Firm News

Data Law Weekly (20250707-20250713)


Publication date: 2025-07-14

Author: 陈嘉伟律师等 (Chen Jiawei, attorney, and others)

Source: 至融至泽

Contents

I. Domestic news

1. The National Financial Supervisory Administration issued the “Measures for the Appropriate Management of Financial Products by Financial Institutions” (《金融机构产品适当性管理办法》), clarifying requirements for the protection of customer information

2. The CAC released an announcement on the filing of generative AI services (April to June 2025)

3. The National Network and Information Security Information Reporting Centre reported 68 mobile applications that illegally collect and use personal information

4. Beijing launched a special campaign to regulate “mandatory facial recognition” in public places

5. CSAC announced 12 apps that have completed optimization and improvement of personal information collection and use

II. Overseas news

1. The European Commission published the General-Purpose AI Code of Practice

2. The Irish DPC announced an inquiry into TikTok’s transfers of EEA users’ personal data to servers located in China

3. The French CNIL published practical guidelines on Transfer Impact Assessments (TIA)

Domestic news

1. The National Financial Supervisory Administration issued the “Measures for the Appropriate Management of Financial Products by Financial Institutions” (《金融机构产品适当性管理办法》), clarifying requirements for the protection of customer information

On July 11, the National Financial Supervisory Administration issued the “Measures for the Appropriate Management of Financial Products by Financial Institutions,” which will take effect on February 1, 2026. The Measures stipulate that financial institutions shall have information systems and other facilities that meet appropriateness-management requirements, so as to keep networks and information systems secure, efficient and capable of sustained service, and to safeguard data security. Financial institutions shall collect customer information within a reasonable scope in order to assess customers’ circumstances, and shall fulfil their customer information protection obligations and ensure the security of customer information.

[Click to view the full text of the Measures:

https://www.nfra.gov.cn/cn/view/pages/rulesDetail.html?docId=1217183&itemId=4214&generaltype=1]

2. The CAC released an announcement on the filing of generative AI services (April to June 2025)

On July 11, the Cyberspace Administration of China (CAC) released an announcement on the filing of generative AI services (April to June 2025). The announcement stated that from April to June, 93 new generative AI services completed filing with the CAC. Generative AI applications or functions that directly call the capabilities of already-filed models via API interfaces or other means are registered by local cyberspace administration departments; during this period, 74 such applications or functions completed registration. As of June 30, 2025, a cumulative total of 439 generative AI services had completed filing, and 233 generative AI applications or functions had completed registration.

[Reference:

https://www.cac.gov.cn/2024-04/02/c_1713729983803145.htm]

3. The National Network and Information Security Information Reporting Centre reported 68 mobile applications that illegally collect and use personal information

On July 11, the National Network and Information Security Information Reporting Centre reported 68 mobile applications that illegally collect and use personal information. The issues identified include: the app does not, on first launch, prompt the user through a pop-up window or other conspicuous means to read the privacy policy and other collection and use rules; consent is sought by non-explicit means such as a pre-selected agreement to the privacy policy; the privacy policy is difficult to access; the privacy policy does not list, item by item, the purposes, methods and scope of personal information collection and use by the app (including third parties it engages and embedded third-party code and plug-ins); when a personal information processor provides the personal information it processes to another personal information processor, it fails to inform the individual of the recipient’s name, contact details, processing purpose, processing method and the categories of personal information involved, and fails to obtain the individual’s separate consent; no channel or method is provided for users to withdraw consent to the collection of personal information; the personal information processor does not provide a convenient way to withdraw consent; when pushing information or conducting commercial marketing to individuals through automated decision-making, no option not targeted at the individual’s personal characteristics is offered at the same time, or no convenient way to refuse is provided; sensitive personal information is processed without the individual’s separate consent; the app frequently self-starts or launches third-party apps beyond the scope required by the service or without a reasonable use case; corresponding security measures such as encryption and de-identification are not implemented; and there is no privacy policy at all.

