Firm News
Data Law Weekly (20250428-20250504)
Published: 2025-05-06
Authors: 陈嘉伟 张功俐 童浩文
Source: 至融至泽
I. Domestic news
1. The OCCAC launched the “Clear - Rectification of AI Technology Abuse” special action
2. The CAC and six other ministries and commissions jointly issued the Provisions on the Administration of Direct Satellite Connectivity Services for Terminal Devices (《终端设备直连卫星服务管理规定》)
3. “Data Security Technology - Security Requirements for the Processing of Sensitive Personal Information” (《数据安全技术 敏感个人信息处理安全要求》) and five other national standards on cybersecurity approved for release
4. The CMA and the CAC issued the Measures on Artificial Intelligence Meteorological Application Services (《人工智能气象应用服务办法》)
5. “Practice Guidelines for Cybersecurity Standard-Personal Information Protection Compliance Audit Requirements (Draft)” (《网络安全标准实践指南—个人信息保护合规审计要求(征求意见稿)》) is open for public comments
6. Shanghai Cyberspace Administration imposed penalties on a number of internet companies providing medical services
II. Overseas news
1. TikTok fined €530 million by the Irish Data Protection Commission for cross-border transmission of data
2. Malaysia issued Guidelines on Cross-Border Transfer of Personal Data
3. U.S. Congress passed Take It Down Act
I. Domestic news
1. The OCCAC launched the “Clear - Rectification of AI Technology Abuse” special action
On April 30, the Office of the Central Cyberspace Affairs Commission (OCCAC) issued a notice launching a three-month, nationwide “Clear - Rectification of AI Technology Abuse” special action, aiming to regulate AI services and applications, promote the healthy and orderly development of the industry, and safeguard the legitimate rights and interests of citizens. The special action is carried out in two stages. The first stage will strengthen the governance of AI technology at the source, clean up and rectify non-compliant AI applications, strengthen the management of AI generation and synthesis technology and of content labeling, and push websites and platforms to improve their ability to detect and verify synthetic content. The second stage focuses on prominent problems such as using AI technology to produce and publish rumors, false information, and pornographic or vulgar content, to impersonate others, or to run online “water army” (paid posting) activities. It will concentrate on cleaning up the related illegal and harmful information and on handling and penalizing non-compliant accounts, MCN agencies, websites and platforms.
[Reference: https://mp.weixin.qq.com/s/U5B0bonVW7xy4ifMmVM6Og]
2. The CAC and six other ministries and commissions jointly issued the Provisions on the Administration of Direct Satellite Connectivity Services for Terminal Devices (《终端设备直连卫星服务管理规定》)
On April 30, the Cyberspace Administration of China (CAC), the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the General Administration of Customs, the State Administration for Market Regulation, and the National Radio and Television Administration jointly issued the Provisions on the Administration of Direct Satellite Connectivity Services for Terminal Devices, which will take effect on June 1, 2025. Terminal device direct satellite connectivity services are activities in which terminal devices connect directly to communication satellites by wireless communication, without passing through intermediate relay devices, to provide voice communication, text transmission, or data exchange services. The Provisions apply to the provision of such services to the territory of the People's Republic of China, the use of such services within the territory of the People's Republic of China, and the production, assembly, provision, and sale of terminal devices that support direct satellite connectivity services within the territory of the People's Republic of China.
[Click to view the full text of the Provisions: https://mp.weixin.qq.com/s/GJdNdKbSStZSWFYsETwIkA]
3. “Data Security Technology - Security Requirements for the Processing of Sensitive Personal Information” (《数据安全技术 敏感个人信息处理安全要求》) and five other national standards on cybersecurity approved for release
On April 30, six national standards under the purview of the National Technical Committee 260 on Cybersecurity of Standardization Administration of China were officially released. The standards focus on key areas such as data security and generative artificial intelligence security. They further enrich the cybersecurity standards system within the broader cybersecurity work framework and provide standards support for the management of national data security and artificial intelligence security and for industrial development. The standards are:
- GB/T 45574-2025 “Data Security Technology-Security Requirements for the Processing of Sensitive Personal Information” (《数据安全技术 敏感个人信息处理安全要求》)
- GB/T 45576-2025 “Cybersecurity Technology-Guidelines for the Application of Cybersecurity Insurance” (《网络安全技术 网络安全保险应用指南》)
- GB/T 45577-2025 “Data Security Technology-Data Security Risk Assessment Methods” (《数据安全技术 数据安全风险评估方法》)
- GB/T 45652-2025 “Cybersecurity Technology-Generative Artificial Intelligence Pre-training and Optimization Training Data Security Specification” (《网络安全技术 生成式人工智能预训练和优化训练数据安全规范》)
- GB/T 45654-2025 “Cybersecurity Technology-Generative Artificial Intelligence Service Security Basic Requirements” (《网络安全技术 生成式人工智能服务安全基本要求》)
- GB/T 45674-2025 “Network Security Technology-Security Specification for Data Labeling of Generative Artificial Intelligence” (《网络安全技术 生成式人工智能数据标注安全规范》)
The implementation date of all six standards is November 1, 2025.
