每周数据法律资讯 Data Law Weekly（20250512-20250518）

1.《国务院2025年度立法工作计划》发布，预备制定《网络安全等级保护条例》、预备修订《互联网信息服务管理办法》

5月14日，国务院办公厅发布《国务院2025年度立法工作计划》。计划显示，国务院拟提请全国人大常委会审议的法律案16件，拟制定、修改的行政法规30件。其中，国务院拟制定、修改《政务数据共享条例》、预备制定《网络安全等级保护条例》、预备修订《互联网信息服务管理办法》。

【参见：

https://www.gov.cn/zhengce/content/202505/content_7023697.htm】

1. The State Council’ s 2025 Annual Legislative Work Plan was released, proposing the formulation of the Cybersecurity Grading Protection Regulations（《网络安全等级保护条例》）and the revision of the Measures for the Administration of Internet Information Services（《互联网信息服务管理办法》）

On May 14, the General Office of the State Council released the “State Council's 2025 Annual Legislative Work Plan.” The plan indicates that 16 draft laws will be submitted to the Standing Committee of the National People’s Congress for review, and 30 administrative regulations will be formulated or revised. Among these, the State Council plans to formulate or revise the “Regulations on the Sharing of Government Data”（《政务数据共享条例》, prepare to formulate the “Cybersecurity Grading Protection Regulations”（《网络安全等级保护条例》）, and prepare to revise the “Measures for the Administration of Internet Information Services”（《互联网信息服务管理办法》）.

[Reference:

https://www.gov.cn/zhengce/content/202505/content_7023697.htm]

2. 工信部公开征求对《儿童手表安全技术要求》强制性国家标准（征求意见稿）的意见

5月14日，工业和信息化部公开征求对《儿童手表安全技术要求》强制性国家标准(征求意见稿)的意见。标准在网络安全、信息安全、数据安全和个人信息保护、网络沉迷防治、生物特征识别等多方面对儿童手表提出了具体要求，包括不可预置生成式语音问答应用程序、应制定专门的儿童个人信息处理规则、不向应用程序默认开放麦克风摄像头、定位、通讯录短信等权限、账号的解绑和注销应通过儿童智能手表管理端由监护人进行操作等。

【参见：

https://www.miit.gov.cn/jgsj/kjs/jscx/bzgf/art/2025/art_e46d2807ebbc4384b2aa73bbcd5cc620.html】

2. The MIIT has solicited public comments on the draft mandatory national standard for “Safety Technical Requirements for Children's Smartwatches”（《儿童手表安全技术要求》）

On May 14, the Ministry of Industry and Information Technology (MIIT) publicly solicited comments on the draft mandatory national standard for “Safety Technical Requirements for Children’s Smartwatches”（《儿童手表安全技术要求》）. The standard sets specific requirements for children’s smartwatches across multiple areas, including cybersecurity, information security, data security, personal information protection, prevention of internet addiction, and biometric recognition. Specific requirements include: no pre-installed generative voice-based question applications; the establishment of dedicated rules for the processing of children's personal information; no default granting of permissions such as microphone, camera, location, and contact list access to applications; and the requirement that account unlinking and deletion must be performed by guardians through the children's smartwatch management interface.

[Reference:

https://www.miit.gov.cn/jgsj/kjs/jscx/bzgf/art/2025/art_e46d2807ebbc4384b2aa73bbcd5cc620.html]

3.上海市通信管理局发布《关于开展“浦江护航”2025年电信和互联网行业数据安全专项行动的通知》

5月13日，上海市通信管理局发布《关于开展“浦江护航”2025年电信和互联网行业数据安全专项行动的通知》。本次专项行动适用范围为上海市电信和互联网行业数据处理者。其中，重点对象为在电信和互联网行业运营重要网络信息系统或处理重要数据、1000万人以上个人信息的电信业务经营者。同时，本次专项行动有七大重点任务，分别是：促进行业数据要素安全流通和利用、深化行业首席数据官制度落地实施、深入推进重要数据识别认定及目录管理、加强行业数据安全风险评估管理、加强数据对外共享安全管理、加强互联网数据中心客户数据安全保护、加强数据安全风险防范及应急处置。