[Reference:

https://mp.weixin.qq.com/s/7eZP5xViXDH1gn_Q3YyUgQ]

4. Beijing launched a special campaign to regulate “mandatory facial recognition” in public places

On July 8, the Beijing Cyberspace Administration issued a notice stating that, starting in July, Beijing will carry out a special campaign against the illegal collection and use of facial recognition information in public places. The campaign responds to the “Security Management Measures for the Application of Facial Recognition Technology” (《人脸识别技术应用安全管理办法》), in effect since June 1, 2025, which stipulate that facial recognition shall not be used as the sole verification method in public places unless necessary. The Measures also require personal information processors whose stored facial information, processed using facial recognition technology, reaches 100,000 individuals to complete filing formalities with the provincial-level cyberspace administration department where they are located. To date, under the guidance of the Beijing Cyberspace Administration, 69 entities have completed the filing process through the “Personal Information Protection Business System” (https://grxxbh.cacdtsc.cn), and the cyberspace administration department is following up with each of them to ensure that personal information processors handle personal information lawfully and compliantly. In addition, the Beijing Cyberspace Administration will work with the relevant departments to focus on the transportation, accommodation and tourism, education and training, culture and sports, logistics and commerce, and leisure and entertainment sectors in carrying out this special campaign against the illegal collection and use of facial recognition information in public places.

[Reference:

https://mp.weixin.qq.com/s/td7U_H-En8L1kf7FTOZ5Cg]

5. CSAC announced 12 apps that have completed optimization and improvement of personal information collection and use

On July 8, the Cyber Security Association of China (CSAC) released the “Announcement on the Publication of the List of Apps that Have Completed Optimization and Improvement of Personal Information Collection and Use (2025, Batch 2).” The announcement stated that the CSAC organized and guided the operators of 12 apps across seven categories (online communities, app stores, food delivery, real estate rental and sales, live streaming, instant messaging, and job recruitment) in optimizing and improving their personal information collection and use practices in accordance with the relevant laws and regulations. The improvements focused on issues such as collection of personal information beyond the necessary scope, excessive invocation of sensitive permissions, inconvenient permission settings, and difficulty in cancelling accounts.

[Reference:

https://mp.weixin.qq.com/s/jEibbPgn8B8R7yOtSnZz2Q]

Overseas news

1. The European Commission published the General-Purpose AI Code of Practice

On July 10, the European Commission published the General-Purpose AI Code of Practice. The Code is designed to help industry comply with the AI Act’s rules on general-purpose AI, which enter into application on August 2, 2025, and to ensure that general-purpose AI models placed on the European market are safe and transparent. The Code consists of three chapters: Transparency, Copyright, and Safety and Security. The Transparency and Copyright chapters apply to all providers of general-purpose AI models, while the Safety and Security chapter applies only to a limited number of providers of the most advanced models. Once the Code has been approved by the member states and the European Commission, providers of general-purpose AI models that voluntarily sign it can demonstrate compliance with the relevant obligations under the AI Act by adhering to it. Compared with providers that demonstrate compliance through other means, this route gives providers of general-purpose AI models a lower administrative burden and greater legal certainty.

[Reference:

https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai]

2. The Irish DPC announced an inquiry into TikTok’s transfers of EEA users’ personal data to servers located in China

On July 10, the Irish Data Protection Commission (DPC) launched a new inquiry into TikTok’s transfers of EEA users’ personal data to servers located in China. The DPC said the inquiry follows on from the €530 million fine it imposed on TikTok in April. The Irish regulator was informed in April that TikTok had been storing some EEA user data on servers in China, an issue first identified in February. This contradicted the company’s long-standing position that EEA user data was only accessed remotely by platform staff within China and was not stored on servers located in China. Because the discovery came as the earlier inquiry was nearing its conclusion, the DPC had not at that point investigated the matter in full. The Irish regulator stated that the new inquiry will focus on whether TikTok has complied with its obligations under the EU General Data Protection Regulation (GDPR), including the provisions on accountability, transparency, cooperation with the supervisory authority, and the rules governing transfers of data outside the EU.

[Reference:

https://www.dataprotection.ie/en/news-media/press-releases/dpc-announces-inquiry-tiktok-technology-limiteds-transfers-eea-users-personal-data-servers-located]

3. The French CNIL published practical guidelines on Transfer Impact Assessments (TIA)

On July 9, the French National Commission for Information Technology and Liberties (CNIL) published the final version of its practical guide on Transfer Impact Assessments (TIA). Exporters that rely on the transfer tools listed in Article 46.2 and 46.3 GDPR for cross-border transfers are obliged to assess the level of data protection in the third country of destination and whether additional safeguards are needed. Such an assessment is commonly referred to as a Transfer Impact Assessment (TIA). The core objective of a TIA is to assess whether the importer will be able to comply with its obligations under the chosen transfer tool, taking into account the legislation and practices of the third country of destination (in particular the potential access to personal data by that country’s authorities), and to document that assessment. The guide provides a methodological framework and concrete steps for conducting a TIA.

[Reference:

https://www.cnil.fr/en/transfer-impact-assessment-tia-cnil-publishes-final-version-its-guide]