每周数据法律资讯 DataLaw Weekly（20250324-20250330）

1、国家数据局发布《数据领域常用名词解释（第二批）》

3月29日，国家数据局发布《数据领域常用名词解释（第二批）》，包括对数据产权、数据持有权、数据使用权、数据经营权等概念的解释。

【点击查阅全部名词解释：

https://mp.weixin.qq.com/s/hOkPNr-tVnzlkJfxs2e3hw】

1. The National Data Administration released “Explanation of Common Terms Used in the Data Field (Second Batch)”

On March 29, the National Data Administration released “Explanation of Common Terms Used in the Data Field (Second Batch)”, including explanations of concepts such as data property rights, data possession rights, data usage rights, and data management rights.

[Click to view all term explanations:

https://mp.weixin.qq.com/s/hOkPNr-tVnzlkJfxs2e3hw]

2、国家网信办发布《网络安全法（修正草案再次征求意见稿）》

3月28日，国家网信办发布了《网络安全法（修正草案再次征求意见稿）》。本次《网络安全法》修改的主要内容包括：

（1）关于网络运行安全的法律责任。增加造成大量数据泄露、关键信息基础设施丧失局部功能等严重危害网络安全后果的和造成关键信息基础设施丧失主要功能等特别严重危害网络安全后果的情形，并参照《数据安全法》调整了现行《网络安全法》第五十九条罚款幅度，增加相应处罚规定；新增销售或者提供未经安全认证、安全检测或者安全认证不合格、安全检测不符合要求的网络关键设备和网络安全专用产品的法律责任；明确关键信息基础设施运营者使用未经安全审查或者安全审查未通过的网络产品或者服务行为的处置处罚措施。

（2）关于网络信息安全的法律责任。完善现行《网络安全法》第六十八条、第六十九条针对的违法情形，调整未向有关主管部门报告和不按照有关部门的要求对法律、行政法规禁止发布或者传输的信息停止传输、采取消除等处置措施情形的法律责任，明确对造成特别严重影响、特别严重后果的违法情形的处置处罚措施。

（3）关于个人信息和重要数据安全的法律责任。对现行《网络安全法》第六十四条第一款、第六十六条涉及的个人信息和重要数据违法行为的处罚作出了新的专门规定，明确转致适用的规定。

（4）关于从轻、减轻或者不予行政处罚的情形。新增一条衔接规定，明确网络运营者存在主动消除或者减轻违法行为危害后果、违法行为轻微并及时改正且没有造成危害后果或者初次违法且危害后果轻微并及时改正等情形的，依法从轻、减轻或者不予处罚。

【点击查阅征求意见稿全文：

https://mp.weixin.qq.com/s/GouWZ0PAPYHB2EI8BFsdUA】

2. The CAC released the “Cybersecurity Law (Revised Draft for Further Solicitation of Opinions)”（《网络安全法（修正草案再次征求意见稿）》）

On March 28, the CAC released the“Cybersecurity Law (Revised Draft for Further Solicitation of Opinions)”. The main revisions to the Cybersecurity Law include:

(1) Legal liability for network operation security. The circumstances that cause serious harm to network security, such as massive data leaks and the loss of partial functions of critical information infrastructure, and those that cause particularly serious harm to network security, such as the loss of key functions of critical information infrastructure, and adjusted the penalty range of Article 59 of the current Cybersecurity Law with reference to the Data Security Law, adding corresponding punishment provisions; newly added legal liability for selling or providing network critical equipment and network security-specific products that have not passed security certification, security testing, or have failed security certification or security testing; and clarified the punishment measures for operators of critical information infrastructures who use network products or services that have not passed security review or have failed security review.

(2) Legal liability for network information security. The illegal circumstances targeted by Articles 68 and 69 of the current Cybersecurity Law are improved, and the legal liability for failure to report to the relevant competent authorities and failure to stop transmitting or take measures such as eliminating information prohibited from being published or transmitted by laws and administrative regulations in accordance with the requirements of the relevant departments is adjusted. The penalties for illegal circumstances that have caused particularly serious impacts and consequences are clarified.