【点击查看通知全文：

https://shca.miit.gov.cn/cms_files/filemanager/350417865/attach/20255/570928097a3b4bad953d7d186162fd5e.pdf】

3. Shanghai Communication Administration issued “Notice on ‘Pujiang Huhang’ 2025 Special Action on Data Security in Telecommunications and Internet Industry” (《关于开展“浦江护航”2025年电信和互联网行业数据安全专项行动的通知》)

On May 13, “Notice on ‘Pujiang Huhang’ 2025 Special Action on Data Security in Telecommunications and Internet Industry” (《关于开展“浦江护航”2025年电信和互联网行业数据安全专项行动的通知》) was released by Shanghai Communication Administration. The scope of this special action is applicable to data processors in the telecommunications and Internet industries in Shanghai. Among them, the key targets are telecommunications business operators that operate important network information systems or process important data or personal information of more than 10 million people in the telecommunications and internet industry. This special action has seven key tasks: promoting the safe circulation and utilization of industry data elements, deepening the implementation of the industry’s chief data officer system, further promoting the identification and determination of important data and directory management, strengthening the industry’s data security risk assessment and management, strengthening the security management of data sharing with external parties, strengthening the security protection of customer data in Internet data centers, and strengthening the prevention of data security risks and emergency response.

[Click here to view the full text:

https://shca.miit.gov.cn/cms_files/filemanager/350417865/attach/20255/570928097a3b4bad953d7d186162fd5e.pdf]

4. 上海市发布最新一批生成式人工智能服务登记信息

截至5月13日，上海市新增5款已完成登记的生成式人工智能服务，累计已完成85款生成式人工智能服务登记。上海市网信办按照《生成式人工智能服务管理暂行办法》要求，开展上海市生成式人工智能服务备案工作。同时，对通过API或其他方式直接调用已备案模型能力，且面向境内公众提供具有舆论属性或者社会动员能力的生成式人工智能服务开展登记工作。已上线的生成式人工智能应用或功能，应在显著位置或产品详情页面标明所取得的上线编号。

【点击查阅登记名单：

https://mp.weixin.qq.com/s/H7XMXt4_vaynsqwNrY07ig】

4. Shanghai released latest batch of generative AI service registration information

As of May 13, Shanghai has added five newly registered generative AI services, bringing the total number of registered generative AI services to 85. The Shanghai Cyberspace Administration has conducted the filing of generative AI services in Shanghai in accordance with the Interim Measures for the Administration of Generative AI Services（《生成式人工智能服务管理暂行办法》）. At the same time, it has initiated the registration of generative AI services that directly call upon registered models via API or other means and provide services with public opinion attributes or social mobilization capabilities to the domestic public. Generative AI applications or features that have been launched must clearly display the registration number obtained upon launch in a prominent location or on the product details page.

[Click here to view the registration list:

https://mp.weixin.qq.com/s/H7XMXt4_vaynsqwNrY07ig]

5. 国家计算机病毒应急处理中心通报65款违法违规收集使用个人信息的移动应用，涉多款车机APP

5月12日，国家计算机病毒应急处理中心通报65款违法违规收集使用个人信息的移动应用。其中，涉及问题有隐私政策及其展示方式违规、数据共享违规、未征得用户同意、未提供有效的更正或删除个人信息及注销用户账号功能、投诉或举报未在承诺时限内受理并处理、未向用户提供撤回同意收集个人信息的途径方式、自动化决策违规、处理敏感个人信息违规、处理儿童信息违规、未采取相应的加密、去标识化等安全技术措施等。其中，多款奇瑞、长安车机预装应用涉上述违规问题。

