每周数据法律资讯 Data Law Weekly（20250929—20251012）

1. 中央网信办、国家发展改革委印发《政务领域人工智能大模型部署应用指引》

中央网信办、国家发展改革委近日联合印发《政务领域人工智能大模型部署应用指引》，为各级政务部门提供人工智能大模型部署应用的工作导向和基本参照。政务部门应结合工作实际和场景特点，充分论证人工智能大模型的应用需求、实施路径、功能设计等，选择适宜的部署模式，统筹推进实施，推动共建共享，提升建设管理效能。政务部门应强化政务领域人工智能大模型运行管理，健全管理制度、运行模式和安全要求，有序推进人工智能大模型技术、产品和服务在政务领域部署应用。

【点击查阅指引全文：

https://mp.weixin.qq.com/s/N9_iyKY8ufC9LNqgb6YEXQ】

CAC and NDRC issued the guidelines for the deployment and application of AI large models in the government sector（《政务领域人工智能大模型部署应用指引》）

The Cyberspace Administration of China (CAC) and the National Development and Reform Commission (NDRC) have recently jointly issued the guidelines for the deployment and application of AI large models in the government sector, providing direction and basic references for government departments at all levels to deploy and apply AI large models. Government departments should, in light of their actual work needs and specific scenarios, thoroughly assess the necessity, implementation path, and functional design of AI large model applications. They should select appropriate deployment models, promote coordinated implementation, advance joint construction and sharing, and enhance efficiency in system development and management. Government departments should also strengthen the operation and management of AI large models in the government sector, improve management systems, operational models, and security requirements, and promote the orderly deployment and application of AI large model technologies, products, and services in government affairs.

[Click to read the full text of the Guidelines:

https://mp.weixin.qq.com/s/N9_iyKY8ufC9LNqgb6YEXQ]

2. 上海发布新一期生成式人工智能服务登记信息公告

10月11日，上海市网信办发布《上海市生成式人工智能服务登记信息公告（10月11日）》。公告显示，截至当日，上海市新增5款已完成登记的生成式人工智能服务，累计已完成119款生成式人工智能服务登记。已上线的生成式人工智能应用或功能，应在显著位置或产品详情页面标明所取得的上线编号。

【参见：

https://mp.weixin.qq.com/s/mLt-hvYrO6rwNbYwBvFyLg】

Shanghai released new round of generative AI service registration information announcement

On October 11, the Shanghai Cyberspace Administration released the “Announcement on the Registration Information of Generative AI Services in Shanghai (October 11).” The announcement shows that as of that day, Shanghai had added five new generative AI service that had completed registration, bringing the total number of generative AI services that had completed registration to 119. Generative AI applications or functions that have been launched should clearly indicate the launch number obtained in a prominent location or on the product details page.

[Reference:

https://mp.weixin.qq.com/s/mLt-hvYrO6rwNbYwBvFyLg]

3. 国家网络安全通报中心通报34款违法违规收集使用个人信息的移动应用

10月10日，国家网络安全通报中心对34款存在违法违规收集使用个人信息情况的移动应用进行了通报。这些移动应用存在的问题包括：未逐一列出收集、使用个人信息的目的、方式、范围；在申请打开可收集个人信息的权限时，未同步告知用户其目的；征得用户同意前就开始收集个人信息；个人信息保护政策中描述需要收集的个人信息超出相关功能的必要范围；提前要求用户打开非当前功能所需的可收集个人信息权限；注销账户的流程中设置不合理的条件或提出额外要求；广告存在误导、欺骗用户行为等。

【参见：

https://mp.weixin.qq.com/s/jZ_bybsfUbmo8vchBu1pQw】

National Cybersecurity Notification Center issued the notice on 34 mobile Apps violating personal information collection and use regulations

On October 10, the National Cybersecurity Notification Center issued a notice regarding 34 mobile applications found to be illegally collecting and using personal information. The issues identified include: Failure to itemize the purposes, methods, and scope of personal information collection and use; failure to simultaneously inform users of the purpose when requesting permission to access personal information; commencement of personal information collection prior to obtaining user consent; description of required personal information in the privacy policy exceeding the necessary scope for relevant functions; prematurely requiring users to enable permissions for collecting personal information not needed for current functions; setting unreasonable conditions or imposing additional requirements during account cancellation procedures; and advertising containing misleading or deceptive practices.

