每周数据法律资讯 Data Law Weekly（20251124—20251130）

1. 公安部发布《公安机关网络空间安全监督检查办法（征求意见稿）》

11月29日，为规范公安机关对网络空间安全的监督检查工作，公安部发布了《公安机关网络空间安全监督检查办法（征求意见稿）》，向社会公开征求意见。该办法明确了公安机关开展网络空间安全监督检查的程序性规定，要求对网络安全等级保护三级以上的网络运营者、关键信息基础设施运营者，每年开展一次监督检查。

【点击查阅办法全文：

https://www.mps.gov.cn/n2254536/n4904355/c10316016/content.html】

Ministry of Public Security released “Measures for Supervision and Inspection of Cyberspace Security by Public Security Organs (Draft for Comment)”(《公安机关网络空间安全监督检查办法（征求意见稿）》)

On November 29, to standardize the supervision and inspection of cyberspace security by public security organs, the Ministry of Public Security released the “Measures for Supervision and Inspection of Cyberspace Security by Public Security Organs (Draft for Comment)” for public consultation. The Measures establish procedural requirements for public security organs conducting cybersecurity supervision and inspection, mandating annual inspections for network operators at Level 3 or above of the Cybersecurity Graded Protection System and operators of critical information infrastructure.

[Click to view the full text of the Measures:

https://www.mps.gov.cn/n2254536/n4904355/c10316016/content.html]

2. 《金融机构客户尽职调查和客户身份资料及交易记录保存管理办法》正式发布

11月28日，中国人民银行国家金融监督管理总局中国证券监督管理委员会正式发布《金融机构客户尽职调查和客户身份资料及交易记录保存管理办法》，《办法》自2026年1月1日起施行。《办法》规定了金融机构开展客户尽职调查工作的相关要求，明确了客户身份资料及交易记录保存的要求。客户身份资料自业务关系结束后或者一次性金融服务结束后至少保存10年，交易记录自交易结束后至少保存10年。

【点击查阅办法全文：

http://www.pbc.gov.cn/tiaofasi/144941/144957/5916164/index.html】

Administrative measures for Customer Due Diligence and Retention of Customer Identity and Transaction Records by Financial Institutions(《金融机构客户尽职调查和客户身份资料及交易记录保存管理办法》) officially released

On November 28, the People's Bank of China, the National Financial Regulatory Administration, and the China Securities Regulatory Commission officially released the Administrative Measures for Customer Due Diligence and Retention of Customer Identity and Transaction Records by Financial Institutions. The Measures will take effect on January 1, 2026. The Measures stipulate relevant requirements for financial institutions conducting customer due diligence and clarify requirements for retaining customer identity and transaction records. Customer identity information shall be retained for at least 10 years after the termination of the business relationship or the completion of a one-time financial service. Transaction records shall be retained for at least 10 years after the completion of the transaction.

[Click to view the full text of the Measures:

http://www.pbc.gov.cn/tiaofasi/144941/144957/5916164/index.html]

3. 广东省网信办发布《粤港澳大湾区个人信息跨境流动标准合同备案指南》

11月28日，广东省网信办发布了《粤港澳大湾区个人信息跨境流动标准合同备案指南》，进一步优化备案流程，公布线上报送系统，规范标准合同、承诺书、经办人授权委托书等材料的内容、格式，并提供了可下载模板。符合条件的个人信息处理者或接收方，通过订立标准合同的方式进行粤港澳大湾区内内地和香港、澳门之间的个人信息跨境流动，可按照指南以线上方式向广东省网信办备案。

【参见：

https://www.cagd.gov.cn/v/2025/11/8263.html?sessionid=】

Guangdong Cyberspace Administration issued “Guidelines for Filing Standard Contracts for Cross-Border Personal Information Flow in the Guangdong-Hong Kong-Macao Greater Bay Area”(《粤港澳大湾区个人信息跨境流动标准合同备案指南》)

On November 28, the Cyberspace Administration of Guangdong Province released the “Guidelines for Filing Standard Contracts for Cross-Border Personal Information Flow in the Guangdong Hong Kong Macao Greater Bay Area.” This document further streamlines the filing process, introduces an online submission system, standardizes the content and format of materials such as standard contracts, commitment letters, and authorized representative letters, and provides downloadable templates. 