【参见：

https://mp.weixin.qq.com/s/tnE2zjDx4lLPXyvernuwrQ】

5. The CVERCreported 65 mobile applications for illegally collecting and using personal information, involving multiple vehicle-mounted apps

On May 12, the National Computer Virus Emergency Response Center (CVERC) publicly identified 65 mobile applications that illegally or non-compliantly collected and used personal information, including multiple in-vehicle apps. The violations involved: Non-compliant privacy policies (e.g., improper content or display methods); unauthorized data sharing with third parties; failure to obtain user consent; lack of functional mechanisms for users to correct and delete personal information or deactivate accounts; untimely handling of user complaints or reports; absence of options for users to withdraw consent for data collection; non-transparent automated decision-making processes; improper processing of sensitive personal information; non-compliant processing of children’s data; insufficient security measures (e.g., encryption, de-identification) . Among these, several pre-installed applications on Chery and Changan vehicle infotainment systems were found to involve the aforementioned violations.

[Reference:

https://mp.weixin.qq.com/s/tnE2zjDx4lLPXyvernuwrQ]

6. 迪奥中国发生客户数据泄露事件，并向客户发布通知短信

5月12日，奢侈品集团路威酩轩旗下Dior迪奥品牌向用户发布短信，表示该品牌发生数据泄露事件。短信内容显示，迪奥于2025年5月7日发现，曾有未经授权的外部人员获取了迪奥持有的部分客户数据。根据目前调查进展，在中国收集的受影响的客户个人信息的最大范围可能包括姓名、性别、手机号码、电子邮箱地址、邮寄地址、消费水平、偏好，以及客户可能已向迪奥提供的其他信息。被访问的数据库中不包含诸如银行账户详情、国际银行账户号码（IBAN）或信用卡信息等财务信息。短信中称，初步调查显示，此次事件是由数据库遭受未经授权的访问所致。迪奥建议客户对任何可疑通信（短信、电话、电子邮件）都要保持警惕。不要打开或点击来自不明来源的通信或链接，也不要透露验证码、密码等敏感信息。若收到任何以迪奥名义发送的可疑信息或联系，请客户咨询迪奥官方客服中心。

【参见：

https://mp.weixin.qq.com/s/RJ5UtUzvIhxa60aBUFAmeA】

6. Dior China experiences customer data breach and sends notification SMS to customers

On May 12, the luxury goods group LVMH’s Dior brand sent an SMS to users stating that a data breach had occurred. The SMS stated that Dior discovered on May 7, 2025, that unauthorized external personnel had accessed some of the customer data held by Dior. Based on the current investigation, the maximum scope of personal information of affected customers collected in China may include names, gender, mobile phone numbers, email addresses, mailing addresses, spending levels, preferences, and other information that customers may have provided to Dior. The accessed database did not contain financial information such as bank account details, international bank account numbers (IBAN), or credit card information. The SMS message stated that preliminary investigations indicate the incident was caused by unauthorized access to the database. Dior advises customers to remain vigilant regarding any suspicious communications (SMS, phone calls, emails). Do not open or click on communications or links from unknown sources, and do not disclose sensitive information such as verification codes or passwords. If the customers receive any suspicious information or contact purporting to be from Dior, should contact Dior's official customer service center.

[Reference:

https://mp.weixin.qq.com/s/RJ5UtUzvIhxa60aBUFAmeA]

7. 上海临港新片区印发再保险、国际航运、生物医药3个领域数据出境操作指引

近日，临港新片区印发再保险、国际航运、生物医药3个领域数据出境操作指引。其中，再保险领域包括财产险再保险、人身险再保险等3大场景11个子场景，国际航运领域包括国际集装箱舱位交易、船检和船舶管理等5个领域，生物医药领域包括组织商业合作伙伴管理、跨境购买药品等9个场景。有合规化需求的数据处理者可通过临港新片区数据跨境服务中心进行咨询，并通过数据便捷流通公共服务管理平台申报备案。