[Reference:

https://mp.weixin.qq.com/s/jZ_bybsfUbmo8vchBu1pQw]

4. 上海通管局通报27款存在侵害用户权益行为的APP（SDK）

10月10日，上海市通信管理局发布《关于侵害用户权益行为APP的通报（2025年第七批）》, 共涉及27款APP（SDK）。这些APP（SDK）所涉问题有：未明示个人信息处理规则、违规收集个人信息、超范围收集个人信息、未妥善处理用户投诉与未规范安装卸载行为。

【参见：

https://mp.weixin.qq.com/s/fbFfnUGb1uhIiNE4ER9RSw】

Shanghai Communication Administration issued notice on 27 apps (SDKs) found to infringe upon user rights

On October 10, the Shanghai Communication Administration issued the “Notice on Apps Violating User Rights (2025 Seventh Batch),” which involved a total of 27 apps (SDKs). The issues identified in these apps (SDKs) include: Failure to explicitly state personal information processing rules, illegal collection of personal information, collection of personal information beyond authorized scope, failure to properly handle user complaints, and non-compliant installation and uninstallation practices.

[Reference：

https://mp.weixin.qq.com/s/fbFfnUGb1uhIiNE4ER9RSw]

5. 上海网信办指导属地重点平台发布未成年人网络保护社会责任报告

近期，在上海市委网信办指导下，哔哩哔哩、小红书、拼多多、喜马拉雅、蜻蜓、咪咕视频、米哈游、莉莉丝、心动网络、崽崽等首批10家平台在各自官网或微信公众号上发布未成年人网络保护社会责任报告，接受社会监督。各平台采取的措施包括：优化诈骗账号识别模型；拦截、过滤不适内容；畅通涉未成年人投诉举报渠道；引入未成年人心理疏导服务；设置内容分龄推荐；深化防沉迷与家长协同治理等。

【参见：

https://mp.weixin.qq.com/s/QU3jTY5pSb5Blhhyz5qojw】

Shanghai Cyberspace Administration directed local key platforms to release Social Responsibility Reports on online protection for minors

Recently, under the guidance of the Shanghai Cyberspace Administration, the first batch of 10 platforms—Bilibili, Xiaohongshu, Pinduoduo, Himalaya, Qingsong, Migu Video, Mihoyo, Lilith Games, Xindong Network, and ZaiZai—published their Social Responsibility Reports on Online Protection for Minors on their respective official websites or WeChat public accounts, subjecting themselves to public oversight. Measures implemented by these platforms include: optimizing fraud account detection models; intercepting and filtering inappropriate content; streamlining complaint channels for issues involving minors; introducing psychological counseling services for minors; implementing age-based content recommendations; and enhancing anti-addiction measures and parental collaboration governance.

[Reference:

https://mp.weixin.qq.com/s/QU3jTY5pSb5Blhhyz5qojw]

6. 深圳发布《深圳市加强应用程序个人信息保护若干指引（2025年版）》

近日，深圳发布《深圳市加强应用程序个人信息保护若干指引（2025年版）》。《指引》旨在落实上级有关部署要求，进一步提升深圳属地备案应用程序（含小程序、公众号、快应用）个人信息保护能力，切实维护人民群众在网络空间合法权益。《指引》包括隐私政策规范、用户同意管理、数据处理合规、用户权益保障等四个方面。

【参见：

https://mp.weixin.qq.com/s/V6qyyonbUcRohXExsf5kqg?scene=25#wechat_redirect】

Shenzhen released “Guidelines for Strengthening Personal Information Protection in Applications (2025 Edition)”（《深圳市加强应用程序个人信息保护若干指引（2025年版）》）

Recently, Shenzhen issued the “Guidelines for Strengthening Personal Information Protection in Applications (2025 Edition).”（《深圳市加强应用程序个人信息保护若干指引（2025年版）》） The Guidelines aim to implement higher-level directives, further enhance the personal information protection capabilities of locally registered applications in Shenzhen (including mini-programs, official accounts, and quick apps), and effectively safeguard the legitimate rights and interests of the public in cyberspace. The Guidelines cover four key areas: privacy policy standards, user consent management, data processing compliance, and user rights protection.

