Firm news
Data Law Weekly (20251201—20251207)
Published: 2025-12-08
Author: Chen Jiawei (陈嘉伟), attorney, et al.
Source: 至融至泽
I. Domestic news
1. CAC released the “Measure for Cyber Data Security Risk Assessment (Draft for Comment)” (《网络数据安全风险评估办法(征求意见稿)》)
2. National Cybersecurity Notification Center reported 69 mobile apps for illegal collection and use of personal information
3. Shanghai released five typical cases of failure to fulfill personal information protection obligations
II. Overseas news
1. EU fined X €120 million under the Digital Services Act
2. EU published implementing regulation for the Cyber Resilience Act
I. Domestic news
1. CAC released the “Measure for Cyber Data Security Risk Assessment (Draft for Comment)” (《网络数据安全风险评估办法(征求意见稿)》)
On December 6, the Cyberspace Administration of China (CAC) released the “Measure for Cyber Data Security Risk Assessment (Draft for Comment)” (《网络数据安全风险评估办法(征求意见稿)》). The Measure applies to cyber data security risk assessments conducted within the territory of the People’s Republic of China, where a cyber data security risk assessment refers to activities such as risk identification, risk analysis and risk evaluation concerning the security of cyber data and cyber data processing activities. The Measure stipulates that cyber data processors handling important data shall conduct a risk assessment of their cyber data processing activities every year, and encourages processors handling general data to conduct a risk assessment at least once every three years.
[Reference: https://mp.weixin.qq.com/s/mVQNdtHfmSem4C-bLwlrew]
2. National Cybersecurity Notification Center reported 69 mobile apps for illegal collection and use of personal information
On December 4, the National Cybersecurity Notification Center publicly reported 69 mobile applications found to be collecting and using personal information in violation of laws and regulations. The problems identified in these apps include: not prompting users, through a pop-up or other prominent means, to read the privacy policy and other collection and use rules when the app is first run; privacy policies that do not itemize the purposes, methods and scope of personal information collection and use by the app (including commissioned third parties and embedded third-party code or plug-ins); when providing personal information to other personal information processors, not informing individuals of the recipient’s name, contact details, processing purpose, processing method and the types of personal information involved, and not obtaining the individual’s separate consent; beginning to collect personal information, or enabling permissions that allow such collection, before obtaining user consent; not providing effective functions for correcting and deleting personal information and cancelling user accounts; not providing a convenient way to withdraw consent; not adopting security measures such as encryption and de-identification; and having no privacy policy at all, among other issues.
[Reference: https://mp.weixin.qq.com/s/hQ8bOf5-_OpTRz5wt6EJGQ]
3. Shanghai released five typical cases of failure to fulfill personal information protection obligations
On December 1, the Shanghai cyberspace administration and market supervision authorities jointly released five typical cases of failure to fulfill personal information protection obligations. The violations involved in these cases include: failing to adopt technical and other necessary measures to safeguard data security in the enterprises’ information systems; failing to encrypt user data; failing to establish cybersecurity and data security management systems; failing to conduct cybersecurity level protection assessments; retaining network logs for less than six months; not configuring password policies for databases; not configuring cybersecurity protection measures for systems, leaving unauthorized access vulnerabilities; coercing consumers, in disguised form, into consenting to the collection of personal information not directly related to business activities; and illegally using consumers’ personal information.
[Reference: https://mp.weixin.qq.com/s/vmqhYgpgB4zQgIWGHEc4-Q]
II. Overseas news
1. EU fined X €120 million under the Digital Services Act
On December 5, the European Commission announced a fine of €120 million against X for breaching its transparency obligations under the Digital Services Act (DSA). The breaches include the deceptive design of its “blue checkmark”, the lack of transparency of its advertising repository, and the failure to give researchers access to public data. This is the first non-compliance decision issued by the European Commission under the DSA.
[Reference: https://ec.europa.eu/commission/presscorner/detail/en/ip_25_2934]
2. EU published implementing regulation for the Cyber Resilience Act
On December 1, the EU published an implementing regulation for the Cyber Resilience Act (Regulation (EU) 2025/2392). The Act classifies products with digital elements, according to their cybersecurity risk, into non-important, Important and Critical products, and Important products are further divided into Class I and Class II. The newly published implementing regulation provides detailed technical descriptions of the Important and Critical products under the Act, which include, but are not limited to, identity management systems, browsers, password managers, network interfaces, firewalls, smart home products and wearable health monitoring devices.
[Reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202502392]