【参见：

https://mp.weixin.qq.com/s/Llf3H-PXygisqOMJkEH04A】

7. Shanghai Lingang Special Area issued operational guidelines for data outbound transfers in three sectors: reinsurance, international shipping, and biopharmaceuticals

Recently, the Lingang Special Area has issued operational guidelines for data cross-border transfers in three sectors: reinsurance, international shipping, and biopharmaceuticals. In the reinsurance sector, there are three major scenarios and 11 sub-scenarios, including property reinsurance and life reinsurance. In the international shipping sector, there are five areas, including international container booking transactions, ship inspection, and ship management. In the biopharmaceutical sector, there are nine scenarios, including managing commercial partners and cross-border procurement of pharmaceuticals. Data processors with compliance requirements may consult the Lingang Special Area Data Cross-border Service Center and submit applications for record-filing through the Data Convenient Circulation Public Service Management Platform.

[Reference:

https://mp.weixin.qq.com/s/Llf3H-PXygisqOMJkEH04A]

1. 韩国PIPC因Temu违规数据跨境问题对其处以13.69亿韩元罚款

5月15日，韩国个人信息保护委员会（PIPC）发布公告，跨境电商平台Temu因违反韩国《个人信息保护法》中限制个人信息跨境传输及居民身份登记号码处理的相关规定，以及委托处理个人信息及指定本地代表的相关规定，分别被处以13.69亿韩元和1,760万韩元的罚款。此外，PIPC对Temu下达了整改命令并提出改进建议。此次处罚对象包括负责Temu用户数据管理的Whaleco Technology Limited和管理入驻卖家数据的Elementary Innovation Pte. Ltd.。其中，PIPC认定Temu存在以下违法事实：未明确告知用户或在其隐私政策中披露的情况下，将用户个人信息委托给包括中国、新加坡、日本在内的境外公司处理或存储；未能对这些境外受托公司进行有效的管理和监督，也未按照法律要求设立本地代表；要求用户完成多达7个步骤才能注销账户，明显增加了用户行使权利的难度；在对卖家身份认证过程中，Temu在无适当合法性基础的情况下处理了居民身份登记号码，并收集了卖家的身份证和面部视频信息。

【参见：

https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=11200#LINK】

1. South Korea’s PIPC imposed a fine of KRW 13.69 billion on Temu for cross-border data violations

On May 15, the Korean Personal Information Protection Commission (PIPC) issued an announcement stating that the cross-border e-commerce platform Temu had violated provisions of the Korean Personal Information Protection Act related to restrictions on the cross-border transfer of personal information, the processing of resident registration numbers, the entrustment of personal information processing, and the designation of a local representative. As a result, Temu was fined 13.69 billion won and 17.6 million won, respectively. Additionally, the PIPC issued a corrective action order and made improvement recommendations to Temu. The entities subject to the penalties include Whaleco Technology Limited, which manages Temu user data, and Elementary Innovation Pte. Ltd., which manages data of sellers on the platform. The PIPC found that Temu committed the following violations: without clearly informing users or disclosing such information in its privacy policy, it entrusted the processing of user personal information to companies located in China, Singapore, Japan; failing to effectively manage and supervise these overseas companies or establish local representatives as required by law; requiring users to complete up to seven steps to delete their accounts, significantly increasing the difficulty for users to exercise their rights; and processing residents' identity registration numbers and collecting sellers' ID cards and facial video information during the seller identity verification process without a legitimate legal basis.