(3) Legal liability for the security of personal information and important data. New special provisions have been made on the penalties for violations of personal information and important data as covered in Article 64(1) and Article 66 of the current Cyber Security Law, and the provisions on transfer of application have been clarified.

(4) Circumstances in which administrative penalties may be reduced, mitigated or not imposed. A new bridging provision has been added to clarify that if a network operator takes the initiative to eliminate or mitigate the harmful consequences of an illegal act, the illegal act is minor and is promptly corrected without causing harmful consequences, or the illegal act is committed for the first time and the harmful consequences are minor and promptly corrected, etc., the penalty may be reduced, mitigated or not imposed according to law.

[Click to view the full text of the draft for comments:

https://mp.weixin.qq.com/s/GouWZ0PAPYHB2EI8BFsdUA]

3、中央网信办、工业和信息化部、公安部、市场监管总局关于开展2025年个人信息保护系列专项行动的公告

3月28日，中央网信办、工业和信息化部、公安部、市场监管总局联合发布关于开展2025年个人信息保护系列专项行动的公告，明确将进一步深入治理常用服务产品和常见生活场景中存在的违法违规收集使用个人信息典型问题。重点问题包括：App（含小程序、公众号、快应用）违法违规收集使用个人信息；SDK违法违规收集使用个人信息；智能终端违法违规收集使用个人信息；公共场所违法违规收集使用人脸识别信息；线下消费场景违法违规收集使用个人信息；个人信息相关违法犯罪案件。

【全文链接：
 

https://mp.weixin.qq.com/s/a5YtWnnA1CsnxLS-z1neHg】

3. Announcement of the CAC, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation on launching a series of special actions for personal information protection in 2025

On March 28, the CAC, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation jointly issued an announcement on launching a series of special actions for personal information protection in 2025, clarifying that they will further intensify efforts to address typical problems of illegal collection and use of personal information in commonly used service products and common life scenarios. Key issues include: illegal collection and use of personal information by apps (including mini-programs, official accounts, and quick apps); illegal collection and use of personal information by SDK; illegal collection and use of personal information by smart terminals; illegal collection and use of face recognition information in public places; illegal collection and use of personal information in offline consumption scenarios; and personal information-related criminal cases.

[Full text link: 
 

https://mp.weixin.qq.com/s/a5YtWnnA1CsnxLS-z1neHg]

4、上海市网信办发布《上海市网络数据分类分级和重要数据目录管理办法（征求意见稿）》

3月28日，上海市网信办发布了《上海市网络数据分类分级和重要数据目录管理办法（征求意见稿）》。办法适用于在上海市范围内开展的各行业、各领域的网络数据分类分级规则制定、网络数据分类分级实践、重要数据识别处理、网络数据安全保护体系建立等工作及其安全监管行为。

【全文链接：
 

https://mp.weixin.qq.com/s/sg10kB6ahFsPTpbv4rmOCA】

4. Shanghai Cyberspace Administration released the“Measures for the Classification and Grading of Network Data and the Catalogue of Important Data in Shanghai (Draft for Soliciting Opinions)”(《上海市网络数据分类分级和重要数据目录管理办法（征求意见稿）》)

On March 28, the Shanghai Cyberspace Administration released the“Measures for the Classification and Grading of Network Data and the Catalogue of Important Data in Shanghai (Draft for Comment)”. The measures apply to the formulation of rules for the classification and grading of network data, the practice of classifying and grading network data, the identification and processing of important data, the establishment of a network data security protection system, and the supervision of safety in various industries and fields carried out within the boundaries of Shanghai.