[Reference:

https://mp.weixin.qq.com/s/V6qyyonbUcRohXExsf5kqg?scene=25#wechat_redirect]

7. 推荐性国家标准《数据安全技术个人信息跨境处理活动安全认证要求》获批发布

近日，市场监管总局（国家标准委）批准发布《数据安全技术个人信息跨境处理活动安全认证要求》（GB/T 46068－2025）推荐性国家标准，将于2026年3月1日正式实施。该标准旨在指导跨境处理个人信息的相关方规范自身个人信息跨境处理活动，支撑对个人信息处理者跨境处理个人信息的活动进行监督、管理、认证和评估。

【参见：

https://mp.weixin.qq.com/s/OaYNy-iPGqOFXD3K0DeV7Q】

Recommended national standard “Information Security Technology — Security Certification Requirements for Cross-Border Processing of Personal Information” (《数据安全技术个人信息跨境处理活动安全认证要求》) approved for release

Recently, the State Administration for Market Regulation (Standardization Administration of China) approved and issued the recommended national standard GB/T 46068-2025, “Information Security Technology — Security Certification Requirements for Cross-Border Processing of Personal Information.” The standard will officially take effect on March 1, 2026. The standard is intended to guide relevant parties engaged in cross-border processing of personal information to standardize their processing activities, and to support the supervision, management, certification, and evaluation of such cross-border processing conducted by personal information processors.

[Reference:

https://mp.weixin.qq.com/s/OaYNy-iPGqOFXD3K0DeV7Q]

1. 欧盟委员会根据DSA审查 Snapchat、YouTube、Apple App Store 和 Google Play的未成年人保障措施

10月10日，欧盟委员会根据《数字服务法》（DSA）规定的未成年人保护指南启动了首次调查行动。委员会要求 Snapchat、YouTube、Apple 和 Google 提供有关其年龄验证系统的信息，以及他们如何防止未成年人访问非法产品或有害材料的信息。

【参见：

https://ec.europa.eu/commission/presscorner/detail/en/mex_25_2353】

European Commission scrutinised safeguards for minors on Snapchat, YouTube, Apple App Store and Google Play under the Digital Services Act under the DSA

On October 10, the European Commission launched its first investigation under the Digital Services Act (DSA) focusing on the protection of minors. The Commission has requested Snapchat, YouTube, Apple, and Google to provide information about their age verification systems and how they prevent minors from accessing illegal products or harmful content.

[Reference:

https://ec.europa.eu/commission/presscorner/detail/en/mex_25_2353]

2. 加州州长签署《加州选择退出法案》（the California Opt Me Out Act）

10月8日，加州州长签署了《加州选择退出法案》，。该法案要求在加州运营的浏览器提供易于使用的“选择退出偏好信号”(OOPS)，允许用户自动将其隐私偏好告知网站。启用后，OOPS 会告知网站不要出售或共享用户的个人信息。该方案使加州成为美国第一个要求浏览器为用户提供简单、内置方式来告知网站不要出售或共享其个人信息的州。

【参见：

https://cppa.ca.gov/announcements/2025/20251008_2.html】

California Governor signed the California Opt Me Out Act

On October 8, the Governor of California signed the California Opt Out Act. The bill requires browsers operating in California to offer easy-to-use opt-out preference signals (OOPS) that allow users to automatically communicate their privacy preferences to websites. When enabled, OOPS tells websites not to sell or share the user’s personal information. This Act makes California the first state in the United States to require browsers to provide users with a simple, built-in way to inform websites not to sell or share their personal information.

