Firm News
Weekly Data Law News: DataLaw Weekly (20250407-20250413)
Published: 2025-04-14
Authors: Chen Jiawei (陈嘉伟), Zhang Gongli (张功俐)
Source: 至融至泽
I. Domestic news
1. The Zhejiang Cyberspace Administration and two other departments jointly issued the Administrative Measures for the Negative List of Data Export and the Negative List (2024 Edition)
2. The CAC released the “Questions and Answers on Data Export Security Management Policy (April 2025)”
3. TC260 released six national cybersecurity standards
4. The CAC released information on generative AI services that have been filed (January to March 2025)
II. Overseas news
1. The U.S. Department of Justice released FAQs and compliance guidelines for the final rule EO14117
2. The Irish DPC announced an investigation into X's use of user data to train AI
I. Domestic news
1. The Zhejiang Cyberspace Administration and two other departments jointly issued the Administrative Measures for the Negative List of Data Export and the Negative List (2024 Edition)
On April 10, the Zhejiang Cyberspace Administration, the Zhejiang Provincial Department of Commerce, and the Zhejiang Provincial Data Administration jointly released the “Administrative Measures for the Negative List of Data Export from the China (Zhejiang) Pilot Free Trade Zone (Trial)” and the “Administrative List of Data Export from the China (Zhejiang) Pilot Free Trade Zone (Negative List) (2024 Edition)”. The Zhejiang negative list covers the e-commerce (business-to-business) industry and the clearing and settlement industry. It sets out the list of data that must pass a data export security assessment and the list of data whose export requires filing of a standard contract for personal information export or personal information protection certification.
[Click to view the management measures and negative list:
https://www.zjwx.gov.cn/art/2025/4/10/art_1673564_58876604.html?sessionid=788070926]
2. The CAC released the “Questions and Answers on Data Export Security Management Policy (April 2025)”
On April 9, the CAC released the “Questions and Answers on Data Export Security Management Policy (April 2025)”. The CAC studied the consultation questions it recently received and published some representative questions and answers. According to the Q&A, in carrying out security assessments of data exports, the CAC will fully consider the business scenarios and actual needs of the matters declared by data processors, and assess the necessity of exporting personal information. The main points of the assessment include the necessity of the export activity itself, the necessity of the number of natural persons involved, and the necessity of the scope of personal information data items to be exported.
[Click to view the full policy Q&A:
https://mp.weixin.qq.com/s/iYVkA0u2I26kZww2TItEgQ]
3. TC260 released six national cybersecurity standards
On April 9, TC260 released six national cybersecurity standards, including “Cybersecurity Technology: Technical Specification for Operation and Maintenance Security Management Products” (GB/T 45409-2025), “Data Security Technology: Capability Requirements for Data Security Assessment Organizations” (GB/T 45389-2025), “Data Security Technology: Security Requirements for Automated Decision-Making Based on Personal Information” (GB/T 45392-2025), “Data Security Technology: Security Requirements for Government Data Processing” (GB/T 45396-2025), “Data Security Technology: Requirements for Personal Information Protection Supervisory Organizations within Large Internet Enterprises” (GB/T 45404-2025), and “Technical Requirements for Safety of Network Critical Equipment: Programmable Logic Controllers (PLC)” (GB/T 45406-2025). These national standards will be implemented from October 1, 2025.
[Original link:
https://www.tc260.org.cn/front/postDetail.html?id=20250409161207&sessionid=788530561]
4. The CAC released information on generative AI services that have been filed (January to March 2025)
On April 8, the CAC released information on generative AI services that have been filed (January to March 2025). As of March 31, 2025, a total of 346 generative AI services had completed filing with the CAC. For generative AI applications or functions that directly call the capabilities of filed models through APIs or other methods, a total of 159 had completed registration with local cyberspace administration offices.
[Click to view the complete filing information:
https://www.cac.gov.cn/2024-04/02/c_1713729983803145.htm?sessionid=788845856]
II. Overseas news
1. The U.S. Department of Justice released FAQs and compliance guidelines for the final rule EO14117
On April 11, the U.S. Department of Justice released a series of frequently asked questions (FAQs) and compliance guidelines on the final rule to prevent access to U.S. sensitive personal data and government-related data by countries of concern or related persons. The final rule took effect on April 8, 2025. It stems from U.S. Executive Order 14117, which restricts U.S. persons from engaging in certain transactions involving countries of concern. The FAQs and guidance include an overview of the data security program, an explanation of preventing access to sensitive personal data and government-related data, which transactions are considered prohibited and restricted transactions, and the types of data subject to the Executive Order.
[Click to view the FAQ and compliance guidance:
https://www.justice.gov/opa/pr/justice-department-implements-critical-national-security-program-protect-americans-sensitive]
2. The Irish DPC announced an investigation into X's use of user data to train AI
On April 11, the Irish Data Protection Commission (DPC) announced an investigation into X Internet Unlimited Company. The investigation concerns the processing of personal data contained in public posts published by EU/EEA users on the “X” social media platform, data that was used to train generative AI models, in particular the Grok large language model. The investigation will examine compliance with a range of key GDPR provisions, including the lawfulness of processing and transparency.
[Click to view the official press release:
https://www.dataprotection.ie/en/news-media/latest-news/data-protection-commission-announces-commencement-inquiry-x-internet-unlimited-company-xiuc]