[Reference:

https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=11200#LINK]

2.美国发布三件对华出口限制规定，涉及用于芯片的先进计算集成电路以及人工智能模型训练

5月13日，美国商务部产业与安全局（BIS）发布《关于可能用于训练人工智能模型的先进计算集成电路及其他商品的管控政策声明》《防止先进计算集成电路被转用的行业指南》《关于对中国先进计算集成电路适用通用禁令10的指南》三份文件，进一步收紧对中国先进计算芯片及AI模型训练能力的限制。其中，三份文件分别旨在禁止使用美国芯片训练中国AI大模型；防止中国通过第三方渠道获取美国先进芯片；限制中国自主研发的高性能AI芯片的使用，特别点名华为昇腾910B、910C、910D三款芯片。

【三份文件分别参见：

1.https://www.bis.gov/media/documents/ai-policy-statement-training-ai-models-may-13-2025

2.https://www.bis.gov/media/documents/ai-counter-diversion-industry-guidance-may-13-2025.pdf

3.https://www.bis.gov/media/documents/general-prohibition-10-guidance-may-13-2025.pdf】

2. The United States has issued three export restriction rules targeting China, involving advanced computing integrated circuits for chips and training artificial intelligence models

On May 13, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) issued three documents: “BIS Policy Statement on Controls that May Apply to Advanced Computing Integrated Circuits and Other Commodities Used to Train AI Models”, “Industry Guidance to Prevent Diversion of Advanced Computing Integrated Circuits”, “Guidance on Application of General Prohibition 10 (GP10) to People’s Republic of China (PRC) Advanced-Computing Integrated Circuits (ICs)”.These documents further tighten restrictions on China's advanced computing chips and AI model training capabilities. The three documents aim to prohibit the use of U.S. chips to train Chinese AI large models; prevent China from obtaining advanced U.S. chips through third-party channels; and restrict the use of China's domestically developed high-performance AI chips, specifically naming Huawei's Ascend 910B, 910C, and 910D chips.

[See the three documents below:

1.https://www.bis.gov/media/documents/ai-policy-statement-training-ai-models-may-13-2025

2.https://www.bis.gov/media/documents/ai-counter-diversion-industry-guidance-may-13-2025.pdf

3.https://www.bis.gov/media/documents/general-prohibition-10-guidance-may-13-2025.pdf]

3. 欧盟发布《数字服务法》（DSA）项下的网络未成年人保护指南草案

5月13日，欧盟委员会就《数字服务法》（DSA）项下的网络未成年人保护指南草案启动公开咨询。通过这一步骤，委员会旨在通过支持未成年人可访问的在线平台，为儿童创造一个更安全的在线环境，以确保儿童的高度隐私与安全。指南草案涵盖了广泛的措施，如验证用户的年龄、改进向用户推荐内容的方式以降低儿童接触有害内容的风险、默认将儿童账户设置为私人账户、儿童安全内容审核的最佳实践、儿童友好的报告渠道和用户支持，以及平台内部治理的指导。

【参见：

https://digital-strategy.ec.europa.eu/en/news/commission-publishes-draft-guidelines-protection-minors-online-under-digital-services-act】

3. The EU published draft guidelines on protection of minors online under the Digital Services Act (DSA)

On May 13, the European Commission launched a public consultation on the draft guidelines on the protection of minors online under the DSA. Through this step, the Commission aims to create a safer online environment for children by supporting online platforms that are accessible to minors, thereby ensuring a high level of privacy and security for children. The draft guidelines cover a wide range of measures, including verifying users’ ages, improving the way content is recommended to users to reduce the risk of children encountering harmful content, setting children’s accounts to private by default, best practices for reviewing child-safe content, child-friendly reporting channels and user support, and guidance on platform governance.