[Full text link: 
 

https://mp.weixin.qq.com/s/sg10kB6ahFsPTpbv4rmOCA]

5、北京网信办发布《北京市数据跨境流动便利化综合配套改革实施方案》

3月27日，北京市网信办、北京市商务局、北京市政务服务和数据管理局联合发布《北京市数据跨境流动便利化综合配套改革实施方案》。这是北京出台的首个促进数据跨境流动便利化的综合性配套改革文件。方案从政策供给、数据利用、企业服务、技术应用、产业促进、安全监管等多个维度，统筹提出了一揽子创新举措。

【全文链接：
 

https://mp.weixin.qq.com/s/dvv4bK-KXqPhkJ6LvxPiEw】

5. Beijing Cyberspace Administration issued the Implementation Plan for Comprehensive Supporting Reforms to Facilitate Cross-border Data Flow in Beijing

On March 27, the Beijing Cyberspace Administration, the Beijing Municipal Bureau of Commerce, and the Beijing Municipal Administration of Governmental Services and Data jointly issued the Implementation Plan for Comprehensive Supporting Reforms for Facilitating Cross-border Flow of Data in Beijing. This is the first comprehensive supporting reform document issued by Beijing to promote the facilitation of cross-border data flow. The program puts forward a package of innovative initiatives in a coordinated manner from a variety of dimensions, including policy supply, data utilization, enterprise services, technology application, industry promotion, and safety supervision.

[Full text link：
 

https://mp.weixin.qq.com/s/dvv4bK-KXqPhkJ6LvxPiEw]

6、《实施〈中华人民共和国反外国制裁法〉的规定》正式公布

3月24日，国务院总理日前签署国务院令，公布《实施〈中华人民共和国反外国制裁法〉的规定》。规定的内容包括明确反外国制裁法第六条第四项中的“其他必要措施”，包括但不限于禁止或者限制向其提供数据、个人信息。规定对不依法执行反制措施的，国务院有关部门有权责令改正，禁止或者限制其从境外接收或者向境外提供数据、个人信息。

【全文链接：
 

https://mp.weixin.qq.com/s/QGbfKCUbgbv_fobio_YwEA】

6. “The Provisions for the Implementation of the Anti-Foreign Sanctions Law of the People's Republic of China” (《实施〈中华人民共和国反外国制裁法〉的规定》) were officially announced

On March 24, the Premier of the State Council signed a State Council order recently to announce the Provisions for the Implementation of the Anti-Foreign Sanctions Law of the People's Republic of China. The provisions include clarifying the “other necessary measures” in Article 6, Item 4 of the Anti-Foreign Sanctions Law, including but not limited to prohibiting or restricting the provision of data and personal information to them. The provisions stipulate that if countermeasures are not implemented in accordance with the law, the relevant departments of the State Council shall have the right to order corrections and prohibit or restrict the receipt of data and personal information from or provision of data and personal information to foreign countries.

[Full text link:

https://mp.weixin.qq.com/s/QGbfKCUbgbv_fobio_YwEA]

7、工信部公开发布《工业互联网安全分类分级管理办法》

近期，工信部公开发布了《工业互联网安全分类分级管理办法》，工业互联网安全分类分级管理以工业互联网企业为对象，包括应用工业互联网的工业企业、工业互联网平台企业以及工业互联网标识解析企业。工业互联网企业级别由高到低分为三级、二级、一级。完成自主定级的工业互联网企业应当通过全国工业互联网安全分类分级管理平台开展信息登记。

【全文链接：
 

https://www.miit.gov.cn/jgsj/waj/wjfb/art/2025/art_72d3dab251474245908611263f50b096.html】

7. The Ministry of Industry and Information Technology publicly released the “Administrative Measures for the Classification and Grading of Industrial Internet Security”(《工业互联网安全分类分级管理办法》)

Recently, the Ministry of Industry and Information Technology has publicly released the “Administrative Measures for the Classification and Grading of Industrial Internet Security”. The classification and grading of industrial internet security targets industrial internet enterprises, including industrial enterprises that use the industrial internet, industrial internet platform enterprises, and industrial internet identity analysis enterprises. Industrial internet enterprises are divided into three levels, two levels, and one level, from high to low. Industrial internet enterprises that have completed independent classification should register information through the national industrial internet security classification and grading management platform.

