Data Law Weekly (20250113-20250119)
Published: 2025-01-20
Authors: 陈嘉伟 张功俐
Source: 至融至泽
I. Domestic news
1. The CAC launches the “Qinglang: 2025 Spring Festival Online Environment Rectification” special action (“清朗·2025年春节网络环境整治”专项行动)
2. Multiple issues discovered during on-site inspections of network and information security in the securities and futures industry in 2024
3. The National Financial Regulatory Administration issued the Interim Measures for the Supervision and Administration of Small Loan Companies (“《小额贷款公司监督管理暂行办法》”)
4. The National Development and Reform Commission and other departments issued a notice on the Implementation Plan on Improving the Security Governance of Data Circulation and Better Promoting the Marketization and Valorization of Data Elements (“《关于完善数据流通安全治理 更好促进数据要素市场化价值化的实施方案》”)
5. The Ministry of Industry and Information Technology issued a notice on Strengthening the Security Protection of Customer Data in Internet Data Centers (“《关于加强互联网数据中心客户数据安全保护的通知》”)
6. The National Computer Virus Emergency Response Center notified 16 non-compliant mobile applications
7. The National Development and Reform Commission and other departments issued the Implementation Opinions on Promoting High-Quality Development of Data Labeling Industry (“《关于促进数据标注产业高质量发展的实施意见》”)
II. Overseas news
1. NOYB filed complaints against TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi for unlawful data transfers to China
2. The U.S. issued the Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity
3. The U.S. Department of Commerce issued a final rule to safeguard America from national security risks of connected vehicle technology from China and Russia
4. The U.S. issued an interim final rule, Ensuring U.S. Security and Economic Strength in the Age of Artificial Intelligence
I. Domestic news
1. The CAC launches the “Qinglang: 2025 Spring Festival Online Environment Rectification” special action (“清朗·2025年春节网络环境整治”专项行动)
On January 19, the CAC issued a notice launching, effective immediately, a one-month special action to rectify the online environment for the 2025 Spring Festival. The special action focuses on six issues: provoking extreme confrontation, fabricating false information, promoting vulgarity, advocating undesirable culture, driving traffic to illegal activities, and infringing on consumers' rights and interests.
[https://mp.weixin.qq.com/s/rgteOEUsc7Kdrc-EJJXa-g]
2. Multiple issues discovered during on-site inspections of network and information security in the securities and futures industry in 2024
On January 18, according to media reports, regulators recently notified the industry of a number of prominent and common problems found in the 2024 on-site inspections of network and information security in the securities and futures industry. From September to October 2024, the CSRC organized special inspections of the industry's network and information security. According to the on-site inspections, some industry institutions have certain risks and hidden dangers in implementing the responsibility system for network security work, managing networks and important information systems, emergency management, outsourcing management, and the use of licensed software.
[https://www.cls.cn/detail/1922902]
3. The National Financial Regulatory Administration issued the Interim Measures for the Supervision and Administration of Small Loan Companies (“《小额贷款公司监督管理暂行办法》”)
On January 17, the National Financial Regulatory Administration issued the Interim Measures for the Supervision and Administration of Small Loan Companies (“《小额贷款公司监督管理暂行办法》”). On corporate governance and risk management, the Measures emphasize that small loan companies should strengthen network security management, data security management, business continuity management and information technology outsourcing management. The internet business information system used by an online small loan company shall meet network security and data security management requirements, and shall be set up by the online small loan company, which shall hold complete data permissions over it.
[https://www.nfra.gov.cn/cn/view/pages/governmentDetail.html?docId=1195616&itemId=861&generaltype=1]
4. The National Development and Reform Commission and other departments issued a notice on the Implementation Plan on Improving the Security Governance of Data Circulation and Better Promoting the Marketization and Valorization of Data Elements (“《关于完善数据流通安全治理 更好促进数据要素市场化价值化的实施方案》”)
On January 15, the National Development and Reform Commission and other departments issued a notice on the Implementation Plan on Improving the Security Governance of Data Circulation and Better Promoting the Marketization and Valorization of Data Elements (“《关于完善数据流通安全治理 更好促进数据要素市场化价值化的实施方案》”). The Implementation Plan proposes to clarify the security rules for enterprise data circulation, strengthen the security management of public data circulation, strengthen safeguards for personal data circulation, improve the mechanism for defining responsibility for data circulation security, strengthen the application of data circulation security technology, enrich the supply of data circulation security services, and guard against the risk of data misuse.
