China: A TMT: Data Protection & Privacy (PRC Firms) Overview
From 2025 onwards, China’s digital regulation landscape has entered a phase in which policy objectives are increasingly translated into concrete operational obligations. Across artificial intelligence (AI) governance, important data management and personal information protection, regulators are moving beyond high-level principles towards mechanisms that require enterprises to demonstrate traceable controls, documented processes and verifiable compliance outcomes. Filing regimes, sector-specific implementation rules and targeted enforcement actions are becoming the primary tools for operationalising regulatory expectations.
For businesses, this shift materially changes the compliance equation. Regulatory risk is no longer confined to formal policy alignment or contractual documentation, but increasingly depends on whether systems, workflows and governance structures can withstand practical inspection and accountability scrutiny. The following sections highlight three areas where this transition is most visible and commercially impactful:
- the governance of advanced AI applications;
- the expansion of important data identification and reporting obligations; and
- the operationalisation of personal information protection compliance.
AI Governance: From General Principles to Contextual Oversight
In the AI sector, regulatory focus from 2025 to early 2026 has shifted from establishing foundational frameworks towards governing the substantive application of AI in products and services. Regulators are increasingly scrutinising AI systems that feature human-like interaction, facilitate automated decision-making or operate within large-scale digital platforms. The draft rules on anthropomorphic AI interactions released in late 2025, alongside forthcoming technological ethics measures and the anticipated Artificial Intelligence Law, signal a definitive policy trajectory: AI systems must remain transparent, controllable and subject to meaningful human oversight.
At the enterprise level, AI agents are rapidly proliferating across smartphones, super-apps and enterprise resource planning (ERP) software. These autonomous agents can interpret complex instructions, execute multistep workflows and bridge disparate services – such as booking transactions, document drafting and automated customer engagement. While current legislation has not yet recognised AI agents as a distinct legal category, regulators are proactively applying existing frameworks – including data protection, consumer rights, content moderation and algorithmic governance – to these evolving use cases.
The attribution of liability for AI-generated errors or harms has emerged as a critical focal point. When automated systems produce “hallucinations”, misleading recommendations or infringing content, regulators and judicial bodies are shifting attention towards proactive risk management. Instead of accepting boilerplate disclaimers or technical complexity as a defence, authorities are increasingly evaluating whether companies have implemented reasonable measures to monitor system behaviour and remediate issues promptly.
Against this backdrop, 2026 is expected to reflect a transition towards more differentiated and scenario-based AI governance, rather than a uniform tightening of regulatory requirements. As baseline compliance mechanisms mature, regulatory expectations are likely to be calibrated more precisely across different application scenarios and risk profiles, consistent with the broader policy objective of establishing a tiered and proportionate AI regulatory framework in China. Companies that can demonstrate credible internal risk classification and adaptive compliance capabilities are more likely to benefit from regulatory predictability and operational flexibility as the framework continues to evolve.
Steady Expansion of an Important Data Identification and Reporting Regime
The identification and reporting of important data have continued to progress in a steady and sector-specific manner, with regulatory coverage expanding across a broader range of industries. In 2025, additional sectoral authorities released data security management measures and important data identification guidelines. Notable examples include the Administrative Measures of the People’s Bank of China for Data Security in Business Fields, which came into effect on 30 June 2025, and YD/T 4981–2024 Guidelines for the Identification of Important Data in the Industrial Sector, effective from 1 April 2025.
In the automotive sector, several competent authorities have jointly formulated and selectively circulated guidance on the identification of important data relating to connected vehicle operations and autonomous driving, further refining the identification criteria pursuant to Several Provisions on Automotive Data Security Management (Trial). In parallel, the Ministry of Natural Resources has issued the Geographic Information Data Classification and Grading Working Guidelines to industry participants in order to initiate important data identification and management efforts within the natural resources domain.
At the same time, the filing and reporting of important data catalogues in the banking and payment sector, the industrial and information technology sector, and the automotive sector have been steadily advancing.
Looking ahead, enterprises should expect further refinement of identification criteria, broader coverage across additional industries, and closer regulatory scrutiny of catalogue filing and ongoing data governance practices. In this context, companies are well advised to establish internal important data identification mechanisms aligned with applicable sectoral guidance and the Regulation on Network Data Security Management, maintain dynamic data inventories, and closely monitor evolving filing and reporting requirements in order to mitigate compliance risk and prepare for a more mature and enforcement-oriented regulatory landscape.
Privacy Protection: From Policy Requirements to Verifiable Compliance
In the area of personal information protection, regulatory authorities increasingly introduced filing and reporting requirements in 2025 that target specific compliance control points. These include, among others, the Announcement on the Filing of Applications Involving Facial Recognition Technologies issued in May 2025 and the Announcement on the Reporting of Personal Information Protection Officer (PIPO) Information released in July 2025. Such initiatives effectively set clear implementation deadlines for requirements that had previously existed at a legal-text level. While the scope of the required filings remains relatively narrow, these reporting mechanisms increase enterprises’ regulatory visibility and, in practice, compel companies to conduct a more holistic review of their compliance across the entire personal information life cycle, including collection, use, storage, transmission and internal data governance.
Notably, enforcement in the areas of cross-border data transfers and data security intensified in 2025. In September 2025, the competent authorities publicly disclosed an enforcement case involving a fashion and consumer brand for unlawful cross-border data transfers and inadequate data security measures. Multiple additional enforcement actions targeting cross-border data transfers were also pursued in the second half of the year. In this context, enterprises can no longer afford a wait-and-see approach; they should undertake a systematic review of their personal information protection compliance and move promptly towards practical implementation.
The personal information protection compliance audit (the “PI Audit”) regime, which took effect in May 2025, reflects the same regulatory logic. Compliance can no longer remain a purely documentary or policy-driven exercise; it must be operationalised, documented and capable of being verified. In practice, a significant number of enterprises have already completed PI Audits for key business lines in 2025, or at least initiated pre-audit assessments and audit planning. Looking ahead, 2026 is expected to become a critical year for the substantive implementation of PI Audits. To be better positioned to respond to future filing obligations and regulatory inspections, enterprises should systematically map their processing activities and create and retain auditable compliance evidence.