[Reference:

https://digital-strategy.ec.europa.eu/en/news/commission-publishes-draft-guidelines-protection-minors-online-under-digital-services-act]

4. 孟加拉国就2025年《个人数据保护条例》征求公众意见

近期，孟加拉国信息和通信技术（ICT）部门就2025年《个人数据保护条例》征求公众意见。该条例适用于在孟加拉国运营或处理与孟加拉国主体相关数据的数据受托人和处理者。该条例规定了“儿童”、“个人数据”、“同意”和“敏感个人数据”等关键术语的定义。此外，该条例还规定了处理数据的法律依据、数据处理原则和数据主体权利等内容。

【点击查阅条例内容：

https://ictd.portal.gov.bd/site/notices/dfd0d19a-211f-4a91-a588-aa19ab07dbe8/%E0%A6%AC%E0%A7%8D%E0%A6%AF%E0%A6%95%E0%A7%8D%E0%A6%A4%E0%A6%BF%E0%A6%97%E0%A6%A4-%E0%A6%89%E0%A6%AA%E0%A6%BE%E0%A6%A4%E0%A7%8D%E0%A6%A4-%E0%A6%B8%E0%A7%81%E0%A6%B0%E0%A6%95%E0%A7%8D%E0%A6%B7%E0%A6%BE-%E0%A6%85%E0%A6%A7%E0%A7%8D%E0%A6%AF%E0%A6%BE%E0%A6%A6%E0%A7%87%E0%A6%B6-%E0%A7%A8%E0%A7%A6%E0%A7%A8%E0%A7%AB-%E0%A6%8F%E0%A6%B0-%E0%A6%87%E0%A6%82%E0%A6%B0%E0%A7%87%E0%A6%9C%E0%A6%BF-%E0%A6%AD%E0%A6%BE%E0%A6%B0%E0%A7%8D%E0%A6%B8%E0%A6%A8-%E0%A6%8F%E0%A6%B0-%E0%A6%89%E0%A6%AA%E0%A6%B0-%E0%A6%AE%E0%A6%A4%E0%A6%BE%E0%A6%AE%E0%A6%A4-%E0%A6%AA%E0%A7%8D%E0%A6%B0%E0%A7%87%E0%A6%B0%E0%A6%A3】

4. Bangladesh sought public comments on the 2025 Personal Data Protection Regulation

Recently, Bangladesh's Information and Communications Technology (ICT) department sought public comments on the 2025 Personal Data Protection Ordinance. The Ordinance applies to data-fiduciaries and processors operating in Bangladesh or processing data related to entities in Bangladesh. The Ordinance define key terms such as “child” “personal data” “consent” and “sensitive personal data”. Additionally, the Ordinance outline the legal basis for processing, data processing principles, and data subject rights.

[Click here to view the regulations:

https://ictd.portal.gov.bd/site/notices/dfd0d19a-211f-4a91-a588-aa19ab07dbe8/%E0%A6%AC%E0%A7%8D%E0%A6%AF%E0%A6%95%E0%A7%8D%E0%A6%A4%E0%A6%BF%E0%A6%97%E0%A6%A4-%E0%A6%89%E0%A6%AA%E0%A6%BE%E0%A6%A4%E0%A7%8D%E0%A6%A4-%E0%A6%B8%E0%A7%81%E0%A6%B0%E0%A6%95%E0%A7%8D%E0%A6%B7%E0%A6%BE-%E0%A6%85%E0%A6%A7%E0%A7%8D%E0%A6%AF%E0%A6%BE%E0%A6%A6%E0%A7%87%E0%A6%B6-%E0%A7%A8%E0%A7%A6%E0%A7%A8%E0%A7%AB-%E0%A6%8F%E0%A6%B0-%E0%A6%87%E0%A6%82%E0%A6%B0%E0%A7%87%E0%A6%9C%E0%A6%BF-%E0%A6%AD%E0%A6%BE%E0%A6%B0%E0%A7%8D%E0%A6%B8%E0%A6%A8-%E0%A6%8F%E0%A6%B0-%E0%A6%89%E0%A6%AA%E0%A6%B0-%E0%A6%AE%E0%A6%A4%E0%A6%BE%E0%A6%AE%E0%A6%A4-%E0%A6%AA%E0%A7%8D%E0%A6%B0%E0%A7%87%E0%A6%B0%E0%A6%A3]