[Reference:

https://www.cagd.gov.cn/v/2025/11/8263.html?sessionid=]

4. 上海新增1款已完成备案的生成式人工智能服务

11月28日，上海网信办发布《上海市生成式人工智能服务已备案信息公告（11月28日）》。公告称，截至11月28日，上海市新增1款已完成备案的生成式人工智能服务，累计已完成116款生成式人工智能服务备案。已上线的生成式人工智能应用或功能，应在显著位置或产品详情页面公示所使用已备案生成式人工智能服务情况，注明模型名称及备案号。

【参见：

https://mp.weixin.qq.com/s/bSku07mhkozCRJ8eWO5-LQ】

Shanghai added a new generative AI service that have completed registration

On November 28, the Cyberspace Administration of Shanghai released the “Announcement on Generative AI Services that have Completed Registration in Shanghai (November 28)”.The announcement states that as of November 28, Shanghai has added 1 new generative AI services that have completed registration, bringing the total number of registered generative AI services to 116. Generative AI applications or features that have been launched must prominently display the details of the registered generative AI services they use, including the model name and registration number, on their main interface or product information page.

[Reference:

https://mp.weixin.qq.com/s/bSku07mhkozCRJ8eWO5-LQ]

5. 网信部门查处一批存在人工智能生成合成内容标识违法违规问题的移动互联网应用程序

11月25日，国家网信办发布资讯称，近期网信部门集中查处一批违法违规移动互联网应用程序，依法依规予以约谈、责令限期改正、下架下线等处置处罚。主要违法违规情形如下：（1）人工智能生成合成服务提供者未对生成合成的内容添加显式标识；提供生成合成内容导出功能时，未在文件中添加显式标识；在生成合成内容的文件元数据中，未添加包含属性信息、服务提供者名称或者编码、内容编号等制作要素信息的隐式标识；隐式标识添加位置不规范等。（2）网络信息内容传播服务提供者未落实隐式标识核验、在发布内容周边添加显著提示标识相关要求；未在生成合成内容传播活动涉及的文件元数据中添加属性信息、传播平台名称或编码、内容编码等传播要素信息；未向用户提供声明生成合成内容的功能等。

【参见：

https://mp.weixin.qq.com/s/l97hl0hcB7Ga6FqSuJ6Odw】

Cyberspace administration investigated mobile applications violating regulations on AI-generated synthetic content labeling

On November 25, the Cyberspace Administration of China（CAC） announced that it recently conducted a concentrated crackdown on mobile applications violating regulations. These apps were subject to measures including official interviews, corrective orders within specified timeframes, and removal from app stores. Primary violations include: (1) AI-generated synthetic service providers failing to add explicit labels to synthetic content; when providing export functions for generated/synthesized content, they failed to add explicit labels to the files; they did not include implicit labels containing production element information such as attribute details, service provider name or code, and content ID in the metadata of generated/synthesized content files; and the placement of implicit labels was non-compliant. (2) Online information content dissemination service providers failed to implement requirements for implicit label verification and adding prominent warning labels around published content; failure to include dissemination element information—such as attribute details, dissemination platform name or code, and content code—in the metadata of files involved in synthetic content dissemination activities; failure to provide users with functionality to declare synthetic content generation.

