certification institutions approved by the Cyberspace Administration of China (CAC, 国家互联网信息办公室) (PIP Certification, 个人信息保护认证), the Security Assessment performed by the CAC (Security Assessment, 数据出境安全评估), and filing of the Standard Contractual Clauses (SCC Filing, 个人信息出境标准合同备案)

2. Whether the data processor completed a Personal Information Protection Impact Assessment (PIA) prior to the transfer, including assessment of the legality, legitimacy, and necessity of the purpose and method of personal information processing

3. Whether the data processor had informed the individuals and obtained separate consent prior to the transfer

A summary of the model cases relating to cross-border transfers of personal information is below.

Case 1
  • A company in the hotel industry operated an online booking system, which transferred the personal information of Chinese citizens abroad. The company applied for CAC Security Assessment, and the CAC determined that the cross-border transfer of certain types of personal information was not necessary.
  • Despite the CAC’s decision, the company failed to take effective measures and continued to unlawfully transfer personal information abroad.
  Penalty: The company was ordered to remediate the issue within a specified time period and was fined.

Case 2
  • A company in the property management industry operated an application for membership management, hotel booking, and hotel check-in. The personal information that the company transferred abroad included users’ accommodation information and sensitive information such as financial account information.
  • Despite the sensitivity of the personal information transferred abroad, the company did not apply for CAC Security Assessment, conduct SCC Filing, or obtain PIP Certification.
  Penalty: The company was ordered to remediate the issue within a specified time period and was given a warning.

Personal Information Protection

Article 22 of the Regulation provides that the collection of personal information must be necessary for providing products or services. Data processors are prohibited from collecting users’ personal information that exceeds the scope (1) necessary for providing products or services, or (2) for which data processors obtained users’ consent. Data processors are also prohibited from obtaining users’ consent through misrepresentation, fraud, coercion, or similar tactics.

A summary of the model cases relating to personal information protection is below.

Case 1
  • A company sold coffee to users through its WeChat mini-program and collected and stored related user data.
  • The company’s mini-program induced users to provide their phone numbers and register as members. In addition, the company failed to fulfill its obligations to protect personal information, had an insufficient network data security management program, and failed to adopt technical measures to secure users’ personal information.
  Penalty: The company was ordered to remediate the issue within a specified time period and was given a warning.

Case 2
  • A company primarily provided advertising and marketing services for applications through software development kits (SDKs).
  • The company collected information about users’ installed applications without (1) adhering to its own data processing rules; and (2) informing users through privacy policies or other means.
  Penalty: The company was ordered to remediate the issue within a specified time period and was given a warning. Regulators required SDK operators to implement all management requirements and impose penalties on responsible individuals.

Case 3
  • A company operated an application providing users with hotel order inquiry services.
  • The company’s API lacked an identity verification mechanism, so anyone holding an order number could query that order’s information, including personal information such as check-in and payment details, risking a personal information breach.
  Penalty: The company was ordered to remediate the issue within a specified time period and was given a warning.

Questions to Consider for Your Operations in China

As Chinese regulators continue to prioritize enforcement related to network data security, companies operating in China should proactively assess their compliance posture. Questions to address with internal stakeholders include:

1. Have we completed our MLPS self-assessment and filed with public security authorities where necessary?

2. For any cross-border transfers of personal information, have we completed one of the three lawful transfer mechanisms where necessary, and if there is any feedback or concern with the cross-border transfers, taken appropriate and timely remedial action?

3. Are our technical controls (e.g., encryption, access controls, identity verification) adequate for systems handling sensitive personal information?

4. Do our data collection practices align with necessity requirements, are we obtaining consent without pressure tactics or inducements, and do our privacy notices accurately describe our processing activities?

For questions on this or any other subject, please reach out to the authors or any of their colleagues in Arnold & Porter’s Privacy, Cybersecurity & Data Strategy practice group.

*Zhewen Zhang contributed to this Advisory.

© Arnold & Porter Kaye Scholer LLP 2026 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

  1. China’s MLPS requirement was first published in 2007 by China’s Ministry of Public Security and primarily focuses on the security of IT systems. Compliance with the MLPS is a requirement imposed on all network data processors under Article 27 of the DSL and Article 23 of the CSL. Under the relevant national standards and guidance, network data processors must assess and determine their own cybersecurity level (from level one to level five, with level one being the least risky) and, based on that level, take corresponding measures, such as expert review of the self-determined level and of the protective measures adopted, and filing of assessment reports with the relevant public security authorities.

  2. Specific fine amounts were not disclosed in the published model cases. For reference, serious violations of the CSL and DSL can result in fines up to RMB 10 million for entities and RMB 1 million for responsible individuals; serious PIPL violations can reach RMB 50 million or 5% of the prior year's revenue.