Law Firm News

Data Law Weekly (20251208-20251214)

Published: 2025-12-15

Author: Attorney Chen Jiawei (陈嘉伟) et al.

Source: 至融至泽

Contents

I. Domestic news

1. Mandatory National Standard GB 46864-2025 “Data Security Technology - Technical Requirements for Information Sanitization of Electronic Products” issued

2. Ministry of Public Security’s Cybersecurity Bureau announced a penalty case for failure to fulfill statutory data security protection obligations

3. MIIT issued notice on 24 Apps (SDKs) violating user rights

4. Shanghai Communications Administration notified 750 Apps with violations in 2025

5. Energy Industry Data Security Management Measures (Trial) issued

II. Overseas news

1. US President Trump signed Executive Order “Ensuring a National Policy Framework for Artificial Intelligence”

2. Vietnam passed the Artificial Intelligence Law

3. Australia’s social media ban for children takes effect

Domestic news

1. Mandatory National Standard GB 46864-2025 “Data Security Technology - Technical Requirements for Information Sanitization of Electronic Products” issued

Recently, the mandatory national standard GB 46864-2025 “Data Security Technology - Technical Requirements for Information Sanitization of Electronic Products” was issued; it will take effect on January 1, 2027. The standard specifies basic requirements and functional requirements for information sanitization of electronic products, as well as process requirements for information sanitization of second-hand electronic products. It applies to electronic products with non-volatile storage media that are produced or sold for the domestic market, to electronic product manufacturers and third parties developing information sanitization functions for electronic products, and to recycling operators sanitizing second-hand electronic products. The standard does not apply to electronic products that handle state secrets; such products are governed by the relevant national confidentiality regulations.

[Reference: http://c.gb688.cn/bzgk/gb/showGb?type=online&hcno=5C4386F0FACDE55499DA42891EA3A9D5]

2. Ministry of Public Security’s Cybersecurity Bureau announced a penalty case for failure to fulfill statutory data security protection obligations

On December 10, the Cybersecurity Bureau of the Ministry of Public Security announced a penalty case involving failure to fulfill statutory data security protection obligations. In this case, the management platform of an entity in Fushun City, Liaoning Province, was illegally intruded into. While solving the case, the cybersecurity authorities carried out a comprehensive law enforcement inspection of the intruded entity’s data security protections. The inspection found that the entity had seriously failed to fulfill multiple statutory obligations in its data security work: it had not established a full-process security management system covering data collection, storage, use, transmission and other stages; it had never organized dedicated data security education and training; it had not deployed necessary technical safeguards such as firewalls and intrusion detection; and it routinely processed and stored large volumes of data while its protection system was weak. In the end, the cybersecurity authorities penalized the entity under relevant provisions of the Data Security Law, including the requirement that “network operators shall fulfill security protection obligations in accordance with the requirements of the cybersecurity multi-level protection system.”

[Reference: https://mp.weixin.qq.com/s/1SN3DJpeWt8g3F-1JYEEng]

3. MIIT issued notice on 24 Apps (SDKs) violating user rights

On December 9, the Department of Communications of the Ministry of Industry and Information Technology (MIIT) released the “Notice on Apps (SDKs) Violating User Rights” (Batch 8 of 2025, Total Batch 53), which covers a total of 24 Apps (SDKs). The issues identified in these Apps (SDKs) include: failure to clearly present the list of personal information collected; collection of personal information in violation of the rules; apps forcibly, frequently, or excessively requesting permissions; deceiving or misleading users into providing personal information; information windows redirecting arbitrarily when clicked; collecting personal information beyond the permitted scope; and inadequate disclosure of SDK information.