[full text: 
 

https://www.miit.gov.cn/jgsj/waj/wjfb/art/2025/art_72d3dab251474245908611263f50b096.html]

8、广东省通信管理局公开通报8款未按要求完成整改的APP/小程序

广东省通信管理局持续开展移动应用程序专项治理工作，发出《APP处置通知书》责令APP运营者限期整改，并通知相关应用商店协助督促APP运营者整改。截至目前，尚有7款APP、1款小程序未完成整改，故予以通报。该等APP所涉主要问题包括违规收集个人信息、超范围收集个人信息、未公开收集使用规则等。

【全文链接：
 

https://mp.weixin.qq.com/s/h_-Ff6SgYhYnJ_O5WT2nHg】

8. The Guangdong Provincial Communications Administration publicly announced eight apps/mini programs that have not completed rectification as required

The Guangdong Provincial Communications Administration has continued to carry out special governance work on mobile apps, issued “App Disposal Notice” ordering app operators to rectify within a time limit, and notified relevant app stores to assist in supervising app operators' rectification. As of now, there are still seven apps and one mini program that have not completed rectification, so they are being announced. The main problems with these apps include illegal collection of personal information, collection of personal information beyond the scope, and failure to disclose the rules for collection and use.

[Full text link:

https://mp.weixin.qq.com/s/h_-Ff6SgYhYnJ_O5WT2nHg]

1、越南总理公布重要和核心数据清单

3月25日，越南总理颁布了一份重要和核心数据清单。越南《数据法》将于2025年7月1日生效，其对重要数据和核心数据进行了高级别分类。此次颁布的法令提供了根据《数据法》被视为重要或核心数据的详细数据清单。根据该法令，重要数据包括信用卡、借记卡、银行账户、付款或信用信息、债务历史，或涉及1000家或以上越南企业的任何此类信息等数据；核心数据包括种族、信仰、宗教、地理空间数据和航空照片数据等。

【点击查阅该法令全文：

https://www.moj.gov.vn/qt/tintuc/Pages/chi-dao-dieu-hanh.aspx?ItemID=4846】

1. Vietnam promulgated list of important and core data

On March 25, the Prime Minister of Vietnam promulgated a list of important and core data. The Data Law, which enters into effect on July 1, 2025, provides high level classifications of important and core data. Under the promulgation, important data is considered to include data such as credit card, debit card, bank account, payment, or credit information, debt history, or any of the same involving 1,000 or more Vietnamese enterprises. The core data includes, among other things, data about ethnicity, beliefs, and religion, and geospatial data and aerial photo data.

[Click to view the full text:

https://www.moj.gov.vn/qt/tintuc/Pages/chi-dao-dieu-hanh.aspx?ItemID=4846]

2、马来西亚个人数据保护部就新的数据保护指南征求公众意见

3月24日，马来西亚个人数据保护部（PDP）正在就以下个人数据保护相关指南征求公众意见，包括：数据保护影响评估（DPIA）指南，就谁应进行数据保护影响评估、何时进行数据保护影响评估、如何进行数据保护影响评估、通知个人数据保护部以及数据保护影响评估后应做什么提供指导；设计中的数据保护指南，概述了设计中的隐私定义、七项核心原则、如何在《个人数据保护法》的每项原则中实施，以及如何保护儿童隐私。自动决策和定性分析指南，就拒绝权、知情权和人工审查权、将个人数据用于人工智能 (AI) 训练、使用生物识别数据和闭路电视等问题提出建议。

【点击查阅官方新闻稿

https://www.pdp.gov.my/ppdpv1/en/announcement-on-the-public-consultation-paper-pcp-on-personal-data-protection-2025/】

2. Malaysia's PDP seeks public input on new data protection guideline

The PDP is seeking public comments on the following guidelines on personal data protection：The Data Protection Impact Assessment (DPIA) Guidelines, which provide guidance on who should conduct a DPIA, when to conduct a DPIA, how to conduct a DPIA, notifications to the PDP, and what to do after a DPIA；The Data Protection by Design Guidelines, which outline the definition of Privacy by Design, its seven core principles, how to implement it in each of the PDP Act principles, and how to protect children's privacy；The Automated Decision Making and Profiling Guidelines, which provide recommendations relating to the rights to refuse, to information, and to human review, the use of personal data for artificial intelligence (AI) training, the use of biometric data, and CCTV.

[Click to view the official press：

https://www.pdp.gov.my/ppdpv1/en/announcement-on-the-public-consultation-paper-pcp-on-personal-data-protection-2025/]