[Reference:

https://mp.weixin.qq.com/s/l97hl0hcB7Ga6FqSuJ6Odw]

6. 上海通管局下架31款侵害用户权益行为的APP（SDK）

11月26日，上海通信管理局通报下架31款侵害用户权益行为的APP（SDK）。通报称，2025年11月，上海通管局向社会公示了一批存在侵害用户权益行为的APP（SDK）。在规定的整改期限内，经核查复检，尚有31款APP（SDK）未按照要求落实整改，现对上述APP（SDK）采取下架处理。上海通管局将对上述APP（SDK）持续跟踪，视情况进一步采取停止接入、行政处罚、纳入电信业务经营不良名单等后续处理措施。

【参见：

https://mp.weixin.qq.com/s/CH8N8tADK34FHXAzPJQy8Q】

Shanghai Communications Administration removed 31 Apps (SDKs) for violating user rights

On November 26, the Shanghai Communications Administration announced the removal of 31 APPs(SDKs) for infringing upon user rights. The notice stated that in November 2025, the Shanghai Communications Administration publicly disclosed a list of APPs(SDKs) found to violate user rights. After verification and re-inspection within the stipulated rectification period, 31 APPs(SDKs) failed to implement required corrections. These APPs(SDKs) are now being removed from app stores. The Shanghai Communications Administration will continue monitoring these APPs(SDKs) and may impose further measures including access suspension, administrative penalties, or inclusion in the telecom business blacklist as circumstances warrant.

[Reference:

https://mp.weixin.qq.com/s/CH8N8tADK34FHXAzPJQy8Q]

7. 上海通管局通报71款存在侵害用户权益行为的APP（SDK）

11月26日，上海市通信管理局发布《关于侵害用户权益行为APP的通报（2025年第十批）》, 共涉及71款APP（SDK）。这些APP（SDK）所涉问题有：未明示个人信息处理规则、违规收集个人信息、超范围收集个人信息、违规使用个人信息、账号注销难、APP强制、频繁、过度索取权限、APP自启动和关联启动行为、强制用户使用定向推送功能、未妥善处理用户投诉等。

【参见：

https://mp.weixin.qq.com/s/NHuaHKeV9yuCyBh4QKn8FA】

Shanghai Communications Administration notified 71 Apps (SDKs) for violating user rights

On November 26, the Shanghai Communications Administration released the “Notice on Apps Violating User Rights (2025, Tenth Batch),” involving 71 apps (SDKs). Issues identified in these apps (SDKs) include: failure to disclose personal information processing rules, illegal collection of personal information, excessive collection of personal information beyond authorized scope, illegal use of personal information, difficulty in account cancellation, forced, frequent, or excessive permission requests, app self-launch and associated launch behaviors, forcing users to enable targeted push notifications, and inadequate handling of user complaints.

[Reference:

https://mp.weixin.qq.com/s/NHuaHKeV9yuCyBh4QKn8FA]

8. 上海发布《上海市医疗服务类互联网企业网络数据安全和个人信息保护合规指引》

11月25日，上海市网信办发布了《上海市医疗服务类互联网企业网络数据安全和个人信息保护合规指引》。《指引》将适用于上海市行政区域内医疗服务类互联网企业，作为开展网络数据安全和个人信息保护合规管理的指导建议。其中，医疗服务类互联网企业，主要指从事医疗软件开发与维护、医疗服务培训、数字健康服务等业务，利用信息技术为医疗机构、医务人员及患者等提供预约挂号、在线诊疗、健康咨询、电子处方、检验结果查询、医疗信息发布、医疗数据分析等服务的企业。

【参见：

https://mp.weixin.qq.com/s/K3_OzeO6IpsTngo7vW5ULw】

Shanghai released “Compliance Guideline for Cyber Data Security and Personal Information Protection of Internet Enterprises Providing Healthcare Services in Shanghai”（《上海市医疗服务类互联网企业网络数据安全和个人信息保护合规指引》）

On November 25, the Shanghai Cyberspace Administration released the “Compliance Guideline for Cyber Data Security and Personal Information Protection of Internet Enterprises Providing Healthcare Services in Shanghai.”（《上海市医疗服务类互联网企业网络数据安全和个人信息保护合规指引》）The Guideline apply to healthcare-related internet enterprises within Shanghai’s administrative region, serving as advisory recommendations for implementing compliance management in network data security and personal information protection. Healthcare-related internet enterprises primarily refer to those engaged in medical software development and maintenance, healthcare service training, digital health services, and other related businesses. These enterprises utilize information technology to provide services such as appointment scheduling, online diagnosis and treatment, health consultations, electronic prescriptions, test result inquiries, medical information dissemination, and medical data analysis to healthcare institutions, medical personnel, and patients.