[Reference: https://mp.weixin.qq.com/s/yRC9C2LeYNzStIweGFM9zw]

4. Shanghai Communications Administration notified 750 Apps with violations in 2025

On December 9, the Shanghai Communications Administration announced that in 2025 it steadily advanced its regulatory work on protecting personal information and user rights in apps in the telecommunications and internet sectors, tightening the protection net for app users’ rights and establishing a closed-loop oversight mechanism of “identify issues - notify for rectification - remove from shelves”. During 2025, the Administration remotely sample-tested more than 5,000 apps, issued notifications for 750 apps with violations, and removed from shelves, in accordance with the law, 207 apps that failed to implement the required rectifications.

[Reference: https://mp.weixin.qq.com/s/5FyWc6DfZq1Ed_seuVN-Gg]

5. Energy Industry Data Security Management Measures (Trial) issued

On December 8, the National Energy Administration issued the Energy Industry Data Security Management Measures (Trial). Energy industry data refers to data collected and generated in the course of energy activities. Energy activities mainly include energy-related planning, design, construction, production, storage and transportation, consumption, and scientific research. When carrying out data processing activities, energy data processors shall establish and improve data security management systems that clearly define the management requirements for each stage of the full data lifecycle, and shall regularly organize education and training on energy industry data security knowledge and skills.

[Click to view the full text of the Measures: https://www.nea.gov.cn/20251212/f8ee9d3f829641cb9cc4f1e9405e794a/c.html]

Overseas news

1. US President Trump signed Executive Order “Ensuring a National Policy Framework for Artificial Intelligence”

On December 11, US President Trump signed the Executive Order “Ensuring a National Policy Framework for Artificial Intelligence”. The order aims to give US AI companies room to innovate free from cumbersome regulation by establishing a single, minimally burdensome national regulatory standard rather than 50 different state-level standards. The resulting policy framework must forbid state laws that conflict with the policy set forth in the order. The framework should also ensure that children are protected, censorship is prevented, copyrights are respected, and communities are safeguarded. The order provides for an AI Litigation Task Force led by the Attorney General, whose sole responsibility is to bring lawsuits against state AI laws that are inconsistent with the policy in the order.

[Reference: https://www.whitehouse.gov/presidential-actions/2025/12/eliminating-state-law-obstruction-of-national-artificial-intelligence-policy/]

2. Vietnam passed the Artificial Intelligence Law

On December 10, the Vietnamese National Assembly deliberated and passed the Artificial Intelligence Law, which will take effect on March 1 next year. This is the first time Vietnam has enacted a dedicated law on artificial intelligence, and it makes Vietnam one of the few countries with a comprehensive legal framework for AI. The law applies to Vietnamese and foreign organizations and individuals engaged in AI activities in Vietnam. It classifies AI systems into three risk levels (low, medium, and high) and includes provisions on prohibited acts. High-risk systems must undergo a compliance assessment before being put into use or when significant changes occur. Providers and deployers of medium-risk systems must fulfill transparency obligations, and users must comply with labeling obligations. Providers of low-risk systems are required to give explanations only when suspected of violating the law or harming rights and interests; users must use such systems lawfully and bear responsibility for their own use.

[Click to view the full text of the law: https://duthaoonline.quochoi.vn/dt/luat-tri-tue-nhan-tao/251009091536864496]

3. Australia’s social media ban for children takes effect

On December 10, Australia’s social media ban for children under 16 officially took effect. Australia passed the “Online Safety Amendment (Social Media Minimum Age) Bill 2024” in November 2024. The legislation provides that social media platforms meeting specified conditions must set a minimum age limit, and that platform providers must take reasonable measures to prevent children below the minimum age from holding accounts. The current minimum age is 16. Under the legislation, companies that fail to take reasonable measures to prevent age-restricted users from holding platform accounts face fines of up to approximately AUD 49.5 million. Ten social media platforms are on the list of platforms required to enforce the ban: Facebook, Instagram, Snapchat, TikTok, YouTube, X, Threads, Reddit, Kick and Twitch.

[Reference: https://www.oaic.gov.au/privacy/your-privacy-rights/social-media-minimum-age]