
CHINA: An Introduction to TMT: Data Protection & Privacy (PRC Firms)

Contributors:

Yuting Wang

Han Kun Law Offices


Current Regulatory Landscape and Future Outlook of Artificial Intelligence and Data Security

Introduction

The data protection framework of China has expanded from traditional areas centered on personal information to important data covering non-personal information, fully reflecting the systematic and extensive scope of regulation. At the same time, legislators have actively responded to the challenges posed by the rapid development of new technologies such as artificial intelligence, promptly introducing supporting policies and adjusting regulatory strategies, which demonstrates China's keen insight and firm determination in digital technology governance. No longer limited to data processing activities, China's data compliance regulation focuses on the deep-seated challenges brought by technological changes, promoting the formation of a comprehensive and multi-level governance system covering the data lifecycle and technology application scenarios as well as providing strong safeguards for the healthy development of the digital economy. 

Artificial Intelligence

The advent of GPT models set off a wave of research and development of underlying large language models (LLMs) in China. Major technology companies are investing resources and racing to launch their self-developed LLMs, aiming to secure a dominant position in technology and the market in this field. At this stage, the focus of China's artificial intelligence industry is gradually shifting to application, characterised by a broad range of applications, expanded application scenarios, and diverse business models. At the same time, Chinese companies are eyeing global markets, with China's AI technologies demonstrating strong competitiveness in emerging markets such as Southeast Asia and the Middle East.

China has not yet promulgated a comprehensive AI law. The regulation of AI-related technologies and applications primarily relies on departmental rules and normative documents, covering areas such as recommendation algorithm technologies, deep synthesis technologies, and generative AI services. Moreover, municipalities and provinces like Shanghai are actively exploring regulatory and governance approaches for the AI sector through local legislative practices. Nevertheless, AI regulation still faces multiple challenges in practice. Topics such as privacy and data leakage risks during the data collection phase, the ownership and protection of intellectual property rights for AI-generated outputs, compliance supervision of generated content, and algorithmic fairness await clear legal guidance from future legislation. 

In May 2023, the General Office of the State Council issued the Legislative Work Plan of the State Council for 2023, which included the plan of promulgating an AI law. It is anticipated that higher-level legislation in the AI field may be introduced by 2025 to co-ordinate and integrate existing regulations, providing unified provisions on fundamental principles for the AI sector.

Important Data

The Data Security Law establishes the classified protection system (CCPS), categorising data based on its importance to economic and social development and the potential adverse effects of unlawful use on the state, society, individuals, or organisations. Within this framework, legislators introduced the concepts of "important data" and "core data." This implies that, beyond personal information, important and core data that could impact national security and public interest are also subject to regulation under China's data protection laws.

The concept of important data was first proposed in the 2017 Cybersecurity Law. In 2022, the Measures for Security Assessment of Data Exports provided a formal definition of "important data" for the first time. The Regulation on Network Data Security Management further clarified this concept at the administrative regulation level, stating that important data pertains to specific fields, groups, or regions, or reaches certain thresholds of precision and scale. These regulations also systematised the compliance obligations of processing important data, including the security measures, administrative reporting obligations, and compliance requirements for the provision of important data.

However, the identification of important data is still in its early stages. Following Several Provisions on Automotive Data Security Management (Draft for Comments), which first outlined types of important data in the automotive field, sectors such as industry, telecommunications, and healthcare have gradually released rules for identifying important data within their domains. Regions including Beijing, Shanghai, Tianjin, and Fujian have also actively explored mechanisms to identify important data at the local level. In the coming year, more industries and regions are expected to issue relevant legislation. Data handlers should proactively compile data inventories and fulfil the compliance obligations for important data processing.

Personal Information Protection Compliance Audit

In the field of personal information, APP enforcement activities and supervision of outbound cross-border information transfers have become routine. As enterprises improve their personal information protection levels and compliance management systems, the regulatory focus in 2025 will shift toward personal information protection compliance audits.

The Personal Information Protection Law explicitly establishes compliance audits for personal information protection as a mandatory obligation for personal information handlers. The Regulation on Network Data Security Management further emphasises that personal information protection audits should be integrated with mechanisms such as important data risk assessments and cross-border security assessments of important data, with the goal of alleviating enterprises' compliance burdens while stressing co-ordination among regulatory authorities. Currently, specific rules to guide enterprises in conducting personal information protection compliance audits are still under development, including the Administrative Measures for Personal Information Protection Compliance Audits (Draft for Comments) and the national standard Data Security Technology—Personal Information Protection Compliance Audit Requirements (Draft for Comments).

Nevertheless, we observe that many enterprises have already begun preparing for compliance audits. These efforts include engaging law firms and other intermediary agencies to conduct data inventories as well as establishing audit policies and standards to ensure they can fulfill relevant compliance obligations promptly once the detailed rules are officially released.
