China: A TMT: Data Protection & Privacy (PRC Firms) Overview
Latest Developments in Global Data Compliance and Privacy Protection
Against the macro backdrop of global economic fluctuations and geopolitical tensions, the value and risks of data as a new production factor have become increasingly prominent. In 2025, data compliance has evolved beyond traditional legal risk control, becoming a cornerstone of corporate strategic operations, market competitiveness and business reputation. For enterprises, understanding the global landscape of data legislation, grasping regulatory trends and anticipating risks are prerequisites for formulating effective compliance strategies and supporting steady business development.
Overview of data compliance in 2025: a paradigm shift under economic pressure
In 2025, enterprises are generally facing dual pressures of slowing economic growth and rising operational costs. This economic environment directly impacts the allocation of compliance resources. Compliance budgets are shifting from “comprehensive coverage” to “targeted investment”, with more resources being directed towards core areas characterised by frequent violations, stringent regulatory penalties and deep business dependencies. Meanwhile, the escalating costs of post-compliance remediation due to various data compliance risk incidents are forcing enterprises to align compliance budgets directly with risk exposure and potential losses.
Correspondingly, the legal services market is exhibiting notable trends of “deep specialisation” and “compliance value creation”. Enterprises’ demand for data compliance legal services has shifted from pre-emptive legal consultations and post-incident regulatory responses to actionable data compliance management system development and operation, as well as compliance-driven value creation for business growth. On the demand side, compliance needs related to new business areas – such as AI R&D and application, embodied AI data training, global cross-border data transfers, and data assetisation – are experiencing explosive growth. Data compliance efforts increasingly require deep collaboration with IT, security, product, business and finance departments. Legal service providers must not only be proficient in legal practice but also deeply understand technological logic and business models.
Opportunities and challenges in data compliance
Embodied AI compliance: new dimensions of data risks in physical world interactions
Embodied AI, as the next wave of deep integration between artificial intelligence and physical entities, is driving physical terminals such as robots and smart vehicles to continuously interact with their environment through perception, decision-making and action.
When AI agents become “embodied”, the complexity and risks of data compliance increase exponentially. Core challenges arise from the expansion of data collection scenarios from virtual to ubiquitous physical spaces. Specific compliance pain points include the following:
- environmental information continuously collected via lidar, multimodal sensors and other means may contain vast amounts of irrelevant third-party personal information or even sensitive geographical data, making it difficult to define compliant collection boundaries;
- to achieve adaptability and continuous learning, devices need to process highly contextualised behavioural data locally and may upload such data, posing significant challenges to implementing the “principle of minimal necessity”; and
- security vulnerabilities and compliance risks in embodied AI systems could lead to dual incidents of physical harm and data breaches, complicating liability attribution.
Necessary compliance measures include establishing a full life cycle data governance framework for embodied AI, incorporating “privacy-by-design” principles from the early stages of R&D, and balancing data utilisation with privacy protection through technical means. Additionally, enterprises should conduct the necessary data protection impact assessments before hardware deployment, thoroughly map data flows, and design product features – such as privacy policies, authorisation interactions and function triggers – so that they disclose clearly and transparently how data is collected and used.
Cross-border data compliance: mechanism optimisation and pathway strategies
Despite the increasing fragmentation of global data protection rules, 2025 is also a year of ongoing optimisation of cross-border transfer mechanisms and the accumulation of practical experience. Compliance pathways for cross-border data flows, supported by tools such as standard contracts and certification mechanisms, have become clearer, providing multinational enterprises with a window of certainty for global data co-ordination and business integration.
The current core challenge lies in pathway selection and compliance strategies under parallel multiple mechanisms. Enterprises must align their strategies with their global market layout and actual business operations, seeking common ground among the divergent requirements of different jurisdictions (eg, China, the EU and the US), as no single solution is universally applicable.
Legal and compliance professionals need to design tailored compliance strategies for different business scenarios (eg, human resources, R&D, advertising, after-sales management), build modular cross-border transfer mechanisms and actively explore secure technical solutions such as privacy computing and edge-side processing to enable cross-border data flows while meeting compliance requirements.
Data assetisation compliance: building a framework from concept to implementation
The goal of data compliance efforts is shifting from “meeting regulatory requirements and avoiding penalties” to “unlocking data value and generating financial benefits”. Clear data ownership and compliant data application are prerequisites for data assetisation and transactions.
The key challenge in this process is the lack of a mature compliance framework. The confirmation, measurement and disclosure of data assets involve complex data governance issues, with specific pain points including:
- ambiguous boundaries of data rights among various stakeholders in data collection, processing and other stages;
- inadequate security audits and liability tracing mechanisms in data transactions; and
- the absence of universally recognised valuation models incorporating compliance factors for data asset assessment.
To capitalise on the trend of data assetisation, enterprises should strengthen their internal data governance systems, clarify data lineage and lay a solid compliance foundation for data assets. In external data collaborations or transactions, clear agreements should be established regarding data sources and ownership, compliance requirements for processing, revenue-sharing models, and mechanisms for liability allocation and remedies in the event of compliance risks.
Conclusion
Looking ahead to 2026, regulatory frameworks in the data compliance field will become increasingly refined and scenario-specific. For enterprises, passive compliance will no longer suffice to support steady business growth. Deeply embedding data compliance capabilities into product development and business processes, transforming compliance from a cost centre into a value driver for financial gains and trust-building, has become a critical issue for long-term corporate development and competitive evolution in the digital era.