[Reference: https://mp.weixin.qq.com/s/6cOdc3C8eGAuK_ytdnHW0A]
4. The CMA and the CAC issued the Measures on Artificial Intelligence Meteorological Application Services (《人工智能气象应用服务办法》)
On April 29, the China Meteorological Administration (CMA) and the Cyberspace Administration of China (CAC) issued the Measures on Artificial Intelligence Meteorological Application Services to encourage, promote and regulate the healthy and orderly development of artificial intelligence meteorological application services. The Measures are the first departmental regulation in China to promote and regulate the application of artificial intelligence in a specific sub-field. The Measures apply to the use of artificial intelligence technology for meteorological application services within the territory of the People's Republic of China and in other maritime areas under the jurisdiction of the People's Republic of China. The Measures take effect on June 1, 2025.
[Click to view the full text of the Measures: https://mp.weixin.qq.com/s/UkABv71EQeC_cNwpVTg6fQ]
5. “Practice Guidelines for Cybersecurity Standard-Personal Information Protection Compliance Audit Requirements (Draft)” (《网络安全标准实践指南—个人信息保护合规审计要求(征求意见稿)》) is open for public comments
On April 28, in order to implement the Personal Information Protection Law and the Administrative Measures for Personal Information Protection Compliance Audit, guide personal information protection compliance audit activities, and protect personal information rights and interests, the Secretariat of the National Technical Committee 260 on Cybersecurity of Standardization Administration of China, with reference to the national standards for personal information protection compliance audits, organized the preparation of the “Practice Guidelines for Cybersecurity Standard-Personal Information Protection Compliance Audit Requirements (Draft)” and opened it for public comments. The document sets out the principles for personal information protection compliance audits and specifies their overall requirements, content and methods, and implementation process.
[Click to view the full text of the draft: https://www.tc260.org.cn/upload/2025-04-28/1745827789863092922.pdf]
6. Shanghai Cyberspace Administration imposed penalties on a number of internet companies providing medical services
On April 28, the Shanghai Cyberspace Administration reported that, during a special enforcement operation, it found that a number of internet companies providing medical services (mainly engaged in medical software development and maintenance, medical service training, digital health services, etc.) had failed to fulfill their cybersecurity and data security protection obligations as required by law. Their systems had cybersecurity vulnerabilities, were accessed from overseas IP addresses, and had data stolen, resulting in the leakage of personal information. The cases show that some internet companies in the medical services sector have problems such as non-standard and incomplete personal information management rules, inadequate security protection, and non-compliant data storage. The Shanghai Cyberspace Administration imposed administrative penalties on these companies in accordance with the relevant laws and regulations.
[Reference: https://mp.weixin.qq.com/s/-EznCqFnu_4vCBZDSJhC7g]
II. Overseas news
1. TikTok fined €530 million by the Irish Data Protection Commission for cross-border transmission of data
On May 2, the Irish Data Protection Commission announced its final decision following an investigation into TikTok. The investigation found that TikTok violated the General Data Protection Regulation (GDPR) in relation to its transfers of EEA user data to China and its transparency requirements. The decision includes administrative fines totaling €530 million and an order requiring TikTok to bring its data processing into compliance within six months. The decision also includes an order suspending TikTok's data transfers to China if processing is not brought into compliance within this timeframe.
[Reference: https://www.dataprotection.ie/en/news-media/latest-news/irish-data-protection-commission-fines-tiktok-eu530-million-and-orders-corrective-measures-following]
2. Malaysia issued Guidelines on Cross-Border Transfer of Personal Data
On April 29, the Department of Personal Data Protection (PDP) of Malaysia issued the Guidelines on Cross-Border Transfer of Personal Data. The guidelines give guidance on the conditions for transferring personal data out of the country and on the handling requirements for cross-border data transfers. They specify the obligations of data controllers that conduct or plan to conduct cross-border data transfers, including but not limited to informing data subjects about the transfer through a personal data protection notice or other written notice, and retaining and maintaining records of the recipients of personal data. The guidelines also explain the conditions for data transfers based on standard contractual clauses (SCCs) and binding corporate rules (BCRs).
[Click to view the full guidelines: https://drive.google.com/file/d/1ujXHLtekUoJ1EswqIQy7s4B0OIXcddOS/view]
3. U.S. Congress passed Take It Down Act
On April 28, the U.S. House of Representatives passed the Take It Down Act, which makes it a federal crime to publish non-consensual intimate imagery and requires online platforms to remove the content within 48 hours of receiving a report or be penalized by the Federal Trade Commission (FTC). The term “intimate image” covers not only real photos or videos, but also synthetic images created with artificial intelligence or other technologies that are indistinguishable from images of real people. This is the first U.S. law in years to directly regulate online content, and the first to regulate AI at the federal level.
[Click to view the full text of the Act: https://www.congress.gov/119/bills/s146/BILLS-119s146es.pdf]