[Reference:

https://mp.weixin.qq.com/s/K3_OzeO6IpsTngo7vW5ULw]

9. 全国网安标委就个人信息识别、去标识化、匿名化三项网络安全标准实践指南公开征求意见

11月24日，全国网安标委发布《个人信息保护个人信息识别指南（征求意见稿）》《个人信息保护个人信息去标识化指南（征求意见稿）》《个人信息保护个人信息匿名化指南（征求意见稿）》等3项网络安全标准实践指南，面向社会公开征求意见。三项指南分别可为个人信息处理者识别个人信息、实施去标识化、进行有效的匿名化处理提供指引。

【参见：

https://mp.weixin.qq.com/s/HKL9XhCyE445mj-PzgdsmA】

TC260 sought public comments on three cybersecurity practice guidelines for personal information identification, de-identification, and anonymization

On November 24, the TC260 released three cybersecurity standard practice guides: “Personal Information Protection - Personal Information Identification Guide (Draft for Comment)” （《个人信息保护个人信息识别指南》）, “Personal Information Protection - Personal Information De-identification Guide (Draft for Comment)” （《个人信息保护个人信息去标识化指南》）, and “Personal Information Protection - Personal Information Anonymization Guide (Draft for Comment)”（《个人信息保护个人信息匿名化指南》）. These guides respectively provide guidance for personal information processors on identifying personal information, implementing de-identification, and conducting effective anonymization.

[Reference:

https://mp.weixin.qq.com/s/HKL9XhCyE445mj-PzgdsmA]

10. 上海网信办开展“AI滥用”专项执法工作

11月24日，上海网信办发布资讯称，上海市网信办在执法办案工作中发现，部分企业开发使用生成式人工智能功能，未依法开展安全评估工作、未采取必要的安全防护措施防范违规信息生成、未采取限制措施防止被滥用，导致相关功能被用于“换脸变声”“变装造假”等侵犯他人个人信息权益行为，产出“开盒”“洗钱”等违法违规内容，以及生成色情低俗图片等信息内容。“整治AI滥用”为“亮剑浦江·2025”专项执法行动的年度治理重点，下一步，上海市网信办将巩固专项行动成果，持续对“AI滥用”“算法推荐”等存在侵犯个人信息权益、危害网络生态的违法违规行为予以重点打击和纠治。

【参见：

https://mp.weixin.qq.com/s/rO8DnpkrDlCqVyigrM0CAg】

Shanghai Cyberspace Administration launched special enforcement campaign against AI abuse

On November 24, the Shanghai Cyberspace Administration announced that during law enforcement operations, it discovered certain enterprises developing and utilizing generative AI functionalities without conducting mandatory security assessments, failing to implement necessary safeguards against illegal content generation, and neglecting restrictions to prevent misuse. This led to such functionalities being exploited for “face-swapping and voice-altering” “impersonation and forgery” and other violations of personal information rights. These entities also produced illegal content such as “unboxing” and “money laundering” videos, as well as generated pornographic and vulgar images. “Addressing AI Abuse” is a key focus of the “Sharp Sword Pujiang 2025” special enforcement campaign. Moving forward, the Shanghai Cyberspace Administration will consolidate the campaign’s achievements and continue to prioritize cracking down on and rectifying illegal activities that infringe upon personal information rights and endanger the online ecosystem, including “AI abuse” and “algorithm recommendations.”