[Reference:

https://cppa.ca.gov/announcements/2025/20251008_2.html]

3. 爱尔兰数据保护委员会公布对TikTok作出的5.3亿欧元处罚决定全文

10月2日，爱尔兰数据保护委员会（DPC）公布了此前于2025年4月30日对Tiktok作出的5.3亿欧元处罚决定文书。处罚文书显示，TikTok有两项违法事实：（1）Tiktok在调查的时间范围内进行了数据跨境传输，但未能证明被传输的欧洲经济区（EEA）用户的个人数据得到了与欧盟基本相当的保护，该行为违反了GDPR第46（1）条；（2）TikTok在2020年7月29日至2022年12月1日期间未向数据主体提供有关数据传输相关的信息及其中国员工远程访问存储在新加坡和美国的个人数据相关的处理事宜，该行为违反了GDPR第13（1）（f）条。

【参见：

https://www.dataprotection.ie/en/treoir-ccs/law/decisions/inquiry-tiktok-technology-limited-april-2025】

Irish Data Protection Commission published the full text of €530 million penalty Decision against TikTok

On October 2, the Irish Data Protection Commission (DPC) published the full text of €530 million penalty Decision against TikTok, which was made on April 30, 2025. The penalty Decision reveals two violations by TikTok: (1) TikTok conducted cross-border data transfers during the temporal scope of the Inquiry but failed to demonstrate that personal data of European Economic Area (EEA) users received protection substantially equivalent to that of the EU, violating Article 46(1) of the GDPR; (2) TikTok failed to provide data subjects with information regarding data transfers and the processing of personal data stored in Singapore and the United States by its Chinese employees via remote access between July 29, 2020, and December 1, 2022, violating Article 13(1)(f) of the GDPR.

[Reference:

https://www.dataprotection.ie/en/treoir-ccs/law/decisions/inquiry-tiktok-technology-limited-april-2025]

4. 美国加州通过《前沿人工智能透明法（TFAIA）》

9月29日，美国加州通过《前沿人工智能透明法（Transparency in Frontier Artificial Intelligence Act，TFAIA）》（Senate Bill No. 53）。TFAIA将采取多项措施，以确保由前沿开发者所开发的基础模型的安全性。根据该法案，大型前沿开发者需编写、实施并在其网站上显著发布一份前沿人工智能框架。该框架适用于该开发者的前沿模型，并阐述其如何将国家标准、国际标准及行业共识最佳实践等内容纳入其中。

【参见：

https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB53】

California passed Transparency in Frontier Artificial Intelligence Act (TFAIA)

On September 29, California passed the Transparency in Frontier Artificial Intelligence Act (TFAIA) (Senate Bill No. 53). TFAIA would, among other measures to ensure the safety of foundation models developed by frontier developers, require a large frontier developer to write, implement, and prominently publish on its website a frontier AI framework. This framework would apply to the developer’s frontier models and describe how it incorporates national standards, international standards, and industry-consensus best practices, among other elements.

[Reference:

https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB53]

5. 越南公布《人工智能法（草案）》

9月29日，越南公布《人工智能法（草案）》并公开征求意见。该《人工智能法》将适用于在越南社会主义共和国领土内开展的与人工智能系统相关的活动；或其人工智能系统产品、服务影响越南市场、用户、国家安全、社会公共秩序及组织、个人合法权益的活动。草案借鉴欧盟人工智能法案，根据风险程度将人工智能分为四类（不可接受风险、高风险、中风险、低风险）。其中对于高风险人工智能系统的合规性监督检查，将默认适用事后检查机制，对于列入“需事前评估合规性的高风险人工智能应用领域与情形清单”的需进行事前检查。

【参见：

https://mst.gov.vn/van-ban-phap-luat/du-thao/2294.htm】

Vietnam released Draft Artificial Intelligence Law

On September 29, Vietnam released the draft Artificial Intelligence Law for public comment. This law will apply to activities related to AI systems conducted within the territory of the Socialist Republic of Vietnam; or activities where the products or services of such AI systems impact Vietnam's market, users, national security, social public order, and the legitimate rights and interests of organizations and individuals. Drawing from the EU AI Act, the draft categorizes AI systems into four risk levels (unacceptable risk, high risk, medium risk, low risk). Compliance inspections for high-risk AI systems will default to post-implementation review mechanisms, while those listed in the “Catalog of High-Risk AI Application Fields and Scenarios Requiring Pre-Implementation Compliance Assessment” will undergo pre-implementation inspections.

[Reference:

https://mst.gov.vn/van-ban-phap-luat/du-thao/2294.htm]