[https://mp.weixin.qq.com/s/e4anaxSBKBrRe2F4cNtDoA]
5. The Ministry of Industry and Information Technology issued a notice on Strengthening the Security Protection of Customer Data in Internet Data Centers (“《关于加强互联网数据中心客户数据安全保护的通知》”)
On January 14, the General Office of the Ministry of Industry and Information Technology issued the Notice on Strengthening the Security Protection of Customer Data in Internet Data Centers (“《关于加强互联网数据中心客户数据安全保护的通知》”), which requires building up customer data security capabilities and raising the level of customer data security protection. The Notice requires security responsibilities to be made explicit: contracts and agreements signed with customers, third-party service providers and others must set out each party's data security protection responsibilities and obligations according to the mode and content of cooperation. It also calls for strengthening internal rules and organizational safeguards, tightening customer management, and improving security protection capabilities. The Implementation Guidelines for Customer Data Security Protection in Internet Data Centers were issued together with the Notice.
[https://wap.miit.gov.cn/jgsj/waj/wjfb/art/2025/art_0ba3ad6a2bb94d0c9c0e466fdb8ca48d.html]
6. The National Computer Virus Emergency Response Center notified 16 non-compliant mobile applications
On January 13, the National Computer Virus Emergency Response Center notified 16 non-compliant mobile applications. The violations involved in these apps mainly include:
(1) The privacy policy is difficult to access and does not state the basic information of the app operator;
(2) The privacy policy does not list, item by item, the purpose, manner, and scope of the collection and use of personal information by the app (including commissioned third parties or embedded third-party code and plug-ins);
(3) Where a personal information processor provides personal information it processes to other personal information processors, it fails to inform the individual of the recipient's name, contact information, purpose of processing, manner of processing, and the types of personal information, and fails to obtain the individual's separate consent;
(4) The app fails to establish and publicize channels for complaints and reports on personal information security;
(5) The personal information processor does not provide a convenient way to withdraw consent; or it provides users with ways and means to withdraw consent to the collection of personal information but does not specify them in the privacy policy or other collection and use rules;
(6) Sensitive personal information is processed without obtaining the individual's separate consent;
(7) Personal information of minors under the age of fourteen is processed without dedicated personal information processing rules having been formulated.
[https://www.cverc.org.cn/zxdt/report20250113.htm]
7. The National Development and Reform Commission and other departments issued the Implementation Opinions on Promoting High-Quality Development of Data Labeling Industry (“《关于促进数据标注产业高质量发展的实施意见》”)
On January 13, the National Development and Reform Commission and other departments issued the Implementation Opinions on Promoting the High-Quality Development of the Data Labeling Industry (“《关于促进数据标注产业高质量发展的实施意见》”), proposing to promote the high-quality development of the data labeling industry. The Implementation Opinions point to the need to release public data labeling demand, tap enterprise data labeling demand, improve data labeling standards, focus on growing market entities, cultivate a number of leading data labeling enterprises, encourage them to grow bigger and stronger through resource integration, mergers and acquisitions, and restructuring, and promote the large-scale, standardized and intensive development of data labeling enterprises.
[https://www.ndrc.gov.cn/xxgk/zcfb/tz/202501/t20250113_1395643.html]
II. Overseas news
1. NOYB filed complaints against TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi for unlawful data transfers to China
On January 16, NOYB, an Austrian privacy protection organization, filed GDPR complaints against TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi for unlawful data transfers to China. It requests that the data protection authorities immediately order the suspension of data transfers to China, as the country does not provide an essentially equivalent level of data protection under Articles 44 and 46 GDPR. NOYB also requests that the companies bring their processing into compliance with the GDPR. Finally, NOYB asks the DPAs to impose an administrative fine to prevent similar violations in the future.