[Reference:

https://mp.weixin.qq.com/s/rO8DnpkrDlCqVyigrM0CAg]

1. 欧洲议会通过关于未成年人网络保护的报告，呼吁将欧盟数字最低年龄设置为16岁

11月26日，欧盟议会通过了一项非立法性质的报告，表现出对未成年人于网络环境中面临的生理与心理健康风险的深度担忧，呼吁建立更强的保护措施应对增加儿童成瘾性的操作行为，这些行为可能会加剧网络成瘾，损害儿童集中注意力和健康地接触网络内容的能力。欧洲议会提议，应将欧盟允许访问社交媒体、视频分享平台和人工智能伙伴的最低年龄统一为16岁，同时允许13至16岁的青少年在获得父母同意的情况下访问这些平台。

【参见：

https://www.europarl.europa.eu/news/en/press-room/20251120IPR31496/children-should-be-at-least-16-to-access-social-media-say-meps】

European Parliament adopted report on the Protection of Minors Online, proposes setting EU digital minimum age at 16

On November 26, the European Parliament adopted a non-legislative report expressing deep concern over the physical and mental health risks minors face in the online environment. It calls for stronger protective measures against practices designed to increase minors addictive behavior, which may exacerbate internet addiction and impair minors ability to concentrate and engage healthily with online content. The European Parliament proposes unifying the EU digital minimum age for accessing social media, video-sharing platforms, and AI companions at 16 years old, while permitting adolescents aged 13 to 16 to access these platforms with parental consent.

[Reference:

https://www.europarl.europa.eu/news/en/press-room/20251120IPR31496/children-should-be-at-least-16-to-access-social-media-say-meps]

2. 欧盟委员会依据《数字服务法》要求Shein提供非法商品销售信息

11月26日，欧盟委员会依据《数字服务法》(DSA)向Shein发出信息请求。此前有初步迹象表明，该平台存在销售非法商品的行为，特别是儿童造型性玩偶和武器类商品。欧盟委员会现正式要求该平台提供详细信息及内部文件，说明其如何确保未成年人免受不适龄内容侵害（特别是通过年龄验证措施），以及如何防止非法商品在其平台流通。委员会同时要求Shein说明所采取的风险缓解措施的有效性。

【参见：

https://ec.europa.eu/commission/presscorner/detail/en/mex_25_2816】

European Commission requested Shein to provide information on the sale of illegal products under the Digital Services Act

On November 26, the European Commission has sent a request for information to Shein under the Digital Services Act (DSA), following preliminary indications that illegal goods, particularly child-like sex dolls and weapons, are being offered on the marketplace.The Commission is now formally asking the platform to provide detailed information and internal documents on how it ensures that minors are not exposed to age-inappropriate content, in particular through age assurance measures, as well as how it prevents the circulation of illegal products on its platform. The Commission is also inquiring about the effectiveness of such mitigation measures adopted by Shein.

[Reference:

https://ec.europa.eu/commission/presscorner/detail/en/mex_25_2816]

3. 马来西亚计划禁止16岁以下人群使用社交媒体

马来西亚政府计划对社交媒体用户设置年龄限制，将从明年起禁止16岁以下青少年使用社交媒体。马来西亚通信部长近日表示，政府正在研究澳大利亚等国做法，希望明年开始实施相关限制措施，以保护青少年免受网络霸凌、诈骗等。届时，根据马来西亚政府规定，社交媒体平台将禁止16岁以下人群开设账户。

【参见：

https://mp.weixin.qq.com/s/4adxtRQ68pvWphNCLhqAwg】

Malaysia plans to ban social media use for those under 16

The Malaysian government plans to impose age restrictions on social media users, banning teenagers under 16 from using social media starting next year. Malaysia's Communications Minister recently stated that the government is studying approaches adopted by countries like Australia, aiming to implement relevant restrictions next year to protect youth from cyberbullying, fraud, and other risks. Under the Malaysian government's regulations, social media platforms will be prohibited from allowing individuals under 16 to create accounts.

[Reference:

https://mp.weixin.qq.com/s/4adxtRQ68pvWphNCLhqAwg]