[https://noyb.eu/en/tiktok-aliexpress-shein-co-surrender-europeans-data-authoritarian-china]
2. The U.S. issued the Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity
On January 16, the U.S. government issued the Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity, in which it noted that adversarial countries and criminals continue to conduct cyber campaigns targeting the United States and Americans, with the People’s Republic of China presenting the most active and persistent cyber threat to United States Government, private sector, and critical infrastructure networks. The Executive Order calls for additional actions to improve U.S. cybersecurity, focusing on defending digital infrastructure, securing the services and capabilities most vital to the digital domain, and building capability to address key threats, including those from the People’s Republic of China. Its measures cover improving accountability for software and cloud service providers, strengthening the security of Federal communications and identity management systems, and promoting innovative developments and the use of emerging technologies for cybersecurity across executive departments and agencies and with the private sector.
[https://www.whitehouse.gov/briefing-room/presidential-actions/2025/01/16/executive-order-on-strengthening-and-promoting-innovation-in-the-nations-cybersecurity/]
3. The U.S. Department of Commerce issued a final rule to safeguard America from national security risks of connected vehicle technology from China and Russia
On January 14, the U.S. Department of Commerce issued a final rule that will prohibit the sale and import of connected vehicle hardware and software systems, as well as completed connected vehicles, from the PRC and Russia. The final rule will prohibit the import or sale of certain connected vehicle systems designed, developed, manufactured, or supplied by entities with ties to the PRC or Russia. This includes vehicle connectivity systems (VCS), or systems and components that connect vehicles to the outside world – including via Bluetooth, cellular, satellite, and Wi-Fi modules – and automated driving systems (ADS). The rule includes restrictions on the import or sale of connected vehicles using VCS and ADS software, as well as imports of VCS hardware equipment. Restrictions on software will take effect for Model Year 2027 and restrictions on hardware will take effect for Model Year 2030. The rule also includes a prohibition on the sale of connected vehicles in the United States by entities that are owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia – even if those vehicles were made in the United States. That prohibition will take effect with Model Year 2027.
[https://www.whitehouse.gov/briefing-room/statements-releases/2025/01/14/fact-sheet-safeguarding-america-from-national-security-risks-of-connected-vehicle-technology-from-china-and-russia/]
4. The U.S. issued an interim final rule, Ensuring U.S. Security and Economic Strength in the Age of Artificial Intelligence
On January 13, the U.S. government issued an interim final rule, Ensuring U.S. Security and Economic Strength in the Age of Artificial Intelligence. The six key mechanisms in the rule include:
(1) No restrictions apply to chip sales to 18 key allies and partners.
(2) Chip orders with collective computation power up to roughly 1,700 advanced GPUs do not require a license and do not count against national chip caps.
(3) Entities that meet high security and trust standards and are headquartered in close allies and partners can obtain highly trusted “Universal Verified End User” (UVEU) status. With this status, they can then place up to 7% of their global AI computational capacity in countries around the world – likely amounting to hundreds of thousands of chips.
(4) Entities that meet the same security requirements and are headquartered in any destination that is not a country of concern can apply for “National Verified End User” status, enabling them to purchase computational power equivalent to up to 320,000 advanced GPUs over the next two years.
(5) Non-VEU entities located outside of close allies can still purchase large amounts of computational power, up to the equivalent of 50,000 advanced GPUs per country.
(6) Government-to-government arrangements cultivate an international ecosystem of shared values regarding the development, deployment, and use of AI. Governments that sign these arrangements – which align those nations’ export control, clean energy, and technology security efforts with the United States – can double their chip caps (up to 100,000 of today’s advanced GPUs).
[https://www.whitehouse.gov/briefing-room/statements-releases/2025/01/13/fact-sheet-ensuring-u-s-security-and-economic-strength-in-the-age-of-artificial-intelligence/]
The End